zecoxao

First of all, credits to @Joonie, without him none of this would have been possible. Things required: 2 PS4s (one in 5.05 preferably, another in the version you wish to port stuff to, like 4.55) SDK of the older version (don't ask for it, just search a bit) Hexeditor (such as HxD) Fpkg tools (specifically https://www.sendspace.com/file/bqsin5 ) Game to port (Something like God of War or the likes) FTP Payload on 5.05 Filezilla Client First thing we'll do is find how many modules our game has and which they are. So we start our game minimized, go to the ftp payload and start filezilla, then navigate to the pfsmnt folder and to the title id for patch. In the case of God of War, they're libc and libSceFios2. So we'll grab both of these from our SDK (in this case, 4.50 sdk) and place them in the sce_module folder, replacing the ones existing there (from 5.00 SDK). Last but not least we grab the eboot from the ftp and we replace the version binary string (search for ORBI, caps, it should be around this location) Example: https://imgur.com/a/4rZofbG https://imgur.com/a/isZaGw9 And finally, after replacing those strings you can replace the eboot as well and place it under the fpkg creator. This has been tested by @Joonie and works for some games (cases like 5.05 on 4.55 work for the majority of it but cases like 5.05 on 4.05 don't for the majority so you're on your own to test these)

@sguerrini97 would it be possible to upload a vm with UFS rw support? something small, like what @3141card did, with easy to use scripts i think it'd be nice and much less time consuming than compiling the stuff ourselves

and this is the 4.55 kernel where the script is based (i tested the idc on one of my dumps and it didn't work so i'm also sharing this) https://www.sendspace.com/file/mtydoc

@3141card has given me permission to share this, as well. it is a RE script of 4.55 kernel by himself (the base being used here is the kernel's base without KASLR, 0xFFFFFFFF82200000, so rebase your own kernel in IDA before doing this.) Contains comments, defined globals, function symbols and other things. in a total of about 20000 functions, 12747 (64%) are defined. I didn't have luck using it with IDA 6.8 and below so i assume this only works with IDA 7. Enjoy added 2 minutes later link (forgot about it lol) https://www.sendspace.com/file/qknbez

Since @3141card has agreed to let these databases be released to the general public. Link: https://www.sendspace.com/file/5b9jw4 Contains LV1 and LV2 memory dump databases with several comments, constructors, destructors, documented syscalls, etc. Extremely useful for emulation research and/or exploit research

This executable decompresses ARZL binaries for the ps4, like the compressed eap kernel. This SHOULD also work on vita but i'm not sure about it. Download Link: https://www.sendspace.com/file/liris4

Happy birthday

Apologies for the necro bump, but since there's a new ksploit floating around i figured i might change < 2.00 games as green to < 4.06 games as green

fuck you @GregoryRasputin thanks guys

read the instructions again please: 1. load wb and start code execution, wait till its waiting for payload 2. press ps button 3. run the game 4. send the payload containing the path to the eboot inside the mounted folder in pfsmnt 5. collect your modules/eboot on usb0/any other output path that's how you prevent out of memory errors (this also happens with elfs)

go to that line and follow the instructions there.

use https://github.com/idc/PS4-SDK

there are tutorials that do this for you here. https://playstationhax.xyz/forums/topic/3271-tutorial-how-to-decrypt-and-dump-games-ebootprx-and-sprx/ https://playstationhax.xyz/forums/topic/3104-tutorial-how-to-bypass-pfs-protection-entirely/ but this is deprecated. i released on twitter a payload that allows to play any game without eboot_plugin patch

If any of you has any difficulty in running this tutorial, just use this payload instead and follow these steps on 1.76: https://www.sendspace.com/file/v81sn4 1. load wb and start code execution, wait till its waiting for payload 2. press ps button 3. run the game 4. send the payload containing the path to the eboot inside the mounted folder in pfsmnt 5. collect your modules/eboot on usb0/any other output path

Requirements: Minecraft Patch Kernel Hooks Payload CUSA00265 decrypted eboot named as eboot_dec.bin CUSA00265 filesystem (minus sce_modules) The Playroom encrypted sce_modules Playground that supports Code Exec and Elf Loader / Extreme-modding.de playground / etc Filezilla Client (Transfer mode MUST be binary) NetCat Socat Tutorial: 1- Create Folder in data folder named app2 (with ftp payload, binary mode always, NOT ascii) 2- Put in Folder original sce_modules from playroom (encrypted, not modified) 3- Put eboot_plugin in folder 4- Put eboot_dec.bin (from game we want to use, in this case, Minecraft Trial CUSA00265) 5- Put game files and folders (from game we want to use) 6- Reboot to clean memory from previous ftp payload patches 7- Execute kernel_hook payload (socat -u FILE:kernel_hooks TCP:my.ps4.ip:5054). Note that this is hitodama 8- Run listener to grab logs (nc my.ps4.ip 5088). You should see some logs on it 9- Minimize browser with PS Button 10- Run Playroom. Instead of the usual app, Minecraft Trial version should show up. Notes: This is only a POC, so treat it as such Most games SHOULD work with this method, but each and everyone of them will require a "patch" (i call it like that because it's the file that allows the eboot to run) Additionally, games that require modules besides libc and/or libSceFios2 will most likely not work, at least for now. Homebrew DOES work with this method, but as you can see from the SDKs available (the open source ones) there is no Graphics API whatsoever. This method however supports hitodama compiled ELFs. As for credits/source code, we're still discussing the best way to release this without any lawsuit from Sony (not that they're very interested in 1.76 but whatever...) The next game that we're working on is P.T. Some people are also working on homebrew. Hopefully that'll happen soon, but until then, STOP ASKING! In the meantime, maybe there'll be a source release on how to do the eboot_plugin "patches". Just be patient Video: