Everything posted by zecoxao

  1. Special thanks to Anonymous for helping me with this, and to @softstar for providing the elfs.
     You'll need:
     An FTP payload with CUSTOM DECRYPT command (you can compile it from the scene-collective github repo)
     A target file (I've chosen 5.05's SceShellCore for this) in both encrypted and decrypted state
     Filezilla
     Hashing tool (I use WSL with the sha256sum tool)
     Step 1: Send the FTP payload
     Step 2: Grab the encrypted SceShellCore (at /system/vsh/)
     Step 3: Use the custom DECRYPT command (in Filezilla, this can be found in Server->Indicate personalized command...)
     Step 4: Grab the decrypted SceShellCore (same location, but now with DECRYPT toggled ON)
     Step 5: Hash the decrypted elf (sha256sum SceShellCore.elf)
     Step 6: Compare it with the FIRST 0x20 bytes that look like random data. If they match, your elf is OK; if they don't match, retry downloading the elf with DECRYPT toggled on until it matches.
     This concludes the tutorial.
     added 7 minutes later
     some pics:
  2. Required tools:
     python2
     ecdsa python module
     pycryptodome module
     verify_eid.py file (provided in the zip)
     donor file (provided in the zip) (WARNING: contains DECH-A idps minver! do NOT push your luck by going below the previous idps minver!)
     advanced tools (provided in the zip)
     eid_root_key (get this either with flatz's dumper or rebug toolbox's embedded dumper)
     eid file (you can get this by running advanced tools->dump_eeid and renaming eeid.bin to eid)
     Steps:
     1- Place ALL of the required files in the same folder. The structure MUST BE:
        folder:
        --------eid
        --------eid_root_key
        --------donor
        --------verify_eid.py
     2- Run the script: python2 verify_eid.py
     3- Make sure that the ECDSA values are VALID (if the idps is INVALID and the CMAC is INVALID, they'll be VALID later)
     4- Rerun the script
     5- Make sure that ALL 3 values are VALID
     6- Install Advanced Tools
     7- Place your newly modified eid in the root of a usb stick. Rename it to eeid.bin
     8- Run Advanced Tools->Flash EEID
     9- Congratulations! You're now on a full DEX system! You can now go to any DEX OFW without siren beep (validation brick)
     Tools: https://www.sendspace.com/file/zi8adp
  3. Added lv1 internal folder with embedded internal lv1 processes from ebootroms previous to 0.84.001. Updated databases via Lumina Push n Pull (January 1st 2021).
  4. Currently uploaded: lv0 (ssl) lv1 (picard) lv2 (picard) vsh (ssl) ss_server1(ssl) ss_server2(ssl) pme_init(picard) sys_init_osd(ssl)
  5. This is a project I've been aiming to do for a while, but never got the resources needed to do so. Now that I do (IDA 7.5 with latest decompilers) I can start it and people can contribute as well, using Lumina or via their own hands at home. The first .c file and its corresponding database will be submitted and I'll add more and more throughout edits. It'll all be posted in this post.
     added 3 minutes later
     For now, let's start with lv1 from 4.46 (3141card has reversed this and he's very good at what he has done).
     Folder Link: https://mega.nz/folder/09V3nC5b#-pzGqyoGkjMEhKyCwjmOrw
  6. https://github.com/balika011/belf/releases no links for pirate content; it has to be done manually.
  7. Tools Required:
     IDA Pro or Ghidra with proper ps4 loaders / tools (I'll be using IDA Pro 7.x with balika's loader for this)
     Hex editor of choice (I use HxD)
     Flatz's required functions. They are as follows:
     7CxI50-xlCk
     +OnbUs1CV0M
     xmhnAoxN3Wk
     pMxXhNozUX
     Sometimes they have an underscore in front of them, so:
     _7CxI50-xlCk
     _+OnbUs1CV0M
     _xmhnAoxN3Wk
     _pMxXhNozUX
     eboot of the game you want to fix (for example fifa 20) in ELF format, NOT FSELF!
     The process:
     Load your eboot with IDA and balika's loader; the process will be similar to this when it finishes loading. Go to the pink area at the bottom (the nids) under the functions window and patch all these from ff 25 72 ff 25 6a ff 25 62 ff 25 5a to 31 C0 C3. Apply, and your EA eboot should work properly together with 5.05 backport tools.
     This concludes the tutorial.
     Credits:
     @flatz for the original discovery
     @Joonie for the implementation and POC in the scene
  8. blc is a plugin that was created to implement Ghidra's decompiler natively into IDA Pro. It works really well for most languages but not ps3 ppu elfs, which is why I decided to add support for them (hardcoded still at the moment).
     https://www.sendspace.com/file/izd2pe
     First you must download this (Ghidra folder) and extract it under your IDA 7.0 or 7.2 plugins directory. Then, according to the module you'll be studying, you download this https://www.sendspace.com/file/caywmf and start reversing away with alt+f3 for decompilation of a function.
     Enjoy RE!
     Note: I have fixed the 64 bit addr bug, so the ppc_64.cspec comes already bundled in the first zip.
     For @mysis and @3141card in case they need it.
  9. Just spoke to him directly on skype. He is investigating.
  10. With these steps you'll be able to set up a proxy on your main psn ps4 machine and grab some pkgs you purchased or visit other links:
     Tools required:
     .Net 1.1 (in case you don't have it) and PS3 Proxy Server Gui https://www.sendspace.com/file/f98qv5
     cmd line to know your ip
     Step 1: Install .net 1.1
     Step 2: Install PS3 Proxy Server Gui
     Step 3: Start the cmd line and copy your PC ip (in my case it's https://imgur.com/a/nUku3xD
     Step 4: Start PS3 Proxy GUI and choose PS3 Mode (it's located in C:\Program Files (x86)\CF3B5\PS3.ProxyServer, double click it)
     Step 5: Start the proxy https://imgur.com/a/KYUWM0i
     Step 6: On your ps4 settings->network settings, do a manual connection and select the pc ip (in this case as ip; port should already be 8080.
     Step 7: Check Logs in PS3 Proxy Server GUI; you should have some with ps4 connections
     Credits to Andrew2007 for letting me know the proxy server works on ps4 and we don't need no charles for this or skfu.
  11. here's the toolchain https://mega.nz/#!fpt3yK6B!GOdJBtAj3nd4MdancqAB_-0g02zcz-o4jMfTpe5GTFo
  12. https://www.sendspace.com/file/39utp5 tiny image
     https://www.sendspace.com/file/84u9cn huge image
     Here are the images that wildcard, M4j0r, SSL and I are currently using for testing CPA/DPA on SW2. I'll put up the toolchain required to compile these at a later time, as well as the syscon programs and the PUP used to test this.
  13. https://www.sendspace.com/file/teufzl LINK https://pastebin.com/5sTdsVMZ https://pastebin.com/zEznkQiq external and internal commands
  14. Besides unity you could give it a go at 5.05 native homebrews like cores for retroarch made by frangarcj and bigboss. Sauces here: https://github.com/psxdev/ps4sdk/tree/firmware505 https://github.com/frangarcj/RetroArch/blob/master/Makefile.orbis https://github.com/frangarcj/libretro-2048 Edit: I'm already warning you that these sources are VERY compile intensive. So get yourself ready for a bunch of errors showing up if you do the wrong steps!
  15. You probably converted it from CEX to DEX (I had the siren beep only when that happened and it checked hashes), but from your description that doesn't seem to be the case :/
  16. Tools required:
     1. PSVita with wifi working
     2. Al Azif's dns tool found in his repo: https://github.com/Al-Azif/ps4-exploit-host/releases
     3. 3.65 update found in darthsternie.net (or any other one you want, really)
     4. 3.65 psp2-updatelist.xml (see 3)
     5. A brain to know which region the vita belongs to
     Steps:
     1. Download and extract 3.65 OFW and psp2-updatelist.xml from darthsternie.net
     2. Download al azif's dns host tool and extract it
     3. Place both the pup and the updatelist.xml in the updates folder of dns host.
     4. Once you figure out which region your vita is from (us, eu, uk, etc.) replace ALL instances of the given region in psp2-updatelist.xml with the one from your vita.
     5. Start the dns host. If everything goes well you should see your PC's ip for main IP and DNS.
     6. Set up the wifi of your console, taking into consideration that the dns must be the same one displayed on the host terminal window!
     7. Attempt to update. You should see a notification of update version 3.65. If not, recheck the region, and that the xml and update files are ok!
     8. Update
  17. It's a mod. I'd like it if you could add it to your nodemcu payload.
  18. Tools:
     HEN 1.8 https://cdn.discordapp.com/attachments/159066660962041856/498138504656715776/ps4-hen-vtx.bin https://cdn.discordapp.com/attachments/159066660962041856/498138541570654209/index.html
     payload_ldr https://cdn.discordapp.com/attachments/159066660962041856/498062138686963712/payload_ldr_verbose.pkg
     FTP payload/OrbisMAN (Optional But Recommended)
     Mira for usermode logs / UART
     Step 0: If needed for your homebrew, put ALL resources inside /data/ (specify the path in your homebrew as well)
     Step 1: Create a folder called self inside the data folder (you can use ftp or orbisman for this)
     Step 2: Launch HEN 1.8
     Step 3: If needed, launch mira as well (for logging your homebrew/game while it's being tested)
     Step 4: Install the payload_ldr pkg
     Step 5: Launch payload ldr (the screen should hang at start)
     Step 6: Send the main eboot (it MUST be a self file): sender.py --endpoint eboot.bin
     Other options are available but for now I'll only use this one
     Step 7: Your homebrew should now run and (if you have it) logs should be displayed on putty/some other Telnet/Serial logger
  19. First of all, credits to @Joonie; without him none of this would have been possible.
     Things required:
     2 PS4s (one on 5.05 preferably, another on the version you wish to port stuff to, like 4.55)
     SDK of the older version (don't ask for it, just search a bit)
     Hex editor (such as HxD)
     Fpkg tools (specifically https://www.sendspace.com/file/bqsin5 )
     Game to port (Something like God of War or the likes)
     FTP Payload on 5.05
     Filezilla Client
     The first thing we'll do is find how many modules our game has and which they are. So we start our game minimized, go to the ftp payload and start filezilla, then navigate to the pfsmnt folder and to the title id for the patch. In the case of God of War, they're libc and libSceFios2. So we'll grab both of these from our SDK (in this case, 4.50 sdk) and place them in the sce_module folder, replacing the ones existing there (from 5.00 SDK).
     Last but not least we grab the eboot from the ftp and we replace the version binary string (search for ORBI, caps; it should be around this location). Example: https://imgur.com/a/4rZofbG https://imgur.com/a/isZaGw9
     And finally, after replacing those strings you can replace the eboot as well and place it under the fpkg creator.
     This has been tested by @Joonie and works for some games (cases like 5.05 on 4.55 work for the majority of them, but cases like 5.05 on 4.05 don't for the majority, so you're on your own to test these).