
PS5: SpecterDev releases sprx/self decrypter payload for all hackable firmwares

by Ethan Marley

This one’s big. Today SpecterDev released a payload for all hackable PS5 firmwares that allows decrypting SELF files. Something that until now was only possible on Firmware 4.03, through Sleirsgoevy's Prosper0 Debugger, is now possible on all hacked firmwares.

What are SPRX/SELF files, and why do I care about decrypting them?

Most files on the PS5 are encrypted. This includes system binaries, libraries required by applications at runtime, and of course the games themselves. Decrypting these files is the first step to reverse engineering them (if you’re interested in that process, I have a tutorial on how to do it on PS4, and the PS5 process is basically similar), which itself is used for everything you might want to do on a hacked PS5: modding games, finding more vulnerabilities in the system, patching the system for hacking purposes, etc.

Sleirsgoevy had released a tool to decrypt these files on 4.03 almost a year ago, so people on that firmware have been able to decrypt PS5 sprx and self files. This will now be possible on all hackable firmwares, and will open the path to more cool stuff coming to the PS5.

This release follows a tweet from SpecterDev, where he hinted he had something coming for us, through a new data-only attack on the PSP (Platform Secure Processor) of the PS5.

Notes from the release:

PS5 SELF Decrypter

A payload that uses kernel arbitrary read/write to decrypt Signed ELFs (SELFs) from the filesystem and dump the plaintext ELFs to a USB drive.

here. You need to build it yourself (tutorial here) because you have to replace the IP address with that of your local PC. (Alternatively, getting a built payload from somebody you trust and replacing the IP with a hex editor should do the trick.)

To run the payload:

  1. plug a USB key with at least 1GB of space into your PS5
  2. run the PS5 exploit (locally on your computer, or through an esp8266, or using a fake DNS and one of the public hosts)
  3. open a TCP listener on your computer. On Linux you can use Netcat (nc -l [YOUR IP ADDRESS] 5655). On Windows, Ncat should work.
  4. upload the payload, e.g. with netcatGui.

You should start seeing data in the listener’s logs. In parallel, the tool will write decrypted files to your USB key, in the PS5 folder. The process will take a while and may fail regularly, which can crash the console. If you restart the exploit and run the payload again, it should resume where it failed.

$ nc -l 10.1.1.100 5655
[+] kernel .data base is ffffffff89c80000, pipe 9->10, rw pair 11->13, pipe addr is fffff02a3ba0ba80
[+] kernel_pmap_store offset 0x31be218, pm_pml4 0xfffff02610474000, pm_cr3 0x10474000, dmap_base 0xfffff02600000000
[+] firmware version 0x3000038 ( 3.000.038)
[+] got auth manager: 4 (this is version 2)
[+] dumping /...
[+] decrypting //decid_update.elf...
[?] file segments are irregular, falling back on last LOAD segment
[+] calculated file size: 0x00035554
[+] wrote 0x00035554 bytes...
[+] decrypting //first_img_writer.elf...
[?] file segments are irregular, falling back on last LOAD segment
[+] calculated file size: 0x000aaef4
[+] wrote 0x000aaef4 bytes...
[+] decrypting //mini-syscore.elf...
[?] file segments are irregular, falling back on last LOAD segment
[+] calculated file size: 0x000c62c4
[+] wrote 0x000c62c4 bytes...
[+] decrypting //safemode.elf...
[?] file segments are irregular, falling back on last LOAD segment
[+] calculated file size: 0x004f3cc4
[+] wrote 0x004f3cc4 bytes...
[+] decrypting //SceSysAvControl.elf...
[?] file segments are irregular, falling back on last LOAD segment
[+] calculated file size: 0x000c3944
[+] wrote 0x000c3944 bytes...
[+] decrypting //setipaddr.elf...
[?] file segments are irregular, falling back on last LOAD segment
[+] calculated file size: 0x0002d1a4
[+] wrote 0x0002d1a4 bytes...
[+] dumping /system/common/lib...
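
Because a run can crash partway, the listener log is the only record of how far it got. As an added example (not part of the original post or of SpecterDev's payload), this Python script reads saved listener output and reports which files were fully written and which one was in progress when the output stopped. The sample log and the libExample.sprx name are constructed, and the line format is assumed from the excerpt above.

```python
import re

# Constructed sample in the format of the listener output shown above. The last
# entry (a made-up file name) has no "wrote" line, as after a console crash.
SAMPLE_LOG = """\
[+] dumping /...
[+] decrypting //decid_update.elf...
[?] file segments are irregular, falling back on last LOAD segment
[+] calculated file size: 0x00035554
[+] wrote 0x00035554 bytes...
[+] dumping /system/common/lib...
[+] decrypting /system/common/lib/libExample.sprx...
[+] calculated file size: 0x00010000
"""

# Assumed line shapes; the label word after "calculated file" is not checked.
DECRYPT = re.compile(r"^\[\+\] decrypting (.+)\.\.\.$")
SIZE = re.compile(r"^\[\+\] calculated file \w+: (0x[0-9a-fA-F]+)$")
WROTE = re.compile(r"^\[\+\] wrote (0x[0-9a-fA-F]+) bytes")

def summarize(log_text):
    """Pair each 'decrypting' line with its size and 'wrote' lines."""
    done, mismatched, unfinished, warned = {}, [], [], []
    current = expected = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DECRYPT.match(line):
            if current is not None:        # previous file never reported "wrote"
                unfinished.append(current)
            current, expected = m.group(1), None
        elif current is None:
            continue                       # banner and "dumping <dir>" lines
        elif line.startswith("[?]"):
            warned.append(current)         # tool printed a warning for this file
        elif m := SIZE.match(line):
            expected = int(m.group(1), 16)
        elif m := WROTE.match(line):
            written = int(m.group(1), 16)
            if expected is not None and written != expected:
                mismatched.append(current)  # sizes disagree: check this file
            done[current] = written
            current = expected = None
    if current is not None:                # log ended mid-file: likely crash point
        unfinished.append(current)
    return {"done": done, "mismatched": mismatched,
            "unfinished": unfinished, "warned": warned}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To use it on a real run, save the listener output to a file (for example by redirecting nc to one) and pass its contents to summarize().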
