Credits to DaveeFTW, WildCard and Sean Shablack for most of the glitch work. Extra special thanks to Proxima for the reading of the code, to Nzaki for the 03g Golden PSP used for tests, and to MinaRalwasser for the service manual and guidance throughout the years.
Credits to Anonymous, Mathieulh and Freakler for the card dumps. Special thanks to the APE discord group for the wonderful (and sometimes stressful) moments spent throwing ideas around and dumping stuff.

Unbricking a BAD Cobra CFW From DEX or DECR by using FSM
(C)ode e(X)ecute, 2024-09-27

Do this for bad Cobra stage2 CFWs, such as pseudo-Rebug CFWs for DEX or DECR flavors. It formats the dev_flash, preventing a stage2 brick (stage2 gets deleted). You then just need to exit FSM and flash your favorite CFW from recovery.
1. Enable Hidden System Files
2. Enable Hidden Operating System Files
3. Format a pendrive as FAT32 with MBR (Rufus is recommended for this)
4. Grab a jig dongle (Teensy++ 2.0, TI-84+ or Fat PSP with 5.50 GEN-D recommended)
5. Enter FSM: insert the jig on the rightmost port near the Blu-ray drive (on DECR it's the middle top port), turn the console off completely by pulling the cord or by switching the power switch from I to O, switch it back / replug the power cord, quickly press power and then eject immediately after, and wait until it turns off
6. Put the Lv2diag.self Enter 3.55 (366 KB) (midnight archive, also on darthsternie?) on the root of the FAT32 MBR pendrive
7. Put the Rebug PUP (the good kind) on the root of the FAT32 MBR pendrive
8. Insert the pendrive on the rightmost port near the Blu-ray drive (on DECR it's the middle top), turn the console on normally; the green LED should start blinking. Wait at least 20 minutes, then forcefully turn it off if it doesn't do so automatically
Logs should be on the pendrive (see steps 1 and 2), in UPDATER_LOG.TXT
Content:
manufacturing updating start
PackageName = /dev_usb000/PS3UPDAT.PUP
settle polling interval success
vflash is disabled...
boot from nand flash...
creating flash regions...
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)
Initializing taking a while...
start Updating Proccess
Initialize elapsed time = 49 msec
check UPL
UpMng.UpdatePackage() failure
manufacturing updating FAILURE(0x8002f157)
Total Elapsed time = 1413 msec
Exit FSM by placing the Exit Lv2diag.self (202 KB) on the root of the pendrive. For safety, remove the PUP from the pendrive. You should now be out. Use recovery to return to the Rebug CFW.

PS5 Prototype Devkit Debug Settings
(C)ode e(X)ecute, 2024-08-20

This is a video of the Debug Settings from a PS5 prototype devkit my friend acquired. The story is sad: this friend of mine dumped all of the chips except for the main one, which contained the Southbridge firmware and, most importantly, the NVS. He wanted to dump the Southbridge chip, but lost it in the process. To anyone out there watching this video, if you have a similar kit, please contact me via Twitter and provide a dump of your sflash to unbrick my friend's kit. Thank you!

PS5 Prototype Devkit Main Menu
(C)ode e(X)ecute, 2024-08-20

PS5 prototype devkit main menu short video. This shows the main menu of a PS5 prototype devkit my friend recently acquired. The story is sad: this friend of mine dumped all of the chips except for the main one, which contained the Southbridge firmware and, most importantly, the NVS. He wanted to dump the Southbridge chip, but lost it in the process. To anyone out there watching this video, if you have a similar kit, please contact me via Twitter and provide a dump of your sflash to unbrick my friend's kit. Thank you!

Downloading ShadPS4 Commit Bundles
(C)ode e(X)ecute, 2024-08-19

Requirements:
PS4 game: dump it from your PS4 (use the app dumper) OR extract it from an fpkg (this is piracy, don't ask me how to do this)

Tutorial StartAllBack
(C)ode e(X)ecute, 2024-08-13

startallback.com
Just download and install. The free license is for 180 days; if you want the paid lifetime license you must pay:

5 dollars for 1 PC
9 dollars for 2 PCs
12 dollars for 3 PCs
Dedicated to user w3z.

Calculating HDD0 and HDD1 Offsets and Sizes on a nand hdd backup
(C)ode e(X)ecute, 2024-07-08

backup.img (obtained by using a tool called HDD Raw Copy Tool, link: hddguru.com/software/HDD-Raw-Copy-Tool)
eid_root_key (obtained via a CFW such as Rebug or Evilnat)
ssl's / sorvigolova's ps3encdec tool (link: github.com/Sorvigolova/ps3encdec/blob/master/bin/Release/ps3encdec.exe)
HxD or any other hex editor (link: https://mh-nexus.de/en/downloads.php?product=HxD)
Calculator (the Windows calculator is sufficient for this)
WSL, to make this easier
dd tool, to copy specific regions of the backup file

Extracting System, System ex, Preinst, Preinst2 From Pups
(C)ode e(X)ecute, 2024-06-06

Tools required:
WSL/WSL2
github.com/zecoxao/ps5-pup-unpacker (requires cmake, make, g++, gcc, git)
7zip: 7-zip.org/download.html
7zip exFAT support: tc4shell.com/en/7zip/exfat7z
Decrypted PUP: https://darksoftware.xyz/PS5/decryptedFWlist (PS5 for this example; PS4 needs other tools)

Permanently Enabling NVS Flags when Servicing PS4 or PS5 Unit
(C)ode e(X)ecute, 2024-05-24

Non-volatile storage (NVS) flags (such as IDU mode or permanent UART) sometimes do not apply correctly.
The reason is that all of these flags are stored in the memory of the Southbridge, which persists across reboots as long as the battery is connected.
So you must completely drain the power: remove the power cable and, if necessary, remove the CMOS battery so it drains completely.
Finally, if that doesn't work, recheck that you have written the flag correctly; sometimes the write does not go through.
Credit to Flatz for this information.

Testing PPPwn by TheFlow on windows with WSL2 + Python 3
(C)ode e(X)ecute, 2024-05-01

github.com/zecoxao/PPPwn (run.sh + WSL2 + Python 3.11.6 + pip)
Usage:
sudo apt install make gcc
bash run.sh
Don't expect anything for PS5 yet; it is substantially harder to hack than the PS4.

ARK cIPL and ARK DC News
(C)ode e(X)ecute, 2024-04-16

Support for 02g 03g 04g 07g 09g 11g on the new cIPL (01g users have to use the old cIPL)
Support for 01g 02g 03g 04g 09g 11g on DC (Despertar del Cementerio)
Strongly advisable for Go (05g) users not to test this (you will brick with both flavors)
Advisable for 07g users not to test this (you will brick with Despertar del Cementerio)
Release maybe somewhere public? Maybe you can find it? Wink wink ;) (No links until then; you can go hunt for it. I take no responsibility if you brick.)
For Despertar del Cementerio you will of course need a Baryon Sweeper (do not ask me how to build one, as I do not know. Peter Lustig has an amazing collection of them for sale; you can find him on Twitter).

OnePlus 12R Acquisition and The Als DualSense Calibration
(C)ode e(X)ecute, 2024-04-02

OnePlus 12R acquisition video and The Al's DualSense calibration talk.
https://blog.the.al/2024/04/02/calibrating-dualsense.html (blog post from Mr. the_al)
Use github.com/LongSoft/UEFITool (UEFIExtract) to extract UEFI blobs with PE files, etc.

PSVR Findings by Wildcard, FIGO Blog Post
(C)ode e(X)ecute, 2024-02-26

PSVR XTS keys discovered thanks to a DMA trick by Wildcard, first found by PS4 Enthusiast.
Replace the IP in the comment (REDIRECT_IPV4: 192.168.1.11 # Change me!) with your own PC IP. In my case it's already changed.
Replace the hijack URL in the comment (HIJACK_URL: www.google.com) with your own site. In my case it's google.
Open a command line (hold Shift and right click with the mouse on an area of your desktop)
Type the following command:
docker compose up
It'll bring several subsystems up (the docker images of Al's DNS, HTTP, etc.) and start a logger.
That's it; now you can use your PC's IP as the DNS IP. It'll work on both PS4 and PS5. The redirected site will be google as soon as you enter the user manual.
As you can see, it works! I hope you enjoyed my tutorial! See you on the next one.

Al Azif DNS Hosted Locally
(C)ode e(X)ecute, 2023-10-27

For those of you having issues on PS4 and PS5 with the Al Azif host not being public for a while.

The Option
(C)ode e(X)ecute, 2023-10-10

Here's the option of bypassing the version lock. The console being used is a testkit running 5.05; you can use a retail for this though. The HEN used was 2.1.3, and not GoldHEN 2.3, which effectively spoofs the QA flag options.
This option cannot be enabled without throwing some registry error. Unfortunately I never found a way to bypass it. If you know a way, let me know. Thanks.

Installing / Compiling PS3 Toolchain
(C)ode e(X)ecute, 2023-09-10

git clone --recursive https://github.com/ps3dev/ps3toolchain
sudo apt-get install autoconf automake bison flex gcc libelf-dev make \
    texinfo libncurses5-dev patch python-is-python3 subversion wget zlib1g-dev \
    libtool libtool-bin python-dev-is-python3 bzip2 libgmp3-dev pkg-config g++ libssl-dev clang

Mounting PS4 HDD On Windows, Only Specific Partitions
(C)ode e(X)ecute, 2023-09-10

Requirements: sendspace.com/file/qwrurh
Requirements:
.wslconfig (for this you also need WSL2 installed; WSL1 should work as well)
bzImage (this one is UFS read-only! For UFS read/write you need to compile your own bzImage)
Both are placed in C:\Users\(your_username)\ (in my case it's zecoxao)
cmtab
EAP key
Partitions (I've chosen eap_vsh, update, user)
Folders (according to cmtab)
And of course, your keys
In the case of the user partition, the partition number is 27, so you do this:
subtract 1 from 27, which gives 26;
then left shift by 32, which gives 111669149696.
Modify .wslconfig and cmtab accordingly! (path to bzImage, directory where to mount the EAP partitions, keys.bin location, ivoffset, etc.)

CP Box Keys and Libhijacker Big App Not Crashing News
(C)ode e(X)ecute, 2023-08-27

PS5 CP Box EMC Keys Discovered By Wildcard
* psdevwiki.com/ps5/Keys#Communication_Processor_.28CP.29_EMC_Keys
* Use sum of diff to find the region where the key is being used (fill the header with 00s and FFs and apply the diff)
* Use DPA on the last round of the first AES (in this case decryption)
* Used DPA to find the keyset (algorithm: AES-128-CBC with zero IV)
* Noise had to be removed
* 2 new codenames for the CP box, related to Shakespeare's work The Tempest (psdevwiki.com/ps5/Codenames#Shakespeare)
Libhijacker does not hang anymore in app (work done by LM, illusion and astrelsky)
* (Different voltage levels)

AMD PSP Bootrom News (PS5 Fully Pwned)
(C)ode e(X)ecute, 2023-07-31

* Flatz got the bootrom (with the entry point at 0xFFFF0000 showing it): twitter.com/flat_z/status/1684554194366107650
* He already got the keys prior to this
* He already got the flash partitions prior to this
What follows:
* Flatz will decrypt the entire chain (Bootrom - IPL - Secure Kernel/Kernel/Hypervisor - SELFs/PKGs/PUPs)
* Flatz will make a write-up about a possible HEN/fpkg method in the future, if HEN is possible, as it might not be
* A note: "not all keys, just some of them, and i still needed key seeds from bootrom to calculate other keys (and algorithms, ofc), so now i have all pieces of puzzle, just need to RE and calculate"

PS5 Testkit Debug Settings 3 00
(C)ode e(X)ecute, 2023-07-10

Just an overview of the PS5 Testkit Debug Settings.

Leak News AMD PSP Bootroms and VMProtect Source
(C)ode e(X)ecute, 2023-05-13

AMD PSP Bootroms: github.com/anonpsp/bootroms
Device name is MT3612-A0

compiling stuff from mast1core
(C)ode e(X)ecute, 2023-02-22

pastebin.com/ZfzmxaW7 (instructions here; some characters aren't allowed on YouTube)

PS4 PS5 PS2EMU Exploit Mast1core Summary
(C)ode e(X)ecute, 2023-02-14

Brief description and overview of the PS2 emu exploit implemented by McCaulay, from CTurt's blog post.
I'd like to thank all the people that have contributed to this project, directly or indirectly:
flatz: initial DECR-1000 syscon work, syscon updates
Mineralwasser/M4j0r: documentation and follow-up on the syscon work
wildcard: master glitcher, your work will always be appreciated
Juan Nadie: the honest guy behind the honest work, original D'Artagnan of the Lv0ldr exploit
Naehrwert: the crypto guy, spuderman forever
Jestero: hardware dude, massive help during Christmas in the exploit attempts
MikeM64: the carrier of the torch, follower of Juan's teachings, many thanks for having helped with the follow-up HW initiative
SSL/Zerotolerance: perfect as always, the syscon pyramid bridge is an homage to your work, thank you for submitting yourself to the follow-up work of Mike
And thank you Sony, for making me still believe that the dream was possible, even if it wasn't...

Loading Files Via External Psp2Config
(C)ode e(X)ecute, 2023-02-02

The file needs to be a plain txt, renamed to psp2config.skprx. The txt starts at the first #; it doesn't matter where it ends.
More info: https://wiki.henkaku.xyz/vita/SceSysStateMgr

Debug Settings QA INT DEV
(C)ode e(X)ecute, 2023-01-18

Showcase of the debug settings on a QA-flagged internal 3.72 flashed devkit PDEL-1000A Vita.

A Video Dedicated to Hardware Tips (Appreciation Video)
(C)ode e(X)ecute, 2022-12-23

Thanks to everyone at Hardware Tips, including, but not only: Bravo Norris, Raul Piedade, Rita Costa, and others (please tell me and I'll add them here).

Preparing a pendrive or an external harddrive for usage with ps3 updates
(C)ode e(X)ecute, 2022-12-11

This might be an already made video; let me know if it was already made or not. Thanks :)
Requirements:
Rufus: https://rufus.ie
Update file (has to be labeled PS3UPDAT.PUP; be CAREFUL with the extension, disable the check for known extensions if possible!)

Compiling samples from Official PS3SDK without visual studio
(C)ode e(X)ecute, 2022-11-26

Requirements:
7zip or WinRAR, to extract PSDK3v2-master.zip (e.g. 7-zip.org)
PSDK3v2 by Estwald: github.com/Estwald/PSDK3v2
Official PS3 SDK: don't ask me where to get this, you must find it yourself.
Dedicated to random reddit user :P

Massive rain in my home land
(C)ode e(X)ecute, 2022-11-22

...

Shirts Merchandise Demonstration
(C)ode e(X)ecute, 2022-11-17

A quick look at the future shirts that I'll (attempt to) sell in the near future. This one is for the winner of the previous giveaway, @tozeleal, who was randomly chosen on Twitter after much deliberation.

ps5 debug settings testkit (better quality)
(C)ode e(X)ecute, 2022-11-10

Testkit PS5 debug settings, without being recorded with a potato phone.

Bdj Sdk Homebrew for the PS5
(C)ode e(X)ecute, 2022-09-25

Tutorial on how to compile john's bdj-sdk homebrew.
Requirements:
WSL or Linux
Blank BD-RE 25GB disks
BD-RE burner
ISO mounter (Windows 10/11 come with one)
bash script to install everything: www80.zippyshare.com/v/TDXt7Izn/file.html
When doing a first blank BD-RE disk, it'll ask what the type of disk will be:
A pen drive (formatting takes less time, you can drag and drop files, and it works on PS5 and also PS4)
A disk to use with a player (not recommended, shouldn't be used)

Prepare the disk
Format the disk
Send a message (files are ready to be added)

QAF on VITA memes
(C)ode e(X)ecute, 2022-09-24

Example of the sheer raw power of the QA flag force update on Vita. More to come soon.

Overview of the PS3 Keys
(C)ode e(X)ecute, 2022-09-19

Video discussing a general overview of the PS3 keys on the wiki (there are a lot of them).