Hacking Project Lilygo-T-Dongle-S3-PS4-Payload-Launcher

[mrdude]

For those wishing to get the Lilygo-T-Dongle-S3, for PS4 hacking, I have written software for it and published on github. In the release section I uploaded the bin firmware files so you can flash these with esptool if you don't know how to use Arduino, and install libraries etc. I don't think you need to even install python for the standalone version of esptool - but if you don't trust the precompiled exe files from that github page you can use python, see the readme in the realse page zip file for flashing info.

Github Page:
Removed until furthe notice

The button on the device has various functions:

1: Press and hold button - plug into your computer, this will let you flash firmware.
2: Short press - wake up from sleep mode.
3: Double press - wipe config files out if you get locked out of wifi or want to reset back to the default settings (hard reset mode).
4: Long press - reboot the dongle.

USB wait time after the glitch has commenced is set to 2 seconds - It works fine on 1.85 seconds, but stick to two seconds to prevent issues. The Latest goldhen will be pushed automatically,

LCD display: This shows you the MAC address of the dongle, your current IP that is assigned in either AP or WIFI mode, it will also show the SSID of the AP or WIFI netwrok you are connected to.

Auto shutdown into deepsleep is enabled by default and set to 10 minutes, however as soon as goldhen is injected, the dongle will go into deep sleep and turn the led and lcd screen off - if you want to wake up, just short press the button on the dongle.

Default mode is set to AP mode - wifi network to connect to is PS4-Hack, Ip address for configuring is shown on the dongle http://1.2.3.4/admin.html

Micro SD card support is not added to this, as it is very slow compared to using the flash memory, With the included firmware+partitons bin in the zip you will have around 12MB to put your payloads on, which is more that enough for all the payloads that are avalable for the PS4.

Enjoy!

***INCLUDED GOLDHEN is for FW9.0 - if you are using lower FW, you can upload goldhen via the web server and set your version via the config page***

 

[mrdude]

First post updated, firmware updated to use fat partitions which gives around 12MB to upload your payloads to + addes some more code to the dongle, which is upto date on the github.

Also in the zip in the first post - I created a GUI flasher, so you can easily flash the bins to the dongle. Flash order:

1: Bootloader.
2: Partitions.
3: Firmware.

For flashing, hold the button on the dongle and plug it in. Flash the bin files.

Flasher Screenshot: (uses netframework 4.8)

The flasher is a front end for esptool - you can update this when a new version becomes available by replacing esptool in the tools folder. Current version is esptoo 4.4.

 

[mrdude]

First Post firmware updated:

I added a telegram bot setting so you can send your dongle IP to your telegram app on your phone when the dongle is on wifi, it sends the IP and config page link when first plugged in, so you can easily access the config page. You just need to follow this guide here for setting up a bot for telegram:

https://randomnerdtutorials.com/telegram-esp32-motion-detection-arduino/

From that guide you will get a bot token and chat ID and put these into the config page of your dongle & enable the bot.

:-), actually the code can be used for doing debugging - so you can make it send other messages if you want - I'll post the updated dongle code on github later so you could add this to your own esp32-s2 sketches.

Message sent to phone:

 

[peteruk]

First Post firmware updated:

I added a telegram bot setting so you can send your dongle IP to your telegram app on your phone when the dongle is on wifi, it sends the IP and config page link when first plugged in, so you can easily access the config page. You just need to follow this guide here for setting up a bot for telegram:

https://randomnerdtutorials.com/telegram-esp32-motion-detection-arduino/

From that guide you will get a bot token and chat ID and put these into the config page of your dongle & enable the bot.

:-), actually the code can be used for doing debugging - so you can make it send other messages if you want - I'll post the updated dongle code on github later so you could add this to your own esp32-s2 sketches.

Messgage sent to phone:

Fantastic!! thank you for another super update

 

[laz305]

Kool now all we need is a link where to get the dongle it will load Goldhen also right?

This?
LILYGO T-Dongle-S3 ESP32-S3 TTGO Development Board with Screen Dongle 0.96 inch ST7735 LCD Display TF Card https://a.co/d/aE0P4J8

 

[mrdude]

Kool now all we need is a link where to get the dongle

This?
LILYGO T-Dongle-S3 ESP32-S3 TTGO Development Board with Screen Dongle 0.96 inch ST7735 LCD Display TF Card https://a.co/d/aE0P4J8

You can get them here:
https://www.lilygo.cc/products/t-dongle-s3

I got mine from Ali-Express.

 

[laz305]

Ok so this is to load payloads only? Won’t load Goldhen and be used as usbhax? But can it be used as a combo then? So essentially adding 12mb more to the S2 Mini?

 

[mrdude]

Ok so this is to load payloads only? Won’t load Goldhen and be used as usbhax? But can it be used as a combo then? So essentially adding 12mb more to the S2 Mini?

Yes it loads goldhen automatically, but you can upload any payload you want via the config page and change the default payload to whatever your want. As for the flash - it is 16MB, so around a 12MB partition is formatted in fat and can be used to store payloads or web pages etc if you want to add your own.

Post automatically merged: Feb 14, 2023

First post updated, modded the GUI tool to flash the bin files faster - also reverted esptool to v4.2.1 - don't update this with a new esptool as there's issues with the loader stub flashing the esp32-s3 chip on this dongle. See here for more info:

https://github.com/espressif/esptool/issues/832

Post automatically merged: Feb 14, 2023

@laz305 FYI, I modded the partitions table and removed the OTA partition as it's not really needed - also I reduced the main firmware partition to 1.5MB instead of 3MB so gained another few MB, if you really need all that space for payloads etc, I got the free space up to this, If you end up getting one of these dongles let me know and I'll post a modded partitions bin for you.

 

[bigking94]

Thanks the S3 with display works Perfectly ^^

 

[laz305]

Yes it loads goldhen automatically, but you can upload any payload you want via the config page and change the default payload to whatever your want. As for the flash - it is 16MB, so around a 12MB partition is formatted in fat and can be used to store payloads or web pages etc if you want to add your own.

Post automatically merged: Feb 14, 2023

First post updated, modded the GUI tool to flash the bin files faster - also reverted esptool to v4.2.1 - don't update this with a new esptool as there's issues with the loader stub flashing the esp32-s3 chip on this dongle. See here for more info:

https://github.com/espressif/esptool/issues/832

Post automatically merged: Feb 14, 2023

@laz305 FYI, I modded the partitions table and removed the OTA partition as it's not really needed - also I reduced the main firmware partition to 1.5MB instead of 3MB so gained another few MB, if you really need all that space for payloads etc, I got the free space up to this, If you end up getting one of these dongles let me know and I'll post a modded partitions bin for you.

Nice. Yea thanks please do. Yeah I ordered it already

 

[mrdude]

Nice. Yea thanks please do. Yeah I ordered it already

Here you go, this will give you 14.22MB for a FAT partition where you can store payloads or html files. If using for storing html pages remember and give them unique names - not index.html or config.html etc as you will wipe out the pages that are already (hidden) cached in that partition. For example if you are putting in a page to launch other payloads direct your ps4 browser to that page you uploaded (index2.html for example). Also just leave the default index.html to launch the default goldhen payload and you can have the best of both worlds, ie an autolauncher, and a payload selector.

Obviously I removed the OTA partition so you will not be able to update the firmware wirelessley, so when you want to update you'll need to plug the dongle into a PC and flash via USB.

Post automatically merged: Feb 15, 2023

FYI, @laz305

 

[laz305]

@mrdude thanks bro but wait this can still be flashed in Arduino like any other esp board right? Cuz I was just thinking of adding my own host that I have for my FeatherS2 to it.

 

[mrdude]

@mrdude thanks bro but wait this can still be flashed in Arduino like any other esp board right? Cuz I was just thinking of adding my own host that I have for my FeatherS2 to it.

Yes, I already posted a github page with the code.

 

[mrdude]

First post updated, Firmware is updated to add functions for PS-Phive(mod) compatibility.

Button changes:
1 short press - reboot dongle.
2 short presses - delete config.
1 long press - format fat storage partition.

PS-Phive has been heavily modded to be compatible with this dongle, so don't use on a different dongle as the firmware contains routines that are required for it to work. The arduino sketch has been updated on the github.

Mods - normal auotpayload launcher - AP mode is the fastest, just connect to PS-Hack and click on Settings and select User's Guide. This glitch is the fastest and works nearly 100% first time, it uses differnet glitch code from what PS-Hive uses.

If you want to use PS-Phive, extract and upload the files to the dongle via the file upload page, open your psweb browser and navigate to 1.2.3.4/index2.html. First time will cache the files - if using via wifi, use the IP address your router assinged the dongle. You can easily set up a telegram bot to text you the IP via the config page, however your IP will be dispayed on the LCD screen if you don't want to do this.

Enjoy and thanks to @Leeful for PS-Phive, it's got good code in it :-)...

Post automatically merged: Feb 17, 2023

**This Attached sketch if only for testing if a replacement lcd screen works**

FIY for those that break their LCD screens by accident , or bought a dongle without one but want to add one, you can use a replacement - TFT Display Module IPS Color Screen SPI For LCD 80x160 ST7735 Drive Welded Spliced Link.

The same that's here: (the one with the thin connector)
https://www.aliexpress.com/item/1005001900221889.html?spm=a2g0o.cart.0.0.6efe38daD1yIfb&mp=1

The only thing is, that you will need to use different drivers - the ones from Adafuit work.
https://github.com/adafruit/Adafruit-ST7735-Library

I'v attached a test sketch I made for testing the replacement lcd on the dongle.

 

[bigking94]

Hello, I have the following problem with the bot.

I get my bot token and also my chat ID.

But if I enter both in the Config menu, I get an error message (see screenshot).

What can be the reason?

Thanks for tips.


Note : PS4 is in home network with S3 dongle and I use DNS Al-Azif "165.227.83.145, 192.241.221.79

Unfortunately, I always get the error message 0x0000000007



Can you help me that the bot works for me, where do I make the mistake?

Thanks

Post automatically merged: Feb 18, 2023

Have the S3 stick, now prepared exactly as you wrote. With the No-OTA partition !

I now have 14.22MB free, the stick is in my WLAN network and has access to the Internet.

At the same time PS-Phive!_v3-mod is now installed or uploaded. Index2.html works great.

I'm really excited about your work ^^

I only have the problem with the Telegram Bot, it doesn't work for me!

hope you can help !

 

[mrdude]

Hello, I have the following problem with the bot.

I get my bot token and also my chat ID.

But if I enter both in the Config menu, I get an error message (see screenshot).

What can be the reason?

Thanks for tips.


Note : PS4 is in home network with S3 dongle and I use DNS Al-Azif "165.227.83.145, 192.241.221.79

Unfortunately, I always get the error message 0x0000000007

View attachment 354052

Can you help me that the bot works for me, where do I make the mistake?

Thanks

Post automatically merged: Feb 18, 2023

Have the S3 stick, now prepared exactly as you wrote. With the No-OTA partition !

I now have 14.22MB free, the stick is in my WLAN network and has access to the Internet.

At the same time PS-Phive!_v3-mod is now installed or uploaded. Index2.html works great.

I'm really excited about your work ^^

I only have the problem with the Telegram Bot, it doesn't work for me!

hope you can help !

The telegram bot works fine for me, so I am not sure what you are doing wrong. I just put in the chat id and token and press save. Do this on a PC web browser, not the PS4 web Browser, then make sure on your phone or device that has telegram installed that you start the bot - as per in the guide that is linked. Also if you click on settings/user guide this is faster for glitching. Only use PS-Phive if you want to run other payloads, best to set the usb timeout to 3000 for this as you'll get less errors. I've updated the firmware and PS-Phive files since I posted last, but I still have a couple more changes to make and then I'll upload the new version which has some extra tweaks, maybe tomorrow or Monday.

 

[bigking94]

Thank you that was it, it worked perfectly on the PC ^^.....Now the chat bot works perfectly.

THANK YOU THANK YOU THANK YOU

PERFECT !!!

My new favorite PS4 Hack Stick ^^

 

[mrdude]

No worries, Yes I also love this dongle compared to others - just because there's no soldering, a large 16MB flash storage, the LCD, the button, and the addressable led all in such a small package. It's perfect for noobs and pretty can do everything and more that other dongles can do. Also if you ever get bored you can us it for other stuff - such as a USB Rubber Ducky :-).

 

[bigking94]

That's great news from you. I'm looking forward to further updates and renewals of the S3 stick ^^

really love it.

The gimmicks are also funny with the part ^^

Thank you for your work! ^^

Post automatically merged: Feb 18, 2023

Tell me can you also install a function with which , I can turn the S3 back on and off Manuel?

I find it a bit stupid that the stick always goes out after the hack has gone through.

Maybe you could put something in for that , on / off switch !

Thank you

 

[mrdude]

That's great news from you. I'm looking forward to further updates and renewals of the S3 stick ^^

really love it.

The gimmicks are also funny with the part ^^

Thank you for your work! ^^

Post automatically merged: Feb 18, 2023

Tell me can you also install a function with which , I can turn the S3 back on and off Manuel?

I find it a bit stupid that the stick always goes out after the hack has gone through.

Maybe you could put something in for that , on / off switch !

Thank you

I did that on purpose because once the payload has been sent there's no need to keep the dongle on, but I might add a chatbot command to turn it back on, also I am adding a feature to the config page so that you can use PS-Phive instead of the default hack so you can use PS-Phive from the user guide. Maybe I'll also add a setting to the config page so you can choose the deepsleep the dongle or not once the payload is sent. It's not much coding, I'll mabye do that sometime this week.