Hacking Project Lilygo-T-Dongle-S3-PS4-Payload-Launcher

[Puky70]

Finally got it online

Post automatically merged: Mar 10, 2023

@mrdude hwy your flasher program, what does the dump do? It dumps the files or makes a bin file?

Here he described the procedure:

https://gbatemp.net/threads/lilygo-t-dongle-s3-ps4-payload-launcher.625161/post-10085903

Regards

Puky70

 

[zazo]

Hi mrdude.
I wonder if i can use your files on lilygo t7-s3

 

[mrdude]

Hi mrdude.
I wonder if i can use your files on lilygo t7-s3

LCD stuff won't work, either will the onboard led. Also because that board has PSRam, you'd be crazy not to take advantage and use that. Probably the bin will work on most esp32-s3 boards,that have onboard flash, try and see. However I suggest you get the source from github and mod it for your own board.

 

[zazo]

LCD stuff won't work, either will the onboard led. Also because that board has PSRam, you'd be crazy not to take advantage and use that. Probably the bin will work on most esp32-s3 boards,that have onboard flash, try and see. However I suggest you get the source from github and mod it for your own board.

im runing it now on the board. jailbreak and pshive work but i dont know how to add payloads to the menu..
i wonder if you can help me to mod it for my board?
i really dont know how everthing work with this im soo new in this to setup and mod the files for the board

 

[mrdude]

im runing it now on the board. jailbreak and pshive work but i dont know how to add payloads to the menu..
i wonder if you can help me to mod it for my board?
i really dont know how everthing work with this im soo new in this to setup and mod the files for the board

I don't do custom firmware for other people and I don't do requests. I posted the source on github so can do this yourself, If you are unable to,I suggest you pay someone for their time and skill to do it for you.

 

[zazo]

I don't do custom firmware for other people and I don't do requests. I posted the source on github so can do this yourself, If you are unable to,I suggest you pay someone for their time and skill to do it for you.

Ok. Thank you.
But i think you have done a nice work on this exploit and thank for all the help i got so far

 

[mrdude]

FYI for those that like messing about with the source code, here's an old school starfield effect I made for the lcd screen....

#include"TFT_eSPI.h"

//Define LCD pins
#define TFT_CS_PIN     4 // Chip select control pin
#define TFT_SDA_PIN    3 // Serial Data pin
#define TFT_SCL_PIN    5 // Serial Clock pin
#define TFT_DC_PIN     2 // Data Command control pin
#define TFT_RES_PIN    1 // LCD Reset pin
#define TFT_LEDA_PIN   38 // LCD Backlight - set 0 for on and 1 for off

unsigned long nowMillis;
unsigned long startMillis;
uint8_t stardelay = 35; //higher the number the slower the stars

//Define LCD Screen Size
#define DISPLAY_WIDTH 160 //set tft screen width
#define DISPLAY_HEIGHT 80 //set tft screen height

#define STARS 80 //amount of stars to show on screen

float star_x[STARS], star_y[STARS], star_z[STARS];

void initStar(int i) {
  star_x[i] = random(-100, 100);
  star_y[i] = random(-100, 100);
  star_z[i] = random(100, 500);
}

TFT_eSPI tft = TFT_eSPI();

void showStarfield() {
  int x,y;
  int centrex,centrey;
 
  centrex = DISPLAY_WIDTH / 2;
  centrey = DISPLAY_HEIGHT / 2;
 
  for (int i = 0; i < STARS; i++) {
    star_z[i] = star_z[i] - 7;

    x = star_x[i] / star_z[i] * 100 + centrex;
    y = star_y[i] / star_z[i] * 100 + centrey;

    if(
      (x < 0)  ||        (x > DISPLAY_WIDTH) ||
      (y < 0)  ||        (y > DISPLAY_HEIGHT) ||
      (star_z[i] < 1)   
      )
    initStar(i);
    tft.drawPixel(x, y, TFT_WHITE);
  }
}

void setup(void) {
  tft.init();
  tft.fillScreen(TFT_BLACK);
  tft.setRotation(1);
  startMillis = millis();
  for (int i = 0; i < STARS; i++)
    initStar(i);
}

void loop() {
  nowMillis = millis();  //get the current "time" (actually the number of milliseconds since the program started)
  if (nowMillis - startMillis >= stardelay)
  {
    tft.fillScreen(TFT_BLACK);
    showStarfield();
    startMillis = nowMillis;
  }
}

I was just messing about to see how it looked, I might implement it with a starwars style text scroller just for the fun off it.

Post automatically merged: Mar 24, 2023

Here's an oldschool fire effect;

#include "Arduino.h"
#include"TFT_eSPI.h"

//Define LCD pins
#define TFT_CS_PIN     4 // Chip select control pin
#define TFT_SDA_PIN    3 // Serial Data pin
#define TFT_SCL_PIN    5 // Serial Clock pin
#define TFT_DC_PIN     2 // Data Command control pin
#define TFT_RES_PIN    1 // LCD Reset pin
#define TFT_LEDA_PIN   38 // LCD Backlight - set 0 for on and 1 for off
#define DISPLAY_WIDTH 160 //set tft screen width
#define DISPLAY_HEIGHT 80 //set tft screen height
#define MAXPAL 4

TFT_eSPI tft = TFT_eSPI();

uint16_t matrix[16384 + DISPLAY_WIDTH];
uint16_t backBuffer565[16384];
uint16_t color[200 * (MAXPAL + 1)]; // 2 palettes and current pallet space.
uint8_t pallet = 1;
uint8_t maxPal = 0;
uint32_t XORRand = 0;

// A standard XOR Shift PRNG but with a floating point twist.
// https://www.doornik.com/research/randomdouble.pdf
float random2(){
  XORRand ^= XORRand << 13;
  XORRand ^= XORRand >> 17;
  XORRand ^= XORRand << 5;
  return (float)((float)XORRand * 2.32830643653869628906e-010f);
}

void makePallets(){
  // 0b00011111 00000000 : blue
  // 0b00000000 11111000 : red
  // 0blll00000 00000hhh : green
  // Flame effect pallet
  for (int i = 0; i < 64; i++){
    uint8_t r = i * 4;
    uint8_t g = 0;
    uint8_t b = 0;
    color[200 + i] = ((g & 0b00011100) << 11) | ((g & 0b11100000) >> 5) | ((b & 0b11111000) << 5) | ((r & 0b11111000));
    r = 255;
    g = i * 4;
    b = 0;
    color[200 + i + 64] = ((g & 0b00011100) << 11) | ((g & 0b11100000) >> 5) | ((b & 0b11111000) << 5) | ((r & 0b11111000));
    r = 255;
    g = 255;
    b = i * 2;
    color[200 + i + 128] = ((g & 0b00011100) << 11) | ((g & 0b11100000) >> 5) | ((b & 0b11111000) << 5) | ((r & 0b11111000));
  }
  uint8_t r = 255;
  uint8_t g = 255;
  uint8_t b = 64 * 2;
  for (int i = 192; i < 200; i++){
    color[200 + i] = ((g & 0b00011100) << 11) | ((g & 0b11100000) >> 5) | ((b & 0b11111000) << 5) | ((r & 0b11111000));;
  }  
  // Cold flame effect pallet
  for (int i = 0; i < 200; i++){
    uint8_t r = (i > 100) ? (float)(i-100) * 1.775f: i / 3.0f;
    uint8_t g = (i > 100) ? (float)(i-100) * 1.775f: i / 3.0f;
    uint8_t b = (float)i * 1.275f;
    color[400 + i] = ((g & 0b00011100) << 11) | ((g & 0b11100000) >> 5) | ((b & 0b11111000) << 5) | ((r & 0b11111000));
  }
  // Black and white pallet
  for (int i = 0; i < 200; i++){
    uint8_t r = (float)i * 1.275f;
    uint8_t g = (float)i * 1.275f;
    uint8_t b = (float)i * 1.275f;
    color[600 + i] = ((g & 0b00011100) << 11) | ((g & 0b11100000) >> 5) | ((b & 0b11111000) << 5) | ((r & 0b11111000));
  }
  // Green flame effect pallet
  for (int i = 0; i < 200; i++){
    uint8_t r = (i > 100) ? (float)(i-100) * 1.175f: i / 5.0f;
    uint8_t g = (float)i * 1.275f;
    uint8_t b = (i > 100) ? (float)(i-100) * 1.775f: i / 3.0f;
    color[800 + i] = ((g & 0b00011100) << 11) | ((g & 0b11100000) >> 5) | ((b & 0b11111000) << 5) | ((r & 0b11111000));
  }
}

void usePalette(uint8_t pal){
  uint16_t palOffset = pal * 200;
  for(uint16_t i = 0; i < 200; i++){
    color[i] = color[palOffset + i];
  }
}

void setup(){
  tft.init();
  tft.setRotation(1);
  tft.fillScreen(TFT_BLACK);
  XORRand = esp_random();
  makePallets();
  usePalette(1); //1-4
}

void loop(){
  // Heat up the bottom of the fire.
  for (uint16_t i = 16384; i < 16384 + DISPLAY_WIDTH; i++) {
    matrix[i] = 300.0f * random2();
  }
  // Nasty floating point maths to produce the billowing and nice blending.
  for (uint16_t i = 0; i < 16384; i++) {
    uint16_t pixel = (float)i + 160.0f - random2() + 0.8f;
    float sum = matrix[pixel] + matrix[pixel + 1] + matrix[pixel - DISPLAY_WIDTH] + matrix[pixel - DISPLAY_WIDTH + 1];
    uint16_t value = sum * 0.49f * random2() + 0.5f;
    matrix[i] = value;
    if(value > 199) value = 199;
    backBuffer565[i] = color[value];
  }
  backBuffer565[0] = 0;
  backBuffer565[1] = 0;
  backBuffer565[2] = 0;
  backBuffer565[3] = 0;
  tft.pushImage(0, 0, DISPLAY_WIDTH, DISPLAY_HEIGHT, backBuffer565, 16384);
}

Post automatically merged: Mar 25, 2023

FYI for those that want to code the lcd colours themselves you need to use RGB565 hex codes. I couldn't find a decent offline convertor so I ended up just making one myself (64bit version).

I've attached it to the first post for those with an interest in these things.

 

[mrdude]

OP updated, added updated flashing tool + new firmware with some tweaks and embedded goldhen v2.4b5_900.

 

[mrdude]

OP - firmware updated, the following error checks added to the loader.

USB Wait time - minimum time is capped at over 1800 milliseconds, less than this will give a trigger warning so has been limited. I suggest 2000 if using the inbuilt goldhen, or 3000 if using PS-Phive files.

If the default payload name or payload bin is blanked in the config page - the onboard goldhen will still be used.

After usb disable code is run (same as unplugging a usb stick), the exploit code will wait 0.5 seconds before continuing, this is to give the chip time to reboot (unmount the usb), before the glitch code continues when the payload is sent.

 

[mrdude]

OP Firmware updated.

Moved exfat hax and some strings into PROGMEM to allow more space in SRAM for variables. Added fire effect to lcd display to prevent lcd screen burn when on for a long time, Added get internet date and time (GMT) to display, probably I'll add an option to the config page so you can set to your own timezone (but at a later date). Some random code mods/cleanup. Added file caching.

 

[wolf_]

Can anyone tell me if this will work on this chip?

Post automatically merged: Apr 5, 2023

Everything I find is for the s2 model

 

[mrdude]

Can anyone tell me if this will work on this chip?

Post automatically merged: Apr 5, 2023

Everything I find is for the s2 model

No, the code in the OP is specifically made for this dongle, if you want code for that other chip in the photo have a look at @Leeful code he made for esp32-s2, that should work on your chip but you will probably need to mod it for your pin mapping such as onboard led.

 

[laz305]

Looking forward to it laz305.

Thank You

can be found here
https://t.me/laz305_ps4

 

[OniAle]

First i want to thank you for you amazing work!
I managed to start goldhen correctly but I didn't understand how to access the PS-Phive menu.

 

[Nullinga]

Great Work ! Thanks for all

i update yesterday but now the Display is rotate to the other Side...

can you add an option to rotate the display in Settings ?

 

[bigking94]

An option to rotate the display would be really great.
Could you please install something like that?

Thank you very much for your great work.

Post automatically merged: Apr 12, 2023

First i want to thank you for you amazing work!
I managed to start goldhen correctly but I didn't understand how to access the PS-Phive menu.

Here please for you a full dump for the S3 with PS-PHIVE + GoldHen 2.4b5 ^^ Just flash done.

Download : https://magentacloud.de/s/TD53qyxGEcYfPSk

Have fun

 

[mrdude]

Great Work ! Thanks for all

i update yesterday but now the Display is rotate to the other Side...

can you add an option to rotate the display in Settings ?

I rotated it because when the dongle is in the PS4 or a USB hub it's easier to read for me.

 

[OniAle]

An option to rotate the display would be really great.
Could you please install something like that?

Thank you very much for your great work.

Post automatically merged: Apr 12, 2023

Here please for you a full dump for the S3 with PS-PHIVE + GoldHen 2.4b5 ^^ Just flash done.

Download : https://magentacloud.de/s/TD53qyxGEcYfPSk

Have fun

Oh great thanks!
Do i have to flash the dump.bin file with FlashingTool?
Could you explain me how to make this kind of .bin file?

 

[bigking94]

Oh great thanks!
Do i have to flash the dump.bin file with FlashingTool?
Could you explain me how to make this kind of .bin file?

Just flash the Dump.bin and have fun.

Post automatically merged: Apr 12, 2023

I rotated it because when the dongle is in the PS4 or a USB hub it's easier to read for me.

An option to rotate the display would be perfect.

I would like to have it the other way around.

Thank you.

 

[mrdude]

OP firmware updated, added option to rotate the LCD display in the web interface config page. NOTE: Flash mode has been changed from DIO to QIO (for faster flash read/writes) so you will probably need to flash the bootloader as well as the firmware, check in the config page after you flash to make sure you are showing fat fs Total Size: 11.75 MB, if not flash the partitions bin as well.