[AIO] PS4 Exploit Guide

so that was a downgrade?

 

Not a true downgrade. The dumps of syscon and sflash from lower fw (in my case 6.72) are able to replay the nonce message back to samu.
This is part of snvs which is encrypted so we can't read that part. If we could, downgrading would be possible

 

hello there everyone....
so here is what i did now.
started my ps4 system which i had shutdown as per my previous post.
system clock showing 1-1-1970/05:30
reset the time manually as it asks to update the system and connect to psn to do it via internet when set to automatic and set now.
then went to my exploit page of v10. tried to load exploit + hen. the system crashed.
rebooted my ps4.on starting it rebuilt its database automatically as it always does when the system crashes.
on complete booting it had given me a message saying an error had occurred the last time error code ce-36329-3. do you want to report. i chose do not report and continued to my home page.
checked the date and time. it was again back to 1-1-1970/ 05:30 am.
reset the time again.
went to v10 in browser and loaded exploit + hen 2.1.3
this time no crash. tried to start the game and it gave me error ce-30391-6 and logged me out.
logged in again and loaded the ToDex. and tried to start my jailbroken game again.
kicked me back to homepage giving the error ce-32875-5.
i am also posting the picture of the first error here.

you can also see the video of the process after the second reboot here

 

@lilalex , still sure you want to exploit your system? there are tons of issues doing so. and, it looks like yet another person's hdd has failed from kernel panics. he lost all saves too. I put all my games on an external hdd, but a kernel panic will force a restore of an external hdd as well as the internal hdd. it takes like five minutes to scan over 7TBs for me.

 

@Ballbag So if i understand this correctly, this procedure resets the system version to its original 'shipping' state. But you can't just 'jump' between those two flash memories to apply any firmware because this communication is encrypted. Correct?

Can't the system time be set directly on the flash, without soldering? Therefore setting the time in the PS4 menu is just setting a delta value relative to the cmos clock?

Let's recap

- exploit + hen, crash, rebuild database, ce-36329-3 (Error with an application or system software)
- system time is 1-1-1970
- manually set time to now
- exploit + hen, NO crash
- start game, crash ce-30391-6 (System Error), log out
- (what's the system time?)
- log in, todex, start game, crash ce-32875-5 (devkit expired)

As @KiiWii and me (https://gbatemp.net/threads/aio-ps4-exploit-guide.497858/page-433#post-9274841) mentioned, first you should try to change the CMOS battery.

 

@KiiWii well the 30391-6 was fixed by running the ToDex payload.
i hope so it is only the cmos battery now cause almost for about 11 months my ps4 was not in use as i was stuck onboard during the pandemic. so yeah.....maybe the battery is the issue or atleast i hope it is and nothing else. i havent tried replacing the battery yet as i am not confident with my skills in handling electronics but i guess i have to do it.
if the problem still persists then i guess i have to leave my ps4 on the shelf for now and do good with my ps3 and nintendo switch.....and wait for the exploit on 7.02 or higher. but will be checking the thread for some fix regularly as in 11 months i have missed a lots of games to play.

— Posts automatically merged - Please don't double post! —

@Ballbag i had reset the time to now every time after the crash.

 

is that the rtc time? I know you can change it with godmode on the 3ds, but I know of no way to change the ps4's.

— Posts automatically merged - Please don't double post! —

I don't know if just resetting the clock in the home menu will work. on the 3ds, you reset the clock in godmode. that's for rtc. if you make a nand backup or something, it uses the rtc time to create the file from what I remember. altering the home menu time does nothing to the rtc.

 

@godreborn That's what i'm wondering about too. I guess @Ballbag knows the exact technical details. Another thing which is conspicuous, is that the system time is still 1-1-1970 since yesterday. Thus every time the ps4 restarts (short cutoff of electrical current to the cmos) its 1-1-1970? Well, to me it more and more likely the cmos battery is completely broken.

 

@godreborn. just for my clarification......replacing cmos battery will reset the rtc clock? i mean the whole idea of replacing it is about the rtc time which is suspected to cause the issue....right?

 

I dunno. that's a likely possibility. I changed the rtc of my 3ds to the real time. it's now a part of the 3ds tutorial from what I remember. I'd imagine rtc is how it determines whether a time-active game can be played on the ps4. I know rtc on the 3ds is what's used for certain time sensitive things in 3ds games like animal crossing, so you can't simply change the time in the home menu to cheat. it uses rtc, which without a cfw system, you can't change.

 

@vivekanand No, but a new battery will 'hold' the cmos clock. You said, you already hat to reset the system time after every reboot. Well, just let me construct something. Your system did work because there has been electric current long enough to set the OS System time. Any software running does see 'check, time is ok'. Now your battery is so broken, there isn't even enough time to set OS System time on boot up.

And the most irritating thing about this ... it's even not an issue of any kexploit. This can happen to any PS4. And if it does, you are forced to connect to some Sony Server to update the cmos clock?! Wow ...

 

imo, the playstation clocks are shit. I've had two ps3's that when reset in the xmb are off by like three minutes after a few days. they stay that way. the wii u doesn't have this problem.

— Posts automatically merged - Please don't double post! —

btw, there's a syscall for rtc with the ps3 from what I remember, so there's probably one with the ps4, which may be why it keeps resetting from a software standpoint.

 

I hope so. Because if just replacing the CMOS battery doesn't work, because also the system time has to set afterwards every kexploited PS4 is 'doomed' in some future day.

 

well, I'm just speculating. I've never tried changing the cmos battery of the ps4. that does sound like the cause though. afaik, it's turned on the moment it leaves the factory, so the rtc time and the home menu time will not be in sync. I think the rtc time is probably what determines when or if you can play a particular title. since it can't be changed normally, it's used instead of the normal clock. the normal clock would be a major fuck up in security. I'm assuming that the rtc time is what's used here. I know that's the purpose of it on the 3ds (to prevent cheating).

 

https://www.psdevwiki.com/ps3/LV2_Functions_and_Syscalls

looks like the rtc syscall is 119 according to devwiki (at least with the ps3).

— Posts automatically merged - Please don't double post! —

I've heard of serious bugs with the ps5's firmware (at least the initial one). lmao.

 

More interesting to me is 146: int sys_time_set_current_time(uint64_t sec, uint64_t nsec). What does the 'root' flag mean? I know what's a root, but not in the context of that list. Is this a syscall which we don't have control or access to?
@KiiWii I don't know for sure, but i suspect this can even happen with PS5. This device is assembled with a working cmos battery and an up to date set system time. If there's some break of electrical current it may fall back to 1-1-1970 too. In that case it depends on the system software whether it's allowed to some software.

 

The PS4 rtc bug is rare,could be based on a hardware fault or also software related. Seems all software problems are gone with the todex payload, but the payload won't work for all hardware faults. Here is a thread about it: https://gbatemp.net/threads/ps4-slim-error-ce-30391-6.546248/

 

@susi91 This thread is really interesting!
@vivekanand https://gbatemp.net/threads/ps4-slim-error-ce-30391-6.546248/page-6#post-9254188 you happend to link a video just about this issue this month