Hacking Debug ELF ps4 files by IDA Pro

[Rextor]

Hello friends.
I want debug elf ps4 module's dynamical with IDA Pro.
How can i connect ida to the ps4 ?
in fact im using 7.51 modules, btw should i use same version for ps4 too?
any references or etc... ?

 

[godreborn]

unfself the eboot or modules, use loader.

 

[Rextor]

unfself the eboot or modules, use loader.

I am so sorry, btw can you explain more ?
have any link (info) from this loader ?
and what you mean unfself the eboot or modules exactly ? is it about the ps4 ?
i mean in general am i need the jailbroken ps4 ?

 

[godreborn]

you need a fake pkg, yes. can't unself an official pkg. the system has to do that work without keys. here's unfself (don't have the loader). unfself is basically a fake encrypted self file (hence the name). you need them to install a game on the ps4:

--------------------- MERGED ---------------------------

just drag and drop the eboot.bin, prx, or sprx into it, and you'll have an elf file which can be read by the loader, which as I said I don't have.

 

[Rextor]

Already i have the ELF file to analyze, just now i don't know how can i debug it as dynamic mode in IDA.
i don't know how can i setup the ps4 + IDA for this action.
maybe we don't need the ps4 as you told about that Loader ? is this a Plugin for IDA or ... ?

 

[godreborn]

yes, if the files are already decrypted by the system, no need to use unfself. however, if they're in a pkg:

eboot.bin-decrypted is the eboot.elf (it will say this with selfutil if you use that instead). and, yes, the loader is a plugin for IDA or probably ghidra as well. you can look for it. I deleted all of my backport stuff after hearing about the new mira. I won't be a part of the scene after that is released, because it makes ps4 stuff too easy, and imo, it retards the scene greatly. no one reads shit after that.

--------------------- MERGED ---------------------------

here's with selfutil (makes it an eboot.elf, but it's a different size. I prefer unfself, since even right.sprx works with it):

--------------------- MERGED ---------------------------

try this: https://github.com/balika011/belf

 

[Rextor]

Can i send you a private message ?
how can i do it ?

 

[xZenithy]

I don't know this little tool unself, I have to do it manually a take me 10 min more or less. Now, 30 seconds and the file is decrypted..

@Rextor, the explanation of Redreborn is totally correct.

for me experience, the problem is there are a few loaders/plugin and few of them only works for the exact IDA version.
Example, I have found a public loader/plugin for IDA:

https://github.com/SocraticBliss/ps4_module_loader

But no works for me... You can try it and let me know if it works for you or not..

 

[Rextor]

@xZenithy, @godreborn, thanks for information.

I have the files decrypted already. Loaders can't help us to debug it dynamical.
IDA need an Host to do it correctly. so i need install a debug server on ps4 and connect it to IDA

I need dynamic debug because i need some generic fields in this file. in fact im not debuging a Game or App, its a Module of firmware.
also there are some functions using pointer to jump to another block, so i can't see what is this address without debug.

 

[godreborn]

that, I'm not sure how to do. I did decrypt the entire file system, but I don't know about creating a remote link with the ps4 to debug the files.

 

[godreborn]

@KiiWii may know of a way to do this, since he brings news of lots of different apps, scripts, etc. in his aio thread. one of them may do exactly what you're wanting. I think the ps3 uses prog dg (don't know of a ps4 equivalent).

 

[KiiWii]

@KiiWii may know of a way to do this, since he brings news of lots of different apps, scripts, etc. in his aio thread. one of them may do exactly what you're wanting. I think the ps3 uses prog dg (don't know of a ps4 equivalent).

Neighbourhood can remotely load debug/unsigned apps.

 

[godreborn]

I'm not sure if that's what he's wanting. I thought he wanted to debug an official module from the firmware.