Hacking How to compile a payload to bin format

[Muxi]

Hi,
is there anyone who can help me to compile a payload from a source in bin format?

What I want to do:
I would like to integrate my self-created ApplicationCache.db into stooged's Cache Install Payload so I can install my exploit menu directly by sending this payload. (Then I do not have to install my ApplicationCache.db over an external USB medium with the payload of stooged, and can do that directly by sending this payload.)


What I have done so far:
1. I have installed VirtualBox and set up Ubuntu 64bit.
2. Then I loaded PS4 SDK from xvortex and installed llvm, binutils and sqlite3 as well.
3. Then I assigned the path to PS4-Sdk and built libPS4 and libusbfatfs.
4. Last I loaded the source of cache install from stooged's github and replaced the existing applicationcache.sql in folder sql with mine.


I have also managed to create some bins from the examples from the PS4SDK with the command "make", but that does not seem to work with the source of stooged. I have to say that I have no idea about Linux, and I do not know the commands. Can someone tell me how I can solve this? Is it just a specific command line to enter in the terminal, or does something else have to be done? I would be very grateful if someone could help me further. Thanks in advance!

 

[MostlyUnharmful]

To build Stooged's Cache_Install, cd in the dir and launch "./build.sh" (dot slash build.sh) (if it doesn't work because build.sh isn's executable you can chmod it or launch it with "sh build.sh")...

 

[Muxi]

To build Stooged's Cache_Install, cd in the dir and launch "./build.sh" (dot slash build.sh) (if it doesn't work because build.sh isn's executable you can chmod it or launch it with "sh build.sh")...

Thank you for your reply.
When I enter the command "./built.sh, the message" bash: ./build.sh: no legitimation" appears (I do not know if my translation is correct because my system language is not English)
And if I enter "sh build.sh", the following message appears: "build.sh: 11: build.sh: pushd: not found"

What do you mean by chmod it?

 

[KiiWii]

If only we could have portable GUI tools to do these tasks.

A simple payload editor.

Good luck OP!

@Muxi while I think of it (and I know you can just clear the cache) but perhaps a payload to install a blank cache as a cache remover would be useful? Thanks in advance!

 

[Muxi]

@KiiWii yes you're right. There are so many gui solutions for everything, but not for compiling or editing payloads.
I could not find any instructions so far, so my request here in the forum.

 

[KiiWii]

@KiiWii yes you're right. There are so many gui solutions for everything, but not for compiling or editing payloads.
I could not find any instructions so far, so my request here in the forum.

Well @MostlyUnharmful is a fountain of knowledge, so hopefully he can guide you to success

 

[MostlyUnharmful]

I was in a rush so it was terse, anyway "pushd" is a "bashism" (I think it was copied from Ksh, another shell), so "bash build.sh" should work ("sh" is the Posix shell, Bash is the Ubuntu default shell). Or you can "chmod +x build.sh" and launch it directly ("man chmod" for the details, scripts and commands/programs files need the execution bit set to be launched)...

P.S. to launch it don't forget the "./"

 

[stooged]

@Muxi
if you ARE on windows 10
setup the compile environment using this tutoral
https://sce.party/?page=tutorials&tut=how-to-setup-ps4sdk-windows-10

when you get to Part 2: Installing the SDK on Bash install ubuntu for windows before continuing
https://tutorials.ubuntu.com/tutorial/tutorial-ubuntu-on-windows

once that is done continue with part 2 of the tutorial

when you get to the part that says to "pull the SDK" use the sdk from my repo because it has been modified for my payloads.
use this to pull the SDK
git clone https://github.com/stooged/ps4-payload-sdk

when you get to the end of the tutorial, before you close the bash window install SQLite by running this command
sudo apt-get install sqlite3

once that's installed close the bash window.

if all of that worked properly you can just go to the source code folder in windows and double click win-make.bat and the payload will compile.


--------------------------------------------------------------------------------------------------------


if you ARE NOT on windows 10 you have to use a VM with ubuntu and in your VM setup my fork of the payload sdk
https://github.com/stooged/ps4-payload-sdk
you said you had installed SQLite so that's done.

you can just go to the source folder inside the vm, right click inside the folder that contains build.sh and select open terminal.
then type into that window ./build.sh

 

[Muxi]

Thanks for the infos @MostlyUnharmful and @stooged.
Although I have Windows 10, I tried to setup ubuntu on windows before by the tut you mentioned @stooged, but was not able to finish the setup. I could not install bash on ubuntu on windows and failed at this step (Probably because I do not have a microsoft account). Hence the variant with VM. I have now loaded and set up your SDK version. With the command "./build.sh" I could create two folders (bin and html) which contain the corresponding file. But the created cache_Install.bin has a size of about only 8kb. But my cachedb has a size about 2mb.
I noticed that the applicationcache.h from the folder "include" now has a size of more than 2mb (before, it was something like 40kb). Then I tried with "make" in the Cache_Install folder - same result, a Cache_Install.bin with 8kb.
Is there another step to take?

In the attached pic you can see the result of the execution. (my system language is german)

 

[MostlyUnharmful]

Did you cloned and used his "ps4-payload-sdk" repository?

I tried here to build it and the Cache_Install.html payload is a little bigger than 6 MB. Last time I've looked, all the PS4 payloads sources used manually crafted linker scripts that never worked well with the binutils version in Debian Stretch (what I'm using, for the records 2.28-5), in the best scenarios they produced bigger executables, in the worst case they failed the linking phase. Few months ago I tried to find a version compatible or a way to fix the incompatibility but I got bored and it went in my TODO list.

@stooged can confirm, but IIRC he mentioned somewhere he's using Ubuntu 16.10 (not sure about the exact release).


P.S. if you temporarily want console messages in English you can "export LC_ALL=C"...

 

[stooged]

omg vm's are total ass lol

I tested a compile in a VM using ubuntu 16.04 and it compiled fine.

try get a fresh copy of the cache install source and just compile it without editing it
you should get

/bin/Cache_Install.bin = 2.3mb
/html_payload/Cache_Install.html = 6.2mb

with windows 10 bash I don't think it works with the ltsb version and its best to have the recent fall creators update 1803

--------------------- MERGED ---------------------------

he mentioned somewhere he's using Ubuntu 16.10 (not sure about the exact release).

I used to use virtualbox and ubuntu 16.04 but now I use 16.04 through windows bash using notepad++ as the editor.
its soo much easier, that's why all the recent sources have the win-make, just double click to compile.

 

[Muxi]

@stooged
I have now managed to compile it by using a clean source (cache_install 9). However, not my menu is transferred to that, but that of you, even though I had changed the applicationcache.sql.
Strange.......

Edit:
and also something strange .....I copied the bin into the payload folder of my Android phone. After sending this payload with ps4serve3, then it was in html format in this folder.

 

[stooged]

there is probably an error in your sql code that is preventing the db being created during the compile.

 

[Muxi]

@stooged I have used DB-Browser for SQLite version 3.10.1, Qt-version 5.7.1, SQLCipher-version 3.15.2 to convert to sql format. Maybe this is due to the tool? Are there alternatives for that, maybe a command line for sqlite3?

btw... is it necessary to delete the cache beforehand manually, or does your "cache install" also erases the existing cache during the installation? I've heard from users that there should be problems if the cache is not deleted, but just overwritten.

 

[Muxi]

@stooged I have done it now. It was not an issue of the sql file. I took the html version instead of the bin, and sent it with PS4Serve3, but will not work on it for the time being, because it only worked once, otherwise only Kernelpanics.
The best method for now I think, is the one with the applicationcache.db over USB.

 

[KiiWii]

@stooged can this appcacher be modded to be like: run once, install db on usb (or internal db if not found). Run twice to wipe blank the cache?

Or a separate payload to wipe it?

 

[Muxi]

@KiiWii
It would be good if an erase function would be done already while executing the payload so that the installation takes place in a clean cache. (I do not know if that's going to happen anyway)
It would also be nice to have some kind of ApplicationCache.db dumper payload, so in principle a backup just for these purposes.
The DB_SG_Backup does this already, but if a large amount of data (gamesaves) to be backed up, this process can take a long time.

 

[stooged]

@KiiWii
it could be modded to do that but don't forget you can delete the cache by going to the browser settings > clear website data
I figure it would be better to delete it that way so the payload is not run by accident wiping out the cache.


@Muxi
the bin loader that was released with the 505 exploit does not handle large payloads so when you send a large bin file it will kpanic
so you need to use the html file and I have not tested the limit of that.

ps4serve3 can send both .bin and .html files that are located in the ps4_50x_payloads folder but again the limitations are on the size of payloads the console will allow before it panics

here is a stripped down source of the original just for loading the db from usb USB-Cache-Install.zip it has no internal cache so the .bin payload will be about 8kb.


to backup the ApplicationCache.db to usb you can use DB_SG_Backup
you will find the backup copy on the usb drive in \UserData\user\system\webkit\webbrowser\appcache

 

[Muxi]

@stooged
Thank you for your prompt reply. The usb-only payload I have already received from a user who had contacted you. Thanks a lot for this.
My compiled htmls are between 6 and 15MB in size. But as I said, KPs.
Do you know something about the size limitation of the Applicationcache.db?

 

[stooged]

@Muxi
I just realized what you said about the db backup taking a long time because of large save data so I made a modified copy of db backup to just dump the database files

https://github.com/stooged/DB_SG_Backup-50X/releases

you will find a "database only" copy named "DB_Dackup"
that will just dump the app.db, addcont.db, av_content_bg.db and the ApplicationCache.db to usb.

as for size limitation on the ApplicationCache.db I don't think there is one on the actual file.
the limitations are on the payload sending because we need to allocate memory for that and it seems when you allocate too much the console panics a lot.