Hacking [Release] PS-Phive! (ForPS4 6.72) Exploit Host Menu

  • Thread starter: Leeful
  • Views: 170,505
  • Replies: 462
  • Likes: 57
^^ @Leeful but if you look closely at the jb.js we have just now... on that same site, to reach the return value 179 the full jb.js must be processed. Yes, I know that on a second try it needs less time, but that way is a problem, because we NEED to run the kernel exploit with an initial delay to avoid the KP, only the first time... see the problem?
But the jb.c source has that 179 value check in its init, no? Just near the first thing it checks...

Related to todex and toretail: from the collective I compiled todex yesterday, and I also knew that the toretail ID is 0x87 from examining your payload for this PS-Phive. None of them work; in fact, none of the 'todex' payloads I can find out there work on 7.55. I don't see the stars options, and by the way I can't know if my compiled toretail works or not.

But I did find on pshax a guy who shared an extremely little todex.bin file that works, and the stars settings did appear. Soooo I don't know what is happening with this source.....
 
Last edited by xalfie,
Reactions: Leeful
There are no 75x todex offsets set in the Scene Collective SDK. That's probably why it didn't work.
https://github.com/Scene-Collective...60fef03b50f3/libPS4/include/fw_defines.h#L568

RE the kernel exploit.
In the jb.js the 179 check is done twice.
First inside all the code where we can't clearly see what is happening (the long list of set_gadget and db functions),
and then written in plain JavaScript at the end.
The first check is to see if it needs to be run, and the final check (written in plain JavaScript) is to check if the exploit has passed or failed.
It does no harm running the kernel exploit code more than once because of that first check. During that first internal check, if the kernel is already patched, it just skips straight to the end without patching the kernel again.

If you want a delay between the webkit ending and the kernel exploit starting just use a setTimeout on running the jb.js.
 
Last edited by Leeful,
Reactions: KiiWii
^^ but the jb.js we have just now can also return 0, which also means the exploit was done, but in the source that isn't happening; there 0 is not that.
The problem is that the actual jb.js tests, and if not, runs fully. So in my point of view we need to have a testing-only mode. In the source it isn't the way we have it in jb.js.

Related to the todex source, is there a way to retrieve these offsets for 7.55 from the valid strange little file I have? Or by some other way.... surely we can, but how.
 
Last edited by xalfie,
The way I have found offsets in the past is to compare kernel dumps from previous firmwares.

E.g. open a 5.05, 6.72 and a 7.02 kernel dump in a hex editor.
Go to the known offset that you are looking for in each one and look for similarities before the offset you need. You should see a common pattern.
Then open up your 7.55 kernel dump and search for the same common pattern that you saw in the other firmware dumps.

This does not always work because the same common pattern might appear in multiple places in the same dump, which is bad.

I'll dump my 7.55 kernel and see if I can find the 7.55 targetID offset you need.
 
Last edited by Leeful,
Reactions: KiiWii
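The dump-comparison procedure above, as an added example that is not code from the thread: it takes the bytes just before a known offset in several reference dumps, checks that they agree, then searches a new dump for that same pattern and flags the ambiguous case (more than one hit) the post warns about. All dump contents, offsets and the MARKER bytes are constructed toy values, not real firmware.

```python
# Constructed toy dumps: an 8-byte "pattern" followed by the byte of interest.
MARKER = b"\x48\x8b\x05\x11\x22\x33\x44\x90"
REF_505 = b"\x00" * 40 + MARKER + b"\x87" + b"\xff" * 10   # byte at offset 48
REF_672 = b"\x00" * 55 + MARKER + b"\x87" + b"\xff" * 10   # byte at offset 63
KNOWN_OFFSETS = [48, 63]                                   # one per reference dump
TARGET_UNIQUE = b"\x11" * 70 + MARKER + b"\x87"            # pattern appears once
TARGET_AMBIG = (b"\x11" * 20 + MARKER + b"\x00"
                + b"\x22" * 10 + MARKER + b"\x87")          # pattern appears twice


def common_prefix(dumps, known_offsets, length=8):
    """Return the `length` bytes preceding the known offset if they are
    identical in every reference dump, otherwise None."""
    patterns = {d[off - length:off] for d, off in zip(dumps, known_offsets)}
    return patterns.pop() if len(patterns) == 1 else None


def find_candidates(target, pattern):
    """Offsets in `target` that directly follow each occurrence of `pattern`."""
    hits, start = [], 0
    while (i := target.find(pattern, start)) != -1:
        hits.append(i + len(pattern))
        start = i + 1
    return hits


def locate(ref_dumps, known_offsets, target, length=8):
    """Carry out the whole procedure and report how trustworthy the result is."""
    pattern = common_prefix(ref_dumps, known_offsets, length)
    if pattern is None:
        return {"status": "no-common-pattern", "candidates": [], "values": []}
    hits = find_candidates(target, pattern)
    status = "unique" if len(hits) == 1 else ("ambiguous" if hits else "not-found")
    # Also report the byte currently at each candidate so a reader can compare
    # it with the value expected in the reference dumps (0x87 here).
    return {"status": status, "candidates": hits, "values": [target[i] for i in hits]}


if __name__ == "__main__":
    print(locate([REF_505, REF_672], KNOWN_OFFSETS, TARGET_UNIQUE))
    print(locate([REF_505, REF_672], KNOWN_OFFSETS, TARGET_AMBIG))
```

An "ambiguous" result is exactly the failure mode described in the post; lengthening the pattern (the `length` argument) is the usual way to disambiguate, at the cost of it no longer matching if the preceding code changed between firmwares.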
My guess is that it is 0x212BDCD.
Could you post that working todex.bin? I would like to dump my kernel again after I have run todex and see if that offset changes from 87 (EUR retail) to 82 (dex).
 
Thanks, I'll let you know how I get on if I ever get the kernel exploit to run again. Total nightmare. LOL
 
Reactions: KiiWii
^^ but that todex.bin is highly strange in comparison to others, its size and also no notification from it.
 
^^ I am behind it just now.... I think that is CD872202, in reverse.
Dude, I don't know, it wasn't working lol
Only tested to the point of payload loading; was going to have a look tomorrow and get some advice from me tutor, but if you already have a fully working payload pass it my way and I'll update the menu :)
 
The first todex payload was very small too. It just patched the offset and that's it; there were no notifications either.

I haven't tested the todex payload on your host. It might work as it is. I just wanted a known working bin so I can quickly send it to the PS4. :)

BTW I'm still stuck trying to get the exploit to run successfully again before I can test anything LOL
 
Reactions: Prb
Nope, the test didn't work. I'm sure on previous firmware, if you dump the kernel after running todex, the value at the correct offset changed to 82. So that offset is probably completely wrong.
I give up for now. :(
 
Reactions: KiiWii