PS4 “Jailbreak” Brazilian method: how to dump the PS4 NOR (Video)
Although the technique to dump the PS4 NOR is nothing new, this is the first time we’re getting such a detailed video tutorial. In the video, you’ll see that in addition to the stuff mentioned below, the modder uses a convenient board to attach the flash chip, without having to do manual wiring. Wiring things manually could prove difficult, and people have recommended creating your own PCB or getting a board like the one in the video.
The PS4 “Jailbreak” basics
The video below showcases the basics of the infamous “Brazilian PS4 Jailbreak” that we revealed a few months ago. It is worth noting that hackers have mentioned this method will result in a brick on recent PS4 firmwares (if you write to the NOR), so don’t do it at home unless you know what you’re doing. The video only shows how to read the NOR, not what people do after that which lets them pirate games, but that’s the basic idea.
For those willing to seriously give it a try, AlphaHack has a very detailed explanation in English on how he extracted the NOR from his console and soldered it the right way (basically the steps that this video does not show). You can get his full guide here.
Edit: yes, we’re aware this is not a “jailbreak” in the traditional meaning of the word, but this is how people have been referring to it so far, so we’ll stick to that. Deal with it!
Installation and usage instructions below are from http://www.psdevwiki.com/ps4/JAISPI
- 1x Raspberry Pi
- 1x SD Memory (for Raspbian, a 4GB minimum is recommended)
- 1x PS4 Serial Flash MX25L25635FMI-10G desoldered from console
- Raspbian (http://downloads.raspberrypi.org/raspbian_latest)
- Win32 Disk Imager (http://sourceforge.net/projects/win32diskimager/files/latest/download)
- Putty (http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe)
| 8-pin | 16-pin | Signal | Raspberry Pi pin | Description |
|---|---|---|---|---|
| – | 1 | SIO3 | NC | 8pin: Not Available – not used / 16pin: Serial Data Input & Output (for 4x I/O read mode) |
| 8 | 2 | VCC | 17 | +3V DC Power Supply |
| 7 | 3 | HOLD#/RESET# | NC | 8pin: Hold, to pause the device without deselecting the device / 16pin: Hardware Reset Pin, active low |
| 2 | 8 | SO/SIO1 | 21 | Serial Data Output (for 1x I/O) or Serial Data Input & Output (for 2x I/O or 4x I/O read mode) |
| 3 | 9 | WP#/SIO2 | 25 | Write Protection: connect to GND or Serial Data Input & Output (for 4x I/O read mode) |
| 5 | 15 | SI/SIO0 | 19 | Serial Data Input (for 1x I/O) or Serial Data Input & Output (for 2x I/O or 4x I/O read mode) |
Use short wires, especially if you are not adding the 0.1µF capacitor between ground and VCC as close as possible to the chip.
The newer Raspberry Pi model B+ and model A+ both use the same pinout for the first 26 header pins as the previous non-plus models, so it should work on those as well.
Run Win32 Disk Imager (if you use Linux you can use dd)
- In “Image file” select the downloaded and decompressed Raspbian image (2013-09-25-wheezy-raspbian.img at the time of this writing)
- In “Device” select the drive where the SD memory is.
- Select “Write”.
After writing has finished, put the SD card in the Raspberry Pi and power it up by inserting the USB cable.
Remote Shell into Raspbian
Two minutes after booting up the Raspberry Pi, run Putty.
- In Host Name put: raspberrypi
If this doesn’t work properly, go to the router, find the IP assigned to your Raspberry Pi and use that instead.
- Select SSH (the Raspberry Pi and Putty also support a TTL serial console: https://learn.adafruit.com/adafruits-raspberry-pi-lesson-5-using-a-console-cable/overview)
- Select Open
It will request a login. According to Raspbian, the user is “pi” and the password is “raspberry” (both without quotes).
Enter the following commands:
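    sudo -s
    cd /bin
    # plain-HTTP download of a binary that will run as root; the source gives no checksum for it
    wget http://jaicrab.org/Ps4/Tools/JAISPI/jaispi
    chmod +x jaispi
    # rewrite the blacklist file: spi-bcm2708 stays commented out (SPI enabled), i2c-bcm2708 is blacklisted
    echo "#blacklist spi-bcm2708" > /etc/modprobe.d/raspi-blacklist.conf
    echo "blacklist i2c-bcm2708" >> /etc/modprobe.d/raspi-blacklist.conf
    reboot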
Installation is complete. You can access the Raspberry Pi with Putty. To run the jaispi command you need to be root (sudo -s):
    # sudo -s
    # jaispi -i /dev/spidev0.0
    -i /dev/spidevX.X             Get ID from flash
    -r file.bin /dev/spidevX.X    Read entire flash to file
    -e /dev/spidevX.X             Erase entire flash
    -p file.bin /dev/spidevX.X    Only write blocks differences from file
    -v file.bin /dev/spidevX.X    Verify blocks with file
-i: Displays information of the flash.
    #jaispi -i /dev/spidev0.0
    JaiSpi v1.0
    ID: 0xC22019 MX25L25635
-r: Makes a full dump of the flash (Average time: 35sec)
    #jaispi -r DUMP.bin /dev/spidev0.0
    JaiSpi v1.0
    ID: 0xC22019 MX25L25635
    Reading... 0x02000000
    Done!
-e: Clears all flash (Average time: 1min, 30sec)
    #jaispi -e /dev/spidev0.0
    JaiSpi v1.0
    ID: 0xC22019 MX25L25635
    Erasing blocks...
    Done!
-p: Write to flash only the changed sectors (Average time: 1min 30sec)
    #jaispi -p Base.bin /dev/spidev0.0
    JaiSpi v1.0
    ID: 0xC22019 MX25L25635
    Starting... 0x02000000 -> 8192 Sectors written
    Done!
-v: Compares the flash contents with a file in PC (Average time: 35sec)
    #jaispi -v Base.bin /dev/spidev0.0
    JaiSpi v1.0
    ID: 0xC22019 MX25L25635
    Checking... 0x02000000 -> 0 Different sectors
    Done!
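A sanity check for a dump before relying on it, as an added example (not part of jaispi or of the original guide): it decodes the ID 0xC22019 shown above into the expected size, rejects short or constant reads, and lists the sectors where two reads of the same chip disagree. The 4 KiB sector size is an assumption inferred from the 8192 sectors in the -p output, and the function names are illustrative.

```python
import hashlib

CHIP_ID = 0xC22019   # value printed by `jaispi -i` in the transcript above
SECTOR = 4096        # assumed 4 KiB sectors: 0x02000000 / 4096 = 8192, as in the -p output

def decode_jedec(jedec_id):
    """Split the 3-byte ID into manufacturer, memory type and size in bytes."""
    cap_code = jedec_id & 0xFF
    # This part encodes its capacity as 2**code bytes (0x19 -> 0x02000000, 32 MiB).
    return (jedec_id >> 16) & 0xFF, (jedec_id >> 8) & 0xFF, 1 << cap_code

def check_dump(data, jedec_id=CHIP_ID):
    """Return reasons not to trust a single read (empty list = plausible)."""
    problems = []
    size = decode_jedec(jedec_id)[2]
    if len(data) != size:
        problems.append(f"size {len(data):#010x}, expected {size:#010x}")
    if data and data.count(data[0]) == len(data):
        # A constant image points to an erased chip or a floating/shorted data line.
        problems.append(f"every byte is {data[0]:#04x}")
    return problems

def differing_sectors(a, b, sector=SECTOR):
    """Sector numbers where two reads of the same chip disagree."""
    if len(a) != len(b):
        raise ValueError("reads differ in length")
    return [off // sector for off in range(0, len(a), sector)
            if a[off:off + sector] != b[off:off + sector]]

def fingerprint(data):
    """SHA-256 to record alongside the dump once two reads agree."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    # Constructed stand-ins for two `jaispi -r` reads; the second has one flipped bit.
    read1 = bytes(range(256)) * (0x02000000 // 256)
    read2 = bytearray(read1)
    read2[0x1234] ^= 0x01
    print(check_dump(read1), differing_sectors(read1, read2))
    print(fingerprint(read1))
```

With real dumps, read the chip twice to separate files and pass their contents to these functions; any sector reported by `differing_sectors` indicates an unreliable connection rather than real flash content.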