PS4: Homebrew & backups running on firmware 4.55, technical details coming soon (but there’s a catch)
Hacker Flat_z recently shared a video (see below) showcasing the installation of homebrew and backups on PS4 firmware 4.55 through the use of a kernel exploit. He shared the video in an interview with Russian hacking scene member Imaginary Monster.
In the video, the developer is shown running an exploit through the PS4’s WebKit browser, which ends with an error message. In the background, the exploit installs or unlocks the “Debug Settings” menu, which then lets them install custom pkg files. The video shows a simple “hello world” homebrew application being launched, followed by the installation of the PS4 game “The Last Guardian”.
It is not clear from the video whether that last part is actually pirated content or a regular pkg file for which the account holds the license. Flat_z’s description, however, compares this to the recently revealed piracy technique on PS4 firmware 1.76, which does allow installing “backups”. In the interview, he also mentions bypassing security measures as part of the process. This seems to imply that the technique on firmware 4.55 also allows installing and running pirated content, in a much easier way than what exists today on 1.76.
The video description states that a write-up on how to achieve this will be published soon.
Of course, there’s a big catch to all of this: the process requires a kernel exploit, and flat_z has made it clear in the interview that he will not release one. He stated (rough translation from the original Russian text):
Let’s hope that someone will release a kernel exploit on 4.xx (or at least 3.xx). I myself cannot do it, because I am not the original author of the 2.xx+ exploits and I do not want to release someone else’s work.
So the direct usefulness of this technique for the general PS4 hacking community will be pretty much non-existent.
That is, until a hacker releases an exploit for recent firmware versions, which so far seems unlikely.
The full video, and description, below:
Installation of custom and repacked PKG files on a retail PS4 with a kernel exploit. A totally different and more bullet-proof method in comparison with the one from 1.76. A write-up on how to achieve this will see the light soon (and again, a kernel exploit is needed for that; also, porting to other firmwares is possible and shouldn’t be hard).
A full transcript of the interview (Google translated; see the original in the source link below):
In connection with the latest events on the PS4 scene, our admin Imaginary Monster turned to the famous and perhaps the only Russian developer of the PlayStation scene, behind whom there are quite a few really important developments for PS3 consoles with custom and official firmware. And as it became known, at the moment Flatz is busy with an active study of the PS4 system, which is proven by a new video that without a doubt will go down in the history of PS4 hacking and will become a real sensation of the PlayStation scene.
Imaginary Monster: Flatz, what do you think about the latest developments, about this recently leaked way of launching games on firmware 1.76? Your opinion about what is happening.
Flatz: My opinion is long overdue. I would not say that I do not like their method; it is complex and looks like a crutch. On the PS4, it is possible to implement an alternative method that is compatible with the usual way we install through the Package Installer and launch through the XMB, which I have been working on from time to time in the intervals between work, i.e. in fact the same thing as on the PS3, where they install and run PSN games and repacks, although on the PS4 it has its complexity…
Imaginary Monster: And does this simplified alternative method that we see in your video also work only on 1.76, like the one that is freely available? Or is it possible on later firmware?
Flatz: Specifically, their method works on 1.76 because it is written for it; of course, it can be ported to other firmware too, but the code is pretty big, which will make it difficult. The simplified way that I use works up to 4.55 and will work even higher (of course, if there is an exploit), although it will have to be ported too: the offsets of different data vary from firmware to firmware (this is and always was the case), but in my case it’s just a few patches. I plan to write about it later, most likely even with code examples, although I’m surprised that no one realized it earlier, because it came to mind first when the goal of launching our own applications appeared. Unfortunately, I cannot afford to port it myself to all the firmware versions (at the moment it is meant for 1.xx, since I have a console with 1.62, and for people, mostly 1.76).
Imaginary Monster: Is there a chance that the simplified method that you showed today in this video, with the installation of games through pkg and launch through the XMB, will work on 5.00?
Flatz: Yes, as I said, the method is based on standard system functionality except for a number of patches that you need to make to bypass some of the security restrictions. But again, the method works only in conjunction with a kernel exploit, and as far as I know, all consoles (including Slim and Pro) up to 4.55 inclusive can be hacked (although there is a chance that someone has exploits for firmware above that too). Let’s hope that someone will release a kernel exploit for 4.xx (or at least 3.xx); I myself cannot do it, because I am not the original author of the 2.xx+ exploits and I do not want to leak someone else’s work.
Imaginary Monster: Recently, a certain Synergy promised an exploit for the latest firmware. But then he disappeared. Do you know anything about this?
Flatz: Another troll. As I said, I know several people who actually have exploits, but they are known to a large number of people. 🙂 Unfortunately, at the moment the most important heart of the system is still impregnable (read: there is no complete hack), and therefore any current hack is easy to patch, and I understand people who are taking care of their work and are afraid to spread it; I’m not sure that someone just wants to bury his work in the ground. It is also possible that a small number of people still have code and keys, but I assume that they used the hardware method of hacking SAMU (dismantled the processor and took out a boot).
Imaginary Monster: About the Vita. It was hacked only on one firmware. This is not a complete hack.
Flatz: And with the PS3 it was the same story. It was completely hacked only on firmware 3.55 (and below), and now it is in fact hacked only on this firmware, but in the case of the PS3, the protected modules with keys and other junk were also cracked. The Vita was hacked right up to the very firmware on which the release of HENkaku took place, but for the time being there was no hack of the protected modules that run on a separate processor, so in the beginning people dumped decrypted games and “stuck together” the code and resource segments, so that later it was possible to run the game. In fact, at the moment the same story is possible with the PS4, and an option of the HENkaku type; only you need a moment when someone releases an exploit and the mechanism gets going. And by the way, a primitive analog of Enso on the PS4 is also possible, because after hibernation mode, if you go back, all the patches made by the exploit remain in memory; the main thing is not to reboot and shut down the system completely if you do not want to run the exploit again.
Imaginary Monster: Yes, something like HENkaku; a lot of people are waiting for this on the PS4.
Flatz: In general, in my opinion, the ideal option, not counting wonders like full CFW, which, as I said earlier, in my opinion will not happen on the PS4, is when after the launch of the exploit the PS4 “reboots” into a completely custom firmware that would consist of patched (and decrypted) system modules. I think that you could even force the OS to boot over the network, say, from a shared network partition with a PC. And in this case, the risk of bricking is minimal, because in fact we do not change the system files on the USB flash drive (unless you really screw it up). For example, you have 4.55 firmware with an exploit, but after activating the exploit, it “replaces” its native files with decrypted files from the latest firmware, and this is a full-fledged custom 5.00 firmware (here it must be said that since 4.0 Sony started to change the keys in different versions of the firmware, so to get the files from 5.00 you need to first exploit this version).
Imaginary Monster: And what about the decryption of games? Let’s say HENkaku is released on the PS4; how will the games, patches, and DLC be decrypted?
Flatz: If the game supports the firmware for which there is an exploit, then there are several options. Suppose that someone who has already bought the game, with an activated exploit, copies it, for example, via FTP, and then, as it was on the Vita, an image is glued together from the finished files. If, however, you have the keys of the image (or the passcode used by the developers to generate the keys), then you unpack the finished game image with these keys and then repack it again with your own keys. I even wrote a utility for this, which in the future, if an exploit appears, I plan to post. It generates a gp4 project from the finished pkg file to build the game again into a pkg file, but one which can already be started by my method in the presence of an exploit. I had to hurry a bit to make it generate the image as the developers saw it (read: one which will launch and not crash at startup). Here it is necessary to mention that we cannot use the original debugging key for the new pkg, because Sony’s retail consoles do not allow these keys to decrypt debug images, so we change the key to our own, put it into our exploit, and rejoice. The funny thing is that now Sony cannot decrypt our images until the exploit code is reversed. By the way, with patches you can also work, and the principle is almost the same (unless patches in which the bots are signed with new keys stop working).
Imaginary Monster: What about homebrew?
Flatz: You make your project, compile it with some SDK, then create an image, write the files there; the pkg file is packed with our keys and you can install it later via the Package Installer if there is an exploit. In my video, by the way, before the launch of The Last Guardian, there is also an example of a simple homebrew that renders text on the screen.
Imaginary Monster: And maybe a homebrew like multiMAN? To be able to mount images and run games from an external hard drive?
Flatz: And why is it needed on the PS4? The games will be in the library, just like the usual ones bought on PSN, and it’s easier to run them via the XMB. But, if desired, I think a multiMAN can be done. Concerning launching from external disks, I do not think this will be a problem, because if there is access to the kernel, then you can write a driver that will mount the game from an external hard disk (although in 4.x there is similar official functionality, in a way).
Imaginary Monster: The last question. What do you think, when will we see all this and be able to use what is shown in your video? When will all this appear in public access?
Flatz: It all depends on the people who have exploits, although recently interest in hacking the PS4 on the scene has fallen. I have already spoken about this earlier, but I hope that we will see the light at the end of the tunnel.
Imaginary Monster: Indeed, for more than six months there was a lull on the scene; before that, basically trolling and fakes. But let’s hope that your video and this story with the recently leaked launch of dumps on 1.76 firmware somehow stimulate the developers of the scene. Flatz, thank you so much for the conversation. It was very interesting. Good luck with your new developments!
Flatz: Thank you, I was also glad to talk :)