Merry Christmas! PS4 developer Al-Azif has just dropped PS4 CFW Toolkit, probably one of the biggest PS4 releases since the 9.00 Jailbreak last year (although the developer states everything’s based on publicly available information). PS4 CFW Toolkit is a tool that lets you encrypt/decrypt multiple parts of the PS4 System, including Syscon.

You will need to provide the encryption/decryption keys, which can be obtained from your Jailbroken console (Is there a tool out there that automates that part?)

What is PS4 CFW Toolkit

PS4 CFW Toolkit is a command line tool that lets you encrypt/decrypt binary images from the PS4. Specifically:

• EAP KBL (Kernel Boot Loader)
• EAP Kernel
• EMC IPL (Initial Program Load)
• Syscon (Both Patch and Full)

That’s a lot of keywords here, so let’s try to clear that out for you (source ps4 devwiki):

EAP

The role of EAP is to handle media (online Wireless/GbLAN, Bluray Drive and HDD/SSD) even when the PS4 is in standby mode. EAP runs its own FreeBSD kernel in standby mode, activated to handle tasks such as downloading games updates while the PS4 is in standby.

EAP Kernel Boot Loader is stored encrypted in a SLB2 container in PS4 Serial Flash. The role of EAP Kernel Boot Loader is to decrypt then uncompress the EAP Kernel. The encrypted EAP Kernel is stored at virtual address 0xC1000000 and the decrypted and uncompressed EAP Kernel is located at virtual address 0xC3000000.

EMC

EMC could stand for External Micro Controller. EMC was named MediaCon by some people when its name was still unknown.

The role of EMC is to load EMC Initial Program Loader, to be an interface for icc for the main APU kernel and Syscon and to offer a debug interface via UART that does not rely on Syscon or main APU. EMC runs its own FreeBSD kernel. It exposes ARM peripherals to the x86 side.

Syscon

Syscon is the “other” chip, responsible for taking care of peripherals and more. We’ve recently discussed how it can be glitched to revert the PS4 to a former revision, technically making a “downgrade”* possible to some extent.

(source Fail0verflow)

Beyond encryption/decryption, PS4 CFW Toolkit lets you modify some parts of the files. In particular enabling “God Mode” to unlock all possible commands.

Is PS4 CFW Toolkit useful for me?

Before you get (too) excited, it’s probably important to quote Al-Azif here:

This is NOT CFW like the PS3 or like Ensō for the Vita (Yet, but who knows what may come because of the order stuff is loaded in). Everything here is/was documented publicly to some degree/necessary keys for some revisions of the PS4 are on the dev wiki.

With that out of the way: This is clearly not a release for the end user, but seems like it’s paving the way for potential “full fledged” Custom Firmwares on the PS4 in the future. How far in the future is what’s not clear: Al-Azif’s readme mentions that some parts are still required, and not currently supported with this particular release.

However, he states a larger (private) project contains more. How much more, is the question. Specifically:

Some of the keys required to encrypt critical parts (such as creating a “real” CFW that you could install like a normal firmware update) are private: they cannot be found on the console. Bruteforcing them is theoretically impossible (unless the encryption implementation is messed up somehow, a mistake that Sony famously did for the PS3), but we know in practice that some people have had access to those keys on the scene. Whether that larger project Al-Azif mentions already has those, is unclear. From the readme:

What’s missing as far as custom code running EVERYWHERE, that’s not currently supported within this repo:

• SAMU IPL (Encrypted with PCKs within Sflash and signed with private keys)
  • Required for PS3 style CFW where you just install a PUP
  • Private keys are NOT on the console
  • Seven revisions
• SELF Files (Encrypted and signed with private keys)
  • Would not matter if SAMU IPL is broken/custom
  • Private keys are NOT on the console
• Bluetooth/WiFi FW (Not encrypted or signed. One of them is packed, it’s just a ZIP)
  • Three revisions
• BD Drive FW (Haven’t looked at it)
  • Six revisions
• USB SATA Bridge FW (Haven’t looked at it)
  • One revision
• Communication Processor FW (Haven’t looked at it)
  • Devkit only
  • One revision

Reading between the lines, is it possible that SAMU IPL has been hacked?

Whatever the current status of the larger project under the hood, this release is clearly for developers who are trying to provide a fully fledged CFW for the PS4 moving forward. Al-Azif is very clear that it’s something you’ve been seriously working on, before reinventing the wheel, you might want to get in touch with him just to make sure the functionality you’re trying to work on hasn’t already been developed in the larger project.

Download PS4 CFW Toolkit

If you’re the right audience for this release, you can grab it on the project’s github. And if you’re the right audience for this release, I don’t have to tell you to read the README in full before doing anything else.

Source: Al-Azif

* People prefer to use the word “revert” since you can currently only go back to the previous firmware that was installed on your console