PS5: SpecterDev releases sprx/self decrypter payload for all hackable firmwares
This one’s huge. Today SpecterDev released a payload for all hackable PS5 Firmwares, that allows decrypting self files. Something that until now was only possibly on Firmware 4.03, via Sleirsgoevy‘s Prosper0 Debugger, is now possible on all hacked firmwares.
What are SPRX/SELF files, and why do I care about decrypting them?
Most files on the PS5 are encrypted. This includes system binaries, libraries required by applications at runtime, and the games themselves of course. Decrypting those files is the first step to reverse engineering them (if you’re interested in that process, I have a tutorial on how to do it on PS4, and the PS5 process is basically identical), which itself is used for everything you might want to do on a hacked PS5: modding games, finding more vulnerabilities in the system, patching the system for hacking purposes, etc…
Sleirsgoevy had released a tool to decrypt those files on 4.03 almost a year ago, so people on those firmwares have been able to decrypt PS5 sprx and self files. This will now be possible on all hackable firmwares, and could open the path to more cool stuff coming to the PS5.
This release follows a tweet from SpecterDev, where he hinted he had something coming for us, via a new data-only attack on the PSP (Platform Secure Processor) of the PS5.
In my presentation @hardwear_io I talked about how underestimated data-only attacks can be. Here’s an example: decrypting system files by sending messages to the PSP with just kernel arb. read/write 🙂 pic.twitter.com/FroQuArXVP
— Specter (@SpecterDev) September 7, 2023
Notes from the release:
PS5 SELF Decrypter
A payload that uses kernel arbitrary read/write to decrypt Signed ELFs (SELFs) from the filesystem and dump the plaintext ELFs to USB drive.
PC_PORTmacros on lines 24-25 with your TCP server’s IP/port
- It’s recommended you use logging to know how far the payload’s progressed or if it’s stalled
- Plug compatible USB drive into PS5 with at least 1GB of free space before running
- Files will be dumped to
- Should support 3.xx-4.xx, but not tested on all firmwares (open an issue for any problems)
- Currently, the payload assumes pre-jailbroken state (ie. escaped sandbox), adding jailbreak code here is a TODO
- If you notice log activity has stopped for more than a minute, hard powerdown the PS5 via power button for three beeps and restart the console and run again
- The console may panic in the midst of dumping files, this is fine, restart the console and run again
- The payload will pick up where it left off and continue dumping from where it was halted previously
- Improvements to make the payload less janky are welcome
Download and use PS5-SELF-Decrypter payload
You can download the payload source code on the project’s github here. You will have to build it yourself (tutorial here) because you have to replace the IP address with that of your local PC. (Alternatively, get a built payload from somebody you trust and replace the IP with a hex editor should do the trick)
To run the payload:
- plug in a USB key with at least 1GB space into your PS5
- run the PS5 exploit (locally on your computer, or via an esp8266, or using a fake DNS and one of the public hosts)
- open a TCP listener on your computer. On linux you can use Netcat (nc -l [YOUR IP ADDRESS] 5655). On Windows Ncat should work.
- upload the payload e.g. with netcatGui.
You should start seeing data in the listener’s logs. In parallel, the tool will write decrypted files to your USB Key, in the PS5 folder. The process will take a while and might fail regularly, which will crash the console. Restarting the exploit and running the payload again, it should resume where it failed.
$ nc -l 10.1.1.100 5655 [+] kernel .data base is ffffffff89c80000, pipe 9->10, rw pair 11->13, pipe addr is fffff02a3ba0ba80 [+] kernel_pmap_store offset 0x31be218, pm_pml4 0xfffff02610474000, pm_cr3 0x10474000, dmap_base 0xfffff02600000000 [+] firmware version 0x3000038 ( 3.000.038) [+] got auth manager: 4 (this is version 2) [+] dumping /... [+] decrypting //decid_update.elf... [?] file segments are irregular, falling back on last LOAD segment [+] calculated file size: 0x00035554 [+] wrote 0x00035554 bytes... [+] decrypting //first_img_writer.elf... [?] file segments are irregular, falling back on last LOAD segment [+] calculated file size: 0x000aaef4 [+] wrote 0x000aaef4 bytes... [+] decrypting //mini-syscore.elf... [?] file segments are irregular, falling back on last LOAD segment [+] calculated file size: 0x000c62c4 [+] wrote 0x000c62c4 bytes... [+] decrypting //safemode.elf... [?] file segments are irregular, falling back on last LOAD segment [+] calculated file size: 0x004f3cc4 [+] wrote 0x004f3cc4 bytes... [+] decrypting //SceSysAvControl.elf... [?] file segments are irregular, falling back on last LOAD segment [+] calculated file size: 0x000c3944 [+] wrote 0x000c3944 bytes... [+] decrypting //setipaddr.elf... [?] file segments are irregular, falling back on last LOAD segment [+] calculated file size: 0x0002d1a4 [+] wrote 0x0002d1a4 bytes... [+] dumping /system/common/lib...