├── .gitignore ├── PS4DecryptSaveDataKey ├── Makefile ├── README.md ├── enviar.txt ├── include │ ├── kern.h │ └── type.h └── source │ ├── kern.c │ └── main.c ├── PS4DumpSealedKeyAndSecret ├── Makefile ├── README.md ├── enviar.txt ├── include │ ├── kern.h │ └── type.h └── source │ ├── kern.c │ └── main.c └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled source # 2 | ################### 3 | *.com 4 | *.class 5 | *.dll 6 | *.exe 7 | *.o 8 | *.so 9 | *.bin 10 | 11 | # Packages # 12 | ############ 13 | # it's better to unpack these files and commit the raw source 14 | # git has its own built in compression methods 15 | *.7z 16 | *.dmg 17 | *.gz 18 | *.iso 19 | *.jar 20 | *.rar 21 | *.tar 22 | *.zip 23 | 24 | # Logs and databases # 25 | ###################### 26 | *.log 27 | *.sql 28 | *.sqlite 29 | 30 | # OS generated files # 31 | ###################### 32 | .DS_Store 33 | .DS_Store? 34 | ._* 35 | .Spotlight-V100 36 | .Trashes 37 | ehthumbs.db 38 | Thumbs.db 39 | -------------------------------------------------------------------------------- /PS4DecryptSaveDataKey/Makefile: -------------------------------------------------------------------------------- 1 | LIBPS4 := $(PS4SDK)/libPS4 2 | 3 | TEXT := 0x926200000 4 | DATA := 0x926300000 5 | 6 | CC := gcc 7 | AS := gcc 8 | OBJCOPY := objcopy 9 | ODIR := build 10 | SDIR := source 11 | IDIRS := -I$(LIBPS4)/include -I. -Iinclude 12 | LDIRS := -L$(LIBPS4) -L. -Llib 13 | CFLAGS := $(IDIRS) -O2 -std=c11 -fno-builtin -nostartfiles -nostdlib -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large -DTEXT_ADDRESS=$(TEXT) -DDATA_ADDRESS=$(DATA) 14 | SFLAGS := -nostartfiles -nostdlib -march=btver2 -mtune=btver2 15 | LFLAGS := $(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Wl,--build-id=none -Ttext=$(TEXT) -Tdata=$(DATA) 16 | CFILES := $(wildcard $(SDIR)/*.c) 17 | SFILES := $(wildcard $(SDIR)/*.s) 18 | OBJS := $(patsubst $(SDIR)/%.c, $(ODIR)/%.o, $(CFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES)) 19 | 20 | LIBS := -lPS4 21 | 22 | TARGET = $(shell basename $(CURDIR)).bin 23 | 24 | $(TARGET): $(ODIR) $(OBJS) 25 | $(CC) $(LIBPS4)/crt0.s $(ODIR)/*.o -o temp.t $(CFLAGS) $(LFLAGS) $(LIBS) 26 | $(OBJCOPY) -O binary temp.t $(TARGET) 27 | rm -f temp.t 28 | 29 | $(ODIR)/%.o: $(SDIR)/%.c 30 | $(CC) -c -o $@ $< $(CFLAGS) 31 | 32 | $(ODIR)/%.o: $(SDIR)/%.s 33 | $(AS) -c -o $@ $< $(SFLAGS) 34 | 35 | $(ODIR): 36 | @mkdir $@ 37 | 38 | .PHONY: clean 39 | 40 | clean: 41 | rm -f $(TARGET) $(ODIR)/*.o 42 | -------------------------------------------------------------------------------- /PS4DecryptSaveDataKey/README.md: -------------------------------------------------------------------------------- 1 | # PS4DecryptSaveDataKey 2 | 3 | Working code based on the wiki code: 4 | 5 | http://www.psdevwiki.com/ps4/Sealedkey_/_pfsSKKey 6 | 7 | Put the encrypted PFS key you want to decrypt in your first USB drive and name it pfskeyencrypted 8 | 9 | This payload spits out a decryptedSaveDataKey.bin file on your USB 10 | -------------------------------------------------------------------------------- /PS4DecryptSaveDataKey/enviar.txt: -------------------------------------------------------------------------------- 1 | nc -w 3 192.168.1.20 9020 < PS4DecryptSaveDataKey.bin 2 | -------------------------------------------------------------------------------- /PS4DecryptSaveDataKey/include/kern.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "type.h" 4 | #include "ps4.h" 5 | 6 | #define KERN_XFAST_SYSCALL 0x30EB30 7 | #define KERN_PROCESS_ASLR 0x2862D6 8 | #define KERN_PRISON_0 0xF26010 9 | #define KERN_ROOTVNODE 0x206D250 10 | #define KERN_PTRACE_CHECK_1 0xAC2F1 11 | #define KERN_PTRACE_CHECK_2 0xAC6A2 12 | #define KERN_SCE_SBL_SS_DECRYPT_SEALED_KEY 0x5FB800 13 | #define KERN_COPY_IN 0x286DF0 14 | #define KERN_COPY_OUT 0x286D70 15 | 16 | #define X86_CR0_WP (1 << 16) 17 | 18 | struct auditinfo_addr { 19 | /* 20 | 4 ai_auid; 21 | 8 ai_mask; 22 | 24 ai_termid; 23 | 4 ai_asid; 24 | 8 ai_flags;r 25 | */ 26 | char useless[184]; 27 | }; 28 | 29 | struct ucred { 30 | uint32_t useless1; 31 | uint32_t cr_uid; // effective user id 32 | uint32_t cr_ruid; // real user id 33 | uint32_t useless2; 34 | uint32_t useless3; 35 | uint32_t cr_rgid; // real group id 36 | uint32_t useless4; 37 | void *useless5; 38 | void *useless6; 39 | void *cr_prison; // jail(2) 40 | void *useless7; 41 | uint32_t useless8; 42 | void *useless9[2]; 43 | void *useless10; 44 | struct auditinfo_addr useless11; 45 | uint32_t *cr_groups; // groups 46 | uint32_t useless12; 47 | }; 48 | 49 | struct filedesc { 50 | void *useless1[3]; 51 | void *fd_rdir; 52 | void *fd_jdir; 53 | }; 54 | 55 | struct proc { 56 | char useless[64]; 57 | struct ucred *p_ucred; 58 | struct filedesc *p_fd; 59 | }; 60 | 61 | struct thread { 62 | void *useless; 63 | struct proc *td_proc; 64 | }; 65 | 66 | struct payload_info 67 | { 68 | uint8_t* bufEncryptedKey; 69 | uint8_t* bufDecryptedKey; 70 | size_t size; 71 | }; 72 | 73 | struct decrypt_sealed_key_payload_args 74 | { 75 | void* syscall_handler; 76 | struct payload_info* payload_info; 77 | }; 78 | 79 | int kernelPayload(struct thread *td, void* uap); 80 | 81 | int sceSblSsDecryptSealedKeyPayload(void* td, struct decrypt_sealed_key_payload_args* args); 82 | 83 | typedef int (*sceSblSsDecryptSealedKey_ptr)(void *encryptedKey, void *decryptedKey); 84 | typedef int (*copyin_ptr)(const void *uaddr, void *kaddr, size_t len); 85 | typedef int (*copyout_ptr)(const void *kaddr, void *uaddr, size_t len); -------------------------------------------------------------------------------- /PS4DecryptSaveDataKey/include/type.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define TRUE 1 6 | #define FALSE 0 7 | 8 | #define Inline static inline __attribute__((always_inline)) 9 | 10 | typedef char BOOL; 11 | typedef unsigned char u8; 12 | typedef unsigned short u16; 13 | 14 | typedef int Any; 15 | typedef unsigned int uint; 16 | typedef int Hash; 17 | typedef int Entity; 18 | typedef int Player; 19 | typedef int FireId; 20 | typedef int Ped; 21 | typedef int Vehicle; 22 | typedef int Cam; 23 | typedef int CarGenerator; 24 | typedef int Group; 25 | typedef int Train; 26 | typedef int Pickup; 27 | typedef int Object; 28 | typedef int Weapon; 29 | typedef int Interior; 30 | typedef int Blip; 31 | typedef int Texture; 32 | typedef int TextureDict; 33 | typedef int CoverPoint; 34 | typedef int Camera; 35 | typedef int TaskSequence; 36 | typedef int ColourIndex; 37 | typedef int Sphere; 38 | typedef int ScrHandle; 39 | 40 | typedef struct { 41 | float x, y, z; 42 | } Vector3; 43 | 44 | typedef struct { 45 | u8 r, g, b; 46 | } Color; -------------------------------------------------------------------------------- /PS4DecryptSaveDataKey/source/kern.c: -------------------------------------------------------------------------------- 1 | #include "kern.h" 2 | 3 | Inline uint64_t readCr0(void) { 4 | uint64_t cr0; 5 | 6 | __asm__ __volatile__( 7 | "movq %0, %%cr0" 8 | : "=r" (cr0) 9 | : : "memory" 10 | ); 11 | 12 | return cr0; 13 | } 14 | 15 | Inline void writeCr0(uint64_t cr0) { 16 | __asm__ __volatile__( 17 | "movq %%cr0, %0" 18 | : : "r" (cr0) 19 | : "memory" 20 | ); 21 | } 22 | 23 | Inline uint8_t* getKernelBase() { 24 | uint32_t lo, hi; 25 | __asm__ __volatile__("rdmsr" : "=a" (lo), "=d" (hi) : "c"(0xC0000082)); 26 | return (uint8_t*)(((uint64_t)lo | ((uint64_t)hi << 32)) - KERN_XFAST_SYSCALL); 27 | } 28 | 29 | int kernelPayload(struct thread *td, void* uap) { 30 | uint8_t* ptrKernel = getKernelBase(); 31 | struct ucred* cred = td->td_proc->p_ucred; 32 | struct filedesc* fd = td->td_proc->p_fd; 33 | 34 | // Escalate privileges 35 | cred->cr_uid = 0; 36 | cred->cr_ruid = 0; 37 | cred->cr_rgid = 0; 38 | cred->cr_groups[0] = 0; 39 | 40 | // Escape sandbox 41 | void** prison0 = (void**)&ptrKernel[KERN_PRISON_0]; 42 | void** rootvnode = (void**)&ptrKernel[KERN_ROOTVNODE]; 43 | cred->cr_prison = *prison0; 44 | fd->fd_rdir = fd->fd_jdir = *rootvnode; 45 | 46 | void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred 47 | 48 | // sceSblACMgrIsSystemUcred 49 | uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96); 50 | *sonyCred = 0xffffffffffffffff; 51 | 52 | // sceSblACMgrGetDeviceAccessType 53 | uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88); 54 | *sceProcType = 0x3801000000000013; // Max access 55 | 56 | // sceSblACMgrHasSceProcessCapability 57 | uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104); 58 | *sceProcCap = 0xffffffffffffffff; // Sce Process 59 | 60 | // Disable write protection 61 | uint64_t cr0 = readCr0(); 62 | writeCr0(cr0 & ~X86_CR0_WP); 63 | 64 | // Disable ptrace checks 65 | ptrKernel[KERN_PTRACE_CHECK_1] = 0xEB; 66 | *(uint16_t*)&ptrKernel[KERN_PTRACE_CHECK_2] = 0x27EB; 67 | 68 | // Disable process aslr 69 | *(uint16_t*)&ptrKernel[KERN_PROCESS_ASLR] = 0x9090; 70 | 71 | // Enable write protection 72 | writeCr0(cr0); 73 | 74 | return 0; 75 | } 76 | 77 | int sceSblSsDecryptSealedKeyPayload(void* td, struct decrypt_sealed_key_payload_args* args) { 78 | 79 | uint8_t* ptrKernel = getKernelBase(); 80 | 81 | sceSblSsDecryptSealedKey_ptr sceSblSsDecryptSealedKey = (sceSblSsDecryptSealedKey_ptr)&ptrKernel[KERN_SCE_SBL_SS_DECRYPT_SEALED_KEY]; 82 | copyin_ptr copyin = (copyin_ptr)&ptrKernel[KERN_COPY_IN]; 83 | copyout_ptr copyout = (copyout_ptr)&ptrKernel[KERN_COPY_OUT]; 84 | 85 | byte enc[96]; 86 | byte dec[16]; 87 | 88 | copyin(args->payload_info->bufEncryptedKey, enc, sizeof(enc)); 89 | 90 | sceSblSsDecryptSealedKey(enc, dec); 91 | 92 | copyout(dec, args->payload_info->bufDecryptedKey, sizeof(dec)); 93 | 94 | 95 | return 0; 96 | } -------------------------------------------------------------------------------- /PS4DecryptSaveDataKey/source/main.c: -------------------------------------------------------------------------------- 1 | #include "ps4.h" 2 | #include "kern.h" 3 | #include "kernel.h" 4 | 5 | #define debug(sock, format, ...)\ 6 | do {\ 7 | char buffer[512];\ 8 | int size = sprintf(buffer, format, ##__VA_ARGS__);\ 9 | sceNetSend(sock, buffer, size, 0);\ 10 | } while(0) 11 | 12 | 13 | typedef struct sealedkey_t { 14 | const unsigned char MAGIC[8]; 15 | const unsigned char CAT[8]; 16 | const unsigned char IV[16]; 17 | const unsigned char KEY[32]; 18 | const unsigned char SHA256[32]; 19 | } PfsSKKey; 20 | 21 | 22 | typedef unsigned char byte; /* byte defination for c/c++ */ 23 | byte PFSK_IDENT[8] = "pfsSKKey"; 24 | byte VERSION[8] = "\x01\x00\x00\x00\x00\x00\x00\x00"; 25 | const char *USER1 = "10000000"; 26 | const char *usb0 = "/mnt/usb0/"; 27 | const char *usb1 = "/mnt/usb1/"; 28 | const char *pfs = "dec_pfsSK.Key"; 29 | const char *home = "/user/home/"; 30 | const char *tropkey = "/trophy/data/sce_trop/sealedkey"; 31 | char *usb_error = "[-] ERROR: Can't access usb0 nor usb1!\n[-] Will return now to caller.\n"; 32 | 33 | int sock; 34 | 35 | /* Get's the encrypted sealed key based on user id */ 36 | int get_pfsSKKey(byte *buffer) { 37 | 38 | debug(sock,"[-] Inside get_pfsSKKey\n"); 39 | 40 | int fd = open("/mnt/usb0/pfskeyencrypted", O_RDONLY,0); 41 | if (fd != -1) { 42 | debug(sock,"[-] Inside get_pfsSKKey open OK: %d", fd); 43 | int leido = read(fd, buffer, 96 ); 44 | if (leido != -1) { 45 | debug(sock,"[-] Inside get_pfsSKKey read OK: leido - %d", leido); 46 | close(fd); 47 | return 1; 48 | } 49 | else { 50 | debug(sock, "read err : %s\n", strerror(errno)); 51 | close(fd); 52 | return 0; 53 | } 54 | } 55 | else { 56 | debug(sock, "open %s err : %s\n", "/mnt/usb0/pfskeyencrypted", strerror(errno)); 57 | return 0; 58 | } 59 | 60 | 61 | } 62 | 63 | 64 | 65 | int _main(void) { 66 | 67 | initKernel(); 68 | initLibc(); 69 | initNetwork(); 70 | 71 | // Connect to server and send message 72 | char socketName[] = "debug"; 73 | 74 | struct sockaddr_in server; 75 | 76 | // udp log to port 18194 77 | server.sin_len = sizeof(server); 78 | server.sin_family = AF_INET; 79 | sceNetInetPton(2, "192.168.1.80", &server.sin_addr); 80 | server.sin_port = sceNetHtons(18194); 81 | memset(server.sin_zero, 0, sizeof(server.sin_zero)); 82 | 83 | sock = sceNetSocket(socketName, AF_INET, SOCK_DGRAM, 0); 84 | sceNetConnect(sock, (struct sockaddr *)&server, sizeof(server)); 85 | 86 | debug(sock, "debugnet Initialized\n"); 87 | 88 | kexec(kernelPayload, NULL); 89 | 90 | 91 | 92 | 93 | // sceSblSsDecryptSealedKeyPayload 94 | debug(sock, "Kernel patched! starting sceSblSsDecryptSealedKeyPayload\n"); 95 | 96 | byte encryptedKey[96]; 97 | memset(encryptedKey, 0, sizeof(encryptedKey)); 98 | 99 | byte decryptedKey[16]; 100 | memset(decryptedKey, 0, sizeof(decryptedKey)); 101 | 102 | get_pfsSKKey(encryptedKey); 103 | 104 | 105 | struct payload_info payload_info; 106 | memset(&payload_info, 0, sizeof(payload_info)); 107 | payload_info.bufEncryptedKey = encryptedKey; 108 | payload_info.bufDecryptedKey = decryptedKey; 109 | 110 | kexec(sceSblSsDecryptSealedKeyPayload, &payload_info); 111 | 112 | 113 | 114 | 115 | // got the keys, now save them to usb 116 | debug(sock, "sceSblSsDecryptSealedKeyPayload finished. Saving decrypted save data key to file\n"); 117 | 118 | FILE *dump = fopen("/mnt/usb0/decryptedSaveDataKey.bin", "w"); 119 | fwrite(decryptedKey, sizeof(decryptedKey), 1, dump); 120 | fclose(dump); 121 | 122 | 123 | 124 | 125 | 126 | sceNetSocketClose(sock); 127 | 128 | 129 | // Return to browser 130 | return 0; 131 | } 132 | -------------------------------------------------------------------------------- /PS4DumpSealedKeyAndSecret/Makefile: -------------------------------------------------------------------------------- 1 | LIBPS4 := $(PS4SDK)/libPS4 2 | 3 | TEXT := 0x926200000 4 | DATA := 0x926300000 5 | 6 | CC := gcc 7 | AS := gcc 8 | OBJCOPY := objcopy 9 | ODIR := build 10 | SDIR := source 11 | IDIRS := -I$(LIBPS4)/include -I. -Iinclude 12 | LDIRS := -L$(LIBPS4) -L. -Llib 13 | CFLAGS := $(IDIRS) -O2 -std=c11 -fno-builtin -nostartfiles -nostdlib -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large -DTEXT_ADDRESS=$(TEXT) -DDATA_ADDRESS=$(DATA) 14 | SFLAGS := -nostartfiles -nostdlib -march=btver2 -mtune=btver2 15 | LFLAGS := $(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Wl,--build-id=none -Ttext=$(TEXT) -Tdata=$(DATA) 16 | CFILES := $(wildcard $(SDIR)/*.c) 17 | SFILES := $(wildcard $(SDIR)/*.s) 18 | OBJS := $(patsubst $(SDIR)/%.c, $(ODIR)/%.o, $(CFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES)) 19 | 20 | LIBS := -lPS4 21 | 22 | TARGET = $(shell basename $(CURDIR)).bin 23 | 24 | $(TARGET): $(ODIR) $(OBJS) 25 | $(CC) $(LIBPS4)/crt0.s $(ODIR)/*.o -o temp.t $(CFLAGS) $(LFLAGS) $(LIBS) 26 | $(OBJCOPY) -O binary temp.t $(TARGET) 27 | rm -f temp.t 28 | 29 | $(ODIR)/%.o: $(SDIR)/%.c 30 | $(CC) -c -o $@ $< $(CFLAGS) 31 | 32 | $(ODIR)/%.o: $(SDIR)/%.s 33 | $(AS) -c -o $@ $< $(SFLAGS) 34 | 35 | $(ODIR): 36 | @mkdir $@ 37 | 38 | .PHONY: clean 39 | 40 | clean: 41 | rm -f $(TARGET) $(ODIR)/*.o 42 | -------------------------------------------------------------------------------- /PS4DumpSealedKeyAndSecret/README.md: -------------------------------------------------------------------------------- 1 | # PS4DumpSealedKeyAndSecret 2 | 3 | Just dumps to USB the sealed key and secret as shown here: 4 | 5 | http://www.psdevwiki.com/ps4/Keys#Sealed_Key_Values 6 | -------------------------------------------------------------------------------- /PS4DumpSealedKeyAndSecret/enviar.txt: -------------------------------------------------------------------------------- 1 | nc -w 3 192.168.1.20 9020 < PS4DumpSealedKeyAndSecret.bin 2 | -------------------------------------------------------------------------------- /PS4DumpSealedKeyAndSecret/include/kern.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "type.h" 4 | #include "ps4.h" 5 | 6 | #define KERN_XFAST_SYSCALL 0x30EB30 7 | #define KERN_PROCESS_ASLR 0x2862D6 8 | #define KERN_PRISON_0 0xF26010 9 | #define KERN_ROOTVNODE 0x206D250 10 | #define KERN_PTRACE_CHECK_1 0xAC2F1 11 | #define KERN_PTRACE_CHECK_2 0xAC6A2 12 | #define KERN_COPY_IN 0x286DF0 13 | #define KERN_COPY_OUT 0x286D70 14 | #define KERN_GET_SEALED_KEY_KEY_AND_SECRET 0x05FB630 15 | 16 | #define X86_CR0_WP (1 << 16) 17 | 18 | struct auditinfo_addr { 19 | /* 20 | 4 ai_auid; 21 | 8 ai_mask; 22 | 24 ai_termid; 23 | 4 ai_asid; 24 | 8 ai_flags;r 25 | */ 26 | char useless[184]; 27 | }; 28 | 29 | struct ucred { 30 | uint32_t useless1; 31 | uint32_t cr_uid; // effective user id 32 | uint32_t cr_ruid; // real user id 33 | uint32_t useless2; 34 | uint32_t useless3; 35 | uint32_t cr_rgid; // real group id 36 | uint32_t useless4; 37 | void *useless5; 38 | void *useless6; 39 | void *cr_prison; // jail(2) 40 | void *useless7; 41 | uint32_t useless8; 42 | void *useless9[2]; 43 | void *useless10; 44 | struct auditinfo_addr useless11; 45 | uint32_t *cr_groups; // groups 46 | uint32_t useless12; 47 | }; 48 | 49 | struct filedesc { 50 | void *useless1[3]; 51 | void *fd_rdir; 52 | void *fd_jdir; 53 | }; 54 | 55 | struct proc { 56 | char useless[64]; 57 | struct ucred *p_ucred; 58 | struct filedesc *p_fd; 59 | }; 60 | 61 | struct thread { 62 | void *useless; 63 | struct proc *td_proc; 64 | }; 65 | 66 | struct payload_info 67 | { 68 | uint8_t* bufSealedKey; 69 | uint8_t* bufSealedSecret; 70 | size_t size; 71 | }; 72 | 73 | struct get_sealed_key_payload_args 74 | { 75 | void* syscall_handler; 76 | struct payload_info* payload_info; 77 | }; 78 | 79 | int kernelPayload(struct thread *td, void* uap); 80 | 81 | int getSealedKeyAndSecretPayload(void* td, struct get_sealed_key_payload_args* args); 82 | 83 | typedef int (*copyin_ptr)(const void *uaddr, void *kaddr, size_t len); 84 | typedef int (*copyout_ptr)(const void *kaddr, void *uaddr, size_t len); 85 | typedef int (*GetSealedKeyKeyAndSecret_ptr)(void *p1, void *p2); -------------------------------------------------------------------------------- /PS4DumpSealedKeyAndSecret/include/type.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define TRUE 1 6 | #define FALSE 0 7 | 8 | #define Inline static inline __attribute__((always_inline)) 9 | 10 | typedef char BOOL; 11 | typedef unsigned char u8; 12 | typedef unsigned short u16; 13 | 14 | typedef int Any; 15 | typedef unsigned int uint; 16 | typedef int Hash; 17 | typedef int Entity; 18 | typedef int Player; 19 | typedef int FireId; 20 | typedef int Ped; 21 | typedef int Vehicle; 22 | typedef int Cam; 23 | typedef int CarGenerator; 24 | typedef int Group; 25 | typedef int Train; 26 | typedef int Pickup; 27 | typedef int Object; 28 | typedef int Weapon; 29 | typedef int Interior; 30 | typedef int Blip; 31 | typedef int Texture; 32 | typedef int TextureDict; 33 | typedef int CoverPoint; 34 | typedef int Camera; 35 | typedef int TaskSequence; 36 | typedef int ColourIndex; 37 | typedef int Sphere; 38 | typedef int ScrHandle; 39 | 40 | typedef struct { 41 | float x, y, z; 42 | } Vector3; 43 | 44 | typedef struct { 45 | u8 r, g, b; 46 | } Color; -------------------------------------------------------------------------------- /PS4DumpSealedKeyAndSecret/source/kern.c: -------------------------------------------------------------------------------- 1 | #include "kern.h" 2 | 3 | Inline uint64_t readCr0(void) { 4 | uint64_t cr0; 5 | 6 | __asm__ __volatile__( 7 | "movq %0, %%cr0" 8 | : "=r" (cr0) 9 | : : "memory" 10 | ); 11 | 12 | return cr0; 13 | } 14 | 15 | Inline void writeCr0(uint64_t cr0) { 16 | __asm__ __volatile__( 17 | "movq %%cr0, %0" 18 | : : "r" (cr0) 19 | : "memory" 20 | ); 21 | } 22 | 23 | Inline uint8_t* getKernelBase() { 24 | uint32_t lo, hi; 25 | __asm__ __volatile__("rdmsr" : "=a" (lo), "=d" (hi) : "c"(0xC0000082)); 26 | return (uint8_t*)(((uint64_t)lo | ((uint64_t)hi << 32)) - KERN_XFAST_SYSCALL); 27 | } 28 | 29 | int kernelPayload(struct thread *td, void* uap) { 30 | uint8_t* ptrKernel = getKernelBase(); 31 | struct ucred* cred = td->td_proc->p_ucred; 32 | struct filedesc* fd = td->td_proc->p_fd; 33 | 34 | // Escalate privileges 35 | cred->cr_uid = 0; 36 | cred->cr_ruid = 0; 37 | cred->cr_rgid = 0; 38 | cred->cr_groups[0] = 0; 39 | 40 | // Escape sandbox 41 | void** prison0 = (void**)&ptrKernel[KERN_PRISON_0]; 42 | void** rootvnode = (void**)&ptrKernel[KERN_ROOTVNODE]; 43 | cred->cr_prison = *prison0; 44 | fd->fd_rdir = fd->fd_jdir = *rootvnode; 45 | 46 | void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred 47 | 48 | // sceSblACMgrIsSystemUcred 49 | uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96); 50 | *sonyCred = 0xffffffffffffffff; 51 | 52 | // sceSblACMgrGetDeviceAccessType 53 | uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88); 54 | *sceProcType = 0x3801000000000013; // Max access 55 | 56 | // sceSblACMgrHasSceProcessCapability 57 | uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104); 58 | *sceProcCap = 0xffffffffffffffff; // Sce Process 59 | 60 | // Disable write protection 61 | uint64_t cr0 = readCr0(); 62 | writeCr0(cr0 & ~X86_CR0_WP); 63 | 64 | // Disable ptrace checks 65 | ptrKernel[KERN_PTRACE_CHECK_1] = 0xEB; 66 | *(uint16_t*)&ptrKernel[KERN_PTRACE_CHECK_2] = 0x27EB; 67 | 68 | // Disable process aslr 69 | *(uint16_t*)&ptrKernel[KERN_PROCESS_ASLR] = 0x9090; 70 | 71 | // Enable write protection 72 | writeCr0(cr0); 73 | 74 | return 0; 75 | } 76 | 77 | int getSealedKeyAndSecretPayload(void* td, struct get_sealed_key_payload_args* args) { 78 | 79 | uint8_t* ptrKernel = getKernelBase(); 80 | 81 | 82 | 83 | 84 | 85 | GetSealedKeyKeyAndSecret_ptr getSealedKeyKeyAndSecret = (GetSealedKeyKeyAndSecret_ptr)&ptrKernel[KERN_GET_SEALED_KEY_KEY_AND_SECRET]; 86 | copyout_ptr copyout = (copyout_ptr)&ptrKernel[0x286D70]; 87 | 88 | byte p1[16]; 89 | byte p2[16]; 90 | 91 | getSealedKeyKeyAndSecret(p1, p2); 92 | 93 | copyout(p1, args->payload_info->bufSealedKey, sizeof(p1)); 94 | copyout(p2, args->payload_info->bufSealedSecret, sizeof(p2)); 95 | 96 | 97 | return 0; 98 | } -------------------------------------------------------------------------------- /PS4DumpSealedKeyAndSecret/source/main.c: -------------------------------------------------------------------------------- 1 | #include "ps4.h" 2 | #include "kern.h" 3 | #include "kernel.h" 4 | 5 | #define debug(sock, format, ...)\ 6 | do {\ 7 | char buffer[512];\ 8 | int size = sprintf(buffer, format, ##__VA_ARGS__);\ 9 | sceNetSend(sock, buffer, size, 0);\ 10 | } while(0) 11 | int sock; 12 | 13 | 14 | 15 | int _main(void) { 16 | 17 | initKernel(); 18 | initLibc(); 19 | initNetwork(); 20 | 21 | // Connect to server and send message 22 | char socketName[] = "debug"; 23 | 24 | struct sockaddr_in server; 25 | 26 | // udp log to port 18194 27 | server.sin_len = sizeof(server); 28 | server.sin_family = AF_INET; 29 | sceNetInetPton(2, "192.168.1.80", &server.sin_addr); 30 | server.sin_port = sceNetHtons(18194); 31 | memset(server.sin_zero, 0, sizeof(server.sin_zero)); 32 | 33 | sock = sceNetSocket(socketName, AF_INET, SOCK_DGRAM, 0); 34 | sceNetConnect(sock, (struct sockaddr *)&server, sizeof(server)); 35 | 36 | debug(sock, "debugnet Initialized\n"); 37 | 38 | kexec(kernelPayload, NULL); 39 | 40 | 41 | 42 | 43 | // getSealedKeyAndSecretPayload 44 | debug(sock, "Kernel patched! starting getSealedKeyAndSecretPayload\n"); 45 | 46 | byte sealedKey[16]; 47 | memset(sealedKey, 1, 16); 48 | 49 | byte sealedSecret[16]; 50 | memset(sealedSecret, 1, 16); 51 | 52 | 53 | struct payload_info payload_info; 54 | memset(&payload_info, 0, sizeof(payload_info)); 55 | payload_info.bufSealedKey = sealedKey; 56 | payload_info.bufSealedSecret = sealedSecret; 57 | 58 | kexec(getSealedKeyAndSecretPayload, &payload_info); 59 | 60 | 61 | 62 | 63 | // got the keys, now save them to usb 64 | debug(sock, "getSealedKeyAndSecretPayload finished. Saving keys to file\n"); 65 | 66 | FILE *dump = fopen("/mnt/usb0/sealedKey.bin", "w"); 67 | fwrite(sealedKey, 16, 1, dump); 68 | fclose(dump); 69 | 70 | dump = fopen("/mnt/usb0/sealedSecret.bin", "w"); 71 | fwrite(sealedSecret, 16, 1, dump); 72 | fclose(dump); 73 | 74 | 75 | 76 | 77 | sceNetSocketClose(sock); 78 | 79 | 80 | // Return to browser 81 | return 0; 82 | } 83 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | This repository won't be updated. I've sold my PS4s. Please feel free to fork it. 2 | 3 | # PS4SaveDataDecryptingTools 4 | 5 | ## PS4DumpSealedKeyAndSecret 6 | 7 | Just dumps to USB the sealed key and secret as shown here: 8 | 9 | http://www.psdevwiki.com/ps4/Keys#Sealed_Key_Values 10 | 11 | ## PS4DecryptSaveDataKey 12 | 13 | Working code based on the wiki code: 14 | 15 | http://www.psdevwiki.com/ps4/Sealedkey_/_pfsSKKey 16 | 17 | Put the encrypted PFS key you want to decrypt in your first USB drive and name it pfskeyencrypted 18 | 19 | This payload spits out a decryptedSaveDataKey.bin file on your USB 20 | --------------------------------------------------------------------------------