Release: PS4 CFW Toolkit by Al-Azif
Merry Christmas! PS4 developer Al-Azif has just dropped PS4 CFW Toolkit, probably one of the biggest PS4 releases since last year’s 9.00 Jailbreak (although the developer states that it’s all based on publicly available information). PS4 CFW Toolkit is a tool that allows you to encrypt/decrypt several parts of the PS4 system, including Syscon.
You need to provide the encryption/decryption keys, which can be obtained from the Jailbroken console (is there a tool out there that automates that part?)
What is PS4 CFW Toolkit
PS4 CFW Toolkit is a command line tool that allows you to encrypt/decrypt binary images from PS4. Specifically:
- EAP KBL (Kernel Boot Loader)
- EAP core
- EMC IPL (Initial Program Load)
- Syscon (both patch and full)
There are a lot of keywords here, so let’s try to remove it for you (source ps4 devwiki):
The role of EAP is to handle media (online Wireless/GbLAN, Bluray Drive and HDD/SSD) even when the PS4 is in standby mode. EAP runs its own FreeBSD kernel in standby mode, enabled to handle tasks such as downloading game updates while the PS4 is in standby.
The EAP Kernel Boot Loader is stored encrypted in an SLB2 container in the PS4 Serial Flash. The role of the EAP Kernel Boot Loader is to decrypt and then compress the EAP kernel. The encrypted EAP core is stored at the virtual address 0xC1000000, and the decrypted and uncompressed EAP core is located at the virtual address 0xC3000000.
EMC can stand for external microcontroller. EMC was called MediaCon by some people when the name was still unknown.
The role of the EMC is to load the EMC Initial Program Loader, to be an interface to icc for the main APU core and Syscon and to provide a debugging interface via UART that does not depend on Syscon or the main APU. EMC runs its own FreeBSD kernel. It exposes ARM accessories to the x86 side.
Syscon is the “other” chip, responsible for taking care of peripherals and more. We recently discussed how resetting the PS4 to a previous revision can fail, technically making a “downgrade”* possible to some degree.
Beyond encryption/decryption, the PS4 CFW Toolkit allows you to modify certain parts of the files. In particular, activate “God Mode” to unlock all possible commands.
Is PS4 CFW Toolkit useful for me?
Before you get (too) excited, it’s probably important to quote Al-Azif here:
This is NOT CFW like PS3 or like Ensō for Vita (yet, but who knows what might come due to the order stuff loaded). Everything here is/was documented publicly to some extent/keys needed for some revisions of PS4 are on the dev wiki.
With that out of the way: This is clearly not an end-user release, but seems like it is paving the way for potential “full-fledged” custom firmwares on the PS4 in the future. How far in time it is is not clear: Al-Azif’s readme mentions it some parts are still required and not currently supported with this special release.
But, he states that a larger (private) project contains more. How much more, is the question. Specifically:
Some of the keys required to encrypt critical parts (like creating a “real” CFW that you can install as a regular firmware update) are private: they cannot be found on the console. Brute-forcing them is theoretically impossible (unless the encryption implementation is messed up somehow, a mistake Sony famously made for the PS3), but we know in practice that some people have had access to these keys on stage. Whether the larger project Al-Azif mentions already has these is unclear. From the readme:
What’s missing in terms of custom code running ANYWHERE, which is currently not supported in this repo:
- SAMU IPL (encrypted with PCKs in Sflash and signed with private keys)
- Required for PS3 style CFW where you just install a PUP
- Private keys are NOT on the console
- Seven revisions
- SELV files (encrypted and signed with private keys)
- Doesn’t matter if SAMU IPL is broken/customized
- Private keys are NOT on the console
- Bluetooth/WiFi FW (Not encrypted or signed. One of them is packed, it’s just a ZIP)
- BD Drive FW (haven’t looked at it)
- USB SATA Bridge FW (haven’t looked at it)
- Communication processor FW (haven’t looked at it)
Reading between the lines, is it possible that SAMU IPL has been hacked?
Regardless of the current status of the larger project under the hood, this release is clearly for developers trying to provide a full-fledged CFW for PS4 going forward. Al-Azif is very clear that it is something you have seriously worked on, before reinventing the wheel, you might want contact him just to make sure the functionality you’re trying to work on isn’t already developed in the larger project.
Download PS4 CFW Toolkit
If you are the right audience for this release, you can grab it on the project’s github. And if you’re the right audience for this release, I don’t need to tell you to read the entire README before you do anything else.
* People prefer to use the word “revert” as currently you can only go back to the previous firmware that was installed on your console