Advanced sFlash tools - andy-man/ps4-wee-tools GitHub Wiki
Extract/Build sflash' partitions
These options allows you to extract partitions to folder (SN of console) and make some changes (f.e. replace/patch wifi fw or anything else)
And then you can build everything back
s0_header > s0_head
s0_active_slot > s0_act_slot
s0_MBR1 > s0_mbr1
s0_MBR2 > s0_mbr2
s0_emc_ipl_a > sflash0s0x32
s0_emc_ipl_b > sflash0s0x32b
s0_eap_kbl > sflash0s0x33
s0_wifi > sflash0s0x38
s0_nvs > sflash0s0x34
s0_blank > sflash0s0x0
s1_header > s1_head.crypt
s1_active_slot > s1_act_slot.crypt
s1_MBR1 > s1_mbr1.crypt
s1_MBR2 > s1_mbr2.crypt
s1_samu_ipl_a > sflash0s1.cryptx2
s1_samu_ipl_b > sflash0s1.cryptx2b
s1_idata > sflash0s1.cryptx1
s1_bd_hrl > sflash0s1.cryptx39
s1_VTRM > sflash0s1.cryptx6
s1_CoreOS_A > sflash0s1.cryptx3
s1_CoreOS_B > sflash0s1.cryptx3b
s1_blank > sflash0s1.cryptx40
View/Recover HDD EAP keys
Eap key may have 0x40 and 0x60 bytes length. PS4 10xx/11xx models usually have only one key and 12xx/Slim/PRO models have backup key.
Magic is E5E5E501 and is located at few bytes before the key offset
Setting the right key can fix "EAP key panic" errors
Get HDD EAP keys [keys.bin]
Additional info can be found here PsDevWiki
After you get keys.bin you can use Сryptmount to access your PS4 hdd via PC (Linux or WSL for win10)
Сryptmount/cmtab example
# /etc/cryptmount/cmtab - encrypted filesystem information for cryptmount
# try 'man 8 cryptmount' or 'man 5 cmtab' for more details
user {
dev=/dev/sdc13
dir=/mnt/c/Users/username/Desktop/user
flags=user,nofsck
fstype=ufs mountoptions=ro,noatime,noexec,ufstype=ufs2
cipher=aes-xts-plain64
keyfile=/mnt/c/Users/username/Desktop/keys.bin
keyformat=raw
}
Commands
Get Disk List (PowerShell Admin)
GET-CimInstance -query "SELECT * from Win32_DiskDrive"
Mount Disk with WSL2 (CommandLine Admin)
wsl --mount \\.\PHYSICALDRIVE1
Copy bzImage to User Profile (WSL)
powershell.exe /C 'Copy-Item .\arch\x86\boot\bzImage $env:USERPROFILE'
Add kernel entry to .wslconfig (WSL)
powershell.exe /C 'Write-Output [wsl2] nkernel=$env:USERPROFILE\bzImage | % {$_.replace("\","\\")} | Out-File $env:USERPROFILE\.wslconfig -encoding ASCII'
Mount user partition (found either at /dev/sdX27 or at /dev/sdX13)
sudo cryptmount user
Base validation and entropy stats
Checks some known values (hash of emc, eap, wifi) and gets entropy stats
FW version 10.50 / Active slot B
Checking magics
header : OK
MBR1 : OK
MBR2 : OK
Checking partitions
emc_ipl_a : [1ec53a02094b615655d537dc2528be7c] OK FW 8.50 <-> 9.60
emc_ipl_b : [78bcc7e6fcafd9a5de8c32d5bf802d09] OK FW OK
eap_kbl : [536214ca8cd665157ce3e48b375c9496] OK FW OK
wifi : [50b0085e8917ffca236bb449a81fd3eb] OK FW OK
Entropy statistics
Entropy : 7.53813
0xFF : 11.80%
0x00 : 2.34%
Other : 85.85%
EMC CFW for Aeolia
EMC (External Micro Controller / southbridge) is a “peripheral” processor on the PS4, that is mostly used for diagnostics/debug/peripheral control.
You can use this CFW to change temperature limits, generate some beeps, change the PS4’s fan speed, control leds and syscon. This will only work on Phat PS4s models CUH-1000 and CUH-1100.
Additional information about commands JaiBrute and PSDevWiki
Command send: cmd:code (help:A9)
Code is sum of all bytes + bitwise (&) 0xFF
def getCmd(str):
sum = 0
for i in range(len(str)):
sum += ord(str[i])
return str + ':%02X'%(sum & 0xFF)
List of commands:
| Code | Command | Description |
|---|---|---|
| A9 | help | |
| A8 | R16 | |
| A6 | R32 | |
| 79 | R8 | |
| AD | W16 | |
| AB | W32 | |
| 7E | W8 | |
| F0 | _hdmi | |
| A3 | boot | Boots the console |
| DA | bootadr | [PSQ] boot address 00 |
| 0A | bootenable | |
| 48 | bootmode | bootmode 1 - Change bootmode (AUTO/Manual) |
| 91 | buzzer | buzzer [1-7] - Beep stuff, 7 modes (?) available |
| B4 | cb | |
| F7 | cclog | cclog [1-3] - Toggle chip communications log |
| 96 | ccul | |
| 1A | cec | |
| B2 | cktemprid | |
| 6B | combuf | |
| 70 | comlog | |
| 5E | csarea | |
| 29 | ddr | |
| 8C | ddrc | |
| 9B | ddrr | |
| A0 | ddrw | |
| 0B | devpm | Get devices power mode (wlan, hdd, usb, bd, acdc, pg3, hdmi, gbe, sdio) |
| 88 | dled | |
| 5F | dsarea | |
| E4 | ejectsw | Toggles eject switch |
| 7A | errlog | errlog [0-1F] - Gets error log, 32 possibilities (0-1F) |
| 7C | etempr | etempr get - Get (Alert Limits, Alert Hysteresis, CriticalTempr Limits) |
| B2 | fdownmode | fdownmode [1] - Run/Stop FataldownMode |
| 1B | fduty | fduty get - Get duty |
| 74 | flimit | flimit get - Get (MainSoc, Environment) max_duty and min_duty |
| FA | fmode | Fan Mode List (AutoServo, Maximun, Minimun, Manual, end) |
| 84 | fservo | fservo get - Get servo stats |
| E9 | fsstate | fsstate get - Get ctempr, err, ierr, duty |
| 68 | fstartup | |
| 97 | getmacadr | |
| 98 | halt | Halts the console |
| 3D | haltmode | |
| 03 | hdmir | |
| 04 | hdmis | |
| B2 | hdmistate | Get hdmi state (DP Video Setting) |
| 08 | hdmiw | |
| 98 | help | |
| 33 | mbu | |
| 22 | mduty | mduty get - Get MainSoc and Environment duty values |
| FE | nvscsum | Get nvs' checksum |
| FA | nvsinit | |
| CE | nvsl2sw | |
| 6A | osarea | |
| 96 | osbootparam | |
| 84 | osdebuginfo | |
| F2 | osstate | |
| 90 | pcie | PCIe Device Status |
| 5C | pdarea | |
| 6E | powcount | |
| 06 | powersw | Toggles power switch |
| 3B | powupcause | |
| D3 | qafinfo | |
| C8 | r16 | |
| C6 | r32 | |
| 99 | r8 | |
| FC | resetsw | Toggles reset switch |
| 38 | rtc | Get RTC Counter / Status |
| 8D | runseq | |
| B6 | s3state | |
| C4 | sb | Switches the bank of the ps4, ultra brick |
| 1B | sbnvs | |
| 79 | scfupdbegin | Syscon update begin, destroyer brick |
| 44 | scfupddl | Syscon update download, destroyer brick |
| AB | scfupdend | Syscon update end, destroyer brick |
| D0 | scnvsinit | Initializes nvs, ultra hyper mega brick |
| 75 | scpdis | |
| E8 | screset | Resets syscon |
| CB | scversion | Gets syscon version |
| 37 | sdkversion | |
| 1D | sdnvs | sdnvs [partition number] [bank number] |
| 11 | smlog | smlog [1] - Packet Log [on/off] |
| 3D | socdmode | [PSQ] Soc download mode |
| 76 | socuid | Gets socuid, also found in NVS |
| 0D | spoff | |
| AF | spon | |
| 15 | sqlog | |
| 77 | ssbdis | [PSQ] boot disable |
| F8 | startwd | |
| 10 | state | |
| 82 | stinfo | |
| 90 | stopwd | |
| AF | stwb | |
| 65 | subsysid | |
| 44 | subsysinfo | |
| 5C | syspowdown | Shutsdown system |
| A2 | task | |
| 17 | tempr | tempr get - Get temperature values |
| 59 | temprlog | |
| 50 | testpcie | |
| AA | thrm | |
| 3E | uareq1 | Command to gain more privileges, rsa |
| 3F | uareq2 | Command to gain more privileges, rsa |
| F5 | version | Gets emc version |
| EC | vshinfo | |
| CD | w16 | Writes in uint16_t to any place emc controls, brick |
| CB | w32 | Writes in uint32_t to any place emc controls, brick |
| 9E | w8 | Writes in uint8_t to any place emc controls, brick |
| 3C | wsc |
Responses:
| Code | Text | Description |
|---|---|---|
| 4E | NG E0000004 | Bad Checksum |
| 51 | NG F0000006 | Command no found |
| 4C | NG F0000001 | Incorrect argument |
| 3A | OK 00000000 | Correct command |