Remember back in the old days when instead of installing an Kernel/Web-Exploit like nowadays, you asked "how I can install an Custom Firmware (CFW)" or something like "how I can Downgrade my Console"? Of course, todays attempts aren't that bad since you get a similar functionality in terms of running Homebrew for instance, but not quite for 100% compared to the old days. Especially not when we talk about the possibilities of modifying a PlayStation 3 compared to the PlayStation 4 today. In fact, there was a time where everyone wanted to "Downgrade" his/her PS3 from an higher System Firmware (OFW) to bring the functionality of Homebrew back to their PS3. Or can you remember when your Blu-ray Drive wasn't working anymore due to its age or because of an failed Downgrade process so everytime when you wanted to install a newer, higher CFW, it failed with displaying an error message and you had to install those "noBD" CFWs? While the latter one was already achieved for older Firmwares below <4.75 in the past, it will be still interesting to achieve both a Downgrading possibility and a "noBD" support for higher Firmwares on a PS4 as well. The good thing is, well-known Developer @TheoryWrong asked the same question to himself. And it gets even better; he is ready to show his progress so far So lets have a look at it. 
Disclaimer: The original Post by TheoryWrong was written in French Language and only a translated version (via Google Translate) was available by the time of writing this News Article. Please apologize in Advance for any typos & misunderstanding. Also please keep in mind that his researches are in very early stages & attempting to update the System Firmware with this method on a PS4 together with a broken BD Drive can lead into other major problems within the System (as specified on the original Blog Post within the red Text).
Launching the update outside of "Update Mode"
Update a PS4 without an working BD Drive ("noBD")
Downgrade attempt
Credits
-
It is possible to launch the update utility without putting the console in update mode, it can still update the components of the PS4. To do this, you need a Kernel exploit, a Homebrew ENabler), and the make_fself.py by flat_z.
The idea is that through a Homebrew "Hosts", to execute a modified orbis_swu.self which will do what we want. Just use the function sceSystemServiceLoadExec(char* path, void* unk);
The modification of the orbis_swu will have to apply 2 patches to make it usable with a host application.
- Modifying the video output: orbis_swu is normally used in a context where SceShellUI does not exist. It will now be necessary to indicate to him that he must take the exit of the Applications.
- Give it permissions: Like any system process, orbis_swu must be able to access certain things. It will therefore be necessary to give it special permissions and make it escape from its sandbox through a system call. It is also necessary to patch the kernel to be able to have access to the sflash in writing.
Once this is done, your homebrew is ready to use the orbis_swu to perform updates! Now is when things start to get interesting!
"orbis_swu.self" has launched without the existence of an Update File (therefore the Message Text keeps blank). -
The first possible use of this is to bring in the update of consoles without Blu-ray player possible.
BdWriter::checkDeviceExist -1PupReader::checkSegmentUpdate initialize failed: 0x801809a8 PupReader::Estimate::2019 checkSegmentUpdate failed: 0x801809a8 [ERROR]sceUpdaterVerifySign() failed : 801809a8
Here we can see that the update is impossible because the function BdWriter::checkDeviceExist cannot find the Blu-ray player. It would be enough to modify this function to launch an update to a higher firmware.
The patch will be very simple, it will suffice to modify the instruction to return the error with a xor ebx, ebx instead of a mov eax, ebx
Tadaaaa! PS4 updates even without Blu-ray player
PS4 updating the System Firmware without switching into "Update Mode" (note the "Connected Controller" Indicator on the top left corner, which isn't possible on a normal PS4 while updating the Firmware). -
Even if it may seem fanciful to try to downgrade in the simplest way possible, it is still necessary that this process reminds the downgrade of the PSVita Modoru by TheFlow which runs its update module to downgrade with a modified version.
Here the idea is simple, if the PS4 cannot decrypt blobs of PUP lower than its version, we will decrypt them for him. The attack is simple, we will hook (hook) the syscall dedicated to ioctl and intercept the calls made to the "device" of decryption then:
- Make an MD5 signature of the encrypted version
- Find the decrypted version in a USB key
- Return the decrypted version without using the SAMU
Once this was in place, I was surprised that it worked! The PS4 has accepted the update!
The Downgrade is underway!
However, an error at the Switch Bank level. Which cancels the update and switches back to the current version (The backup bank)
After analysis of the SFLASH, it is possible to notice that values have all the same changed, such as the version of this one. - Make an MD5 signature of the encrypted version
-
I continue my research to know how to correct the switch bank and why not have the possibility of Downgrade ^^
I hope that the article will have you more, I continue my work. Ciao
Source
- Payload Kernel based on Golden's work: https://github.com/jogolden/ps4-ksdk
- IDC ps4_pup_unpack: https://github.com/idc/ps4-pup_unpack/
- TheUpdaterToolkit: https://github.com/theorywrong/TheUpdaterToolkit/
- @zecoxao and @LightningMods for their aid and their participation in research is in the development of PoC.
Source: Twitter @TheoryWrong
Blog: theorywrong.me (Original Post in French)
Translated Version via Google Translate: Click here
Blog: theorywrong.me (Original Post in French)
Translated Version via Google Translate: Click here
Last edited:
