PS4 EMC CFW Steps: Phat CUH-1000 and CUH-1100

[zecoxao]

USE AT YOUR RISK​

EMC CFW Steps: Phat CUH-1000 and CUH-1100​

Tools Required Tutorial

• 
  Tools required:
  
  • Hardware flasher;
  • Testpoints for Mediacon Interaction (see Jaicrab's page)
  • JaiBrute v2 (see Jaicrab's page)
  • Scripts from the wiki (decrypt and encrypt EMC from MediaCon)
  • Hexeditor (i use HxD for this)
  • Wires(preferably some with black tip, so you can plug them nicely)
  • Soldering Iron (advised TS100)
  • Solder paste and solder
  • UART device (CP2102 advised or an equivalent)
  • 2BLS unpacker (either a python script something else to unpack bls entries)
• 
  Step 1:
  
  • Using the hardware flasher, dump the sflash to a file (for example sflash0.bin), or if you're on a hacked system, simply dump sflash0 from /dev/sflash0
  • Keep this backup somewhere safe! Make sure you do multiple backups and verify they're the exact same!
  
  Step 2:
  
  • At offset 0x4000 you can find the first bls entry for emc fw (size 0x60000)
  • At offset 0x64000 you can find the second bls entry for emc fw (size 0x60000)
  • Using HxD, select those entries and place them on the files sflash0s0x32 and sflash0s0x32b
  
  Step 3:
  
  • Unpack those files using a bls unpacker for 2bls files. You'll obtain C0000001 and C0008001
  • Discard C0008001. we'll only work with C0000001.
  Step 4:
  
  • Decrypt C0000001 with the scripts on the wiki:
    • https://www.psdevwiki.com/ps4/Talk:Keys#EAP.2FEMC_Aeolia_Script_for_decrypting_and_keeping_header
  • This will decrypt the emc fw while keeping the header. The new file will have a .bin extension
  Step 5:
  
  • Open the new file and change
    
  • ALL instances of 03 00 FD 00 with 0F 00 FD 00 (for 5.05 emc there are 3 or 4 instances) and
    
  • ALL instances of 07 00 FD 00 with 0F 00 FD 00 (for 5.05 emc there are 96 instances)
  
  Step 6:
  
  • Using the encrypt script on the wiki:
    • https://www.psdevwiki.com/ps4/Talk:...pt_for_encrypting_.28with_header_necessary.29
  • encrypt back C0000001.bin (it'll make a new file with an extra .bin extension, thus C0000001.bin.bin)
  
  Step 7:
  
  • Go to the original file you unpacked (either sflash0s0x32 or sflash0s0x32b) and at offset 0x200, replace the content with the content of
  • C0000001.bin.bin using HxD
  
  Step 8:
  
  • Replace the contents of sflash0 with the contents of modified sflash0s0x32 and sflash0s0x32b files, respectively at 0x4000, size 0x60000 and at 0x64000 size 0x60000.
  
  Step 9:
  
  • With all in place, you only need to flash sflash0 back to the console.
  
  Step 10:
  
  • After you've flashed it, if you haven't done it yet, don't forget to solder to the MediaCon testpads TX RX and also GND (use colored wires for easier diferentiating, label if you must)
  
  Step 11:
  
  • TX goes to TX on the CP2102, RX goes to RX on the CP2102, and GND goes to GND on the CP2102. plug accordingly.
  
  Step 12:
  
  • Test the patch by issuing the command socuid with JaiBrute v2.
  The usage is:
  
  .\JaiBrute.exe \\.\com3 cmd
  
  where \\.\com3 is your CP2102 com number (don't forget to install the Universal CP210x drivers)​
  
  Step 13:
  
  • There are no more steps. You have now absolute power over the lowest level of the console. Be careful with the commands you try as some may cause irreversible damage!

 

[zecoxao]

Pictures:
Testpads:

CP2102:

 

[Berion]

Does it survive fw update or i.e it will kill the console in the process?

 

[zecoxao]

Does it survive fw update or i.e it will kill the console in the process?

It is permanent until you update the firmware.

 

[zecoxao]

List of commands (5.05)

 help:A9
# ANY    "R16":A8
# ANY    "R32":A6
# ANY    "R8":79
# ANY    "W16":AD
# ANY    "W32":AB
# ANY    "W8":7E
# ANY    "_hdmi":F0
# ANY    "boot":A3
# ANY    "bootadr": DA
# ANY    "bootenable":0A
# ANY    "bootmode":48
# ANY    "buzzer":91
# ANY    "cb":B4
# ANY    "cclog":F7
# ANY    "ccul":96
# ANY    "cec":1A
# ANY    "cktemprid":B2
# ANY    "combuf":6B
# ANY    "comlog":70
# ANY    "csarea":5E
# ANY    "ddr":29
# ANY    "ddrc":8C
# ANY    "ddrr":9B
# ANY    "ddrw":A0
# ANY    "devpm":0B
# ANY    "dled":88
# ANY    "dsarea":5F
# ANY    "ejectsw":E4
# ANY    "errlog":7A
# ANY    "etempr":7C
# ANY    "fdownmode":B2
# ANY    "fduty":1B
# ANY    "flimit":74
# ANY    "fmode":FA
# ANY    "fservo":84
# ANY    "fsstate":E9
# ANY    "fstartup":68
# ANY    "getmacadr":97
# ANY    "halt":98
# ANY    "haltmode":3D
# ANY    "hdmir":03
# ANY    "hdmis":04
# ANY    "hdmistate":B2
# ANY    "hdmiw":08
# ANY    "help":98
# ANY    "mbu":33
# ANY    "mduty":22
# ANY    "nvscsum":FE
# ANY    "nvsinit":FA
# ANY    "nvsl2sw":CE
# ANY    "osarea":6A
# ANY    "osbootparam":96
# ANY    "osdebuginfo":84
# ANY    "osstate":F2
# ANY    "pcie":90
# ANY    "pdarea":5C
# ANY    "powcount":6E
# ANY    "powersw":06
# ANY    "powupcause":3B
# ANY    "qafinfo": D3
# ANY    "r16":C8
# ANY    "r32":C6
# ANY    "r8":99
# ANY    "resetsw":FC
# ANY    "rtc":38
# ANY    "runseq":8D
# ANY    "s3state":B6
# ANY    "sb":C4
# ANY    "sbnvs":1B
# ANY    "scfupdbegin":79
# ANY    "scfupddl":44
# ANY    "scfupdend":AB
# ANY    "scnvsinit": D0
# ANY    "scpdis":75
# ANY    "screset":E8
# ANY    "scversion":CB
# ANY    "sdkversion":37
# ANY    "sdnvs":1D
# ANY    "smlog":11
# ANY    "socdmode":3D
# ANY    "socuid":76
# ANY    "spoff":0D
# ANY    "spon":AF
# ANY    "sqlog":15
# ANY    "ssbdis":77
# ANY    "startwd":F8
# ANY    "state":10
# ANY    "stinfo":82
# ANY    "stopwd":90
# ANY    "stwb":AF
# ANY    "subsysid":65
# ANY    "subsysinfo":44
# ANY    "syspowdown":5C
# ANY    "task":A2
# ANY    "tempr":17
# ANY    "temprlog":59
# ANY    "testpcie":50
# ANY    "thrm":AA
# ANY    "uareq1":3E
# ANY    "uareq2":3F
# ANY    "version":F5
# ANY    "vshinfo":EC
# ANY    "w16":CD
# ANY    "w32":CB
# ANY    "w8":9E
# ANY    "wsc":3C
OK 00000000:3A

 

[zecoxao]

brickable commands (don't try these unless you know what you're doing):

# ANY "scfupdbegin":79 (syscon update begin, destroyer brick)
# ANY "scfupddl":44 (syscon update download, destroyer brick)
# ANY "scfupdend":AB (syscon update end, destroyer brick)
# ANY "scnvsinit": D0 (initializes nvs, ultra hyper mega brick)

# ANY "w16":CD (writes in uint16_t to any place emc controls, brick)
# ANY "w32":CB (writes in uint32_t to any place emc controls, brick)
# ANY "w8":9E (writes in uint8_t to any place emc controls, brick)

# ANY "sb":C4 (switches the bank of the ps4, ultra brick)

 

[vyktormvmpay25]

All this only to get access to syscon? Will this work for 90x fw?
I'm very limited on programming/software side but I'll try to get it at one point

 

[zecoxao]

All this only to get access to syscon? Will this work for 90x fw?
I'm very limited on programming/software side but I'll try to get it at one point

this works on all firmwares, due to the fact that no public-private keys are involved in the process of verification of the firmware (it is simply hmac-sha1) so it will always work until X.XX because we have all the necessary master keys, for both encryption and validation

 

[zecoxao]

Software method (5.05 hackable CUH-1000 and CUH-1100 ONLY!):

Some notes before you use this payload:

MAKE SURE THAT THE FILE YOU'RE FLASHING IS IN THE RIGHT LOCATION! YOU WILL BRICK OTHERWISE!
MAKE SURE THAT THE FILE IS PROPERLY ENCRYPTED! YOU WILL BRICK OTHERWISE!
MAKE SURE THAT THE FILE HAS THE CORRECT SIZE (0x60000 bytes or 384KB) YOU WILL BRICK OTHERWISE!
MAKE SURE THE MD5SUM OF 0.bin IS CORRECT (58213910f9b24d5b5069ea22046c21b8 0.bin)

with that out of the way, here is the instruction on flashing via software side:

ftp the file /dev/sflash0s0x32 (you need an ftp client, goldhen 2.00b2 has a good one, use it)

modify the file according to the steps 3-7 (unpack, decrypt, patch, encrypt, replace on sflash0s0x32)

create a new folder under ps4 hdd /data/ folder with the name payloads (NOT PAYLOADS, NOT payload, NOT PAYLOAD)

place the file sflash0s0x32 there, so it looks like this:

/data/payloads/sflash0s0x32

extract the file 0.zip to obtain the payload 0.bin

place the payload 0.bin under /data/payloads/ so it looks like this

/data/payloads/0.bin

AlAzif has made available a payload loader pkg. install it, then refresh the payload list with square, and finally press x on 0.bin

Wait AT LEAST 4 minutes! After 4 minutes pass, use ftp and verify if the file /dev/sflash0s0x32 matches the same file you patched

If it doesn't, tough luck, you're probably bricked at this point and you need to open the console and do the hardware method. if it does, congratulations! you have yourself an emc cfw.

 

[febag]

brickable commands (don't try these unless you know what you're doing):

# ANY "scfupdbegin":79 (syscon update begin, destroyer brick)
# ANY "scfupddl":44 (syscon update download, destroyer brick)
# ANY "scfupdend":AB (syscon update end, destroyer brick)
# ANY "scnvsinit": D0 (initializes nvs, ultra hyper mega brick)

# ANY "w16":CD (writes in uint16_t to any place emc controls, brick)
# ANY "w32":CB (writes in uint32_t to any place emc controls, brick)
# ANY "w8":9E (writes in uint8_t to any place emc controls, brick)

# ANY "sb":C4 (switches the bank of the ps4, ultra brick)

Any known HW way to prevent bricking or unbricking? I sure want to mess with the PS4, haven't been on the scene since the PS3 10 years ago

 

[zecoxao]

Just uploaded the zip that skips steps 3-7 on 5.05

md5:
35c094f9e71f7825d9a0060b0ee870fa sflash0s0x32

 

[zecoxao]

Any known HW way to prevent bricking or unbricking? I sure want to mess with the PS4, haven't been on the scene since the PS3 10 years ago

Unless you have a backup of your sflash and of syscon, no

 

[BwE]

Should I make something to automate this process?

 

[Md Hesam]

I have PS4 CUH-1004A
Can I do this EMC CFW on my PS4 but it's very risky
online hack's better than EMC CFW

 

[Amido]

whats the purpose of this EMC CFW and what we can get and use?

 

[zecoxao]

Should I make something to automate this process?

You should yes. more brick proof. just remember that its for 1000 and 1100 models only

 

[zecoxao]

whats the purpose of this EMC CFW and what we can get and use?

To control southbridge and syscon. For example for fan temperature limits, for buzzer experimenting or for leds.

 

[xxdylanxx]

Should I make something to automate this process?

yes please.. make our life easy.. @BwE still reliable since ps3 days thanks for all your work

 

[Md Hesam]

why no one discuss this cfw?

 

[STLcardsWS]

why no one discuss this cfw?

It's been discussed, There is only so much it can do, but is a very good release but not a CFW like you think:

https://www.psx-place.com/threads/p...-cuh-1000-cuh-1100-tutorial-by-zecoxao.36389/