Downgrading Firmware: Difference between revisions
No edit summary |
|||
(11 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
= Firmware Revert = | |||
By dumping with hardware Syscon memory and flash memory of a specific PS4 console, one can update the System Software of this PS4 to any version then whenever necessary, restore the dumps in order to restore the older firmware. Then it is required to either restore a HDD dump from that Firmware or to reinstall Firmware with PUP. | |||
= Actual Downgrade = | |||
There may be a way to downgrade the firmware without need of a hardware backup. This downgrade might be infeasible due to per-console keys and unknown crypto keys used to decrypt PUP and re-encrypt respective flash components. That would require full code execution inside SAMU, or at least keys from SAMU. | |||
== Current Firmware Version Modification or Bypass == | |||
=== SNVS modification === | |||
Current Firmware version is stored in Syscon Secure [[Non Volatile Storage]]. SNVS is an area encrypted with per-console keys. SNVS encryption is handled by SAMU. | |||
See the research done by fail0verflow on PS4 Syscon. [https://fail0verflow.com/blog/2018/ps4-syscon] | |||
=== SPKG decryption === | |||
Modoru is a PS Vita Firmware downgrader made by TheFloW. It relies on the fact that PS Vita checks current Firmware version in its secure processor, but even on such error it decrypts successfully SPKG and returns data to kernel. All modoru has to do is to hook some functions in the updater. It does not require a secure processor hack at all, except for 3 things: | |||
- when TheFloW made modoru, he had access to all PS Vita secure processor keys and binaries, allowing him to ensure downgrade would work. Doing it blind would have been dangerous for his tester' PS Vitas and he could not even have been sure it would work. | |||
- when downgrading from a recent Firmware to a very old Firmware where SPKG keys where different: need old secure processor keys to decrypt SPKGs in modoru directly without asking secure processor as it does not contain these old keys. | |||
- when downgrading from a very recent Firmware, checks have been added in secure processor: need secure processor patching to bypass current Firmware check. | |||
See PS Vita downgrader: Modoru by TheFloW. [https://github.com/TheOfficialFloW/modoru] | |||
== Official Current Firmware Version Bypass == | |||
=== ConsoleId === | |||
PS4 non-retail models like TestKit, DevKits and Prototypes are allowed to downgrade. If PS4 ConsoleId becomes editable, thanks to a SAMU hack maybe, that would unlock official way of downgrading. | |||
=== QA flags === | |||
Any QA flagged PS4 can downgrade. |
Latest revision as of 08:55, 27 February 2024
Firmware Revert[edit | edit source]
By dumping with hardware Syscon memory and flash memory of a specific PS4 console, one can update the System Software of this PS4 to any version then whenever necessary, restore the dumps in order to restore the older firmware. Then it is required to either restore a HDD dump from that Firmware or to reinstall Firmware with PUP.
Actual Downgrade[edit | edit source]
There may be a way to downgrade the firmware without need of a hardware backup. This downgrade might be infeasible due to per-console keys and unknown crypto keys used to decrypt PUP and re-encrypt respective flash components. That would require full code execution inside SAMU, or at least keys from SAMU.
Current Firmware Version Modification or Bypass[edit | edit source]
SNVS modification[edit | edit source]
Current Firmware version is stored in Syscon Secure Non Volatile Storage. SNVS is an area encrypted with per-console keys. SNVS encryption is handled by SAMU.
See the research done by fail0verflow on PS4 Syscon. [1]
SPKG decryption[edit | edit source]
Modoru is a PS Vita Firmware downgrader made by TheFloW. It relies on the fact that PS Vita checks current Firmware version in its secure processor, but even on such error it decrypts successfully SPKG and returns data to kernel. All modoru has to do is to hook some functions in the updater. It does not require a secure processor hack at all, except for 3 things: - when TheFloW made modoru, he had access to all PS Vita secure processor keys and binaries, allowing him to ensure downgrade would work. Doing it blind would have been dangerous for his tester' PS Vitas and he could not even have been sure it would work. - when downgrading from a recent Firmware to a very old Firmware where SPKG keys where different: need old secure processor keys to decrypt SPKGs in modoru directly without asking secure processor as it does not contain these old keys. - when downgrading from a very recent Firmware, checks have been added in secure processor: need secure processor patching to bypass current Firmware check.
See PS Vita downgrader: Modoru by TheFloW. [2]
Official Current Firmware Version Bypass[edit | edit source]
ConsoleId[edit | edit source]
PS4 non-retail models like TestKit, DevKits and Prototypes are allowed to downgrade. If PS4 ConsoleId becomes editable, thanks to a SAMU hack maybe, that would unlock official way of downgrading.
QA flags[edit | edit source]
Any QA flagged PS4 can downgrade.