Downgrading Firmware

From PS4 Developer wiki
Revision as of 14:36, 5 February 2022 by Roxanne (talk | contribs) (Reverted edits by 188.150.82.35 (talk) to last revision by Zecoxao)
Jump to navigation Jump to search

Firmware Revert

By dumping with hardware Syscon memory and flash memory of a specific PS4 console, one can update the System Software of this PS4 to any version then whenever he wants, restore the dumps in order to restore the older firmware. Then it is required to either restore a HDD dump from that Firmware or to reinstall Firmware with PUP.

Actual Downgrade

There may be a way to downgrade the firmware without need of a hardware backup. This downgrade might be infeasible due to per-console keys and unknown crypto keys used to decrypt PUP and re-encrypt respective flash components. That would require full code execution inside SAMU, or at least keys from SAMU.

Current Firmware Version Modification or Bypass

SNVS modification

Current Firmware version is stored in Syscon SNVS. SNVS is an area encrypted with per-console keys. SNVS encryption is handled by SAMU.

See the research done by fail0verflow on PS4 Syscon. [1]

SPKG decryption

Modoru is a PSVita Firmware downgrader made by TheFloW. It relies on the fact that PSVita checks current Firmware version in its secure processor, but even on such error it decrypts successfully SPKG and returns data to kernel. All modoru has to do is to hook some functions in the updater. It does not require a secure processor hack at all, except for 3 things: - when TheFloW made modoru, he had access to all PSVita secure processor keys and binaries, allowing him to ensure downgrade would work. Doing it blind would have been dangerous for his tester' PSVitas and he could not even have been sure it would work. - when downgrading from a recent Firmware to a very old Firmware where SPKG keys where different: need old secure processor keys to decrypt SPKGs in modoru directly without asking secure processor as it does not contain these old keys. - when downgrading from a very recent Firmware, checks have been added in secure processor: need secure processor patching to bypass current Firmware check.

See PSVita downgrader: Modoru by TheFloW. [2]

Official Current Firmware Version Bypass

ConsoleId

PS4 non-retail models like TestKit, DevKits and Prototypes are allowed to downgrade. If PS4 ConsoleId becomes editable, thanks to a SAMU hack maybe, that would unlock official way of downgrading.

QA flags

Any QA flagged PS4 can downgrade.