
January 29, 2014 // 5:35 pm - Following up on the previous PS4 Macronix MX25L25635FMI-10G and MX25L1006E NOR Flash dumps, today Sony PlayStation 4 hacker cfw prophet has made available a PS4 NOR Dump 1.06 (without MAC Address & Console-ID) serial flash MX25L25635FMI-10G for CXD90025G dump with some analysis details below.

Download: ps4nordmp_1.06_without_Mac-Serial.rar (27.59 MB)

To quote: Subject: Dump of serial flash MX25L25635FMI-10G for CXD90025G

Reference file: PS4 NOR Dump 1.06 (without MAC Address & Console-ID)


Size: 0x2000000 filesize / 0x1D40000 datasize
Statistics: 2.64-2.66% 00's / 11.83% FF's / < 0.38% rest
Entropy: 6.96569 (87.0711%) - 7.52856 (94.107%)
Redundancy: 12.9289% - 5.893%
A. Mean: 131072
StdDev: 454103 - 245647
Strings: Flash-Main/strings


From modrobert: I have analyzed the binary and there seems to be an interesting area not mentioned:

Starting at offset 0x144200 there is a pretty big area which doesn't seem to be encrypted. I found the area by making a raw image conversion to get a better visual view of the data.

The arrow marks the area which doesn't seem to be encrypted.

Here's a close-up of the same area, look at the top bar, grains look lumpy there, not even as the encrypted area below.

If you want to have a look, you can find the hi-res image here. Here's a hex dump of the first part of the suspect area.


This looks more like executable code to me, not sure what the target device might be.


Yes, looks this executable indeed, check the strings up there, embedded Linux maybe.


Wireless/Bluetooth firmware!? Unencrypted?! We can't be that lucky.

  • Generic Bluetooth SDIO driver

Source code:

By the looks of it, this flash can be read by several PS4 devices accessing different offsets, so maybe we can use that to our advantage and modify data on the fly only when the decrypted area is accessed without breaking checksum in the original flash as a whole.

I'm thinking of a hardware device between the PS4 Wifi/Lan/Bluetooth circuit (or whatever it is) and the MX25L25635FMI-10G flash chip.

I found the Verilog model for the MX25L25635F flash from the manufacturer, so should be possible to emulate the flash in an FPGA for interesting manipulation. Also attached (PDF / ZIP), if their files suddenly disappear:

Thanks goes to cfwprophet on IRC, I learned a lot of new stuff about the PS4. A block diagram of the MediaCon functions is also attached.

Finally, from smhabib:



1st 40 bytes are encrypted with aes-256-cbc and the result is used as erk and riv for the next 240 bytes. now that is decrypted through aes-128-ctr and now you can find the location for encrypted sections+hmac key+erk/riv keys. the rest sections are also encrypted with aes-128-ctr. enjoy! j/k

PS4 NOR Flash Dump MX25L25635FMI-10G for CXD90025G Arrives
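The raw-image inspection modrobert describes can also be done numerically by mapping Shannon entropy per window, which separates cipher-like data from structured data and erased padding. This is an added example, not code from the original post; the window size, threshold, and sample image are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter
from itertools import groupby

WINDOW = 0x1000    # bytes per analysis window (assumption; tune per image)
THRESHOLD = 7.0    # bits/byte; windows below this are not cipher-like (assumption)

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    """Label one window: erased/filled padding, cipher-like, or structured."""
    if len(set(block)) == 1:
        return "padding"          # all 0xFF or all 0x00, as in the dump statistics
    if shannon_entropy(block) >= THRESHOLD:
        return "high-entropy"     # encrypted or compressed
    return "structured"           # code, strings, tables

def map_regions(data: bytes, window: int = WINDOW):
    """Merge adjacent windows with the same label into (start, end, label)."""
    labels = [(off, classify(data[off:off + window]))
              for off in range(0, len(data), window)]
    regions = []
    for label, run in groupby(labels, key=lambda item: item[1]):
        offsets = [off for off, _ in run]
        regions.append((offsets[0], min(offsets[-1] + window, len(data)), label))
    return regions

def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for encrypted data (constructed sample input)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def build_sample() -> bytes:
    """Constructed image: cipher-like, readable strings, erased flash, cipher-like."""
    text = (b"Generic Bluetooth SDIO driver\x00" * 300)[:0x2000]
    return pseudo_random(0x4000) + text + b"\xff" * 0x2000 + pseudo_random(0x2000)

if __name__ == "__main__":
    for start, end, label in map_regions(build_sample()):
        print(f"0x{start:06X}-0x{end:06X}  {label}")
```

Keep the window at 1 KiB or larger: a short window cannot reach 8 bits/byte even on random data, so small windows and a short final window read as structured.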


#15 - GunMeat - January 4, 2016 // 10:25 pm
It's perfect news ...

#14 - engragy - May 19, 2015 // 2:47 pm
i think this is a big helpful step .. very cool

#13 - technodon - February 1, 2014 // 3:54 pm
Someone found a vulnerability, when you launch Vidnow for the first time it gets a file called vidzone_386_US.db.psarc, which is 5mb. This file loads into a 60k tcp buffer.

No checks are done at all on the file's size/hash/contents. A carefully crafted file may be able to exploit this or similar issues to gain code execution. You can use aldostools PS3_PSARC_GUI.exe in PS3 Tools Collection 2.7.0 (PS3 PSARC 1.2 (x32) / PS3 PSARC 1.2 x64) to unpsarc it.

#12 - RetroA - February 1, 2014 // 2:45 pm
Haa... True... Geohot Made Like 6-7 jailbreaks starting from 3.15 then finally he got sued on 3.55

#11 - anamsel007 - February 1, 2014 // 9:35 am
i agree with you...

Jail in hacker Mind...

#10 - NTA - February 1, 2014 // 4:17 am
and then 3 more firmware updates and removed features start lol.

#9 - Tek9 - February 1, 2014 // 3:12 am
Wow why am I not surprised that hackers are already figuring out ways to get into the PS4 system next thing you know homebrew appears

#8 - RetroA - January 31, 2014 // 4:34 pm
Hacking Anything Is Always Possible, But people are scared of sony, that they will sue them, THERE IS NOTHING THAT CAN'T BE HACKED

#7 - anamsel007 - January 31, 2014 // 12:19 pm
PLAYSTATION hack i think is dead... SONY is the Winner... take GeoHOtz sample... hmmmmm...

#6 - BBoy Chrif - January 31, 2014 // 11:50 am
No way.. The PS4 Still Young