Hacking exfathax.h - no error fix

mrdude

@mrdude Congrats on the 9.00 work you have been doing on the esp32 s2. I haven't tried it out yet but it is looking very promising.

In my 9.00 web hosts I have started using a "return new Promise" that gets resolved when an addEventListener 'click' is detected for the manual insertion of the USB stage.
I've been trying to find a way to auto detect if a USB drive has been inserted using javascript and I came across this but unfortunately it is not compatible with the PS4 browser. (or at least I could not get it to work)

https://developer.mozilla.org/en-US/docs/Web/API/WebUSB_API
https://developer.mozilla.org/en-US/docs/Web/API/USBConnectionEvent

Is there a similar function for the ESP that can physically detect when a USB drive is mounted?
If so this could be useful in eliminating the timing variable from when the code tells the ESP to mount a usb drive to the actual time of when it has done it.

I haven't used the ESP32 S2 in a while but when I did I had it set up as a network device rather than an access point but I found that during testing every time the timing of the USB mounting was slightly different. Could be a few hundred milliseconds or sometimes a couple of seconds.

If we could set the wait time for the kernel exploit to trigger when the ESP has detected that the USB has been mounted rather than a set time from when the enableUSB has been requested it might work a little better.

I don't know if any of this will be of any help but I thought I'd mention it just in case. :)
What you could do is when the script runs this part of the code:

Code:
void enableUSB() {
  dev.vendorID("PS4");
  dev.productID("ESP32 Server");
  dev.productRevision("1.0");
  dev.onRead(onRead);
  dev.mediaPresent(true);
  dev.begin(8192, 512);
  USB.begin();
  enTime = millis();
  hasEnabled = true;
}

is add a function call to the end of that, which would send a web page to spiffs with something in it like this:

Code:
sessionStorage.setItem('usbenabled', true);

You could then make a while loop in the loader which runs the temp page and looks for "sessionStorage.getItem" (the value); if it returns true it would know the usb has been mounted correctly.

After it reads the value - add a call in the loader to remove the temp web page from spiffs.

That should do what you want to achieve without messing about too much or caring about the browser.
 
  • Like
Reactions: peteruk and Leeful

marek256

1: It's only for ESP32 S2, other chips use different code because the commands in the ESP32 S2 libraries are different from ESP32.

2: My home network is on 192.168.0.x, so if I switch to wifi mode instead of access mode I can connect without also needing to change the IP address. I think most people's routers have IP address range 192.168.0.x or 192.168.1.x. Plus if you look on your PS4 Settings/Network/View Connection Status/Default Gateway - it tells you the address, so you don't need to remember anything.

3: Sometimes you will probably get a "failed to trigger" type message because you are not giving the chip long enough to work - it's set at 12 seconds because after many tries that is what works best for me. Still you have the option to change it and you can do that straight from your PS4 web browser if you have any issues. (192.168.0.31/config.html)

4: Semantics...but you have the sketch so you can type whatever message you want in there. Still I suppose I could add a section in the config page to change that to whatever you want.

Apart from these "personal" changes, did you find any actual errors in the code that you think would be better?
Hello, I think you have done great work. I am not very good at finding errors; I am just a somewhat advanced user, so do not expect anything special from me. All I can offer is a note from a user. I believe that the sketch is good, timing is working, and choosing the payload works as well. All I can recommend is to make it more foolproof, I mean to create a final bin file to upload and maybe expand the options. For example, to make a list of payloads to load automatically (I mean a list of GoldHENs), maybe to have an option to turn autohen on and off, and some small tweaks if possible, like changing the background color or, as you suggested, an option to change the text. I believe this is all. I think most regular users need a stable, fast, simple bin file with some additional functions like auto hen on and off, a list of payloads to choose from except autohen, and the possibility to add or remove payloads (which already exists). Thank you for everything.
 
  • Like
Reactions: eemcmCL

mrdude

@Leeful

Actually, come to think about it - it would probably be easier instead of making a web page, is to make a blank text file in spiffs and then use the loader to see if it exists. Something like this:

Code:
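// Write the flag file that the loader looks for once the USB drive is enabled.
void maketemp() {
  File file = SPIFFS.open("/1.txt", "w");
  if (!file) {
    return;  // open failed, so there is nothing to write or close
  }
  file.print("1");
  file.close();
}

// Remove the flag file so a stale flag is never left behind.
void cleantemp() {
  if (SPIFFS.exists("/1.txt")) {
    SPIFFS.remove("/1.txt");
  }
}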

void enableUSB() {
  dev.vendorID("PS4");
  dev.productID("ESP32 Server");
  dev.productRevision("1.0");
  dev.onRead(onRead);
  dev.mediaPresent(true);
  dev.begin(8192, 512);
  USB.begin();
  maketemp();
  enTime = millis();
  hasEnabled = true;
}

Instead of using the timer in the loader, just check that 1.txt exists. When disableusb is called, call the cleantemp() function to remove it, also call the cleantemp in setup when the chip starts to clean up any artefacts.

remove usbWaittime here:
BUtUJN9.png


Instead add a loop to check 1.txt exists, when it finds it - the usb will be mounted, so it should be safe to continue.

In the loader, something like this:
Code:
var usbfile = new File("/1.txt");

if(usbfile.exists()){
  //run hack here...
}
 
Last edited by mrdude,
  • Like
Reactions: Leeful

eemcmCL

@mrdude Congrats on the 9.00 work you have been doing on the esp32 s2. I haven't tried it out yet but it is looking very promising.

In my 9.00 web hosts I have started using a "return new Promise" that gets resolved when an addEventListener 'click' is detected for the manual insertion of the USB stage.
I've been trying to find a way to auto detect if a USB drive has been inserted using javascript and I came across this but unfortunately it is not compatible with the PS4 browser. (or at least I could not get it to work)

Is there a similar function for the ESP that can physically detect when a USB drive is mounted?
If so this could be useful in eliminating the timing variable from when the code tells the ESP to mount a usb drive to the actual time of when it has done it.

I haven't used the ESP32 S2 in a while but when I did I had it set up as a network device rather than an access point but I found that during testing every time the timing of the USB mounting was slightly different. Could be a few hundred milliseconds or sometimes a couple of seconds.

If we could set the wait time for the kernel exploit to trigger when the ESP has detected that the USB has been mounted rather than a set time from when the enableUSB has been requested it might work a little better.

I don't know if any of this will be of any help but I thought I'd mention it just in case. :)

Will it launch an esp32 server? Before I bought my S2 mini board, I always used their hosts for 9.00 and never had a problem, they work perfectly.

I only hope for the day when, visiting the forum, I find the news that you have published a server for esp32.
 


muhlisabdi

After what seems like about a million attempts, I have finally fixed the file system error message for those running chips that can send a usb image....

Replace the included exfathax.h included in the attachment for what you have in your arduino sketches and change your onread function to this:

Code:
static int32_t onRead(uint32_t lba, uint32_t offset, void * buffer, uint32_t bufsize) {
  if (lba > 130) {
    lba = 130;
  }
  memcpy(buffer, exfathax[lba] + offset, bufsize);
  return bufsize;
}

That will fix the file system errors when sending the exfat usb image as this mod has a small 512byte fat image added to it, which the ps4 will not error out with. This should give a faster and more stable hack.

Enjoy!
Why not modify it like this:
if (lba > 128) {
  lba = 128;
}
 

mrdude

What would be the difference?
The code that is sent to the ps4 is a 4mb drive image (dev.begin(8192, 512) = 4,194,304 bytes). Reading 512 byte blocks x 130 is sufficient to send the 66,560 bytes that contains the modded exfat usb to the beginning of that mounted drive which is 66,048 bytes. If you send less than that, you don't end up sending the full amount of data. However I am sure some would wish to argue about this, but as I modded the image, I know what size it is, and set the size of 130 so enough data would be sent. Also you can send this to your computer and open the disk image in winhex to check what data is being sent.

The thing is - the code works fine, so why even bother worrying about it, trying to send 1024 bytes less is not going to make any difference when you are mounting a 4mb drive image.
 
Last edited by mrdude,
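
Added example, not part of the original posts or of the project's code: a bounds-checked variant of the `onRead` block-read callback quoted earlier in the thread. Instead of clamping the LBA (which serves the last stored row again for every higher block), it returns zeros for every block past the stored data and never lets `offset + bufsize` run past the backing array or the advertised drive size. The `image` array, its size `IMAGE_BLOCKS`, and the names `safe_read` and `fill_image` are assumptions made for illustration; the data is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE   512u
#define DISK_BLOCKS  8192u  /* advertised size, as in dev.begin(8192, 512) */
#define IMAGE_BLOCKS 4u     /* constructed: number of rows actually stored */

/* Constructed stand-in for the stored image data (not the real exfathax.h). */
static uint8_t image[IMAGE_BLOCKS][BLOCK_SIZE];

/* Give each stored row a recognisable byte value (row 0 -> 1, row 1 -> 2...). */
static void fill_image(void)
{
    for (uint32_t row = 0; row < IMAGE_BLOCKS; row++)
        memset(image[row], (int)(row + 1), BLOCK_SIZE);
}

/*
 * Bounds-checked read callback with the same parameters as onRead.
 * Returns the number of bytes written to buffer, or -1 when the request is
 * malformed or runs past the end of the advertised drive.
 */
static int32_t safe_read(uint32_t lba, uint32_t offset, void *buffer, uint32_t bufsize)
{
    if (buffer == NULL || offset >= BLOCK_SIZE || bufsize > (uint32_t)INT32_MAX)
        return -1;

    /* 64-bit arithmetic so lba * BLOCK_SIZE cannot wrap around. */
    uint64_t start = (uint64_t)lba * BLOCK_SIZE + offset;
    uint64_t end = start + bufsize;
    uint64_t disk_bytes = (uint64_t)DISK_BLOCKS * BLOCK_SIZE;
    uint64_t image_bytes = sizeof(image);

    if (end > disk_bytes)
        return -1;

    /* Bytes of this request that are backed by stored data. */
    uint64_t backed = 0;
    if (start < image_bytes)
        backed = (end < image_bytes ? end : image_bytes) - start;

    if (backed > 0)
        memcpy(buffer, (const uint8_t *)image + start, (size_t)backed);
    /* The rest of the drive is not stored anywhere, so it reads as zeros. */
    memset((uint8_t *)buffer + backed, 0, (size_t)(bufsize - backed));
    return (int32_t)bufsize;
}

int main(void)
{
    uint8_t buf[2 * BLOCK_SIZE];

    fill_image();
    /* Two-block read starting at the last stored row: second block is zeros. */
    int32_t n = safe_read(IMAGE_BLOCKS - 1, 0, buf, sizeof(buf));
    printf("read=%d first=%u tail=%u\n", (int)n, (unsigned)buf[0], (unsigned)buf[BLOCK_SIZE]);
    /* A request that runs off the end of the advertised drive is refused. */
    printf("past end=%d\n", (int)safe_read(DISK_BLOCKS - 1, 0, buf, sizeof(buf)));
    return 0;
}
```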

PAYAMiN

Dear @mrdude
First of all, I know I may not be asking this question in the right thread, but as I couldn't find any clue about my issue when I asked in some other posts, I am asking you, as you sound very professional in this sort of thing.

I have a nanoESP32-S2 with ESP32-S2-WROOM chip (this one: /wuxx/nanoESP32-S2/blob/master/README_en.md at github, seems that no link is allowed!). I wrote several codes on my board from various coders but none of them worked.

It seems the exploit is successfully deployed, but when it tries to trigger ExFatHax it fails with this error: "Failed to trigger exploit kernel heap might be corrupted, try again or reboot the console"

I flashed exfathax.img, exfathax_pico.img as well as your USBHack.img file on a 4GB flash disk and connected it to one of the board's USB-C ports with a "USB-C to USB-A OTG" while connecting USB-C as the power cable to another free USB-C port. (I tested both CH340 and ESP32 ports) but cannot run the jailbreak on my PS4.

Would you please take a look at this board and let me know what the problem is? It took several hours from me and I still cannot successfully jailbreak my console, while there is no issue with the legacy direct USB connection method.

thank you dude!

 

mrdude

Connect an LED to the pin that enables power to the usb drive, the gnd led pin to gnd - when the code activates to supply power to the usb drive the led should light up, if not - you need to mod the code you are using to set the pin high on your board that you are using for your usb drive.
 
  • Like
Reactions: peteruk

PAYAMiN

Thanks, very smart solution, I will find a LED, try and share the result.

Indeed, when I connect my board to a laptop in order to supply power, once the exploit tries to trigger the EXFATHAX, one USB disk appears in Windows along with the new device connection BEEP sound, and it gets disconnected after around 10 seconds and the failure message appears on the PS4 right after it.

1. Does it mean USB emulation is working fine?

2. I tried your code but get an error in the writing phase. In the Stooged code there is one option for Enable USB, and I think I should change it to True as my board doesn't have enough storage, am I right?
If yes, which USB Pin has to be selected? The default is 4, considering I am using a USB-C to USB OTG cable.
 

mrdude

Before you do that, test your usb drive by using one of the online exploit websites, once you have confirmed your USB drive is flashed properly by using those sites and your PS4 is getting exploited you will know the USB drive is flashed properly and you are not having any issues with your USB port.

Next once you confirmed your USB drive is working, mod the code on your chip to set the USB drive active as soon as your chip gets plugged in, that way you can use the online exploit host again and when asked to insert the USB drive - plug your chip in, if the exploit doesn't run you will know there's a problem with your soldering or hardware.
 
Last edited by mrdude,
  • Like
Reactions: Leeful and peteruk

Leeful

....mod the code on your chip to set the USB drive active as soon as your chip gets plugged in, ....
This is a brilliant idea for testing if the ESP is working as a USB drive on your PS4. :)

Another test you could do after modding your ESP sketch as mentioned is to go to Settings > Devices > USB Storage Devices and see if your ESP shows up as a connected device.
20230116111829.png
Yours will probably say something slightly different than mine but you will know if your ESP is being seen as a USB drive on your PS4 when the USB emulation is active.
 
  • Like
Reactions: peteruk and mrdude

mrdude

There's no reason the code for esp32 can't be modded to switch between using the dongle as a USB drive or a dongle. You would just need to add a momentary push button switch to run a function that wrote a small config file into spiffs. If the config file was found on a chip reset the code could turn the USB on automatically so you could use it as a USB drive instead of a dongle, another press could then erase that file and the dongle would act as a dongle. Not only would it be helpful for using the chip for online hosts and as a drive, but it would be easy to switch between that and using it as an access point with its own exploit running.
 
  • Like
Reactions: peteruk

eemcmCL

Hi Mr. Dude, sorry for commenting on something that has nothing to do with the original post, but I need help to know if I'm doing things right.

I want the esp32 to turn on the LED to make three quick blinks and then blink every second. I did the query on stooged's github and it told me to add the following to the sketch:

First set up your globals.

int LED = LED_BUILTIN;
boolean ledOn = false;
long ledTime = 0;

Then in the setup() function set the pin mode to output.

pinMode(LED, OUTPUT);

Then in the loop() add the blinky code.

if (millis() >= (ledTime + 1000)) {
  if (ledOn) {
    ledOn = false;
    digitalWrite(LED, LOW);
  } else {
    ledOn = true;
    digitalWrite(LED, HIGH);
  }
  ledTime = millis();
}

Added the code and my sketch was like this:

void setup() {
  //HWSerial.begin(115200);
  //HWSerial.println("Version: " + firmwareVer);
  //USBSerial.begin();

  pinMode(LED, OUTPUT);
  for (int i = 0; i < 3; i++) { // blink the LED 3 times
    digitalWrite(LED, HIGH);    // turn the LED on
    delay(200);                 // wait 200 ms
    digitalWrite(LED, LOW);     // turn the LED off
    delay(200);                 // wait 200 ms
  }
}

void loop() {
  // Toggle the LED every 2000 ms without blocking the rest of loop().
  if (millis() >= (ledTime + 2000)) {
    if (ledOn) {
      ledOn = false;
      digitalWrite(LED, LOW);
    } else {
      ledOn = true;
      digitalWrite(LED, HIGH);
    }
    ledTime = millis();
  }
  if (espSleep && !isFormating) {
    if (millis() >= (bootTime + (TIME2SLEEP * 60000))) {
      //HWSerial.print("Esp sleep");
      esp_sleep_pd_config(ESP_PD_DOMAIN_RTC_PERIPH, ESP_PD_OPTION_OFF);
      esp_deep_sleep_start();
      return;
    }
  }
  if (hasEnabled && millis() >= (enTime + 15000)) {
    disableUSB();
  }
#if !USESD
  if (isFormating) {
    //HWSerial.print("Formatting Storage");
    isFormating = false;
    FILESYS.end();
    FILESYS.format();
    FILESYS.begin(true);
    delay(1000);
#if USECONFIG
    writeConfig();
#endif
  }
#endif
  dnsServer.processNextRequest();
}

The code works, but I would like to confirm if it is correct.

Another query, I have two boards, one I use only on the ps4 and the other for testing.

The one I use for testing, I don't know if it's bad, since it works, but when I connect it to the internet it restarts in a loop. If I use it normally by connecting the ps4 to the board's wifi it works fine and sometimes it restarts but it works normal again.

How can I confirm if the board is bad from the factory?
 

mrdude

How can I confirm if the board is bad from the factory?
Run the blink sketch for the onboard led, or add an led to one of the pins and tell the sketch to turn the led on. If it works then the board is fine and your sketch is the problem.

Also I don't get involved with other people's code, if you have an issue with it - ask the person that made it. Or learn to code yourself so you can fix it. It's not difficult to learn.
 
Last edited by mrdude,

PAYAMiN

@mrdude @Leeful
Thanks for your suggestions. For the USB, I am pretty sure it is flashed properly, as it has worked for more than one year since the 9.00 JB was released. To make sure, I flashed it and tested again with online web hosts and it worked as expected. Also I flashed it with main (4 MB) and Pico (few KB) and the modded file of mrdude (which does not bring up the pop-up notification), and for all of them the results were the same: working fine in the online host, but not working in the ESP module.

Then, for changing the sketch to work as direct USB, unfortunately I don't have enough skill to do it; if you help me with how to code it I would be thankful :bow:
 
