{"id":13795826,"url":"https://github.com/iHaiDeeZ/PS4Offsets-With-Payloads","last_synced_at":"2025-05-13T00:30:35.709Z","repository":{"id":148037652,"uuid":"123576781","full_name":"iHaiDeeZ/PS4Offsets-With-Payloads","owner":"iHaiDeeZ","description":"PS4 Offsets Documentation ","archived":false,"fork":false,"pushed_at":"2018-07-04T16:48:00.000Z","size":114,"stargazers_count":15,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-03T23:05:53.254Z","etag":null,"topics":["c","offsets","payload","ps4"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iHaiDeeZ.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-02T12:31:08.000Z","updated_at":"2024-08-03T23:05:54.368Z","dependencies_parsed_at":null,"dependency_job_id":"f84ca03b-610e-48cf-8546-86f80fb7734f","html_url":"https://github.com/iHaiDeeZ/PS4Offsets-With-Payloads","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iHaiDeeZ%2FPS4Offsets-With-Payloads","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iHaiDeeZ%2FPS4Offsets-With-Payloads/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iHaiDeeZ%2FPS4Offsets-With-Payloads/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iHaiDeeZ%2FPS4Offsets-With-Payloads/manifests","owner_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/owners/iHaiDeeZ","download_url":"https://codeload.github.com/iHaiDeeZ/PS4Offsets-With-Payloads/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225159837,"owners_count":17430189,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","offsets","payload","ps4"],"created_at":"2024-08-03T23:01:02.881Z","updated_at":"2024-11-18T10:30:54.885Z","avatar_url":"https://github.com/iHaiDeeZ.png","language":"C","funding_links":[],"categories":["Examples and Tutorials"],"sub_categories":["Remote Package Installers"],"readme":"# PS4Offsets \u0026 Payloads 1.76/4.05/4.55/5.01/5.05\n\n\u003cp align=\"center\"\u003e\n🔥 PS4Offsets ~ Use these offsets if you need to update your old payloads. 
🔥\n  \u003cbr\u003e\n\u003c/p\u003e\n\n# 4.05\n```\n#define KERN_XFAST_SYSCALL 0x30EB30\n#define KERN_PROCESS_ASLR 0x2862D6\n#define KERN_PRISON_0 0xF26010\n#define KERN_ROOTVNODE 0x206D250\n#define KERN_PTRACE_CHECK_1 0xAC2F1\n#define KERN_PTRACE_CHECK_2 0xAC6A2\n#define KERNEL_REGMGR_SETINT 0x4CEAB0\n```\n```\n//Reading kernel_base...\nvoid* kernel_base = \u0026((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];\nuint8_t* kernel_ptr = (uint8_t*)kernel_base;\nvoid** got_prison0 =   (void**)\u0026kernel_ptr[KERN_PRISON_0];\nvoid** got_rootvnode = (void**)\u0026kernel_ptr[KERN_ROOTVNODE];\n\n// sceSblACMgrIsSystemUcred\nuint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);\n*sonyCred = 0xffffffffffffffff;\n// sceSblACMgrGetDeviceAccessType\nuint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);\n*sceProcType = 0x3801000000000013; // Max access\n// sceSblACMgrHasSceProcessCapability\nuint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);\n*sceProcCap = 0xffffffffffffffff; // Sce Process\n```\n```\n//Perm Browser Patch - CrazyVoids \nuint64_t *(sceRegMgrSetInt)(uint32_t regId, int value) = NULL;\nsceRegMgrSetInt = (void *)\u0026ptrKernel[KERNEL_REGMGR_SETINT];\nsceRegMgrSetInt(0x3C040000, 0);\n\nWill add more soon.\n```\n\n# 4.55  \n``` \n//4.55 KERN\n#define\tKERN_XFAST_SYSCALL 0x3095D0\n#define KERN_PROCESS_ASLR 0x1BA559\n#define KERN_PRISON_0 0x10399B0\n#define KERN_ROOTVNODE 0x21AFA30\n#define KERN_PTRACE_CHECK 0x17D2C1\n\n```\n```\n//Reading kernel_base...\nvoid* kernel_base = \u0026((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];\nuint8_t* kernel_ptr = (uint8_t*)kernel_base;\nvoid** got_prison0 =   (void**)\u0026kernel_ptr[KERN_PRISON_0];\nvoid** got_rootvnode = (void**)\u0026kernel_ptr[KERN_ROOTVNODE];\n\n// sceSblACMgrIsSystemUcred\nuint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);\n*sonyCred = 0xffffffffffffffff;\n// sceSblACMgrGetDeviceAccessType\nuint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 
88);\n*sceProcType = 0x3801000000000013; // Max access\n// sceSblACMgrHasSceProcessCapability\nuint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);\n*sceProcCap = 0xffffffffffffffff; // Sce Process\n```\n```\n// debug settings FULL\nkernelBase[0x1B6D086] |= 0x14;\nkernelBase[0x1B6D0A9] |= 0x3;\nkernelBase[0x1B6D0AA] |= 0x1;\nkernelBase[0x1B6D0C8] |= 0x1;\n\n// Disable write protection\n*(uint32_t*)\u0026kernelBase[0x4D70F7] = 0;\n*(uint32_t*)\u0026kernelBase[0x4D7F81] = 0;\n\n//UART Enabler 4.55\n*(char *)(kernel_base + 0x1997BC8) = 0;\n\n//EAP Internal Partition Key\nkernelBase[0x258CCD0]\n\n#elif defined PS4_4_55\n\n#define kern_off_printf 0x17F30\n#define kern_off_copyin 0x14A890\n#define kern_off_copyout 0x14A7B0\n#define kern_off_copyinstr 0x14AD00\n#define kern_off_kmem_alloc_contig 0x250320\n#define kern_off_kmem_free 0x16EEA0\n#define kern_off_pmap_extract 0x41DBC0\n#define kern_off_pmap_protect 0x420310\n#define kern_off_sched_pin 0x73770\n#define kern_off_sched_unpin 0x73780\n#define kern_off_smp_rendezvous 0xB2BB0\n#define kern_off_smp_no_rendevous_barrier 0xB2970\n#define kern_off_icc_query_nowait 0x808C0\n#define kern_off_kernel_map 0x1B31218\n#define kern_off_sysent 0x102B690\n#define kern_off_kernel_pmap_store 0x21BCC38\n#define kern_off_Starsha_UcodeInfo 0\n#define kern_off_gpu_devid_is_9924 0x496720\n#define kern_off_gc_get_fw_info 0x4A12D0\n\n#define kern_off_pml4pml4i 0x21BCC28\n#define kern_off_dmpml4i 0x21BCC2C\n#define kern_off_dmpdpi 0x21BCC30\n```\n# 5.01 Offsets\n\n```\n\nKERN_XFAST_SYSCALL 0x1C0 //5.0x https://twitter.com/C0rpVultra/status/992789973966512133\nKERN_PRISON_0\t\t0x10986A0 //5.01\nKERN_ROOTVNODE\t\t0x22C19F0 //5.01\nKERN_PMAP_PROTECT\t0x2E2D00 //5.01\nKERN_PMAP_PROTECT_P\t0x2E2D44 //5.01\nKERN_PMAP_STORE\t\t0x22CB4F0 //5.01\nKERN_REGMGR_SETINT\t0x4F8940 //5.01\nKERN_PROCESS_ASLR 0x194765 //5.01 Thanks to J00ni3 - Need Verification\nKERN_PTRACE_CHECK 0x30D633 //5.01 Thanks to J00ni3 - Need 
Verification\nDT_HASH_SEGMENT\t\t0xB5EE20 //5.01\n```\n```\n//Reading kernel_base...\nvoid* kernel_base = \u0026((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];\nuint8_t* kernel_ptr = (uint8_t*)kernel_base;\nvoid** got_prison0 =   (void**)\u0026kernel_ptr[KERN_PRISON_0];\nvoid** got_rootvnode = (void**)\u0026kernel_ptr[KERN_ROOTVNODE];\n\n// sceSblACMgrIsSystemUcred\nuint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);\n*sonyCred = 0xffffffffffffffff;\n// sceSblACMgrGetDeviceAccessType\nuint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);\n*sceProcType = 0x3801000000000013; // Max access\n// sceSblACMgrHasSceProcessCapability\nuint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);\n*sceProcCap = 0xffffffffffffffff; // Sce Process\n```\n```\n  \n// debug settings patches 5.01\n*(char *)(kernel_base + 0x1CD0686) |= 0x14;\n*(char *)(kernel_base + 0x1CD06A9) |= 3;\n*(char *)(kernel_base + 0x1CD06AA) |= 1;\n*(char *)(kernel_base + 0x1CD06C8) |= 1;\n\n// debug menu error patches 5.01\n*(uint32_t *)(kernel_base + 0x4F8C78) = 0;\n*(uint32_t *)(kernel_base + 0x4F9D8C) = 0;\n\n// target_id patches 5.01\n*(uint16_t *)(kernel_base + 0x1CD068C) = 0x8101;\n*(uint16_t *)(kernel_base + 0x236B7FC) = 0x8101;\n\n// disable pfs signature 5.01\n*(uint32_t *)(kernel_base + 0x6A2320) = 0x90C3C031;\n\n// flatz enable RIFs 5.01\n  *(uint32_t *)(kernel_base + 0x64AED0) = 0x90C301B0;\n  *(uint32_t *)(kernel_base + 0x64AEF0) = 0x90C301B0;\n  \n// enable perm browser 5.01\nuint64_t *(sceRegMgrSetInt)(uint32_t regId, int value) = NULL;\nsceRegMgrSetInt = (void *)\u0026ptrKernel[KERNEL_REGMGR_SETINT];\nsceRegMgrSetInt(0x3C040000, 0, 0, 0, 0);\n\n// enable mmap of all SELF 5.01\n*(uint8_t*)(kernel_base + 0x117B0) = 0xB0;\n*(uint8_t*)(kernel_base + 0x117B1) = 0x01;\n*(uint8_t*)(kernel_base + 0x117B2) = 0xC3;\n\n*(uint8_t*)(kernel_base + 0x117C0) = 0xB0;\n*(uint8_t*)(kernel_base + 0x117C1) = 0x01;\n*(uint8_t*)(kernel_base + 0x117C2) = 0xC3;\n\n*(uint8_t*)(kernel_base 
+ 0x13EF2F) = 0x31;\n*(uint8_t*)(kernel_base + 0x13EF30) = 0xC0;\n*(uint8_t*)(kernel_base + 0x13EF31) = 0x90;\n*(uint8_t*)(kernel_base + 0x13EF32) = 0x90;\n*(uint8_t*)(kernel_base + 0x13EF33) = 0x90;\n\n#elif defined PS4_5_01\n\n#define kern_off_printf 0x00435C70\n#define kern_off_copyin 0x1EA600\n#define kern_off_copyout 0x1EA520\n#define kern_off_copyinstr 0x1EAA30\n#define kern_off_kmem_alloc_contig 0xF1B80\n#define kern_off_kmem_free 0xFCD40\n#define kern_off_pmap_extract 0x2E02A0\n#define kern_off_pmap_protect 0x2E2D00\n#define kern_off_sched_pin 0x31FB70\n#define kern_off_sched_unpin 0x31FB80\n#define kern_off_smp_rendezvous 0x1B84A0\n#define kern_off_smp_no_rendevous_barrier 0x1B8260\n#define kern_off_icc_query_nowait 0x44020\n#define kern_off_kernel_map 0x1AC60E0\n#define kern_off_sysent 0x107C610\n#define kern_off_kernel_pmap_store 0x22CB4F0\n#define kern_off_Starsha_UcodeInfo 0\n#define kern_off_gpu_devid_is_9924 0x4DDC40\n#define kern_off_gc_get_fw_info 0x4D33D0\n\n#define kern_off_pml4pml4i 0x22CB4E0\n#define kern_off_dmpml4i 0x22CB4E4\n#define kern_off_dmpdpi 0x22CB4E8\n\n#endif\n```\n# 5.05 Offsets\n```\nKERN_XFAST_SYSCALL 0x00001C0 //5.0x https://twitter.com/C0rpVultra/status/992789973966512133\nKERN_PRISON_0\t\t0x10986a0\nKERN_ROOTVNODE\t0x22c1a70\nKERN_PMAP_PROTECT\t0x2E3090\nKERN_PROCESS_ASLR 0x194875\nKERN_PTRACE_CHECK 0x30D9AA\n\nKERN_PMAP_PROTECT\t0x2E3090\nKERN_PMAP_PROTECT_P\t0x2E30D4\nKERN_PMAP_STORE\t\t0x22CB570\n\nDT_HASH_SEGMENT\t\t0xB5EF30\n\n```\n```\n//Reading kernel_base...\nvoid* kernel_base = \u0026((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];\nuint8_t* kernel_ptr = (uint8_t*)kernel_base;\nvoid** got_prison0 =   (void**)\u0026kernel_ptr[KERN_PRISON_0];\nvoid** got_rootvnode = (void**)\u0026kernel_ptr[KERN_ROOTVNODE];\n\n// sceSblACMgrIsSystemUcred\nuint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);\n*sonyCred = 0xffffffffffffffff;\n// sceSblACMgrGetDeviceAccessType\nuint64_t *sceProcType = (uint64_t *)(((char 
*)td_ucred) + 88);\n*sceProcType = 0x3801000000000013; // Max access\n// sceSblACMgrHasSceProcessCapability\nuint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);\n*sceProcCap = 0xffffffffffffffff; // Sce Process\n```\n```\n//UART Enabler 5.05 Thanks to @DiwiDog // https://twitter.com/diwidog/status/996362528312647680\n*(char *)(kernel_base + 0x09ECEB0) = 0;\n\n// debug settings patches 5.05\n*(char *)(kernel_base + 0x1CD0686) |= 0x14;\n*(char *)(kernel_base + 0x1CD06A9) |= 3;\n*(char *)(kernel_base + 0x1CD06AA) |= 1;\n*(char *)(kernel_base + 0x1CD06C8) |= 1;\n\n// debug menu error patches 5.05\n*(uint32_t *)(kernel_base + 0x4F9048) = 0;\n*(uint32_t *)(kernel_base + 0x4FA15C) = 0;\n\n// enable mmap of all SELF 5.05\n*(uint8_t*)(kernel_base + 0x117B0) = 0xB0;\n*(uint8_t*)(kernel_base + 0x117B1) = 0x01;\n*(uint8_t*)(kernel_base + 0x117B2) = 0xC3;\n\n*(uint8_t*)(kernel_base + 0x117C0) = 0xB0;\n*(uint8_t*)(kernel_base + 0x117C1) = 0x01;\n*(uint8_t*)(kernel_base + 0x117C2) = 0xC3;\n\n*(uint8_t*)(kernel_base + 0x13F03F) = 0x31;\n*(uint8_t*)(kernel_base + 0x13F040) = 0xC0;\n*(uint8_t*)(kernel_base + 0x13F041) = 0x90;\n*(uint8_t*)(kernel_base + 0x13F042) = 0x90;\n*(uint8_t*)(kernel_base + 0x13F043) = 0x90;\n\n// flatz disable pfs signature check 5.05\n*(uint32_t *)(kernel_base + 0x6A2700) = 0x90C3C031;\n// flatz enable debug RIFs 5.05\n*(uint32_t *)(kernel_base + 0x64B2B0) = 0x90C301B0;\n*(uint32_t *)(kernel_base + 0x64B2D0) = 0x90C301B0;\n\n// debug pkg free string\n#define fake_free_patch                 0xEA96A7\n\n// make pkgs installer working with external hdd\n#define pkg_installer_patch\t\t0x9312A1\n\n\n// Fself\n#define sceSblAuthMgrSmStart_addr       0x6418E0\n#define sceSblServiceMailbox_addr       0x632540\n#define sceSblAuthMgrGetSelfInfo_addr   0x63CD40\n#define sceSblAuthMgrIsLoadable2_addr   0x63C4F0\n#define sceSblAuthMgrVerifyHeader_addr  0x642B40\n\n// Fpkg\n#define sceSblPfsKeymgrGenKeys_addr     0x62D480\n#define sceSblPfsSetKeys_addr          
 0x61EFA0\n#define sceSblKeymgrClearKey_addr       0x62DB10\n#define sceSblKeymgrSetKeyForPfs_addr   0x62D780\n#define sceSblKeymgrSmCallfunc_addr     0x62E2A0\n#define sceSblDriverSendMsg_addr        0x61D7F0\n#define RsaesPkcs1v15Dec2048CRT_addr    0x1FD7D0\n#define AesCbcCfb128Encrypt_addr        0x3A2BD0\n#define AesCbcCfb128Decrypt_addr        0x3A2E00\n#define Sha256Hmac_addr                 0x2D55B0\n\n// Patch\n#define proc_rwmem_addr                 0x30D150\n#define vmspace_acquire_ref_addr        0x19EF90\n#define vmspace_free_addr               0x19EDC0\n#define vm_map_lock_read_addr           0x19F140\n#define vm_map_unlock_read_addr         0x19F190\n#define vm_map_lookup_entry_addr        0x19F760\n\n// Fself hooks\n#define sceSblAuthMgrIsLoadable2_hook                             0x63E3A1\n#define sceSblAuthMgrVerifyHeader_hook1                           0x63EAFC\n#define sceSblAuthMgrVerifyHeader_hook2                           0x63F718\n#define sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox_hook 0x64318B\n#define sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox_hook   0x643DA2\n\n// Fpkg hooks\n#define sceSblKeymgrSmCallfunc_npdrm_decrypt_isolated_rif_hook    0x64C720\n#define sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new_hook         0x64D4FF\n#define sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook       0x624065\n#define mountpfs__sceSblPfsSetKeys_hook1                          0x6AAAD5\n#define mountpfs__sceSblPfsSetKeys_hook2                          0x6AAD04\n\n// SceShellCore patches\n\n// call sceKernelIsGenuineCEX\n#define sceKernelIsGenuineCEX_patch1    0x16D05B \n#define sceKernelIsGenuineCEX_patch2    0x79980B\n#define sceKernelIsGenuineCEX_patch3    0x7E5A13\n#define sceKernelIsGenuineCEX_patch4    0x94715B\n\n// call nidf_libSceDipsw\n#define nidf_libSceDipsw_patch1         0x16D087\n#define nidf_libSceDipsw_patch2         0x23747B\n#define nidf_libSceDipsw_patch3         0x799837\n#define nidf_libSceDipsw_patch4         
0x947187\n\n// enable fpkg\n#define enable_fpkg_patch               0x3E0602\n\n#elif defined PS4_5_05 // Thanks to #J0nni3\n\n#define kern_off_printf                     0x436040\n#define kern_off_copyin                     0x1EA710\n#define kern_off_copyout                    0x1EA630\n#define kern_off_copyinstr                  0x1EAB40\n#define kern_off_kmem_alloc_contig          0xF1C90\n#define kern_off_kmem_free                  0xFCE50\n#define kern_off_pmap_extract               0x2E0570\n#define kern_off_pmap_protect               0x2E3090\n#define kern_off_sched_pin                  0x31FF40\n#define kern_off_sched_unpin                0x31FF50\n#define kern_off_smp_rendezvous             0x1B85B0\n#define kern_off_smp_no_rendevous_barrier   0x1B8366\n#define kern_off_icc_query_nowait           0x44020\n#define kern_off_kernel_map                 0x1AC60E0\n#define kern_off_sysent                     0x107C610\n#define kern_off_kernel_pmap_store          0x22CB570\n#define kern_off_Starsha_UcodeInfo 0\n#define kern_off_gpu_devid_is_9924          0x4DE010\n#define kern_off_gc_get_fw_info             0x4D37A0\n#define kern_off_pml4pml4i                  0x22CB560 // Pending verification.\n#define kern_off_dmpml4i                    0x22CB564\n#define kern_off_dmpdpi                     0x22CB568\n```\nPlease open a pull request for anything that is missing or if you want to add something.\nThis will be updated over time as more offsets are added.\n\n## Contributors\nMassive thanks to the following:\n\n- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)\n- [Flatz](https://twitter.com/flat_z)\n- SpecterDev\n- Many others\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FiHaiDeeZ%2FPS4Offsets-With-Payloads","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FiHaiDeeZ%2FPS4Offsets-With-Payloads","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FiHaiDeeZ%2FPS4Offsets-With-Payloads/lists"}