Please note that you are required to have a exploited PlayStation 4 console to run the patches mentioned in this article.
I’m not much of a fan of sprinting camera shake myself so let’s see what we can do about it.
Diving into nothingness
Opening the executable in Ghidra and searching for
Disable Camera gives few results. But these are just text strings, what are they for?
These seem to be leftovers from developer menu code.
For PS3. We can see here that it points to addresses.
012b1d98 01 4f 34 12 addr DAT_014f3412 // byte 012b1d9c 00 ec 86 a0 addr s_Disable_Camera_Additives_00ec86a0 // string
On PS4, there’s a submenu dedicated to this.
uVar1 = FUN_00c81020(0xa0); FUN_00a29940(uVar1,"Show Camera Additives",FUN_00a298b0,&DAT_01524d28,0); FUN_00a2dcd0(param_1,uVar1); uVar1 = FUN_00c81020(0xa0); FUN_00a29940(uVar1,"Disable Camera Additives",FUN_00a31890,&DAT_01524d29,0); FUN_00a2dcd0(param_1,uVar1); uVar1 = FUN_00c81020(0xa0); FUN_00a29940(uVar1,"Allow Manual Camera Shake",FUN_00a31890,&DAT_0162d0aa,0); FUN_00a2dcd0(param_1,uVar1);
Let’s activate this menu in-game.
Three options. What we are interested here is
Disable Camera Additives Let’s see what happens when we enable it.
Let’s start with the PS3 version.
0x14f3412 in Memory and setting it to 1, does nothing. Why’s that?
0x14f3412 seems to be
Show Camera Additives as
final build configs have most debugging features stripped out, it doesn’t do anything. Let’s try byte next to it.
For The Last of Us, setting a breakpoint at startup and loading it’s with register 11 as it holds value 1 setup by
009941e4 39 60 00 01 li r11,0x1 made it work.
- [ be16, 0x00994234, 0x997d ] # disable camera addtiv
For Uncharted 3 however, things are not as cut and dry as one might think.
007e5884 38 00 00 01 li r0,0x1 007e58ac e8 01 00 b0 ld r0,0xb0(r1) // this will become important later 007e58cc 9b 9d 00 03 stb r28,0x3(r29)
We can try loading it with register 0. But it doesn’t work. Let’s see in the debugger to find out why.
r0 is now taken by instruction ld at
7e58ac and we can’t simply nop this and hope that the game will work. It does not.
Stuck at a deadend? Not so easy.
We can set a read breakpoint on
0x013257f3 and see where it will take us.
008242cc 88 0b 00 03 lbz r0,0x3(r11)=>DAT_013257f3
Loading intermediate with register 0 did the trick.
- [ be16, 0x008242cc, 0x3800 ]
Let’s move on to the PS4 Version.
Soothing for the eyes
We’ll need to use a byte that writes on startup, searching for something, say..
Enable OIT Assert and going to it’s reference, gives us what we need.
// uc3 1.00 0015f299 c6 80 62 MOV byte ptr [RAX + 0x762]=>DAT_016491d2,0x1 07 00 00 01 0015f2a0 c6 80 60 MOV byte ptr [RAX + 0x760]=>DAT_016491d0,0x0 07 00 00 00 // tlou 1.10 0000c2ff c6 83 ec MOV byte ptr [RBX + 0x6ec]=>DAT_0181ae5c,0x1 06 00 00 01 0000c306 c6 83 ea MOV byte ptr [RBX + 0x6ea]=>DAT_0181ae5a,0x0 06 00 00 00
Moving a byte on startup? Check. Let’s use instruction next to it.
We know that
0x01524d29 is byte we wanted to load looking from it’s menu code, we can change this instruction to load our desired byte instead.
// uc3 1.00 0015f2a0 c6 05 a2 MOV byte ptr [DAT_013f9149],0x1 9e 29 01 01 // tlou 1.10 0000c306 c6 05 1c MOV byte ptr [DAT_01524d29],0x1 8a 51 01 01
The video below showcases changes introduced by the Patch.
To apply patch and for use on an exploitable PlayStation 3 or PlayStation 4 console, you’ll have to modify the executable with a hex editor and install it back onto the console.
For RPCS3 Emulator, simply download and enable through Patch Manager.
Thanks to ZEROx for porting to Game of The Year Edition of Uncharted 3 (1.10)