PSN: Difference between revisions
Latest revision as of 06:04, 17 April 2023
PSN Handshake Signup

Signup Response

Basic structure of the response:

0x00: 4 Byte  - main header -> 30 00 00 4f
0x04: 4 Byte  - size -> 00 5e 00 47
0x08: 8 Byte  - ? Identifier, often found before Name/Handle
0x10: 16 Byte - Name/Handle
0x20: 16 Byte - language
0x26: 6 Byte  - np: 00 01 00 00 00   sp-int: 00 01 00 00 00 23
0x2a: 4 Byte  - {10 5d 00 0b}   0x000b = size of email
0x2e: x Byte  - email, here 0b in size

Legend:
Main Header  [xx xx xx ss]   ss = size
Positive Auth

Auth Reply Structure:

0x00: 4 Byte  - main header -> 31 00 00 00
0x04: 4 Byte  - size -> 00 00 00 d4
0x08: 4 Byte  - frame head -> 30 00 00 ac
0x0c: 4 Byte  - {00 08 00 14}
0x10: 20 Byte - SIGNATURE -> maybe HMAC/SHA1
0x24: 4 Byte  - {00 01 00 04}
0x28: 4 Byte  - ? 00 00 00 01 (cfr) or 00 00 01 00 (me & nks) (???)
0x2c: 4 Byte  - {00 07 00 08}
0x30: 8 Byte  - Timestamp (Login Time)
0x38: 4 Byte  - {00 07 00 08}
0x3c: 8 Byte  - Timestamp (Login Expiry)
0x44: 4 Byte  - {00 02 00 08}
0x48: 8 Byte  - Identifier *
0x50: 4 Byte  - {00 04 00 20}
0x54: 32 Byte - Name/Handle
0x74: 4 Byte  - {00 08 00 04}
0x78: 4 Byte  - language
0x7c: 4 Byte  - {00 04 00 04}
0x80: 4 Byte  - ???
0x84: 4 Byte  - {00 08 00 18}
0x88: 24 Byte - service ID
0xa0: 4 Byte  - {30 11 00 04}
0xa4: 4 Byte  - ??? 07 and 3 undef
0xa8: 4 Byte  - {00 01 00 04}
0xac: 4 Byte  - ??? 2 undef and 02 00
0xb0: 8 Byte  - 30 10 00 00 00 00 00 00
0xb8: 4 Byte  - frame head -> 30 02 00 20
0xbc: 4 Byte  - {00 08 00 04}
0xc0: 4 Byte  - Network: NP: 34 CD 3C A9   SP/QA: B8 2F CB 09
0xc4: 4 Byte  - {00 08 00 14}
0xc8: 20 Byte - SIGNATURE -> maybe HMAC/SHA1

Notes:
- Identifier: often found before Name/Handle, assigned at signup and stored in the first 8 bytes of the cache
- * Seems to be the same for the same console, differs for other consoles

Legend:
Size        [xx xx xx ss]   ss = message size
Frame Head  [xx yy ss ss]   xx = 30, yy = unknown (maybe frame number), ss = frame size in hex
Limiter     {xx xx ss ss}   xx = unknown, ss = data size in hex
Timestamps

Timestamps look like this:

X = 00 00 01 2f 31 ff a0 58h -> 1302213927000d

X / 1000 = seconds since 1970, so this date is 08.04.2011.

PHP to recheck easily:

$timestamp = 1302010662000 / 1000;
echo date("d.m.Y", $timestamp);

The value is just milliseconds since the Unix epoch.
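The frame/limiter layout of the positive auth reply and the millisecond timestamps above, walked by an added Python example that is not part of the wiki; the reply bytes are constructed to match the documented offsets (0xac and 0x20 byte frames, size 0xd4) and every field content other than the login time X and the NP network id is a placeholder.

```python
# Added example (not from the wiki): walk the positive-auth reply layout documented above and
# decode its ms timestamps. Sample bytes are constructed to that layout (placeholders, not a capture).
import struct
from datetime import datetime, timezone

def parse_auth_reply(buf):
    """31 00 00 00 | size | frames; frame head [30 yy ss ss]; limiter {tag16 len16} + data."""
    header, total = struct.unpack_from(">II", buf, 0)
    if header != 0x31000000 or 8 + total != len(buf):
        raise ValueError("not a positive auth reply, or size field does not match")
    frames, pos = [], 8
    while pos < len(buf):
        marker, frame_no, frame_len = struct.unpack_from(">BBH", buf, pos)
        pos, end = pos + 4, pos + 4 + frame_len
        if marker != 0x30 or end > len(buf):
            raise ValueError("bad frame head at 0x%02x" % (pos - 4))
        tlvs = []
        while pos < end:
            tag, length = struct.unpack_from(">HH", buf, pos)
            if pos + 4 + length > end:
                raise ValueError("limiter at 0x%02x overruns its frame" % pos)
            tlvs.append((tag, buf[pos + 4:pos + 4 + length]))
            pos += 4 + length
        frames.append((frame_no, tlvs))
    return frames

def decode_ms_timestamp(data):  # 8-byte big-endian ms since 1970 -> (ms, UTC datetime)
    ms = struct.unpack(">Q", data)[0]
    return ms, datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
def login_window(frames):
    """Login time/expiry = 3rd/4th limiters of frame 00 ({00 07 00 08} at 0x2c, 0x38); tags repeat, so position matters."""
    tlvs = frames[0][1]
    return decode_ms_timestamp(tlvs[2][1]), decode_ms_timestamp(tlvs[3][1])
def tlv(tag, data):
    return struct.pack(">HH", tag, len(data)) + data

# Constructed sample: a 0xac-byte frame 00 and a 0x20-byte frame 02, so the size field is 0xd4.
_sig = bytes([0x11]) * 20                                     # stand-in for the 20-byte signature
_frame1 = b"".join([
    tlv(0x0008, _sig), tlv(0x0001, b"\0\0\0\1"),
    tlv(0x0007, struct.pack(">Q", 1302213927000)),            # login time: the X shown above
    tlv(0x0007, struct.pack(">Q", 1302213927000 + 86400000)), # login expiry, constructed as +24h
    tlv(0x0002, bytes(range(1, 9))), tlv(0x0004, b"example_handle".ljust(32, b"\0")),
    tlv(0x0008, b"\0\0\0\3"), tlv(0x0004, b"\0\0\0\0"), tlv(0x0008, b"SERVICE-ID".ljust(24, b"\0")),
    tlv(0x3011, b"\x07\0\0\0"), tlv(0x0001, b"\0\0\2\0"), tlv(0x3010, b""), tlv(0x0000, b""),
])
_frame2 = tlv(0x0008, bytes.fromhex("34cd3ca9")) + tlv(0x0008, _sig)   # NP network id + signature
SAMPLE_REPLY = (struct.pack(">II", 0x31000000, 8 + len(_frame1) + len(_frame2))
                + struct.pack(">BBH", 0x30, 0x00, len(_frame1)) + _frame1
                + struct.pack(">BBH", 0x30, 0x02, len(_frame2)) + _frame2)
```

The decoded login time comes out as 2011-04-07 22:05:27 UTC, which is 08.04.2011 in a time zone east of UTC as the wiki states.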
Profile Settings

Request

After the auth handshake is finalized, the PS3 requests its profile settings. This is an XML-based exchange: the console sends a profile request carrying the base64-encoded auth ticket to the server as follows.

Headers:

POST /basic_view/sec/get_self_profile HTTP/1.1
Connection: Keep-Alive
Content-Length: 430
Accept-Encoding: identity
User-Agent: PS3Community-agent/1.0.0 libhttp/1.0.0
Host: Url:443

Contents:

<profile platform="ps3" sv="[VERSION]">
  <ticket>[encrypted with base64 auth handshake]</ticket>
  <env>[environment]</env>
  <avatar size="l" />
</profile>

nb: [environment] is one of the Environments, lowercased.
Response

The server's profile response:

Headers:

HTTP/1.1 200 OK
Date: Wed, 18 May 2011 08:12:42 GMT
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=UTF-8
Content-Length: 364

Content:

<profile result="00">
  <jid>[USERNAME]@[SERVER].[COUNTRY].[ENVIRONMENT].URL</jid>
  <onlinename upd="0">[Nickname on psn]</onlinename>
  <country>[Country code]</country>
  <language1>3</language1>
  <language2 />
  <language3 />
  <aboutme />
  <avatarurl id="1000">[png image url to set avatar display]</avatarurl>
  <ptlp>0</ptlp>
</profile>

Note: the get-profile request needs a different certificate to authenticate the SSL connection, in this case Dnas root 05.
Patching the PSN Ingame Login Message Dialog

This was taken from MGO2.SELF, and reversed by SaveMGO2 guys, so credits to them.

.text:0000000000AA08E8    li      r0, 1
.text:0000000000AA08EC    stw     r0, 0xC0+var_40(r1)
.text:0000000000AA08F0    b       loc_AA08F8

.text:0000000000AA08F8    addi    r3, r1, 0xC0+var_44
.text:0000000000AA08FC    bl      _cellNetCtl_cellNetCtlNetStartDialogLoadAsync # int cellNetCtlNetStartDialogLoadAsync(const struct CellNetCtlNetStartDialogParam *param)

cellNetCtlNetStartDialogLoadAsync is the function that determines whether the title is an online game or an offline game. We found this out after a while: an 8-byte array is passed to the function by address.

We found out that if we change the byte array from:

00 00 00 0c 00 00 00 01

to

00 00 00 0c 00 00 00 00

then the title is an "offline" game and doesn't require a login.

After a while, I realized we didn't have to do weird stuff with our own functions and messy stuff; the value is created in the assembly and stored at the address that is read.

So all we have to do is change the immediate value from a 1 to a 0:

li r0, 1

to

li r0, 0

which will do what we need.
How to

Find the offset where the binary calls cellNetCtlNetStartDialogLoadAsync(). The call reads in a struct:
- size
- type
- cid

type 0 = Network Game
type 1 = PSN required network game

You can simply change the type to 0: the network libraries stay loaded, but a login via PSN is no longer required. You will have to go through the rest of the binary and fulfill all NP-related library calls or patch them out as well, or it will reference library calls that have not been loaded.
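As an added Python example (not from the wiki or the SaveMGO2 write-up), this decodes the CellNetCtlNetStartDialogParam bytes shown above and the PowerPC `li r0, imm` word that fills its type field, so the value a title hands to cellNetCtlNetStartDialogLoadAsync can be read off a dump; it assumes three big-endian 32-bit fields (size, type, cid), the wiki showing only the first two.

```python
# Added example (not from the wiki or the SaveMGO2 write-up): decode the struct passed to
# cellNetCtlNetStartDialogLoadAsync and the `li r0, imm` word that fills its type field.
# Assumption: three big-endian 32-bit fields (size, type, cid); the wiki shows only size and type.
import struct

DIALOG_TYPES = {0: "Network Game", 1: "PSN required network game"}  # from the How to above

def decode_start_dialog_param(raw):
    """Return the size/type/cid fields; cid is None when only the 8 shown bytes are given."""
    if len(raw) < 8:
        raise ValueError("need at least the size and type fields (8 bytes)")
    size, kind = struct.unpack_from(">II", raw, 0)
    cid = struct.unpack_from(">I", raw, 8)[0] if len(raw) >= 12 else None
    return {"size": size, "type": kind, "type_name": DIALOG_TYPES.get(kind, "unknown"),
            "cid": cid, "requires_psn_login": kind == 1}

def decode_li(word):
    """Decode a PowerPC `li rD, SIMM` (addi rD, 0, SIMM: primary opcode 14 with rA = 0).
    Returns (rD, SIMM) with SIMM sign-extended, or None if the word is not an li."""
    opcode, rd, ra, simm = word >> 26, (word >> 21) & 0x1f, (word >> 16) & 0x1f, word & 0xffff
    if opcode != 14 or ra != 0:
        return None                       # e.g. addi r3, r1, 0xC0+var_44 has rA = r1, not an li
    return rd, (simm - 0x10000 if simm & 0x8000 else simm)
```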
PSN Store

Packages you have downloaded to your console are stored in /dev_hdd0/vsh/game_pkg. The file names are garbled, so it is safer to handle them one at a time.
PSN INFINITY v2 - Open Beta
App made by SKFU + iQD, source: http://streetskaterfu.blogspot.de/2012/03/psn-infinity-v2-open-beta.html
Dependencies are OpenSSL + VC Redists: http://www.slproweb.com/products/Win32OpenSSL.html
https://web.archive.org/web/*/http://ps3devwiki.com/files/NP/infinity.zip
PSN JSON Parser for PC

This simple script parses the online store JSON into readable text. The JSON is served at the URL below (you need to be logged in to store.sonyentertainmentnetwork.com to see the data):

https://store.sonyentertainmentnetwork.com/kamaji/api/chihiro/00_09_000/gateway/store/v1/users/me/internal_entitlements?fields=drm_def

Script: ps_store_json.sh - https://gist.githubusercontent.com/wargio/24af527aaa53a8781438/raw/57d7e090f22ea41b8ceecc8be8d398ec0480efc8/ps_store_json.sh

Usage: ./ps_store_json.sh <internal_entitlements.json>
Login into 'https://store.sonyentertainmentnetwork.com'
Save the page 'https://store.sonyentertainmentnetwork.com/kamaji/api/chihiro/00_09_000/gateway/store/v1/users/me/internal_entitlements?fields=drm_def'
Give the page to this script: './ps_store_json.sh internal_entitlements.json'
It will return something like:
ContentID: UP0001-000000000_00-0000000000000000
Content Name: Game Name
Content Size: XXX Mb
Content URL: http://zeus.dl.playstation.net/cdn/xxxxxx/000000000_00/yyyy...yyyyyyy.pkg
drmContentType: n
drmType: m
Publisher Name: Game Publisher
Title Name: Game Name Demo
Img URL: https://image.api.np.km.playstation.net/images/......
PSN PS3MFW TCL Task - 4.11 only PS3 CFW 3.55 - Open Beta

This is a PS3MFW 0.2.1 task that patches PSN 4.11 into CFW 3.55 RETAIL (beta). Use at your own risk.
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
# Created By Boludoz
# Priority: 700
# Description: Patch PSN Activator
# Option --allow-activating-psn: PSN Spoof 4.11 (requiere sproof 4.11)
# Type --allow-activating-psn: boolean

namespace eval ::patch_vsh_psn {

    array set ::patch_vsh_psn::options {
        --allow-activating-psn true
    }

    proc main { } {
        set self [file join dev_flash vsh module vsh.self]
        ::modify_devflash_file $self ::patch_vsh_psn::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_vsh_psn::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "Patching [file tail $elf] to allow activating psn content offline"

            set offset "0x679E30"
            set search "\x39\x39\x2e\x39\x39\x00\x00\x00\x25\x30\x32\x64\x2e\x25\x30\x32\x20"
            set replace "\x39\x39\x2e\x39\x39\x00\x00\x00\x30\x34\x2e\x31\x31\x00\x00\x00"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            set offset "0x679E40"
            set search "\x64\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"
            set replace "\x00\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8400"
            set search "\x42\x8A\x8A\x72\x09\x13\x8F\x12\x48\x4E\xA4\xF0\xD0\x4C\xED\xF4"
            set replace "\x42\x8A\x8A\x72\x49\xE4\xB5\x6D\x14\xFE\x48\xB9\xD1\x87\x7F\xDF"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8410"
            set search "\xB8\x22\x80\xE4\x3C\xB5\x88\x76\x75\x03\xD5\xEF\xB1\x70\xAA\x19"
            set replace "\x1C\xE0\xC6\x21\xA3\x74\x2C\x45\x67\x8B\x69\x4D\x32\xC0\xDC\xD9"

            set offset "0X6F8420"
            set search "\x4D\x42\x7D\x4F\xCA\xD8\x6C\x5A\x2B\xE0\xC3\x80\x74\x22\x86\x75"
            set replace "\x40\x4F\xB8\xF6\x12\xE0\x60\x3C\x37\x20\x9D\x8B\x93\x71\x6C\xD7"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8430"
            set search "\x10\x5D\x40\x99\x63\x01\x38\x06\x79\x59\xB9\x62\x96\x53\xDD\x67"
            set replace "\x09\xC8\x20\x21\xD7\xE5\x24\x6A\x36\xBE\xE0\x99\xA1\x0E\x8F\x40"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8440"
            set search "\x7D\x24\x4F\xA3"
            set replace "\x0D\x8E\x0D\x95"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            log "WARNING: activating PSN requires SPROOF 3.41" 1
        }
    }
}