PSN: Difference between revisions

From PS3 Developer wiki
Revision as of 21:01, 16 July 2014

PSN Handshake Signup

Signup Response

Basic structure of the response

   0x00:  4 Byte - main header -> 30 00 00 4f 
   0x04:  4 Byte - size        -> 00 5e 00 47
   0x08:  8 Byte - ? Identifier, often found before Name/Handle
   0x10: 16 Byte - Name/Handle
   0x20: 16 Byte - language
   0x26:  6 Byte - np:  00 01 00 00 00 sp-int: 00 01 00 00 00 23 
   0x2a:  4 Byte - {10 5d 00 0b} 0x000b - size of email
   0x2e:  x Byte - email, here 0b in size

Legend

Main Header xx xx xx ss ss = size

Positive Auth

Auth Reply Structure

   0x00:  4 Byte - main header -> 31 00 00 00 
   0x04:  4 Byte - size        -> 00 00 00 d4 
   0x08:  4 Byte - frame head  -> 30 00 00 ac 
   0x0c:  4 Byte - {00 08 00 14}
   0x10: 20 Byte - SIGNATURE -> maybe HMAC/SHA1
   0x24:  4 Byte - {00 01 00 04}
   0x28:  4 Byte - ? 00 00 00 01 (cfr) or 00 00 01 00 (me & nks) (???)
   0x2c:  4 Byte - {00 07 00 08}
   0x30:  8 Byte - Timestamp (Login Time)
   0x38:  4 Byte - {00 07 00 08}
   0x3c:  8 Byte - Timestamp (Login Expiry)  
   0x44:  4 Byte - {00 02 00 08} 
   0x48:  8 Byte - Identifier *
   0x50:  4 Byte - {00 04 00 20}
   0x54: 32 Byte - Name/Handle 
   0x74:  4 Byte - {00 08 00 04}
   0x78:  4 Byte - language
   0x7c:  4 Byte - {00 04 00 04}
   0x80:  4 Byte - ???
   0x84:  4 Byte - {00 08 00 18}
   0x88: 24 Byte - service ID 
   0xa0:  4 Byte - {30 11 00 04}
   0xa4:  4 Byte - ??? (07 and 3 undefined)
   0xa8:  4 Byte - {00 01 00 04}
   0xac:  4 Byte - ??? (2 undefined and 02 00)
   0xb0:  8 Byte - 30 10 00 00 00 00 00 00 
   0xb8:  4 Byte - frame head -> 30 02 00 20 
   0xbc:  4 Byte - {00 08 00 04}
   0xc0:  4 Byte - Network: NP: 34 CD 3C A9 SP/QA: B8 2F CB 09
   0xc4:  4 Byte - {00 08 00 14}
   0xc8: 20 Byte - SIGNATURE -> maybe HMAC/SHA1
  • Often found before Name/Handle; assigned at signup and stored in the first 8 bytes of the cache
  • * Seems to be the same for the same console, differs for others

Size xx xx xx ss ss: ss = message size

Frame Head [xx yy ss ss]: xx = 30, yy = unknown (maybe frame number), ss = frame size in hex

Limiter {xx xx ss ss}: xx = unknown, ss = data size in hex

Timestamps

These are timestamps:

	X = 00 00 01 2f 31 ff a0 58h -> 1302213927000d

X / 1000 = seconds since 1970, so this date is 08.04.2011

PHP to recheck easily:

 $timestamp = 1302010662000 / 1000;
 echo date("d.m.Y", $timestamp);

It's just milliseconds.
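As an added example (not from the wiki or from any PSN tool), a Python parser for the Auth Reply layout above that walks the frame heads and limiters described in the legend and decodes the 8-byte millisecond timestamps. The message it parses is constructed here from the documented offsets and sizes; the signature, identifier, name, service ID and expiry values are placeholders.

```python
import struct
from datetime import datetime, timezone

def need(cond, what):
    """Length checks raise ValueError instead of letting struct.unpack fail later."""
    if not cond:
        raise ValueError(what)

def tlv(tag, value):                   # Limiter {xx xx ss ss}: tag, big-endian size, data
    return struct.pack(">HH", tag, len(value)) + value

def frame(number, payload):            # Frame head [30 yy ss ss]: 0x30, frame no., size
    return struct.pack(">BBH", 0x30, number, len(payload)) + payload

# Constructed sample following the Auth Reply Structure above; zero bytes are placeholders.
LOGIN_MS = 0x0000012F31FFA058                       # the wiki's timestamp example
body = frame(0, tlv(0x0008, bytes(20)) + tlv(0x0001, b"\x00\x00\x00\x01")  # signature, ?
             + tlv(0x0007, struct.pack(">Q", LOGIN_MS))                    # login time
             + tlv(0x0007, struct.pack(">Q", LOGIN_MS + 3600000))          # expiry (assumed +1h)
             + tlv(0x0002, bytes(8)) + tlv(0x0004, b"example".ljust(32, b"\x00"))  # id, name
             + tlv(0x0008, b"\x00\x00\x00\x03") + tlv(0x0004, bytes(4))    # language, ???
             + tlv(0x0008, bytes(24)) + tlv(0x3011, bytes(4)) + tlv(0x0001, bytes(4))  # service ID, ?, ?
             + tlv(0x3010, b"") + tlv(0x0000, b""))                        # the 8 bytes at 0xb0
body += frame(2, tlv(0x0008, b"\x34\xCD\x3C\xA9") + tlv(0x0008, bytes(20)))  # NP network, signature
AUTH_REPLY = b"\x31\x00\x00\x00" + struct.pack(">I", len(body)) + body

def parse_auth_reply(msg):
    """Return (size, [(frame_number, [(offset, tag, data), ...]), ...])."""
    need(len(msg) >= 8 and msg[0] == 0x31, "bad main header")
    size = struct.unpack(">I", msg[4:8])[0]
    need(8 + size == len(msg), "size field disagrees with message length")
    frames, pos = [], 8
    while pos < len(msg):
        need(len(msg) - pos >= 4 and msg[pos] == 0x30, "bad frame head at 0x%x" % pos)
        number, fsize = struct.unpack(">BH", msg[pos + 1:pos + 4])
        end, pos, items = pos + 4 + fsize, pos + 4, []
        need(end <= len(msg), "frame overruns message")
        while pos < end:               # walk the limiters inside this frame
            need(end - pos >= 4, "truncated limiter at 0x%x" % pos)
            tag, length = struct.unpack(">HH", msg[pos:pos + 4])
            need(pos + 4 + length <= end, "data at 0x%x overruns its frame" % pos)
            items.append((pos, tag, msg[pos + 4:pos + 4 + length]))
            pos += 4 + length
        frames.append((number, items))
    return size, frames

def timestamp(data):
    """8-byte big-endian milliseconds since 1970 -> UTC datetime (the wiki's X / 1000)."""
    return datetime.fromtimestamp(struct.unpack(">Q", data)[0] / 1000, tz=timezone.utc)
```

Parsing the constructed sample yields limiters at exactly the offsets listed above (0x0c, 0x24, 0x2c ... 0xb4, then 0xbc and 0xc4), with the frame sizes 0xac and 0x20 adding up to the 0xd4 size field.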



Profile Settings

Request

Once auth is finalised, the PS3 requests the profile settings; this is an XML-based process.

It requests the profile with the auth handshake ticket base64-encoded and sends it to the server like this:

Headers:

 POST /basic_view/sec/get_self_profile HTTP/1.1
 Connection	Keep-Alive
 Content-Length	430
 Accept-Encoding	identity
 User-Agent	PS3Community-agent/1.0.0 libhttp/1.0.0
 Host	Url:443


Contents:

 <profile platform="ps3" sv="[VERSION]">
 	<ticket>[auth handshake, base64-encoded]</ticket>
 	<env>[environment]</env>
 	<avatar size="l" />
 </profile>

NB: [environment] is one of the Environments, lowercased.

Response

and the get-profile response looks like this:

Headers:

 HTTP/1.1 200 OK
 Date	Wed, 18 May 2011 08:12:42 GMT
 Server	Apache-Coyote/1.1
 Content-Type	text/xml;charset=UTF-8
 Content-Length	364

Content:

 <profile result="00">
 	<jid>[USERNAME]@[SERVER].[COUNTRY].[ENVIRONMENT].URL</jid>
 	<onlinename upd="0">[Nickname on psn]</onlinename>
 	<country>[Country code]</country>
 	<language1>3</language1>
 	<language2 />
 	<language3 />
 	<aboutme />
 	<avatarurl id="1000">[png image url to set avatar display]</avatarurl>
 	<ptlp>0</ptlp>
 </profile>
  • Get profile needs a different certificate to authenticate the SSL connection, in this case Dnas root 05


Patching the PSN Ingame Login Message Dialog

This was taken from MGO2.SELF, and reversed by GHzGangster and his friends, so credits to them.

....
bl        _cellSysutil_cellSysutilRegisterCallback # int cellSysutilRegisterCallback(int slot, void *userdata)
ld        r2, 0xC0+var_98(r1)
addi      r9, r1, 0xC0+var_44
clrldi    r9, r9, 32
li        r0, 0
stw       r0, 0(r9)
stw       r0, 8(r9)
stw       r0, 4(r9)
lwz       r3, 0x84(r29)
li        r0, 0xC
cmpwi     cr7, r3, 0
stw       r0, 0xC0+var_44(r1)
beq       cr7, loc_AA08F4
li        r0, 1
....

cellSysUtilRegisterCallback is the function that determines if the title is an online game, or offline game (I'm not 100% sure right now, just go along with it). We found this out after a while, we have an 8 byte array that is passed onto the function by address.

We found out that if we change the byte array from:

00 00 00 0c 00 00 00 01

to

00 00 00 0c 00 00 00 00

then the title is an "offline" game, and doesn't require a log in.

After a while, I realized we didn't have to do weird stuff with our own functions and messy stuff, it's created in the assembly and stored in the address that is read.

So all we have to do, is change the immediate value from a 1 to a 0:

li        r0, 1

to

li        r0, 0

Which will do what we need.

[Source] https://savemgo.com/forums/viewtopic.php?f=24&t=770&p=12529#p12528

PSN Store

To get the installable packages you have downloaded to your console, go to /dev_hdd0/vsh/game_pkg. The names will be garbled, so you'll be safer doing it one at a time.

PSN INFINITY v2 - Open Beta

App made by SKFU + iQD, source: http://streetskaterfu.blogspot.de/2012/03/psn-infinity-v2-open-beta.html
Dependencies are OpenSSL + VC Redists: http://www.slproweb.com/products/Win32OpenSSL.html
http://www.ps3devwiki.com/files/NP/infinity.zip

PSN PS3MFW TCL Task - 4.11 only PS3 CFW 3.55 - Open Beta

It is a patch for PSN 4.11 in CFW 3.55 RETAIL (beta) using PS3MFW 0.2.1. Use at your own risk.

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Created By Boludoz

# Priority: 700
# Description: Patch PSN Activator

# Option --allow-activating-psn: PSN Spoof 4.11 (requires spoof 4.11)

# Type --allow-activating-psn: boolean

namespace eval ::patch_vsh_psn {

    array set ::patch_vsh_psn::options {
        --allow-activating-psn true
    }

    proc main { } {
        set self [file join dev_flash vsh module vsh.self]

        ::modify_devflash_file $self ::patch_vsh_psn::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_vsh_psn::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "Patching [file tail $elf] to allow activating psn content offline"

            # The offset values are informational only: ::patch_elf locates each
            # pattern by searching for the $search bytes, not by this offset.
            set offset "0x679E30"
            set search "\x39\x39\x2e\x39\x39\x00\x00\x00\x25\x30\x32\x64\x2e\x25\x30\x32\x20"
            set replace "\x39\x39\x2e\x39\x39\x00\x00\x00\x30\x34\x2e\x31\x31\x00\x00\x00"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            set offset "0x679E40"
            set search "\x64\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"
            set replace "\x00\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"
			
            set offset "0X6F8400"
            set search "\x42\x8A\x8A\x72\x09\x13\x8F\x12\x48\x4E\xA4\xF0\xD0\x4C\xED\xF4"
            set replace "\x42\x8A\x8A\x72\x49\xE4\xB5\x6D\x14\xFE\x48\xB9\xD1\x87\x7F\xDF"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"
			
            # Note: no ::patch_elf call follows this pair, so $search/$replace are
            # overwritten by the next set below and the 0X6F8410 bytes are never patched.
            set offset "0X6F8410"
            set search "\xB8\x22\x80\xE4\x3C\xB5\x88\x76\x75\x03\xD5\xEF\xB1\x70\xAA\x19"
            set replace "\x1C\xE0\xC6\x21\xA3\x74\x2C\x45\x67\x8B\x69\x4D\x32\xC0\xDC\xD9"
			
            set offset "0X6F8420"
            set search "\x4D\x42\x7D\x4F\xCA\xD8\x6C\x5A\x2B\xE0\xC3\x80\x74\x22\x86\x75"
            set replace "\x40\x4F\xB8\xF6\x12\xE0\x60\x3C\x37\x20\x9D\x8B\x93\x71\x6C\xD7"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8430"
            set search "\x10\x5D\x40\x99\x63\x01\x38\x06\x79\x59\xB9\x62\x96\x53\xDD\x67"
            set replace "\x09\xC8\x20\x21\xD7\xE5\x24\x6A\x36\xBE\xE0\x99\xA1\x0E\x8F\x40"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"
			
            set offset "0X6F8440"
            set search "\x7D\x24\x4F\xA3"
            set replace "\x0D\x8E\x0D\x95"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            log "WARNING: activating PSN requires SPROOF 3.41" 1
        }
    }
}