PSN: Difference between revisions
Revision as of 21:01, 16 July 2014
PSN Handshake Signup
Signup Response
Basic structure of the response
0x00: 4 Byte - main header -> 30 00 00 4f
0x04: 4 Byte - size -> 00 5e 00 47
0x08: 8 Byte - ? Identifier, often found before Name/Handle
0x10: 16 Byte - Name/Handle
0x20: 16 Byte - language
0x26: 6 Byte - np: 00 01 00 00 00 / sp-int: 00 01 00 00 00 23
0x2a: 4 Byte - {10 5d 00 0b}, 0x000b = size of email
0x2e: x Byte - email, here 0x0b bytes long
Note that the offsets and lengths listed here do not add up (a 16-byte field at 0x20 ends at 0x30, not 0x26, and a 6-byte field at 0x26 ends at 0x2c, not 0x2a), so treat the field lengths as approximate and check them against a capture before relying on them.
Legend
Main Header: [xx xx xx ss], ss = size
Positive Auth
Auth Reply Structure
0x00: 4 Byte - main header -> 31 00 00 00
0x04: 4 Byte - size -> 00 00 00 d4
0x08: 4 Byte - frame head -> 30 00 00 ac
0x0c: 4 Byte - {00 08 00 14}
0x10: 20 Byte - SIGNATURE -> maybe HMAC/SHA1
0x24: 4 Byte - {00 01 00 04}
0x28: 4 Byte - ? 00 00 00 01 (cfr) or 00 00 01 00 (me & nks) (???)
0x2c: 4 Byte - {00 07 00 08}
0x30: 8 Byte - Timestamp (Login Time)
0x38: 4 Byte - {00 07 00 08}
0x3c: 8 Byte - Timestamp (Login Expiry)
0x44: 4 Byte - {00 02 00 08}
0x48: 8 Byte - Identifier *
0x50: 4 Byte - {00 04 00 20}
0x54: 32 Byte - Name/Handle
0x74: 4 Byte - {00 08 00 04}
0x78: 4 Byte - language
0x7c: 4 Byte - {00 04 00 04}
0x80: 4 Byte - ???
0x84: 4 Byte - {00 08 00 18}
0x88: 24 Byte - service ID
0xa0: 4 Byte - {30 11 00 04}
0xa4: 4 Byte - ??? 07 and 3 undefined
0xa8: 4 Byte - {00 01 00 04}
0xac: 4 Byte - ??? 2 undefined and 02 00
0xb0: 8 Byte - 30 10 00 00 00 00 00 00
0xb8: 4 Byte - frame head -> 30 02 00 20
0xbc: 4 Byte - {00 08 00 04}
0xc0: 4 Byte - Network: NP: 34 CD 3C A9 / SP/QA: B8 2F CB 09
0xc4: 4 Byte - {00 08 00 14}
0xc8: 20 Byte - SIGNATURE -> maybe HMAC/SHA1
- Identifier: often found before Name/Handle, assigned at signup and stored in the first 8 bytes of the cache
- * Seems to stay the same for a given console and to differ between consoles
Size: [xx xx xx ss], ss = message size. It excludes the 8-byte main header and size fields: the message above is 0xdc bytes long and carries 0xd4.
Frame Head: [xx yy ss ss], xx = 30, yy = unknown, maybe frame number, ss = frame size in hex. The size counts the bytes after the 4-byte head: 0x08 + 4 + 0xac = 0xb8, which is where the second frame head sits, and 0xb8 + 4 + 0x20 = 0xdc, the end of the message.
Limiter: {xx xx ss ss}, xx = unknown, ss = size in hex of the value that follows. The first two bytes look like a type tag rather than padding: both 8-byte timestamps carry 00 07, the two 20-byte signatures carry 00 08 and the 8-byte identifier carries 00 02.
Timestamps
These are timestamps, 8 bytes big-endian:
X = 00 00 01 2f 31 ff a0 58h -> 1302213927000d
X / 1000 = seconds since 1970-01-01 (Unix time), so this date is 08.04.2011. In UTC the value is 07.04.2011 22:05:27; 08.04.2011 is the same instant shown in a UTC+2 local zone.
PHP to easily recheck (same value X as above; date() prints in PHP's configured default timezone, which decides whether you see 07.04. or 08.04.):
<?php
$timestamp = intdiv(1302213927000, 1000);
echo date("d.m.Y H:i:s", $timestamp);
It's just milliseconds since the Unix epoch.
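As an added example (not code from this page or from Sony), the following Python walks the Auth Reply Structure above using the size rules from the legend (main size = message minus 8, frame size = bytes after the 4-byte head, limiter size = length of the following value) and decodes the millisecond timestamps of the Timestamps section. The sample message is constructed from the documented offsets with invented field values; the frame dictionary keys and the treatment of the 8 bytes at 0xb0 as two empty limiters are assumptions of this example.

```python
# Added example: parser for the PSN auth reply layout and its ms timestamps.
# The sample message is CONSTRUCTED from the documented offsets; not a capture.
import struct
from datetime import datetime, timezone

MAIN_HEADER_AUTH = 0x31   # first byte of an auth reply ("31 00 00 00")
FRAME_HEAD = 0x30         # first byte of a frame head ("30 yy ss ss")


def ms_to_utc(ms):
    """PSN timestamps are milliseconds since 1970-01-01; /1000 gives Unix time."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_limiters(msg, pos, end):
    """Walk {xx xx ss ss} limiters in msg[pos:end]; ss = length of the value after it.
    Returns (tag, offset_of_value, value) triples; a value that overruns its frame is rejected."""
    items = []
    while pos + 4 <= end:
        tag = msg[pos:pos + 2].hex()
        vlen = struct.unpack(">H", msg[pos + 2:pos + 4])[0]
        if pos + 4 + vlen > end:
            raise ValueError(f"value at {pos:#x} overruns its frame")
        items.append((tag, pos + 4, msg[pos + 4:pos + 4 + vlen]))
        pos += 4 + vlen
    if pos != end:
        raise ValueError(f"{end - pos} trailing bytes in frame")
    return items


def parse_auth_reply(msg):
    """8-byte main header (31 00 00 00 + size), then frames: a 4-byte head
    [30 yy ss ss] whose ss counts the bytes after the head, each holding limiters."""
    if len(msg) < 8 or msg[0] != MAIN_HEADER_AUTH:
        raise ValueError("not an auth reply")
    size = struct.unpack(">I", msg[4:8])[0]
    if size != len(msg) - 8:            # 0xd4 for a 0xdc-byte message
        raise ValueError(f"size {size:#x} does not match payload {len(msg) - 8:#x}")
    frames, pos = [], 8
    while pos < len(msg):
        if msg[pos] != FRAME_HEAD or pos + 4 > len(msg):
            raise ValueError(f"bad frame head at {pos:#x}")
        fsize = struct.unpack(">H", msg[pos + 2:pos + 4])[0]
        end = pos + 4 + fsize
        if end > len(msg):
            raise ValueError(f"frame at {pos:#x} overruns message")
        frames.append({"number": msg[pos + 1], "items": parse_limiters(msg, pos + 4, end)})
        pos = end
    return size, frames


def build_sample_auth_reply():
    """Construct a message matching the documented layout (all values invented)."""
    login_ms = 1302213927000                     # X from the Timestamps section
    expiry_ms = login_ms + 3600 * 1000
    f1 = b"".join([
        b"\x00\x08\x00\x14", bytes(range(20)),                    # 0x0c/0x10 signature
        b"\x00\x01\x00\x04", b"\x00\x00\x00\x01",                 # 0x24/0x28 unknown
        b"\x00\x07\x00\x08", struct.pack(">Q", login_ms),         # 0x2c/0x30 login time
        b"\x00\x07\x00\x08", struct.pack(">Q", expiry_ms),        # 0x38/0x3c login expiry
        b"\x00\x02\x00\x08", b"\x11" * 8,                         # 0x44/0x48 identifier
        b"\x00\x04\x00\x20", b"handle".ljust(32, b"\x00"),        # 0x50/0x54 name/handle
        b"\x00\x08\x00\x04", b"\x00\x00\x00\x03",                 # 0x74/0x78 language
        b"\x00\x04\x00\x04", b"\x00" * 4,                         # 0x7c/0x80 unknown
        b"\x00\x08\x00\x18", b"service-id".ljust(24, b"\x00"),    # 0x84/0x88 service ID
        b"\x30\x11\x00\x04", b"\x07\x00\x00\x00",                 # 0xa0/0xa4
        b"\x00\x01\x00\x04", b"\x00\x00\x02\x00",                 # 0xa8/0xac
        b"\x30\x10\x00\x00\x00\x00\x00\x00",                      # 0xb0: parses as two empty limiters
    ])
    f2 = b"".join([
        b"\x00\x08\x00\x04", b"\x34\xcd\x3c\xa9",                 # 0xbc/0xc0 network = NP
        b"\x00\x08\x00\x14", bytes(range(20, 40)),                # 0xc4/0xc8 signature
    ])
    frames = (b"\x30\x00" + struct.pack(">H", len(f1)) + f1 +
              b"\x30\x02" + struct.pack(">H", len(f2)) + f2)
    return b"\x31\x00\x00\x00" + struct.pack(">I", len(frames)) + frames


def login_times(msg):
    """Return (login_time, login_expiry) as UTC datetimes taken from the 00 07 limiters."""
    _, frames = parse_auth_reply(msg)
    stamps = [struct.unpack(">Q", v)[0] for tag, _, v in frames[0]["items"] if tag == "0007"]
    return tuple(ms_to_utc(ms) for ms in stamps)
```

The three length checks are the point: a frame or value whose declared size runs past the message is rejected instead of being read from whatever follows it, which is the check a client should apply to any length-prefixed field it receives from the network.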
Profile Settings
Request
Once the auth handshake is finalized, the PS3 requests its profile settings. This is an XML-based exchange: the ticket obtained from the auth handshake is base64-encoded (an encoding, not encryption, so the ticket is only protected by the SSL connection it travels over) and POSTed to the server as follows:
Headers:
POST /basic_view/sec/get_self_profile HTTP/1.1
Connection: Keep-Alive
Content-Length: 430
Accept-Encoding: identity
User-Agent: PS3Community-agent/1.0.0 libhttp/1.0.0
Host: Url:443
Contents:
<profile platform="ps3" sv="[VERSION]">
  <ticket>[auth handshake ticket, base64-encoded]</ticket>
  <env>[environment]</env>
  <avatar size="l" />
</profile>
nb: [environment] is one of the Environments, lowercased. Content-Length must match the actual body size (430 bytes in this capture).
Response
The server answers the profile request like this:
Headers:
HTTP/1.1 200 OK
Date: Wed, 18 May 2011 08:12:42 GMT
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=UTF-8
Content-Length: 364
Content:
<profile result="00">
  <jid>[USERNAME]@[SERVER].[COUNTRY].[ENVIRONMENT].URL</jid>
  <onlinename upd="0">[Nickname on psn]</onlinename>
  <country>[Country code]</country>
  <language1>3</language1>
  <language2 />
  <language3 />
  <aboutme />
  <avatarurl id="1000">[png image url to set avatar display]</avatarurl>
  <ptlp>0</ptlp>
</profile>
- The SSL connection for get_self_profile is validated against a different root certificate than the handshake, in this case DNAS root 05.
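As an added example (not the page's or Sony's code), here is the request and reply side of the exchange above in Python: the request is assembled with a Content-Length derived from the body rather than hard-coded, and the reply is parsed with result="00" treated as the only success code. The host, port, ticket bytes and the sample reply are constructed placeholders, and the returned dictionary keys are this example's own naming.

```python
# Added example: build the get_self_profile request and parse its XML reply.
# Host, ticket and the reply body are CONSTRUCTED placeholders, not captures.
import base64
import xml.etree.ElementTree as ET

USER_AGENT = "PS3Community-agent/1.0.0 libhttp/1.0.0"


def build_profile_request(host, ticket, env, version, port=443):
    """Return the raw HTTP request bytes. The ticket is the binary auth reply,
    carried base64-encoded (an encoding, not encryption: whoever reads it off
    the wire can replay it until it expires), so this only ever goes over TLS."""
    body = (
        f'<profile platform="ps3" sv="{version}">'
        f"<ticket>{base64.b64encode(ticket).decode('ascii')}</ticket>"
        f"<env>{env.lower()}</env>"            # environments are sent lowercased
        '<avatar size="l" />'
        "</profile>"
    ).encode("utf-8")
    headers = [
        "POST /basic_view/sec/get_self_profile HTTP/1.1",
        "Connection: Keep-Alive",
        f"Content-Length: {len(body)}",        # computed, never hard-coded
        "Accept-Encoding: identity",
        f"User-Agent: {USER_AGENT}",
        f"Host: {host}:{port}",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def parse_profile_response(xml_bytes):
    """Parse the <profile> reply; result="00" is success, anything else raises."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "profile":
        raise ValueError("unexpected root element " + root.tag)
    if root.get("result") != "00":
        raise ValueError("profile lookup failed, result=" + str(root.get("result")))
    avatar = root.find("avatarurl")
    return {
        "jid": root.findtext("jid"),
        "onlinename": root.findtext("onlinename"),
        "country": root.findtext("country"),
        # empty elements such as <language2 /> come back as "" from findtext
        "languages": [root.findtext(f"language{i}") or None for i in (1, 2, 3)],
        "aboutme": root.findtext("aboutme") or "",
        "avatar_id": avatar.get("id") if avatar is not None else None,
        "avatar_url": (avatar.text or "") if avatar is not None else None,
        "ptlp": root.findtext("ptlp"),
    }


# Constructed reply in the shape shown above (placeholders, not a real capture).
SAMPLE_RESPONSE = b"""<profile result="00">
<jid>user@server.gb.np.example</jid>
<onlinename upd="0">Nick</onlinename>
<country>gb</country>
<language1>3</language1>
<language2 />
<language3 />
<aboutme />
<avatarurl id="1000">http://example.invalid/avatar.png</avatarurl>
<ptlp>0</ptlp>
</profile>"""
```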
Patching the PSN Ingame Login Message Dialog
This was taken from MGO2.SELF, and reversed by GHzGangster and his friends, so credits to them.
....
bl _cellSysutil_cellSysutilRegisterCallback # int cellSysutilRegisterCallback(int slot, void *userdata)
ld r2, 0xC0+var_98(r1)
addi r9, r1, 0xC0+var_44
clrldi r9, r9, 32
li r0, 0
stw r0, 0(r9)
stw r0, 8(r9)
stw r0, 4(r9)
lwz r3, 0x84(r29)
li r0, 0xC
cmpwi cr7, r3, 0
stw r0, 0xC0+var_44(r1)
beq cr7, loc_AA08F4
li r0, 1
....
cellSysUtilRegisterCallback is the function that determines if the title is an online game or an offline game (I'm not 100% sure right now, just go along with it). We found this out after a while: there is an 8-byte array that is passed to the function by address.
We found out that if we change the byte array from:
00 00 00 0c 00 00 00 01
to
00 00 00 0c 00 00 00 00
then the title is an "offline" game, and doesn't require a log in.
After a while, I realized we didn't have to do weird stuff with our own functions and messy stuff; it's created in the assembly and stored at the address that is read.
So all we have to do, is change the immediate value from a 1 to a 0:
li r0, 1
to
li r0, 0
Which will do what we need.
[Source] https://savemgo.com/forums/viewtopic.php?f=24&t=770&p=12529#p12528
PSN Store
To get the installable packages you have downloaded to your console, go to /dev_hdd0/vsh/game_pkg. The file names there are garbled, so you are safer doing it one package at a time.
PSN INFINITY v2 - Open Beta
App made by SKFU + iQD, source: http://streetskaterfu.blogspot.de/2012/03/psn-infinity-v2-open-beta.html
Dependencies are OpenSSL + VC Redists: http://www.slproweb.com/products/Win32OpenSSL.html
http://www.ps3devwiki.com/files/NP/infinity.zip
PSN PS3MFW TCL Task - 4.11 only PS3 CFW 3.55 - Open Beta
This is a PS3MFW 0.2.1 task (beta) that patches vsh.self of a 3.55 retail CFW so that it presents itself as 4.11 to PSN. Reading the search/replace pairs: the first two writes replace the "%02d.%02d" version format string that follows "99.99" with the literal "04.11", and the remaining writes replace a 68-byte binary blob at 0x6F8400-0x6F8443 whose purpose the page does not state. Review each pair and the replace offset passed to ::patch_elf (0 or 20 here) before building, since a write at the wrong place leaves you with a VSH that does not boot; note also that the task's closing warning refers to spoof 3.41 while its option text says 4.11, and the page does not say which is meant. Use at your own risk.
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
# Created By Boludoz
# Priority: 700
# Description: Patch PSN Activator
# Option --allow-activating-psn: PSN Spoof 4.11 (requires spoof 4.11)
# Type --allow-activating-psn: boolean

namespace eval ::patch_vsh_psn {

    array set ::patch_vsh_psn::options {
        --allow-activating-psn true
    }

    proc main { } {
        set self [file join dev_flash vsh module vsh.self]
        ::modify_devflash_file $self ::patch_vsh_psn::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_vsh_psn::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "Patching [file tail $elf] to allow activating psn content offline"
            # The "set offset" values only document where each byte run lives in
            # vsh.self. ::patch_elf locates the run by its search string and writes
            # the replacement at match + third argument.

            # 0x679E30: "99.99\0\0\0%02d.%02.." -> "99.99\0\0\0" "04.11\0\0\0"
            set offset "0x679E30"
            set search "\x39\x39\x2e\x39\x39\x00\x00\x00\x25\x30\x32\x64\x2e\x25\x30\x32\x20"
            set replace "\x39\x39\x2e\x39\x39\x00\x00\x00\x30\x34\x2e\x31\x31\x00\x00\x00"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # 0x679E40: zero the trailing "d" of the format string, keep "sp-int"
            set offset "0x679E40"
            set search "\x64\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"
            set replace "\x00\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            # 0x6F8400-0x6F8443: 68-byte binary blob, purpose not documented
            set offset "0X6F8400"
            set search "\x42\x8A\x8A\x72\x09\x13\x8F\x12\x48\x4E\xA4\xF0\xD0\x4C\xED\xF4"
            set replace "\x42\x8A\x8A\x72\x49\xE4\xB5\x6D\x14\xFE\x48\xB9\xD1\x87\x7F\xDF"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8410"
            set search "\xB8\x22\x80\xE4\x3C\xB5\x88\x76\x75\x03\xD5\xEF\xB1\x70\xAA\x19"
            set replace "\x1C\xE0\xC6\x21\xA3\x74\x2C\x45\x67\x8B\x69\x4D\x32\xC0\xDC\xD9"

            set offset "0X6F8420"
            set search "\x4D\x42\x7D\x4F\xCA\xD8\x6C\x5A\x2B\xE0\xC3\x80\x74\x22\x86\x75"
            set replace "\x40\x4F\xB8\xF6\x12\xE0\x60\x3C\x37\x20\x9D\x8B\x93\x71\x6C\xD7"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8430"
            set search "\x10\x5D\x40\x99\x63\x01\x38\x06\x79\x59\xB9\x62\x96\x53\xDD\x67"
            set replace "\x09\xC8\x20\x21\xD7\xE5\x24\x6A\x36\xBE\xE0\x99\xA1\x0E\x8F\x40"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8440"
            set search "\x7D\x24\x4F\xA3"
            set replace "\x0D\x8E\x0D\x95"
            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            log "WARNING: activating PSN requires spoof 3.41" 1
        }
    }
}
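As an added example (not the forum post's, the wiki's or PS3MFW's code), the following Python implements the search-and-patch step that both the MGO2 login-dialog patch above and the PS3MFW task use, in the spirit of ::patch_elf but with wildcard bytes, and applies it to both cases: the MGO2 instruction sequence is assembled from the listing (the `li r0, 1` to `li r0, 0` flip), and the vsh.self version-string edit covers the task's first two writes in one pass. It operates on an already decrypted ELF image; the input blobs are constructed stand-ins, the stw displacement and branch offset in the MGO2 stand-in are invented, and the wildcard pattern syntax, the 17th byte of the vsh pattern being left open, and the function names are this example's own.

```python
# Added example: unique-match binary patcher with wildcards, applied to the two
# patches discussed on this page. Input images are CONSTRUCTED stand-ins.
import re
import struct


def li(rd, imm):
    """Encode PowerPC `li rd, imm` (= addi rd, 0, imm): opcode 14, rA = 0, 16-bit SIMM.
    li r0, 1 is 38 00 00 01 and li r0, 0 is 38 00 00 00: the patch is one byte."""
    return struct.pack(">I", (14 << 26) | (rd << 21) | (imm & 0xFFFF))


def pattern_to_regex(pattern):
    """'38 00 00 0C ?? ?? 41 9E' -> compiled bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def patch_once(data, search, replace, replace_offset=0):
    """Find `search` exactly once and write `replace` at match + replace_offset.
    Zero or several matches abort: patching an ambiguous image is how you brick it."""
    matches = [m.start() for m in pattern_to_regex(search).finditer(data)]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one match, found {len(matches)}")
    at = matches[0] + replace_offset
    if at + len(replace) > len(data):
        raise ValueError("replacement runs past end of image")
    out = bytearray(data)
    out[at:at + len(replace)] = replace
    return bytes(out), at


# --- MGO2: li r0,0xC ; cmpwi cr7,r3,0 ; stw r0,D(r1) ; beq cr7,... ; li r0,1 ---
MGO2_PATTERN = "38 00 00 0C 2F 83 00 00 90 01 ?? ?? 41 9E ?? ?? 38 00 00 01"


def sample_mgo2_code():
    """Constructed stand-in for the listing above (stw displacement, branch offset invented)."""
    return b"".join([
        li(0, 0),                          # the earlier `li r0, 0`: anchoring on it alone is ambiguous
        struct.pack(">I", 0x807D0084),     # lwz r3, 0x84(r29)
        li(0, 0xC),                        # li r0, 0xC
        struct.pack(">I", 0x2F830000),     # cmpwi cr7, r3, 0
        struct.pack(">I", 0x9001007C),     # stw r0, 0x7C(r1)      (displacement invented)
        struct.pack(">I", 0x419E0028),     # beq cr7, loc_AA08F4   (offset invented)
        li(0, 1),                          # li r0, 1  <- the byte to flip
        struct.pack(">I", 0x60000000),     # nop
    ])


def patch_mgo2_login_flag(elf):
    """Flip `li r0, 1` to `li r0, 0` so the 8-byte array ends in 00 00 00 00 ("offline")."""
    return patch_once(elf, MGO2_PATTERN, li(0, 0), replace_offset=16)


# --- vsh.self: "99.99\0\0\0%02d.%02d" -> "99.99\0\0\0" "04.11\0\0\0" "\0" ---
VSH_VERSION_SEARCH = "39 39 2E 39 39 00 00 00 25 30 32 64 2E 25 30 32 ??"
VSH_VERSION_REPLACE = b"99.99\x00\x00\x00" + b"04.11\x00\x00\x00" + b"\x00"


def sample_vsh_strings():
    """Constructed stand-in for the string region the task patches at 0x679E30."""
    return (b"\x00" * 16 + b"99.99\x00\x00\x00%02d.%02d" +
            b"\x00" * 7 + b"sp-int\x00\x00" + b"\x00" * 16)


def patch_vsh_version(vsh):
    """The task's first two ::patch_elf writes as one replacement, leaving "sp-int" intact."""
    return patch_once(vsh, VSH_VERSION_SEARCH, VSH_VERSION_REPLACE)
```

The uniqueness check is what separates this from a plain find-and-replace: `li r0, 0` alone appears twice in the stand-in, so the pattern anchors on the compare, store and branch that precede the target and leaves their variable displacements as wildcards.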