PSN: Difference between revisions

From PS3 Developer wiki
(added link for FTPing .PKG files out of your hard drive)
(7 intermediate revisions by 5 users not shown)

Revision as of 18:17, 22 January 2021

PSN Handshake Signup

Signup Response

Basic structure of the response

   0x00:  4 Byte - main header -> 30 00 00 4f
   0x04:  4 Byte - size        -> 00 5e 00 47
   0x08:  8 Byte - ? Identifier, often found before Name/Handle
   0x10: 16 Byte - Name/Handle
   0x20: 16 Byte - language
   0x26:  6 Byte - np:  00 01 00 00 00    sp-int: 00 01 00 00 00 23
   0x2a:  4 Byte - {10 5d 00 0b}  0x000b = size of email
   0x2e:  x Byte - email, here 0x0b (11) bytes

Note: the offsets and sizes above do not add up as written (0x20 + 16 = 0x30, yet the next field is listed at 0x26, and 0x26 + 6 = 0x2c, not 0x2a), so the sizes of the language and np fields need rechecking against a capture. The email length prefix {10 5d 00 0b} has the same 2-byte tag + 2-byte length shape as the limiters in the auth reply below.

Legend

Main Header xx xx xx ss ss = size

Positive Auth

Auth Reply Structure

   0x00:  4 Byte - main header -> 31 00 00 00 
   0x04:  4 Byte - size        -> 00 00 00 d4 
   0x08:  4 Byte - frame head  -> 30 00 00 ac 
   0x0c:  4 Byte - {00 08 00 14}
   0x10: 20 Byte - SIGNATURE -> maybe HMAC/SHA1
   0x24:  4 Byte - {00 01 00 04}
   0x28:  4 Byte - ? 00 00 00 01 (cfr) or 00 00 01 00 (me & nks) (???)
   0x2c:  4 Byte - {00 07 00 08}
   0x30:  8 Byte - Timestamp (Login Time)
   0x38:  4 Byte - {00 07 00 08}
   0x3c:  8 Byte - Timestamp (Login Expiry)  
   0x44:  4 Byte - {00 02 00 08} 
   0x48:  8 Byte - Identifier *
   0x50:  4 Byte - {00 04 00 20}
   0x54: 32 Byte - Name/Handle 
   0x74:  4 Byte - {00 08 00 04}
   0x78:  4 Byte - language
   0x7c:  4 Byte - {00 04 00 04}
   0x80:  4 Byte - ???
   0x84:  4 Byte - {00 08 00 18}
   0x88: 24 Byte - service ID
   0xa0:  4 Byte - {30 11 00 04}
   0xa4:  4 Byte - ??? (07 and 3 undefined bytes)
   0xa8:  4 Byte - {00 01 00 04}
   0xac:  4 Byte - ??? (2 undefined bytes and 02 00)
   0xb0:  8 Byte - 30 10 00 00 00 00 00 00 
   0xb8:  4 Byte - frame head -> 30 02 00 20 
   0xbc:  4 Byte - {00 08 00 04}
   0xc0:  4 Byte - Network: NP: 34 CD 3C A9 SP/QA: B8 2F CB 09
   0xc4:  4 Byte - {00 08 00 14}
   0xc8: 20 Byte - SIGNATURE -> maybe HMAC/SHA1
  • ? Identifier: often found before Name/Handle; assigned at signup and stored in the first 8 bytes of the cache.
  • * Identifier: seems to be the same across logins on one console and differs between consoles.

Size xx xx xx ss ss = message size. In the auth reply the size field (0xd4) is the message length minus the 8-byte main header (0xdc - 8).

Frame Head [xx yy ss ss] xx = 30, yy = unknown (maybe frame number), ss ss = frame size in hex. The size counts the bytes after the 4-byte frame head: the first frame (30 00 00 ac) runs from 0x0c to 0xb8, the second (30 02 00 20) from 0xbc to 0xdc.

Limiter {xx xx ss ss} xx xx = unknown (tag), ss ss = data size in hex. Every limiter in the dump is followed by exactly ss ss bytes of data ({00 08 00 14} by the 20-byte signature, {00 04 00 20} by the 32-byte handle), so each frame parses as a sequence of tag/length/value records.

Timestamps

These are timestamps:

	X = 00 00 01 2f 31 ff a0 58 (hex) = 1302213927000 (decimal)

X / 1000 = seconds since the Unix epoch (1970-01-01 UTC), so 1302213927 is 2011-04-07 22:05:27 UTC, which is 08.04.2011 shortly after midnight in a UTC+2 local time zone.

PHP to recheck quickly (any millisecond value from a reply works; the value here is a different sample than X):

 <?php
 $ms = 1302010662000;                // timestamp as delivered, in milliseconds
 $timestamp = (int) ($ms / 1000);    // seconds since the Unix epoch
 echo date("d.m.Y", $timestamp), "\n";

It's just milliseconds.
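The following Python is added here as an example and is not code from the wiki or from Sony. It parses a reply laid out as in the Auth Reply Structure table: it checks the size field against the message length, walks the two frames, splits each frame into tag/length/value records the way the legend's limiters suggest (an interpretation of the dump, not a documented format), and converts the millisecond timestamps the way the PHP snippet does. The sample reply is constructed from the table's offsets; the signature, identifier, handle and service-ID bytes are dummies, and the login time is the X value from the Timestamps note.

```python
"""Parser for the PSN auth-reply layout documented above.

Added example, not code from the wiki or from Sony.  The "Frame Head
[30 yy ss ss]" and "Limiter {xx xx ss ss}" records are treated as nested
type/length/value units (2-byte tag, 2-byte big-endian length, then
`length` bytes); that reading is inferred from the byte dump.
"""
import struct
from datetime import datetime, timezone

MAIN_HEADER = 0x31000000
FRAME_MARKER = 0x30


def tlv_iter(buf, start, end):
    """Yield (offset, tag, value) for the TLVs packed in buf[start:end]."""
    pos = start
    while pos < end:
        if pos + 4 > end:
            raise ValueError(f"0x{pos:x}: {end - pos} stray bytes, not a TLV")
        tag, length = struct.unpack_from(">HH", buf, pos)
        if pos + 4 + length > end:
            raise ValueError(f"0x{pos:x}: TLV 0x{tag:04x} length {length} overruns its frame")
        yield pos, tag, buf[pos + 4:pos + 4 + length]
        pos += 4 + length


def parse_auth_reply(buf):
    """Return (size, frames); frames is a list of (sub_type, [(offset, tag, value), ...])."""
    if len(buf) < 8:
        raise ValueError("reply shorter than the 8-byte main header")
    header, size = struct.unpack_from(">II", buf, 0)
    if header != MAIN_HEADER:
        raise ValueError(f"unexpected main header 0x{header:08x}")
    if size != len(buf) - 8:            # size counts everything after the main header
        raise ValueError(f"size field 0x{size:x} != body length 0x{len(buf) - 8:x}")
    frames, pos = [], 8
    while pos < len(buf):
        marker, sub, flen = struct.unpack_from(">BBH", buf, pos)
        if marker != FRAME_MARKER:
            raise ValueError(f"0x{pos:x}: frame marker 0x{marker:02x} != 0x30")
        body_start, body_end = pos + 4, pos + 4 + flen   # size counts bytes after the head
        if body_end > len(buf):
            raise ValueError(f"0x{pos:x}: frame length {flen} overruns the reply")
        frames.append((sub, list(tlv_iter(buf, body_start, body_end))))
        pos = body_end
    return size, frames


def ms_to_utc(ms):
    """PSN timestamps are milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def login_window(frames):
    """(login time, login expiry) from the two 0x0007 TLVs of the first frame."""
    stamps = [struct.unpack(">Q", v)[0] for _, tag, v in frames[0][1]
              if tag == 0x0007 and len(v) == 8]
    if len(stamps) < 2:
        raise ValueError("expected two 8-byte 0x0007 timestamps in frame 0")
    return ms_to_utc(stamps[0]), ms_to_utc(stamps[1])


# --- constructed sample, laid out exactly as the table above ---------------
def tlv(tag, value):
    return struct.pack(">HH", tag, len(value)) + value


def frame(sub, body):
    return struct.pack(">BBH", FRAME_MARKER, sub, len(body)) + body


LOGIN_MS = 0x0000012F31FFA058             # X from the Timestamps note
EXPIRY_MS = LOGIN_MS + 24 * 3600 * 1000   # made-up expiry, one day later

_body1 = (
    tlv(0x0008, b"\x11" * 20)                        # 0x10 signature (dummy)
    + tlv(0x0001, b"\x00\x00\x00\x01")               # 0x28 ?
    + tlv(0x0007, struct.pack(">Q", LOGIN_MS))       # 0x30 login time
    + tlv(0x0007, struct.pack(">Q", EXPIRY_MS))      # 0x3c login expiry
    + tlv(0x0002, b"\x22" * 8)                       # 0x48 identifier (dummy)
    + tlv(0x0004, b"handle".ljust(32, b"\x00"))      # 0x54 name/handle
    + tlv(0x0008, b"\x00\x00\x00\x03")               # 0x78 language
    + tlv(0x0004, b"\x00" * 4)                       # 0x80 ???
    + tlv(0x0008, b"service-id".ljust(24, b"\x00"))  # 0x88 service ID (dummy)
    + tlv(0x3011, b"\x00\x00\x00\x07")               # 0xa4 ???
    + tlv(0x0001, b"\x00\x00\x02\x00")               # 0xac ???
    + bytes.fromhex("30 10 00 00 00 00 00 00")       # 0xb0 trailer, as dumped
)
_body2 = (
    tlv(0x0008, bytes.fromhex("34 CD 3C A9"))        # 0xc0 network id: NP
    + tlv(0x0008, b"\x33" * 20)                      # 0xc8 signature (dummy)
)
SAMPLE_REPLY = (
    struct.pack(">II", MAIN_HEADER, 8 + len(_body1) + len(_body2))
    + frame(0x00, _body1) + frame(0x02, _body2)
)

if __name__ == "__main__":
    size, frames = parse_auth_reply(SAMPLE_REPLY)
    print(f"size=0x{size:x} frames={len(frames)} login/expiry={login_window(frames)}")
```

Every length check raises instead of silently reading past a frame, which is the behaviour you want when feeding captured traffic of unknown provenance to a parser.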



Profile Settings

Request

Once the auth handshake completes, the PS3 requests its profile settings; this step is XML based.

The console sends the auth handshake result (the ticket), base64-encoded, in a POST with these headers:

Headers:

 POST /basic_view/sec/get_self_profile HTTP/1.1
 Connection: Keep-Alive
 Content-Length: 430
 Accept-Encoding: identity
 User-Agent: PS3Community-agent/1.0.0 libhttp/1.0.0
 Host: Url:443


Contents:

 <profile platform="ps3" sv="[VERSION]">
 	<ticket>[auth handshake result, base64-encoded]</ticket>
 	<env>[environment]</env>
 	<avatar size="l" />
 </profile>

nb: [environment] is one of the Environments, lowercased. Base64 is an encoding, not encryption: the ticket is readable by anything that can see the request body, so the TLS connection is the only thing protecting it in transit.

Response

The server responds with:

Headers:

 HTTP/1.1 200 OK
 Date: Wed, 18 May 2011 08:12:42 GMT
 Server: Apache-Coyote/1.1
 Content-Type: text/xml;charset=UTF-8
 Content-Length: 364

Content:

 <profile result="00">
 	<jid>[USERNAME]@[SERVER].[COUNTRY].[ENVIRONMENT].URL</jid>
 	<onlinename upd="0">[Nickname on PSN]</onlinename>
 	<country>[Country code]</country>
 	<language1>3</language1>
 	<language2 />
 	<language3 />
 	<aboutme />
 	<avatarurl id="1000">[PNG image URL used for the avatar display]</avatarurl>
 	<ptlp>0</ptlp>
 </profile>
  • get_self_profile needs a different certificate than the handshake to authenticate the SSL connection, in this case Dnas root 05.
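As an added example (not the wiki's or Sony's code), this Python builds the request body and headers shown above from a raw ticket, recovers the ticket from a captured body to show that base64 gives no confidentiality, and parses the response into its fields while rejecting a non-"00" result. The ticket bytes, environment name, version string and the sample reply are all constructed; only the XML shapes come from this page.

```python
"""Building the get_self_profile POST and checking its XML reply.

Added example, not code from the wiki or from Sony.  Request and response
shapes follow the page; every value (ticket, env, version, sample reply)
is made up.  ticket_from_request() makes the base64 point concrete: the
ticket is recoverable by anyone who can read the body.
"""
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PROFILE_FIELDS = ("jid", "onlinename", "country", "language1", "avatarurl", "ptlp")


def build_profile_request(ticket, env, version, host="Url"):
    """Return (header_block, body) for POST /basic_view/sec/get_self_profile."""
    b64 = base64.b64encode(ticket).decode("ascii")
    body = (
        f'<profile platform="ps3" sv="{escape(version, {chr(34): "&quot;"})}">\n'
        f"\t<ticket>{b64}</ticket>\n"
        f"\t<env>{escape(env.lower())}</env>\n"   # environment names are lowercased
        '\t<avatar size="l" />\n'
        "</profile>"
    ).encode("utf-8")
    headers = (
        "POST /basic_view/sec/get_self_profile HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\n"
        f"Content-Length: {len(body)}\r\n"        # computed from the body, never hard-coded
        "Accept-Encoding: identity\r\n"
        "User-Agent: PS3Community-agent/1.0.0 libhttp/1.0.0\r\n"
        f"Host: {host}:443\r\n"
        "\r\n"
    ).encode("ascii")
    return headers, body


def ticket_from_request(body):
    """Recover the raw ticket from a captured request body (base64 is not encryption)."""
    root = ET.fromstring(body)
    node = root.find("ticket")
    if root.tag != "profile" or node is None:
        raise ValueError("not a get_self_profile request body")
    return base64.b64decode(node.text or "", validate=True)


def parse_profile_response(xml_text):
    """Return the profile fields as a dict; raise on a non-00 result or a missing field."""
    root = ET.fromstring(xml_text)
    if root.tag != "profile":
        raise ValueError(f"unexpected root element {root.tag!r}")
    if root.get("result") != "00":
        raise ValueError(f"profile request failed, result={root.get('result')!r}")
    out = {}
    for name in PROFILE_FIELDS:
        node = root.find(name)
        if node is None:
            raise ValueError(f"missing <{name}>")
        out[name] = (node.text or "").strip()
    out["avatar_id"] = root.find("avatarurl").get("id")
    out["onlinename_upd"] = root.find("onlinename").get("upd")
    return out


# Constructed sample reply in the shape shown above (all values made up).
SAMPLE_RESPONSE = """<profile result="00">
\t<jid>someplayer@np-host.us.np.example.invalid</jid>
\t<onlinename upd="0">SomePlayer</onlinename>
\t<country>us</country>
\t<language1>3</language1>
\t<language2 />
\t<language3 />
\t<aboutme />
\t<avatarurl id="1000">https://avatar.example.invalid/1000.png</avatarurl>
\t<ptlp>0</ptlp>
</profile>"""

if __name__ == "__main__":
    hdr, body = build_profile_request(b"\x00\x01\xfftk", "NP", "4.11")
    print(hdr.decode() + body.decode())
    print(ticket_from_request(body))
    print(parse_profile_response(SAMPLE_RESPONSE))
```

The response parser is deliberately strict about the root element and the result code: a server-controlled XML document should be validated before any field from it (the avatar URL, for instance) is acted on.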


Patching the PSN Ingame Login Message Dialog

This was taken from MGO2.SELF, and reversed by SaveMGO2 guys, so credits to them.

.text:0000000000AA08E8                 li        r0, 1
.text:0000000000AA08EC                 stw       r0, 0xC0+var_40(r1)
.text:0000000000AA08F0                 b         loc_AA08F8
.text:0000000000AA08F8                 addi      r3, r1, 0xC0+var_44
.text:0000000000AA08FC                 bl        _cellNetCtl_cellNetCtlNetStartDialogLoadAsync # int cellNetCtlNetStartDialogLoadAsync(const struct CellNetCtlNetStartDialogParam *param)

cellNetCtlNetStartDialogLoadAsync is the call that decides whether the title behaves as an online game or an offline one. We found this out after a while: the title passes the function, by address, a parameter struct whose first 8 bytes are

00 00 00 0c 00 00 00 01

and if that is changed to

00 00 00 0c 00 00 00 00

the title is treated as an "offline" game and doesn't require a log in.

After a while, I realized we didn't have to do weird stuff with our own functions and messy stuff: the value is created in the assembly and stored to the address that is read.

So all we have to do is change the immediate value from 1 to 0:

li        r0, 1

to

li        r0, 0

which does what we need.

How to

Find the offset where the title calls cellNetCtlNetStartDialogLoadAsync(). It reads a struct (CellNetCtlNetStartDialogParam) with these fields:

-size
-type
-cid

type 0 = Network game
type 1 = PSN-required network game

Setting type to 0 keeps the network libraries loaded but no longer requires a login via PSN. You will still have to go through the rest of the binary and satisfy all NP-related library calls, or patch them out as well; otherwise the title will reference library calls that have not been loaded.
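As an added example (not from the wiki, SaveMGO2 or Sony), this Python shows the check a patcher should make before flipping the immediate: decode the 32-bit word at the target offset, confirm it really is `li r0, 1` (PowerPC addi with rA = 0), and only then write `li r0, 0`; it also decodes the size/type/cid struct. The byte blob and offset are constructed for the example; the listing's 0xAA08E8 is a virtual address and has to be mapped to a file offset in the decrypted ELF (through the program headers) before it can be used.

```python
"""Checking and patching the `li r0, 1` that sets the dialog type.

Added example, not code from the wiki, from SaveMGO2 or from Sony.
`li rD, imm` is the D-form `addi rD, 0, imm`: opcode 14 in the top six
bits, rD in the next five, rA (zero) in the next five, 16-bit signed
immediate in the low half.  SAMPLE_TEXT and LI_OFFSET are constructed.
"""
import struct

ADDI_OPCODE = 14   # primary opcode of addi (and its li alias)


def encode_li(rd, imm):
    """li rd, imm == addi rd, r0, imm: opcode(6) | rD(5) | rA=0(5) | simm(16)."""
    if not 0 <= rd < 32 or not -0x8000 <= imm <= 0x7FFF:
        raise ValueError("register or immediate out of range")
    return (ADDI_OPCODE << 26) | (rd << 21) | (imm & 0xFFFF)


def decode_addi(word):
    """Return (rd, ra, simm) when word is an addi/li, else None."""
    if word >> 26 != ADDI_OPCODE:
        return None
    rd, ra, simm = (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF
    if simm & 0x8000:
        simm -= 0x10000   # sign-extend the 16-bit immediate
    return rd, ra, simm


def patch_li_immediate(blob, offset, rd, expect, new):
    """Return a copy of blob with `li rd, expect` at offset rewritten to `li rd, new`.

    Refuses to write unless the word there is exactly that instruction, so a
    wrong offset (or a mis-translated virtual address) fails loudly instead
    of corrupting an unrelated instruction.
    """
    (word,) = struct.unpack_from(">I", blob, offset)   # PPC64 on the PS3 is big-endian
    if decode_addi(word) != (rd, 0, expect):
        raise ValueError(f"0x{offset:x}: found 0x{word:08x}, not li r{rd}, {expect}")
    out = bytearray(blob)
    struct.pack_into(">I", out, offset, encode_li(rd, new))
    return bytes(out)


DIALOG_TYPES = {0: "network game", 1: "PSN-required network game"}


def parse_dialog_param(buf):
    """Decode the CellNetCtlNetStartDialogParam prefix: size, type and, if present, cid."""
    size, dtype = struct.unpack_from(">II", buf, 0)
    cid = struct.unpack_from(">I", buf, 8)[0] if len(buf) >= 12 else None
    return {"size": size, "type": dtype, "type_name": DIALOG_TYPES.get(dtype, "unknown"), "cid": cid}


# Constructed blob: four nops, then the three instructions from the listing
# (li r0,1 = 0x38000001; stw r0,0x80(r1) = 0x90010080 with a made-up stack
# offset; b +8 = 0x48000008).
SAMPLE_TEXT = bytes.fromhex("60000000" * 4 + "38000001" + "90010080" + "48000008")
LI_OFFSET = 16

if __name__ == "__main__":
    patched = patch_li_immediate(SAMPLE_TEXT, LI_OFFSET, 0, 1, 0)
    print(patched[LI_OFFSET:LI_OFFSET + 4].hex())            # 38000000
    print(parse_dialog_param(bytes.fromhex("0000000c00000001")))
```

Pointing the patcher at the wrong word (the `stw` right after the `li`, say) raises instead of writing, which is the difference between a bad offset and a silently broken binary.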

PSN Store

Packages you have downloaded to the console are stored under /dev_hdd0/vsh/game_pkg, from where they can be FTPed off the hard drive. The file names there are garbled, so it is safest to copy them out one at a time so you can tell which .PKG is which.

PSN INFINITY v2 - Open Beta

App made by SKFU + iQD; source: http://streetskaterfu.blogspot.de/2012/03/psn-infinity-v2-open-beta.html
Dependencies: OpenSSL + VC redistributables: http://www.slproweb.com/products/Win32OpenSSL.html
Download: http://www.ps3devwiki.com/files/NP/infinity.zip

PSN JSON Parser for PC

This simple script parses the online store JSON into readable text. The JSON is served at the URL below (you need to be logged in to store.sonyentertainmentnetwork.com to see the data):

https://store.sonyentertainmentnetwork.com/kamaji/api/chihiro/00_09_000/gateway/store/v1/users/me/internal_entitlements?fields=drm_def

Script: https://gist.githubusercontent.com/wargio/24af527aaa53a8781438/raw/57d7e090f22ea41b8ceecc8be8d398ec0480efc8/ps_store_json.sh (ps_store_json.sh)

Usage: ./ps_store_json.sh <internal_entitlements.json>
       Log in to 'https://store.sonyentertainmentnetwork.com'
       Save the page 'https://store.sonyentertainmentnetwork.com/kamaji/api/chihiro/00_09_000/gateway/store/v1/users/me/internal_entitlements?fields=drm_def'
       Give the page to this script: './ps_store_json.sh internal_entitlements.json'
       It will return something like:

       ContentID:        UP0001-000000000_00-0000000000000000
       Content Name:     Game Name
       Content Size:     XXX Mb
       Content URL:      http://zeus.dl.playstation.net/cdn/xxxxxx/000000000_00/yyyy...yyyyyyy.pkg
       drmContentType:   n
       drmType:          m
       Publisher Name:   Game Publisher
       Title Name:       Game Name Demo
       Img URL:          https://image.api.np.km.playstation.net/images/......

PSN PS3MFW TCL Task - 4.11 only PS3 CFW 3.55 - Open Beta

This is a PS3MFW 0.2.1 task that patches vsh.self so a CFW 3.55 retail console can sign in to PSN while reporting firmware version 4.11 (beta). Use it at your own risk.

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Created By Boludoz

# Priority: 700
# Description: Patch PSN Activator

# Option --allow-activating-psn: PSN Spoof 4.11 (requires spoof 4.11)

# Type --allow-activating-psn: boolean

namespace eval ::patch_vsh_psn {

    array set ::patch_vsh_psn::options {
        --allow-activating-psn true
    }

    proc main { } {
        set self [file join dev_flash vsh module vsh.self]

        ::modify_devflash_file $self ::patch_vsh_psn::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_vsh_psn::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_vsh_psn::options(--allow-activating-psn)} {
            log "Patching [file tail $elf] to allow activating psn content offline"

            # The "offset" values record where the bytes sit in the decrypted
            # vsh.self; they are informational only, ::patch_elf locates the
            # bytes by $search.

            # Version string: the "%02d.%02" format is replaced by the literal
            # "04.11" (the firmware version reported to PSN).
            set offset "0x679E30"
            set search "\x39\x39\x2e\x39\x39\x00\x00\x00\x25\x30\x32\x64\x2e\x25\x30\x32\x20"
            set replace "\x39\x39\x2e\x39\x39\x00\x00\x00\x30\x34\x2e\x31\x31\x00\x00\x00"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Zeroes the leading "d" byte in front of the "sp-int" string.
            set offset "0x679E40"
            set search "\x64\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"
            set replace "\x00\x00\x00\x00\x00\x00\x00\x00\x73\x70\x2d\x69\x6e\x74\x00\x00"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8400"
            set search "\x42\x8A\x8A\x72\x09\x13\x8F\x12\x48\x4E\xA4\xF0\xD0\x4C\xED\xF4"
            set replace "\x42\x8A\x8A\x72\x49\xE4\xB5\x6D\x14\xFE\x48\xB9\xD1\x87\x7F\xDF"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            # NOTE: this 0X6F8410 search/replace pair is overwritten by the
            # 0X6F8420 pair before any ::patch_elf call, so as written it is
            # never applied.
            set offset "0X6F8410"
            set search "\xB8\x22\x80\xE4\x3C\xB5\x88\x76\x75\x03\xD5\xEF\xB1\x70\xAA\x19"
            set replace "\x1C\xE0\xC6\x21\xA3\x74\x2C\x45\x67\x8B\x69\x4D\x32\xC0\xDC\xD9"

            set offset "0X6F8420"
            set search "\x4D\x42\x7D\x4F\xCA\xD8\x6C\x5A\x2B\xE0\xC3\x80\x74\x22\x86\x75"
            set replace "\x40\x4F\xB8\xF6\x12\xE0\x60\x3C\x37\x20\x9D\x8B\x93\x71\x6C\xD7"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8430"
            set search "\x10\x5D\x40\x99\x63\x01\x38\x06\x79\x59\xB9\x62\x96\x53\xDD\x67"
            set replace "\x09\xC8\x20\x21\xD7\xE5\x24\x6A\x36\xBE\xE0\x99\xA1\x0E\x8F\x40"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            set offset "0X6F8440"
            set search "\x7D\x24\x4F\xA3"
            set replace "\x0D\x8E\x0D\x95"

            catch_die {::patch_elf $elf $search 20 $replace} "Unable to patch self [file tail $elf]"

            log "WARNING: activating PSN requires SPROOF 3.41" 1
        }
    }
}