a guest
Feb 17th, 2011
<user1> xxx: I don't think there are many people involved in circumventing PSN access in /this/ channel [ "application/x-i-5-ticket" reason=40 > PSN error 80710101 ]
<user2> talk about network stuff?
<user2> nice
<user2> i just finished decrypting 100% of all psn functions
<user3> :)
<user2> you can forget all the history wiper and log remove apps
<user2> theres an independent check
<user2> which transfers all games and their playtime
<user2> every time you login
<user2> you can modify it like the firmware version tho
<user2> it looks like:
<user2> <info titleid="BLUS30034_00" disc="18cf5fc49cb4ac7ae9519d5062712350" boot="2011-02-03T20:35:09.00Z" playtime="8875" />
<user2> as well they can detect backups this way
<user1> hash is eboot.bin to check for version?
<user2> if you use a backup it will look like this:
<user2> <info titleid="BLUS30034_00" disc="00000000000000000000000000000000" boot="2011-02-03T20:35:09.00Z" playtime="8875" /
<user4> user2, is that in data sent to a0.[CC].np.communication.playstation.net
<user2> sec lemme check
<user4> im still collecting all the data
<user2> updptl.de.np.community.playstation.net/
<user2> thats the server
<user3> user2: what about Blu-ray Master Disc/BD Emulator ?
<user3> since, i use those features legitimately
<user2> on debug or retail?
<user2> i didnt check all on debug unit yet
<user2> so no clue if it sends discid for bdemu
<user2> but sony is the biggest spy ever lol
<user2> they collect so much data
<user1> true
<user2> all connected devices return values sent to sony server
<user2> example:
<user3> user2: Debug models of course :)
<user2> ><info category="76">32&apos;&apos; TFT-TV</info><info category="77">OEM</info><info category="88">release</info><info category="89">cex</info>
<user4> i cannot find my PS3 connect to host with 'updptl' in the name
<user2> returns tv, fw version, fw type, console model
<user2> also i found data it collects when i had usb device attached etc etc
<user2> so if they ever sue someone for psn stuff, they will be sued themselves as most of the data they collect is just not legal
<user4> user2, at what time does it connect to that host?
<user4> during the PSN logon?
<user2> sec i check
<user5> user2 how can you modify that data?
<user6> user2: do you now know enough to wipe all traces so that people who never had their consoles on the internet can avoid sending this information now? :)
<user4> no DNS request for a host with 'updptl' in the name in my packet captures :-\
<user2> @user5: it sends directly after user profile load and sometimes; - it seems random, just when u play a game or anything
<user4> ohh
<user2> @xxxx: we could modify the data via proxy between the tunnels, like delete all data between the xml tags <info> or somehow
<user5> oh so its not on the ps3 hdd itself?
<user6> user2: aha, so this information is actually encrypted?
<user2> ya
<user2> the list is stored online
<user2> and updated when u login psn and random
<user5> damn
<user6> but where is it stored before that? I have never been online with my ps3...
<user6> so it must be somewhere
<user5> was hoping it would be on the ps3 hdd
<user5> then lock it or so
<user1> the only avoidance is block all *.playstation.net
<user2> MAYBE - i rly dont know - it doesnt save it at all on hdd
<user2> so only transfers the games and stuff in one ps3 session when you go online
<user2> so if u have ps3 offline and play a game, then shutdown and turn on again
<user2> it MAY not transfer update
<user2> cuz i didnt find any info for that list on hdd
<user2> it could be that its used for online playtime or psn logged in playtime
<user2> as well you should never ever install a CFW from someone unknown
<user2> cuz its way too easy to do scamming at this point
<user2> for example:
<user2> creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
<user2> sent as plaintext
<user3> uh
<user3> did you censor that card?
<user2> ya its fake
<user3> good
<user1> wow, plaintext :S
<user5> plaintext wow
<user3> im never putting in my details like that
<user2> ya is all fake lol
<user2> i never used cc on ps3
<user2> normally you AT LEAST encrypt the security code, even if its ssl
<user5> id hope sony would do such in a safe manner
<user5> psn cards probably plain text too then
<user2> fake certs are known since years as vuln so companies encrypt such data twice normally
<user2> but hey its sony --> its a feature
<user5> lol
<user7> lol
<user5> yeah if you go public with your info they either remove the store or psn all together
<user5> as an update
<user6> I doubt it :P
<user7> from all the actions they've taken the past years, we can only deduce that Sony don't care about their customers
<user2> impossible
<user7> :)
<user2> they wont update their whole psn lol
<user6> but this should really get out there, but I guess it's on psx-scene.com in a matter of minutes already ;)
<user5> 3.60 removal of psn
<user2> i know a few guys who worked @ sony's psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was "we thought it was addressed." - lol
<user2> sony qa --> trainees
<user8> that fits nicely into the "#define rand() 4" mentality. ;)
<user2> yep
<user3> or more of
<user3> ECDSA_PRIVATE_KEY privateKey;
<user2> lol
<user3> and PrivateKey is in a header file
<user3> and it's static
<user2> xD
<user3> and ECDSA_RANDOM in a header file
<user3> and so on
<user2> another funny function i found is regarding psn downloads
<user2> its when a pkg game is requested from the store
<user2> in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
<user3> ..
<user2> is like
<user8> :D
<user3> my god
<user2> drm:off
<user5> lol
<user2> lol
<user1> :facepalm:
<user8> well, that's one way to offload the server.
<user2> still wondering when the big ban wave arrives :D
<user1> if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave
<user10> ask ur friends :P
<user2> prolly they take it like it is now, unstoppable anyways
<user2> new firmware to ban all further actions and done
<user4> an open psn would be nice
<user4> even if it was just a player matching service
<user2> ya
<user9> a PSN host by the community :)
<user3> that actually could be perhaps possible
<user3> if you can get auth working
<user3> and all
<user3> a new np environment
<user2> the friend list management is easiest
<user2> simple jabber server
<user11> don't some games use their own servers?
<user1> some use p2p
<user11> which check from the official psn servers whether you're logged in and who you are
<user2> imagine the traffic load :D
<user2> whod pay this xD
<user11> yes, but even p2p games do use publisher or sony provided servers for matchmaking
<user3> NpCommerce2
<user12> I am getting behind everything on doing my security analysis
<user12> started a couple months ago monitoring SSL stuff, and then got distracted with blackops and havent pursued it, seems a lot of people are starting to take interest in it now
<user2> and regarding matchmaking and lobby systems
<user2> the functions built in firmware and/or game
<user2> how would you answer them
<user2> the server side code we dont know of
<user12> some stuff appears to be in lv2 and not in sprx for network stuff
<user2> so we can not create proper answers
<user12> you can try to analyze the protocol and say "if X then Y" type responses the problems come up when you get something you havent seen before
<user12> that was done with counterstrike for example so that people could cheat
<user12> so its not entirely impossible although it is time consuming
<user12> sometimes its happy accidents, reason code 21 means bad cipher, 51 bad firmware version - for x-i-5 tickets for example
<user11> wasn't cs/hl server software available for anyone to download even back then?
<user6> anyone found a way to change DVD region on ps3 yet, btw?
<user11> for psn you can't even get binaries for the server side
<user5> user2 i remember some months ago you made a psntool with a psn messenger in it but not yet functional is that still being worked on?
<user12> but for stuff like that the ticket has to exist on the psn side of things because if I send my ticket to a vendor server they will validate it against psn and if its not there it will fail
<user1> xxx: wasn't syscall 0x363 0x19004 3rd byte useful for that?
<user2> @xxxx: at this time i could finish the tool yes but im not sure if it is useful at all
<user12> xxxx: no but you can monitor traffic, even send some "bad" things and watch the responses... I discovered x-i-5 reason code 21 by accident, I did not force my proxy to mirror the cipher that the ps3 presented
<user2> i mean why would someone want to chat with a someone on ps3
<user2> while any1 anyway have msn/icq/aol
<user12> know this, sony in realtime, monitors all messages over psn
<user12> I verified that, its part of my privacy threats thing I am doing
<user5> ok too bad id like the psn messenger on pc
<user12> the realtime monitoring is a bit bothersome to me
<user6> user1: such information is quite useless to me, as I'm not that into the technical stuff :) was more hoping someone had an easy way to do it.. like a DVD region changer or something.
<user2> @user12: the realtime jabber monitoring is most likely for realtime censor of messages
<user12> they appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but ...
<user12> well they have some odd things in there
<user11> yeah they have that dumb automatic word filter
<user4> the censor word-list is ridiculous
<user13> psn messenger would be helpful, just yesterday was killed 2 times when typing response on the message + its so slow loading
<user12> a psn code that is not really valid if you sent that via email it becomes valid but you cant add funds to your wallet. The fact that emailing that code to someone makes it valid for you is odd ... why monitor that code?
<user11> which makes it much more difficult to have a sensible conversation in languages other than english
<user12> why change its state on sending it?
<user12> the censor words in home is on your system, it downloads a dict list of words
<user12> an empty file resolves that
<user2> tryin to find my jabber logs... >.<
<user12> so it only censors on receipt not on transmission
<user12> dunno how the other stuff does it
<user12> mostly because I have yet to look
<user12> now you have me curious I am gonna go redo my network a little bit to start monitoring again :)
<user2> btw as well a reason AGAINST pc to ps3 messenger is spam
<user2> cuz there actually is an easy way to get userlists
<user2> would fuck psn pretty hard if some skiddy releases a spam app
<user2> the highscore and matchmaking lobbies you can request per game id and get user mails for psn
<user13> ugh, yeah
<user2> huge list + spam app == sux
<user3> argghhhh
<user3> why do my trophies never sync to np
<user2> anyway sony just would have to open a port on the jabber server, so you could login with icq
<user5> lol
<user2> and we all know what happens if cool homebrew arrives, remember open remote play
<user2> sony just releases an official tool lol
<user12> thing is the more people do things and discuss what they do and explain how to do it the more likely sony will lock down psn in the future
<user2> psn is a core feature of ps3
<user12> making it harder and harder to do anything, like using older firmwares to log in, that will probably be the first to go away
<user2> they would be sued like with otheros
<user5> yeah but they also blocked open remote play
<user11> user12: that already went away, didn't it
<user12> if you are not running current firmware you do not have a right to psn
<user11> user12: even for debug users
<user12> not really, not yet anyway
<user12> 3.56 did not break it but the next release might
<user12> especially because it stops people running backups and other stuff on psn
<user11> well i mean 3.41
<user2> ya would be all possible for them
<user12> not sure what, if anything, changed with 3.41
<user11> you used to be able to sign in on debug 3.41 until someone released that psn enabler hack
<user2> one way more difficult than the other so i think they first will go on with backup ban on psn
<user11> even though 3.42 and 3.50 had already been released
<user2> via playlists and stuff i mentioned before
<user2> a secure way to fix it would require firmware and server update tho
<user2> wondering what prevents em of this way
<user12> I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it and do my work
<user12> I *might* try with 3.40 and see if I can do enough of my work, that would make it somewhat harder though
<user1> banwave possibly, new FW + plus they still need to fix that 3.56-1st/2nd harddrive exchange bug in the next version
<user12> because my work is specialized and very limited in scope
<user2> the psn has 45 environments all working independent
<user2> prolly that is the reason
<user2> we could just change to another environment
<user2> and they also need to have an eye to the official developers which use environments too
<user2> and the qa
<user2> which needs to work with older firmware sometimes
<user2> so they cant update all environments and block all
<user4> probably so much ITIL process management so they can't fart without a work request
<user2> hehe
<user12> the way that people are getting on now is to change the user agent in the login request, well x-platform-version specifically. but if the x-platform-passphrase changes in how its constructed then its easy to detect people trying to use an older firmware
<user2> they can even without the xi
<user2> as the firmware version is in a lot more requests than the auth
<user4> version is sent to the getprof servers also
<user2> ppl change only the xi one atm
<user4> and ena.
<user2> but its in netstart, xi, game starts
<user12> I understand that part of it, I was just talking about x-i-5 auth stuff
<user2> many many functions send the real fw version
<user2> but only xi5 is checked
<user12> I realize that many functions send the fw version, anything that uses libhttp.sprx does
<user2> ya
<user12> remember I have been doing this for a couple months
<user12> even wrote software that lets me do the ssl parts on the fly instead of to a fixed server, mirroring the CN of the real server
<user4> what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?
<user4> luckily they use CN=*.*.np.community.playstation.net which saves a bit of hassle, just calling openssl from your app user12 ?
<user12> openssl libs
<user12> not the app itself
<user12> and I do it for *ALL* ssl connections in realtime
<user12> so even if you use the webbrowser it will generate certs for that too
<user4> nice tool you made :)
<user12> it is similar in function to "sslsniff" but mine works with the ps3 and logs correctly
<user2> for the first i think ppl should use a replace of all 3.5.5 and 355 strings but regarding to the user agent, else psn wont load
<user2> user12 which certs u use?
<user2> only 05 i guess ?
<user2> CA i mean sorry
<user12> user2: I use them all
<user12> there is a place that the firmware version is in lv2 that is not a "string"
<user12> its 'decimal' "035500" not sure if its 32 or 64 bit in size though,
<user2> btw u know the login url for auth is like:
<user12> but that is not the ascii 3 its the decimal value
<user2> &serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID
<user12> I have complete logs for the auth stuff
<user2> did u already change the "first" param?
<user2> i wonder what it does
<user12> first=true is only there if you had not previously logged into psn
<user2> ah ok
<user12> its missing if you were previously logged in but you need a new ticet
<user12> ticket
<user14> hi
<user14> please not connect
<user14> to external dns ip
<user14> with your ps3
<user14> your passwords and email and other data is revealed on the external side
<user12> which you need for each service id that you need one for, meaning if you sync trophies you get 1 ticket, when you play a game you get a 2nd ticket, when you watch netflix you get a 3rd
<user14> spam people can use this info
<user12> most likely if they are mapping that host
<user12> if its just the firmware check then no, because there is nothing private sent in that http (cleartext) request
<user12> so it depends on what hosts they are looking at
<user14> to start a spamming attack
<user2> hm didnt check that ticket stuff yet
<user2> as when i used a ticket
<user2> for a test POST
<user2> i worked with 1 only
<user2> and always worked
<user2> prolly many to identify the service
<user12> the ticket is sent to say a game, netflix, etc. anything that uses psn. That way you do not send credentials to anyone but sony
<user2> if its like u say then this is another vuln lol
<user2> cuz as i tested if always first ticket works
<user2> you could hijack a session
<user2> the ticket and session i used didnt timeout
<user2> and if it always creates a new ticket as u say
<user2> there would be many sessions
<user12> I also have yet to monitor how long the tickets are valid for, I know that the ps3 does not reuse them between apps but that could just be the way its coded (they might be valid even though a normal ps3 will never reuse)
<user2> for one user open
<user12> it may invalidate old ones on issuance of a new, I never looked
<user12> I just know that I saw it getting one at app launch
<user2> hm weird with the tickets
<user2> i know the ticket is build outta few params
<user2> the serial
<user2> the userid
<user2> issued date
<user2> service id
<user2> online id
<user2> many many :P
<user12> I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
<user12> if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
<user2> its not old version, they just didnt update the banner
<user12> I consider apache 2.2.15 old
<user2> which server
<user12> it also has known vulnerabilities
<user12> auth.np.ac.playstation.net
<user2> ya the displayed version u see via banner is not the real version
<user12> unless they updated it in the last couple weeks
<user12> I doubt that since its not trivial to change that
<user12> its a bit more invasive than just setting it to Prod like they do on their other servers
<user11> you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
<user2> its just backported security patches
<user11> i did remove all my info after downloading the games though
<user12> that is just psn not the store
<user12> they are running linux 2.6.9-2.6.24 on that box too
<user12> that too is old
<user2> lol @ buying on store
<user11> yes, but their general attitude towards security just seems...ugh
<user2> sony wont misuse the info i bet xD
<user2> but just prevent using cfw's of unknown ppl
<user2> even better from ALL ppl
<user2> make ur own lol
<user12> so I doubt that they are spoofing the network stack on that box as well
<user12> my guess is that it really is undermaintained "it works why change anything"
<user2> could be
<user12> sony really should update that stuff to something more current
<user2> ya
<user2> but imagine
<user2> psn == 45 environments
<user2> and for example
<user2> every env has 50 subdomains
<user2> to external machines
<user2> its rly rly huge
<user2> who wants to do this xD
<user2> ppl r lazy
<user2> wont change