Guest User

IRC chatlog of PSN hackers

a guest
Apr 27th, 2011
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 19.52 KB | None
  1. [user1] xxx: I don’t think there are many people involved in circumventing PSN access in /this/ channel [ "application/x-i-5-ticket" reason=40 > PSN error 80710101 ]
  2. [user2] talk about network stuff?
  3. [user2] nice
  4. [user2] i just finished decrypting 100% of all psn functions
  5. [user3]
  6. [user2] you can forget all the history wiper and log remove apps
  7. [user2] theres a independant check
  8. [user2] which transfers all games and their playtime
  9. [user2] every time you login
  10. [user2] you can modify it like the firmware version tho
  11. [user2] it looks like:
  12. [user2]
  13. [user2] aswell they can detect backups this way
  14. [user1] hash is eboot.bin to check for version?
  15. [user2] if you use a backup it will look like this:
  16. [user2] [user4] user2, is that in data sent to a0.[CC]
  17. [user2] sec lemme check
  18. [user4] im still collecting all the data
  19. [user2]
  20. [user2] thats the server
  21. [user3] user2: what about Blu-ray Master Disc/BD Emulator ?
  22. [user3] since, i use those features legitimately
  23. [user2] on debug or retail?
  24. [user2] i didnt check all on debug unit yet
  25. [user2] so no clue if it sends discid for bdemu
  26. [user2] but sony is the biggest spy ever lol
  27. [user2] they collect so much data
  28. [user1] true
  29. [user2] all connected devices return values sent to sony server
  30. [user2] example:
  31. [user3] user2: Debug models of course
  32. [user2] >32” TFT-TVOEMreleasecex
  33. [user4] i cannot find my PS3 connect to host with ‘updptl’ in the name
  34. [user2] returns tv, fw version, fw type, console model
  35. [user2] also i found data it collects when i had usb device attached etc etc
  36. [user2] so if they ever sue someone for psn stuff, they will be sued themselves as most of the data they collect is just not legal
  37. [user4] user2, at what time does it connect to that host?
  38. [user4] during the PSN logon?
  39. [user2] sec i check
  40. [user5] user2 how can you modify that data?
  41. [user6] user2: do you now know enough to wipe all traces so that people who never had their consoles on the internet can avoid sending this information now?
  42. [user4] no DNS request for a host with ‘updptl’ in the name in my packet captures :-
  43. [user2] @user5: it sents directly after user profile load and sometimes; – it seams random, just when u play a game or anything
  44. [user4] ohh
  45. [user2] @xxxx: we could modify the data via proxy between the tunnels, like delete all data between the xml tags or somehow
  46. [user5] oh so its not on the ps3 hdd itself?
  47. [user6] user2: aha, so this information is actually encrypted?
  48. [user2] ya
  49. [user2] the list is stored online
  50. [user2] and updated when u login psn and random
  51. [user5] damn
  52. [user6] but where is it stored before that? I have never been online with my ps3…
  53. [user6] so it must be somewhere
  54. [user5] was hoping it would be on the ps3 hdd
  55. [user5] then lock it or so
  56. [user1] the only avoidance is block all *
  57. [user2] MAYBE – i rly dont know – it doesnt save it at all on hdd
  58. [user2] so only transfers the games and stuff in one ps3 session when you go online
  59. [user2] so if u have ps3 offline and play a game, then shutdown and turn on again
  60. [user2] it MAY not transfer update
  61. [user2] cuz i didnt find any info for that list on hdd
  62. [user2] it could be that its used for online playtime or psn logged in playtime
  63. [user2] aswell you should never ever install a CFW from someone unknown
  64. [user2] cuz its way too easy todo scamming at this point
  65. [user2] for example:
  66. [user2] [redacted plain text code, includes false credit card number]
  67. [user2] sent as plaintext
  68. [user3] uh
  69. [user3] did you censor that card?
  70. [user2] ya its fake
  71. [user3] good
  72. [user1] wow, plaintext :S
  73. [user5] plaintext wow
  74. [user3] im never putting in my details like that
  75. [user2] ya is all fake lol
  76. [user2] i never used cc on ps3
  77. [user2] normally you ATLEAST enccrypt the securtity code, even if its ssl
  78. [user5] id hope sony would do such in a safe manner
  79. [user5] psn cards probably plain text to then
  80. [user2] fake certs are known since years as vuln so companies encrypt such data twice normally
  81. [user2] but hey its sony –> its a feature
  82. [user5] lol
  83. [user7] lol
  84. [user5] yeah if you go public with your info they either remove the store or psn all together
  85. [user5] as an update
  86. [user6] I doubt it
  87. [user7] from all the actions they’ve taken the past years, we can only deduce that Sony don’t care about their customers
  88. [user2] impossible
  89. [user7]
  90. [user2] they wont update their whole psn lol
  91. [user6] but this should really get out there, but I guess it’s on in a matter of minutes already
  92. [user5] 3.60 removal of psn
  93. [user2] i know a few guys who worked @ sony’s psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was “we thought it was adressed.” – lol
  94. [user2] sony qa –> trainees
  95. [user8] that fits nicely into the “#define rand() 4″ mentality.
  96. [user2] yep
  97. [user3] or more of
  98. [user3] ECDSA_PRIVATE_KEY privateKey;
  99. [user2] lol
  100. [user3] and PrivateKey is in a header file
  101. [user3] and it’s static
  102. [user2] xD
  103. [user3] and ECDSA_RANDOM in a header file
  104. [user3] and so on
  105. [user2] another funny function i found is regarding psn downloads
  106. [user2] its when a pkg game is requested from the store
  107. [user2] in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
  108. [user3] ..
  109. [user2] is like
  110. [user8]
  111. [user3] my god
  112. [user2] drm:off
  113. [user5] lol
  114. [user2] lol
  115. [user1] :facepalm:
  116. [user8] well, that’s one way to offload the server.
  117. [user2] still wondering when the big ban wave arrives
  118. [user1] if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave
  119. [user10] ask ur friends
  120. [user2] prolly they take it like it is now, unstoppable anyways
  121. [user2] new firmware to ban all further actions and done
  122. [user4] an open psn would be nice
  123. [user4] even if it was just a player matching service
  124. [user2] ya
  125. a PSN host by the community
  126. [user3] that actually could be perhaps possible
  127. [user3] if you can get auth working
  128. [user3] and all
  129. [user3] a new np environment
  130. [user2] the friend list management is easiest
  131. [user2] simple jabber server
  132. [user11] don’t some games use their own servers?
  133. [user1] some use p2p
  134. [user11] which check from the official psn servers whether you’re logged in and who you are
  135. [user2] imagine the traffic load
  136. [user2] whod pay this xD
  137. [user11] yes, but even p2p games do use publisher or sony provided servers for matchmaking
  138. [user3] NpCommerce2
  139. [user12] I am getting behind everything on doing my security analysis
  140. [user12] started a couple months ago monitoring SSL stuff, and theen got distracted with blackops and havent pursed it, seems a lot of people are starting to take interest in it now
  141. [user2] and regarding matchmaking and lobby systems
  142. [user2] the functions built in firmware and/or game
  143. [user2] how would you answer them
  144. [user2] the server side code we dont know of
  145. [user12] some stuff appears to be in lv2 and not in sprx for network stuff
  146. [user2] so we can not create proper answers
  147. [user12] you can try to analyze the protocol and say “if X then Y” type responses the problems come up when you get something you haveent seen before
  148. [user12] that was done with counterstrike for example so that people could cheat
  149. [user12] so its not entirely impossible although it is time consuming
  150. [user12] sometimes its happy accidents, reason code 21 means bad cipher, 51 bad firmware version – for x-i-5 tickets for example
  151. [user11] wasn’t cs/hl server software available for anyone to download even back then?
  152. [user6] anyone found a way to change DVD region on ps3 yet, btw?
  153. [user11] for psn you can’t even get binaries for the server side
  154. [user5] user2 i remember some months ago you made a psntool with a psn messenger in it but not yet functional is that still being worked on?
  155. [user12] but for stuff like that the ticket has to exist on the psn side of things because if I send my ticket to a vendor server they will validate it against psn and if its not there it will fail
  156. [user1] xxx: wasn’t syscall 0×363 0×19004 3rd byte usefull for that?
  157. [user2] @xxxx: at this time i could finish the tool yes but im not sure if it is useful at all
  158. [user12] xxxx: no but you can monitor traffic, even send some “bad” things and watch the responses… I discovered x-i-5 reason code 21 by accident, I did not force my proxy to mirror the cipher that the ps3 presented
  159. [user2] i mean why would someone want to chat with a someone on ps3
  160. [user2] while any1 anyway have msn/icq/aol
  161. [user12] know this, sony in realtime, monitors all messages over psn
  162. [user12] I verified that, its part of my privacy threats thing I am doing
  163. [user5] ok too bad id like the psn messenger on pc
  164. [user12] the realtime monitoring is a bit bothersome to me
  165. [user6] user1: such information is quite useless to me, as I’m not that into the technical stuff was more hoping someone had an easy way to do it.. like a DVD region changer or something.
  166. [user2] @user12: the realtime jabber monitoring as most likely for realtime censor of messages
  167. [user12] they appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but …
  168. [user12] well they have osme odd things in there
  169. [user11] yeah they have that dumb automatic word filter
  170. [user4] the censor word-list is ridiculous
  171. [user13] psn messenger would be helpful, just yesterday was killed 2 times when typing response on the message + its so slow loading
  172. [user12] a psn code that is not really valid if you sent that via email it becomes valid but you cant add funds to your wallet. The fact that emailing that code to someone makes it valid for you is odd … why monitor that code?
  173. [user11] which makes it much more difficult to have a sensible conversation in languages other than english
  174. [user12] why change its state on sending it?
  175. [user12] the censor words in home is on your system, it downloads a dict list of words
  176. [user12] an empty file resolves that
  177. [user2] tryin to find my jabber logs… >.< [user12] so it only censors on receipt not on transmission [user12] dunno how the other stuff does it [user12] mostly because I have yet to look [user12] now you have me curious I am gonna go redo my network a little bit to start monitoring again [user2] btw aswell a reason AGAINST pc to ps3 messenger is spam [user2] cuz there actually is an easy way to get userlists [user2] would fuck psn pretty hard if some skiddy releases a spam app [user2] the highscore and matchmaking lobbies you can request per game id and get user mails for psn [user13] ugh, yeah [user2] huge list + spam app == sux [user3] argghhhh [user3] why do my trophies never sync to np [user2] anyway sony just would have to open a port on the jabber server, so you could login with icq [user5] lol [user2] and we all know what happens if cool homebrew arrives, remember open remote play [user2] sony just releases an official tool lol [user12] thing is the more people do things and discuss what they do and explain how to do it the more likely sony will lock down psn in the future [user2] psn is a core feature of ps3 [user12] making it harder and harder to do anything, like using older firmwares to log in, that will probably be the first to go away [user2] they would be sued like with otheros [user5] yeah but they also blocked open remote play [user11] user12: that already went away, didn’t it [user12] if you are not running current firmware you do not have a right to psn [user11] user12: even for debug users [user12] not really, not yet anyway [user12] 3.56 did not break it but the next release might [user12] especially because it stops people running backups and other stuff on psn [user11] well i mean 3.41 [user2] ya would be all possible for them [user12] not sure what, if anything, changed with 3.41 [user11] you used to be able to sign in on debug 3.41 until someone released that psn enabler hack [user2] one way more difficult than the other so i think they first will go on with backup ban on psn [user11] even though 3.42 and 3.50 had already been released [user2] via playlists and stuff i meantioned before [user2] a secure way to fix it would require firmware and server update tho [user2] wondering what prevents em of this way [user12] I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it and do my work [user12] I *might* try with 3.40 and see if I can do enough of my work, that would make it somewhat harder though [user1] banwave possibly, new FW + plus they still need to fix that 3.56-1st/2nd harddrive exchange bug in the next version [user12] because my work is specialized and very limited in scopee [user2] the psn has 45 environments all working independant [user2] prolly that is the reason [user2] we could just change to another environment [user2] and they also need to have an eye to the official developers which use environments too [user2] and the qa [user2] which needs to work with older firmware sometimes [user2] so they cant update all environments and block all [user4] probably so much ITIL process management so they can’t fart without a work request [user2] hehe [user12] the way that people are getting on now is to change the user agent in the login request, well x-platform-version specifically. but if the x-platform-passphrase changes in how its constructed then its easy to detect people trying to use an older firmware [user2] they can even without the xi [user2] as the firmware version is in a lot more requests than the auth [user4] version is sent to the getprof servers also [user2] ppl change only the xi one atm [user4] and ena. [user2] but its in netstart, xi, game starts [user12] I understand that part of it, I was just talking about x-i-5 auth stuff [user2] many many functions send the real fw version [user2] but only xi5 is checked [user12] I realize that many functions send the fw version, anything that uses libhttp.sprx does [user2] ya [user12] remember I have been donig this for a couple months [user12] even wrote software that lets me do the ssl parts on the fly instead of to a fixed server, mirroring the CN of the real server [user4] what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?
  178. [user4] luckily they use CN=*.* which saves a bit of hassle, just calling openssl from your app user12 ?
  179. [user12] openssl libs
  180. [user12] not the app itself
  181. [user12] and I do it for *ALL* ssl connections in realtime
  182. [user12] so even if you use the webbrowser it will generate certs for that too
  183. [user4] nice tool you made
  184. [user12] it is similar in function to “sslsniff” but mine works with the ps3 and logs correctly
  185. [user2] for the first i think ppl should use a replace of all 3.5.5 and 355 strings but regarding to the user agent, else psn wont load
  186. [user2] user12 which certs u use?
  187. [user2] only 05 i guess ?
  188. [user2] CA i mean sorry
  189. [user12] user2: I use them all
  190. [user12] there is a place that the firmware version is in lv2 that is not a “string”
  191. [user12] its ‘decimal’ “035500″ not sure if its 32 or 64 bit in size though,
  192. [user2] btw u know the login url for auth is like:
  193. [user12] but that is not the ascii 3 its the decimal value
  194. [user2] &serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID
  195. [user12] I have complete logs for the auth stuff
  196. [user2] did u already change the “first” param?
  197. [user2] i wonder what it does
  198. [user12] first=true is only there if you had not previously loggged into psn
  199. [user2] ah ok
  200. [user12] its missing if you were previously logged in but you need a new ticet
  201. [user12] ticket
  202. [user14] hi
  203. [user14] please not connect
  204. [user14] to external dns ip
  205. [user14] with your ps3
  206. [user14] your passwords and email and other data is revealed on the external side
  207. [user12] which you need for each service id that you need one for, meaning if you sync trophies you get 1 ticket, when you play a game you get a 2nd ticket, when you watch netflix you get a 3rd
  208. [user14] spam people can use this info
  209. [user12] most likely if they are mapping that host
  210. [user12] if its just the firmware check then no, because there is nothing private sent in that http (cleartext) request
  211. [user12] so it depends on what hosts they are looking at
  212. [user14] to start a spamming attack
  213. [user2] hm didnt check that ticket stuff yet
  214. [user2] as when i used a ticket
  215. [user2] for a test POST
  216. [user2] i worked with 1 only
  217. [user2] and always worked
  218. [user2] prolly many to identify the service
  219. [user12] the ticket is sent to say a game, netflix, etc. anythibng that uses psn. That way you do not send credentials to anyone but sony
  220. [user2] if its like u say then this is another vuln lol
  221. [user2] cuz as i tested if always first ticket works
  222. [user2] you could hijack a session
  223. [user2] the ticket and session i used didnt timeout
  224. [user2] and if it always creates a new ticket as u say
  225. [user2] there would be many sessions
  226. [user12] I also haave yet to monitor how long the tickets are valid for, I know that the ps3 does not reuse them between apps but that could just be the way its coded (they might be valid even though a normal ps3 will never reuse)
  227. [user2] for one user open
  228. [user12] it may invalidate old ones on issuance of a new, I never looked
  229. [user12] I just know that I saw it getting one at app launch
  230. [user2] hm wierd with the tickets
  231. [user2] i know the ticket is build outta few params
  232. [user2] the serial
  233. [user2] the userid
  234. [user2] issueddare
  235. [user2] service id
  236. [user2] online id
  237. [user2] many many
  238. [user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
  239. [user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
  240. [user2] its not old version, they just didnt update the banner
  241. [user12] I consider apache 2.2.15 old
  242. [user2] which server
  243. [user12] it also has known vulnerabilities
  244. [user12]
  245. [user2] ya the displayed version u see via banner is not the real version
  246. [user12] unless they updated it in the last couple weeks
  247. [user12] I doubt that since its not trivial to change that
  248. [user12] its a bit more invasive than just setting it to Prod like they do on their other servers
  249. [user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
  250. [user2] its just backported security patches
  251. [user11] i did remove all my info after downloading the games though
  252. [user12] that is just psn not the store
  253. [user12] they are running linux 2.6.9-2.6.24 on that box too
  254. [user12] that too is old
  255. [user2] lol @ buying on store
  256. [user11] yes, but their general attitude towards security just seems…ugh
  257. [user2] sony wont misuse the info i bet xD
  258. [user2] but just prevent using cfw’s of unknown ppl
  259. [user2] even better from ALL ppl
  260. [user2] make ur own lol
  261. [user12] so I doubt that they are spoofing the network stack on that box as well
  262. [user12] my guess is that it really is undermaintained “it works why change anything”
  263. [user2] could be
  264. [user12] sony really should update that stuff to something more current
  265. [user2] ya
  266. [user2] but imagine
  267. [user2] psn == 45 environments
  268. [user2] and for example
  269. [user2] every env has 50 subdomains
  270. [user2] to external machines
  271. [user2] its rly rly huge
  272. [user2] who wants to do this xD
  273. [user2] ppl r lazy
  274. [user2] wont change
RAW Paste Data Copied