Thread: Possible hack?
10-11-2008 #1 kakarotoks Guest
Possible hack?
I wanted to discuss with you guys some ideas I have that just might be what we need in order to finally run homebrew on the PS3. I wanted to do it over IRC, but it seems the public channel is now invite-only, so I'm forced into posting it here.
Anyways, here's the story:
I've just recently discovered http://ps4news.com/subdomain.php?pagename=psn and it's a great idea... but then I saw the "does not work with 2.42+", and I thought "it doesn't make sense; if you reimplement the PSN store through a proxy, there is no reason for it not to work", so I used some ARP poisoning and did some sniffing... It turns out that PS3Proxy doesn't reimplement the PSN store, it just hijacks HTTP requests for the specific pkg file, while the whole PSN store uses HTTPS... yep, that's a bit harder to spoof.
Next step was to use ettercap with an SSL man-in-the-middle attack (MitM), which obviously failed with the expected result: the SSL certificate is not 'correct'... so yes, of course the PS3 checks the certificate, but how does it do it? My guess was simply that they had the PSN's certificate signed by a Sony certificate authority, and that the OS has Sony's certificate and checks whether it's the same or not. I took a look at the certificate sent by the PSN, and it seems to be indeed a certificate signed by Sony (SCEI DNAS Root 05).
Next idea that came to my mind is: if the certificate is stored in the OS, we simply need to replace it with our certificate, then we can spoof with an SSL MitM attack using a certificate signed by our own CA... then when the PSN app tries to validate the certificate, it will find it valid. Yeah, cool, now how do we access that file and modify it? A few ideas came to my mind:
1 - It appears from a ps3news post that all (most) of the firmware is now on the disk, and not on the flash, so we could try to access it from the HDD and modify it from there... yeah, cool, but after some research the HDD FS is probably an encrypted JFS, so it won't be easy to do that... (unless you guys have already figured out a way to access the FS, and kept that info secret)
2 - With the latest news of the ECC algo being RE-ed, it means that you could modify some files; that's great news, but which ones, that's the question... You were also saying that it was about flashing, so I still don't really get it, since I thought all the OS is on the HDD, not the flash (well, apart from what I suppose is the kernel). So anyway, I lack info on that side, which is why I needed to talk to you guys over IRC, to get these things clear.
3 - Access with the browser an https://ip.of.our.pc/ which would tell us the certificate is not valid, then have it 'accept/install' the certificate; maybe our own certificate would then get automatically stored as a 'recognized certificate authority' and the PSN store would be affected by that... This is easy to test, but I just didn't do it...
Either way, we would need to replace the Sony certificate in the OS FW... the HDD method would be the simplest for customers (replace disk, run app to 'patch it', done) but probably the hardest to do for PS3 devs because of lack of info/encryption/etc..., the second one would be the hardest for customers (use Infectus chip, dump, modify, flash) but the easiest for PS3 devs since you guys already do that stuff... The third idea is obviously the easiest for all (go to this page, click accept, done), but it might not work, and it obviously would be easy to fix with a FW upgrade.
Anyway, once we replace the certificate authority from Sony's to our own CA, we can sniff, reimplement the PSN store server, where we could send our own categories, our own releases, with the data from our own pkg files, and provide those pkg files directly to the PS3; we could also send that little 'activation' packet needed to install those full games without buying them, etc... We could also enhance the PSN spoof to do real PSN requests and just 'add' stuff to it, instead of having only a 'local PSN store' (which would provide the pkg files we have on our PC, as well as the original data from the real PSN store).
I'm pretty sure all communications are done with XML (possibly SOAP?), so merging the official PSN with our own local PSN would be easy. Either way, its URL is https://nsx.sec.np.dl.playstation.net/ for authentication probably (SecServer?) and the PSN is I think https://v04.cdn.update.playstation.org/
All this got me thinking a bit more... once we can replace the Sony certificate for the PSN store, we can probably do the exact same for games... I'm sure that the SELF files that are signed by Sony are just ELFs signed with a specific private certificate, with its public part being stored on the PS3... well, if we could modify that certificate too (might be the same), we could then quite easily create homebrew apps, then just sign those apps with our own certificate that is now stored on the PS3...
While thinking about all this, I started reverse engineering the PKG file format (it would be a nice way to provide those homebrew apps... you just .pkg them, put them in your PC's "PS3PKG" folder and let the "PSNSpoof" app find it automatically, then you just go to the PSN store and download it from there...). But it looks compressed/encrypted; I found a few interesting fields about the header/footer, but then I found a post in ps3dev (thanks to Google, 'cause I can't access the dev forums :@) that pretty much shows the same thing that I found... and then the thread died...
Later, I found this : http://www.ps4news.com/PS3Dev/A_Peek..._PS3_PKG_file/
This is great news! Even though the app that did this was just a PS3 test/debug utility, it is still good to know that we do have a binary file that can extract a pkg... if you guys could send me that file, I can take a look inside it and try to RE the algo/encryption/etc...
And my final idea was that we may not need an ISO loader... although we can... maybe we can just extract the ISO files and repackage them into a pkg, put it in PSNSpoof and have them install/run! If there are security checks in the SELF itself to see if it runs from the disc, then an ISO loader could be used... signed by our magic replacement certificate... Either way I think the most important part is the PARAM.SFO, which is already included in the .pkg...
What do you guys think, and can you please give me all the answers I need? Is this doable, any issue with anything I said? Can you explain to me a bit more the issue of the flash and the OS being on the HDD, and the ECC thing, which files we can access and which ones can be modified... what is the structure of this thing...
If you need help, or need me to look a bit more into any of this, feel free to write me!
Thanks a lot, and sorry for this huge post!
10-12-2008 #2 BrenoFerreira Guest
10-12-2008 #3 kakarotoks Guest
A little update... I just had some time to have a look at the third option, and as expected, the browser doesn't allow you to "install"/"permanently accept" a certificate from a website... so that option is not available to us anymore (it would have been way too easy... where's the fun then, huh?).
So anyway, I'm still waiting for my answers... to summarize: if we can replace the Sony certificate on the flash, will it allow us to spoof the PSN store with a man-in-the-middle attack (which would allow downloading/installing/activating the pkg downloads from PSN), and will it also allow us to sign our ELF with our own certificate in order to run homebrew (assuming we can recreate a .pkg file)?
I just hope that the sony certificate is easily accessible (on the FW, not on some separate ROM somewhere) and that an infectus chip will allow us to change it and that changing it won't screw up something other than the ECC which we can fix already.
10-12-2008 #4 Tosztoc Guest
- run PS3 Proxy server and configure it
- next, for example: go to the PSN Store and download the Fracture demo (select downloading in background)
- next, exit the PSN store and pause your download in the download list on the PS3
- in the logs of the PS3 proxy server you can see the link to the Fracture demo:
- so you can download this file to your PC via HTTP
- when the file is on your PC, go to "Replace files" and in the first column paste the link:
...and in the second column select the file from your PC; in this situation it is:
owJvpeeVVKev0yqFyWLeNWqm4e41W2yECfN1HoVjAhdPjWiBT2rHQicKSHwfl0rX6uigDcSQ5vxEENMJsRwG9JNFmw0sXcE8aAtrv.pkg
- go to Logs and "resume" the download in your PS3 download list; you should see something like this:
[16:13:12] http://zeus.dl.playstation.net/cdn/E...087&country=pl -> D:\Playstation3_Demos\Fracture\owJvpeeVVKev0yqFyWLeNWqm4e41W2yECfN1HoVjAhdPjWiBT2rHQicKSHwfl0rX6uigDcSQ5vxEENMJsRwG9JNFmw0sXcE8aAtrv.pkg
- when the demo downloads from your PC to the PS3 via the PS3 proxy server, you should be able to install it without problems
Someone asks why to do this??:
- if you have more than one console, you don't have to download the same demo two or more times - you save your bandwidth
- if you have a low-bandwidth connection, you can go to a friend with high bandwidth and download it on his PC, copy it to a pendrive and then install it on your PS3 - you save your time and the life of your PS3, because it doesn't have to be powered up for, say, 10 hours just to download a demo
- there are other similar examples... you do what you want to do
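A worked version of the "Replace files" step from the procedure above, added here as an example; it is not PS3 Proxy's code and not from the thread. It implements the one mechanism the procedure relies on: a plain-HTTP proxy that answers a request for one exact download URL from a local file and forwards every other request untouched, logging each decision in the `[hh:mm:ss] url -> target` shape shown in the post. The download URL, the package bytes and the upstream server are constructed stand-ins (the real links are long signed CDN URLs like the one in the log line above, and a real .pkg is Sony-encrypted data that the proxy never modifies). The Range handling reflects how an HTTP download client generally resumes a paused transfer; the thread does not say what the PS3's own downloader sends, so that part is an assumption.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// demoURL is a hypothetical link; the real ones are long signed CDN URLs on this host.
const demoURL = "http://zeus.dl.playstation.net/cdn/example/demo.pkg"

// Replacer is the "Replace files" table as a proxy handler: a request for an
// exact URL is answered from a local file, everything else goes upstream.
type Replacer struct {
	Files    map[string]string // full request URL -> local file path
	Upstream http.RoundTripper // used for every URL not in Files
	Log      io.Writer         // one "[hh:mm:ss] url -> target" line per request
}

func (p *Replacer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	key := req.URL.String() // absolute URL, as a proxy receives it
	stamp := time.Now().Format("[15:04:05]")
	if local, ok := p.Files[key]; ok {
		fmt.Fprintf(p.Log, "%s %s -> %s\n", stamp, key, local)
		// ServeFile answers Range requests, so a download paused on the
		// console and resumed later continues from the right offset.
		http.ServeFile(w, req, local)
		return
	}
	fmt.Fprintf(p.Log, "%s %s -> upstream\n", stamp, key)
	out := req.Clone(req.Context())
	out.RequestURI = "" // client transports refuse a request with this set
	resp, err := p.Upstream.RoundTrip(out)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	for k, vs := range resp.Header {
		for _, v := range vs {
			w.Header().Add(k, v)
		}
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// DemoResult is what the three requests in Demo came back with.
type DemoResult struct {
	ReplacedStatus, RangeStatus, UpstreamStatus int
	ReplacedBody, RangeBody, UpstreamBody       string
	LogLines                                    int
}

// Demo exercises the proxy entirely offline: a constructed stand-in .pkg on
// disk, an in-process upstream server, and three requests through the handler.
func Demo() (DemoResult, error) {
	var r DemoResult
	dir, err := os.MkdirTemp("", "ps3proxy")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)
	local := filepath.Join(dir, "demo.pkg") // constructed bytes, not a real package
	if err := os.WriteFile(local, []byte("PKG:constructed-demo-bytes"), 0o600); err != nil {
		return r, err
	}
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, q *http.Request) {
		fmt.Fprintf(w, "upstream served %s", q.URL.Path)
	}))
	defer upstream.Close()
	var log strings.Builder
	proxy := &Replacer{Files: map[string]string{demoURL: local}, Upstream: http.DefaultTransport, Log: &log}
	send := func(rawURL, byteRange string) (int, string) {
		req := httptest.NewRequest("GET", rawURL, nil)
		if byteRange != "" {
			req.Header.Set("Range", byteRange)
		}
		rec := httptest.NewRecorder()
		proxy.ServeHTTP(rec, req)
		return rec.Code, rec.Body.String()
	}
	r.ReplacedStatus, r.ReplacedBody = send(demoURL, "")
	r.RangeStatus, r.RangeBody = send(demoURL, "bytes=4-")
	r.UpstreamStatus, r.UpstreamBody = send(upstream.URL+"/cdn/other.pkg", "")
	r.LogLines = strings.Count(log.String(), "\n")
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Two things this makes concrete that the step list leaves implicit. The match is on the exact absolute URL, which is why the procedure has you copy the link out of the proxy log rather than type it: a signed CDN link with a query string differs by one character from the next. And because the replacement works at the HTTP layer only, it is exactly the kind of substitution the first post found impossible against the HTTPS store pages; the proxy never sees inside a TLS session.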
10-12-2008 #5 kakarotoks Guest
I know all that, and although your post is instructive, it is completely unrelated to everything I said. I don't care about saving my bandwidth or keeping my downloads on my pc, etc... I'm talking here about a possible hack. In all my huge post, you quoted one line and forgot all the rest
anyways... CJPC, NDT, hacked2123, PS3news, any devs around here who would want to answer me ?
10-12-2008 #6 hacked2123 Guest
I have someone getting me something for DEMO PS3 unit's that might shine some more light on the topic, but... the future is very dim for this method... sorry.
10-12-2008 #7 kakarotoks Guest
Thanks for taking the time to read and answer my post!
Don't worry, I know my ideas aren't of the "Just Works" type, and I'm not arrogant enough to think I've come up with the solution that no one ever thought of (especially considering my almost NULL PS3 knowledge), but I just had those ideas and was curious about the feasibility of this.
I see why you think it's the "little picture" rather than the "large picture", and I agree.. the first step of doing the PSN spoofing thing would only allow us to install pkg files (full games..) without the need of actually buying them, which is a hack in itself but not the one we really want.
But my idea was that it could be enhanced.. if we can modify one certificate, then we can modify two certificates, or even 100 certificates if we need to... ! So the 'big picture' could just be a rephrase of my first post into "how about we create a homebrew app, sign it with our certificate and replace sony's certificate so that the PS3 thinks the SELF has a valid signature.."
I didn't really understand what you said about the activation certificate of the pkg files... For the existing pkgs, they won't be modified, so the signature/validation/whatever in the pkg will still be valid since it won't be tampered with.. The reason why it doesn't activate is probably because the PSN Store writes the name of the package (0x30 to 0x5F in the .pkg) in some file somewhere on the system, because you can download a pkg with PS3Proxy, you try to install it, it fails.. then if you 'download' it from the PSN store (actually, you don't download it, you just click 'download' so it can purchase it), then you try to install that first pkg file you had and it works.. so I'm guessing the PSN store writes on the disk something that tells it which pkg files are authorized to be unpacked... and that's easy to spoof!
About creating our own retail pkg files, I don't see the problem in there, as long as we reverse engineer the algorithm...
Assuming that the pkg has its own certificate, the SELF its own certificate, and the psn store for deploying the pkg has its own certificate, then we would just need to flash 3 certificate files instead of 1, it should still work...
Our homebrew app can then be anything, from a simple XTerm that would allow us to take a good look at the system, or a memory dumper or whatever you wish it to be, that would open up new doors for the 'larger picture'...
As I said, unless I missed something, the theory of this still holds true and it should be doable (assuming my hypotheses are correct). The only possible prevention to this that I might see is if the certificates are not on the flash nor the disk, but that they are actually on some separate ROM somewhere we don't know about.. or more generally, if the certificates are stored somewhere that we can't access/modify.
I hope someone knows whether it is possible or not!
oh, and by the way.. being able to write ANY application, SELF it, PKG it, and install it through PSN store.. that's pretty much a 'large picture' hack in itself, no ?
Of course, it would need some time, a lot of reverse engineering to go from little to large picture, but it's still a door we shouldn't shut (as long as I didn't miss anything of course).
Hope to hear from you soon!
10-12-2008 #8 CJPC Guest
Well, there are a few issues with your thoughts.
Namely, creating our own "REAL" retail packages just is not possible. We do not know the proper keys to do it, and attempting to crack it will take forever + 100 years.
As to changing the certificates, yes that is a great idea, however short of being able to decrypt/encrypt the HDD outside of the box, we would need the system popped open, and even after that, we would need at least Kernel permissions. Even on a PS3 TEST running in user mode we can not change any of these files, only view them - and we can't even view all of them!
On all systems the certs are stored inside the dev_flash; on older systems that's the actual flash, and on newer ones it is the HDD. The dev_flash filesystem on older PS3s, aside from containing all encrypted files, is also encrypted itself! So it makes things a tad difficult to change those specific files.
10-13-2008 #9 hacked2123 Guest
We've been down this path before... look up something like "warhawk cjpc" through the forum search... might give you what you wanted to see... we've gotten pretty far before.
10-13-2008 #10 kakarotoks Guest
I would really be interested in getting the code for ps3unpkgr, as I wish to RE it and see how it works; I want to see what the file structure of the pkg is, and how it extracts it, uncompresses it, decrypts it... Could you send me that file please?
Originally Posted by CJPC
Could you explain to me more about how this works? What can you do with the modchip: you can dump the flash, unscramble it, modify it, re-ECC it, reflash it, right? Which files are available to be modified? Which ones aren't? In the thread http://www.ps4news.com/forums/playst...ed-100980.html
you said:
Originally Posted by CJPC
Originally Posted by NDT
Originally Posted by CJPC
Originally Posted by hacked2123
The thing is... if it's really an encrypted file, we can't have it half encrypted and half non-encrypted; it would be all or nothing... unless the SELF has different sections, a .data and a .sdata or whatever... Can we read the header of the file correctly? I'm interested in looking into that... so if you have one of those SELF files, I'd like one to be sent to me!
Originally Posted by hacked2123
I found this here and downloaded the SCE from it: http://www.ps4news.com/forums/playst...ree-92785.html
I'll have a look at it once I get home!
Thanks guys for participating in my thread! I hope I'll get all my answers someday and we'll finally crack this monster!