I wanted to discuss with you guys some ideas I have that just might be what we need in order to finally run homebrew on the PS3, but I wanted to do it over IRC, but it seems the public channel is now invite only, so I'm forced into posting it here.
Anyways, here's the story:
I've just recently discovered http://ps4news.com/subdomain.php?pagename=psn and it's a great idea.. but then I saw the "does not work with 2.42+", and I thought "it doesn't make sense, if you reimplement the PSN store through a proxy, there is no reason for it not to work", so I used some ARP poisoning and did some sniffing... it turns out that the PS3Proxy doesn't reimplement the PSN store, it just hijacks HTTP requests to the specific pkg file, while the whole PSN store uses HTTPS... yep, that's a bit harder to spoof.
Next step was to use ettercap with SSL man in the middle attack (MitM) which obviously failed with expected results, the SSL certificate is not 'correct'... so yes, of course the PS3 checks the certificate, but how does it do it? My guess was simply that they had the PSN's certificate signed by a Sony certificate authority, and that the OS has Sony's certificate and it checks whether it's the same or not.. I took a look at the certificate sent by the PSN, and it seems to be indeed a certificate signed by Sony (SCEI DNAS Root 05).
Next idea that came to my mind is : if the certificate is stored in the OS, we simply need to replace it with our certificate, then we can spoof with an SSL MitM attack using a certificate signed by our own CA... then when the PSN app tries to validate the certificate, it will find it valid.. yeah, cool, now how do we access that file and modify it. A few ideas came to my mind:
1 - it appears from a ps3news post that all (most) the firmware is now on the disk, and not on the flash, so we could try to access it from the HDD and modify it from there.. yeah, cool, but after some research the HDD FS is probably an encrypted JFS, so it won't be easy to do that... (unless you guys have already figured out a way to access the FS, and kept that info secret)
2 - These latest news with the ECC algo RE-ed, it means that you could modify some files, that's great news, but which ones, that's the question... You were also saying that it was about flashing, so I still don't really get it, since I thought all the OS is in the HDD, not the flash (well, apart from what I suppose is the kernel). So anyways, I lack info from that side, so that's why I needed to talk to you guys over IRC, to get these things clear.
3 - Access with the browser a https://ip.of.our.pc/ which would tell us the certificate is not valid, then have it 'accept/install' the certificate, maybe our own certificate would then get automatically stored as a 'recognized certificate authority' and the PSN store would get affected by that... This is easy to test, but I just didn't do it...
Either way, we would need to replace the sony certificate from the OS FW... the HDD method would be the simplest for customers (replace disk, run app to 'patch it', done) but probably the hardest to do for ps3 devs because of lack of info/encryption/etc..., the second one would be the hardest for customers (use infectus chip, dump, modify, flash) but the easiest for ps3 devs since you guys already do that stuff... The third idea is obviously the easiest for all (go to this page, click accept, done). but it might not work, and it obviously would be easy to fix with a FW upgrade.
Anyways, once we replace the certificate authority from Sony to our own CA, we can sniff, reimplement the PSN store server, where we could send our own categories, our own releases, with the data from our own pkg files, and provide those pkg directly to the ps3, we could also send that little 'activation' packet needed to install those full games without buying them, etc... We could also enhance the psn spoof to do real PSN requests and just 'add' stuff to it, instead of having only a 'local psn store' (which would provide the pkg files we have on our PC, as well as the original data from the real PSN store).
I'm pretty sure all communications are done with XML (possibly SOAP?), so merging the official PSN with our own local PSN would be easy, either way, it's URL is https://nsx.sec.np.dl.playstation.net/ for authentification probably (SecServer?) and the PSN is I think https://v04.cdn.update.playstation.org/
All this got me thinking a bit more.. once we can replace the Sony certificate for the PSN store, we can probably do the exact same for games... I'm sure that the SELF files that are signed by Sony are just ELF signed with a specific private certificate with its public part being stored on the PS3.. well, if we could modify that certificate too (might be the same), we could then quite easily create homebrew apps, then just sign those apps with our own certificate that is now stored on the PS3...
While thinking about all this, I started reverse engineering the PKG file format (it would be a nice way to provide those homebrew apps.. you just .pkg them, put them in your PC's "PS3PKG" folder and let the "PSNSpoof" app find it automatically, you then just go to the psn store, and download it from there...). But it looks compressed/encrypted, I found a few interesting fields about the header/footer, but then I found a post in ps3dev (thanks to google, 'cause I can't access the dev forums :@) that pretty much shows the same thing that I found... and then the thread died...
Later, I found this : http://www.ps4news.com/PS3Dev/A_Peek..._PS3_PKG_file/
This is great news! Even though the app that did this was just a ps3 test/debug utility, it is still good to know that we do have a binary file that can extract a pkg.. if you guys could send me that file, I can take a look inside it and try to RE the algo/encryption/etc...
And my final idea, was that, we may not need an iso loader.. although we can.. maybe we can just extract the iso files and repackage them into a pkg.. put in PSNSpoof and have them install/run! If there's security checks in the SELF itself to see if it runs from the disk, then an ISO loader could be used.. signed by our magic replacement certificate... Either way I think the most important part is the PARAM.SFO, which is already included in the .pkg...
What do you guys think, and can you please give me all the answers I need? Is this doable, any issue with anything I said? Can you explain to me a bit more the issue of the flash and the OS being on the HDD, and the ECC thing, which files can we access and which ones can be modified.. what is the structure of this thing...
If you need help, or need me to look a bit more into any of this, feel free to write me!
Thanks a lot, and sorry for this huge post!