May 31, 2013 // 9:28 pm
Today French PlayStation 3 developer sazerty and tester hijam have made available PSN Tool v1.0 and PSN Tool Creator v1.0 to combat PSN bans alongside multiMAN Base CEX Stealth XMB 30/04/00 by Hijam and multiMAN Base CEX Stealth SingStar 04.40.00 by Arch with details below.
Download: PSN Tool v1.0 (Password: ps3gunz) / PSN Tool v1.0 (Mirror) / PSN Tool Creator v1.0 (Password: sazerty) / PSN Tool Creator v1.0 by SAZERTY (Mirror) / PSN Tool v1.0 & PSN Tool Creator v1.0 (Mirror) / PSN Tool v1.0 & PSN Tool Creator v1.0 (Mirror #2) / multiMAN Base CEX Stealth XMB 30/04/00 by Hijam / multiMAN Base CEX Stealth SingStar 04.40.00 by Arch / PSN Tool File Pack Mirror (Contains PSN Tool v1.0, PSN Tool Creator v1.0 by SAZERTY and multiMAN Base CEX Stealth XMB 30/04/00 by Hijam) / PSN Tool v1.0 (Italian) / PSN Tool v1.0 for Rogero 4.30 v2.05 / PS_Unban (6/2/2013) / PS UnBan v6.1 Full HD By Megago.rar / PS UnBan v6.1 FIX Blackscreen By Megago.rar
To quote, roughly translated:
About PSN Tool v1.0: The homebrew is primarily used to hedge against the banishment in CFW!
Changelog: v1.0 - First Release:
- FEATURE: Allows to 'clean' your CFW, i.e. to temporarily remove the Peek & Poke syscall. This for now specifically allows you to play Call Of Duty: Black Ops II without automatic ban, because your system is regarded as OFW without these syscalls. We tested the game for over a month, and not ban to this day, you can enjoy ^^
- FEATURE: Makes your loaded backup (dev_bddvd) read-only, with 555 permissions to make an Original Backup. Also removes files created by multiMAN which normally should not be present.
- FEATURE: Allows to delete the folders 'suspect' in the eyes of sony on your hdd, i.e. tmp, game_debug, PKG, packages, "GAMES" if it is empty (otherwise you'll get an error, it is recommended to use "my version" of multiMAN or manually edit the file options.ini mm), crash_report, home/reActSys.key, vsh and the browser history. The files PKG and packages will be removed only if they are empty. Attention, this removes however Multiman Stealth version 'Toolbox' on the CFW Rogero. We invite you to use my multiMAN Stealth (link at the bottom of page) or that of Arch!
- FEATURE: Allows to change temporarily ConsoleID, as does PSIDPATCH pressing [Select]
- FEATURE: Allows to change temporarily MAC address by pressing [X], for not getting "roasting" its current MAC address
- FEATURE: Allows to change temporarily PSID, as does PSIDPATCH pressing [O]
Bugs to Fix:
- When using a backup located externally, the application freeze when the clean automatic ([Start]). This is due to the application of the permissions. To still take advantage of the clean the syscall (Ram) and the HDD, use the keys [L1] then [R1]
- When using on cfw 4.40, the kernel named "Mírala Tijera" instead of your current kernel. There is also a black screen wanting spoofer MAC (to confirm!) address. We therefore advise you to Rebug 4.30 or Arch 4.31
- Rebug 4.30.2 REX (mode CEX at DEX)
- Rebug 4.30.2 D- REX
- Arch 4.31 (for CFW SGK not yet test)
CFW 4.40 are subject to the bug/freeze and are therefore to be avoided. For the "creation" of this homebrew (Yes it is you who will create it) we offer two methods.
Method Easy (recommended):
We present PSN Tool Creator v1.0 by SAZERTY to automate the creation of the pkg!
1. Place your psn (demo) game in the pkg file supplied with the appliance
2. Press ok and then [Enter] If you agree with the conditions
3. Select your pkg by typing its number in the list
4. Type (copy / paste) your consoleID (IDPS) (32 chars.) or press [Enter] to use your IDPS original
5. Press [R] to generate a random MAC address for the spoofer or [Enter] to use the original. Alternatively, you can type it manually (12 chars.)
6. Press [r] to generate a random PSID for the spoofer or [Enter] to use the original. Alternatively, you can type it manually (32 chars.)
7. Press [y] to save a copy of your IDs in a text file or [n] to do nothing
8. Press on [y] to give a name to your homebrew on the xmb. If you type [n], the homebrew will be the name of your game psn (demo)
9. Your pkg and your file containing your id if you created one will be in the main folder.
Tutorial of use (to follow to the letter!)
- [X] to spoof the MAC address
- [Select] to spoof the ConsoleID
- [O] to spoof the PSID
- [Start] to perform a full clean system (RAM, HDD, BDDVD ..)
- [L1] for cleaner Ram (syscalls)
- [R1] for cleaner HDD (folders)
- [R2] for the cleaner BDDVD (permissions, files, .. BUG with external backups)
-  to return to CFW mode (restart)
- [/ \] to exit
Tutorial of use (to follow to the letter!):
1. Start the homebrew
2. Press [X] to spoof your MAC address (and nothing else because the PS3 then does a LV2 Soft Reset, which will void your spoofs or remove potential syscalls!)
3. The LV2 is restarted and the new MAC address is active
4. Load your backup with multiMAN, it is very recommended to disable "Redirection of app/home" because it's not stealth! (if you have a HS bad drivetant at your own risk!)
5. Return to the homebrew, there you can do all operations so change ConsoleID (only if you have registered a valid in the eboot.elf!), PSID and make a clean complete by pressing [Start]. As stated above for the games in usb due to bug you won't use the clean 'complete' automatic. Will need you to manually press [R1] then [L1] to do "cleaner" than the HDD and syscalls.
6. You can optionally verify that all went well by pressing the arrow on the top of your controller to make a check, but it is optional.
7. Exit by pressing on [/ \] and enjoy the SEN/PSN with your Backup by starting it from the BR icon ^^
: When we clean the syscall ([Start] or [R1]), you can no longer load games with multiMAN, change MAC address, of ConsoleID,... in short everything that is not "OFW", for this you will need to restart the console or return to the homebrew and press  Attention if you load multiMAN when even after doing a clean emulation BD will be disabled because your system will be considered as OFW by mm! (Just re-enable the option at the end of the parameters of mm to fix the problem) There is simply an order to follow when you want to do some tasks
For example, suppose I want to change my MAC address: if I press [Start] (or [L1]) for cleaner syscall then the application will not be able to change my mac address because they are needed. So, I will be forced to rely on  or restart.
A sample.pkg file re-signed with the Sky Fighter game was included in the archive. It is in fact the homebrew but with a ConsoleID, PSID and empty MAC address. It can be used for testing purposes (spoofer failed anything with this pkg) tutorials above are also present. Even if there is more automatic ban and the risk is very low because the functions of clean/spoof zero risk does not exist, if you follow the tutorial you are solely responsible for the consequences that can follow.
Regarding multiMAN BASE CEX Stealth XMB 30/04/00 by Hijam: Note that you will need to rename the "GAMES" folders that contain your backups in "Games" by the File Manager by multiMAN once installed to see your games with my version! (Additional security)
Finally, from hijam: Hi, I'm hijam, the 1st tester of this soft working with the french dev on ps3gunz.. The info remains one month on our french site.. Now it's public, use it with caution... I will just say to all that no updates are scheduled until the dev will get free time.
As you will see only the cfw we tested are supported: rebug 4.30.2 CEX and DEX and Arch 4.31 CEX. Not rogero and latest 4.41 cfw sorry.. (some bug/freeze on 4.40 .. 4.41 lv2 not implemented yet) the dev of this and almost all the users in our french forum use the 4.30.2 with the spoofer.. It's more secure if you use an other idps.. enjoy
No ban happened since 2 months of testing but if you're banned it's your own responsibility.. no system is perfect.. At the start it was only for us, but a little search will not harm you, visit our forum Ps3GunZ for the ORIGINAL post in french... the password is the one we use for backups...
The "Creator" have not the same psw, it's sazerty but for the tool it's not this one.. and also visit the post on NGU (copy not by me) for more info in english if you can't read french.. Hijam from GunZ... But in reality there is another bug: you can't use it on a low resolution screen (SD).. and as you can see they forgot the translation of the method 2 "manual" with the elf in main rar. If you follow the tutorial for the usage to the letter, everything will be fine..
First spoof mac at the start of the ps3, then do all your CFW things, load your backup with "my" stealth mm or a resigned one, and then at the end reopen the tool and spoof your idps, psid and do a full clean (or l1/r1 if your backup is external due to the permissions bug..)
Have a look at my original post if you can read french and improve this one in English.. I've not really the time for this now.
PS: I don't think the mm of arch is completely stealth because the version of actual SingStar and the one in the SFO are not the same and please don't quote SGK they have nothing to do with us!
With these releases, the holders of the CFW will be able to regain access to the Sony PlayStation Network if they had been banned.
PS_Unban is a homebrew that allows you to remove the ban on PlayStation 3 with Custom Firmware, in a few easy steps. We remind you that through this, people who do not have an account banned can access using always the same PSN ID.
Attention: Please note that to make it last as much time as possible, it is essential to avoid Call of Duty (all chapters), and if a game required a pass, please buy it and do not use pass fakes!
- Install spoof to 4:41 if you're on different cfw
- Transfer the pkg onto a key or a hard disk formatted in FAT32
- Install this file by using the "install package files" on your PS3
- Start your backup manager and choose the game of your interest
- Click PS_Unban and start it
- Press X if you are on 4.21, Start if you are on 3.55, or O (circle) if you are on 4.31
- Create a new PSN ID (if your account is banned)
- Now start the game directly via XBMC and log in with your PSN ID
What is possible:
- Allows you to play online on PSN
- Allows you to interact online with other PSN users
- Access to the PlayStation Plus
- Access to the PlayStation Store
- Access to the PlayStation Home
Finally, in related news from Flat_z on PS3 PSN console bans:
Hi, guys. Several days ago I've worked on the SSL traffic decryption used in communication with PSN and have got some interesting information regarding the way how can Sony determine consoles with non original console ID. Well, it is just a theory but the principle laid in it can be used to ban your spoofed console with 100% probability.
So my words can be read as "If I worked at Sony, I would use this information for banning people". A new algorithm will show you that buying another console ID to use with your console is not safe anymore and I think that all purchased console IDs will be useless soon. Okay, let's start.
On October 23rd, 2012, Sony released a new firmware for PlayStation 3 (version 4.30) which includes only a few changes if you've read its changelog. But now I know that they have introduced a new hidden feature which allows them to determine if you are a legal user or not.
It is compared with the code which some games like "Call of Duty" use to tell Sony that you are using a custom firmware. Sony did some changes to the algorithm for PSN authorization. You can remember that they use PSN passphrase to log into their network and you also should know that they are sending your console ID in a HTTP query. And now they use two passphrases; a new passphrase is encoded with base64 and is sent via custom HTTP header ("X-I-5-Passphrase"). If you try to decode it then you'll see that it has a size of 512 bytes which look like random data.
It is encrypted per console data and it is different each time you log into a network. It includes a random header, your user ID, console ID, two ECDSA signatures from the first section of EID0 (I remind you that the first ECDSA signature used at lv1ldr to check if your console is converted from CEX to DEX manually which causes a brick) and account ID. Besides that, data is hashed with SHA-256 algorithm and encrypted with AES-128-CBC. Using random header and CBC mode of operation gives them an unique passphrase each time.
Now Sony can use the following simple algorithm on their server to check your console's legality:
1. Compare console ID stored in the HTTP GET request with the console ID stored inside the passphrase;
2. Validate two ECDSA signatures;
3. If steps above are okay then your console ID is legal.
They didn't make a mistake in ECDSA signature computation for EID0 so we are unable to get a private key to generate custom signatures. But if you have access to the EID root key and EID0 section of another console then you can decrypt its EID0 and grab all necessary data from it.
In such case you can generate a spoofed passphrase but you need some sort of runtime memory patching to replace original passphrase with the new one. Or you can try to replace signatures and console ID inside decrypted EID0 section of your console and then encrypt it back. But I doubt that any purchased console IDs came with EID root key.
The last thing I want to talk about is does Sony actually use this method at the moment or they are waiting for something? Maybe they collect all information and will start to ban people in the future? I don't know and I doubt that someone else knows about it. For example, they can use this method and start to ban people when they are playing some games after several days/weeks/months, etc.
: Today I've received a private message about SSL traffic decryption so I've decided to write here if someone want to ask me again.
In a past time we used a method with custom certificates (if I remember correctly this trick was used in FckPSN, for example). We could create a custom certificate with known private/public key pair and then replace existing certificate with ours. After that console will start using our keys to encrypt all traffic, so we can easily decrypt it on the PC.
But in latest firmwares (4.xx or later) Sony have started to hash their certificates with SHA-1 and these hashes are stored inside vsh.elf and libssl.prx (so you can compute hash from any certificate and try to find it there). Besides that, I think they check parameters of certificate (for example, serial numbers, owner, etc) but I didn't look at this part.
My method is slightly different, I've created a payload for dumping premaster secret (PMS) of any SSL section (random bytes which are used later to generate a bunch of keys) from VSH's memory directly. Then I've written a script to generate the master secret (MS) using client and server randoms and premaster secret. After that you can use a packet analyzer (like Wireshark) to decrypt sniffed data using generated master key.
Such method is applicable for decryption of the game's traffic.
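The three-step server-side check from the quoted post, as an added sketch that is not part of the original post and not Sony's code. The token layout, `FACTORY_KEY` and all function names are constructed for illustration; HMAC-SHA256 stands in for the two ECDSA signatures, and the AES-128-CBC layer is left out so the block runs on the Python standard library alone.

```python
import base64, hashlib, hmac, os

# Constructed layout for this example only (not the real passphrase format):
#   16-byte random header | 16-byte console ID | 32-byte identity tag
HEADER_LEN, ID_LEN, TAG_LEN = 16, 16, 32
# Stand-in for the manufacturer's signing key (assumption). The post describes
# ECDSA signatures from EID0; HMAC is used here only to stay in the stdlib.
FACTORY_KEY = b"constructed-demo-key"
GENUINE_ID = bytes(range(16))      # constructed sample console IDs
OTHER_ID = bytes(range(16, 32))

def identity_tag(console_id: bytes) -> bytes:
    """Factory-issued proof that this console ID is genuine (HMAC stand-in)."""
    return hmac.new(FACTORY_KEY, console_id, hashlib.sha256).digest()

def make_passphrase(console_id: bytes) -> str:
    """What a device would send: fresh random header plus its signed identity."""
    blob = os.urandom(HEADER_LEN) + console_id + identity_tag(console_id)
    return base64.b64encode(blob).decode()

def check_login(query_console_id_hex: str, passphrase_b64: str) -> str:
    """Apply the post's three steps to one login attempt."""
    try:
        claimed = bytes.fromhex(query_console_id_hex)
        blob = base64.b64decode(passphrase_b64, validate=True)
    except ValueError:             # bad hex or bad base64
        return "reject: malformed"
    if len(claimed) != ID_LEN or len(blob) != HEADER_LEN + ID_LEN + TAG_LEN:
        return "reject: malformed"
    embedded = blob[HEADER_LEN:HEADER_LEN + ID_LEN]
    tag = blob[HEADER_LEN + ID_LEN:]
    # Step 1: the ID in the request must equal the ID inside the passphrase.
    if not hmac.compare_digest(claimed, embedded):
        return "reject: console ID mismatch"
    # Step 2: the embedded ID must carry a valid factory signature.
    if not hmac.compare_digest(tag, identity_tag(embedded)):
        return "reject: bad signature"
    # Step 3: both checks passed, so the console ID is treated as legitimate.
    return "accept"

if __name__ == "__main__":
    token = make_passphrase(GENUINE_ID)
    print(check_login(GENUINE_ID.hex(), token))   # ID and token agree
    print(check_login(OTHER_ID.hex(), token))     # request claims another ID
```

Because the header is random, two passphrases for the same console differ, yet both verify; a request whose claimed ID differs from the signed one fails at step 1 regardless of what the client reports elsewhere.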