New idea for multiple exploits..

[idone]

^^^^

Happens to me alot,.. it's just a hard reset, nothing to worry about.

[semitope]

could it be possible that the put a sort of password or key into each previous update that identifies the next update? Just include that somewhere in the update when it is made etc..

[ionbladez]

I've actually questioned this myself.
I'm thinking it's on a TIME/DATE basis.
Like they'd sign each update with the time/date created, then re-sign it with something else.

Either that or the other way around.

[footylad]

If you extract a PUP using PUP Extractor it has the date/time of creation of the pub and puts it on all file content i think it finds it from the HEX in the header of the PUP. Might be the wrong dates but it churns out dates and times which are normally Midnight and they are different dates for each pup. Just to look into but me personally thinks its likley to be something more like the encryption associated with PKG's...what ja ma call it....

Footylad

[MajorTruEvil]

sounds like it could work...

[Avanaboy]

sounds like it could work...

The BIG problem of ofw is that it is SIGNED !! and we don't know how re-sign it nor what is need to sign it

If a modified fw will be signed I think that the ps3 will 100% install it without problems ...

But remember : when you are installing a fw , you are writing on NAND ... so pay attention or you may brick you ps3 ...

P.S.: At the moment , I think , that the only way to brick a ps3 is writing bad files on the nands ....

I really hope that you find a way to downgrade

[ionbladez]

Well, not much thinking at all.
Obviously, we haven't thought that maybe $ony is using a proprietary encryption algorithm to sign their firmwares.

This is just a a guess though, but I know right now from an inside source that it is signed with the Firmware Version, and Creation Date, along with the COUNTRY and something else that was there. I don't know.

No one told me this, but I mean INSIDE SOURCE I mean the PS3 SSL connection monitor program I made.

Yes, I've managed to make something that can log all the requests from the PS3 HTTPS shit.

I've been working on it for a week, it's still not done yet.
But For the past month I've also been working on a way to GET THE PS3 PROXY METHOD TO WORK AGAIN!

It's frustrating, but I'm not giving up.
*.dl.playstation.net does not contain these files, instead each PS3 Demo/Game/Theme/etc,. is stored on an akadns server
I somehow managed to sniff that out from the ssl.

it's something like this::

https://http2337.storage.akadns.com/.filesomething75,45^234353465/crap/something.pkg.

I know it's under https, because http won't let anything connect. I've tried to get the PSN Store to load under firefox, also faking the Firefox useragent, etc.
That also works under HTTPS.

I now understand that the ps3 does in fact, not check the size of the file for the dl.playstation.net addresses. instead, checks some stupid server in the region, (cough: US=CHICAGO)
Somewhere....
I can say that much so far, but I know if I had a program to fake a WEBSITE ADDRESS IN A LOCAL NETWORK (which I cannot seem to find anymore), I'd be set and could release instructions on this.

But sadly I can only get Proxomitron to echo all file requests.
The only things I can "hack" with that is the Firmware check update shit, and also my Infoboard.
Downloading the files from the akadns server itself requires authentication.
OR, The request FROM dl.playstation.net..
I'm still working HARD on this, I know it can be done.
My PS3 Firmware is still 2.60, and I know there is a way.

Anyways I'll try to keep everyone posted.

Speaking of an address emulator, I do remember seeing such a program a long time ago.
It lets you fake an internet address inside a local network.
Something like a re-direct, but not really.

Does anyone have this program? I forgot the name totally.

[ionbladez]

I've found out that the Packages from the PSN Store, ARE IN FACT, named with an encryption algorithm, it may be a standard one, or maybe belong to $ony.

That's probably how this "proxy method" was fixed;
I cannot catch any data from the PSN Store as it is sent to the ps3.
But I can tell you that the package NAMES and directories are all set up to match each other.

Also, I've managed to redirect "Life with Playstation", to the old "Folding@Home" package.

So now I have a Folding@Home icon, where my LWP should be.
It is installed, and displays, but for some reason logs me out then checks for an update..

I tried redirecting and sniffing the data from the server.
I got some URL info so I'll post what I found.

Packages of my interest:

Code:

http://djp01.ps3.download.playstatio...eu/fah/fah.pkg
http://djp01.ps3.download.playstatio...jp/lwp/lwp.pkg
http://dus01.ps3.download.playstatio...us/lwp/lwp.pkg
http://djp01.ps3.download.playstatio...jp/fah/fah.pkg

The "Life With Playstation" Update package:

Code:

b0.ww.np.dl.playstation.net/tppkg/np/NPIA00002/NPIA00002_T21/17e2ff397a3100f6/IP9100-NPIA00002_00-0000111122223333-A0100-V0100-PE.pkg?product=0084

A Demo package I "borrowed" from the PSN.PS3NEWS.COM Area, REDIRECTED, as I said in the last post:

Code:

http://http7233.storage.akadns.net/.7233,9033^256.1218507949./26597/cdn/UP0102/NPUB30022_00/N5nJRLJKpKC8g8NvNeDur9rFVWJU1uJaFeAFs2e2R1WMywLlOh50cgwRX8T8uT7KYKDxmkyNKIkvwHFJYdq7q5gYg7xCQWpQKO7Xe.pkg?product=0084&country=us

-------------------------
Now for some PACKET DATA

Code:

"777","672.861470","192.168.0.128","192.168.0.104","DPLAY","Unknown (0x7461): Unknown (0x7473)"

Code:

0000   00 1a 73 b1 43 66 00 1f a7 1e 50 e9 08 00 45 00  ..s.Cf....P...E.
0010   00 a9 ed 35 40 00 40 06 ca e0 c0 a8 00 80 c0 a8  ...5@.@.........
0020   00 68 d8 29 13 8b 6c c9 0e fe 97 3d 0e 4a 80 18  .h.)..l....=.J..
0030   ff ff 44 16 00 00 01 01 08 0a 00 00 00 00 00 8b  ..D.............
0040   dc 10 43 4f 4e 4e 45 43 54 20 61 30 2e 77 77 2e  ..CONNECT a0.ww.
0050   6e 70 2e 64 6c 2e 70 6c 61 79 73 74 61 74 69 6f  np.dl.playstatio
0060   6e 2e 6e 65 74 3a 34 34 33 20 48 54 54 50 2f 31  n.net:443 HTTP/1
0070   2e 31 0d 0a 48 6f 73 74 3a 20 61 30 2e 77 77 2e  .1..Host: a0.ww.
0080   6e 70 2e 64 6c 2e 70 6c 61 79 73 74 61 74 69 6f  np.dl.playstatio
0090   6e 2e 6e 65 74 0d 0a 50 72 6f 78 79 2d 43 6f 6e  n.net..Proxy-Con
00a0   6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c  nection: Keep-Al
00b0   69 76 65 0d 0a 0d 0a                             ive....

This one is a rather larger than normal packet, hard to believe it's just a cert:

If it DOES contain my login data, please don't steal it. I've already changed my password as of this post..

Code:

0000   00 1a 73 b1 43 66 00 22 b0 af ca 17 08 00 45 00  ..s.Cf."......E.
0010   04 55 a1 ba 40 00 34 06 5e 2e 60 06 21 a4 c0 a8  .U..@.4.^.`.!...
0020   00 68 01 bb e7 23 41 7f 87 6e 5b e9 30 dd 50 18  .h...#A..n[.0.P.
0030   16 d0 0e 6a 00 00 16 03 00 00 4a 02 00 00 46 03  ...j......J...F.
0040   00 4a 18 b4 44 6e a7 e4 bc 30 13 0d 21 71 36 19  .J..Dn...0..!q6.
0050   48 78 16 d0 e5 1a 84 6b 42 79 a6 1d 7f f0 72 e3  Hx.....kBy....r.
0060   42 20 9a ea 46 09 93 f5 f1 b9 c5 4d aa a8 4d fb  B ..F......M..M.
0070   f8 b0 f2 d6 0f ec 9a 45 8e af c3 6f 34 d9 b9 54  .......E...o4..T
0080   f4 b6 00 0a 00 16 03 00 03 d0 0b 00 03 cc 00 03  ................
0090   c9 00 03 c6 30 82 03 c2 30 82 02 aa a0 03 02 01  ....0...0.......
00a0   02 02 02 01 5a 30 0d 06 09 2a 86 48 86 f7 0d 01  ....Z0...*.H....
00b0   01 05 05 00 30 54 31 0b 30 09 06 03 55 04 06 13  ....0T1.0...U...
00c0   02 4a 50 31 29 30 27 06 03 55 04 0a 13 20 53 6f  .JP1)0'..U... So
00d0   6e 79 20 43 6f 6d 70 75 74 65 72 20 45 6e 74 65  ny Computer Ente
00e0   72 74 61 69 6e 6d 65 6e 74 20 49 6e 63 2e 31 1a  rtainment Inc.1.
00f0   30 18 06 03 55 04 03 13 11 53 43 45 49 20 44 4e  0...U....SCEI DN
0100   41 53 20 52 6f 6f 74 20 30 35 30 1e 17 0d 30 39  AS Root 050...09
0110   30 33 31 37 30 38 32 33 30 36 5a 17 0d 31 39 30  0317082306Z..190
0120   33 31 35 30 38 32 33 30 36 5a 30 81 a8 31 0b 30  315082306Z0..1.0
0130   09 06 03 55 04 06 13 02 4a 50 31 0e 30 0c 06 03  ...U....JP1.0...
0140   55 04 08 13 05 54 6f 6b 79 6f 31 12 30 10 06 03  U....Tokyo1.0...
0150   55 04 07 13 09 4d 69 6e 61 74 6f 2d 6b 75 31 29  U....Minato-ku1)
0160   30 27 06 03 55 04 0a 13 20 53 6f 6e 79 20 43 6f  0'..U... Sony Co
0170   6d 70 75 74 65 72 20 45 6e 74 65 72 74 61 69 6e  mputer Entertain
0180   6d 65 6e 74 20 49 6e 63 2e 31 27 30 25 06 03 55  ment Inc.1'0%..U
0190   04 0b 13 1e 4e 65 74 77 6f 72 6b 20 50 6c 61 74  ....Network Plat
01a0   66 6f 72 6d 20 53 65 72 76 69 63 65 20 44 65 70  form Service Dep
01b0   74 2e 31 21 30 1f 06 03 55 04 03 14 18 2a 2e 2a  t.1!0...U....*.*
01c0   2e 2a 2e 64 6c 2e 70 6c 61 79 73 74 61 74 69 6f  .*.dl.playstatio
01d0   6e 2e 6e 65 74 30 81 9f 30 0d 06 09 2a 86 48 86  n.net0..0...*.H.
01e0   f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81  ...........0....
01f0   81 00 de 46 98 df 8b 8f f5 b8 24 97 02 0f 4a af  ...F......$...J.
0200   7c f6 e4 34 1c b9 ef fd ad a4 66 ec ba 20 ab c5  |..4......f.. ..
0210   6f d6 8a 48 ad 20 92 8f d0 d9 15 ab 09 d9 6c 01  o..H. ........l.
0220   e0 8d f6 be b9 8b ab 5b 03 55 6f f0 b4 fa 33 a7  .......[.Uo...3.
0230   05 6f e7 2a 5d d7 f7 ad 90 1e 8f 9d b0 d6 27 41  .o.*].........'A
0240   a3 22 d9 ed 95 85 33 f7 65 3c dc 46 9e b6 25 d2  ."....3.e<.F..%.
0250   1b ff 4b 57 89 e7 b9 31 b9 62 7a d9 cc de a1 da  ..KW...1.bz.....
0260   56 3f a9 7c 7f 66 f6 5d 8f f3 e2 31 66 21 0f 26  V?.|.f.]...1f!.&
0270   88 25 02 03 01 00 01 a3 81 cc 30 81 c9 30 09 06  .%........0..0..
0280   03 55 1d 13 04 02 30 00 30 1f 06 09 60 86 48 01  .U....0.0...`.H.
0290   86 f8 42 01 0d 04 12 16 10 44 4e 41 53 20 43 65  ..B......DNAS Ce
02a0   72 74 69 66 69 63 61 74 65 30 1d 06 03 55 1d 0e  rtificate0...U..
02b0   04 16 04 14 91 ac 2f 25 af e5 85 01 00 cc 7d 48  ....../%......}H
02c0   75 01 15 8d ba 72 cf 90 30 7c 06 03 55 1d 23 04  u....r..0|..U.#.
02d0   75 30 73 80 14 c6 56 a1 33 5b 4f ce 83 77 62 05  u0s...V.3[O..wb.
02e0   44 86 6d 20 57 b5 af da dc a1 58 a4 56 30 54 31  D.m W.....X.V0T1
02f0   0b 30 09 06 03 55 04 06 13 02 4a 50 31 29 30 27  .0...U....JP1)0'
0300   06 03 55 04 0a 13 20 53 6f 6e 79 20 43 6f 6d 70  ..U... Sony Comp
0310   75 74 65 72 20 45 6e 74 65 72 74 61 69 6e 6d 65  uter Entertainme
0320   6e 74 20 49 6e 63 2e 31 1a 30 18 06 03 55 04 03  nt Inc.1.0...U..
0330   13 11 53 43 45 49 20 44 4e 41 53 20 52 6f 6f 74  ..SCEI DNAS Root
0340   20 30 35 82 01 00 30 0d 06 09 2a 86 48 86 f7 0d   05...0...*.H...
0350   01 01 05 05 00 03 82 01 01 00 59 fb 62 e0 3b d8  ..........Y.b.;.
0360   55 25 b8 23 dc 5c 49 57 f3 12 25 c8 cd 2f 02 8b  U%.#.\IW..%../..
0370   88 0d 30 d5 dc d7 7b 2e 95 e4 96 a2 8e de dc 5f  ..0...{........_
0380   b8 15 5f fe b0 a2 d2 4b 58 fb bd 77 eb 8b 33 64  .._....KX..w..3d
0390   98 a1 f4 1c db 21 9a bf 03 a4 78 8e 10 71 89 d3  .....!....x..q..
03a0   97 38 1c 50 9e 4a b5 98 2c 7e 01 b8 d6 96 e8 28  .8.P.J..,~.....(
03b0   2c 44 7e 6a 7c e6 3e 30 c5 c6 2d a9 28 02 70 d9  ,D~j|.>0..-.(.p.
03c0   53 6e 6e 8e 80 11 dc f0 b1 6d 37 38 f4 22 39 13  Snn......m78."9.
03d0   69 a5 29 9d 38 8c 39 51 9a 40 da 0a 53 57 43 2b  i.).8.9Q.@..SWC+
03e0   1c 5e 02 72 a5 97 c6 2b 89 4c 05 d5 d6 ec d7 05  .^.r...+.L......
03f0   ff 0a 59 0f a7 23 05 23 e3 86 47 6f 27 ea 7e 77  ..Y..#.#..Go'.~w
0400   4e 89 9f fd e9 fb 2e 21 a4 d9 b3 62 d3 66 8a 90  N......!...b.f..
0410   64 c9 7f 9b 57 97 fa 47 4a 81 7c e3 bd 91 e3 c0  d...W..GJ.|.....
0420   67 46 04 5d 45 37 6b 98 c7 44 11 2f 6f 9a ab 16  gF.]E7k..D./o...
0430   fd ee e4 8c 9f 97 2d ec 40 83 aa ec f3 4a 8d ae  ......-.@....J..
0440   5a e6 20 7c ae 79 86 ea 3d b7 71 45 cd 2c 6c b0  Z. |.y..=.qE.,l.
0450   56 41 78 3d b8 2c c5 77 08 28 16 03 00 00 04 0e  VAx=.,.w.(......
0460   00 00 00                                         ...

And some DNS Redirect info, etc:

Code:

1896	1358.137618	192.168.0.1	192.168.0.104	DNS	Standard query response CNAME a0.ww.np.dl.playstation.net.edgekey.net CNAME e376.g.akamaiedge.net A

I hope this can come of use to someone that has the tools.

[PS3 News]

Speaking of an address emulator, I do remember seeing such a program a long time ago.
It lets you fake an internet address inside a local network.
Something like a re-direct, but not really.

Does anyone have this program? I forgot the name totally.

Did you mean SimpleDNS (http://www.simpledns.com/download.aspx) or PowerDNS (http://www.powerdns.com/en/downloads.aspx)? I know both of those have been used here before with PS Proxy stuff...

[footylad]

Great work - But again its a case of comparing pre compilled data (encrypted) to decrypted data and seeing how in which they are encrypted. Once we get PKG Algorithm Reversed we can install Custom PKG'S which is a HUGE step in the right direction.

Problem with the proxy ideas is that we are finding the origin of certain files which is great, but the Sony Store has SSL Encryption which cannot be replicated easily and so we will be unable to create a spoof Sony Store and the PKGS would still be encrypted so unencrypted PKGS will still be unable to be loaded via the PS3...

Footylad