Thread: Possible hack ?

  1. #1
    Banned User kakarotoks's Avatar
    Join Date
    Jul 2008
    Posts
    119

    Possible hack ?

    Hi,

    I wanted to discuss with you guys some ideas I have that just might be what we need in order to finally run homebrew on the PS3. I wanted to do it over IRC, but it seems the public channel is now invite only, so I'm forced into posting it here.

    Anyways, here's the story:

    I've just recently discovered http://ps3news.com/subdomain.php?pagename=psn and it's a great idea.. but then I saw the "does not work with 2.42+", and I thought "it doesn't make sense, if you reimplement the PSN store through a proxy, there is no reason for it not to work", so I used some ARP poisoning and did some sniffing... it turns out that the PS3Proxy doesn't reimplement the PSN store, it just hijacks HTTP requests to the specific pkg file, while the whole PSN store uses HTTPS... yep, that's a bit harder to spoof.

    Next step was to use ettercap with SSL man in the middle attack (MitM) which obviously failed with expected results, the SSL certificate is not 'correct'... so yes, of course the PS3 checks the certificate, but how does it do it? My guess was simply that they had the PSN's certificate signed by a Sony certificate authority, and that the OS has Sony's certificate and it checks whether it's the same or not.. I took a look at the certificate sent by the PSN, and it seems to be indeed a certificate signed by Sony (SCEI DNAS Root 05).

    The next idea that came to my mind is: if the certificate is stored in the OS, we simply need to replace it with our certificate, then we can spoof with an SSL MitM attack using a certificate signed by our own CA... then when the PSN app tries to validate the certificate, it will find it valid.. yeah, cool, now how do we access that file and modify it. A few ideas came to my mind:

    1 - it appears from a ps3news post that all (most) of the firmware is now on the disk, and not on the flash, so we could try to access it from the HDD and modify it from there.. yeah, cool, but after some research the HDD FS is probably an encrypted JFS, so it won't be easy to do that... (unless you guys have already figured out a way to access the FS, and kept that info secret)

    2 - This latest news about the ECC algo being RE-ed means that you could modify some files, that's great news, but which ones, that's the question... You were also saying that it was about flashing, so I still don't really get it, since I thought all the OS is on the HDD, not the flash (well, apart from what I suppose is the kernel). So anyways, I lack info from that side, so that's why I needed to talk to you guys over IRC, to get these things clear.

    3 - Access with the browser a [Register or Login to view links] which would tell us the certificate is not valid, then have it 'accept/install' the certificate, maybe our own certificate would then get automatically stored as a 'recognized certificate authority' and the PSN store would get affected by that... This is easy to test, but I just didn't do it...

    Either way, we would need to replace the sony certificate from the OS FW... the HDD method would be the simplest for customers (replace disk, run app to 'patch it', done) but probably the hardest to do for ps3 devs because of lack of info/encryption/etc..., the second one would be the hardest for customers (use infectus chip, dump, modify, flash) but the easiest for ps3 devs since you guys already do that stuff... The third idea is obviously the easiest for all (go to this page, click accept, done). but it might not work, and it obviously would be easy to fix with a FW upgrade.

    Anyways, once we replace the certificate authority from Sony to our own CA, we can sniff, reimplement the PSN store server, where we could send our own categories, our own releases, with the data from our own pkg files, and provide those pkg directly to the ps3, we could also send that little 'activation' packet needed to install those full games without buying them, etc... We could also enhance the psn spoof to do real PSN requests and just 'add' stuff to it, instead of having only a 'local psn store' (which would provide the pkg files we have on our PC, as well as the original data from the real PSN store).

    I'm pretty sure all communications are done with XML (possibly SOAP?), so merging the official PSN with our own local PSN would be easy. Either way, its URL is [Register or Login to view links] for authentication probably (SecServer?) and the PSN is I think [Register or Login to view links]

    All this got me thinking a bit more.. once we can replace the Sony certificate for the PSN store, we can probably do the exact same for games... I'm sure that the SELF files that are signed by Sony are just ELF signed with a specific private certificate with its public part being stored on the PS3.. well, if we could modify that certificate too (might be the same), we could then quite easily create homebrew apps, then just sign those apps with our own certificate that is now stored on the PS3...

    While thinking about all this, I started reverse engineering the PKG file format (it would be a nice way to provide those homebrew apps.. you just .pkg them, put them in your PC's "PS3PKG" folder and let the "PSNSpoof" app find it automatically, you then just go to the psn store, and download it from there...). But it looks compressed/encrypted, I found a few interesting fields about the header/footer, but then I found a post in ps3dev (thanks to google, 'cause I can't access the dev forums :@) that pretty much shows the same thing that I found... and then the thread died...

    http://www.ps3news.com/forums/playst...e-57073-9.html
    Later, I found this : http://www.ps3news.com/PS3Dev/A_Peek..._PS3_PKG_file/

    This is great news! Even though the app that did this was just a ps3 test/debug utility, it is still good to know that we do have a binary file that can extract a pkg.. if you guys could send me that file, I can take a look inside it and try to RE the algo/encryption/etc...

    And my final idea, was that, we may not need an iso loader.. although we can.. maybe we can just extract the iso files and repackage them into a pkg.. put in PSNSpoof and have them install/run! If there's security checks in the SELF itself to see if it runs from the disk, then an ISO loader could be used.. signed by our magic replacement certificate... Either way I think the most important part is the PARAM.SFO, which is already included in the .pkg...

    What do you guys think, and can you please give me all the answers I need? Is this doable, any issue with anything I said? Can you explain to me a bit more the issue of the flash and the OS being on the HDD, and the ECC thing, which files can we access and which ones can be modified.. what is the structure of this thing...

    If you need help, or need me to look a bit more into any of this, feel free to write me!

    Thanks a lot, and sorry for this huge post!
    KaKaRoTo

  2. #2
    Registered User BrenoFerreira's Avatar
    Join Date
    Oct 2008
    Posts
    4
    Long Text.

    But instructive.

  3. #3
    Banned User kakarotoks's Avatar
    Join Date
    Jul 2008
    Posts
    119
    A little update.. I just had some time to have a look at the third option, and as expected, the browser doesn't allow you to "install"/"permanently accept" a certificate from a website.. so that option is not available to us anymore (it would have been way too easy.. where's the fun then, huh? ).

    So anyways, I'm still waiting for my answers... to summarize: if we can replace the Sony certificate on the flash, will it allow us to spoof the psn store with a man-in-the-middle attack (which would allow downloading/installing/activating the pkg downloads from psn), and will it also allow us to sign our ELF with our own certificate in order to run homebrew (assuming we can recreate a .pkg file)?

    I just hope that the sony certificate is easily accessible (on the FW, not on some separate ROM somewhere) and that an infectus chip will allow us to change it and that changing it won't screw up something other than the ECC which we can fix already.

    KaKaRoTo

  4. #4
    Registered User Tosztoc's Avatar
    Join Date
    Jun 2007
    Posts
    21
    Quote Originally Posted by kakarotoks View Post
    I've just recently discovered http://ps3news.com/subdomain.php?pagename=psn and it's a great idea.. but then I saw the "does not work with 2.42+"
    I can confirm that the ps3 proxy method works on 2.42 (I think on 2.43 this should work too) ...but ONLY for installing demos which are on the PSN Store (look at my example):

    - run PS3 Proxy server and configure it
    - next for example: go to PSN Store and download Fracture Demo (select downloading in background)
    - next exit psn store and pause your download in download list on PS3
    - in the logs of the ps3 proxy server you can see link to fracture demo:

    [Register or Login to view links]

    - so you can download this file to your PC via http
    - when the file is on your PC - go to "Replace files" and in first column paste the link:
    [Register or Login to view links]

    ...and in the second column - select the file from your PC - in this situation it is:
    owJvpeeVVKev0yqFyWLeNWqm4e41W2yECfN1HoVjAhdPjWiBT2rHQicKSHwfl0rX6uigDcSQ5vxEENMJsRwG9JNFmw0sXcE8aAtrv.pkg

    - go to Logs and "resume" download on your PS3 download list - you should see something like this:
    [16:13:12] [Register or Login to view links] -> D:\Playstation3_Demos\Fracture\owJvpeeVVKev0yqFyWLeNWqm4e41W2yECfN1HoVjAhdPjWiBT2rHQicKSHwfl0rX6uigDcSQ5vxEENMJsRwG9JNFmw0sXcE8aAtrv.pkg

    - when the demo downloads from your PC to PS3 via ps3 proxy server you should install it without problems

    Someone asks, why do this ?? :

    - if you have more than 1 console you don't have to download the same demo 2 or more times - you save your bandwidth
    - if you have a low bandwidth connection - you can go to your friend with high bandwidth and download this on his PC, copy to pendrive and next install on your PS3 - you save your time and the life of your ps3 - because it doesn't have to be powered up for example 10 hours when the only reason is to download a demo

    - there are other similar examples... you do what you want to do

  5. #5
    Banned User kakarotoks's Avatar
    Join Date
    Jul 2008
    Posts
    119
    @Tosztoc:
    I know all that, and although your post is instructive, it is completely unrelated to everything I said. I don't care about saving my bandwidth or keeping my downloads on my pc, etc... I'm talking here about a possible hack. In all my huge post, you quoted one line and forgot all the rest

    anyways... CJPC, NDT, hacked2123, PS3news, any devs around here who would want to answer me ?

    thanks

  6. #6
    Junior Member hacked2123's Avatar
    Join Date
    Nov 2006
    Posts
    665
    Quote Originally Posted by kakarotoks View Post
    @Tosztoc:
    I know all that, and although your post is instructive, it is completely unrelated to everything I said. I don't care about saving my bandwidth or keeping my downloads on my pc, etc... I'm talking here about a possible hack. In all my huge post, you quoted one line and forgot all the rest

    anyways... CJPC, NDT, hacked2123, PS3news, any devs around here who would want to answer me ?

    thanks
    Hi, your long investigation is much appreciated. The first thing that comes to mind is that many of the methods you suggested are focusing on the "little picture" rather than the "large picture". If any of the methods you suggested "went through", more than a certificate could be tampered with. On top of that, each pkg (paid content) has an activation certificate that has specific information on modifying (most likely) the "*.sfo" to work it. Furthermore, inside every pkg is a self file, signed with another global key, which prevents us from modifying or creating our own retail pkgs.

    I have someone getting me something for DEMO PS3 units that might shine some more light on the topic, but... the future is very dim for this method... sorry.

  7. #7
    Banned User kakarotoks's Avatar
    Join Date
    Jul 2008
    Posts
    119
    Hi hacked2123,
    Thanks for taking the time to read and answer my post!

    Don't worry, I know my ideas aren't of the "Just Works" type, and I'm not arrogant enough to think I've come up with the solution that no one ever thought of (especially considering my almost NULL ps3 knowledge), but I just had those ideas and was curious about the feasibility of this.

    I see why you think it's the "little picture" rather than the "large picture", and I agree.. the first step of doing the PSN spoofing thing would only allow us to install pkg files (full games..) without the need of actually buying them, which is a hack in itself but not the one we really want.

    But my idea was that it could be enhanced.. if we can modify one certificate, then we can modify two certificates, or even 100 certificates if we need to... ! So the 'big picture' could just be a rephrase of my first post into "how about we create a homebrew app, sign it with our certificate and replace sony's certificate so that the PS3 thinks the SELF has a valid signature.."

    I didn't really understand what you said about the activation certificate of the pkg files... For the existing pkgs, they won't be modified, so the signature/validation/whatever in the pkg will still be valid since it won't be tampered with.. The reason why it doesn't activate is probably because the PSN Store writes the name of the package (0x30 to 0x5F in the .pkg) in some file somewhere on the system, because you can download a pkg with PS3Proxy, you try to install it, it fails.. then if you 'download' it from the PSN store (actually, you don't download it, you just click 'download' so it can purchase it), then you try to install that first pkg file you had and it works.. so I'm guessing the PSN store writes on the disk something that tells it which pkg files are authorized to be unpacked... and that's easy to spoof!

    About creating our own retail pkg files, I don't see the problem in there, as long as we reverse engineer the algorithm...
    Assuming that the pkg has its own certificate, the SELF its own certificate, and the psn store for deploying the pkg has its own certificate, then we would just need to flash 3 certificate files instead of 1, it should still work...
    Our homebrew app can then be anything, from a simple XTerm that would allow us to take a good look at the system, or a memory dumper or whatever you wish it to be, that would open up new doors for the 'larger picture'...

    As I said, unless I missed something, the theory of this still holds true and it should be doable (assuming my hypotheses are correct). The only possible prevention to this that I might see is if the certificates are not on the flash nor the disk, but that they are actually on some separate ROM somewhere we don't know about.. or more generally, if the certificates are stored somewhere that we can't access/modify.

    I hope someone knows whether it is possible or not!

    oh, and by the way.. being able to write ANY application, SELF it, PKG it, and install it through PSN store.. that's pretty much a 'large picture' hack in itself, no ?
    Of course, it would need some time, a lot of reverse engineering to go from little to large picture, but it's still a door we shouldn't shut (as long as I didn't miss anything of course).

    Hope to hear from you soon!
    KaKaRoTo

  8. #8
    Toucan Sam CJPC's Avatar
    Join Date
    Apr 2005
    Posts
    2,174
    Well, there are a few issues with your thoughts.

    Namely, creating our own "REAL" retail packages just is not possible. We do not know the proper keys to do it, and attempting to crack it will take forever + 100 years.

    As to changing the certificates, yes that is a great idea, however short of being able to decrypt/encrypt the HDD outside of the box, we would need the system popped open, and even after that, we would need at least Kernel permissions. Even on a PS3 TEST running in user mode we can not change any of these files, only view them - and we can't even view all of them!

    As on all systems the certs are stored inside the dev_flash: on older systems it's the actual flash, and on newer ones it is the HDD. The dev_flash filesystem on older PS3s, aside from containing all encrypted files, is also encrypted itself! So it makes things a tad difficult to change those specific files.

  9. #9
    Junior Member hacked2123's Avatar
    Join Date
    Nov 2006
    Posts
    665
    Quote Originally Posted by kakarotoks View Post
    Hi hacked2123,

    Assuming that the pkg has its own certificate, the SELF its own certificate...
    KaKaRoTo
    If I'm not getting rusty... the self has no certificate...no signature file...it's actually an integrated code into the CELL processor itself...

    We've been down this path before... look up something like "warhawk cjpc" through the forum search... might give you what you wanted to see... we've gotten pretty far before.

  10. #10
    Banned User kakarotoks's Avatar
    Join Date
    Jul 2008
    Posts
    119
    Quote Originally Posted by CJPC View Post
    Well, there are a few issues with your thoughts.

    Namely, creating our own "REAL" retail packages just is not possible. We do not know the proper keys to do it, and attempting to crack it will take forever + 100 years.
    humm.. well, we don't even know (afaik) what the file structure is... maybe it's just compressed and not encrypted... if it's encrypted too, then with the ps3unpkgr application you have, we might be able to figure out the encryption.... If the encryption is based on an SSL certificate, then we can still replace that one...

    I would really be interested in getting the code for ps3unpkgr as I wish to RE it and see how it works, I want to see what the file structure of the pkg is, and how it manages to extract it, uncompress it, decrypt it... Could you send me that file please ?
    Quote Originally Posted by CJPC
    As to changing the certificates, yes that is a great idea, however short of being able to decrypt/encrypt the HDD outside of the box, we would need the system popped open, and even after that, we would need at least Kernel permissions. Even on a PS3 TEST running in user mode we can not change any of these files, only view them - and we can't even view all of them!
    Why would you need to decrypt/encrypt the HDD? Why do you say you can only view them and not write to them.. and you're talking here about the PS3 TEST... What I'm talking about is this whole nand flash with ECC that you guys released... and yes, it will need an infectus modchip, but if that's what we need to crack this thing, then why the hell not? Maybe we'll find a software only hack afterwards, but if we can crack it with the modchip, that's still a good enough solution I think!

    Could you explain to me more about how this works? what can you do with the modchip, you can dump the flash, unscramble it, modify it, re-ECC it, reflash it, right ? Which files are available to be modified ? Which ones aren't ? In the thread http://www.ps3news.com/forums/playst...ed-100980.html

    You said :
    Quote Originally Posted by CJPC
    What does this mean? Simple, we are now able to in minutes properly edit a flash dump, regenerate the ECC and flash it onto the PS3 in order to experiment with flash changes. Using this, we have already found where the encrypted keys are stored for SELF's, PKG's, and BD Pairing among other things, more on that in the weeks to come.
    .. and NDT said :
    Quote Originally Posted by NDT
    Files can be swapped with other valid files from other consoles (debug or other retails) then some files can be edited and patched (mac address can be changed and other interesting things can be done).
    so.. you are saying that we can modify some files, and if the certificates are on the flash, we can modify them.. so where's the problem ?
    Quote Originally Posted by CJPC
    As on all systems the certs are stored inside the dev_flash: on older systems it's the actual flash, and on newer ones it is the HDD. The dev_flash filesystem on older PS3s, aside from containing all encrypted files, is also encrypted itself! So it makes things a tad difficult to change those specific files.
    Humm.. I thought even the older systems were using the HDD with the latest firmwares.. but I didn't know what was on the flash exactly... so if we can hack older systems by replacing the certificates.. and maybe the certificates on newer systems are on the flash and not the HDD (hopefully), then this still stands true... If you can enlighten me a bit more on why it wouldn't work, then please, I'm curious!

    Quote Originally Posted by hacked2123
    If I'm not getting rusty... the self has no certificate...no signature file...it's actually an integrated code into the CELL processor itself...
    Humm.. interesting.. then it's just a matter of decrypting.. which is of course not really possible... question though, is a SELF able to execute on OtherOS ? or is it only for GameOS ? I've read somewhere that the SELF files sometimes have plain text, left over debugging symbols, and even a SELF file that has part of it encrypted and another part unencrypted... so.. is it really an encrypted binary ? or is it just that the binaries can set a mode on the PS3 to use a 'different' instruction set.. ? since the instruction set is not the standard CELL one, we can't disassemble them, so it looks like they're encrypted... but I would need to see a real SELF before I continue to say such stupid stuff

    The thing is.. if it's really an encrypted file, we can't have half encrypted and half non encrypted, it would be all or nothing.. unless the SELF has different sections, a .data and a .sdata or whatever.. can we read the header of the file correctly ? I'm interested in looking into that.. so if you have one of those self files, I'd like one to be sent to me!
    Quote Originally Posted by hacked2123
    We've been down this path before... look up something like "warhawk cjpc" through the forum search... might give you what you wanted to see... we've gotten pretty far before.
    ouch, I've just spent a few hours reading every thread with 'warhawk' in it, but I couldn't get anything related to this... could you be so kind as to find the thread and give me the link please ? (I only found the warhawk network hole which allows running pkg files through an update, but I don't see how it affects what we're talking about here)

    I found this here and downloaded the SCE from it: http://www.ps3news.com/forums/playst...ree-92785.html
    I'll have a look at it once I get home!

    Thanks guys for participating in my thread! I hope I'll get all my answers someday and we'll finally crack this monster!
    KaKaRoTo
