Certificate Store

[krunchy]

Has anyone looked into adding a new root to their jailbroken PS3's certificate store?

Am I assuming too much or overlooking something obvious?

Does anyone understand where I'm going with this?

<crickets>

[krunchy]

Ok, so there are some people that know what I'm talking about. Found this discussion which touched on the mitm attack a bit (the OP's name seems familiar ) and more recently this too discussed the 5 sony CA certs which you can find by browsing into dev_flash/data/cert. It also mentions libssl which is probably where this is going to lead eventually...

I can say for sure that it's not as easy as dropping a new cer file into that folder (I used Jaicrab's USB Firm Loader and I'm assuming I got that working right). Too tired to post any more. Looking like a dead end for today.

[chocobo]

Ok, so there are some people that know what I'm talking about. Found this discussion which touched on the mitm attack a bit (the OP's name seems familiar ) and more recently this too discussed the 5 sony CA certs which you can find by browsing into dev_flash/data/cert. It also mentions libssl which is probably where this is going to lead eventually...

I can say for sure that it's not as easy as dropping a new cer file into that folder (I used Jaicrab's USB Firm Loader and I'm assuming I got that working right). Too tired to post any more. Looking like a dead end for today.

Well, you never know if it's that simple or not I didn't spend too much time with this, and I might've screwed up something when testing. When I have time to play with PS3, it's usually very late at night when I'm dead tired, so... who knows.

Since PSNTool seems to be able to handle PSN registrations/logins, then it's pretty obvious that someone might have had success with this. Now, there is also a possibility that PSN part in PSNTool was done by decrypting PSN related sprxs, rather than managing to watch the decrypted traffic. Only PSNTool author knows how he did it, you could try asking him.

If you want to only look into PSN related stuff, it's probably easier to simply sniff the PSNTool's traffic, and see what it does. No point in reinventing a wheel, when he's (seemingly) reverse engineered PSN authentication process already.

One of the certs on the flash is definitely used for checking some kind of signature on binaries, since PS3 will freeze completely, then get into red screen mode (after power off/on) if you substitute all certs with your own, and try to boot using Jaicrab's loader. Now, in theory, running it through loader should be 'safe', but in this case something gets screwed up badly, so that even after poweroff PS3 shows up red screen. I have no idea which cert it is/was, I didn't have time to try them one by one, I just substituted all of them to see 'what happens'. Or now that I think about it, it migh've happened when I deleted all certs. Well, been a long time ago, I can't honestly remember.

I've also tried adding my own CA cert (as well as replacing existing Sony/GeoTrust) root certs with my own, and forcing PS3 to connect to my own server (using STunnel/Apache/Bind) when attempting to create PSN account, but no matter what I did, it was still reporting "Unknown certificate" error, even if it was actually connecting to a server that was presenting a certificate signed by my CA (whose cert was on the flash). I also couldn't connect to that server using the PS3 browser, without browser reporting cert error (although I expected this case to work - it didn't, hmm). Maybe I mistyped something somewhere, who knows - maybe it didn't work because I made some mistake. You can give it a try, it won't hurt. I also can't remember if I tried using wildcard cert or not for those tests - I think I was not.

I also did not try generating retarded/invalid certs to see if SSL code in PS3 might have some bugs that would trigger random behavior (crashes, etc) - but not sure it would be even worth the effort. I can't see any gains (we already have GameOS access, and can execute our own code, don't think bug in SSL library would give us anything more).

I only wish I could know if PS3's SSL library is really using those CA certs for all cases. Because if it does, then replacing them would have to work.

[krunchy]

Well getting a PC to accept a CA root cert is easy.. I want the PS3 to trust the CA root cert I generated. I don't want to passively sniff the traffic, I actually want to be on the receiving end of it. Once I do that, I can change the user-agent, or whatever it is that Sony's rejecting when the PS3 tries to sign in, and pass it along on behalf of my PS3. The same goes with the reply traffic...

If that adds the ability for me to sign and run my own binaries w/o a modchip, then that'd be an added bonus, but I'm not that ambitious. I just want to get signed back on so I can reget the DLC I lost when I got hit with my 3rd YLOD (and play some poker too)...

[[C*]]

If that adds the ability for me to sign and run my own binaries w/o a modchip, then that'd be an added bonus, but I'm not that ambitious. I just want to get signed back on so I can reget the DLC I lost when I got hit with my 3rd YLOD (and play some poker too)...

You've confused me here. We've got PSN access back. Can't you redownload and reactivate your games? (Limit of 5 reached?)

[krunchy]

You've confused me here. We've got PSN access back. Can't you redownload and reactivate your games? (Limit of 5 reached?)

Sure, but that's temporary. If I can get my PS3 to trust my cert, it should be very easy (barring client certs) to get back online without waiting for someone to develop a new payload once 3.51 and beyond is required. Oops, did I say too much?

[krunchy]

Plus, I'm not content on waiting on others to fix something I can do myself. Now someone fix the cert store for me, lol...

[krunchy]

I know with all the key madness going on that this will probably be overlooked, but I got a SSL MITM going on my PS3 and found something very interesting...

Normally, the client header from your PS3 looks like this:

Code:

[HTTP_USER_AGENT] => Mozilla/5.0 (PLAYSTATION 3; 1.00)
[HTTP_X_PS3_BROWSER] => 3.10 (WP; system=3.41)

But when you try to connect to auth.np.ac.playstation.net to authenticate, it looks like this:

Code:

[HTTP_USER_AGENT] => Lediatio Lunto Ritna
[HTTP_X_I_5_VERSION] => 3.0
[HTTP_X_PLATFORM_VERSION] => PS3 03.41

At another point you also connect to ena.net.playstation.net and pass your firmware version, model, product code, and ID. The model is found at offset 0x4776e0 in your LVL2.bin and the ID is at offset 0x44a18c. I'm not sure that this connection to ena is critical to getting authenticated.

Assuming that the firmware version in the HTTP header is the only thing preventing your console from going back online, a simple proxy rewrite should do the trick. I can only read ATM though, but I'm working on it.

If anyone is interested in learning more, by all means ask. This had nothing to do and is completely unrelated to the key leaks though, so it's probably not sexy enough for anyone to take notice.

[Winch2005]

really i have enough reading hundreds of useless post from keys, decryption, cfw's topics.

now, that info is quite interesting.

[HTTP_X_PLATFORM_VERSION] => PS3 03.41 <- we dont know from where this is getting? which file or something.

would be good to check it with spoof payload. if it change then it's a wrong turn.


i only want to activate mp3, vma, wmv or whatever else playback on my ps3. at this time i can only stream those and transcode.

everyone remember payloads with psn acces. actually they can still works on other NP Environments like "sp-int" and "prod-qa" on debug firmwares. I think about Rebug project and theirs youtube video that shows "quick sign up" option.

http://www. ps_3_iso .com/showthread.php?t=42737 <- this guy claims that he managed to get this working. But i cant really see any positive replies.

can i activate my mp3 playback at these other environments?

sorry guys for my terrible english, but i want to say hello! first post after lurking here for over 6 months.

[dhruvbhutani]

Interesting stuff. I cannot contribute in a useful way but i will certainly be keeping an eye on this thread.