Thursday, February 17, 2011

Playstation 3 online analysis

I analysed, with my PC set up as a bridge, what kind of traffic a PS3 generates on startup without even trying to access PSN, and the results are quite worrying.


The PS3 sends the following lines to auth.np.ac.playstation.net:
X-Platform-Version: PS3 03.55
type=0&serviceid=SCEI-0&loginid=VrEa2uUV3s2hTgLj&password=BDFvcv2vQ2mGvxsJ&consoleid=YOUR_CONSOLE_ID


loginid and password are base64 and are the same for all PS3s; consoleid instead changes on every console.

The PS3 also sends DNS requests to resolve these playstation.net subdomains:

auth.np.ac.playstation.net
ena.net.playstation.net
mercury.dl.playstation.net
nsx.np.dl.playstation.net
tmdb.np.dl.playstation.net
us.np.stun.playstation.net
xmb.dl.playstation.net


The PS3 also makes some HTTP requests with PS3Application libhttp/3.5.5-000 (CellOS) as the User-Agent.


I suggest blocking *.playstation.net in the router firewall or in DNS to avoid information spoofing and banning.
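If you want to see this traffic from the router side rather than with a PC in bridge, the following is an added example (not code from the original post): it walks a DNS query log and reports which LAN host is asking for the playstation.net names listed above, and it parses the auth request to separate the per-console field (consoleid) from the fields the post says are shared. The log lines and the HTTP request are constructed here in dnsmasq's query-log style and from the header/body quoted above; the request path is an assumption, since the post does not show it.

```python
"""Spot a PS3 talking to playstation.net from a DNS query log and from the
auth request body. Added example; sample inputs are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Hostnames the post observed the PS3 resolving on startup.
PSN_HOSTS = (
    "auth.np.ac.playstation.net",
    "ena.net.playstation.net",
    "mercury.dl.playstation.net",
    "nsx.np.dl.playstation.net",
    "tmdb.np.dl.playstation.net",
    "us.np.stun.playstation.net",
    "xmb.dl.playstation.net",
)
PSN_DOMAIN = "playstation.net"
PS3_USER_AGENT = "PS3Application libhttp/3.5.5-000 (CellOS)"

# Constructed sample in dnsmasq's "query[TYPE] name from ip" log style
# (timestamps, pid and addresses are made up).
SAMPLE_DNS_LOG = """\
Feb 17 10:01:02 dnsmasq[1234]: query[A] auth.np.ac.playstation.net from 192.168.1.50
Feb 17 10:01:02 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
Feb 17 10:01:03 dnsmasq[1234]: query[A] mercury.dl.playstation.net from 192.168.1.50
Feb 17 10:01:04 dnsmasq[1234]: query[AAAA] us.np.stun.playstation.net. from 192.168.1.50
Feb 17 10:01:05 dnsmasq[1234]: query[A] fakeplaystation.net from 192.168.1.20
"""

DNS_QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def is_psn_host(name):
    """True for playstation.net itself and any subdomain of it. A bare suffix
    match would also accept 'fakeplaystation.net', so check the label boundary."""
    name = name.rstrip(".").lower()
    return name == PSN_DOMAIN or name.endswith("." + PSN_DOMAIN)


def psn_queries_by_source(log_text):
    """Map each source IP to the set of playstation.net names it asked for.
    A LAN host whose set overlaps PSN_HOSTS is almost certainly a console."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m and is_psn_host(m.group("name")):
            hits[m.group("src")].add(m.group("name").rstrip(".").lower())
    return dict(hits)


# Constructed request built from the header and body the post quotes.
# "/ASSUMED_PATH" is a placeholder: the post does not show the request path.
SAMPLE_AUTH_REQUEST = (
    "POST /ASSUMED_PATH HTTP/1.1\r\n"
    "Host: auth.np.ac.playstation.net\r\n"
    "User-Agent: PS3Application libhttp/3.5.5-000 (CellOS)\r\n"
    "X-Platform-Version: PS3 03.55\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "type=0&serviceid=SCEI-0&loginid=VrEa2uUV3s2hTgLj"
    "&password=BDFvcv2vQ2mGvxsJ&consoleid=YOUR_CONSOLE_ID"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return request_line, headers, body


def identify_console(raw):
    """Summarise what an auth request reveals: the client identity (User-Agent,
    firmware version) and which body fields are per-console versus shared."""
    _, headers, body = parse_http_request(raw)
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {
        "is_ps3": headers.get("user-agent") == PS3_USER_AGENT
                  or headers.get("x-platform-version", "").startswith("PS3"),
        "platform_version": headers.get("x-platform-version"),
        "host": headers.get("host"),
        # Per the post, consoleid is the only field that differs per console.
        "per_console": {k: v for k, v in fields.items() if k == "consoleid"},
        "shared": {k: v for k, v in fields.items() if k != "consoleid"},
    }


if __name__ == "__main__":
    for src, names in psn_queries_by_source(SAMPLE_DNS_LOG).items():
        print(src, "->", ", ".join(sorted(names)))
    print(identify_console(SAMPLE_AUTH_REQUEST))
```

The label-boundary check in is_psn_host matters if you turn this into a block rule: a naive suffix match on "playstation.net" would also catch unrelated domains that merely end in that string, while a rule written as the domain plus its subdomains matches exactly what the post lists.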

Thursday, February 3, 2011

Sony sends out DMCA Takedown Notices!

Soon after Sony won a TRO in SF against Mr. Hotz regarding the 'metldr keys', their MIB team took the next step and issued DMCA takedown notices to a number of 'scene' developers who had code either mirrored or stored on their GitHub accounts or websites!
Here you can find the complete DMCA takedown notice and here you can find my gitorious mirror of the removed repositories.
I chose Gitorious since it's in Norway, where the DMCA is not valid.

UPDATE 2011/02/02
Sony sent a notice to Gitorious too and they removed my Gitorious repositories with the following email:
Greetings,

We're writing you to inform you that we have been forced to remove
your Gitorious repositories containing PS3 related code. We received a
DMCA takedown notice from Sony this morning, and Norwegian law
commands us to respond to such a notice by removing potentially
infringing content until its legality can be fully clarified.

If you can provide Gitorious with irrefutable evidence that this code
is violating neither Sony's copyrights/patents nor Norwegian law,
you are welcome to keep hosting the affected repositories with us.

UPDATE 2011/02/03
Gitorious accepted back my legal repositories and they sent a reply to Sony as you can read on their blog.
"Live long and prosper to legal hacking"

Thursday, December 2, 2010

About multiMAN

multiMAN is another open backup manager clone with many additions such as a File Manager and AVCHD support.

Seems cool, but is it cool?

All that glitters ain't gold.


I'm a KISS fan, so I don't like bloatware like that software.
In my opinion a program should only have well-implemented features.
More features mean more lines of code and so more errors.
And I also don't like its .ini approach; I prefer simplicity...


Last but not least, it does not release its source code!!

Thursday, November 18, 2010

How to use a Hermes payload in psfreedom

To use a Hermes payload in psfreedom you just need to "adapt" the .bin using dd:
  • if you are using psfreedom 1.0 (without PL3):
    dd if=port_config_descriptor.bin of=payload_hermes.bin bs=1 skip=18
  • if you are using psfreedom 1.1 (with PL3)
    dd if=port_config_descriptor.bin of=payload_hermes.bin bs=1 skip=32
Then you just need to load the resulting file (payload_hermes.bin) as a "Custom Payload".

Thursday, November 4, 2010

How to extract PSARC under linux

You only need to download PSARC.zip, then install native (non-Wine) mono (I have 2.8).

Usage
For example, if you want to extract a file called data.psarc you need to:
  1. mkdir data
  2. mono ~/psarc/PSARC.EXE ../data.psarc
  3. rename 'data\' '' *

Friday, October 29, 2010

What does hermes mem patch mode do?

<KaKaRoTo> Works fine with latest default payload.
<KaKaRoTo> So only with NUS (no_unauthorized_syscalls payload), so it's normal and expected.

<hObbit> so what does that mean

<KaKaRoTo> Just means that what I said the first day when I added the NUS payload still applies.
<KaKaRoTo> "only use it to put the ps3 back into restrictive access mode to unauthorized syscalls"

<hObbit> The NUS is for controller fix right?

<KaKaRoTo> Not for controller fix, it's just some (2 or 3) games that won't work without it. Eyepet is the only one I can remember.
<KaKaRoTo> The same would happen with hermes payload if you enable "patched mode" in it.
<KaKaRoTo> The only thing is that for him, the 'patched mode' only gets enabled after the drive is mounted, so maybe that's why no one noticed.
<KaKaRoTo> but it's basically the same code

<hObbit> Can we have that called via homebrew like hermes payload?

<KaKaRoTo> We could, but I don't want to, because it's an ugly hack.
<KaKaRoTo> Basically those patches disable a function that is used by every system call.
<KaKaRoTo> is_this_syscall_authorized_on_this_system/modem/whatever
<KaKaRoTo> Some games require a specific syscall to be enabled.
<KaKaRoTo> It's most probably related to the fact that the ps3 would only unlock the /dev_hdd0/game/<ID>/ of what the bluray player reads in sector 2.
<KaKaRoTo> So when a backup is launched and tries to 'install game data' it can't because it can't access the right directory.
<KaKaRoTo> So that patch makes it work.
<KaKaRoTo> It only has the side effect of enabling every other system call.
<KaKaRoTo> patch_func5 is what does all that (the is_authorized)
<KaKaRoTo> I suppose that patching it to return 1 all the time makes it return 1 to the 'syscall_is_root' or something, that's why permissions get ++
<KaKaRoTo> It also screws up the controller for games like F1 and SF4 because they need maybe something like 'syscall_is_special_usb_stick/wheel_plugged_in'
<KaKaRoTo> They think yes, so they try to use it, disable the controller, and then.. oops, nothing works.
<KaKaRoTo> (That's why you can 'fix' the controller if you plug in a wheel or the SF4 arcade usb thingy)
<KaKaRoTo> That's what patch 6 and 7 do, they force those 2 specific syscalls to return '0' instead of '1'.
<KaKaRoTo> But there are still other games that check other things and fail because of that (like eyepet, maybe it checks is_camera_plugged_in)

<hObbit> I see, so rather than enabling everything we'd need to find that specific syscall.

<KaKaRoTo> Exactly. The real fix is to find just the right syscall to have elevated permissions, and fix just that one to think it's "1".
<KaKaRoTo> Instead of making it "1" for EVERY syscall, then return 0 selectively to fix specific games.

<hObbit> So what needs function 5 then? is that the eyepet game?

<KaKaRoTo> no no
<KaKaRoTo> you have this :

<KaKaRoTo> syscall_X (arguments)
<KaKaRoTo> {
<KaKaRoTo> can_i = function_5(args);
<KaKaRoTo> if (can_i == 1) { do stuff }
<KaKaRoTo> else { return error }
<KaKaRoTo> }

<KaKaRoTo> patch 5 is to overwrite the 'can_i_do_this' function completely
<KaKaRoTo> so EVERY syscall gets 'yes you can'
<KaKaRoTo> what functions 6 and 7 do is just :

<KaKaRoTo> syscall_fix_for_f1 (arguments)
<KaKaRoTo> {
<KaKaRoTo> can_i = 0
<KaKaRoTo> ....
<KaKaRoTo> }
<KaKaRoTo> syscall_fix_for_ssf4 (arguments)
<KaKaRoTo> {
<KaKaRoTo> can_i = 0
<KaKaRoTo> ...
<KaKaRoTo> }

<KaKaRoTo> Patches 6 and 7 just patch the 'call func5' into 'func5 returned 0'
<KaKaRoTo> While patch 5 actually patches the content of func5 to always return 1.
<KaKaRoTo> You see how ugly it is? You understand why I didn't want to add a syscall to the payload just to enable/disable this 'patched mode'.
<KaKaRoTo> I want to do it properly, or not do it at all.


<iLLNESS> weird though... ssf4 works fine for me with NUS

<KaKaRoTo> yes it would
<KaKaRoTo> because NUS basically means 'all original'
<KaKaRoTo> it wouldn't work if you had patch 5, but not patch 6 and 7
<KaKaRoTo> but if there is no patch 5, then it would work

Thursday, October 28, 2010

About Unified Manager

Last week moh.sakhaii, Rogero and I joined forces to make the best PS3 Backup Manager in the world.

moh.sakhaii wants to start from vanilla OpenBM (his version) to avoid external contamination.

The problem is that I'm not a graphics developer, so I need the graphical part to be done before integrating all the Gaia Manager modifications.

So I will keep maintaining Gaia Manager until the graphical part of Unified Manager (the new manager) is mature enough.