PS3 [Tutorial] Dump PSID From OFW Using Netflix and DTU

Discussion in 'PS3 News' started by esc0rtd3w, Aug 3, 2017.

By esc0rtd3w on Aug 3, 2017 at 9:05 PM
    ** I AM AWARE THERE ARE OTHER METHODS TO GET THE PSID! I WAS NOT AWARE OF THESE AT THE TIME OF CREATING THIS. IF HAVING AN ALTERNATIVE OPTION IS OFFENSIVE TO YOU, THEN THIS IS NOT FOR YOU. THANK YOU! **

    Ok, this is yet another side project that I have been wanting to test more, and that day has come!! I have tested this on OFW 4.81, and it does indeed dump the correct PSID, verified by checking on the CFW console. This will allow you to dump the PSID from an OFW console. Yes I know, this IS NOT the coveted IDPS, which is the Console ID itself, but this is a unique number per console. I do not know much about what can be done with it alone, but it's "half" of your console's unique ID.


    Important Details:
    • I tested using the NPUP00030 version of Netflix. I have updated the scripting to allow region selection since the initial release.
    • YOU DO NOT NEED A NETFLIX ACCOUNT OR INTERNET ACCESS FOR THIS TO WORK
    • I SHOULD WARN THAT THE CFW CONSOLE HDD GETS ERASED DURING THIS PROCESS!!!
    • BONUS: I have a private method that may be able to dump the IDPS on OFW 4.81. This method will NOT be disclosed until further testing has been done.

    Here are some screenshots. It requires a CFW console using the DTU method.

    Now, the screenshots will give you an idea of what is going on, but basically Netflix generates a PSID.dat file located at "/dev_hdd0/game/NPUP00030/USRDIR/APPDATA". I am using the DTU method in two ways: first, I am using it to push Netflix onto the OFW console (although this just makes it easier) and then run the app on OFW to generate the PSID.dat. Next, you do a "reverse DTU" from the OFW to the CFW console (this has many other benefits that I will not get into at the moment).

    (screenshots omitted)

    GitHub Source: https://github.com/esc0rtd3w/ps3-ofw-psid-dump-tool
    Releases: https://github.com/esc0rtd3w/ps3-ofw-psid-dump-tool/releases
    Last edited: Aug 7, 2017
    T.A.U, jacobsson, RandQalan and 7 others like this.

Comments

    1. nCadeRegal
      nCadeRegal
      This is some cool work, especially if you can manage a workaround for getting idps from ofw consoles on current firmware. Good luck
      esc0rtd3w likes this.
    2. pinky
      pinky
      I thought there was a way to obtain the idps using a proxy server? I remember the work from a few years back. I think it was a specific app where you routed the ps3's network connection through a computer. It was used to obtain god links, but it also showed the idps of the console. Maybe you had to be on cfw - I just don't remember.
      esc0rtd3w likes this.
    3. kozarovv
      kozarovv
      It's patched since 4.70 iirc.
      esc0rtd3w and pinky like this.
    4. nCadeRegal
      nCadeRegal
      Yes, it was patched; it used the What's New column and a proxy. Be cool to have a new way though.
      esc0rtd3w and pinky like this.
    5. catalinnc
      catalinnc
      @esc0rtd3w

      just an idea...

      on OFW get the Netflix Video App...run it to generate the PSID.dat...now make a backup of the PS3...on PC extract the backup using ps3xport.exe and get the PSID.dat...

      please, be kind and test it...

      p.s. this will be very quick if you have on the OFW PS3 only the Netflix Video App...(no games/movies/music/photo/game_data, etc)...
      esc0rtd3w likes this.
    6. pinky
      pinky
      I see. Isn't it cute how Sony tries to patch things thinking it really accomplishes anything? It just gives hackers and devs more reason to rip the system apart.
      esc0rtd3w likes this.
    7. esc0rtd3w
      esc0rtd3w
      I do not think I understand what you are asking. This method already gets the PSID from the OFW console, just not IDPS......yet :miserable:

      Is it possible to dump IDPS from ps3xport? I was under the assumption that this was not currently possible.
      pinky likes this.
    8. pinky
      pinky
      I think I misread psid as idps . :-p
      esc0rtd3w likes this.
    9. esc0rtd3w
      esc0rtd3w
      lol, I always have to think about it for a second to make sure I ain't screwing myself up and thinking the wrong one :redface:
      pinky likes this.
    10. catalinnc
      catalinnc
      I am talking psid...

      your method involves 2 ps3 (cfw and ofw) and your tool...

      my idea only needs the ofw ps3...

      p.s. you need to clarify more about the netflix app...is a netflix account needed or not?
      esc0rtd3w likes this.
    11. esc0rtd3w
      esc0rtd3w
      I get it now :distracted:

      yeah, I can do that and see what happens!

      EDIT: I see your point, but it is referenced in the script already... I will add it to the description though. Thanks!
      chronoss and DeViL303 like this.
    12. pinky
      pinky
      the app I was thinking of may have been for the psid instead of the idps actually. I get them mixed up as well. :-p
      esc0rtd3w likes this.
    13. nCadeRegal
      nCadeRegal
      We do need a new way to rip the idps from current ofw above the patched method. Would be nice to not have to tear a console down and use a flasher just for idps; what's the point then in not just flashing back a cfw, unless of course it's a dead console and you only wanted the idps as a spare. Keep on keepin' on brother.
      esc0rtd3w and pinky like this.
    14. esc0rtd3w
      esc0rtd3w
      are you saying I can dump a 30xx/40xx NOR and get IDPS, or just for 25xx and lower?
    15. nCadeRegal
      nCadeRegal
      I believe that is correct, someone can correct me if I'm wrong. I believe you can dump any ps3 nor flash up to superslims, the problem is that there is no way to patch the now patched metldr on certain 25, 3 and 4k ps3s and write it back without turning it into a heavy paperweight. I have never done so, I remember reading about people dumping the flash from non hackable models, just not being able to manipulate them afterwards and write it back. Not sure if you can obtain the idps that way. I do own a 3k I can give a go on and see, it's just a backup burner I have, and I already dumped the idps from it using the now patched method to use as a comparison against it. It's probably encrypted though and I have no clue how to go about that. Maybe boogs or bailey can chime in and give some actual knowledge instead of just speculation on my part.
      esc0rtd3w likes this.
    16. STLcardsWS
      STLcardsWS
      @esc0rtd3w reformatted for news purposes and added to mainpage (if original format is preferred i can revert it back)
      esc0rtd3w, DeViL303 and nCadeRegal like this.
    17. bguerville
      bguerville
      The psid can easily be obtained via a public API anyway, it's not a problem.
      However the idps is another story altogether. Without a hardware flasher, we currently have no means to extract the idps since ofw 4.70.

      @esc0rtd3w
      I am sure you are perfectly capable of cracking this nut out, all it requires tbh is to exploit the ps3 webkit, just like CTurt has shown on the ps4.
      The webkit included in the ps3 web browser is exploitable via some, if not all, the vulnerabilities used in the various ps4 webkit exploits & more.
      Once webkit is exploited, you should be able to use the syscall 870 which returns the cid & display it in the browser or proceed to calling another syscall to dump it to file.
      You can develop & work on CFW to make things easier then move on to OFW for potential adjustments. The psdevwiki contains most of the data you will need in terms of offsets etc in order to write a common javascript for all fw or at least all post 3.55 fw...
      Check this out
      https://github.com/Cryptogenic/PS4-4.0x-Code-Execution-PoC
      I believe this to be a very stable wk exploit on ps4 (if not the most stable, despite the fact that crashes can still occur) so you can use it as a guide (note that some processing used on the ps4 will not be required on the PS3, i.e. no ASLR etc..).. Another advantage is that the hack doesn't require a php server either, it's very basic in its composition, html + javascript, it's beautiful actually... Lol

      The webkit code used by S#ny is publicly available if ever you needed it to investigate the vulnerabilities.
      https://products.sel.sony.com/opensource/source_webkit.shtml

      Additionally, this is an important project for 2 reasons.
      1. it's the first step to a jailbreak for all 4.xx consoles. The 2nd step being the kernel exploit, keeping in mind that various vulnerabilities have already been found (with poc) in the freebsd kernel used by the ps3.
      2. It would also make it easier to use the 4.70 hack on post 4.70 consoles because if a user has the idps, he/she would have an alternative to DTU to inject the games.

      I have been meaning to spend some time on this for months but the projects keep piling up & I have too little free time to do it all...
      Last edited: Aug 5, 2017
      ed89 and esc0rtd3w like this.
    18. esc0rtd3w
      esc0rtd3w
      @STLcardsWS Thanks!

      @nCadeRegal Thanks for the reply. I have only dumped and tested 25xx and lower. I have a friend not too far away who dumped some 30xx and 40xx to get IDPS/PSID for me, before I got my own E3 flasher, so I assume this does work?!? A good test may be to dump a 30xx/40xx to get IDPS and then try some hackery to match it from another exploit or technique of some kind.

      @bguerville I am glad you mentioned the PS4 webkit stuff because I have been wondering about using a similar attack on the PS3. There are a few *entry points* I have found in various apps that could leverage a webkit exploit. Hell, just using the browser itself is probably sufficient, but having an embedded exploit inside an app (preferably one that doesn't need PSN login) would be cool. :cool:
    19. bguerville
      bguerville
      Yes of course, the same thing could be done from an app calling either the browser or the renderer (on the PS3 there are 4 "browsing modes") as well.
      I tested 8 webkit vulnerabilities (including 3 used on ps4) about 6 months ago on the PS3 browser & as expected I crashed the browser 8 times... Lol
      Out of those 8 tests, I figured that at least 6 vulnerabilities were definitely exploitable & that included the 3 ps4 exploits iirc.
      sandungas and esc0rtd3w like this.