PS3 I did it! Offline HTML from the Browser

Discussion in 'PS3Xploit HAN (nonCFW Compatable Models)' started by NewFile, Sep 23, 2018.

  1. NewFile (Developer)
    Can't even believe it myself! It's working.

    Updating in a bit, writing the full explanation.
     
    Last edited: Sep 23, 2018
  2. NewFile (Developer)
    I am sorry for not updating earlier but the thrill of this caused me to have some fun.
    This should be a great help to the PS3 HAN community.
    The idea:
    In /dev_flash/vsh/resource/silk_webkit/data you will have webcoreapp.bin
    This binary file is a container. It mostly contains different language strings used by the browser. The beauty of it is the famous errors: Can't display page, wrong certificate, etc., the usual.
    So let's say we want to access HAN but we don't have internet. We get "The page cannot be displayed." or check settings or whatever. But even this message is HTML, just like in your browser: when you have no internet, the page that notifies you to check your internet settings exists somewhere in the browser resources as an HTML file and it's served to you.
    Apparently the PS3 browser seems to simply echo/print the raw text of these errors in the document. That's why you see such ugly error code messages. Trying to simply edit one of the strings does seem to work. Sadly, I am limited in the number of characters and can't extend more.
    The most common line is "The page cannot be displayed ERROR CODE". I would simply try to access a nonexistent site (www.ps3fsdggfdhrthfbynhytjnty.com) and would get that message.
    Sadly, it had a limit and we could not do much. So I reversed the format and wrote a utility for reading the strings and for updating them. It's not perfect but it works. It has a bug for updating the very first entry and does not update the images. But never mind, it seems to work fine for our purpose and I do not have much time right now.
    The little attached utility requires the .NET Framework. Load the .bin file and after saving a new_xxxxx.bin file will be created. Again, it's buggy (after saving, load the new file to see if it displays well) but who cares, it does the work for now.
    What should HAN users do?
    *Get a 4.82 webcoreapp.bin (simply extract it from the official firmware PUP; it's in /dev_flash/vsh/resource/silk_webkit/data)
    *Use the editor to find the string that you want to change. What string? If you are offline and the error code is check DNS or settings, or whatever, just look for that string. If your console language is different than English then edit the corresponding one.
    Double click the Data cell of the row to edit. I recommend you write the HTML in a proper editor and then simply clear the line and paste the text. Press save, and then reload the new file to see if it works.
    *Replace the webcoreapp.bin in /dev_flash/vsh/resource/silk_webkit/data
    The PS3Xploit team has managed to inject coldboots and much more into the flash so this should be really simple for them to offer as a feature.
    That's it. If you are offline and go to the browser, you won't see that ugly error code anymore but the HTML you input.
    You can input full HTML code.
    Character limit should be around the max of Int32: 2147483647
    HTML should keep all files internal. You must copy all .js code into the script tag in the HTML file. However you may try loading script from the same dir. See what happens.
    Try to minify when possible. Especially JS, it will be faster for everything.
    This should work for other .bin files but it's not perfect. @sandungas, we might need to update the wiki with the format.
    Well, long live the scene!
     
    Last edited: Mar 22, 2019
  3. sandungas (Moderator, Developer)
    Cool, replacing one of the error messages :)
    I need to take a look at the wiki to see if there was some info about this file, to update it, or to create a new section/page for it
     
  4. NewFile (Developer)
    There is none, it seems to be a custom container for nas, silk_nas and silk_webkit with SILKPADD as magic, hence the editor name.
     
  5. esc0rtd3w (Developer)
    Excellent job, sir :cool:

    This is a wonderful idea with some potential, and you made an editor :) Will the source be open on GitHub?

    A welcome addition to the PS3 hacking scene!
     
  6. bguerville (Moderator)
    Clever. Triggering specific errors to load specific html pages. I like it a lot. ;)

    Unlike the bookmarks.xml, this might actually work out to implement local versions of each exploit. We would need to clarify the possible size limitations in place for that bin file & its contents...
     
  7. lmn7 (Developer)
    Nice find, and good work on the tool. I tried something similar with the XMBL flash files, loading html or js through a localized string. Didn't work though.
     
  8. sandungas (Moderator, Developer)
    I'm looking at the file in a hex editor, and the structure needs to be explained in detail, so I think we can make a dedicated page for it. I can prepare it but you are going to need to edit it at some point to complete it :)

    I liked the list of language IDs in "2 characters" format btw... this "2 characters" format for language IDs is a bit confusing because there are some parts of the firmware where different characters are used

    Btw, which character encoding is it using? I see some characters represented by 2 bytes
    Do all languages use the same character encoding? Is there some place in the file where it tells the character encoding for each language?


    Edit:
    The file contains 14 PNG images at the end... wtf is that?
    So the file is not dedicated to language only... it contains other stuff for the web browser

    Edit2:
    The last 2 PNG images are a horizontal bar of 21x1 pixels with a gradient of grey tones; they seem to be assets for the web browser (scrollbars, or frame borders scaled in real time to huge size, or things like that)
    14 is not much... but I guess these images can be replaced to "pimp" the web browser :)

    Edit3:
    This is the first image at 1600x zoom (21x21 pixels originally)


    Edit4:
    Every string
    4 bytes = string length (including the null termination)
    next bytes = string
    1 byte = NULL termination


    Every image
    4 bytes = length of the string that comes immediately next (always 0x00000008 for CEBinary)
    8 bytes = some codename (always "CEBinary")
    2 bytes = padding? (always 0x0000)
    4 bytes = length of the string that comes immediately next (always 0x00000009 for image\png)
    9 bytes = some codename (always "image\png")
    4 bytes = file length
    next bytes = file


    Edit5:
    I'm taking notes to keep a record and eventually to create the page in the wiki; if someone can help me identify what I'm marking as "unknown", please tell :P

    File header
    4 bytes = magic1? (always "SILK")
    4 bytes = magic2? (always "PADD"), I'm separating them just because the "magic" is usually 4 bytes
    4 bytes = entry number? (0x00000101 = 257 entries in the index table)
    4 bytes = padding? (always 0x00000000)

    Header is in big endian, length is always 0x10

    Every entry in the index table at top
    4 bytes = unknown (an ID?)
    4 bytes = absolute offset of the data (either a string or a file)
    4 bytes = data length

    This table is an index for all the strings and all the files
    Starts at absolute offset 0x10
    All values in the table are in little endian
    There is no gap or padding at the end of this table; immediately after it the "string datas" start



    Edit6:
    It seems the first 3 strings are common (used by all languages)
    The 14 images are also common for all languages
    There are 20 languages
    The file has 257 entries - 3 common strings - 14 images = 240 text strings

    240 / 20 languages = 12 text strings for each language
     
    Last edited: Sep 24, 2018
  9. SoJustMe (Forum Noob)
    So we can use HAN with no internet just by installing the update that has been edited? Then try this error to exploit?
     
  10. NewFile (Developer)
    My time is really limited these days so I have not been able to reply.

    @sandungas, yes it contains images. If you read my initial post I stated:
    The main reason for not dealing with pictures was because I was using a DataGridView to display strings and there was simply no way to display an image.
    And even with the creation of the new file, I would simply copy the header and then do the calculation for each row of the table. I simply wanted to test my idea so I quickly reversed it and ignored some things; we will update further. @esc0rtd3w, yes I will share the source code but right now it's a whole mess, I wrote it in a few hours really quickly and I need to update it.

    These .bin files are containers. @sandungas, you don't have to think of them as related to language settings. Not at all, think of them as a container. A container of entries and not of files. Each of them we will call entries for now.

    Making some corrections to the format:

    File header
    8 bytes = magic? (always "SILKPADD"), this can be confirmed by having another look at the .bin files.
    2 bytes = padding most likely. It's always zero.
    4 bytes = number of entries or filenums as you would call it.
    2 bytes = more padding? It's always zero.
    4 bytes = Root ID, this is what I prefer to call the Root ID and below I will explain why. This number is not important for us right now so we can always leave it like it is.

    Every entry in the index table at top
    4 bytes = absolute offset of the data (either a string or a file)
    4 bytes = data length, I like how you said DATA here, because it will always be data despite the fact of how we interpret it.
    4 bytes = the entry ID. This must be the entry ID. It can easily be proven because looking at the editor you can see how they come incrementing for specific segments (same language strings). If you open other .bin files (HTMLUI, HTML App), you will prove my theory. The ROOT ID in one of them is 2001 and then the entries start from 2002, 2003, 2004, etc.... This has to be an ID because even if you replace the .bin file while the browser is open and the error has appeared, you will see the new error that you edited will appear. In other words the browser continuously accesses these containers for the resource that it needs.

    I do not know the encoding used in these strings. In my editor I use UTF8 for reading and writing these strings.

    Coming to the data segment. First the entry is read based on the offset value and its size. However, this is not directly the real data but the entry data.

    The entry "DATA":
    1 byte - always zero so far, unk
    1 byte - always zero so far, unk
    1 byte - multiplier, the value of this byte is multiplied by 256
    1 byte - the remainder, this is added to the value above.

    In other words, the proper way to get the size of the real data is: (3rd byte value * 256) + (4th byte value)
    For sizes < 255(6) the structure is 00 00 00 size, while for more than that it is 00 00 multiplier remainder

    Don't ask me why it is like this, it's really strange but I can confirm that it is this way. It's possible the first 2 bytes also serve as multipliers.

    Then the real data is read. If the size of data (null terminated) = size of entry - 4 then it's parsed as a string. However, if the length calculated from the four bytes is smaller than (size of entry - 4) then the browser will do further processing. There is a special case here:
    For binary, the 4 bytes are 00 00 00 08 and they only display CEBinary. This combined with the fact that the original entry size is way bigger, the browser can tell the header, CEBinary, and then further proceed reading it.

    In this case CEBinary is png, but it can also be gif. In the other .bin files, of webkit, of silk and silk_nas (they all work with the editor, you are not limited to one file) they may display as CEDialog, CECompoent etc.

    Yes, you can use these files to mod the browser icons, gifs, strings etc, you are not really limited to error codes. Who is up for a community of browser mods lol?

    There can be some pretty good options here; there are some interesting strings. We can try buffer overflowing as well. Our options are numerous.
     
    Last edited: Sep 25, 2018
  11. NewFile (Developer)
    I forgot to answer this but yes, this can be used for a full HAN. If offline it has the benefit of the page being loaded directly with no previous pages clogging the memory, which is a must for the webxploits' success rate.
     
    Last edited: Sep 25, 2018
  12. nCadeRegal (Moderator)
    Cool stuff here man. Curious to see what comes of this.
     
  13. SoJustMe (Forum Noob)
    That's great!!
    Do we no longer need to re-enable HAN every time? I hope only once, offline, with a system update that has been edited and injected with HAN
     
  14. sandungas (Moderator, Developer)
    I only dedicated one day to looking at the file so I'm not going to insist on it for now; I will take another look at the file later
    But I think this is what is causing the bug at getting the first entry (the string "Test" iirc)
    The way I see it, the first 4 bytes located at 0x10 (where the index table starts) are the ID of the first entry

    Because you are "displacing" the whole table 4 bytes... you are "interfering" with the first data entry (the string "test"); this is why you had a bug with the first data entry
    Also, if I'm right... I think it is better to display the info in the GUI with the ID most at left, in this order:
    ID - start - size - data

    Also, for the "size" I think it is better to display the size of the real data (instead of the size that appears in the index)
     
  15. sandungas (Moderator, Developer)
    Please review these calculations:

    The index table starts at absolute offset 0x10
    We have 0x101 entries in the index table, and every entry is 0xC in size

    So the whole size of the index table is:
    0x101 * 0xC = 0xC0C

    There is no gap or padding at the end of the "index table", so the "data table" starts immediately after, in other words:
    index_table_start_offset + index_table_size = data_table_start_offset

    So... the first "data" (the string "Test") starts at absolute offset:
    0x10 + 0xC0C = 0xC1C
     
    Last edited: Sep 25, 2018
  16. NewFile (Developer)
    Dear @sandungas, you are right. This was silly of me to think of it this way. I will correct it, although I did not notice this :) When I said I had a problem with the first string I meant after the file was updated. But yeah, will fix them later on.
     
    Last edited: Sep 25, 2018
  17. bguerville (Moderator)
    @sandungas
    For better documentation, as obviously editing one or more of those 64kb max pages to get a different outcome is only interesting if you can load it/them, it could be very helpful to add ways to trigger each error, whether it's a js command or a setting to change.
    Just an idea... ;)
     
  18. sandungas (Moderator, Developer)
    Nice, we are moving on :)
    I edited my previous message btw, trying to explain it a bit better

    I have to say also that you are right in how to deal with the "datas"... but take another look at what I said, it fits too for webcoreapp.bin

    For a fast test, search for this pattern (this is what I did to realize how much it was matching with the others and to crop some images manually): 0x00000008434542696E617279000000000009696D6167655C706E67
    It contains the "CEBinary" and is repeated 14 times (one for every PNG file) :)
    After it come 4 bytes that indicate the size of the PNG file, so basically the structure is this:

    0x00000008434542696E617279000000000009696D6167655C706E67
    4 bytes (indicates PNG size)
    lot of bytes (the PNG file)
    0x00000008434542696E617279000000000009696D6167655C706E67
    4 bytes (indicates PNG size)
    lot of bytes (the PNG file)
    0x00000008434542696E617279000000000009696D6167655C706E67
    4 bytes (indicates PNG size)
    lot of bytes (the PNG file)
    0x00000008434542696E617279000000000009696D6167655C706E67
    4 bytes (indicates PNG size)
    lot of bytes (the PNG file)

    And so on...
    So for rebuilding purposes we don't really need to know how it works, because it is static :)
    It's better to find how it works, sure, and I think you're on the right road

    To think about this it is better to think of how the file is processed by the PS3
    When the PS3 reads the "index table" it doesn't know (yet) if the data is a string or a file
    So... the next step, when processing the first bytes of the metadata for the "data" entry, is common (for strings and files)
    This is the point where the PS3 realizes if what it is reading is a string or a file
     
  19. sandungas (Moderator, Developer)
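Pulling the format notes from posts 8, 10, 15 and 18 together, here is an added Python example (not NewFile's editor and not any Sony or PS3Xploit code) that builds a small SILKPADD container from constructed test data and parses it back with bounds checks: a 0x10-byte big-endian header, an index at 0x10 of 0xC-byte little-endian entries (ID, offset, length), string entries whose 4-byte inner length includes the NUL, and CEBinary entries laid out exactly as the hex pattern quoted above. Two details the thread does not state are assumptions here: the PNG size field is read big endian, and the index length of a CEBinary entry covers the whole blob.

```python
import struct

MAGIC = b"SILKPADD"         # "SILK" + "PADD": the first 8 bytes of the file
HEADER_SIZE = 0x10          # header is always 0x10 bytes, big endian
INDEX_ENTRY_SIZE = 0xC      # id, absolute offset, length: 3 x 4 bytes, little endian
CEBINARY = struct.pack(">I", 8) + b"CEBinary" + b"\x00\x00"   # length, codename, padding
PNG_TAG = struct.pack(">I", 9) + b"image\\png"                # length, codename (literal \)

def data_table_offset(entry_count):
    """Start of the data table: 0x10 + entries * 0xC (0xC1C for 0x101 entries)."""
    return HEADER_SIZE + entry_count * INDEX_ENTRY_SIZE

def build_container(entries):
    """entries: list of (entry_id, payload); str -> NUL-terminated string entry,
    bytes -> CEBinary/image\\png entry. Used only to make constructed test data."""
    blobs = []
    for _, payload in entries:
        if isinstance(payload, str):
            s = payload.encode("utf-8") + b"\x00"      # length field includes the NUL
            blobs.append(struct.pack(">I", len(s)) + s)
        else:                                          # PNG size big endian: assumption
            blobs.append(CEBINARY + PNG_TAG + struct.pack(">I", len(payload)) + payload)
    index, pos = b"", data_table_offset(len(entries))
    for (eid, _), blob in zip(entries, blobs):
        index += struct.pack("<III", eid, pos, len(blob))
        pos += len(blob)
    return MAGIC + struct.pack(">II", len(entries), 0) + index + b"".join(blobs)

def _parse_cebinary(entry):
    """One CEBinary entry -> file bytes; ValueError on any layout mismatch."""
    hdr = CEBINARY + PNG_TAG                           # the 27-byte pattern quoted above
    if entry[:len(hdr)] != hdr or len(entry) < len(hdr) + 4:
        raise ValueError("not a CEBinary/image\\png entry")
    size = struct.unpack(">I", entry[len(hdr):len(hdr) + 4])[0]
    if len(hdr) + 4 + size != len(entry):              # assumption: index length covers all
        raise ValueError("PNG size does not match index length")
    return entry[len(hdr) + 4:]

def parse_container(buf):
    """Return [(entry_id, kind, value)], refusing anything out of bounds."""
    if len(buf) < HEADER_SIZE or buf[:8] != MAGIC:
        raise ValueError("bad magic")
    count, _pad = struct.unpack(">II", buf[8:HEADER_SIZE])
    data_start = data_table_offset(count)
    if data_start > len(buf):
        raise ValueError("index table runs past end of file")
    out = []
    for i in range(count):
        at = HEADER_SIZE + i * INDEX_ENTRY_SIZE
        eid, off, size = struct.unpack("<III", buf[at:at + INDEX_ENTRY_SIZE])
        # the offset must land in the data table and the entry must stay inside the file
        if size < 4 or off < data_start or off + size > len(buf):
            raise ValueError(f"entry {eid:#x}: data out of bounds")
        entry = buf[off:off + size]
        inner = struct.unpack(">I", entry[:4])[0]    # (3rd byte * 256) + 4th byte, generalised
        if inner == size - 4:                        # string: inner length fills the entry
            if not entry.endswith(b"\x00"):
                raise ValueError(f"entry {eid:#x}: string not NUL terminated")
            out.append((eid, "string", entry[4:-1].decode("utf-8")))
        else:                                        # inner length shorter: CEBinary header
            out.append((eid, "binary", _parse_cebinary(entry)))
    return out

def is_well_formed(buf):   # True when the container parses cleanly
    try:
        parse_container(buf)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False

# constructed sample: two strings and a fake PNG, not taken from any firmware file
SAMPLE = build_container([(0x7D1, "Test"),
                          (0x7D2, "The page cannot be displayed."),
                          (0x7D3, b"\x89PNG\r\n\x1a\n" + b"\x00" * 20)])
```

Feeding a real webcoreapp.bin to parse_container would show where the 257-entry arithmetic from post 15 holds and flag any entry whose index length disagrees with the inner length, which is the kind of mismatch an editor should refuse to write back.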
    Not sure if I got what you mean, but I think there are only 12 error messages (repeated for 20 languages), and I'm not so sure how useful the others are going to be; I'm not sure when they are triggered

    The most important "unknown" at this point are the IDs for every entry... they are obviously IDs because the PNG files don't have a filename (so there is no other way to identify PNG files, other than their ID, or their position inside the webcoreapp.bin structure, but identifying them based on the position is retarded, Sony would not do this... so yeah it is an ID for sure)
    I guess it is the web browser that "searches" for these IDs but how is it made? Maybe there is a huge list of IDs somewhere in the source code, or they are working as references, or dunno
    Knowing that could unlock some surprises :)

    Edit: I mean... by adding other IDs to the file (to do different things), either to display text messages, or to load files

    NewFile mentioned one (GIF support), I'm wondering where you found this? You mentioned other files but which ones?
    Btw... can you make a list of other files using this same structure?
    This is something important to know to decide how to publish all this info in the wiki; for now it could fit in a wiki page named "Silk container"... but only if the other files share the magic "SILK" (or "SILKPADD")
     
    Last edited: Sep 25, 2018
  20. bguerville (Moderator)
    What I meant was that for editing purposes, testing & whatever implementation, it's good to know how to trigger each of the 12 errors!
    For instance, one of them (iirc, it's the first "The page cannot be displayed" error in the bin file) seems to be triggered when you load a page from an existing IP address but without a server listening on the expected port.
    Therefore, if we have a PC on 192.168.0.1 where no server is listening on the 6969 port, the error should be triggered from js with
    javascript:window.open("http://192.168.0.1:6969","_self");
    or using
    http://192.168.0.1:6969
    in the browser.

    It would be helpful to collect the data about how to trigger the 11 others & add that data to the wiki, as without it, it would be hard to use webcoreapp.bin for anything... ;)
    I realise that you don't have this data at the moment but it might be good to add placeholders for it so that details can be added as we go along?

    Currently, I think this method is the best choice we have for a local exploit implementation. Unlike bookmarks & other methods to persist the data that can be used to achieve the same kind of goal but under heavy constraints, webcoreapp.bin provides a reliable way to store up to 64kb of code. Additionally, webcoreapp.bin cannot be erased accidentally by the user.

    Now to implement something decent, we need to find ways to trigger not just one but all those errors, like I explained above. If we do find appropriate js trigger calls, with 12 error pages, I could make a local toolset with up to 10 or 11 local exploit pages 4.0 style which each require between 128kb & 192kb once optimised & minified. The local toolset could even easily be multilingual as error pages are already implemented in several languages in the bin file, loading according to the XMB language settings.
     
    Last edited: Sep 25, 2018