PS3 [Tutorial] Dump PSID From OFW Using Netflix and DTU

** I AM AWARE THERE ARE OTHER METHODS TO GET THE PSID! I WAS NOT AWARE OF THESE AT THE TIME OF CREATING THIS. IF HAVING AN ALTERNATIVE OPTION IS OFFENSIVE TO YOU, THEN THIS IS NOT FOR YOU. THANK YOU! **

Ok, this is yet another side project that I have been wanting to test more, and that day has come!! I have tested this on OFW 4.81, and it does indeed dump the correct PSID, verified by checking on the CFW console. This will allow you to dump the PSID from an OFW console. Yes I know, this IS NOT the coveted IDPS, which is the Console ID itself, but this is a unique number per console. I do not know much about what can be done with it alone, but it's "half" of your console's unique ID.


Important Details:
  • I tested using the NPUP00030 version of Netflix. I have updated the scripting to allow region selection since the initial release.
  • YOU DO NOT NEED A NETFLIX ACCOUNT OR INTERNET ACCESS FOR THIS TO WORK
  • I SHOULD WARN THAT THE CFW CONSOLE HDD GETS ERASED DURING THIS PROCESS!!!
  • BONUS: I have a private method that may be able to dump the IDPS on OFW 4.81. This method will NOT be disclosed until further testing has been done.

Here are some screenshots. It requires a CFW console using the DTU method.

Now, the screenshots will give you an idea of what is going on, but basically Netflix generates a PSID.dat file located at "/dev_hdd0/game/NPUP00030/USRDIR/APPDATA". I am using the DTU method in 2 ways: first, I am using it to push Netflix onto the OFW console (although this just makes it easier) and then run the app on OFW to generate the PSID.dat. Next, you do a "reverse DTU" from the OFW to the CFW console (this has many other benefits that I will not get into at the moment).

GitHub Source: https://github.com/esc0rtd3w/ps3-ofw-psid-dump-tool
Releases: https://github.com/esc0rtd3w/ps3-ofw-psid-dump-tool/releases
 
@bguerville what are these 4 browsing modes you speak of? lol
They are described in detail in the sdk.
One mode is the full browser, another is the full renderer which can be opened in-app etc.. There are different limitations in each mode.
That's why you can use 2 different sprx to start what appears to the user as a nearly identical browser on screen but it's not the same thing.
Try opening webbrowser_plugin.sprx & then try opening webrender_plugin.sprx, you will see a browser each time but with subtle differences...
 
Dude post 3.55 exploit would be the greatest thing since sliced bread. All ps3 models running rebug, a guy can dream can't he?
Well, the CTurt style dual hack would jailbreak those ps3 models but that would not allow users to install a CFW like Rebug. At least not as-is.
A complete framework like Taihen would be needed to approach CFW environment status. Still such a JB would be better than no JB for those post 3.55 models & it would open the door to many things on those consoles...
 
I created a GitHub project forked from Cryptogenic, which was forked from the original qwertyoruiopz PS4 PoC.

I have started modifying the basic things. I have updated the syscalls to include "sys_ss_get_console_id": 870 and "sys_ss_get_open_psid": 872. I have not yet changed any of the ROP chain or the kernel and webkit module stuff. It only includes support for 3.55 and 4.81 for now. I have it detect the firmware version and change text to red or green if compatible, and updated some text.

This, of course, does not yet actually exploit or do anything cool!!! But it should be a good start to get webkit exploitation working on PS3. I will try to update it to include current exploits and any research I do will be added in note form.

https://github.com/esc0rtd3w/ps3-webkitsploit

With any luck, we can get Sony to update that ancient web browser in a 4.82 update!!! :welcoming:
 
Unfortunately s#ny will most likely never update the browser & if such an exploit pushed them to do something, it would probably be to apply the readily available vulnerability patch(es). Period... It would be a nonsensical update of course but as they often seem to impersonate the concept of "nonsense"...
Imho the problem of the browser at this stage is what limited its development & stopped any homebrew or port replacement project: the available RAM!
Look how big a Mozilla thread actually is on your PC! Even only with one tab open & already the PS3 would be near out of memory in a few clicks, especially in-app...
 
good point about the RAM. Since the PS3 has been EOL for a short while, we probably will never see another update. What's the point really (from Sony's view), it's expensive to pay devs to fix stuff for a 10 year old system, and we can just patch the PUP the same day for CFW and continue the cat and mouse game! But then again, Sony, as a company, is a prick!

EDIT: But speaking of, Sony (or Nintendo for that matter....lol) still can't fix WebKit on the PS4!!
 
good point about the RAM. Since the PS3 has been EOL for a short while, we probably will never see another update. What's the point really (from Sony's view), it's expensive to pay devs to fix stuff for a 10 year old system, and we can just patch the PUP the same day for CFW and continue the cat and mouse game! But then again, Sony, as a company, is a prick!
I agree.. It's EOL at this stage. My guess is that 4.81 is possibly the last fw release ever... It's good news in a way because everyone was sick of those useless updates that forced new cfw releases anyway.. Although the other side of the coin is that each new cfw version often brought a wave of new tools or tool updates...
 
good point about the RAM. Since the PS3 has been EOL for a short while, we probably will never see another update. What's the point really (from Sony's view), it's expensive to pay devs to fix stuff for a 10 year old system, and we can just patch the PUP the same day for CFW and continue the cat and mouse game! But then again, Sony, as a company, is a prick!

EDIT: But speaking of, Sony (or Nintendo for that matter....lol) still can't fix WebKit on the PS4!!

speaking of Nintendo, the rush of the Switch left it vulnerable to webkit exploits. apparently, the core os has been retrieved due to this as well as the trust zone. with the Wii U, Nintendo finally released an update (last month in fact) that patched the browser exploit. there's no reason to update though. that should've been done when breath of the wild came out. lol
 
@STLcardsWS Thanks!

@nCadeRegal Thanks for the reply. I have only dumped and tested 25xx and lower. I have a friend not too far away who dumped some 30xx and 40xx to get IDPS/PSID for me, before i got my own E3 flasher, so i assume this does work?!? A good test may be to dump a 30xx/40xx to get IDPS and then try some hackery to match it from another exploit or technique of some kind.

Been wondering this for a while now but can't find pinouts for reading the PS3 superslim NOR using teensy. Though I already got my IDPS before it got patched, I'm interested in doing this hard mod just to grab the IDPS on my other ps3
 
wait...let me get this straight...we need ofw ps3 and cfw ps3 hooked up, and a pc, then go through all those steps and get our cfw hdd wiped just to get the psid??

I give props to the OP for all this work, BUT if you just copy a game save (ANY game save) that's in the OFW ps3 to a usb drive, then put the usb in your pc and go to the folder where the save is and put the param.sfo from the save into the ps3 .sfo editor, then from the drop down window on the left select "PARAMS:PSID" -- doesn't that do the exact same thing?

It's been a while but I just did it right now with the psn game save of "shatter" and it literally took me like 30 seconds. And I didn't even have to turn on my cfw ps3 to do this :cool2:

 
wait...let me get this straight...we need ofw ps3 and cfw ps3 hooked up, and a pc, then go through all those steps and get our cfw hdd wiped just to get the psid??

I give props to the OP for all this work, BUT if you just copy a game save (ANY game save) that's in the OFW ps3 to a usb drive, then put the usb in your pc and go to the folder where the save is and put the param.sfo from the save into the ps3 .sfo editor, then from the drop down window on the left select "PARAMS:PSID" -- doesn't that do the exact same thing?

It's been a while but I just did it right now with the psn game save of "shatter" and it literally took me like 30 seconds lol. Isn't that the same thing or am I missing something? Because I didn't even have to turn on my cfw ps3 to do this lol
Like I already posted, none of these complicated steps are required to get the psid.
The psid can be obtained via public API, a simple html file with the right API call opened in the browser could display your psid...

However it's always a good thing to have alternatives, one never knows when they could become handy...
 
Like I already posted, none of these complicated steps are required to get the psid.
The psid can be obtained via public API, a simple html file with the right API call opened in the browser will display your psid...

yeah that's what I thought...I doubted myself since it's been a while so when I did it with the game save just now, out of the 30 seconds it took me...20 of those was the file "transferring" to the usb.
 
If you are curious about the technical data required to get some PSN account information on OFW & you have the sdk documents, you should look at the WebAPI pdf documents including Auth_WebAPI & User_Profile_WebAPI.

For years, various websites have been using this API to display their users' ps3 public profile & extract their psid.
 
It's not hard to bruteforce an idps
If someone codes for opencl and spreads the workload through the system it's really not gonna take a long time
http://www.psdevwiki.com/ps3/IDPS
Only 48 bits are to be bruteforced
I can't speak numbers but for example I have around 20 gpus (I use for mining), I'm pretty sure an opencl version of bruteforcer made by zeco will do the trick here
 
I agree habib but while distributed bruteforcing is a great potential solution, the issue would remain the same for most users because who will have access to the resources to run such a tool to extract their own idps?
It's not as if we had a folding@home special service for idps bruteforcing... Of course, it would be possible to construct an array of GPU & open it to users as a web service but that would be a tad costly... lol
 
ok, so I dumped the NOR with an E3 Flasher on my 3001 test OFW and got the IDPS with AldoTools ConsoleID. My question is....what can i now do with it as far as doing more stuff on OFW for testing purposes? Having the number should allow me to verify it if a software method to dump it does arise.

EDIT #1: Does act.dat also need pulled from OFW to do anything useful??

EDIT #2: I tried a few things, like changing the CFW IDPS to match the OFW and generated an act.dat from using normal PSN activation. Not sure if that is useful. I modified and resigned a couple game saves for OFW and got some freezing action going on, which is cool! There may be some potential there, but i cheated and got the IDPS from hardware flasher!

EDIT #3: I don't think act.dat can get transferred normally with DTU. I did not do any research...lol I tried activating a game with PSNPatch on CFW using OFW's IDPS and it created a rif, but after DTU, OFW still wanted activated.

EDIT #4: I have the IDPS and I still can't do anything cool yet on OFW......lol.....kidding.....on to the software research :quartet:
 
ok, so I dumped the NOR with an E3 Flasher on my 3001 test OFW and got the IDPS with AldoTools ConsoleID. My question is....what can i now do with it as far as doing more stuff on OFW for testing purposes? Having the number should allow me to verify it if a software method to dump it does arise.

EDIT #1: Does act.dat also need pulled from OFW to do anything useful??

EDIT #2: I tried a few things, like changing the CFW IDPS to match the OFW and generated an act.dat from using normal PSN activation. Not sure if that is useful. I modified and resigned a couple game saves for OFW and got some freezing action going on, which is cool! There may be some potential there, but i cheated and got the IDPS from hardware flasher!

EDIT #3: I don't think act.dat can get transferred normally with DTU. I did not do any research...lol I tried activating a game with PSNPatch on CFW using OFW's IDPS and it created a rif, but after DTU, OFW still wanted activated.

EDIT #4: I have the IDPS and I still can't do anything cool yet on OFW......lol.....kidding.....on to the software research :quartet:
For info, if you are not already aware of it, now that you have the idps you don't need to use DTU anymore, you can rely on ps3xport to inject your games...
 
now, that I think of it, I'm pretty sure what I was thinking of (the proxy thing) was for the idps since licensing involves the idps. too bad it no longer works. I was unaware of that.
 
