[Tutorial] PSN Bypass Techniques and Setting Up Development/Debugging Environment

Discussion in 'Tutorials & Guides' started by esc0rtd3w, Apr 1, 2017.

  1. bguerville Moderator
    If you want to resign for an earlier version & cannot use the template for that reason, you should fall back to the -i option with the original file to get all the SCE information needed to resign!
    Code:
    scetool -i eboot_original.bin
    Another option that might work would be to use an older eboot.bin from previous releases with the template option because it's likely that the same template is still being used.
    Last edited: Jul 22, 2017
  2. esc0rtd3w Developer
    Thanks for the tip. I ended up accidentally fixing the issue... 2 posts back.
  3. bguerville Moderator
    Lol...
    Btw it would be quite easy to tweak scetool & create a new option to extract to file/screen the signing information that the template option uses... Hell, you could even make it produce a ready-to-use batch file that you could manually tweak if required...
    Last edited: Jul 22, 2017
  4. esc0rtd3w Developer
    OK MY PEEPS!!!

    I think I got it... here are some test files. I am making new packages now for all regions and testing.

    ignition--ELF--test1.zip
    ignition--ELF--test2.zip
    ignition--ELF--test3.zip <-- THIS ONE WORKS FOR ME... AT LEAST THE PSN NAG SCREEN IS BYPASSED

    The ELF is the same for all regions (I think), but this one is from the NPEB00344 package.

    Will post new packages to test here and in the OP when ready!

    EDIT #1: Here is a test package to try out for people not wanting to sign the ELF and copy it manually:
    Amazon-Instant-Video-v4.01-[NPEB00344]-NoPSN--test1.pkg

    EDIT #2: For the curious... [image]

    EDIT #3: HOLY SHIT! The website is back up!!

    I have been pulling out all my hair over the past few days... I had the Amazon app working, so I posted the files (above), then after trying again I started having the same issues that I had before, black screen or freezing. So now I am not sure if I even have the right offset anymore!

    Can some people try out the package and see if it works for them??

    Thanks :worked till 5am:
    Last edited: Jul 25, 2017
  5. Rajesh Dutta Forum Noob
    Hi esc0rtd3w,

    I tried your test app and the no-PSN app from your Mega drive folder... getting a black screen and console freeze. I tried to patch the original ignition.self as you mentioned below in the NextGenUpdate forum and resign it as I did previously, but still the same black screen and console freeze...

    Details
    Patch Type: EBOOT
    Target: /USRDIR/bin/ignition.self --> ignition.elf
    Offset: 0x3CF73C
    Original: 41 82 00 24
    Modified: 40 82 00 24

    But I am wondering how it worked once for you... can you repeat the same steps you followed when you found this location to patch? Maybe you patched something more along with this one.

    Thanks
  6. esc0rtd3w Developer
    I am assuming that I saved the wrong offset for the ELF file when I was testing and it booted up past the PSN login. After so many black screen freezing issues, I get super frustrated and STOP!!!

    I don't know... have to play with it some more, I will see what I can do.

    That should be the area that needs to be patched though. Somewhere in that region of messy code!!!

    EDIT #1: The test3 ELF above is the same one I thought had the correct offset, and is the same one posted on NGU. I'll have to fix the links when I get it patched properly.

    EDIT #2: OK... I am again getting black screen freezing on the original resigned EBOOT, I have no idea why. Basically this means that even if the patch worked, I would never know. So, instead of me testing and patching and freezing and restarting over and over again for seemingly no reason, I am going to post a collection of patched ELF files for the community to try out and see what effects they have. I can't think of a better way until I resolve my freezing issue. I have reinstalled the firmware and formatted several times. I am still running Rebug 4.81.2 on a 2501B Slim console. It's a mystery :indecisiveness:

    EDIT #3: Here are some ELF files to test. Please let me know if any of them work or if they go black screen/freeze, etc. Thanks :eagerness:

    ignition--test-patch-3CE390.zip
    ignition--test-patch-3CF288.zip
    ignition--test-patch-3CF2A8.zip
    ignition--test-patch-3CF3D8.zip
    ignition--test-patch-3CF6C8.zip
    ignition--test-patch-3CF7C0.zip
    ignition--test-patch-3CF720.zip
    ignition--test-patch-3CF830.zip
    ignition--test-patch-3CF830+3CF73C.zip
    ignition--test-patch-3CF830+3CF73C+3CF720.zip
    ignition--test-patch-3CF90C.zip
    ignition--test-patch-3CF920.zip
    ignition--test-patch-3D0D58.zip
    ignition--test-patch-3D0FD0.zip
    ignition--test-patch-3D0FD4.zip

    Most of the patches are either bit-flipped (BNE/BE) or NOP variants. At least if none of these work, then I can move to another area and thought pattern!!
    Last edited: Jul 27, 2017
  7. kozarovv Super Moderator
    @esc0rtd3w maybe with your knowledge and skills it is easier to patch the NP modules in firmware to always return "logged in", instead of patching several apps? :)

    All should be in dev_flash/sys/external/libsysutil_np2.sprx and/or libsysutil_np.sprx, as those are the modules called when an app asks for login.
  8. esc0rtd3w Developer
    Thanks, and I've thought of that, but that would still require patching the flash (for the end user), which most people are nervous about. I may do it for fun one day though! I think having the apps patched individually is better overall, for the average person anyway.

    EDIT: On a side note, some apps do not require patching an executable (ELF, PRX, etc.) and can be bypassed using config or JavaScript files. Granted, most apps require an EBOOT patch or similar.
    Last edited: Jul 27, 2017
  9. bguerville Moderator
    Well, patching flash files manually makes some people nervous, which is understandable, but at the end of the day Cobra, Mamba, Rebug Toolbox & backup managers all patch flash files regularly behind the scenes anyway.
    Such a patch could easily be added to the Rebug Toolbox, which already has all the framework ready for system SPRX patching... Or even to xai_plugin...
    Last edited: Jul 27, 2017
  10. esc0rtd3w Developer
    I like the idea of adding it to the Rebug Toolbox or similar. I started a project not too long ago, nopsn-sprx, that I haven't updated in some time, which uses an SPRX to patch the PSN check in memory. But I was testing with the EBOOT patched to look for the SPRX, not using it as a plugin. Good ideas :quartet:
  11. bguerville Moderator
    So far, except for Joonie, nobody has made any additions to the Toolbox since the source was released..
    Some users asked if a Mamba loader/autoloader could be added. It's a valid proposal that may be worth considering.

    However, an NP patch, if found reliable, would be a very nice feature to add... The added code would be reduced to a minimum as all the patching functions are there. With a bit of luck you will be able to use a static hash.
    I think the Toolbox is a good place for it tbh.
  13. catalinnc Member
    @esc0rtd3w

    I am back...

    I looked at your Amazon-Instant-Video-v4.01-[NPEB00344]-NoPSN--test1.pkg and I see that it is incomplete...

    It is missing folders inside USRDIR: "data", "Fonts", "lib" and "SSL"...

    I also looked at ignition.self and found that it is not properly re-signed...

    The other SELFs are genuine...

    To make sure you don't get a black screen again, do this...

    1st, delete the Amazon Video app from your PS3...

    Get my properly re-signed pack and install it on the PS3 (follow the instructions inside)...
    Code:
    http://www120.zippyshare.com/v/5X1oktmU/file.html
    Start it to make sure it is working (until it asks for PSN login)...

    On your PC, extract ignition.self from EP4183-NPEB00344_00-LOVEFILMFULL0100.NO.PSN.FiX.[3F0688C8].pkg...

    Back up and decrypt it with these lines...
    Code:
    copy /b /v ignition.self ignition.self.backup
    scetool.exe --verbose --raw --np-klicensee=00000000000000000000000000000000 --decrypt ignition.self ignition.self.elf
    copy /b /v ignition.self.elf ignition.self.elf.backup
    pause
    Patch the ignition.self.elf for no PSN...

    Properly re-encrypt ignition.self.elf with this line...
    Code:
    scetool.exe --verbose --skip-sections=FALSE --sce-type=SELF --self-type=NPDRM --self-fw-version=0003004000000000 --key-revision=04 --np-content-id=EP4183-NPEB00344_00-LOVEFILMFULL0100 --np-klicensee=00000000000000000000000000000000 --np-app-type=SPRX --np-license-type=FREE --np-real-fname="ignition.self" --self-auth-id=1070200057000001 --self-vendor-id=01000002 --self-app-version=0001000000000000 --self-ctrl-flags=0000000000000000000000000000000000000000000000000000001000000000 --self-cap-flags=00000000000000000000000000000000000000000000003B0000000100002000 --compress-data=TRUE --encrypt ignition.self.elf ignition.self
    pause
    Replace the ignition.self on the PS3 HDD with the patched one...

    Good luck...
  14. catalinnc Member
    @Rajesh Dutta

    I made an all-in-one pkg with v3 of the ignition.elf to test it (0x3CF73C_0x40)...

    Just install it and let me know...
    Code:
    Amazon Video App v4.01
    EP4183-NPEB00344_00-LOVEFILMFULL0100.v4.01.NO.PSN.FiXED.0x3CF73C_0x40.[B4031BA5].zip
    http://www1.zippyshare.com/v/uCmrGn5E/file.html
    Last edited: Jul 29, 2017
  15. Rajesh Dutta Forum Noob
    Thank you catalinnc... Let me download and try to install your package... :)
  16. esc0rtd3w Developer
    Are these created after an initial successful launch? These are not actually included in the original package from Sony.

    What do you mean by this?

    Thank you for fixing this issue for me!

    I am downloading your files to test.

    I also see that you are replacing the EBOOT.BIN, \com.amazon.ignition.framework.javascript-bin\mozjs24.sprx, and \com.amazon.ignition.framework.player-bin\playready\cachemgr.self. What has been modified in these?

    I also see you added \data\cachemgr\cachemgr.self, \data\config\spark.cfg.sdat, and \lib\webkit.sprx. Are these created at launch?

    Thanks again. Will post my results.
  17. Rajesh Dutta Forum Noob
    It's working... :) :) just need to press the circle button when the PSN sign-in shows... it's working perfectly... :) :)

    @esc0rtd3w brother, you can upload catalinnc's package as the no-PSN package...

    @catalinnc Great work bro... :)
  18. esc0rtd3w Developer
    @catalinnc quick question, or two :biggrin2:

    1) Why are there more files ("data", "Fonts", "lib" and "SSL") in the full package and not in the PSN fix package? And are these generated at runtime (I know, I already asked... lol)?

    2) What was modified in EBOOT.BIN? All the other files should be the same for other regions. I was going to take your added files and the resigned ignition.self to create other region packages, but cannot use the EBOOT for obvious reasons.

    Thanks
  19. esc0rtd3w Developer
    @Rajesh Dutta yes, I will add the package built by @catalinnc for the EU region, and create other packages for US and JP.

    @catalinnc credit will be added to this thread and my NGU thread for help with this app.
  20. catalinnc Member
    Thanks a lot to @esc0rtd3w for fixing the ignition.elf and @Rajesh Dutta for testing...

    The files in the pkg are just the ones from the Amazon Video app (PSN link) merged with the ones from the latest 4.01 update...

    The only files modded are NPEB00344\USRDIR\bin\ignition.self and NPEB00344\USRDIR\data\config\spark.cfg.sdat ("requirePSN" : false, - but I am not sure if this is really needed!)

    The other SELF/SPRX files are re-signed for a lower CFW...