[Tutorial] PSN Bypass Techniques and Setting Up Development/Debugging Environment

bguerville · Jul 22, 2017

esc0rtd3w said:
I just installed Habib 4.70 1.01 CFW to test and it has the same freezing black screen......so.......

@Rajesh Dutta can you upload an EBOOT.BIN and IGNITION.SPRX unmodified and re-signed for me to see if it boots?

@catalinnc what are you re-signing with? can you post a link to your scetool and script (if used)??

for the record, I have only had issues with Amazon and Hulu, which I figured out the Hulu issue long ago for re-signing, but no PSN bypass, and the Amazon app looks easier to bypass but no re-signing?!?!?

If you want to resigned for an earlier version & cannot use the template for that reason, you should fallback to the -i option with the original file to get all the sce information needed to resign!

Code:

scetool -i eboot_original.bin

Another option that might work would be to use an older eboot.bin from previous releases with the template option because it's likely that the same template is still being used.

esc0rtd3w · Jul 22, 2017

thanks for the tip. I ended up accidentally fixing the issue....2 posts back.

bguerville · Jul 22, 2017

esc0rtd3w said:
thanks for the tip. I ended up accidentally fixing the issue....2 posts back.

Lol...
Btw it would be quite easy to tweak scetool & create a new option to extract to file/screen the signing information that the template option uses... Hell you could even make it produce a ready to use batch file that you could manually tweak if required...

esc0rtd3w · Jul 22, 2017

OK MY PEEPS!!!

I think I got it...here are some test files. I am making new packages now for all regions and testing.

ignition--ELF--test1.zip
ignition--ELF--test2.zip
ignition--ELF--test3.zip <-- THIS ONE WORKS FOR ME...AT LEAST THE PSN NAG SCREEN IS BYPASSED

The ELF is the same for all regions (i think :indecisiveness:

), but this is from the NPEB00344 one.

Will post new packages to test here and OP, when ready!

EDIT #1: Here is a test package to try out for people not wanting to sign the ELF and manually copy:
Amazon-Instant-Video-v4.01-[NPEB00344]-NoPSN--test1.pkg

EDIT #2: For the curious.....

EDIT #3: HOLY SHIT! The Website is back up!!

I have been pulling out all my hair over the past few days...I had the Amazon app working, so I posted the files (above), then after trying again, i started having the same issues that I had before, black screen or freezing. So now I am not sure if I even have the right offset anymore!

Can some ppl try out the package and see if it works for them??

Thanks :worked till 5am:

Rajesh Dutta · Jul 26, 2017

Hi esc0rtd3w,

I tried your test app and the no psn app from your mega drive folder.... getting black screen and console freeze ..... I tried to patch the original ignition.self as you mentioned below in nexgenupdate forum and resign as doing previously but still same black screen and console freeze...

Details
Patch Type: EBOOT
Target: /USRDIR/bin/ignition.self --> ignition.elf
Quoted Message

Offset: 0x3CF73C
Original: 41 82 00 24
Modified: 40 82 00 24

But I am wondering how it worked once for you.... can you simulate same steps which you followed when you find this location to patch..... May be you patched some thing more with this one.

Thanks

esc0rtd3w · Jul 26, 2017

i am assuming that i saved the wrong offset for ELF file when i was testing and it booted up past PSN login. After so many black screen freezing issues, i get super frustrated and STOP!!!

idk....have to play with it some more, i will see what i can do.

That should be the area that needs patched though. Somewhere in that region of messy code!!!

EDIT #1: The test3 ELF above is the same one (i thought) was the correct offset, and is the same one posted on NGU. Ill have to fix links when i get it patched properly.

EDIT #2: OK...I am again getting black screen freezing on original resigned EBOOT, I have no idea why. Basically this means that even if the patch worked, I would never know. So, instead of me testing and patching and freezing and restarting over and over again for seemingly no reason, I am going to post a collection of patched ELF files for the community to try out and see what effects it has. I can't think of a better way until i resolve my freezing issue. I have reinstalled the firmware and formatted several times. I am still running Rebug 4.81.2 on a 2501B Slim console. Its a mystery :indecisiveness:

EDIT #3: Here are some ELF files to test. Please let me know if any of them work or if they go black screen/freeze, etc. Thanks :eagerness:

kozarovv · Jul 27, 2017

@esc0rtd3w maybe with your knowledge, and skills is easier to patch NP modules in firmware to always return "logged in", instead of patching several apps?

All should be in dev_flash/sys/external/libsysutil_np2.sprx and/or libsysutil_np.sprx as those are modules called when app asking for login.

esc0rtd3w · Jul 27, 2017

Thanks, and I've thought of that, but that would still require patching the flash (for the end user), which most people are nervous about. I may do it for fun one day though! Having the apps patched individually I think is better overall, for the average person anyways.

EDIT: On a side note, some apps do not require patching an executable (ELF, PRX, etc) and can be bypassed using config or javascript files. Granted, most apps require an EBOOT patch or similar.

bguerville · Jul 27, 2017

esc0rtd3w said:
Thanks, and I've thought of that, but that would still require patching the flash (for the end user), which most people are nervous about. I may do it for fun one day though! Having the apps patched individually I think is better overall, for the average person anyways.

Well, patching flash files manually makes some people nervous which is understandable but at the end of the day, Cobra, Mamba, Rebug Toolbox & back-up managers all patch flash files regularly behind the scenes anyway.
Such a patch could easily be added to the Rebug Toolbox which already has all the framework ready for system sprx patching... Or even to xai_plugin...

esc0rtd3w · Jul 27, 2017

i like the idea of adding it to the Rebug Toolbox or similar. I started a project not too long ago nopsn-sprx that I haven't updated in some time, that uses an SPRX to patch PSN check in memory. But I was testing with the EBOOT patched looking for SPRX and not using it as a plugin. Good Ideas :quartet:

bguerville · Jul 27, 2017

esc0rtd3w said:
i like the idea of adding it to the Rebug Toolbox or similar. I started a project not too long ago nopsn-sprx that I haven't updated in some time, that uses an SPRX to patch PSN check in memory. But I was testing with the EBOOT patched looking for SPRX and not using it as a plugin. Good Ideas

So far, except Joonie nobody made any additions to the Toolbox since the source was released..
Some users asked if Mamba loader/autoloader could be added. It's a valid proposal that may be worth considering.

However, a NP patch, if found reliable, would be a very nice feature to add... The added code would be reduced to a minimum as all the patching functions are there. With a bit of luck you will be able to use a static hash
I think the Toolbox is a good place for it tbh.

esc0rtd3w · Jul 27, 2017

catalinnc · Jul 29, 2017

@esc0rtd3w

i am back...

i looked at your Amazon-Instant-Video-v4.01-[NPEB00344]-NoPSN--test1.pkg and i see that is incomplete...

is missing folders inside USRDIR: "data", "Fonts", "lib" and "SSL"...

also i looked at ignition.self and found that is not proper re-signed...

the other selfs are genuine...

to make sure you don't get black screen again do this...

1st delete the amazon video app from your PS3...

get my proper re-signed pack and install it on the PS3 (follow the instructions inside)...

Code:

http://www120.zippyshare.com/v/5X1oktmU/file.html

start it to make sure is working (until it asks for PSN login)...

on your PC extract ingition.self from EP4183-NPEB00344_00-LOVEFILMFULL0100.NO.PSN.FiX.[3F0688C8].pkg...

backup and decrypt it with this lines...

Code:

copy /b /v ignition.self ignition.self.backup

scetool.exe --verbose --raw --np-klicensee=00000000000000000000000000000000 --decrypt ignition.self ignition.self.elf

copy /b /v ignition.self.elf ignition.self.elf.backup

pause

patch the ignition.self.elf for no PSN...

proper re-encrypt ignition.self.elf with this line...

Code:

scetool.exe --verbose --skip-sections=FALSE --sce-type=SELF --self-type=NPDRM --self-fw-version=0003004000000000 --key-revision=04 --np-content-id=EP4183-NPEB00344_00-LOVEFILMFULL0100 --np-klicensee=00000000000000000000000000000000 --np-app-type=SPRX --np-license-type=FREE --np-real-fname="ignition.self" --self-auth-id=1070200057000001 --self-vendor-id=01000002 --self-app-version=0001000000000000 --self-ctrl-flags=0000000000000000000000000000000000000000000000000000001000000000 --self-cap-flags=00000000000000000000000000000000000000000000003B0000000100002000 --compress-data=TRUE --encrypt ignition.self.elf ignition.self

pause

replace on PS3 hdd the ignition.self with the patched one...

good luck...
_

catalinnc · Jul 29, 2017

@Rajesh Dutta

i made an all in one pkg with the v3 of the ignition.elf to test it (0x3CF73C_0x40)...

just install it and let me know...

Code:

Amazon Video App v4.01
EP4183-NPEB00344_00-LOVEFILMFULL0100.v4.01.NO.PSN.FiXED.0x3CF73C_0x40.[B4031BA5].zip
http://www1.zippyshare.com/v/uCmrGn5E/file.html

_

Rajesh Dutta · Jul 29, 2017

Thank you catalinnc... Let me download and try to install your package....

esc0rtd3w · Jul 29, 2017

catalinnc said:
@esc0rtd3w
is missing folders inside USRDIR: "data", "Fonts", "lib" and "SSL"...

Are these created after an initial successful launch? These are not actually included in the original package from Sony.

catalinnc said:
@esc0rtd3w
the other selfs are genuine...

What do you mean by this?

catalinnc said:
@esc0rtd3w
also i looked at ignition.self and found that is not proper re-signed...

...

to make sure you don't get black screen again do this...

...

scetool.exe --verbose --raw --np-klicensee=00000000000000000000000000000000 --decrypt ignition.self ignition.self.elf

copy /b /v ignition.self.elf ignition.self.elf.backup

pause[/code]

patch the ignition.self.elf for no PSN...

proper re-encrypt ignition.self.elf with this line...

Code:

scetool.exe --verbose --skip-sections=FALSE --sce-type=SELF --self-type=NPDRM --self-fw-version=0003004000000000 --key-revision=04 --np-content-id=EP4183-NPEB00344_00-LOVEFILMFULL0100 --np-klicensee=00000000000000000000000000000000 --np-app-type=SPRX --np-license-type=FREE --np-real-fname="ignition.self" --self-auth-id=1070200057000001 --self-vendor-id=01000002 --self-app-version=0001000000000000 --self-ctrl-flags=0000000000000000000000000000000000000000000000000000001000000000 --self-cap-flags=00000000000000000000000000000000000000000000003B0000000100002000 --compress-data=TRUE --encrypt ignition.self.elf ignition.self pause

Thank you for fixing this issue for me!

I am downloading your files to test.

I also see that you are replacing the EBOOT.BIN, \com.amazon.ignition.framework.javascript-bin\mozjs24.sprx, and \com.amazon.ignition.framework.player-bin\playready\cachemgr.self. What has been modified with these?

I also see you added \data\cachemgr\cachemgr.self, \data\config\spark.cfg.sdat, and \lib\webkit.sprx. Are these created at launch?

Thanks again. Will post my results.

Rajesh Dutta · Jul 29, 2017

It working...

just need to press the circle button when the psn sign in shows..... it totally working perfect.....

@esc0rtd3w brother you can upload catalinnc package as no psn package.....

@catalinnc Great work bro....

esc0rtd3w · Jul 29, 2017

@catalinnc quick question, or two :biggrin2:

1) Why are there more files "data", "Fonts", "lib" and "SSL" in full package and not in PSN fix package? And are these generated at runtime (i know, i already asked....lol)?

2) What was modified with EBOOT.BIN because all the other files should be the same for other regions. I was going to take your added files and the resigned ignition.self to create other region packages, but cannot use the EBOOT for obvious reasons.

Thanks

esc0rtd3w · Jul 29, 2017

@Rajesh Dutta yes i will add the package built by @catalinnc for the EU region, and create other packages for US and JP.

@catalinnc credit will be added to this thread and my NGU thread for help with this app.

catalinnc · Jul 29, 2017

thanks a lot to @esc0rtd3w for fixing the ignition.elf and @Rajesh Dutta for testing...
_

the files in the pkg are just the ones from amazon video app (psn link) merged with the ones from the latest 4.01 update...

the only files modded are the NPEB00344\USRDIR\bin\ignition.self and the NPEB00344\USRDIR\data\config\spark.cfg.sdat ("requirePSN" : false, - but i am not sure if this is really needed!)

the other self/sprx are re-signed for a lower cfw...
_

[Tutorial] PSN Bypass Techniques and Setting Up Development/Debugging Environment

bguerville

esc0rtd3w

bguerville

esc0rtd3w

Rajesh Dutta

Forum Noob

esc0rtd3w

kozarovv

esc0rtd3w

bguerville

esc0rtd3w

bguerville

esc0rtd3w

catalinnc

Member

catalinnc

Member

Rajesh Dutta

Forum Noob

esc0rtd3w

Rajesh Dutta

Forum Noob

esc0rtd3w

esc0rtd3w

catalinnc

Member

Similar threads