[Tutorial] PSN Bypass Techniques and Setting Up Development/Debugging Environment

i am fairly certain that none of the added files are going to make a difference. I have previously tested several older versions with no luck. Starting with v1.56, the only files in the USRDIR are "EBOOT.BIN", "WebkitPRX_mf.sprx", and "wkf_fs_prx_mf.sprx". The 1.54 version does use several files, including *hcube.js.sdat files that control all the config and has some PSN check code present.

I have tried using the older 1.54 version and the original 1.00 with no PSN bypass as of yet.

Here are the older links that I previously posted a while back:

Hulu-v1.54-[NPUP00046].pkg
Hulu-v1.54-[NPUP00046]-Decompressed.pkg
Hulu-v1.54-v1.56-Spoofed-[NPUP00046]-Decompressed-JSB.pkg

I hate to say it, although i love that feeling of finally "bypassing PSN", but i think the only way is gonna be the EBOOT or SPRX patching :dread:

I will continue to mess with it off and on, as I have time. I have revisited this app a few times already and have tons of notes and tested areas in IDA saved.


EDIT: Just to give you an idea of other apps and Javascript patching, the NP Ticket never has to be received, and actually receiving the NP Ticket would mean you have already started the PSN Signin process. The idea I always try following is to bypass it before the NP ticket comes into play. Now, granted, having a way to "spoof" valid tickets would be cool, but from my experience, patching before this happens usually works well.
 
esc0rtd3w said:
i am fairly certain that none of the added files are going to make a difference. I have previously tested several older versions with no luck. Starting with v1.56, the only files in the USRDIR are "EBOOT.BIN", "WebkitPRX_mf.sprx", and "wkf_fs_prx_mf.sprx". The 1.54 version does use several files, including *hcube.js.sdat files that control all the config and has some PSN check code present.

I have tried using the older 1.54 version and the original 1.00 with no PSN bypass as of yet.

Here are the older links that I previously posted a while back:

Hulu-v1.54-[NPUP00046].pkg
Hulu-v1.54-[NPUP00046]-Decompressed.pkg
Hulu-v1.54-v1.56-Spoofed-[NPUP00046]-Decompressed-JSB.pkg

I hate to say it, although i love that feeling of finally "bypassing PSN", but i think the only way is gonna be the EBOOT or SPRX patching :dread:

I will continue to mess with it off and on, as I have time. I have revisited this app a few times already and have tons of notes and tested areas in IDA saved.


EDIT: Just to give you an idea of other apps and Javascript patching, the NP Ticket never has to be received, and actually receiving the NP Ticket would mean you have already started the PSN Signin process. The idea I always try following is to bypass it before the NP ticket comes into play. Now, granted, having a way to "spoof" valid tickets would be cool, but from my experience, patching before this happens usually works well.
Click to expand...
I agree.
However faking the ticket would be an option but I wonder if it would not be easier to fake the dictionary of settings returned by the Hulu server & initialise the app with it, bypassing all the PSN exchanges. After all getting that dictionary is all the NP Ticket is used for (ie the app sends the ticket to the server to receive the dictionary in return) ...
 
yeah, that may be an option. Really anything is an option if we are crafty enough :devilish:


EDIT: Question is.....does the EBOOT or SPRX care about the server config for PSN or does it rely and favor the hard-coded checks and settings. I would like to try this avenue at least, it would be worth checking out.
 
Someone could use a proxy (or maybe live debug if the dictionary is passed back to the executable, I cannot remember now!) & "capture" the dictionary on receipt. It would be interesting to look at.. If we are lucky, unlike the NP Ticket the dictionary won't contain per console specific data & a custom dictionary might work on all consoles/accounts... If it were the case, we could create that dictionary via a new function in the javascript file & tweak the original algorithm to use that instead of querying the Hulu server...
If unfortunately the dictionary contains specific data then it would still be possible but more complicated, in this case learning how to fake a NP ticket might be a preferable avenue on the long term because also potentially reusable to various ends in other apps/brews (the np tickets structure & extra information can be found in psdevwiki btw)

Of course, like you said earlier, if an eboot/sprx patch is sufficient then it would be quicker, easier.. better...lol
 
Last edited:
Here are a few test results:


1) Signed Into PSN / Original 1.56 Package
http://assets.hulu.com/time
http://firehose.hulu.com/v1/login
http://t.hulu.com/config/v3/config?cb=14292476&distro=Sony&distroplatform=Console&type=json
http://assets.huluim.com/htv/cube/us/images/en-1080p/iap_promo_images_v2/iap_promo_4.jpg
http://assets.huluim.com/htv/cube/us/images/en-1080p/iap_promo_images_v2/iap_promo_1.jpg
http://assets.huluim.com/htv/cube/us/images/en-1080p/iap_promo_images_v2/iap_promo_0.jpg
http://assets.huluim.com/htv/cube/us/images/en-1080p/iap_promo_images_v2/iap_promo_2.jpg
http://t2.hulu.com/v3/plustracking/driverload?mz=1&cb=39518708&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=&pagetype=&referrerurl=&pagedesign=&codeversion=&sessionreferrer=&cmpid=&driverpage=lr_main&drivertype=lr_element&upselltype=1&d2=0&d16=0&d14=0&d5=0&seq=0
http://t2.hulu.com/v3/sitetracking/pageload?mz=1&cb=33899703&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_landing_page&pagetype=landing&referrerurl=&pagedesign=&codeversion=&cmpid=&cmcid=&d2=0&d16=0&d14=0&d5=0&seq=2
http://assets.huluim.com/htv/cube/us/images/en-1080p/iap_promo_images_v2/iap_promo_3.jpg
http://t2.hulu.com/v3/sitetracking/pageload?mz=1&cb=29813684&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_basic_dialog&pagetype=dialog&referrerurl=cube%3A%2F%2Fshow_landing_page&pagedesign=&codeversion=&cmpid=&cmcid=&d2=0&d16=0&d14=0&d5=0&seq=3
http://t2.hulu.com/v3/session/appopen?mz=1&cb=11685037&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_basic_dialog&pagetype=dialog&referrerurl=cube%3A%2F%2Fshow_landing_page&pagedesign=&codeversion=&resume=no&start_time=13441&reason=HOME&d2=0&d16=0&d14=0&d5=0&seq=4
http://t2.hulu.com/v3/plustracking/driverload?mz=1&cb=35161011&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_landing_page&pagetype=landing&referrerurl=&pagedesign=&codeversion=&sessionreferrer=&cmpid=&driverpage=lr_main&drivertype=lr_element&upselltype=1&d2=0&d16=0&d14=0&d5=0&seq=5
http://t2.hulu.com/v3/sitetracking/pageload?mz=1&cb=29666363&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_landing_page&pagetype=landing&referrerurl=&pagedesign=&codeversion=&cmpid=&cmcid=&d2=0&d16=0&d14=0&d5=0&seq=6
RAW Request:
POST /v1/stats HTTP/1.1
Host: firehose.hulu.com
Accept: */*
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
Origin: https://ps3dash.app.hulu.com
X-Firehose-Auth: 1|iOBQCkpGUQhyZYUGFyAl1X==|1501895001871|132|1|sxzSVDwyDye1bvMOOiM0IWm5sSY=
User-Agent: Mozilla/5.0 (compatible; U; Fymp) Factory Media Production GmbH/3.0.2
Content-Type: text/plain; charset=UTF-8
ClientName: PS3
Content-Length: 128

prefix:cube.prod.PS3

type:count
activeInApp:1

type:timer
service.Firehose.responseTime:321
service.Mercury.responseTime:60191

URL:
http://firehose.hulu.com/v1/stats

RAW Response:
HTTP/1.1 200 OK
Date: Sat, 05 Aug 2017 01:03:23 GMT
Connection: keep-alive
Server: nginx/1.10.2
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Firehose-Auth, ClientName, Content-Type, X-HULU-CLIENT-SENT-TIME, Authorization, X-HULU-CLIENTNAME
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Content-Length: 0

2) Signed Out From PSN / Original 1.56 Package
* it only checks the time and then displays PSN signin dialog???
RAW Request:
GET /time HTTP/1.1
Host: assets.hulu.com
Accept: */*
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; U; Fymp) Factory Media Production GmbH/3.0.2
Referer: http://embedded.ps3/launcher.html

URL:
http://assets.hulu.com/time



interesting note #1: Hulu gives a message "Warning Hulu server can no longer be accessed because a sign-out from PSN occured. Please sign in again to enjoy Hulu or Press PS button to exit" when signing out of PSN while Hulu is still running. So it is actively monitoring the connection like YouTube. Also, Hulu catches the PSN signout and signin even when the request is dropped using BurpSuite.

RAW Request:
GET /v3/sitetracking/pageload?mz=1&cb=08471811&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3%20CDP&language=en&os=PS3%20CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc%3A0f%3Ae6%3A59%3Ad1%3A4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3%20-%20May%2016%202016%2017%3A43%3A31&computerguid=fc%3A0f%3Ae6%3A59%3Ad1%3A4b&deviceid=2&device_unique_id=fc%3A0f%3Ae6%3A59%3Ad1%3A4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%253A%252F%252Fshow_basic_dialog&pagetype=SYSTEM_PROFILE_LOGOUT&referrerurl=cube%253A%252F%252Fshow_landing_page&pagedesign=&codeversion=&cmpid=&cmcid=&d2=0&d16=0&d14=0&d5=0&seq=10 HTTP/1.1
Host: t2.hulu.com
Accept: */*
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; U; Fymp) Factory Media Production GmbH/3.0.2

URL:
http://t2.hulu.com/v3/sitetracking/pageload?mz=1&cb=08471811&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_basic_dialog&pagetype=SYSTEM_PROFILE_LOGOUT&referrerurl=cube%3A%2F%2Fshow_landing_page&pagedesign=&codeversion=&cmpid=&cmcid=&d2=0&d16=0&d14=0&d5=0&seq=10
RAW Request #1:
POST /v1/stats HTTP/1.1
Host: firehose.hulu.com
Accept: */*
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
Origin: https://ps3dash.app.hulu.com
X-Firehose-Auth: 1|cqRHvvvZokW0tQk5H5A9Ks==|1501895542068|132|1|+jXNWEO2tc4aempH1+6EobLVvS0=
User-Agent: Mozilla/5.0 (compatible; U; Fymp) Factory Media Production GmbH/3.0.2
Content-Type: text/plain; charset=UTF-8
ClientName: PS3
Content-Length: 199

prefix:cube.prod.PS3

type:count
service.Firehose.httpError.0:1
service.Firehose.httpError.timedout:1
activeInApp:1

type:timer
service.Mercury.responseTime:60127
service.Firehose.responseTime:30000

RAW Request #2:
GET /v3/plustracking/driverload?mz=1&cb=34617500&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3%20CDP&language=en&os=PS3%20CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc%3A0f%3Ae6%3A59%3Ad1%3A4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3%20-%20May%2016%202016%2017%3A43%3A31&computerguid=fc%3A0f%3Ae6%3A59%3Ad1%3A4b&deviceid=2&device_unique_id=fc%3A0f%3Ae6%3A59%3Ad1%3A4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%253A%252F%252Fshow_landing_page&pagetype=landing&referrerurl=&pagedesign=&codeversion=&sessionreferrer=&cmpid=&driverpage=lr_main&drivertype=lr_element&upselltype=1&d2=0&d16=0&d14=0&d5=0&seq=11 HTTP/1.1
Host: t2.hulu.com

RAW Request #3:
GET /v3/sitetracking/pageload?mz=1&cb=91728973&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3%20CDP&language=en&os=PS3%20CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc%3A0f%3Ae6%3A59%3Ad1%3A4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3%20-%20May%2016%202016%2017%3A43%3A31&computerguid=fc%3A0f%3Ae6%3A59%3Ad1%3A4b&deviceid=2&device_unique_id=fc%3A0f%3Ae6%3A59%3Ad1%3A4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%253A%252F%252Fshow_landing_page&pagetype=landing&referrerurl=&pagedesign=&codeversion=&cmpid=&cmcid=&d2=0&d16=0&d14=0&d5=0&seq=12 HTTP/1.1
Host: t2.hulu.com
Accept: */*
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; U; Fymp) Factory Media Production GmbH/3.0.2Accept: */*
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; U; Fymp) Factory Media Production GmbH/3.0.2

URLs:
http://t2.hulu.com/v3/plustracking/driverload?mz=1&cb=34617500&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_landing_page&pagetype=landing&referrerurl=&pagedesign=&codeversion=&sessionreferrer=&cmpid=&driverpage=lr_main&drivertype=lr_element&upselltype=1&d2=0&d16=0&d14=0&d5=0&seq=11

http://t2.hulu.com/v3/sitetracking/pageload?mz=1&cb=91728973&client=ps3&device_fam=playstation&device_man=Sony&device_model=PlayStation(R)3&device_product=ps3&firmversion=PS3 CDP&language=en&os=PS3 CDP&region=US&siteversion=5.1.3.0&sitesessionid=fc:0f:e6:59:d1:4b-f9978294-952b-4602-7469-8a061fbd13dd&vodversion=PS3 - May 16 2016 17:43:31&computerguid=fc:0f:e6:59:d1:4b&deviceid=2&device_unique_id=fc:0f:e6:59:d1:4b&distro=Sony&distroplatform=Console&player=5.1.3.0&planid=0&socialidentities=&visit=1&userid=0&profile_id=0&pageurl=cube%3A%2F%2Fshow_landing_page&pagetype=landing&referrerurl=&pagedesign=&codeversion=&cmpid=&cmcid=&d2=0&d16=0&d14=0&d5=0&seq=12

Config v3 Request:
GET /config/v3/config?cb=11118613&distro=Sony&distroplatform=Console&type=json HTTP/1.1
Host: t.hulu.com
Accept: */*
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; U; Fymp) Factory Media Production GmbH/3.0.2
Content-type: application/json

Config v3 Response:
HTTP/1.1 200 OK
Server: nginx/1.8.1
Content-Type: application/json
Content-Length: 3254
Cache-Control: public, max-age=265
Date: Sat, 05 Aug 2017 06:30:16 GMT
Connection: close
Vary: Accept-Encoding

{
"beacons": {
"realtime": {
"host": "t.hulu.com",
"beacon": [
{
"type": "error",
"send": "always",
"cdn-specific": "true",
"event": [
{
"name": "applicationerror.appname",
"send": "never"
},
{
"name": "connectionerror.loadtimeout",
"send": "never"
}
]
},
{
"type": "session",
"send": "always",
"cdn-specific": "true"
},
{
"type": "playback",
"send": "never",
"cdn-specific": "true",
"event": {
"name": "start",
"send": "always"
}
}
],
"cdn-hosts": {
"cdn": [
{
"name": "akamai",
"host": "t-ak.hulu.com"
},
{
"name": "level3",
"host": "t-l3.hulu.com"
},
{
"name": "limelight",
"host": "t.hulu.com"
},
{
"name": "Akamai",
"host": "t-ak.hulu.com"
},
{
"name": "Level3",
"host": "t-l3.hulu.com"
},
{
"name": "Limelight",
"host": "t.hulu.com"
}
]
}
},
"standard": {
"host": "t2.hulu.com",
"beacon": [
{
"type": "dataload",
"send": "onerror"
},
{
"type": "playback",
"send": "always",
"event": [
{
"name": "connectionerror",
"send": "never"
},
{
"name": "connectionchange",
"send": "never"
},
{
"name": "netstreamerror",
"send": "never"
},
{
"name": "datastreamerror",
"send": "never"
},
{
"name": "applicationerror",
"send": "never"
},
{
"name": "prerollstart",
"send": "never"
},
{
"name": "prerollposition",
"send": "never"
},
{
"name": "prerollend",
"send": "never"
}
]
},
{
"type": "revenue",
"send": "always",
"event": [
{
"name": "request",
"send": "onerror"
},
{
"name": "response",
"send": "onerror"
},
{
"name": "httpstreamerror",
"send": "onerror"
},
{
"name": "request",
"send": "onerror"
},
{
"name": "request",
"send": "onerror"
}
]
},
{
"type": "abortedsession",
"send": "never"
}
]
}
}
}

interesting note #2: if you signin, load Hulu, and then signout, you will get the disconnect error, but if you just press CIRCLE then it will let you use the Hulu app like normal while being signed out. That makes more sense about NP ticket just being used and basically discarded, as mentioned by @bguerville

interesting note #3: if Hulu does not detect a network connection, the PSN signin never displays and the app just stays on loading screen forever. So i guess checking for a network connection before PSN check would also be a good area of reference to look at in IDA.


additional notes:

i am going to try using "http://firehose.hulu.com/v1/login" and similar for reference points in IDA because this only happens when you are signed in to PSN :eek new:

if anyone wants to help dissect some of this data, pull variable names from URL paths, test mutated variations, etc, there may be some valuable info for reverse-engineering the EBOOT or SPRX


IDA Testing
wkf_fs_prx_mf.sprx [Offset 0x52348] <-- NOP
- after pressing CIRCLE to bypass PSN login, it causes infinite Hulu loading screen with spinner.
KgJ9kF9.png


Connection change monitoring??? [Offset 0x522BC]
inEhfrs.png


Connected status???
JgvM0fq.png


Offset 0x50418
jV6JcPE.png


SsKlDbp.png


Here are a few patched SPRX files for testers for Hulu v1.56 using original package as install:

wkf_fs_prx_mf--0x37728.zip
wkf_fs_prx_mf--0x37688.zip <-- Flashes "Build Info" Red Box In Top-Left Corner and Black Screen :indecisiveness:
wkf_fs_prx_mf--0x37694.zip <-- Also flashes red build info
wkf_fs_prx_mf--0x52320.zip <-- CIRCLE Bypass and Infinite Spinner???
wkf_fs_prx_mf--0x5235C.zip <-- CIRCLE Bypass and Infinite Spinner???
wkf_fs_prx_mf--0x52348.zip <-- CIRCLE Bypass and Infinite Spinner???
wkf_fs_prx_mf--0xA05E4__0x00.zip
wkf_fs_prx_mf--0xA05E4__0x01.zip
wkf_fs_prx_mf--0xA0964.zip
wkf_fs_prx_mf--0xA0978.zip
wkf_fs_prx_mf--0xA0988.zip
 
Last edited:
Hulu has been successfully patched for NoPSN :biggrin2: :boxing:

_sceNp_sceNpManagerGetStatus compare value is patched from "-1" to "0"

Offset: 0x333E4
Original Bytes: 2C 03 FF FF
Modified Bytes: 2C 03 00 00

ibjKPJj.png


Here is a test EBOOT:
EBOOT--NoPSN--test--0x333E4--_sceNp_sceNpManagerGetStatus.zip

Here is the NoPSN package with the modified EBOOT:
Hulu-v1.56-[NPUP00046]-NoPSN.pkg

I will update OP soon!!

This makes me wonder how easily I can also patch other apps by tricking the sceNpManagerGetStatus function.

Let me know if there are any issues, because another option is patching it to always jump one way or the other.

I have tested it with both signed in and signed out from PSN.


EDIT #1: If it's as easy to patch other apps using sceNpManagerGetStatus, I will add a NoPSN NP Patch option to the Rebug Toolbox here soon for a more universal option to patch in memory or from a setting :encouragement:

EDIT #2: I reverted back to K.I.S.S. (Keep It Simple Stupid) :topsy turvy:

EDIT #3: Tried a couple other apps and that trick didn't exactly work straight away! Not saying it still won't, I will check out the ones that need PSN bypasses still and see which ones it does work with. Hopefully all of those older WebKit ones!!

EDIT #4: OP has been updated with new NoPSN links and patching info for Hulu v1.56 [NPUP00046]
 
Last edited:
I really like the simplicity of this patch, I would not have expected that fooling sceNPManagerGetStatus could be sufficient but it is... At least on Hulu... Smart find... [emoji6]
 
bguerville said:
I really like the simplicity of this patch, I would not have expected that fooling sceNPManagerGetStatus could be sufficient but it is... At least on Hulu... Smart find... [emoji6]
Click to expand...

Thanks! Thats exactly what I was thinking! :surprise: I was trying to think of all these crazy paths to go down of what the Hulu devs might be thinking, and all along it was something so simple....lol
 
Last edited:
*UPDATE* Fixed EBOOT For NoPSN + Update Check Bypass (see EDIT #3 below)

Here is something interesting......a NoPSN bypass for the Playstation Store!! :saturn:

at first, I did not really see the relevance of this, until I started playing with some of the decrypted SDAT files from the cache that gets created on first launch. I tested lots of things and you can pretty much control the majority of the apps behavior using Javascript and XML.

So now my brain is on fire :tan:

How can all this be pulled together for a more streamlined approach for getting *ANY* type of code execution on OFW....hmmm....I have tested several things on CFW and on OFW. One of the more interesting things is that the Debug and OnScreenConsole features work on OFW the same as CFW (the OSC does crash for some reason, but does it on both). I have tested some other Javascript modifications on OFW and they all work, I just am not a JS veteran, only got them mediocre JS skillz....lol

That is kind of another side project I have been working on and there are some other details I have not mentioned, but I feel there is potential not only in some of these Apps, Games, etc, but in the PSN Store!!! These apps have all kinds of other permissions, and built-in functionality that can be used in conjunction with both WebKit exploitation and other System manipulation. The PSN Store supports several system calls and other "juicy" things. I have built a modified version to use as a base for the PS3 Playground, I will update as more is discovered........call me a dreamer....lol

** I should note that an EBOOT modification is NOT required to get custom Javascript code working on OFW, hence the WebKit potential **

Anyways, back to the original point of this post, here are the NoPSN package stuff for the Playstation Store.

Now this one is a bit different, so I hope I can explain it well enough......

Here are the links:

PlayStation-Store-v1.26-[NPIA00025].pkg
PlayStation-Store-v1.26-[NPIA00025]-Plus-Cache.zip
PlayStation-Store-v1.26-[NPIA00025]-Cache-Only.zip
PlayStation-Store-v1.26-[NPIA00025]-Cache-Only--Decrypted.zip
PlayStation-Store-v1.26-[NPIA00025]-Debug-Enabled.zip
PlayStation-Store-v1.26-[NPIA00025]-Plus-Cache-OSC-Enabled.zip
PlayStation-Store-v1.26-[NPEB02080]-NoPSN+UpdateBypass.pkg <-- New Package
PlayStation-Store-v1.26-[NPEB02080] [PARAM-FIX].zip


Here is some info:

Target: /USRDIR/EBOOT.BIN -> EBOOT.ELF

Offset: 0x13989C
Original: 41 9E FD 44
Modified: 40 9E FD 44

This patch basically forces "Guest Mode". Some SDAT modifications will be needed to do anything with the app....I am assuming!

* You can also enable Guest Mode using Javascript only (i think)

JKtuyDJ.png



This will create another Playstation Store icon under Game column on XMB.

The PSN Store downloads and copies files to "/USRDIR/AppCacheGroup_00/*" on first launch, these files are included already (cache) in the NoPSN package.

The ID will be different to not overwrite the original PSN Store files, although they can be overwritten, you would be forced to signin by using the icon under Network column by doing so.

Install the PlayStation-Store-v1.26-[NPEB02080]-NoPSN.pkg and then extract the PlayStation-Store-v1.26-[NPEB02080] [PARAM-FIX].zip to "/dev_hdd0/game/NPEB02080" on the PS3. I don't know a better way to do this at the moment. <--- See EDIT #3 For New Package (No PARAM Fix Needed)

I think the signin is controlled by files in the flash, so by "abusing" the fact that it is installed as a "HG Harddrive Game" then it can be still loaded with the patched EBOOT (possibly SDAT) to bypass the PSN splash that you would normally get by using normal icon from Network column.

The app will load and most likely give you a "Maintenance Error" which there are several ways to redirect default navigation and even use custom button combos for things by modifying SDATs. I have not tested logged into PSN yet (i have a few CIDs laying around if I get banned...lol)

If anyone has any older PSN store packages or cache files laying around, please post links! Thanks :excitement:


EDIT #1: Thanks @catalinnc for the older PSN store files. I will report if anything interesting comes of them! Also thanks for helping me sort out my SDAT issues :encouragement:

EDIT #2: Here are a few fun things while poking around a bit. These are from SDAT files only (in 1.26 default cache). I don't know if they will lead to code execution, but there are a lot of things we can do with the Javascript.

This is not a complete list, as some are most likely missing. It started being in alphabetical order, but somewhere down the line, it ended up a little screwed up in the ordering!! :distracted:

I have not yet verified if there are additional things that can be accessed when comparing to the EBOOT

sce.readRegistry(key));
sce.readRegistry("age_verified", current_page_id);
sce.readRegistry("date_format");
sce.readRegistry("geo_filtering");
sce.readRegistry("gf_version");
sce.readRegistry("net_common_device");
sce.readRegistry("np_debug");
sce.readRegistry("np_env");
sce.readRegistry("signin_on_standby")?"on":"off";
sce.readRegistry("sf_debug");
sce.readRegistry("summer_time");
sce.readRegistry("system_version");
sce.readRegistry("time_format");

sce.writeRegistry("age_verified", 1);
sce.writeRegistry("signin_on_standby", 1);

registry: function(key, callback) {
Storage.getStorageValue("Resources/debug/registry.json", function(data) {
callback && callback(data[key]);
});
}

sce.abort
sce.abortAll
sce.GetAccountIdHashResult
sce.addSystemEventListener
sce.AppNotification
sce.AsyncErrorResult
sce.clear
sce.closeConfirmDialog
sce.closeOptionMenu
sce.cloudClient.callAsyncApi
sce.ConfirmDialogArgs
sce.CreateGriefReportAttachFileCallback
sce.CreateGriefReportAttachFileResult
sce.didFinishDisplayReady
sce.didFinishLoading
sce.didFinishLocationChange
sce.didFinishSessionReady
sce.didPurchasePlusMembership
sce.DownLoadTask
sce.DownloadTaskInfo
sce.DrmContentStatus
sce.enterButtonAssignCircle
sce.exit
sce.FriendSelectorDialogArgs
sce.FriendSelectorDialogCallback
sce.FriendSelectorDialogResult
sce.getAccessToken
sce.GetAccessTokenCallback
sce.GetAccessTokenResult
sce.getAdTime
sce.getAuthCode
sce.GetAuthCodeCallback
sce.GetAuthCodeResult
sce.getBaseUrl
sce.GetBaseUrlCallback
sce.GetBaseUrlResult
sce.GetCcSettingsCallback
sce.GetCcSettingsResult
sce.getDeviceId
sce.getDiscInfo
sce.GetDiscInfoResult
sce.GetDrmContentStatusArgs
sce.GetDrmContentStatusCallback
sce.GetDrmContentStatusResult
sce.getDownloadTaskInfo
sce.GetDownloadTaskInfoCallback
sce.GetDownloadTaskInfoResult
sce.getDrmContentStatus
sce.getEntitlementsForCommunityCreation
sce.GetEntitlementsForCommunityCreationCallback
sce.GetEntitlementsForCommunityCreationResult
sce.EntitlementInfo
sce.getFreeSpace
sce.GetFreeSpaceCallback
sce.GetFreeSpaceResult
sce.GetFreeSpaceResultData
sce.GetLastPlayedGameCallback
sce.GetLastPlayedGameResult
sce.GetLaunchedAppListResult
sce.getLocationUrl
sce.getInstalledSize
sce.GetInstalledSizeCallback
sce.GetInstalledSizeResult
sce.getNetworkTime
sce.playSe
sce.setSessionProperty
sce.getServiceIds
sce.GetServiceIdsCallback
sce.GetServiceIdsResult
sce.getSigninId
sce.GetSigninIdCallback
sce.GetSigninIdResult
sce.getThemeInfo
sce.GetThemeInfoCallback
sce.GetThemeInfoResult
sce.getTitleToken
sce.GetTitleTokenCallback
sce.GetTitleTokenResult
sce.GriefReport
sce.isRemotePlaying
sce.isSubaccount
sce.joinPlay
sce.killApp
sce.launchApp
sce.launchModalBrowser
sce.log
sce.logSystemLogger
sce.native
sce.native.readRegistries
sce.navigateToGoHome
sce.notifyMaintenance
sce.notifySystemLogger
sce.OnLocationChangeSystemEvent
sce.openConfirmDialog
sce.openFriendSelectorDialog
sce.openOptionMenu
sce.openPasswordDialog
sce.GetOpenPsIdResult <-- another way to get PSID :eek new:
sce.GetParentalControlInfo
sce.GetParentalControlResult
sce.GetTelemetryTimingsCallback
sce.GetTelemetryTimingsResult
sce.GetUserInfoListCallback
sce.GetUserInfoListResult
sce.PasswordDialogResult
sce.platform
sce.playSe
sce.readRegistry
sce.registerDownloadTask
sce.removeSystemEventListener
sce.resumeDownloadTask
sce.sendNotificationRequest
sce.sendNpDebugNotificationRequest
sce.setFrameInfo
sce.setFrameProperty
sce.ss
sce.ss.SsGetStatusCallback
sce.ss.SsGetStatusResult
sce.SyncErrorResult
sce.SystemEvent
sce.Time
sce.updatePreOrderPlayableDate
sce.updateProfileCache
sce.updateUnifiedEntitlementRif
sce.updateUnifiedEntitlementRifs
sce.UserInfo
sce.vc
sce.vc.CreateStreamUidCallback
sce.vc.CreateStreamUidResult


Other interesting SCE functions

[appCache.*]
appCache.sce.clear

[native.*]
sce.native.getNetworkTime

[navigator.*]
sce.diagnostic
sce.diagnostic.network.onerror
sce.native.readRegistries
sce.onmessage
sce.postMessage
sce.sendMessage

[window.*]
sce.private
sce.profiler.pushMarker
sce.profiler.popMarker

[profiler.*]
sce.profiler.popMarker
sce.profiler.pushMarker

Debug SCE Functions

[performance.*]
sce.js.jsHeap
sce.js.jsHeapCapacity
sce.js.jitData
sce.js.jitDataSize
sce.js.jitText
sce.js.jitTextSize
sce.gl.sharedVideo
sce.gl.sharedVideoSize
sce.js.objectCount
sce.garbageCollect
sce.lastGarbageCollectTime

[applicationCache.*]
sce.clear


Other Misc

App.commerce.apply

console.warn

commerce.bgdlGetMode
commerce.bgdlSetMode
commerce.call
commerce.download
commerce.drmActivation
commerce.getConsoleId
commerce.licenseUpdate
commerce.preOrder
commerce.rebootForSignUp
commerce.regetSignInTicket
commerce.request
commerce.tellFriend
commerce.videoDownloadAndPlay

NP.abort
NP.clearCache
NP.clearMaintenance
NP.didFinishDisplayReady
NP.didFinishLoading
NP.didFinishLocationChange
NP.didFinishSessionReady
NP.download
NP.drmActivation
NP.getAdClock
NP.getAdClockDiff
NP.getBaseUrl
NP.bgdlGetMode
NP.germanAgeVerification
NP.getDateFormat
NP.getGameStatus
NP.getGeofiltering
NP.getNpEnv
NP.getOauthTokenFrom
NP.getOauthTokenFromAuthCode
NP.getOpenPSID
NP.getProductIds
NP.getStandbyMode
NP.getSystemLanguage
NP.getSystemLocale
NP.getTimeFormat
NP.goToMaintenance
NP.hasAccount
NP.hasGermanAgeVerification
NP.hideSystemVoice
NP.launchGame
NP.licenseUpdate
NP.logTitle
NP.navigateToGoHome
NP.onlineName
NP.openConfirmDialog
NP.openErrorDialog
NP.openPasswordDialog
NP.preOrder
NP.rebootForSignUp
NP.regetSignInTicket
NP.requestTicket
NP.resumeDownload
NP.sendNotification
NP.sendDebugNotification
NP.sendNpDebugNotification
NP.setForceExitHandler
NP.setMaintenanceHandler
NP.setNetworkStatusHandler
NP.setSessionProperty
NP.setStandbyMode
NP.showSystemVoice
NP.signIn
NP.signOut
NP.timestamp
NP.updatePreOrderPlayableDate
NP.updateProfileCache
NP.videoDownloadAndPlay

np.getAdClock
np.getAdClockDiff
np.getConsoleId
np.getGeofiltering
np.getGuestSignIn
np.getOauthToken
np.getOauthTokenFromAuthCode
np.getOpenPSID
np.getPS3AuthCode
np.getSystemClientId
np.goToForceExit
np.goToMaintenance
np.registry
np.setSessionTimeStamp
np.setSessionTimeStampStart
np.updateUnifiedEntitlementRif

NpEligibility.setTimestamp

log.error
log.info
log.level
log.trivial
log.warn

Log.error
Log.info
Log.level
Log.trivial
Log.warn

var console_id = np.getConsoleId();
if (console_id !== -1) {
// Kamaji/Navigator expects the duid to be padded with zeros (DE3397)
body += "&duid=" + console_id + "00000000000000000000000000000000";
}



key_request_suffix =
"&Duid=" + commerce.getConsoleId() + "00000000000000000000000000000000"
+ "&ContentId=" + VideoObj.getContentID()
+ "&PSNticket=" + ticket;



getConsoleId: function(){
LOG.info("call getConsoleId()");
if (typeof commerce !== "undefined") {
try {
return commerce.getConsoleId();
} catch (e) {
LOG.warn("\n\n!!! Exception calling getConsoleId():",
e.message, e.sourceURL + ":" + e.line, " !!!\n");
return ERROR;
}
}
return ERROR;
}




getOpenPSID: function(){
LOG.info("call getOpenPSID()");
try {
return engine.np.openPSID;
}
catch(e) {
return null;
}
}


:confused3: :concern:
getConsoleId: function() {
return ERROR;
}



/*
*** guess on what the param values correspond to ***
param:
action:
0 - activate game
1 - deactivate game
2 - activate video
3 - deactivate video
target:
0 - PS3
1 - PSP
option:
0 - ?
*/
drmActivation: function(param, callback){
LOG.info("call drmActivation()");
if (typeof commerce !== "undefined") {
if (typeof param !== "undefined") {
var unblockIPCallback = blockIP(callback);
return commerce.drmActivation(param, unblockIPCallback);
}
}
return ERROR;
}



// Set the mode for background download on PS3
// Note: You need to be using a trilithium binary
// built with the private APIs.
// Arguments:
// mode - Mode to set. Currently there are four
// supported combinations.
// 58369 - CELL_BGDL_MODE_ALWAYS_ALLOW | CELL_BGDL_MODE_HIGH_SPEED_ON
// 58368 - CELL_BGDL_MODE_AUTO | CELL_BGDL_MODE_HIGH_SPEED_ON
// 1 - CELL_BGDL_MODE_ALWAYS_ALLOW | CELL_BGDL_MODE_HIGH_SPEED_OFF
// 0 - CELL_BGDL_MODE_AUTO | CELL_BGDL_MODE_HIGH_SPEED_OFF
// Returns:
// 0 on success, system error code on failure
// Throws if called without a numeric first argument
bgdlSetMode: function(mode){
LOG.info("call bgdlSetMode()", mode);
if (typeof commerce !== "undefined") {
// commerce.bgdlSetMode(mode) return 0 for success, error code otherwise
return commerce.bgdlSetMode(mode);
}
return ERROR;
}



// Function to get the background download mode
// Note: You need to be using a trilithium binary
// built with the private APIs.
// Arguments: none
// Returns: Download mode on success,
// negative value on failure.
bgdlGetMode: function(){
LOG.info("call bgdlGetMode()");
if (typeof commerce !== "undefined" && commerce.bgdlGetMode) {
return commerce.bgdlGetMode();
}
return ERROR;
}


EDIT #3: I have patched the EBOOT to bypass the update check as well, so you no longer need the PARAM.SFO fix :wink new:

Here is the new NoPSN + Update Check Bypass Package:
PlayStation-Store-v1.26-[NPEB02080]-NoPSN+UpdateBypass.pkg

Offset: 0x92484
Original Bytes: 41 9D 00 5C
Modified Bytes:40 9D 00 5C


QuqLozz.png



Tested with and without internet connection (blocked with proxy) and it loads normally....well normal to the Maintenance screen. If network is disabled from Settings menu, there is a Network Error, i may try patching soon. It loads fine with the NPIA00025 directory missing as well, meaning there is no Playstation Store Update installed to HDD.

It should also be noted that the EBOOT can replace the NPIA00025 directory EBOOT as well, as it's the same as the real Playstation Store. Doing that would theoretically skip update check but force login from XMB flash files.

The OP has also be updated with a renamed NoPSN package that contains both patches, along with new patching info.


EDIT #4: I have been testing a PSN bypass using only modified Javascript and have successfully loaded without modified EBOOT on CFW. There are a few issues while navigating that will force you to exit for different reasons. I have bypassed a few of these and will post more info when I get a more solid patch(es) working. I want to get this working on OFW (which it should using DTU to push it) and test as a base to use for embedded hax! I would also like to utilize the OnScreenConsole function and get it to not freeze the app. I have been testing some browser hax as well, doing a lot of reading!!!

now for a few zzzzzzz's....... :sleeping:
 
Last edited:
esc0rtd3w said:
NoPSN bypass for the Playstation Store!!
Click to expand...
Interesting.
esc0rtd3w said:
The PSN Store supports several system calls and other "juicy" things. I have built a modified version to use as a base for the PS3 Playground, I will update as more is discovered........call me a dreamer....lol
Click to expand...
Waiting for more "Juice" then. :) I'm glad that you guys started to work on that "playground".
 
Last edited:
HULU!!

YOU SNEAKY BASTARD!! :devil:


EDIT #1:


DEFEATED! :D

Hulu-v1.60-[NPUP00046]-NoPSN.pkg

CQIdrbf.png


EDFctVi.png



EDIT #2:

SHIT! Amazon also started updating haha

only EU so far

K2ohwQy.png



EDIT #3:

another one bites the dust.....today must be the day for update patching! :-p

only EU version seems to be updated...the others are coming haha


ok @catalinnc ...i keep getting the damn return to XMB for this new 4.02 Amazon app with patch and even using your old 4.01 base and overwriting all new 4.02 files, including patched ignition.self. can you make a package and test?

here is the patched ELF

here is my 1st test package using your old 4.01 base: Amazon-Instant-Video-v4.02-[NPEB00344]-NoPSN--test1--broken.pkg
thanks :encouragement:

fyi, the only changed files were EBOOT.BIN, ignition.self and mozjs24.sprx between 4.01 - 4.02


DQjTDOK.png


lWp64Sv.png




EDIT #4: i know what it probably is...the way i resigned, didnt use that script from last time with those settings
 

Attachments

  • hulu-sneaky.png
    hulu-sneaky.png
    27.5 KB · Views: 405
Last edited:
The Foxtel Play pkg bypasses the psn, but it never seems to load up any channels. It just hangs. The Sky News channel works by default without having to input a login, however it too just hangs and doesn't load up. Any thoughts?
 
esc0rtd3w said:
here is the new Amazon 4.02 NoPSN package, thanks @catalinnc for building the new base to use!

Amazon-Instant-Video-v4.02-[NPEB00344]-NoPSN.pkg

same trick as last time, so must press circle to bypass PSN login...may actually fix this soon :-p
Click to expand...

Thank you! This ".pkg" works perfect for me, press circle is a not a big deal at all.

I was trying HBO Nordic 1.02 (NPEB02292) apk file too but it doesn't works in my country, I need the 1.03 version. I was trying to patch it by myself but it seems that they are now using the new methods seen in the other apps. The 1.03 patch only add support for Spain but it is 0.45 MB bigger than the 1.02 one (ELF files). When I try to patch the app and run it on my PS3 I get a black screen and my console freezes.
Could you please help me?

Thank you :D
 
incognita said:
I was trying HBO Nordic 1.02 (NPEB02292) apk file too but it doesn't works in my country, I need the 1.03 version. I was trying to patch it by myself but it seems that they are now using the new methods seen in the other apps. The 1.03 patch only add support for Spain but it is 0.45 MB bigger than the 1.02 one (ELF files). When I try to patch the app and run it on my PS3 I get a black screen and my console freezes.
Could you please help me?

Thank you :D
Click to expand...
i will check that out here soon and see if i can patch the 1.03 version
 
You must log in or register to reply here.

Similar threads

Back
Top