PSN Hackers Located? Chat Logs Included

Every Playstation 3 owner has had to deal with the downtime of the PSN, thus leaving them incapable of trying out the latest releases online.

There have been numerous rumors and myths regarding who exactly attacked the PSN, and the blame has ranged from problems in Japan to the Anonymous group (although they claim innocence). Now it seems we may be one step closer to identifying the perpetrators responsible for our lack of online gaming.

Thanks to an off-topic post by Formula One Australia, the possible IP address has been uncovered along with other useful information. The IP address that came up consistently is 214.211.251. Here is what they discovered:

Hostname: nhlem-wsa-dp.med.navy.mil
ISP: DoD Network Information Center
Organization: DoD Network Information Center
Proxy: None detected
Type: Corporate
Assignment: Static IP
Country: United States
State/Region: California
City: Lemoore
Latitude: 36.2939
Longitude: -119.8286
Area Code: 559
Postal Code: 93245

The chat logs* from which the IP address was secured are posted below. It is a lengthy read, but if you make it through the entire piece you’ll see what kind of people Sony’s dealing with.

xxx: I don’t think there are many people involved in circumventing
PSN access in /this/ channel [ “application/x-i-5-ticket” reason=40 >
PSN error 80710101 ]

talk about network stuff?

nice

i just finished decrypting 100% of all psn functions

:)

you can forget all the history wiper and log remove apps

theres an independent check

which transfers all games and their playtime

every time you login

you can modify it like the firmware version tho

it looks like:


as well they can detect backups this way

hash is eboot.bin to check for version?

if you use a backup it will look like this:

boot="2011-02-03T20:35:09.00Z" playtime="8875" /

user2, is that in data sent to a0.[CC].np.communication.playstation.net

sec lemme check

im still collecting all the data

updptl.de.np.community.playstation.net/

thats the server

user2: what about Blu-ray Master Disc/BD Emulator ?

since, i use those features legitimately

on debug or retail?

i didnt check all on debug unit yet

so no clue if it sends discid for bdemu

but sony is the biggest spy ever lol

they collect so much data

true

all connected devices return values sent to sony server

example:

user2: Debug models of course :)

>32" TFT-TVOEMreleasecex

i cannot find my PS3 connect to host with ‘updptl’ in the name

returns tv, fw version, fw type, console model

also i found data it collects when i had usb device attached etc etc

so if they ever sue someone for psn stuff, they will be sued
themselves as most of the data they collect is just not legal

user2, at what time does it connect to that host?

during the PSN logon?

sec i check

user2 how can you modify that data?

user2: do you now know enough to wipe all traces so that people
who never had their consoles on the internet can avoid sending this
information now? :)

no DNS request for a host with ‘updptl’ in the name in my packet
captures :-\

@user5: it sends directly after user profile load and sometimes;
it seems random, just when u play a game or anything

ohh

@xxxx: we could modify the data via proxy between the tunnels,
like delete all data between the xml tags or somehow

oh so its not on the ps3 hdd itself?

user2: aha, so this information is actually encrypted?

ya

the list is stored online

and updated when u login psn and random

damn

but where is it stored before that? I have never been online
with my ps3…

so it must be somewhere

was hoping it would be on the ps3 hdd

then lock it or so

the only avoidance is block all *.playstation.net

MAYBE – i rly dont know – it doesnt save it at all on hdd

so only transfers the games and stuff in one ps3 session when
you go online

so if u have ps3 offline and play a game, then shutdown and
turn on again

it MAY not transfer update

cuz i didnt find any info for that list on hdd

it could be that its used for online playtime or psn logged in
playtime

as well you should never ever install a CFW from someone unknown

cuz its way too easy to do scamming at this point

for example:

creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=**********&creditCard.expireYear=****&creditCard.expireMonth=*&creditCard.securityCode=***&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20

sent as plaintext

uh

did you censor that card?

ya its fake

good

wow, plaintext :S

plaintext wow

im never putting in my details like that

ya is all fake lol

i never used cc on ps3

normally you AT LEAST encrypt the security code, even if its ssl

id hope sony would do such in a safe manner

psn cards probably plain text to then

fake certs are known since years as vuln so companies encrypt
such data twice normally

but hey its sony --> its a feature

lol

lol

yeah if you go public with your info they either remove the
store or psn all together

as an update

I doubt it :P

from all the actions they’ve taken the past years, we can only
deduce that Sony don’t care about their customers

impossible

:)

they wont update their whole psn lol

but this should really get out there, but I guess it’s on
psx-scene.com in a matter of minutes already ;)

3.60 removal of psn

i know a few guys who worked @ sony’s psn backend. just when
the ps3 was released we talked bout the first psn, at this time ALL was
http and unencrypted. so you could see userpass etc plain. i asked em
why is it that way. lame answer was “we thought it was addressed.” – lol

sony qa --> trainees

that fits nicely into the “#define rand() 4” mentality. ;)

yep

or more of

ECDSA_PRIVATE_KEY privateKey;

lol

and PrivateKey is in a header file

and it’s static

xD

and ECDSA_RANDOM in a header file

and so on

another funny function i found is regarding psn downloads

its when a pkg game is requested from the store

in the url itself you can define if you get the game free or not.
requires some modification in hashes and so on tho

..

is like

:D

my god

drm:off

lol

lol

:facepalm:

well, that’s one way to offload the server.

still wondering when the big ban wave arrives :D

if they ban everyone, even using backups legally in their country
(but in their opinion a TOS violation), it will be a huge tsunami, not a
wave

ask ur friends :P

prolly they take it like it is now, unstoppable anyways

new firmware to ban all further actions and done

an open psn would be nice

even if it was just a player matching service

ya

a PSN host by the community :)

that actually could be perhaps possible

if you can get auth working

and all

a new np environment

the friend list management is easiest

simple jabber server

don’t some games use their own servers?

some use p2p

which check from the official psn servers whether you’re logged
in and who you are

imagine the traffic load :D

whod pay this xD

yes, but even p2p games do use publisher or sony provided servers
for matchmaking

NpCommerce2

I am getting behind everything on doing my security analysis

started a couple months ago monitoring SSL stuff, and then got
distracted with blackops and havent pursued it, seems a lot of people are
starting to take interest in it now

and regarding matchmaking and lobby systems

the functions built in firmware and/or game

how would you answer them

the server side code we dont know of

some stuff appears to be in lv2 and not in sprx for network stuff

so we can not create proper answers

you can try to analyze the protocol and say “if X then Y” type
responses the problems come up when you get something you haven't seen
before

that was done with counterstrike for example so that people could
cheat

so its not entirely impossible although it is time consuming

sometimes its happy accidents, reason code 21 means bad cipher,
51 bad firmware version – for x-i-5 tickets for example

wasn’t cs/hl server software available for anyone to download even
back then?

anyone found a way to change DVD region on ps3 yet, btw?

for psn you can’t even get binaries for the server side

user2 i remember some months ago you made a psntool with a psn
messenger in it but not yet functional is that still being worked on?

but for stuff like that the ticket has to exist on the psn side
of things because if I send my ticket to a vendor server they will validate
it against psn and if its not there it will fail

xxx: wasn’t syscall 0x363 0x19004 3rd byte useful for that?

@xxxx: at this time i could finish the tool yes but im not sure
if it is useful at all

xxxx: no but you can monitor traffic, even send some “bad” things
and watch the responses… I discovered x-i-5 reason code 21 by accident,
I did not force my proxy to mirror the cipher that the ps3 presented

i mean why would someone want to chat with a someone on ps3

while any1 anyway have msn/icq/aol

know this, sony in realtime, monitors all messages over psn

I verified that, its part of my privacy threats thing I am doing

ok too bad id like the psn messenger on pc

the realtime monitoring is a bit bothersome to me

user1: such information is quite useless to me, as I’m not that
into the technical stuff :) was more hoping someone had an easy way to
do it.. like a DVD region changer or something.

@user12: the realtime jabber monitoring as most likely for
realtime censor of messages

they appear to have at the very least keywords they look for,
not sure just how invasive the whole thing is, but …

well they have some odd things in there

yeah they have that dumb automatic word filter

the censor word-list is ridiculous

psn messenger would be helpful, just yesterday was killed 2
times when typing response on the message + its so slow loading

a psn code that is not really valid if you sent that via email
it becomes valid but you cant add funds to your wallet. The fact that
emailing that code to someone makes it valid for you is odd … why
monitor that code?

which makes it much more difficult to have a sensible
conversation in languages other than english

why change its state on sending it?

the censor words in home is on your system, it downloads a
dict list of words

an empty file resolves that

tryin to find my jabber logs… >.<

so it only censors on receipt not on transmission

dunno how the other stuff does it

mostly because I have yet to look

now you have me curious I am gonna go redo my network a
little bit to start monitoring again :)

btw as well a reason AGAINST pc to ps3 messenger is spam

cuz there actually is an easy way to get userlists

would fuck psn pretty hard if some skiddy releases a spam app

the highscore and matchmaking lobbies you can request per game
id and get user mails for psn

ugh, yeah

huge list + spam app == sux

argghhhh

why do my trophies never sync to np

anyway sony just would have to open a port on the jabber server,
so you could login with icq

lol

and we all know what happens if cool homebrew arrives, remember
open remote play

sony just releases an official tool lol

thing is the more people do things and discuss what they do and
explain how to do it the more likely sony will lock down psn in the future

psn is a core feature of ps3

making it harder and harder to do anything, like using older
firmwares to log in, that will probably be the first to go away

they would be sued like with otheros

yeah but they also blocked open remote play

user12: that already went away, didn’t it

if you are not running current firmware you do not have a right
to psn

user12: even for debug users

not really, not yet anyway

3.56 did not break it but the next release might

especially because it stops people running backups and other
stuff on psn

well i mean 3.41

ya would be all possible for them

not sure what, if anything, changed with 3.41

you used to be able to sign in on debug 3.41 until someone
released that psn enabler hack

one way more difficult than the other so i think they first
will go on with backup ban on psn

even though 3.42 and 3.50 had already been released

via playlists and stuff i mentioned before

a secure way to fix it would require firmware and server
update tho

wondering what prevents em of this way

I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it
and do my work

I *might* try with 3.40 and see if I can do enough of my work,
that would make it somewhat harder though

banwave possibly, new FW + plus they still need to fix that
3.56-1st/2nd harddrive exchange bug in the next version

because my work is specialized and very limited in scope

the psn has 45 environments all working independent

prolly that is the reason

we could just change to another environment

and they also need to have an eye to the official developers
which use environments too

and the qa

which needs to work with older firmware sometimes

so they cant update all environments and block all

probably so much ITIL process management so they can’t fart
without a work request

hehe

the way that people are getting on now is to change the user
agent in the login request, well x-platform-version specifically. but
if the x-platform-passphrase changes in how its constructed then its
easy to detect people trying to use an older firmware

they can even without the xi

as the firmware version is in a lot more requests than the auth

version is sent to the getprof servers also

ppl change only the xi one atm

and ena.

but its in netstart, xi, game starts

I understand that part of it, I was just talking about x-i-5
auth stuff

many many functions send the real fw version

but only xi5 is checked

I realize that many functions send the fw version, anything
that uses libhttp.sprx does

ya

remember I have been doing this for a couple months

even wrote software that lets me do the ssl parts on the fly
instead of to a fixed server, mirroring the CN of the real server

what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?

luckily they use CN=*.*.np.community.playstation.net which saves
a bit of hassle, just calling openssl from your app user12 ?

openssl libs

not the app itself

and I do it for *ALL* ssl connections in realtime

so even if you use the webbrowser it will generate certs for
that too

nice tool you made :)

it is similar in function to “sslsniff” but mine works with
the ps3 and logs correctly

for the first i think ppl should use a replace of all 3.5.5
and 355 strings but regarding to the user agent, else psn wont load

user12 which certs u use?

only 05 i guess ?

CA i mean sorry

user2: I use them all

there is a place that the firmware version is in lv2 that is
not a “string”

its ‘decimal’ “035500” not sure if its 32 or 64 bit in size
though,

btw u know the login url for auth is like:

but that is not the ascii 3 its the decimal value

&serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID

I have complete logs for the auth stuff

did u already change the “first” param?

i wonder what it does

first=true is only there if you had not previously logged
into psn

ah ok

its missing if you were previously logged in but you need a
new ticet

ticket

hi

please not connect

to external dns ip

with your ps3

your passwords and email and other data is revealed on the
external side

which you need for each service id that you need one for,
meaning if you sync trophies you get 1 ticket, when you play a game you
get a 2nd ticket, when you watch netflix you get a 3rd

spam people can use this info

most likely if they are mapping that host

if its just the firmware check then no, because there is nothing
private sent in that http (cleartext) request

so it depends on what hosts they are looking at

to start a spamming attack

hm didnt check that ticket stuff yet

as when i used a ticket

for a test POST

i worked with 1 only

and always worked

prolly many to identify the service

the ticket is sent to say a game, netflix, etc. anything that
uses psn. That way you do not send credentials to anyone but sony

if its like u say then this is another vuln lol

cuz as i tested if always first ticket works

you could hijack a session

the ticket and session i used didnt timeout

and if it always creates a new ticket as u say

there would be many sessions

I also have yet to monitor how long the tickets are valid for,
I know that the ps3 does not reuse them between apps but that could just
be the way its coded (they might be valid even though a normal ps3 will
never reuse)

for one user open

it may invalidate old ones on issuance of a new, I never looked

I just know that I saw it getting one at app launch

hm weird with the tickets

i know the ticket is build outta few params

the serial

the userid

issued date

service id

online id

many many :P

I also know that the server that does the x-i-5 tickets is a
bit more tight about the ciphers than any other system in sonyland

if sony is watching this channel they should know that running
an older version of apache on a redhat server with known vulnerabilities
is not wise, especially when that server freely reports its version and its
the auth server

its not old version, they just didnt update the banner

I consider apache 2.2.15 old

which server

it also has known vulnerabilities

auth.np.ac.playstation.net

ya the displayed version u see via banner is not the real version

unless they updated it in the last couple weeks

I doubt that since its not trivial to change that

its a bit more invasive than just setting it to Prod like they
do on their other servers

you know, watching this conversation makes me think about whether
it was a good idea after all to buy a couple of games from psn using a visa
card

its just backported security patches

i did remove all my info after downloading the games though

that is just psn not the store

they are running linux 2.6.9-2.6.24 on that box too

that too is old

lol @ buying on store

yes, but their general attitude towards security just seems…ugh

sony wont misuse the info i bet xD

but just prevent using cfw’s of unknown ppl

even better from ALL ppl

make ur own lol

so I doubt that they are spoofing the network stack on that
box as well

my guess is that it really is undermaintained “it works why
change anything”

could be

sony really should update that stuff to something more current

ya

but imagine

psn == 45 environments

and for example

every env has 50 subdomains

to external machines

its rly rly huge

who wants to do this xD

ppl r lazy

wont change

If you were able to read through all of that you are either very dedicated to learning about this issue or very bored. Either way let us know what you think by commenting below.

*Courtesy of Lo-Ping