Post: Theory for PSN on Homebrew PS3
05-26-2012, 03:09 AM #1
pcfreak30
>> PCFreak30.com Happy<<
Well I posted this on my blog and I thought NGU might be interested.

Originally posted by another user

I was talking to Choco of NGU on Skype about Black Ops and hacking/modding it. From there I spawned a simple idea that may or may not be complex but seems simple in concept. Granted I am not very deep in the PS3 firmware or its inner workings, but what I am about to propose to everyone is this.

We all know you can use a mod-chip with the PS3, use a dual-NAND type system or any other hardware-related hack. I am ALSO aware that people are able to dump the NAND of a PS3 with the proper hardware. So here is my thinking.

Step 1 is to DUMP the NAND from a 4.11 PS3 at a hardware level.

Step 2 is to alter the image data and replace SSL Certificate 24/25, like we used to with the Charles proxy hack, with the demo one from Charles proxy.

Step 3 is to write the image data BACK to the NAND and boot it up.

Step 4 is to set up proxy settings and intercept the connection between the PS3 and PSN and get all that good info.

Step 5 is to analyze it to get the passphrase, see what they have changed and see if there is any new security to handle.

Step 6 is optionally to try to re-program 3.55 in a CFW to implement the new security, if there is any.

I will say that I don't know how complex this would really be, but in concept it should not be hard. I hope I at least gave everyone something to think about and possibly someone a new project.

Comments?


05-29-2012, 01:34 PM #20
FireWire
I'm done here.
Originally posted by pcfreak30 View Post
Geeze. I ALREADY know what to use as software. Thing is, it's SSL encrypted, which is WHY you must hardware hack the NAND/NOR and replace the SSL CERT to allow yourself to DECRYPT the connection.

I have found I need someone with E3-Flasher and a 4.11 PS3. Who ever has this and is willing to risk messing with their PS3 should contact me.


I have an Infectus and a ProgSkeet so I will give it a go. Only thing is that altering the data will most likely corrupt it :/.
05-29-2012, 09:15 PM #21
Originally posted by pcfreak30 View Post
Well I posted this on my blog and I thought NGU might be interested.

1. Auth keys won't be decrypted.
2. If you can't trick the server into thinking you're on 4.xx, what then? Because you will never sign any code.
3. This is if it can be done; there may be a way to decrypt and resign using vsh.
4. 4.xx mfw is not going to happen; you have a better chance decrypting the auth keys. I'm not saying you shouldn't try, I'm just saying it's damn near impossible for one person and one computer.

---------- Post added at 05:15 PM ---------- Previous post was at 05:12 PM ----------

Originally posted by pcfreak30 View Post
What you guys DON'T Get is this is HOW you get the pass-phrase. The thing here is why would I want to do this if I am not getting the pass. The PS3 SENDS the code to the auth server along with its firmware version. All we need to do is intercept it.

The pass is in vsh.self, I believe, via reading. It is in 2 places but only 1 is used. We don't need to decrypt that. We just need to read it as it is sent out. This is assuming there's no CRC checks on the CERT files or anything else unforeseen.

So you get the info, then you take it to 3.55 and you're online...
The files' hash won't be the same, so when the PS3 loads it will corrupt and give a server error. Some of the info is set for that console only, btw.
05-29-2012, 09:37 PM #22
pcfreak30
>> PCFreak30.com Happy<<
Originally posted by Siga View Post
1. Auth keys won't be decrypted.
2. If you can't trick the server into thinking you're on 4.xx, what then? Because you will never sign any code.
3. This is if it can be done; there may be a way to decrypt and resign using vsh.
4. 4.xx mfw is not going to happen; you have a better chance decrypting the auth keys. I'm not saying you shouldn't try, I'm just saying it's damn near impossible for one person and one computer.

---------- Post added at 05:15 PM ---------- Previous post was at 05:12 PM ----------

The files' hash won't be the same, so when the PS3 loads it will corrupt and give a server error. Some of the info is set for that console only, btw.


Um, that's what you don't get. From what I see there IS NO hash on the CERT files. Also I am not trying to decrypt the auth key. There really isn't an auth key in this case. It's just the X-Passphrase. We are not modifying a SELF, BIN, or sprx. We are modifying a simple certificate file to do a MITM to get a password.
05-29-2012, 10:14 PM #23
jack4au
Splicer
Originally posted by pcfreak30 View Post
Well I posted this on my blog and I thought NGU might be interested.


You get homebrew on your 4.11 PS3 from just data transfer; it just doesn't run.
05-29-2012, 10:40 PM #24
Originally posted by pcfreak30 View Post
Um, that's what you don't get. From what I see there IS NO hash on the CERT files. Also I am not trying to decrypt the auth key. There really isn't an auth key in this case. It's just the X-Passphrase. We are not modifying a SELF, BIN, or sprx. We are modifying a simple certificate file to do a MITM to get a password.

Was pretty sure the cert files had a signature on them unique to the system, and the x-passphrase is the key; it's encrypted data sent to the PS3 allowing it to connect. It doesn't give any info on how the phrase is now. The PS3 sends what FW and some other info, like you know already, so how are you faking this to the server, which will have a sig check? If it doesn't, idk how no one has gotten back online yet. If you wish to continue, please do so in a PM; I do not wish to clutter your thread anymore.
05-29-2012, 11:20 PM #25
pcfreak30
>> PCFreak30.com Happy<<
Originally posted by Siga View Post
Was pretty sure the cert files had a signature on them unique to the system, and the x-passphrase is the key; it's encrypted data sent to the PS3 allowing it to connect. It doesn't give any info on how the phrase is now. The PS3 sends what FW and some other info, like you know already, so how are you faking this to the server, which will have a sig check? If it doesn't, idk how no one has gotten back online yet. If you wish to continue, please do so in a PM; I do not wish to clutter your thread anymore.


Here's what you do not know. During the time we HAD sp-int and such I was doing some research/snooping. I have done my fair share in hacking the PSN service :P.

Anyways, the x-passphrase is an HTTP header sent over an encrypted SSL connection. The PS3 f/w version is a header too. That or it's the user agent (can't remember). The reason we were able to go online before was the fact that we spoofed the F/W version and the pass on-the-fly with Charles and then the fuckPSN Ruby script. We can't know exactly what is sent now, but we can find out by simply decrypting the connection...

Once decrypted we can intercept all data and see all HTTP headers and data sent. It is then just a matter of getting a 3.55 PS3 to do the same via a mixture of editing the firmware SELF's and spoofing via MITM.


As a random thought, you can verify your claim about CERT having a sig by opening an original CERT in a hex editor and looking for data that's not part of a standard RSA/DSA Base64-encoded cert. All files have the signature in a header data section in the file itself.

---------- Post added at 07:20 PM ---------- Previous post was at 07:18 PM ----------

Originally posted by jack4au View Post
You get homebrew on your 4.11 PS3 from just data transfer; it just doesn't run.

Data transfer transfers your hard disk, not your nand. Your NAND/NOR(depending on PS3 model) is a data microchip that contains the firmware/operating system for the ps3.

06-02-2012, 03:53 AM #26
xSli
Keeper
Probably won't work.
06-02-2012, 07:03 AM #27
NZWarrior
THA G-FUNK ERA RETURNZ
Originally posted by pcfreak30 View Post
Well I posted this on my blog and I thought NGU might be interested.



All I have to say is that NGU is lucky to have you here with us ^_^
06-02-2012, 08:50 AM #28
zxz0O0
Are you high?
I actually also had this idea some days ago.

Originally posted by MCPADDINGTON View Post
I doubt this would work. Even for the simple fact of nobody knows how to get the passphrase. The only reason we had it in the first place is because math gave it to us.

Math didn't give us anything. When installing the Charles certificate we could sniff and decrypt the PS3 traffic and so get the passphrase (and edit the version header to get online). Now if you install this Charles certificate on a PS3 which is up to date, you can sniff out the new passphrase.
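The point zxz0O0 ends on, that a proxy's CA placed in the console's trust store lets that proxy read the TLS traffic, is the general weakness of any client that accepts whatever CA its owner can write into storage. The example below is added here as an illustration and is not code from this thread or from any PS3/PSN software: it contrasts that trust-store model with SPKI pinning, where the client is built knowing the server's public key, so a swapped CA certificate fails the check no matter what the store contains. The certificates are hand-built toy DER structures in RFC 5280 layout with placeholder, unverified signatures; the names "Genuine Root CA", "Proxy Demo CA" and "psn.example" are made up for the demonstration.

```python
# Added example (not from the thread or any PS3/PSN code): rewritable trust
# store vs. SPKI pinning. Certificates are hand-constructed toy DER with
# placeholder signatures; all names are made up for the demonstration.
import base64
import hashlib

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption
CN_OID = b"\x55\x04\x03"                                   # id-at-commonName


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (lengths up to 65535 bytes are enough here)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _children(buf: bytes):
    """Split the contents of a constructed DER value into (tag, tlv, value) triples."""
    out, pos = [], 0
    while pos < len(buf):
        start = pos
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        out.append((tag, buf[start:pos + length], buf[pos:pos + length]))
        pos += length
    return out


def _tbs_fields(cert_der: bytes):
    """Children of tbsCertificate minus the optional [0] version, so that
    index 2 is issuer and index 5 is subjectPublicKeyInfo (RFC 5280 order)."""
    tbs = _children(_children(cert_der)[0][2])[0]
    fields = _children(tbs[2])
    return fields[1:] if fields[0][0] == 0xA0 else fields


def issuer_cn(cert_der: bytes):
    """Issuer common name: walk Name -> RDN SET -> AttributeTypeAndValue."""
    for _, _, rdn in _children(_tbs_fields(cert_der)[2][2]):
        for _, _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[2] == CN_OID:
                return value[2].decode()
    return None


def spki_pin(cert_der: bytes) -> str:
    """'sha256/<base64>' over the SPKI DER, the pin format browsers used for HPKP."""
    spki_tlv = _tbs_fields(cert_der)[5][1]
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_tlv).digest()).decode()


def _name(cn: bytes) -> bytes:
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn))))


def make_cert(issuer: bytes, key_material: bytes) -> bytes:
    """Toy certificate in real RFC 5280 layout; the signature is a placeholder."""
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                + _der(0x03, b"\x00" + key_material))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                 # version v3
                + _der(0x02, b"\x01")                                  # serialNumber
                + _der(0x30, _der(0x06, SHA256_RSA_OID))               # signature
                + _name(issuer)                                        # issuer (made up)
                + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
                + _name(b"psn.example")                                # subject (made up)
                + spki)
    return _der(0x30, tbs + _der(0x30, _der(0x06, SHA256_RSA_OID)) + _der(0x03, b"\x00" * 33))


def trust_store_accepts(cert_der: bytes, trust_store) -> bool:
    """Weak model: anything chaining to a CA name in the (rewritable) store passes.
    Chain signature checking is elided; the point is *which* CAs are trusted."""
    return issuer_cn(cert_der) in trust_store


def pinned_accepts(cert_der: bytes, expected_pin: str) -> bool:
    """Strong model: the server key is known in advance, so no CA swap helps."""
    return spki_pin(cert_der) == expected_pin


# Constructed scenario: the genuine server's cert and an intercepting proxy's cert.
GENUINE = make_cert(b"Genuine Root CA", b"\x11" * 64)
PROXY = make_cert(b"Proxy Demo CA", b"\x22" * 64)
FACTORY_STORE = {"Genuine Root CA"}
FLASHED_STORE = {"Genuine Root CA", "Proxy Demo CA"}   # store after a CA swap
PIN = spki_pin(GENUINE)                                 # baked into the client at build time


def demo() -> dict:
    return {
        "factory_store_proxy": trust_store_accepts(PROXY, FACTORY_STORE),  # False
        "flashed_store_proxy": trust_store_accepts(PROXY, FLASHED_STORE),  # True: interception works
        "pinned_proxy": pinned_accepts(PROXY, PIN),                        # False: pin blocks it
        "pinned_genuine": pinned_accepts(GENUINE, PIN),                    # True
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is where the trust decision lives: the trust-store check is only as strong as the storage it reads from, while the pinned check carries the expected key inside the client itself, so replacing a certificate file changes nothing unless the client binary is also changed. The cost is that the pin must be updated whenever the server key rotates, which is why real deployments pin a backup key as well.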

Copyright © 2026, NextGenUpdate.
All Rights Reserved.