PS3 Setting time over the internet - CMOS battery issue

[DeViL303]

Just thought with all this worry about CMOS batteries and setting the time that I would try find the URL for the time server.

Well I found it, its in vsh.self, its https://SCEI-0.auth.np.ac.playstation.net/nav/auth

These are the important bits.

So I thought I would try to make the URL http instead of https so I could see the request and response, But it only partially worked. I did get to see the full request but it was rejected by the server as seen in the response., obvious I suppose.

Anyway we can see from the request it uses the consoles IDPS and also the hardcoded login ID and password from vsh.self.

Request:
POST http://SCEI-0.auth.np.ac.playstation.net/nav/auth HTTP/1.0
Host: SCEI-0.auth.np.ac.playstation.net
Proxy-Connection: Keep-Alive
Content-Length: 191
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
User-Agent: Lediatio Lunto Ritna
Accept-Language: ja, en, fr, es, de, it, nl, pt, ru, ko, zh, ch, fi, sv, da, no, pl, tr
X-I-5-Version: 2.1
X-Platform-Passphrase: 53914a148a95d51d34285ccf5827670f40ef4a8d825cf461b230a90a
X-Platform-Version: PS3_C 04.87
type=0&serviceid=SCEI-0&serviceentity=urn%3Aservice-entity%3Apsn2&loginid=VrEa2uUV3s2hTgLj&password=BDFvcv2vQ2mGvxsJ&consoleid=000000010087000REMOVED00000000000000000000000000000000

Response:
HTTP/1.0 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 310
Expires: Sat, 17 Apr 2021 02:54:35 GMT
X-Reference-Error: 18.4bdedd58.1618628075.46bf50e
Date: Sat, 17 Apr 2021 02:54:35 GMT
Connection: close
X-N: S
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
You don't have permission to access "http&#58;&#47;&#47;scei&#45;0&#46;auth&#46;np&#46;ac&#46;playstation&#46;net&#47;nav&#47;auth" on this server.<P>
Reference&#32;&#35;18&#46;4bdedd58&#46;1618628075&#46;46bf50e
</BODY>
</HTML>

Anyway, this is probably not any use, but maybe interesting to someone. Looks like this would not be so easy to spoof

 

[kozarovv]

Well, if you want that for unhacked ps3, then is gonna be hard. For hacked ps3 all that need to be done is patch:
cellRtcGetCurrentClock and cellRtcGetCurrentClockLocalTime (and maybe few others) to return "casual" clock data instead of RTC.
Overall cellRtc seems to be reversed for all our needs. But that's for hacked PS3..

 

[Edw590]

Custom server with decent SSL certificate accepted by the PS3 which returns what the PS3 wants it to return, and that doesn't check for anything like IDs? (Maybe the response would have to be reversed or something?)

 

[tungatung]

Well, if you want that for unhacked ps3, then is gonna be hard. For hacked ps3 all that need to be done is patch:
cellRtcGetCurrentClock and cellRtcGetCurrentClockLocalTime (and maybe few others) to return "casual" clock data instead of RTC.
Overall cellRtc seems to be reversed for all our needs. But that's for hacked PS3..

Is there a tutorial to it if yes then pls share the link

 

[jcorrea]

Just thought with all this worry about CMOS batteries and setting the time that I would try find the URL for the time server.

Well I found it, its in vsh.self, its https://SCEI-0.auth.np.ac.playstation.net/nav/auth

These are the important bits.
View attachment 32989

View attachment 32990



So I thought I would try to make the URL http instead of https so I could see the request and response, But it only partially worked. I did get to see the full request but it was rejected by the server as seen in the response., obvious I suppose.

Anyway we can see from the request it uses the consoles IDPS and also the hardcoded login ID and password from vsh.self.

Request:
POST http://SCEI-0.auth.np.ac.playstation.net/nav/auth HTTP/1.0
Host: SCEI-0.auth.np.ac.playstation.net
Proxy-Connection: Keep-Alive
Content-Length: 191
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
User-Agent: Lediatio Lunto Ritna
Accept-Language: ja, en, fr, es, de, it, nl, pt, ru, ko, zh, ch, fi, sv, da, no, pl, tr
X-I-5-Version: 2.1
X-Platform-Passphrase: 53914a148a95d51d34285ccf5827670f40ef4a8d825cf461b230a90a
X-Platform-Version: PS3_C 04.87
type=0&serviceid=SCEI-0&serviceentity=urn%3Aservice-entity%3Apsn2&loginid=VrEa2uUV3s2hTgLj&password=BDFvcv2vQ2mGvxsJ&consoleid=000000010087000REMOVED00000000000000000000000000000000

Response:
HTTP/1.0 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 310
Expires: Sat, 17 Apr 2021 02:54:35 GMT
X-Reference-Error: 18.4bdedd58.1618628075.46bf50e
Date: Sat, 17 Apr 2021 02:54:35 GMT
Connection: close
X-N: S
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
You don't have permission to access "http&#58;&#47;&#47;scei&#45;0&#46;auth&#46;np&#46;ac&#46;playstation&#46;net&#47;nav&#47;auth" on this server.<P>
Reference&#32;&#35;18&#46;4bdedd58&#46;1618628075&#46;46bf50e
</BODY>
</HTML>

Anyway, this is probably not any use, but maybe interesting to someone. Looks like this would not be so easy to spoof

Intercepting the request using Charles shows that it's made without those headers:

CONNECT SCEI-0.auth.np.ac.playstation.net:443 HTTP/1.0
Host: SCEI-0.auth.np.ac.playstation.net
Proxy-Connection: Keep-Alive

Probably we will need to inject a new certificate (CA05.cer) to be able to intercept and decrypt all the request.

I recorded the response binary and I'm trying to use this as a response to new requests...

 

[DeViL303]

Cool. I was wondering if replaying the official response would work. I think the difference here is just the way the proxy displays the request. I used SKFUs PS3 proxy and it displays more info.

The extra info shown in my request must be there really, as you can see the login ID and password, and console IDPS.

Probably the reason you can not see all that in your proxy it is because my request was done over HTTP as I changed the URL in vsh.self.

BTW my "CBOMB Defusal Kit" arrived.

Not exactly pretty, but now I can change the batteries one at a time so the clock never needs to be reset, also they should last longer. And as a bonus next time it needs to be done its just under the top cover. No need to remove the drive or power supply.

 

[jcorrea]

Cool. I was wondering if replaying the official response would work. I think the difference here is just the way the proxy displays the request. I used SKFUs PS3 proxy and it displays more info.

The extra info shown in my request must be there really, as you can see the login ID and password, and console IDPS.

Probably the reason you can not see all that in your proxy it is because my request was done over HTTP as I changed the URL in vsh.self.

BTW my "CBOMB Defusal Kit" arrived.

Not exactly pretty, but now I can change the batteries one at a time so the clock never needs to be reset, also they should last longer. And as a bonus next time it needs to be done its just under the top cover. No need to remove the drive or power supply.

View attachment 33051 View attachment 33052 View attachment 33054

Great idea.

 

[Berion]

Yet easy replacing battery doesn't eliminating server response. They must works both because date & time set by user is not sufficient. For RTC is still year 1969 (or whatever is default one, my PSTV started from 2000-01-01). ;p

 

[jcorrea]

Yet easy replacing battery doesn't eliminating server response. They must works both because date & time set by user is not sufficient. For RTC is still year 1969 (or whatever is default one, my PSTV started from 2000-01-01). ;p

But if it's already set, there is no need to get date/time from server again.

 

[Berion]

If You pull out battery or they become "dry out", it stops to be set. And here is the problem.

Using above nice mod, user could just get out one battery, while second still keep settings, check it, then place back or replace, and do the same with other (I think this is the reason why it was developed, besides of course easy access).

 

[MaxLab81]

Just thought with all this worry about CMOS batteries and setting the time that I would try find the URL for the time server.

Well I found it, its in vsh.self, its https://SCEI-0.auth.np.ac.playstation.net/nav/auth

These are the important bits.
View attachment 32989

View attachment 32990



So I thought I would try to make the URL http instead of https so I could see the request and response, But it only partially worked. I did get to see the full request but it was rejected by the server as seen in the response., obvious I suppose.

Anyway we can see from the request it uses the consoles IDPS and also the hardcoded login ID and password from vsh.self.

Request:
POST http://SCEI-0.auth.np.ac.playstation.net/nav/auth HTTP/1.0
Host: SCEI-0.auth.np.ac.playstation.net
Proxy-Connection: Keep-Alive
Content-Length: 191
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
User-Agent: Lediatio Lunto Ritna
Accept-Language: ja, en, fr, es, de, it, nl, pt, ru, ko, zh, ch, fi, sv, da, no, pl, tr
X-I-5-Version: 2.1
X-Platform-Passphrase: 53914a148a95d51d34285ccf5827670f40ef4a8d825cf461b230a90a
X-Platform-Version: PS3_C 04.87
type=0&serviceid=SCEI-0&serviceentity=urn%3Aservice-entity%3Apsn2&loginid=VrEa2uUV3s2hTgLj&password=BDFvcv2vQ2mGvxsJ&consoleid=000000010087000REMOVED00000000000000000000000000000000

Response:
HTTP/1.0 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 310
Expires: Sat, 17 Apr 2021 02:54:35 GMT
X-Reference-Error: 18.4bdedd58.1618628075.46bf50e
Date: Sat, 17 Apr 2021 02:54:35 GMT
Connection: close
X-N: S
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
You don't have permission to access "http&#58;&#47;&#47;scei&#45;0&#46;auth&#46;np&#46;ac&#46;playstation&#46;net&#47;nav&#47;auth" on this server.<P>
Reference&#32;&#35;18&#46;4bdedd58&#46;1618628075&#46;46bf50e
</BODY>
</HTML>

Anyway, this is probably not any use, but maybe interesting to someone. Looks like this would not be so easy to spoof

HTTP/1.0 403 Forbidden
bad TLS and set cipher

 

[jcorrea]

HTTP/1.0 403 Forbidden
bad TLS and set cipher

Fsociety

 

[jcorrea]

HTTP/1.0 403 Forbidden
bad TLS and set cipher

I'm trying to replicate the curl command you used, but I'm always getting this:

curl https://SCEI-0.auth.np.ac.playstation.net/nav/auth -v --http1.0 -X POST --no-alpn --no-npn --cacert CA05.cer --tlsv1.2 --tls-max 1.2 --ciphers AES128-SHA256

*   Trying 104.104.153.254...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x7fffee9a2330)
* Connected to SCEI-0.auth.np.ac.playstation.net (104.104.153.254) port 443 (#0)
* Cipher selection: AES128-SHA256
* successfully set certificate verify locations:
*   CAfile: CA05.cer
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, bad certificate (554):
* SSL certificate problem: CA signature digest algorithm too weak
* Closing connection 0
curl: (60) SSL certificate problem: CA signature digest algorithm too weak
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Could you please share the right command to use?

 

[bucanero]

I'm trying to replicate the curl command you used, but I'm always getting this:

curl https://SCEI-0.auth.np.ac.playstation.net/nav/auth -v --http1.0 -X POST --no-alpn --no-npn --cacert CA05.cer --tlsv1.2 --tls-max 1.2 --ciphers AES128-SHA256


Could you please share the right command to use?

regarding curl, you can try using the -k or the --insecure option to skip all those security checks.

also, trying an old version of curl might allow the connection.... for example, a version from 4 years ago might not have those ciphers tagged as "weak".

 

[mysis]

Hi,

I had the idea to incorporate this in xai_plugin..basically to respond with current time.
Another feature would be to disable certificate pinning/ssl certificate checks.

Kind regards,
mysis

 

[DeViL303]

Hi,

I had the idea to incorporate this in xai_plugin..basically to respond with current time.
Another feature would be to disable certificate pinning/ssl certificate checks.

Kind regards,
mysis

That would be really cool.

It would be great if we could disable the SSL errors or just add new certs

 

[SPOIL_WEDIEAT_END]

Cool. I was wondering if replaying the official response would work. I think the difference here is just the way the proxy displays the request. I used SKFUs PS3 proxy and it displays more info.

The extra info shown in my request must be there really, as you can see the login ID and password, and console IDPS.

Probably the reason you can not see all that in your proxy it is because my request was done over HTTP as I changed the URL in vsh.self.

BTW my "CBOMB Defusal Kit" arrived.

Not exactly pretty, but now I can change the batteries one at a time so the clock never needs to be reset, also they should last longer. And as a bonus next time it needs to be done its just under the top cover. No need to remove the drive or power supply.

View attachment 33051 View attachment 33052 View attachment 33054

Im Still trying what you said boss, Im pretty noob can somebody help me ?

 

[DeViL303]

Im Still trying what you said boss, Im pretty noob can somebody help me ?

Not sure what you mean, this is just showing where the URL is. There is not much you can with it. Just set your time over the internet if you need to. There is no issue yet, this all talking about some hypothetical problem that might never be an issue.

 

[tungatung]

Not sure what you mean, this is just showing where the URL is. There is not much you can with it. Just set your time over the internet if you need to. There is no issue yet, this all talking about some hypothetical problem that might never be an issue.

So there isnt any method to set the time locally on hacked ps3, if yes then what is it ?

 

[DeViL303]

So there isnt any method to set the time locally on hacked ps3, if yes then what is it ?

It can be done, and it's probably not hard. But no one has bothered as its not a problem. Even banned consoles can set the time. If the server goes down in 20 years then it will not be an issue for HEN or CFW users.