Hacking Intercepting PS4 leaderboard updates for old games?

Fridgelander

New Member
OP
Newbie
Joined
Mar 26, 2021
Messages
4
Trophies
0
Age
40
XP
48
Country
United States
I'm new to PS4 homebrew stuff, but I have a network security/pen testing background.

There is an old, dead game on PS4, and I was curious about how it was updating its leaderboards. This has been the subject of speculation in the community (I don't want to name the game/community specifically).

Upon examining a network capture, it seems like servers are provided by Sony, and the game sends updates every 5 minutes or so via SSL. An XML file is retrieved to display the current details in the game.

I am wondering if it is theoretically possible to MITM these SSL connections and see the data being passed? I'm not interested in doing anything illegal, but it is of interest to me as a pen tester and to several others in the community, as we have had debates on aspects of this point.

I have a PS4 in storage that has not been updated since early 2018, which I figure means it should be fairly easy to crack/jailbreak and install homebrew on.

I am wondering if it is possible to grab the SSL cert from the game (or is it a system wide cert?) and install it into burp or something to be able to observe unencrypted traffic?

I couldn't find much on this when searching and would be interested in any pointers or a discussion of what is and isn't possible.
 

wartutor

Well-Known Member
Member
Joined
Dec 25, 2012
Messages
759
Trophies
1
Age
45
XP
2,387
Country
United States
The first question on everyone's mind is why can't you say the game's name/why don't you want to. What online game are you trying to currently cheat and why?

P.s. almost everything you are describing sounds somewhat if not completely illegal. What's the end game here?
 

Fridgelander

New Member
OP
Newbie
Joined
Mar 26, 2021
Messages
4
Trophies
0
Age
40
XP
48
Country
United States
The first question on everyone's mind is why can't you say the game's name/why don't you want to. What online game are you trying to currently cheat and why?

P.s. almost everything you are describing sounds somewhat if not completely illegal. What's the end game here?

First, not a thing I've mentioned sounds remotely illegal. Merely intercepting traffic for reverse engineering purposes is not only not illegal but it is explicitly permitted by the DMCA.

Second, I don't want to mention the game because it's irrelevant to what I'm asking, and because it's a small community with an excess of toxic people.

The game is dead and it won't be long until the official servers are taken down entirely. I'm working to reverse engineer the protocol to be able to have a community server for when that happens, and I mostly have it done. I'd like to have leaderboard functionality as well but it seems to be being handled separately, hence my question.

I'm not really interested in your assumptions or accusations that I'm cheating. That's not the case and I'm not interested in arguing to defend against that. If that's what you're set on thinking, it's not a notion I'll ever be able to change anyway. I'd ask that you and others who want to make such allegations don't bother posting since it isn't productive, but since you likely won't I'll do my best to ignore people that insist on making such accusations.
 
Last edited by Fridgelander,

wartutor

Well-Known Member
Member
Joined
Dec 25, 2012
Messages
759
Trophies
1
Age
45
XP
2,387
Country
United States
First of all, lmao on the bs about telling me not to post. As far as your question, if you can't even give a game name then wtf would anyone help? It is a very simple question, but again, whatever. Good luck on your hunt for vague information.
 

SapphireExile

Sapphire
Member
Joined
May 2, 2018
Messages
115
Trophies
0
Age
28
Location
Bartow, FL
Website
sapphirelabs.online
XP
490
Country
United States
First, not a thing I've mentioned sounds remotely illegal. Merely intercepting traffic for reverse engineering purposes is not only not illegal but it is explicitly permitted by the DMCA.

Second, I don't want to mention the game because it's irrelevant to what I'm asking, and because it's a small community with an excess of toxic people.

The game is dead and it won't be long until the official servers are taken down entirely. I'm working to reverse engineer the protocol to be able to have a community server for when that happens, and I mostly have it done. I'd like to have leaderboard functionality as well but it seems to be being handled separately, hence my question.

I'm not really interested in your assumptions or accusations that I'm cheating. That's not the case and I'm not interested in arguing to defend against that. If that's what you're set on thinking, it's not a notion I'll ever be able to change anyway. I'd ask that you and others who want to make such allegations don't bother posting since it isn't productive, but since you likely won't I'll do my best to ignore people that insist on making such accusations.

If you're already intercepting the data, dump the cap and examine the handshake. Just because it's over SSL doesn't mean the exchange itself isn't plain text.

I'd look into intercepting the XML and replacing it with a dummy file and checking if the game does any validation to it. It most likely does to prevent garbage data, but it wouldn't hurt to try.

You could also check if it's acquiring the stream start from a DNS lookup or a hardcoded domain. If it's DNS, just intercept the call and reroute to your own server, blindly accept all handshakes, and let it download your own file.

Only issue I see is, it may be an API call to a global leaderboard server that Sony hosts directly, and if so, you may be at a dead end. I know similar services like Google Play and some UE plugins use a master leaderboard server that uses an API to deliver the requested stats.
 
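What the capture already gives away before anything is decrypted, as an added example (Python, written for this page, not code from anyone in the thread): in TLS 1.0 through 1.2 the ClientHello, the ServerHello and the server's Certificate message all travel in the clear, so the hostname the game asks for (SNI), the version and cipher suite the two sides actually settle on, and the server's certificate chain can be read straight out of the pcap. The private key is not in the capture, so importing that server certificate into Burp decrypts nothing; it only tells you what the console was willing to trust. The two handshake messages below are constructed to exercise the parser, and the hostname is a placeholder, not the real endpoint.

```python
import struct

# Record/handshake type codes plus names for the few values the constructed sample uses.
HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_SERVER_NAME = 0x0000
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}


def _u16(b, off):
    return struct.unpack_from(">H", b, off)[0]


def _version_name(v):
    return TLS_VERSIONS.get(v, "0x%04x" % v)


def _suite_name(s):
    return CIPHER_SUITE_NAMES.get(s, "0x%04x" % s)


def parse_handshake_record(data):
    """Check the 5-byte record header and 4-byte handshake header; return (record_version, msg_type, body)."""
    if len(data) < 9 or data[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = _u16(data, 1), _u16(data, 3)
    if 5 + record_len > len(data):
        raise ValueError("truncated TLS record")
    msg_type, msg_len = data[5], int.from_bytes(data[6:9], "big")
    body = data[9:9 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated handshake message")
    return record_version, msg_type, body


def _parse_extensions(body, off):
    """Return {ext_type: raw_data}; a hello without extensions simply ends before `off`."""
    exts = {}
    if off + 2 > len(body):
        return exts
    end = off + 2 + _u16(body, off)
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = _u16(body, off), _u16(body, off + 2)
        exts[ext_type] = body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
    return exts


def parse_client_hello(data):
    """Pull out what the ClientHello leaks in the clear: version, offered suites, SNI."""
    _, msg_type, body = parse_handshake_record(data)
    if msg_type != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    client_version = _u16(body, 0)
    off = 2 + 32                      # client_version + 32-byte random
    off += 1 + body[off]              # session_id
    suites_len = _u16(body, off)
    off += 2
    suites = [_u16(body, off + i) for i in range(0, suites_len, 2)]
    off += suites_len
    off += 1 + body[off]              # compression methods
    exts = _parse_extensions(body, off)
    sni = None
    if EXT_SERVER_NAME in exts:
        e = exts[EXT_SERVER_NAME]     # u16 list_len, u8 name_type(0=host), u16 name_len, name
        if len(e) >= 5 and e[2] == 0:
            sni = e[5:5 + _u16(e, 3)].decode("ascii")
    return {"client_version": _version_name(client_version),
            "cipher_suites": [_suite_name(s) for s in suites], "sni": sni}


def parse_server_hello(data):
    """The ServerHello fixes the negotiated version and suite; that is what 'still using TLS 1.0' means."""
    _, msg_type, body = parse_handshake_record(data)
    if msg_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    off = 2 + 32
    off += 1 + body[off]              # session_id
    return {"version": _version_name(_u16(body, 0)), "cipher_suite": _suite_name(_u16(body, off))}


def _handshake_record(msg_type, body, record_version):
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", record_version, len(msg)) + msg


def build_client_hello(sni, suites, version=0x0301):
    """Constructed ClientHello (fixed random, empty session id, SNI only) to feed the parser."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_data = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (struct.pack(">H", version) + b"\x11" * 32 + b"\x00"
            + struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    return _handshake_record(CLIENT_HELLO, body, version)


def build_server_hello(version, suite):
    body = struct.pack(">H", version) + b"\x22" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _handshake_record(SERVER_HELLO, body, version)


if __name__ == "__main__":
    # Placeholder hostname; the real one comes from the capture.
    hello = build_client_hello("example.community.playstation.net", [0x002F, 0x0035, 0x000A])
    print(parse_client_hello(hello))
    print(parse_server_hello(build_server_hello(0x0301, 0x002F)))
```

Wireshark exposes the same fields (`tls.handshake.extensions_server_name`, `tls.handshake.version`, `tls.handshake.ciphersuite`); the parser is here to show exactly where in the bytes they sit, and which of them (the random, session id, the key exchange after the hellos) you cannot use without the server's private key.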

Flame

Me > You
Global Moderator
Joined
Jul 15, 2008
Messages
7,269
Trophies
3
XP
18,704
First of all, lmao on the bs about telling me not to post. As far as your question, if you can't even give a game name then wtf would anyone help? It is a very simple question, but again, whatever. Good luck on your hunt for vague information.

Dude, I'm sure he has his reasons. Maybe it's like Pokémon, where the homebrew scene is hated by legit users.

If you can help, nice. If not, ignore this thread. Plus, I thought it's not possible to cheat online on PS4 as the current firmware is not hackable. Even if he does, he will get banned, so that's his problem.

please be kind to one another.
 

Fridgelander

New Member
OP
Newbie
Joined
Mar 26, 2021
Messages
4
Trophies
0
Age
40
XP
48
Country
United States
If you're already intercepting the data, dump the cap and examine the handshake. Just because it's over SSL doesn't mean the exchange itself isn't plain text.

I'd look into intercepting the XML and replacing it with a dummy file and checking if the game does any validation to it. It most likely does to prevent garbage data, but it wouldn't hurt to try.

You could also check if it's acquiring the stream start from a DNS lookup or a hardcoded domain. If it's DNS, just intercept the call and reroute to your own server, blindly accept all handshakes, and let it download your own file.

Only issue I see is, it may be an API call to a global leaderboard server that Sony hosts directly, and if so, you may be at a dead end. I know similar services like Google Play and some UE plugins use a master leaderboard server that uses an API to deliver the requested stats.

Thanks for your reply!

I have examined the cap in detail, and from what I can tell anything concerning a leaderboard update is encrypted. The connections are to a Sony/PlayStation domain, so I'm guessing this is going to be hard to get around.

I wouldn't be surprised if I could modify the XML file, if it does any validation it's probably just checking for characters that don't belong. My issue is I want to be able to replicate leaderboard functionality and have the game update. Ideally, I'm hoping people could set the DNS for the leaderboard server to point to a server I control and have the game operate smoothly without noticing anything different.

I think the issue is not so much in downloading data, but in sending and updating data to a server. That's the part I can't gain any insight as to how it works. I don't have access to the game or my old PS4 at the moment as I'm away from home (and will be for a few months), but I do have my captures to work with.

I think it may be an API call to a global leaderboard server that Sony provides as you suggest. The domain name where it sends/receives updates from isn't specific to the game in any way but is specific to Sony. The domain ends in "community.playstation.net". Since it's an old game it is still using TLS 1.0, so I thought there may be some leeway there (although I haven't looked up specific attacks yet). Otherwise, I was thinking I could maybe import the SSL cert on the PS4 into Burp and decrypt and view everything that way. I haven't ever really played around with a PS4 like this, but I am guessing I need to jailbreak it to get access to it? What are your thoughts on that approach?
 

SapphireExile

Sapphire
Member
Joined
May 2, 2018
Messages
115
Trophies
0
Age
28
Location
Bartow, FL
Website
sapphirelabs.online
XP
490
Country
United States
I think it may be an API call to a global leaderboard server that Sony provides as you suggest. The domain name where it sends/receives updates from isn't specific to the game in any way but is specific to Sony. The domain ends in "community.playstation.net". Since it's an old game it is still using TLS 1.0, so I thought there may be some leeway there (although I haven't looked up specific attacks yet). Otherwise, I was thinking I could maybe import the SSL cert on the PS4 into Burp and decrypt and view everything that way. I haven't ever really played around with a PS4 like this, but I am guessing I need to jailbreak it to get access to it? What are your thoughts on that approach?

If it's community, it's a master server. AFAIK, the console has a few root authorities, but no extractable tickets. I'd suggest to MITM the connection entirely, and replay the capture back, from your server.
The header should contain information about length of payload, which is better than nothing in terms of reverse engineering. Ideally, the game would always be listening for an update, but I doubt it.

So, steps:
0. Proxy all incoming / outgoing connections
1. Trigger a leaderboard update a few dozen times
2. Isolate the call
3. Trigger another update, but block the connection.
4. Replay the previous capture back to the console

If the connection was poorly implemented, it shouldn't complain about a different source. If it refuses, or acts like nothing happened, the task is going to get a lot more complex, and will require TLS to be broken and spoofed. I doubt the devs would care too strongly about it to implement a safe leaderboard though.
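The stand-in server that the steps above end in, as an added example (Python, written for this page, not code from anyone in the thread, and separate from the handshake parser added earlier): point the console's DNS for the leaderboard host at a machine running it, replay the captured XML on the GET the game issues every few minutes, and record verbatim whatever the game POSTs, since that request body is the update format nobody has been able to see through TLS. The XML and the path are constructed placeholders; the real ones come from the capture. For the TLS case, generate a self-signed certificate for the hostname the game requests (`openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj '/CN=<that host>'`) and pass `certfile`/`keyfile`. Whether the game completes the handshake against a certificate the console's trust store does not chain to is exactly SapphireExile's "refuses, or acts like nothing happened" check; nothing here breaks TLS, and the version the client offers does not change that outcome, it only determines whether a modern server will talk to it at all.

```python
import http.server
import ssl
import threading
from urllib.parse import urlparse

# Constructed stand-in for the XML the game fetches; the real schema is not known from the thread.
CAPTURED_LEADERBOARD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<leaderboard>
  <entry rank="1" name="player_one" score="12345"/>
  <entry rank="2" name="player_two" score="9876"/>
</leaderboard>
"""
LEADERBOARD_PATH = "/leaderboard/xml"   # hypothetical; take the real path from the capture


class ReplayState:
    """What the stand-in server knows: the replayed board plus every update the client sent."""

    def __init__(self, xml):
        self.xml = xml
        self.updates = []
        self.lock = threading.Lock()


def handle_request(state, method, path, headers, body):
    """Pick the reply for one request; returns (status, content_type, body).

    GET on the leaderboard path replays the captured XML. Any POST/PUT is stored
    untouched (path, headers, raw body) and answered with the same XML so the game
    has something well-formed to parse. Everything else is a 404 you will see logged.
    """
    route = urlparse(path).path
    if method == "GET" and route == LEADERBOARD_PATH:
        return 200, "application/xml", state.xml
    if method in ("POST", "PUT"):
        with state.lock:
            state.updates.append({"path": path, "headers": dict(headers), "body": body})
        return 200, "application/xml", state.xml
    return 404, "text/plain", b"unknown path: " + route.encode()


def make_handler(state):
    class ReplayHandler(http.server.BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def _dispatch(self):
            length = int(self.headers.get("Content-Length", "0"))
            body = self.rfile.read(length) if length else b""
            status, ctype, reply = handle_request(state, self.command, self.path, self.headers, body)
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(reply)))
            self.end_headers()
            self.wfile.write(reply)

        do_GET = do_POST = do_PUT = _dispatch

    return ReplayHandler


def start_replay_server(state, host="0.0.0.0", port=443, certfile=None, keyfile=None):
    """Serve plain HTTP, or HTTPS with the self-signed cert for the redirected hostname."""
    httpd = http.server.ThreadingHTTPServer((host, port), make_handler(state))
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        # A TLS 1.0-only client needs both of these; current OpenSSL refuses TLS 1.0 by
        # default, and builds with TLS 1.0 compiled out raise on the first line.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def demo_exchange():
    """Offline walk-through of the GET / POST / miss cases without opening a socket."""
    state = ReplayState(CAPTURED_LEADERBOARD_XML)
    get = handle_request(state, "GET", LEADERBOARD_PATH, {}, b"")
    post = handle_request(state, "POST", "/leaderboard/update?v=1",
                          {"Content-Type": "application/xml"}, b"<update score='42'/>")
    miss = handle_request(state, "GET", "/nope", {}, b"")
    return get, post, miss, state.updates


if __name__ == "__main__":
    import time
    state = ReplayState(CAPTURED_LEADERBOARD_XML)
    httpd = start_replay_server(state, port=8443)    # add certfile=..., keyfile=... for TLS
    print("replay server on", httpd.server_address)
    while True:
        time.sleep(60)
        print("updates recorded so far:", len(state.updates))
```

Run it with the console's DNS pointing at the host, watch `state.updates` fill up, and compare each recorded body with the board the game shows afterwards; that comparison is what tells you whether the game trusts the XML it is handed or checks it against something else.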
 

Fridgelander

New Member
OP
Newbie
Joined
Mar 26, 2021
Messages
4
Trophies
0
Age
40
XP
48
Country
United States
If it's community, it's a master server. AFAIK, the console has a few root authorities, but no extractable tickets. I'd suggest to MITM the connection entirely, and replay the capture back, from your server.
The header should contain information about length of payload, which is better than nothing in terms of reverse engineering. Ideally, the game would always be listening for an update, but I doubt it.

So, steps:
0. Proxy all incoming / outgoing connections
1. Trigger a leaderboard update a few dozen times
2. Isolate the call
3. Trigger another update, but block the connection.
4. Replay the previous capture back to the console

If the connection was poorly implemented, it shouldn't complain about a different source. If it refuses, or acts like nothing happened, the task is going to get a lot more complex, and will require TLS to be broken and spoofed. I doubt the devs would care too strongly about it to implement a safe leaderboard though.

Hey, thanks for your reply. Everything you've listed is pretty much what I suspected, but I wanted to get some insight since I was thinking about it and it's going to be a month or two before I start attempting anything. The game isn't always listening for an update, but seems to initiate pulls every 5 minutes or so.

I'll wait until I can properly test and proxy stuff. Worst case scenario, since it is using an old and vulnerable version of TLS there is likely room to maneuver if it comes to that.

Thanks for your suggestions.
 
