Post: PS4 packet sniffer usernames
09-28-2017, 02:00 AM #1
coldmurda
▀▀▀███▀▀▀
I'm looking for someone with some knowledge of the p2p packet data format for PS4, specifically in party chats.

I would like to know where in the packet hex sequence the PSN name is stored. I haven't been able to find any pattern in my packet body dumps that would indicate a username. I understand these names are likely hashed; I just need a place to start.

I made my own sniffer for Linux/Mac, and username functionality is the last feature I really want to add. There doesn't seem to be any public information on this subject, so I was hoping someone here could help.


Here is an example of 3 packets I picked up from a friend:
    FF 84 FF 1F FF 1F 96 E9 AC F5 6F E6 2B A1 D7 63 43 EB C5 AF 92 3B 5B 39 61 74 7A 31 7A C2 45 15 60 F9 55 A9 1E 48 87 5F DB 3E A7 82 AF 9E 36 3C 1B 50 AC 24 EE 1F 54 E7 06 9E F5 8C 2F 6C F4 42 29 0C 44 E0 B3 1C 1C 66 80 8B 4C B6 C1 15 3F 77 2A 43 54 AD DD 8E 92 12 25 CB D3 74 5A A1 E0 9E B1 B4 92 D7 2E 8F 83 BA 5D 90 76 F2 5C A5 E6 51 14 6D CA 28 3A 90 3D 5C 3C A8 49 72 BC C2 D7 6D B2 40 4D 3E 64 70 BD 5C 83 BC B0 8B EF 76 77 1A B8 32 CA DA 22 6B A1 22 D8 C3 AB 1C 29 00 4C AA C0 45 97 F0 42 E3 BA 19 11 D0 80 C3 83 E0 0B B0 D6 57 EA C4 F0 C5 C3 27 F4 B3 2E A8 6F 2C F8 5A F2 93 DD FE D3 B5 D4 BC 4D 8E 16 F8 A1 D2 CD 3F B2 F3 F3 4F 53 AE 1C 95 50 63 D3 9A 01 D7 FE 74 7F 3B 7D F1 CA E4

09-30-2017, 02:59 AM #11
You won't find any usernames; the only way you would get it is in memory, since Sony now encrypts that data and it will not be seen in plain over the local network.
09-30-2017, 04:26 PM #12
coldmurda
▀▀▀███▀▀▀
Originally posted by Modzand
You won't find any usernames; the only way you would get it is in memory, since Sony now encrypts that data and it will not be seen in plain over the local network.


Yes, that's what this thread is about. Packet data isn't exactly labeled in any useful way, so I'm trying to figure out where the username sequence is.

Encryption is unlikely. Console Sniffer's username output suggests they are hashed.


EDIT:
So I have a decent update. My friend and I sat in a party to figure part of this problem out. I found the sequence by using Console Sniffer, copying the ASCII junk, converting it to hex, and comparing it to the packet data I extracted.
The username only seems to be present in packets of around 94 bytes in size (this is a relatively small packet in comparison). It seems to occur rarely at best; on a 10 second sniff it only occurred twice. It would be nice to know what causes this.

info: The sequence begins at the 11th byte (after 3 bytes of zeros) and ends at the 27th byte. There are 4 bytes after this, then a long sequence of zeros.

I will post an update if I figure out a hash for this. I haven't had any luck yet; maybe someone could help.
username: Xx_P3RV1T1N_xX
hex data: 5C DD F3 DE 02 5F CF 11 F6 92 31 B3 E1 DB C7 D1


EDIT2:
Looks like Console Sniffer is now off by 4 bytes after the update. I used this site: [link requires forum login] to decode the UDP packet info, which was helpful.
5C DD is part of the source, F3 DE seems to be an 'unknown type',
and the actual data seems to begin at 02

here is the full packet:
    FF 83 FF FE FF FE 07 00 00 00 5C DD F3 DE 02 5F CF 11 F6 92 31 B3 E1 DB C7 D1 07 57 35 70 00 00 00 00 00 00 00 00 00 00 00 00 07 6B 23 80 D5 FD 68 23 8E BF AC 19 D6 2F 9A 0F 69 3E 44 DA 00 00 00 00 00 00 00 00 00 00 00 00 A2 02 CE BF 00 00 00 01 34 F7 32 26 0F 32 BE 0C 86 59 00 00

making the actual name
    025FCF11F69231B3E1DBC7D107573570
I guess.



EDIT 3:
After getting more and more examples from the same friend and others I'm only more confused. The 94-byte packet would seem to be the key. It carries the recurring information which I am assuming is the hashed username, and Console Sniffer seems to seek this packet out, likely on the same 94-byte filter. This would explain why Console Sniffer is so slow at getting packets compared to something like LANC that has no filter.

Each of these packets contains two recurring sequences of 20 bytes. Console Sniffer references the first 16 bytes of a given 20-byte sequence as the username. I found that these 20-byte sequences can be found in seemingly any order, which wouldn't be encouraging even if I knew how the data is being hidden. They are separated by 12 bytes of zeros, and the second sequence is followed by 12 bytes of zeros and 20 bytes of nonrecurring data.

A new example from my friend vRogue_-HoLLoWz-:
packet1:
    FF 83 FF FE FF FE 06 00 00 00 CE 77 73 38 E8 02 73 8B 0B 82 32 DE 73 65 3E 0E 9A B1 FE 07 00 00 00 00 00 00 00 00 00 00 00 00 A8 9E EE 3A 4C 94 6C 08 77 E3 11 07 77 E9 28 C3 C0 AA F2 92 00 00 00 00 00 00 00 00 00 00 00 00 BF 2C EE 4A 00 00 00 04 E5 7A CB D6 00 00 00 00 00 00 00 00

packet2:
    FF 83 FF FE FF FE 07 00 00 00 A8 9E EE 3A 4C 94 6C 08 77 E3 11 07 77 E9 28 C3 C0 AA F2 92 00 00 00 00 00 00 00 00 00 00 00 00 CE 77 73 38 E8 02 73 8B 0B 82 32 DE 73 65 3E 0E 9A B1 FE 07 00 00 00 00 00 00 00 00 00 00 00 00 EE 4A BF 2C 00 00 00 04 E5 7A CB D6 A4 11 C8 67 CA 11 00 00


packet1 can be broken down like this.
sequence 1:
    CE 77 73 38 E8 02 73 8B 0B 82 32 DE 73 65 3E 0E 9A B1 FE 07

sequence 2:
    A8 9E EE 3A 4C 94 6C 08 77 E3 11 07 77 E9 28 C3 C0 AA F2 92


If there are any experts in encryption, hashing, salts, secrets, I'd love the help. This can't be that complicated. The Console Sniffer guy figured it out. It would really be worth it to liberate this market of the premium bullshit.

I've run the usernames through pretty much every common hash alg with no luck. There may be something like what Tustin said with NPID involved, but I haven't been able to figure that out either.
Last edited by coldmurda ; 10-04-2017 at 03:32 PM.

10-08-2017, 12:26 PM #13
xNIGHTMAREM0DZx
NextGenUpdate Elite
any progress on this?
10-09-2017, 07:52 PM #14
coldmurda
▀▀▀███▀▀▀
Originally posted by xNIGHTMAREM0DZx
any progress on this?


I'm still trying to work it out. I reviewed the ConsoleSnifferv4 video
    https://www.youtube.com/watch?v=Hbpb-SJoz4A
and realized I was missing what is apparently a key piece of data.
Looks like 3 things are needed to unmarshal a username from a packet:
1. Your country - apparently target country is not needed
2. Username of the target you are connected to.
3. Username of your PSN

Those 3 things are used together to get the packet bitstream I have been reviewing.

If anyone could get their hands on Console Sniffer v4 Beta it would be a major help to completing this. Wyatt does not seem to be distributing it as easily as I would have hoped.
Last edited by coldmurda ; 10-09-2017 at 08:02 PM.
10-10-2017, 04:01 PM #15
Originally posted by coldmurda
I'm still trying to work it out. I reviewed the ConsoleSnifferv4 video
    https://www.youtube.com/watch?v=Hbpb-SJoz4A
and realized I was missing what is apparently a key piece of data.
Looks like 3 things are needed to unmarshal a username from a packet:
1. Your country - apparently target country is not needed
2. Username of the target you are connected to.
3. Username of your PSN

Those 3 things are used together to get the packet bitstream I have been reviewing.

If anyone could get their hands on Console Sniffer v4 Beta it would be a major help to completing this. Wyatt does not seem to be distributing it as easily as I would have hoped.


If you really think that sequence is the username, then it's 20 bytes in length (which means it's a SHA-1 HMAC hash if you know the key, or just plain SHA-1).
How to generate that hash I have no idea; it's a hash, so you're not going to be able to reverse it and see the original string.

EDIT:
Just saw the video and it does seem to be important to select your console region.
It also mentions encryption, so a hash is out of the question. Unless he's comparing a hash that he generated vs the hash from the packet.
In the video it said "could not decrypt". I don't know why it wouldn't decrypt, since it's encrypted and he knows the key? It's most likely that he's comparing hashes.
Last edited by Red-EyeX32 ; 10-10-2017 at 04:12 PM.

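The 94-byte layout coldmurda works out in post #12 (6-byte header, 4-byte counter, two 20-byte sequences each followed by 12 zero bytes, 20-byte tail) and Red-EyeX32's SHA-1 suggestion in post #15, checked together in an added example that is not code from any poster or from Console Sniffer. It splits the two vRogue_-HoLLoWz- packets from post #12 into fields, shows both carry the same two 20-byte sequences in swapped order, and confirms that neither equals an unkeyed SHA-1 or MD5 of the username, which is the negative result coldmurda reports: the field is not a plain digest that a passive observer could confirm by hashing a candidate name. The field names and the little-endian reading of bytes 7 to 10 are assumptions; the hex is copied from the thread.

```python
import hashlib

# Hex of the two 94-byte packets posted for "vRogue_-HoLLoWz-" (copied from the thread).
PACKET1 = ("FF 83 FF FE FF FE 06 00 00 00 CE 77 73 38 E8 02 73 8B 0B 82 32 DE 73 65 3E 0E 9A B1 FE 07"
           " 00 00 00 00 00 00 00 00 00 00 00 00 A8 9E EE 3A 4C 94 6C 08 77 E3 11 07 77 E9 28 C3 C0 AA F2 92"
           " 00 00 00 00 00 00 00 00 00 00 00 00 BF 2C EE 4A 00 00 00 04 E5 7A CB D6 00 00 00 00 00 00 00 00")
PACKET2 = ("FF 83 FF FE FF FE 07 00 00 00 A8 9E EE 3A 4C 94 6C 08 77 E3 11 07 77 E9 28 C3 C0 AA F2 92"
           " 00 00 00 00 00 00 00 00 00 00 00 00 CE 77 73 38 E8 02 73 8B 0B 82 32 DE 73 65 3E 0E 9A B1 FE 07"
           " 00 00 00 00 00 00 00 00 00 00 00 00 EE 4A BF 2C 00 00 00 04 E5 7A CB D6 A4 11 C8 67 CA 11 00 00")

HEADER = bytes.fromhex("FF83FFFEFFFE")  # common prefix of every 94-byte packet in the thread
PACKET_LEN = 94

def parse_party_packet(hex_dump):
    """Split one 94-byte packet into the fields observed in the thread. Layout inferred from
    the posted captures (an assumption, not a documented format):
    6-byte header | 4-byte counter | 20-byte seq A | 12 zero bytes | 20-byte seq B | 12 zero bytes | 20-byte tail"""
    data = bytes.fromhex(hex_dump)
    if len(data) != PACKET_LEN or not data.startswith(HEADER):
        raise ValueError("not a 94-byte packet with the FF 83 FF FE FF FE header")
    seq_a, gap1, seq_b, gap2, tail = data[10:30], data[30:42], data[42:62], data[62:74], data[74:94]
    if any(gap1) or any(gap2):
        raise ValueError("separator bytes are not all zero")
    return {
        "counter": int.from_bytes(data[6:10], "little"),  # 06/07 in the captures; endianness is a guess
        "sequences": frozenset({seq_a, seq_b}),           # order-independent: the pair swaps between packets
        "tail": tail,
    }

def unkeyed_digest_matches(username, sequences):
    """Return the unkeyed digests of `username` that equal an observed sequence: SHA-1 against the
    whole 20 bytes (Red-EyeX32's suggestion), MD5 against the first 16 bytes (the width Console
    Sniffer displays). An empty list means the field is not a plain digest that a passive observer
    could confirm by hashing a candidate name."""
    name = username.encode("utf-8")
    sha1, md5 = hashlib.sha1(name).digest(), hashlib.md5(name).digest()
    hits = []
    for seq in sequences:
        if seq == sha1:
            hits.append("sha1")
        if seq[:16] == md5:
            hits.append("md5")
    return sorted(hits)

if __name__ == "__main__":
    p1, p2 = parse_party_packet(PACKET1), parse_party_packet(PACKET2)
    print("same two sequences, swapped:", p1["sequences"] == p2["sequences"])
    print("unkeyed digest matches:", unkeyed_digest_matches("vRogue_-HoLLoWz-", p1["sequences"]))
```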
10-11-2017, 04:32 PM #16
iDontRte
Keep Your Head Up!
Very interesting.
10-13-2017, 08:39 AM #17
Tustin is on the right track on how to grab the username from the packets.
10-13-2017, 08:46 AM #18
ff 5c 75 30 30 38 33 ff fe ff fe in ASCII text form is ÿ\u0083ÿþÿþ
10-22-2017, 11:45 PM #19
iDontRte
Keep Your Head Up!
How you doin with this fam?
