They used a secured connection to the server. You need to setup a custom proxy server with a valid passphrase. Then you can sniff packets and the packet with console ID should be a HTTP POST query to the server with a hostname of auth.np.ac.playstation.net
port and a part of URI should be /nav/auth
. If you get the packet then you can extract form fields from it. They are like:
And my info is for 3.55 firmware so it can differs at 4.xx.
here is the info about the passphrase and how too