09-16-2010,06:00 AM

Originally Posted by
yoshi314
The hack is not done on the service stick level.
If the ps3 detects a real service stick on power-eject boot it will send some data to it, and the stick responds by processing that data in some special way and sends it back. If the data is what the ps3 expects to receive - service mode.
The jailbreak dongle simulates a usb hub with events of connection and disconnection of various usb devices, including the service stick. But that service stick only shows up as the device with the same usb identifier, and sends back arbitrary data to the ps3 - which is not valid. So, service mode is not entered.
Carefully arranged events of connection and removal of various usb devices with malformed usb device descriptors cause an overflow in the usb management code of the ps3 firmware and eventually trigger execution of code contained in those usb descriptors, which eventually leads to execution of the payload.
The only thing in common with the service mode is that you need to start up the ps3 by the power/eject combination, which causes it to look for a service stick on the usb ports at boot time.
Thanks for the clear explanation.
-
09-16-2010,06:07 AM
Won't having information like this on the internet just help Sony to close the hole shut permanently?
-
09-16-2010,06:14 AM
it has already been shut with 3.42.
obviously psgroove helped sony a lot to fix the problem. if it weren't done, sony would simply get their hands on jailbreak dongle and analyze the problem. it would probably take a bit longer, but end result would be the same.
-
09-16-2010,06:26 AM
can someone compile this for me so I can use my keyboard to jailbreak my ps3? It has a ps2 connector, if that matters.
where can I has ps3 torrents for downloads?
how do I use this to host modded COD MW2 lobbies?
but seriously, nice work. What architecture is this assembly? I am pretty decent with x86 assembly, but there are a number of commands here I don't recognize.
-
09-16-2010,06:47 AM
So does this mean that it's pretty much impossible for anyone to bypass the requirement to have a disc in the drive when running Backup Manager?
-
09-16-2010,06:54 AM

Originally Posted by
yoshi314
The hack is not done on the service stick level.
If the ps3 detects a real service stick on power-eject boot it will send some data to it, and the stick responds by processing that data in some special way and sends it back. If the data is what the ps3 expects to receive - service mode.
The jailbreak dongle simulates a usb hub with events of connection and disconnection of various usb devices, including the service stick. But that service stick only shows up as the device with the same usb identifier, and sends back arbitrary data to the ps3 - which is not valid. So, service mode is not entered.
Carefully arranged events of connection and removal of various usb devices with malformed usb device descriptors cause an overflow in the usb management code of the ps3 firmware and eventually trigger execution of code contained in those usb descriptors, which eventually leads to execution of the payload.
The only thing in common with the service mode is that you need to start up the ps3 by the power/eject combination, which causes it to look for a service stick on the usb ports at boot time.
Since the exploit is based on sending broken USB descriptors to the PS3 that is looking for the "service JIG", what do you mean by saying that it's not done on the "service stick level"? Even though the "stick" authentication fails, the exploit works exactly at this point.
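The explanation quoted twice above (yoshi314's post, and medi01's follow-up question about it) turns on one defensive point: a host's USB stack takes length fields from descriptors the device supplies, and if it trusts them when copying or indexing, a malformed descriptor can push it past its buffers. The block below is an added example, not code from the thread and not the PS3's actual USB code; it is a hypothetical host-side walk over a configuration descriptor blob that checks every device-supplied length (wTotalLength, each bLength) against the bytes actually received before using it. The descriptor type codes are the standard ones; the function and struct names and the sample blobs are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard USB descriptor type codes (USB 2.0, table 9-5). */
#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

/* Fixed-capacity bookkeeping a host stack might keep per configuration.
   Capping the counts is part of the defence: an unbounded count is an
   index into a fixed array waiting to happen. */
#define MAX_INTERFACES 8
#define MAX_ENDPOINTS  16

typedef struct {
    uint16_t total_length;
    int num_interfaces;
    int num_endpoints;
} usb_config_summary;

/* Walk a configuration descriptor blob of `len` received bytes.
 * Returns 0 on success, a distinct negative code for each malformed field.
 * No device-supplied length is used to advance or index before it has been
 * bounded against the bytes actually in `buf`. */
int parse_config_descriptors(const uint8_t *buf, size_t len, usb_config_summary *out)
{
    if (buf == NULL || out == NULL) return -1;
    memset(out, 0, sizeof *out);

    /* The configuration descriptor itself is 9 bytes: bLength, bDescriptorType, wTotalLength, ... */
    if (len < 9) return -2;
    if (buf[0] != 9 || buf[1] != USB_DT_CONFIG) return -3;

    uint16_t total = (uint16_t)(buf[2] | (buf[3] << 8));
    /* wTotalLength is the device's claim about how much follows. Trusting it
       over `len` is exactly what lets a short blob drive an over-read or an
       oversized copy into a fixed receive buffer. */
    if (total < 9 || total > len) return -4;
    out->total_length = total;

    size_t off = 9;
    while (off < total) {
        /* Every descriptor starts with bLength, bDescriptorType. */
        if (total - off < 2) return -5;
        uint8_t blen  = buf[off];
        uint8_t btype = buf[off + 1];
        /* bLength must cover its own 2-byte header and fit in what remains. */
        if (blen < 2 || blen > total - off) return -6;

        switch (btype) {
        case USB_DT_INTERFACE:
            if (blen != 9) return -7;
            if (++out->num_interfaces > MAX_INTERFACES) return -8;
            break;
        case USB_DT_ENDPOINT:
            if (blen < 7) return -9;   /* 7 bytes, or 9 for audio-class endpoints */
            if (++out->num_endpoints > MAX_ENDPOINTS) return -10;
            break;
        default:
            /* Class- or vendor-specific descriptor: skip it by its (already bounded) bLength. */
            break;
        }
        off += blen;
    }
    return 0;
}

/* Constructed sample: config(9) + interface(9) + bulk IN endpoint(7) = 25 bytes. */
static const uint8_t good_blob[25] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 64, 0, 0
};

/* Constructed sample: wTotalLength claims 200 bytes but only 25 were received. */
static const uint8_t lying_total[25] = {
    9, USB_DT_CONFIG, 200, 0, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 64, 0, 0
};

/* Constructed sample: the interface descriptor's bLength (0xFF) overruns the 16 bytes left. */
static const uint8_t huge_blength[25] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    0xFF, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 64, 0, 0
};

/* Return codes for each sample, so a harness can check them without parsing stdout. */
int check_good(void)
{
    usb_config_summary s;
    int rc = parse_config_descriptors(good_blob, sizeof good_blob, &s);
    return rc == 0 && s.total_length == 25 && s.num_interfaces == 1 && s.num_endpoints == 1;
}
int check_lying_total(void)  { usb_config_summary s; return parse_config_descriptors(lying_total, sizeof lying_total, &s); }
int check_huge_blength(void) { usb_config_summary s; return parse_config_descriptors(huge_blength, sizeof huge_blength, &s); }

int main(void)
{
    printf("well-formed blob accepted: %s\n", check_good() ? "yes" : "no");
    printf("wTotalLength > received bytes rejected with %d\n", check_lying_total());
    printf("bLength past end rejected with %d\n", check_huge_blength());
    return 0;
}
```

The design point is that each rejection happens before the offending length is used for anything: the parser never reads beyond `buf + len`, never copies `bLength` bytes anywhere, and never increments a counter past the array it would later index. A stack that instead memcpy'd `bLength` bytes into a fixed-size descriptor struct, or allocated on `wTotalLength` and then read `len` bytes, is the shape of bug the thread's description is pointing at.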
-
09-16-2010,07:32 AM

Originally Posted by
medi01
The PS3 never thinks that it is connected to a real jig, it rejects it.
However due to some clever buffer overflows, the process of the ps3 looking for the jig allows uploaded code to be run.
-
09-16-2010,07:39 AM

Originally Posted by
smf
The PS3 never thinks that it is connected to a real jig, it rejects it.
However due to some clever buffer overflows, the process of the ps3 looking for the jig allows uploaded code to be run.
Well, that's exactly how I got it.
Except I also thought that the code that looks for jig is not part of the firmware, but is located in BIOS. So either it's not, or Sony can also update BIOS, or the hole is still there.
-
09-16-2010,08:18 AM
This whole thing is amusing. The exploit isn't even a month old yet and it's already been patched by Sony. All PSJailbreaks and clones have been rendered useless and what's even funnier is that clones still keep popping up even though their target market is most likely on 3.42 already.
Oh well, it was fun while it lasted. Wake me up when someone comes up with a hack that actually lasts as long as its iXtreme counterpart.