Page 1 of 3
Results 1 to 10 of 25

Thread: PS JailBreak Inside Pics, Details by SKFU & DemonHades Team

  1. #1
    Join Date
    Apr 2005

    PS JailBreak Inside Pics, Details by SKFU & DemonHades Team

    Yesterday we caught a glimpse of some PS JailBreak Reviews which confirmed PS3 Firmware 3.41 is required, and today we have some PS3 JailBreak details from PlayStation 3 hackers SKFU and the DemonHades Team along with some pictures of the inside of the PS JailBreak (below) courtesy of

    For those who missed it, PS JailBreak was first announced two days ago and is a USB device which allows end-users to play PS3 game back-ups on Sony's PlayStation 3 entertainment system.

    Here is what SKFU has to say on it, to quote:

    "I just tested the software they uploaded and can confirm it works so far.

    I can tell a bit about the backup manager. It seems the software uses bd_emu features to manage the backups. The HDD to use, should have a modified bd emu format, which sets all backups on first position, so the PS3 detects 'em all. Then you can choose the image to boot via the manager.

    To directly copy and boot a game, the software would need to decrypt all layers on the fly. Meaning it decrypts all executables somehow, else it won't run. Even on a debug unit.

    The hardware looks like a copy of the original PS3 jigstick, used in SONY service centers to repair broken PlayStation3 SKUs. Someone internal leaked or sold a stick, so they had the chance to reverse and clone the hardware.

    The stick should boot before the normal firmware does, so it's hard to patch it. Maybe SONY could update the bootcode to prevent it, set it to a revoke list.

    By the way, in all videos they use debug PS3's to run the software. There is no video showing the actual process booting on a retail PS3 afaik. So I do not confirm that this is true, yet!

    If it's as true as it looks this time, good job guys!"

    And now here are comments from DemonHades Team on PS JailBreak, to quote (roughly translated):

    "Well I see that recently raised a stir is mounted by a chip of course to load backups from a pendrive, at first glance one might say it's fake if we did not know of studies conducted years ago and let us see many more hidden things that not all users can understand, in this case we speak of the card jig, the jig is used by the card sony sat for maintenance and restoration in ps3.

    In short, this jig card has been removed from the payment sony sat.. so now try to expand the money spent only and once recovered the money spent in obtaining this device the reproduction and cloning of the device will be imminent.

    When I saw the body of the above, first I noticed that the sample vsh known and used parts of a debug.. and of course if one is launching retail which does not make much sense, could only think one way quickly- THE CONVERTER RETAIL TO DEBUG.

    This converter is thought to sony and service for devs have this jig card (aka USB dongle), allowing this USB is that:

    Releasing the boot ini dev_usb0 and a sequence of buttons that change the state of syscon as we launch the initial boot usb dongle, then interprets the bootstrap and load the necessary files from the dongle itself temporarily leaving the ram doing a false reboot.

    According to the store have told the seller, no residue on the PS3.. so it fits the above description.

    The idea is quite clear gentlemen, emulates the fw of trm syscon and we have a debug interprets loading the kernel debug and providing all the features to debug vshmain time, this results in loading unsigned code.

    This allows us, as I mentioned months ago, to launch pkgs from USB, since it has a browser for managing them.

    The official BDEMU disk loading before you activate the mediatype BD and then run the loader to the channel of communication with the real reader would be closed and only would use the BD-emu, emu and the bd can not share the same channel communication.

    In this case to remove the layer is used to extract cellftp to an external source of filesystems without pre-decoded and converted to debug layer.

    Executables can be created with the sdk, and generated their own loader which removes the layer of encryption (this if it will extract the discs, not linux), then the PS3Gen (published as a matter of 1 month) can create iso patched with valid soft. This itself means that everything that is made in the PS3 SDK (emulators, applications, etc) will be loaded without problems, as we are doing the same as the 360 with the jtag hack: it uses a core debug.

    The loader is loaded by the execution path that recognizes the actual application manager, loaded via app.

    In short, PS3 has fallen to the very tools you use in your SAT Sony... that if Sony can plug it into the next update.. just have to cancel the initial boot usb to close the bar, because the boss is syscon."


  2. #2
    Join Date
    Apr 2005


    I attached what Tsujin believes (unconfirmed) to be the pin-out to the PS JailBreak above HERE with another less successful pin-out attempt from bushing on IRC HERE and an attempt by knightsolidus, and to quote from Tsujin:
    Part: Micro, PIC, 32K Fl, TQFP44, PIC18F4550-I/PT

    Data Bus Width: 8 bit
    Device Core: PIC
    Family Name: PIC18
    Instruction Set Architecture: RISC
    Interface Type: SPI/I2C/EAUSART
    Maximum Clock Rate: 48 MHz
    Maximum Operating Temperature: 85°C
    Maximum Speed: 48 MHz
    Minimum Operating Temperature: -40°C
    Mounting: Surface Mount
    Number of Programmable I/Os: 35
    Number of Timers: 4
    On-Chip ADC: 13 ch x 10 bit
    Pin Count: 44
    Product Height: 1
    Product Length: 10
    Product Width: 10
    Program Memory Size: 32K
    Program Memory Type: Flash
    RAM Size: 2 KB
    Supplier Package: TQFP
    Typical Operating Supply Voltage: 5 V

    And here's a pin layout for the chip on the actual PS JailBreak hardware that I threw together for you:

    Full datasheet : http://docs-asia.origin.electrocompo...6b80806cfb.pdf

    All that's left are a couple of SMTs, a crystal oscillator, some surface-mount LEDs, and for someone to take a PS JailBreak, stick it in any 18F-compatible PIC writer, dump the hex contents of the chip and slap it on a bunch of new chips; the single-layer PCB is really, really basic.

    And the bad part? As far as the original makers are concerned, the device is so simple that it will be no different, in any way, from the original when cloned.

    Think of this not as a PS2 modchip, but more like the original PIC-based PS1 modchip: the only thing that differentiated the various models was the code on them, not the hardware itself. The hardware will be the same, as will the contents of the chip.

    Oh, and for the record, the parts (not in bulk, but for a single unit, from connectors to chip and so on) come to £5.68 ($8.82); if you were making these things in bulk, that price drops to £2.14 ($3.32) per unit.

    People buying the thing at $170AUS either have more money than sense, or no sense at all.

  3. #3
    Maniac2k Guest
    It's possible to set code protection bits on this PIC.

    If these bits are set, a simple read with a programmer is not possible.
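    As an added example (not code from any poster in this thread): a small Python check that reads a PIC18F4550 Intel HEX image and reports whether the code-protection bits Maniac2k refers to are set. Bit positions follow the PIC18F4550 configuration registers (CONFIG5L at 0x300008 holds CP3..CP0, CONFIG5H at 0x300009 holds CPB and CPD; a cleared bit means protected); the hex records are constructed sample input.

```python
"""Report PIC18F4550 code-protection settings from an Intel HEX image.

Added example, not code from this thread. Register and bit positions are
taken from the PIC18F4550 configuration-register description; a bit value
of 0 means the corresponding region is protected from external reads.
"""

CONFIG5L = 0x300008
CONFIG5H = 0x300009
# flag -> (config address, bit). Each flag protects one region when cleared.
CP_BITS = {
    "CP0": (CONFIG5L, 0),  # program block 0x0800-0x1FFF
    "CP1": (CONFIG5L, 1),  # program block 0x2000-0x3FFF
    "CP2": (CONFIG5L, 2),  # program block 0x4000-0x5FFF
    "CP3": (CONFIG5L, 3),  # program block 0x6000-0x7FFF
    "CPB": (CONFIG5H, 6),  # boot block 0x0000-0x07FF
    "CPD": (CONFIG5H, 7),  # data EEPROM
}


def parse_ihex(text):
    """Parse Intel HEX (record types 00, 01, 04) into {address: byte}."""
    image, upper = {}, 0
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith(":"):
            raise ValueError("bad record: %r" % line)
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:                     # all bytes incl. checksum sum to 0
            raise ValueError("checksum mismatch: %r" % line)
        length, offset, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + length]
        if rtype == 0x04:                       # extended linear address
            upper = int.from_bytes(data, "big") << 16
        elif rtype == 0x00:                     # data record
            for i, b in enumerate(data):
                image[upper + offset + i] = b
        elif rtype == 0x01:                     # end of file
            break
    return image


def code_protection(image):
    """Return {flag: True if protected}; a missing config byte counts as unprotected."""
    status = {}
    for name, (addr, bit) in CP_BITS.items():
        value = image.get(addr)
        status[name] = value is not None and not (value >> bit) & 1
    return status


# Constructed sample images holding only the two config bytes at 0x300008.
UNPROTECTED_HEX = ":020000040030CA\n:020008000FC027\n:00000001FF\n"
PROTECTED_HEX = ":020000040030CA\n:020008000000F6\n:00000001FF\n"

if __name__ == "__main__":
    for label, hx in (("unprotected", UNPROTECTED_HEX), ("protected", PROTECTED_HEX)):
        print(label, code_protection(parse_ihex(hx)))
```

    Run it against a real build output to confirm the protection flags before a device leaves the bench; a flag that reads False here is a region a programmer can read back.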

  4. #4
    sananth Guest

    Thanks Tsujin! I have a couple of questions ...

    Do you think that maybe they picked up a regular USB stick, flashed the chip, and then shorted a couple of points on it so that computers cannot recognize the thing as a USB stick?

    The reason I ask is that you mentioned that the chip is very very simple, so, I think they must be using security by obscurity to keep you from plugging any "leaked" hardware you obtained into a computer.

    Another question is more for the devs rather than the hardware expert, but do you think that the dongle is still needed after any .pkg file is installed?

    If I install a .pkg file, remove the dongle and reset the console, will I be able to run the newly installed executable/homebrew without using the dongle? Since we would only need to run unsigned code once to install the .pkg file (like some demos that were found to be un-encrypted), the system should be able to run things that were already installed without the need for the dongle right?

    Thanks for the analysis and help!

  5. #5
    livpool Guest
    From Mathieulh's Twitter:
    The exact chip for the psjailbreak dongle has been identified, looks like dumping it will be easy.
    Good news then; might we get a free version of this up on the net sooner than we thought?

  6. #6
    Maniac2k Guest
    No, it can't be a modified USB stick. As seen in the pictures there is only one chip on the PCB. The chip itself has an integrated EEPROM, but it's only 256 bytes.

  7. #7
    red8316 Guest
    Interesting clone investigation transcript from DemonHades site.
    If we look at the photo, two of the USB pins are bridged by a resistor, so they do nothing. That leaves only 2. One is the +5V and the other is data. So there is only one to analyze.

    The electronics guy who told me this prefers to stay anonymous, which we have to respect; he says he is studying electronics. Personally, I see the logic in it.

    Here is the conversation I had with him in our chat:

    <Anonimo> just saw pics
    <Anonimo> on your site
    <Anonimo> of the disassembled one from discoazul
    <Anonimo> i was just trying to

    <Anonimo> read the schematic
    <Anonimo> and found that
    <Anonimo> this is probably not
    <Anonimo> standard usb
    <Anonimo> it uses the usb connector
    <Anonimo> to initialize a different
    <Anonimo> kind of serial connection
    <Anonimo> looking at the schematic

    <Anonimo> you see D- and GND
    <Anonimo> connected together with a resistance
    <Anonimo> this is not usb
    <Anonimo> it may be a trigger
    <Anonimo> to start
    <Anonimo> a connection
    <Anonimo> onto the other
    <Anonimo> two pins

    <Anonimo> i bet it is standard rs232 or i2c
    <Anonimo> just like

    <Anonimo> any other service port
    <Anonimo> you can sniff the only active pin for the communication
    <Anonimo> and see
    <Anonimo> because
    <Anonimo> of the 4 usb pins
    <Anonimo> you have
    <Anonimo> 1 gnd
    <Anonimo> 2 d- connected to gnd

    <Anonimo> cool
    <Anonimo> you know
    <Anonimo> mcu
    <Anonimo> don't have a lot of flash
    <Anonimo> i don't think it stores
    <Anonimo> datas
    <Anonimo> inside
    <Anonimo> and looking at the schematics
    <Anonimo> it seems
    <Anonimo> also that
    <Anonimo> you have some pull up resistors

    <Anonimo> so i bet it is some kind of i2c
    <Anonimo> just like any other service hardware from any other brand
    <Anonimo> you can check with a multimeter when it arrives
    <Anonimo> i'm looking forward to see the complete schematic
    <Anonimo> on some website
    <Anonimo> so, to sum up
    <Anonimo> 1. Probably not usb, but a trigger onto one side to start a different protocol onto the other

    <Anonimo> 2. quite sure only one pin to sniff with logic
    <Anonimo> 3. mcu doesn't have a big flash, the magic datas are probably very little

    <Anonimo> 4. don't think they are using asic or fpga, more likely cheap mcu
    <Anonimo> and finally
    <Anonimo> the upper part of the board
    <Anonimo> is not interesting
    <Anonimo> it only handles lighting
    <Anonimo> the only thing
    <Anonimo> i can not understand
    <Anonimo> is the diode
    <Anonimo> probably used for reading
    <Anonimo> from the ps the reply
    <Anonimo> i have
    <Anonimo> another
    <Anonimo> theory
    <Anonimo> probably
    <Anonimo> if it is correct usb
    <Anonimo> protocol
    <Anonimo> and not using a tricky method
    <Anonimo> probably the
    <Anonimo> key is
    <Anonimo> the device id
    <CORAGON> ?¿
    <Anonimo> of the usb dongle
    <Anonimo> you know
    <CORAGON> yes i know
    <Anonimo> usb devices has a device id
    <CORAGON> but...
    <CORAGON> the id is the same in all ps jailbreak?
    <Anonimo> which
    <Anonimo> tells
    <Anonimo> the usb host
    <Anonimo> what kind of hardware
    <Anonimo> you connected
    <CORAGON> yes...
    <CORAGON> only with the id, the ps3 comes in to debug mode?
    <CORAGON> it can be
    <CORAGON> in the SAT, the technicians use a USB called "ID Stick" or something else
    <CORAGON> wait a second
    <CORAGON> i search it
    <Anonimo> k
    <CORAGON> ID swapping For Target USB
    <CORAGON> its the name
    <CORAGON> you say that the jailbreak changes the ID of the PS3
    <CORAGON> ?¿
    <Anonimo> no
    <Anonimo> every usb device
    <Anonimo> has got an id that tells
    <Anonimo> the kind of object connected
    <Anonimo> eg. printer, hid, wifi dongle ...
    <CORAGON> yes
    <Anonimo> if the ps3 has got inside a dongle with the correct id
    <Anonimo> goes into service
    <Anonimo> however
    <Anonimo> we only have to wait
    <Anonimo> monday
    <Anonimo> so that you can
    <CORAGON> It's easy to copy this ID?
    <Anonimo> open up the jig with your hands
    <Anonimo> XD
    <CORAGON> xD
    <Anonimo> when you use any mcu with usb
    <Anonimo> you can
    <Anonimo> decide it
    <CORAGON> mmm
    <Anonimo> if i'm not wrong
    <Anonimo> someone
    <Anonimo> tried
    <Anonimo> to connect it to a pc
    <CORAGON> yes
    <Anonimo> and the pc recognized it
    <CORAGON> no
    <Anonimo> in some way
    <CORAGON> the pc not recognized it
    <Anonimo> what happened?
    <CORAGON> nothing
    <CORAGON> when connect it
    <CORAGON> nothing happens
    <CORAGON> we will try to connect to linux
    <Anonimo> tried to search for hardware?
    <Anonimo> *drivers'
    <CORAGON> it finds a strange drive
    <Anonimo> oh this is good
    <CORAGON> but it hasn't got drivers
    <Anonimo> so it has a strange device id
    <CORAGON> yes
    <Anonimo> :P
    <CORAGON> but the mcu have memory
    <Anonimo> very little
    <CORAGON> it have a secret partition
    <Anonimo> generally
    <CORAGON> very very little
    <CORAGON> 256 kb i think
    <Anonimo> ok!
    <Anonimo> so that
    <CORAGON> with the debug kernel
    <Anonimo> they can
    <Anonimo> update
    <CORAGON> yes
    <Anonimo> it
    <Anonimo> probably
    <Anonimo> that is
    <Anonimo> the eeprom
    <Anonimo> inside
    <Anonimo> the mcu
    <Anonimo> ps3 debug kernel?
    <CORAGON> yes
    <CORAGON> it enables ps3 to run unsigned code
    <CORAGON> i have any idea about what mcu is it?
    <CORAGON> probably an atmega?
    <Anonimo> probably
    <CORAGON> i find an atmega 44 pin with memory and usb capable
    <Anonimo> you can also
    <CORAGON> ATmega 32U4
    <Anonimo> check for the pin
    <Anonimo> where the external
    <Anonimo> oscillator is connected
    <CORAGON> ok
    <Anonimo> the side i mean
    <CORAGON> Atmega datasheet: ... oc7766.pdf
    <CORAGON> 16/32K Bytes of
    <CORAGON> ISP Flash
    <Anonimo> the problem is not the mcu
    <Anonimo> i think any mcu
    <Anonimo> with usb
    <Anonimo> can handle the job
    <Anonimo> we have only to see sniffing
    <CORAGON> how to sniff a usb connection?
    <CORAGON> xD
    <Anonimo> you only need a strong logic analyzer
    <Anonimo> D- on pin 11
    <Anonimo> on this mcu
    <Anonimo> of photos

  8. #8
    Karl69 Guest
    <Anonimo> the problem is not the mcu
    <Anonimo> i think any mcu
    <Anonimo> with usb
    <Anonimo> can handle the job
    <Anonimo> we have only to see sniffing
    <CORAGON> how to sniff a usb connection?
    <CORAGON> xD
    <Anonimo> you only need a strong logic analyzer
    <Anonimo> D- on pin 11
    <Anonimo> on this mcu
    <Anonimo> of photos

    So, to which pin of the MCU is the CLK connected?
    That's probably the only way to tell which MCU is used here...

  9. #9
    Karl69 Guest
    Thanks... On the old PIC16C84 it was possible to override the read out protection by setting VCC=programming voltage-0.5V while programming the config bits...

    Though such a thing is not possible anymore, it might still be possible to glitch the newer PICs via the VCC and/or the CLK signal.

  10. #10
    ex5 Guest
    Hey, I found this also. Observations:

    Components (red dots)
    A : Resistor ; 1K
    B : LED
    C : LED
    D : Resistor ; 1k
    E : ?? Resistor ??
    F : ?? Capacitor ??
    G : ?? Resistor ??
    H : ?? Resistor ; 1K (Pullup resistor) ??
    I : ?? Capacitor ??
    J : Capacitor ; 100nF (Decoupling cap)
    . : XTAL

    - The blue spots A, B and D control the LEDs
    - The blue spots K, L, G and H are for power (Vdd, Vss)
    - I think the blue spots M, I and J are to program the PIC (ICPGC, ICPGD, /MCLR)
    - The blue spots E and F are OSC1 and OSC2. They must be connected to the XTAL (orange spots A and B) and to the GND mass (alpha wire) through two 22pF capacitors.
    - The orange spot F should be related to USB.D-
    - The orange spot C might be connected to the blue spot M (ICPGC)
    - The orange spot C might be connected to pin 33 (/ICRST)
    - I think the orange spot E is connected to one of the via noted alpha
