  1. #1
    Karl69 Guest

    PS JailBreak Mod Code Sniffed via USB, Logged and Examined

    A few days ago PS JailBreak was reverse-engineered, and today Descrambler sniffed the USB traffic and shared the log.

    I don't know that much about the USB protocol, but I think this is what happens:

    - The PSJailbreak is inserted
    - It connects with the host (PS3) and sends 09 02 12 00 01 00 00 80 + all the bytes from the first packet starting at 0008 up to 00EFF.
    - The stack is overwritten and the PS3 jumps into code from the packet
    - The Atmega sends a "USB Disconnect command"
    - The last three steps are repeated four times

    - It connects with the host and sends 09 02 4D 0A 01 01 00 80 + the bytes from the second packet starting at 0008 up to 0A4C
    - The stack is overwritten and the PS3 jumps into code from the packet
    - The Atmega sends a "USB Disconnect command"
    - The last three steps are repeated twice.

    Voilà... The PS3 is in "Debug Mode".

    Apparently the third and fourth bytes (the two right after the 09 02) are the number of bytes to be sent. At least this holds for the second log (4D 0A -> 0A4D bytes)...


    Repost in binary (thanks Disane). The first 8 bytes on the left are from the USB protocol [09 02 ...].

    http://www.ps4news.com/forums/attach...chmentid=21111

    ASCII binary (Thanks xCoder)

    http://www.ps4news.com/forums/attach...chmentid=21116

    Here's an improved disassembly by crazyc.

    http://www.ps4news.com/forums/attachment.php?attachmentid=2111



  2. #2
    peppino Guest
    So a simple ATMEGA164A + V-USB (software USB emulation) and the JB is done!!! Maybe...

  3. #3
    Maniac2k Guest
    As long as the timing is not essential for the JB to work, this log should be enough to implement our own JB. The Zener diodes are only needed to get the data lines to 3.3V. USB power is 5V and the data lines operate at 3.3V. But most devices work fine with 5V on the data lines as well.

  4. #4
    HZoooof Guest
    Nice... hopefully, my friend... but! What should we do with this code now? Shall we make a jailbreak ourselves? My best wishes.

  5. #5
    Karl69 Guest
    Can't this be emulated with a USB cable connected to the PC, like the PlayStation 2 "x-port" cable?

  6. #6
    tmaster Guest
    This could be easily emulated on the PSP or PC, now that we know what to send. Next we need to make sure of the timing and hardware info, if that is needed at all.

  7. #7
    hacked2123 Guest

    Quote Originally Posted by Maniac2k:
    As long as the timing is not essential for the JB to work, this log should be enough to implement our own JB.
    The Zener diodes are only needed to get the data lines to 3.3V. USB power is 5V and the data lines operate at 3.3V. But most devices work fine with 5V on the data lines as well.

    Even if we can replicate the PSJB's boot sequence, you do not know how the debug XML is being passed to the system. The 8 bytes are just code, not data; even if we are successful in replicating it, we may not know for sure if it's working.

  8. #8
    hacked2123 Guest
    Can anyone definitively say we've ruled out the possible PSJailbreak devices below?

    Rooted Android device
    PSP w/ CFW
    Jailbroken iOS device

  9. #9
    Maniac2k Guest
    Is this log complete? It starts with a configuration descriptor, not with a device descriptor.

    However this configuration descriptor means:
    09 - Length of the descriptor in bytes
    02 - configuration descriptor
    12 00 - Total length of endpoint and device descriptors
    01 - number of interfaces
    00 - configuration value
    00 - configuration index
    80 - device is bus powered
    FA - power consumption in 2mA steps

    The next 9 bytes are an interface descriptor.

    I'm just reformatting the log and trying to understand what's going on there. The 64 bits from gamefreax don't appear exactly in the log.

    @hacked2123: Shouldn't it be enough to do the same as the original PSJB does? I think, if the log is complete, everything it does should be there.
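The descriptor layout Maniac2k lays out above, together with the opening post's observation that the two bytes after 09 02 are the byte count (4D 0A read little-endian as 0x0A4D), as an added example that is not part of the thread and not the PSJailbreak's own code: a small Python parser that takes a sniffer dump in the "offset  09 02 12 00 ..." form, decodes the 9-byte configuration header, walks the descriptors that follow it, and flags the two things a practitioner checks first in a log like this, a wTotalLength that disagrees with the bytes actually captured and one that is larger than whatever a host stack is assumed to reserve for it. The two sample dumps are constructed here to match the headers quoted in the thread; the real payload bytes live in the forum attachments and are not reproduced. The `buffer_limit` parameter is an assumption, since the thread never states the size of the host-side buffer.

```python
"""Walk a USB configuration descriptor captured from a sniffer log.

Added example for this thread; not code from the original post or from
the PSJailbreak device.  The sample byte strings below are constructed
to match the 09 02 ... headers quoted in the thread; the real payload
bytes are in the forum attachments and are not reproduced here.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

DESC_CONFIGURATION = 0x02   # bDescriptorType values from the USB 2.0 spec
DESC_INTERFACE = 0x04
DESC_ENDPOINT = 0x05


@dataclass
class ConfigDescriptor:
    total_length: int          # wTotalLength, little-endian 16-bit
    num_interfaces: int        # bNumInterfaces
    config_value: int          # bConfigurationValue
    attributes: int            # bmAttributes (0x80 = bus powered)
    max_power_ma: int          # bMaxPower * 2 mA
    subdescriptors: list = field(default_factory=list)   # (bDescriptorType, raw bytes)
    warnings: list = field(default_factory=list)


def hex_log_to_bytes(log_text: str) -> bytes:
    """Turn a sniffer dump like '0000  09 02 12 00 ...' into bytes.

    Two-character tokens are data bytes; four-character tokens (the
    offset column) are skipped.
    """
    out = bytearray()
    for token in log_text.split():
        if len(token) == 2:
            out.append(int(token, 16))
    return bytes(out)


def parse_config_descriptor(blob: bytes, buffer_limit: Optional[int] = None) -> ConfigDescriptor:
    """Parse the 9-byte configuration header and walk the descriptors after it.

    buffer_limit is an ASSUMED size of the fixed buffer a host stack might
    copy the descriptor into; the thread does not state the PS3's value,
    so it is a parameter here rather than a constant.
    """
    if len(blob) < 9 or blob[0] != 9 or blob[1] != DESC_CONFIGURATION:
        raise ValueError("input does not start with a configuration descriptor")
    (_, _, total_len, n_if, cfg_val, _, attrs, max_pwr) = struct.unpack_from("<BBHBBBBB", blob, 0)
    cfg = ConfigDescriptor(total_len, n_if, cfg_val, attrs, max_pwr * 2)

    # The size field is supplied by the device, so a host that trusts it
    # blindly is copying an attacker-chosen length; flag it explicitly.
    if buffer_limit is not None and total_len > buffer_limit:
        cfg.warnings.append(f"wTotalLength {total_len} exceeds assumed host buffer of {buffer_limit} bytes")
    if total_len != len(blob):
        cfg.warnings.append(f"wTotalLength {total_len} != {len(blob)} bytes actually captured")

    # Walk the interface/endpoint/other descriptors: each starts with bLength.
    offset, end = 9, min(total_len, len(blob))
    while offset < end:
        d_len = blob[offset]
        if d_len < 2 or offset + d_len > end:
            cfg.warnings.append(f"bad bLength {d_len} at offset {offset:#06x}")
            break
        cfg.subdescriptors.append((blob[offset + 1], blob[offset:offset + d_len]))
        offset += d_len
    return cfg


# Constructed sample: the first header from the thread plus a plain 9-byte
# vendor-specific interface descriptor, so that 9 + 9 = 0x0012 = wTotalLength.
SANE_LOG = """
0000  09 02 12 00 01 00 00 80 FA
0009  09 04 00 00 00 FF FF FF 00
"""

# Constructed sample: the second header from the thread (wTotalLength 0x0A4D =
# 2637) with zero filler standing in for the attachment's payload bytes.
OVERSIZED = bytes.fromhex("09024d0a01010080fa") + b"\x00" * (0x0A4D - 9)


if __name__ == "__main__":
    for name, blob in (("sane", hex_log_to_bytes(SANE_LOG)), ("oversized", OVERSIZED)):
        cfg = parse_config_descriptor(blob, buffer_limit=255)   # 255 is an arbitrary assumed limit
        print(f"{name}: wTotalLength={cfg.total_length} interfaces={cfg.num_interfaces} "
              f"config={cfg.config_value} power={cfg.max_power_ma}mA "
              f"sub-descriptors={[hex(t) for t, _ in cfg.subdescriptors]}")
        for w in cfg.warnings:
            print("  warning:", w)
```

On the constructed "sane" dump the parser reports one interface descriptor and no warnings; on the 0x0A4D dump it reports the oversize length and then stops walking at the first zero bLength, which is the point of checking bLength against the remaining bytes rather than trusting it: a descriptor walker that does not bound each step by wTotalLength (and wTotalLength by its own buffer) is exactly the kind of host code the thread suspects of being overrun.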

  10. #10
    thering Guest
    None of these have been ruled out, and I know there are people currently working on doing this on a PSP. As tmaster said, timing/hardware info may still be barriers devs will need to work to overcome. From what I understand, multiple hardware ids may need to be emulated.
