08-29-2010 #91 whinis Guest
Could we possibly use the ps3 to generate custom pups after we flash it?
08-29-2010 #92 itsmonkey Guest
Someone who has the chip and the right kit could take the surface of the chip casing off and read direct - but it takes a little bit more skill and effort. I don't have access to this tech any more but I am sure someone out of the scene does. Get some of the old boys involved with decent equipment!
08-29-2010 #93 mushy409 Guest
In regards to the Atmel AVR, wouldn't acid de-capping be an option for this, or do these AVRs have protection from this as well? (security mesh etc.)
08-29-2010 #94 tripellex Guest
08-29-2010 #95 mushy409 Guest
I've done this a few times with PICs and a few older atmels, but to be honest it's been a while since I did anything like this (4-5 years+)
I've turned my attention to other areas nowadays. Although I do have a few friends who study electronics at grad level, so they may have access to the kind of equipment required.
I would imagine once (if) we have decapped the atmel & dumped the contents we can start to disassemble the code PROPERLY to understand how it communicates to the host (ps3) and what timings etc are used.
08-29-2010 #96 tripellex Guest
On a related note, I have a feeling that we're all working way too hard here to disassemble this thing, when the solution must be extraordinarily simple. How else would so many generic clones start popping up so quickly? We're overcomplicating the process, and just need to find the same solution the clone makers came up with.
08-29-2010 #97 mushy409 Guest
Sorry forgot to mention:
I used 95% nitric to decap them. I know some people prefer different strengths depending on how keen you are to get at the die.
Best method I found was to go at it slowly, check after each acid bath & be VERY VERY gentle when/if you need to scrape.
08-29-2010 #98 Bulldogzz Guest
As I stated previously, if not acknowledged, the most simplistic it could be is overflowing the buffer, which we have code for (even if the code is a little 'damaged'), then overwriting the return address to execute user-provided code which changes a je to a jmp, ASM-wise. I mean, I doubt it's that simple, but hell, that's simplistic for you.
08-30-2010 #99 mushy409 Guest
Ah, but if they all come on the same bill then they are 1! (Damn Sky advert)
Anyways, yes, the solution is probably staring us straight in the mush (no pun intended). The code for this JB dongle may have been leaked by someone involved/in contact with the JB device.
I'm sure many of the Chinese companies have access to people/equipment who can duplicate pretty much ANYTHING electronics-wise. For example:
Mobile phones - Ripped off by the Chinese
Modchips - Ripped off by the Chinese
iPods - Ripped off by the Chinese
Do I need to continue?
The main objective here is to get the code from the Atmel - decapping/glitching/begging, whatever.
For now I'm off to do some research and dig out my old AVR programmer...
@tripellex - good luck with the decapping
08-30-2010 #100 tripellex Guest
Thanks Mush, I'll keep you all posted after I get the materials I need. I have some old Atmegas sitting in a box somewhere, gotta dig those out first.
@mush: The 95% solution seems pretty heavy, especially on the die's filaments. Hopefully working directly off the die surface will be a last resort, and someone will come forward with the missing puzzle pieces before we have to progress that far. Not saying that to be lazy, just saying it's a risky, risky move.