
Thread: PS JailBreak Mod Code Sniffed via USB, Logged and Examined

  1. #41
    Mantagtj Guest
    well not every time, but every time we want to run it in that mode yes, I'm not REALLLY worried as the pc is sitting next to the ps3 on the desk but some people who have them in separate rooms or a long distance away might be caffuffled lol....

    Whatever works guys... SOOO EXCITED!!! lol

  2. #42
    xroc88 Guest


    Is an AA cable the same as a USB cable? I don't know what AA is.

  3. #43
    crckmc Guest
    Quote Originally Posted by kakarotoks View Post
    I've spent the last few hours writing a kernel driver for linux that would replicate the descriptors and data reported here.
    I was thinking about that but I'm not skilled enough to write this. If you need n900 testers I can help if you want. I hope you get scratchbox set up soon, can't wait for something to happen

  4. #44
    Bulldogzz Guest
    Theoretically all we need is the code to send the PS3 into a 'DFU mode' or the like, if it is merely a buffer overflow exploit.. I think that once you emulate the said USB Hub, the fact that it connects and disconnects up to six devices repeatedly, this is what causes the buffer to overflow, then what you need to do is overwrite the return address with the address of an opcode which in theory will cause execution to jump to the user supplied data? e.g. the code used in psJB to send ps3 into DFU mode?

  5. #45
    caviar44 Guest
    Hi all,

    it seems possible to convert a PC into a USB Slave Module

    here is link on an NSLU2 with a USB slave modification:
    but it should work for almost any USB device.

    information about it came from here :

    with a PC with a USB Slave Module, we should be able
    ->#1 to spy USB Traffic with PS3 and Hardware PSJailBreak

    ->#2 to connect the PC to the PS3 and try to emulate PS JailBreak
    in addition,


  6. #46
    kakarotoks Guest
    Ok guys, some more news here! I finally got the kernel module to work! It loads up and everything, so that's cool. It also properly answers the device/configuration requests. But I have one issue :

    The host asks for a buffer of size 18, and I send it a size of 3840 bytes.. and with the usb sniffer I have here under linux (for tests), all I see is a 'corrupted packet error', so I'm not sure if the data is sent correctly, or if it doesn't even get sent because the underlying framework refuses it.

    Anyways, so far all good, assuming the data is sent correctly, then I've written a driver that reproduces the usb dumps received! Now we just need a proper dump to see exactly what's going on, when to send that data, etc...

    Now it's 10:20 AM, and I really need to go to sleep, so good night all! I hope we'll have some more stuff tomorrow so I can continue working on this!

  7. #47
    IHM Guest
    Have a PSP, DSXL, iphone4, if any will help guys..., I personally will probably still buy a stick, just to say I have one, but here is hoping for a good free or partly free solution.

    I do also have about 4 8gb MicroSD cards hanging around.

  8. #48
    crckmc Guest
    kakarotoks, would you mind sharing your code or module? It is a long time till your tomorrow

  9. #49
    Kiriller Guest
    Don't share the code/anything with anyone other than people you trust, we don't want Sony to get their sticky fingers all over this.

    And thank you for your hard work! Personally, if I knew how to do what you were doing, I'd be doing this around the clock.

  10. #50
    Bulldogzz Guest
    Quote Originally Posted by kakarotoks View Post
    I finally got the kernel module to work! It loads up and everything, so that's cool. It also properly answers the device/configuration requests.
    Well you need to send enough data to rewrite the return address to that of your malicious code - the bypass / overwrite for the Sony JIG Answer Response Scheme.

    BUFFER[ ] <----- 90 bytes space allocated for BUFFER[ ]
    RETURN ADDRESS <----- When the user inputs data the program control would come here and follow the 'address' stored here to go back.

    But if the user inputs more than 90 bytes of data...for example XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [user input]

    This is how it would look in the memory..


    So you are returning to where you want.
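
Added example, not part of any post in this thread and not code from kakarotoks' module: the length mismatch reported in post #46 (18 bytes requested, 3840 sent) and the fixed-buffer overwrite sketched in post #50 both come down to a host trusting what a device sends. The sketch below shows the host-side check for a device descriptor; the function name, status codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USB_DT_DEVICE       0x01  /* bDescriptorType for a device descriptor */
#define USB_DT_DEVICE_SIZE  18    /* fixed size of a USB device descriptor */

enum desc_status { DESC_OK = 0, DESC_OVERSIZE, DESC_SHORT, DESC_MALFORMED };

/* Hypothetical host-side check: rx/rx_len is what the device actually sent,
 * requested is the wLength the host put in its GET_DESCRIPTOR request. */
enum desc_status accept_device_descriptor(const uint8_t *rx, size_t rx_len,
                                          uint16_t requested,
                                          uint8_t out[USB_DT_DEVICE_SIZE])
{
    /* A device must never return more than the host asked for. */
    if (rx_len > requested)
        return DESC_OVERSIZE;
    /* Need the full descriptor before any field is trusted. */
    if (rx_len < USB_DT_DEVICE_SIZE)
        return DESC_SHORT;
    /* bLength (byte 0) and bDescriptorType (byte 1) must match the spec. */
    if (rx[0] != USB_DT_DEVICE_SIZE || rx[1] != USB_DT_DEVICE)
        return DESC_MALFORMED;
    /* Copy a fixed amount, never a length taken from the device. */
    memcpy(out, rx, USB_DT_DEVICE_SIZE);
    return DESC_OK;
}

/* Constructed sample: a well-formed 18-byte device descriptor. */
static const uint8_t sample_ok[USB_DT_DEVICE_SIZE] = {
    18, USB_DT_DEVICE, 0x00, 0x02, 0x09, 0x00, 0x01, 0x40,
    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01
};

/* Status for a constructed 3840-byte reply to an 18-byte request. */
enum desc_status check_oversize_reply(void)
{
    static uint8_t big[3840];
    uint8_t out[USB_DT_DEVICE_SIZE];
    memcpy(big, sample_ok, sizeof sample_ok);
    return accept_device_descriptor(big, sizeof big, 18, out);
}
```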
