
Home PS4 News - Latest PlayStation 4 and PS3 News

PS JailBreak Inside Pics, Details by SKFU & DemonHades Team

237w ago - Yesterday we caught a glimpse of some PS JailBreak Reviews which confirmed PS3 Firmware 3.41 is required, and today we have some PS3 JailBreak details from PlayStation 3 hackers SKFU and the DemonHades Team along with some pictures of the inside of the PS JailBreak (below) courtesy of PlanetadeJuego.com.

For those who missed it, PS JailBreak was first announced two days ago and is a USB device which allows end-users to play PS3 game back-ups on Sony's PlayStation 3 entertainment system.

Here is what SKFU has to say on it, to quote:

"I just tested the software they uploaded and can confirm it works so far.

I can tell a bit about the backup manager. It seems the software uses bd_emu features to manage the backups. The HDD to use should have a modified bd emu format, which sets all backups on first position, so the PS3 detects 'em all. Then you can choose the image to boot via the manager.

To directly copy and boot a game, the software would need to decrypt all layers on the fly. Meaning it decrypts all executables somehow, else it won't run. Even on a debug unit.

The hardware looks like a copy of the original PS3 jigstick, used in SONY service centers to repair broken PlayStation3 SKUs. Someone internal leaked or sold a stick, so they had the chance to reverse and clone the hardware.

The stick should boot before the normal firmware does, so it's hard to patch it. Maybe SONY could update the bootcode to prevent it, set it to a revoke list.

By the way, in all videos they use debug PS3's to run the software. There is no video showing the actual process booting on a retail PS3 afaik. So I do not confirm that this is true, yet!

If it's as true as it looks this time, good job guys!"

And now here are comments from DemonHades Team on PS JailBreak, to quote (roughly translated):

"Well I see that recently raised a stir is mounted by a chip of course to load backups from a pendrive, at first glance one might say it's fake if we did not know of studies conducted years ago and let us see many more hidden things that not all users can understand, in this case we speak of the card jig, the jig is used by the card sony sat for maintenance and restoration in ps3.

In short, this jig card has been removed from the payment sony sat.. so now try to expand the money spent only and once recovered the money spent in obtaining this device the reproduction and cloning of the device will be imminent.

When I saw the body of the above, first I noticed that the sample vsh known and used parts of a debug.. and of course if one is launching retail which does not make much sense, could only think one way quickly- THE CONVERTER RETAIL TO DEBUG.

This converter is thought to sony and service for devs have this jig card (aka USB dongle), allowing this USB is that:

Releasing the boot ini dev_usb0 and a sequence of buttons that change the state of syscon as we launch the initial boot usb dongle, then interprets the bootstrap and load the necessary files from the dongle itself temporarily leaving the ram doing a false reboot.

According to the store have told the seller, no residue on the PS3.. so it fits the above description.

The idea is quite clear gentlemen, emulates the fw of trm syscon and we have a debug interprets loading the kernel debug and providing all the features to debug vshmain time, this results in loading unsigned code.

This allows us as I mentioned months ago to launch pkgs from usb, since it has a browser for managing them.

The official BDEMU disk loading before you activate the mediatype BD and then run the loader to the channel of communication with the real reader would be closed and only would use the BD-emu, emu and the bd can not share the same channel communication.

In this case to remove the layer is used to extract cellftp to an external source of filesystems without pre-decoded and converted to debug layer.

Executables can be created with the sdk, and generated their own loader which removes the layer of encryption (this if it will extract the discs, not linux), then the PS3Gen (published as a matter of 1 month) can be create iso patched with valid soft. This itself means that everything is made in the PS3 SDK (emulators, applications, etc) will be loaded without problems, as we are doing the same as the 360 with jtag hack it uses a core debug.

The loader is loaded by the execution path that recognizes the actual application manager, loaded via app.




In short, PS3 has fallen to the very tools you use in your SAT Sony... that if Sony can plug it into the next update.. just have to cancel the initial boot usb to close the bar, because the boss is syscon."

#14 - PS4 News - 236w ago
Quote, originally posted by tripellex:
"Evidence of this is how quickly X3Jailbreak has sprung up (assuming the pic showing all of their units isn't Photoshopped). We just need to find out who is producing them and where, and what prefab unit they are using."

I wouldn't be surprised if the same group of people producing the originals are also cashing in on the clones, as this happened with previous mod-chips often.

For example, Paul Owen and Thomas Wright were peddling the Neo chips and Neil Brown and David France were selling clones so everyone was making boatloads of cash while they could from both ends.

#13 - tripellex - 236w ago
You also have to take into consideration the costs garnered by both wholesale price (i.e. the higher the quantity they order from the manufacturer = the lower the component costs = the lower the price per unit) and also manufacturing costs (how much it costs the factory, probably in China, to refit a production line, etch the PCBs, etc). Someone would have had to have gone through a lot of trouble and had a lot of cash to have a production line set up, as typical Chinese manufacturing facilities charge upwards of $100,000 just to set one up.

I imagine more likely they used an existing production line and an off-the-shelf solution to mass produce them so quickly. Evidence of this is how quickly X3Jailbreak has sprung up (assuming the pic showing all of their units isn't Photoshopped). We just need to find out who is producing them and where, and what prefab unit they are using.

#12 - BwE - 236w ago
Don't just price the parts, price the software

#11 - red8316 - 236w ago
Quote, originally posted by hacked2123:
"The PIC18F4550 cost around $5.00 for one. (src=http://www.microchipdirect.com/ProductSearch.aspx?Keywords=PIC18F4550)
plus 2 LEDs and USB male attachment and PCB board+resistors and capacitors...guessing $3.00 total?

So... the logical price for a PS3 hack is 20 times the cost of production?"

I was thinking about this today. $120 - $140 per unit is pretty steep. I get what they are trying to do, but if they want to head off clones they should have aimed more at market penetration rather than quick profits.

Then again, I'm not sure how long this outfit would last with all the attention they're getting. But, if they dropped it to $60 - $80 a unit, they would probably double, if not triple the number of people willing to buy one immediately. I would almost certainly pick one up at the $60 price point.

I guess in the end they are likely skimming the top of the market clientele, because you can do that when you've got a monopoly product.

Here's hoping for some quick clones or free methods.

#10 - hacked2123 - 236w ago
The PIC18F4550 cost around $5.00 for one. (src=http://www.microchipdirect.com/ProductSearch.aspx?Keywords=PIC18F4550)
plus 2 LEDs and USB male attachment and PCB board+resistors and capacitors...guessing $3.00 total?

So... the logical price for a PS3 hack is 20 times the cost of production?

#9 - ex5 - 236w ago
Hey, I found this also. Observations:

Components (red dots)
A : Resistor ; 1K
D : Resistor ; 1k
E : ?? Resistor ??
F : ?? Capacitor ??
G : ?? Resistor ??
H : ?? Resistor ; 1K (Pullup resistor) ??
I : ?? Capacitor ??
J : Capacitor ; 100nF (Decoupling cap)
. : XTAL

- The blue spots A, B and D control the LEDs
- The blue spots K, L, G and H are for power (Vdd, Vss)
- I think the blue spots M, I and J are to program the PIC (ICPGC, ICPGD, /MCLR)
- The blue spots E and F are OSC1 and OSC2. They must be connected to the XTAL (orange spots A and B) and to the GND mass (alpha wire) through two 22pF capacitors.
- The orange spot F should be related to USB.D-
- The orange spot C might be connected to the blue spot M (ICPGC)
- The orange spot C might be connected to pin 33 (/ICRST)
- I think the orange spot E is connected to one of the via noted alpha

#8 - Karl69 - 236w ago
Thanks... On the old PIC16C84 it was possible to override the read out protection by setting VCC=programming voltage-0.5V while programming the config bits...

Though such a thing is not possible anymore, it might still be possible to glitch the newer PICs via the VCC and/or the CLK signal.

#7 - Karl69 - 236w ago
the problem is not the mcu
i think any mcu
with usb
can handle the job
we have only to see sniffing
how to sniff a usb connection?
you only need a strong logic analyzer
D- on pin 11
on this mcu
of photos

So, to which pin of the MCU is the CLK connected?
That's probably the only way to tell which MCU is used here...

#6 - red8316 - 236w ago
Interesting clone investigation transcript from DemonHades site.

If we look at the photo, two of the USB pins are bridged by a resistor, so they do nothing. That leaves only 2. One is +5v and the other is the data line. So there is only one to analyze.

The electronics person who told me this prefers to remain anonymous, which we have to respect; he says he is studying electronics. Personally, I think it makes sense.

Here is the conversation I had with him in our chat:

just saw pics
on your site
of the disassembled one from discoazul
i was just trying to

read the schematic
and found that
this is probably not
standard usb
it uses the usb connector
to initialize a different
kind of serial connection
looking at the schematic

you see D- and GND
connected together with a resistance
this is not usb
it may be a trigger
to start
a connection
onto the other
two pins

i bet it is standard rs232 or i2c
just like

any other service port
you can sniff the only active pin for the communication
and see
of the 4 usb pins
you have
1 gnd
2 d- connected to gnd

you know
don't have a lot of flash
i don't think it stores
and looking at the schematics
it seems
also that
you have some pull up resistors

so i bet it is some kind of i2c
just like any other service hardware from any other brand
you can check with a multimeter when it arrives
i'm looking forward to see the complete schematic
on some website
so, to sum up
1. Probably not usb, but a trigger onto one side to start a different protocol onto the other

2. quite sure only one pin to sniff with logic
3. mcu doesn't have a big flash, the magic datas are probably very little

4. don't think they are using asic or fpga, more likely cheap mcu
and finally
the upper part of the board
is not interesting
it only handles lighting
the only thing
i can not understand
is the diode
probably used for reading
from the ps the reply
i have
if it is correct usb
and not using a tricky method
probably the
key is
the device id
of the usb dongle
you know
yes i know
usb devices has a device id
the id is the same in all ps jailbreak?
the usb host
what kind of hardware
you connected
only with the id, the ps3 comes in to debug mode?
it can be
in the SAT, the technics use an usb called "ID Stick" or something else
wait a second
i search it
ID swapping For Target USB
its the name
you say that the jailbreak changes the ID of the PS3
every usb device
has got an id that tells
the kind of object connected
eg. printer, hid, wifi dongle ...
if the ps3 has got inside a dongle with the correct id
goes into service
we only have to wait
so that you can
It's easy to copy this ID?
open up the jig with your hands
when you use any mcu with usb
you can
decide it
if i'm not wrong
to connect it to a pc
and the pc recognized it
in some way
the pc not recognized it
what happened?
when connect it
nothing happens
we will try to connect to linux
tried to search for hardware?
it finds a strange drive
oh this is good
but it hasn't got drivers
so it has a strange device id
but the mcu have memory
very little
it have a secret partition
very very little
256 kb i think
so that
with the debug kernel
they can
that is
the eeprom
the mcu
ps3 debug kernel?
it enables ps3 to run unsigned code
i have any idea about what mcu is it?
probably an atmega?
i find an atmega 44 pin with memory and usb capable
you can also
ATmega 32U4
check for the pin
where the external
oscillator is connected
the side i mean
Atmega datasheet: http://www.atmel.com/dyn/resources/prod ... oc7766.pdf
16/32K Bytes of
ISP Flash
the problem is not the mcu
i think any mcu
with usb
can handle the job
we have only to see sniffing
how to sniff a usb connection?
you only need a strong logic analyzer
D- on pin 11
on this mcu
of photos

#5 - Maniac2k - 236w ago
No, it can't be a modified USB stick. As seen on the pictures there is only one chip on the pcb. The chip itself has an integrated eeprom, but it's only 256 bytes small.
