PS3 Jailbreak

[The M.A.R.T.]

http://www.maxconsole.net/content.php?41867-PSJailbreak-cloned-already-Creators-plea-to-buy-the-original-for-support-and-warranty&page=2#comments

NDS R4 kind of like situations where originals can upgrade and clones don't upcoming for PSJailbreak or just damage control...

[anita999]

the chip is a ST72321J9 posted on other forums http://www.alldatasheet.es/datasheet-pdf/pdf/201599/STMICROELECTRONICS/ST72321J9.html

sorry, similar questions. The circuit connections of this microcontroller do not match what I saw from the photos taken from PSJailbreak.
If I could get this dongle on my hand, I should be able to identify the micron really soon.

[muller1000]

Found out some interesting info, that the code used is 100% there own.
it is completely legal.

Distributor enquiry on msn.
 
Me: So the code does not contain Sony intellectual property.

Them: no of course not the psjaibreak is completley own code
 and backupmanager was compiled with sony sdk but that you do not sell.

[jelle2503]

Micro,PIC,32K Fl,TQFP44,PIC18F4550-I/PT
Data Bus Width 8Bit
Device Core PIC
Family Name PIC18
Instruction Set Architecture RISC
Interface Type SPI/I2C/EAUSART
Maximum Clock Rate 48MHz
Maximum Operating Temperature 85°C
Maximum Speed 48MHz
Minimum Operating Temperature -40°C
Mounting Surface Mount
Number of Programmable I/Os 35
Number of Timers 4
On-Chip ADC 13-chx10-bit
Pin Count 44
Product Height 1
Product Length 10
Product Width 10
Program Memory Size 32
Program Memory Type Flash
RAM Size 2KB
Supplier Package TQFP
Typical Operating Supply Voltage 5V

And heres a Pin layout for chip on the actual psjailbreak hardware i threw together for you :
http://imgur.com/GJwFO.jpg
Full datasheet : http://docs-asia.origin.electrocomponents.com/webdocs/0806/0900766b80806cfb.pdf

All that's left are a couple SMT's, a crystal oscillator, some surface mount LED's and for someone to take a psjailbreak, stick it in any 18F compatible pic writer and dump the hex contents of the chip and slap it on a bunch of new chips, the single layer PCB is really, really basic.

And the bad part?, as far as the original makers are concerned, the device is so simple that it will be no different, in any way, to the original, when cloned.
Think of this, not as a PS2 modchip, but more like the original PIC based ps1 modchip - The only thing that differentiated the various models was the code on them, not the hardware itself - the hardware will be the same, as will the contents of the chip.

Oh, and for the record, the parts (not in bulk, but for a single unit, from connectors to chip and so on), is £5.68 ( $8.82 ), if you were making these things in bulk, that price drops to £2.14 ( $ 3.32 ) per unit.

People buying the thing at $170AUS either have more money than sense, or no sense at all.

So who on here has bought one already?

[Arakon]

Well, it's not just about the parts cost, as always. Who knows if those guys bought the original stick from a sony guy for a few grand?
Their only option to get whatever cost they had back in is to sell it expensive, while they have it exclusively. In a week or a month, cheap clones and DIY instructions will pop up, and by then, they have to have made their money back, because in that moment, they will not make a cent anymore.

Speaking of which, has anyone been able to see the speed of that crystal?

[anita999]

seems no one really pays attention to the actual circuit on the dongle.
well, I do hope it's simply a PIC18F4550 or the other ST micron, but both chips mentioned doesn't match the circuit layout shown on those unclear photos. I really doubt how and why people raise up these conclusion. The ST's microcontroller doesn't even have a USB port.
and the PIC18F4550 is very close in the package type, functional spec.,etc. But too bad the pinout doesn't match the circuit I can tell from the photos. Unless there is a circuit diagram available, no one can really tell whether PIC18F4550 is the one or not.
as for the photos with pinout, that's nothing but a photo with text marks. simply put the pinout found in the datasheet on the picture, which doesn't mean anything at all.

Can anyone who has the chip on hand make a draft circuit connections of the microcontroller, USB connector, and those components, please?

[Arakon]

The USB data pins may be changing to the back on the side, and go to the d+/d- pins there, but the photos are not clear enough to tell for sure.. plus, there's been some damage by the glue removal, i.e. on the pics with the glue, it looks like there's a wire going from one pin somewhere else.

[anita999]

The USB data pins may be changing to the back on the side, and go to the d+/d- pins there, but the photos are not clear enough to tell for sure.. plus, there's been some damage by the glue removal, i.e. on the pics with the glue, it looks like there's a wire going from one pin somewhere else.

agree, we need a clear pictures of the PCB with the micro controller removed so we can have a clear idea of how the circuits were connected. and this will be a quicker and easier way to "guess" the microcontroller model.
really need more info badly.

[Blackaddr]

Considering the demand for this and the high marketable price, I'm surprised they didn't go with a CPLD or FPGA based dongle.  Sure, they wouldn't be getting chips for $2 which would cut their margin, but they could have filled the device to capacity with obfuscated logic with no real performance hit.  Trying to reverse a decapped PLD is way harder than dumping a uC flash rom, even if they do use encryption, and obfuscating uC code obviously limits throughput.

I suspect they could have been exclusive for a year at least, but I guess their business model was in and out quickly, or they couldn't afford an FPGA designer.

[Arakon]

Apparently the ATmega 32U4 is also a likely candidate and the pinout may be better matching.

[cdmania]

http://www.logic-sunrise.com/news-126726-reverse-engineering-du-psjailbreak-topic-technique.html

http://www.maxconsole.net/attachment.php?attachmentid=28490&d=1282498433

[Arakon]

That guy doesn't actually have the dongle in hand, so his layout is also speculation, nothing confirmed.

Edit: And to prevent confusion, that maxconsole picture looks nothing like the dongle pictures. The chip on there is much smaller, for one.

[AHippyHop]

Might be different PCB revisions. Pictures on this thread (Page 3) look pre-manufacture/test. There's no silk-screen print process
on the PCB itself, unless pictures on MaxConsole are of a generic USB MemStick. Crystal housing makes me doubt that somewhat.

Not sure..

AHippyHop

[anita999]

quoted from PS3news

Si nos fijamos en la foto, hay dos pins del USB puenteados por una resistencia, por tanto, no hacen nada. Luego solo nos quedan 2. Uno es el +5v y el otro el de datos. Por tanto solo hay que analizar uno.

El electronico que me a comentado esto prefiere estar en el anonimato hay que respetarle , dice estar estudiando electronica. Yo personalmente, le veo lógica.

Aqui os dejo la conver que e tenido con el en nuestro chat


<Anonimo> just saw pics
<Anonimo> on your site
<Anonimo> of the disassembled one from discoazul
<Anonimo> i was just trying to

<Anonimo> read the schematic
<Anonimo> http://img256.imageshack.us/img256/937/dsc03223c.jpg
<Anonimo> and found that
<Anonimo> this is probably not
<Anonimo> standard usb
<Anonimo> it uses the usb connector
<Anonimo> to initialize a different
<Anonimo> kind of serial connection
<Anonimo> looking at the schematic

<Anonimo> you see D- and GND
<Anonimo> connected together with a resistance
<Anonimo> this is not usb
<Anonimo> it may be a trigger
<Anonimo> to start
<Anonimo> a connection
<Anonimo> onto the other
<Anonimo> two pins

<Anonimo> i bet it is standard rs232 or i2c
<Anonimo> just like

<Anonimo> any other service port
<Anonimo> you can sniff the only active pin for the communication
<Anonimo> and see
<Anonimo> because
<Anonimo> of the 4 usb pins
<Anonimo> you have
<Anonimo> 1 gnd
<Anonimo> 2 d- connected to gnd

<Anonimo> cool
<Anonimo> you know
<Anonimo> mcu
<Anonimo> don't have a lot of flash
<Anonimo> i don't think it stores
<Anonimo> datas
<Anonimo> inside
<Anonimo> and looking at the schematics
<Anonimo> it seems
<Anonimo> also that
<Anonimo> you have some pull up resistors

<Anonimo> so i bet it is some kind of i2c
<Anonimo> just like any other service hardware from any other brand
<Anonimo> you can check with a multimeter when it arrives
<Anonimo> i'm looking forward to see the complete schematic
<Anonimo> on some website
<Anonimo> so, to sum up
<Anonimo> 1. Probably not usb, but a trigger onto one side to start a different protocol onto the other

<Anonimo> 2. quite sure only one pin to sniff with logic
<Anonimo> 3. mcu doesn't have a big flash, the magic datas are probably very little

<Anonimo> 4. don't think they are using asic or fpga, more likely cheap mcu
<Anonimo> and finally
<Anonimo> the upper part of the board
<Anonimo> is not interesting
<Anonimo> it only handles lighting
<Anonimo> the only thing
<Anonimo> i can not understand
<Anonimo> is the diode
<Anonimo> probably used for reading
<Anonimo> from the ps the reply
<Anonimo> i have
<Anonimo> another
<Anonimo> theory
<Anonimo> probably
<Anonimo> if it is correct usb
<Anonimo> protocol
<Anonimo> and not using a tricky method
<Anonimo> probably the
<Anonimo> key is
<Anonimo> the device id
<CORAGON> ?¿
<Anonimo> of the usb dongle
<Anonimo> you know
<CORAGON> yes i know
<Anonimo> usb devices has a device id
<CORAGON> but...
<CORAGON> the id is the same in all ps jailbreak?
<Anonimo> which
<Anonimo> tells
<Anonimo> the usb host
<Anonimo> what kink of hardware
<Anonimo> you connected
<CORAGON> yes...
<CORAGON> only with the id, the ps3 comes in to debug mode?
<CORAGON> it can be
<CORAGON> in the SAT, the technics use an usb called "ID Stick" or something else
<CORAGON> wait a second
<CORAGON> i search it
<Anonimo> k
<CORAGON> ID swapping For Target USB
<CORAGON> its the name
<CORAGON> you say that the jaibreak changes the ID os the PS3
<CORAGON> ?¿
<Anonimo> no
<Anonimo> every usb device
<Anonimo> has got an id that tells
<Anonimo> the kind of object connected
<Anonimo> eg. printer, hid, wifi dongle ...
<CORAGON> yes
<Anonimo> if the ps3 has got inside a dongle with the correct id
<Anonimo> goes into service
<Anonimo> however
<Anonimo> we only have to wait
<Anonimo> monday
<Anonimo> so that you can
<CORAGON> It's easy to copy this ID?
<Anonimo> open up the jig with your hands
<Anonimo> XD
<CORAGON> xD
<Anonimo> when you use any mcu with usb
<Anonimo> you can
<Anonimo> decide it
<CORAGON> mmm
<Anonimo> if i'm not wrong
<Anonimo> someone
<Anonimo> tried
<Anonimo> to connect it to a pc
<CORAGON> yes
<Anonimo> and the pc recognized it
<CORAGON> no
<Anonimo> in some way
<CORAGON> the pc not recognized it
<Anonimo> what happened?
<CORAGON> nothing
<CORAGON> when connect it
<CORAGON> nothig happens
<CORAGON> we will try to connect to linux
<Anonimo> tried to search for hardware?
<Anonimo> *drivers'
<CORAGON> it finds a strange drive
<Anonimo> oh this is good
<CORAGON> but it havent got drivers
<Anonimo> so it has a strange device id
<CORAGON> yes
<Anonimo>
<CORAGON> but the mcu have memory
<Anonimo> very little
<CORAGON> it have a secret partition
<Anonimo> generally
<CORAGON> very very litte
<CORAGON> 256 kb i think
<Anonimo> ok!
<Anonimo> so that
<CORAGON> whith the debug kernel
<Anonimo> they can
<Anonimo> update
<CORAGON> yes
<Anonimo> it
<Anonimo> probably
<Anonimo> that is
<Anonimo> the eeprom
<Anonimo> inside
<Anonimo> the mcu
<Anonimo> ps3 debug kernel?
<CORAGON> yes
<CORAGON> it enables ps3 to run unsigned code
<CORAGON> i have any idea about what mcu is it?
<CORAGON> probably an atmega?
<Anonimo> probably
<CORAGON> i finf an atmega 44 pin with memory and usb capable
<Anonimo> you can also
<CORAGON> ATmega 32U4
<Anonimo> check for the pin
<Anonimo> where the external
<Anonimo> oscillator is connected
<CORAGON> ok
<Anonimo> the side i mean
<CORAGON> Atmega datasheet: http://www.atmel.com/dyn/resources/prod ... oc7766.pdf
<CORAGON> 16/32K Bytes of
<CORAGON> ISP Flash
<Anonimo> the problem is not the mcu
<Anonimo> i think any mcu
<Anonimo> with usb
<Anonimo> can handle the job
<Anonimo> we have only to see sniffing
<CORAGON> how to sniff a usb connection?
<CORAGON> xD
<Anonimo> you only need a strong logic analyzer
<Anonimo> D- on pin 11
<Anonimo> on this mcu
<Anonimo> of photos


well, this is the first time I saw a true "tech" talk. I also have the questions regarding to the resistors connecting the D+ and GND, also D- and VCC. from the photos, one can see that the D- pin got connected to 3 different places. the speculation of possible I2C or other serial protocol being used in this dongle might also be possible. but using the USB isn't a wrong thing, one can still make a dongle with high security via USB connection. we can only know more after someone figure out the circuit connections, and better with logic analyzer sniffing data.

[AHippyHop]

If it's I2C, signal voltage peaks will be either 2V or 5V (usually 2V). USB signals levels range between 2.8V & 3.6V. Slap a probe on and see. I2C is possibly a better fit. Brilliant tech conversation though.

[Doggpound]

the dongle is so easy to reverse engineer, you dont even need to dump the flash of the controller. If you know the USB protocol, sniff the usb bus between the dongle and the ps3, decode the NRZI and bit stuffing, and just write your own firmware on an uc that replays the data. This thing is most likely already cloned.

Also, the controller used on the dongle doesnt need to have hardware USB support. They could have written a software implementation of peripheral USB using only I/O pins for D- D+,and thats most probably what they have done since im sure the usb hardware on the official sony jig uses non spec compliant operations.

[Doggpound]

well, this is the first time I saw a true "tech" talk. I also have the questions regarding to the resistors connecting the D+ and GND, also D- and VCC. from the photos, one can see that the D- pin got connected to 3 different places. the speculation of possible I2C or other serial protocol being used in this dongle might also be possible. but using the USB isn't a wrong thing, one can still make a dongle with high security via USB connection. we can only know more after someone figure out the circuit connections, and better with logic analyzer sniffing data.

the d+ and d- with pull up or down resistors are for NRZI encoding, and one pull up to identify itself as full/high speed device. 

[BlueCop]

Sniffing what is done is not always enough to be able to reverse a device. Look at how zero knowledge tests work. I don't know how this USB jb works but I do know that knowing what is said could give no context to the conversation if you know what I mean.

[wes11ph]

the dongle is so easy to reverse engineer, you dont even need to dump the flash of the controller. If you know the USB protocol, sniff the usb bus between the dongle and the ps3, decode the NRZI and bit stuffing, and just write your own firmware on an uc that replays the data. This thing is most likely already cloned.

Also, the controller used on the dongle doesnt need to have hardware USB support. They could have written a software implementation of peripheral USB using only I/O pins for D- D+,and thats most probably what they have done since im sure the usb hardware on the official sony jig uses non spec compliant operations.

what's this? a dongle for professional software?
it's a different thing.

[Blackaddr]

the dongle is so easy to reverse engineer, you dont even need to dump the flash of the controller. If you know the USB protocol, sniff the usb bus between the dongle and the ps3, decode the NRZI and bit stuffing, and just write your own firmware on an uc that replays the data. This thing is most likely already cloned.

It's not that simple.  You are assuming it's a one way hack where you plug in the dongle and it pukes some binary numbers into the console and voila, it's hacked.

The communication is going to be two-way, with challenge/response, most likely based on console specific encoded data, and will probably be encrypted too.