Tiros
« Reply #80 on: August 23, 2010, 09:24:36 AM »
The dongle is so easy to reverse engineer, you don't even need to dump the flash of the controller. If you know the USB protocol, sniff the USB bus between the dongle and the PS3, decode the NRZI and bit stuffing, and just write your own firmware on a uC that replays the data. LOL @ uberfry, you go girl!

sakamoto
Newbie
Posts: 4
« Reply #83 on: August 23, 2010, 06:12:18 PM »
are they already shipping the first batch or is it still on preorder status?

damox
« Reply #84 on: August 24, 2010, 09:35:31 AM »
Why would you assume that they have RE'd anything? If I developed the dongle, I would sell it to multiple companies and let them duke it out. Much easier for the hacker/RE, and they get paid up front.

B1N4RY
« Reply #85 on: August 25, 2010, 02:14:58 AM »
It appears to contain a 48-pin MCU, nothing else (except for a crystal and resistors/caps). I can see how easily this thing will be replicated.

Vampirtc
« Reply #86 on: August 26, 2010, 02:19:39 PM »

Arakon
« Reply #87 on: August 26, 2010, 02:38:26 PM »
That info is wrong. The guy took the PIC datasheet and overlaid the pin layout. Not one of these pins was measured to check if that is actually the chip. Things are pointing to an Atmel chip actually, 'cause its layout is much more likely.
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

The M.A.R.T.
« Reply #88 on: August 26, 2010, 04:20:44 PM »
http://www.gamefreax.de/psjailbreak-reverse-engineered.html "First off, PSJailbreak was apparently NOT a clone of Sony's JIG, instead it's a legitimate exploit that was developed. Second, we can NOT upgrade PSJailbreak without the use of additional hardware - maybe the company planned to sell another component to upgrade the unit?"

Blackaddr
« Reply #89 on: August 26, 2010, 05:19:12 PM »
I haven't seen a good translation of that page yet, perhaps someone fluent in German can do so.
Anyway, it sounds like the jailbreak is not a clone, it's a true exploit, possibly based around a stack overflow attack using the USB descriptor. If it's actually a real exploit and not a clone of the real PS3 jig then the payload might be straightforward and easy to duplicate, which would be great for homebrewing the hack.
Anybody with a better understanding of German want to clarify any of this?
360 Info Collection -> http://www.xboxhacker.org/index.php?topic=12940.0
Do not take anything I say as gospel, use your own judgement, make your own decisions. Please pay attention to which sub-forums are for Research and Technical discussion. The following are NOT for help with and troubleshooting existing hacks: Hardware (Technical), DVD-ROM Drive and Media, Hard Disk, Software (Technical).

parasven
« Reply #90 on: August 26, 2010, 05:37:21 PM »
We have taken a closer look at this PSJailbreak dongle. We can confirm that the PSJailbreak is not a clone of Sony's "Jig" module. PSJailbreak is a self-developed exploit. The chip is not a PIC18F444; an ATMega is used with a software USB interface. This means the chip is internally capable of emulating any USB device. PSJailbreak emulates a 6-port USB hub on which different devices will later be connected and then disconnected. One of these devices has the product:vendor ID of Sony's "Jig" module, which means this had played a certain role during the development of PSJailbreak.
But let's start from the beginning: When the PS3 is powered on … A USB emulation device will be connected, which has a Configuration Descriptor that is too large. This Descriptor overrides the stack with a PowerPC shellcode that gets executed. Now, various USB devices are connected to the emulated USB hub. One device has a large Descriptor with a size of 0xAD, which is part of the exploit and contains static data. A short time later (we are talking milliseconds here) the jig module is connected, and encrypted data is transmitted to the jig module. A few milliseconds later, the Jig module answers with 64 bytes of static data, all USB devices are then disconnected, a new USB device is connected and the PS3 launches with 'a new feature'.
PSJailbreak is NOT software update-able. The Update feature which is mentioned can only be done with hardware modifications. So by 'update' they mean 'buy more of our stuff'.
64-byte static data that is emulated by the Jig and sent to the PS3: http://www.ps3hax.net/2010/08/ps-jailbreak-reverse-engineered/
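An added example (not the dongle's firmware and not from the ps3hax write-up): a host-side walk of a USB configuration descriptor in C that refuses to copy more bytes than its buffer holds, which is the check a "too large" Configuration Descriptor of the kind described above would otherwise slip past. The descriptor bytes, the 256-byte buffer size and the function names are constructed for illustration.

```c
/* Added example (constructed): a bounds-checked USB configuration-descriptor
 * walk. The host never trusts the device-supplied wTotalLength or bLength
 * fields beyond what its own buffer and the bytes actually received allow. */
#include <stdint.h>
#include <string.h>
#define USB_DT_CONFIG 0x02
#define CFG_BUF_MAX   256   /* fixed host buffer, e.g. a stack array (constructed size) */
enum cfg_status { CFG_OK = 0, CFG_TOO_SHORT, CFG_BAD_TYPE,
                  CFG_TOTAL_TOO_BIG, CFG_BAD_SUBDESC };
/* Copy and walk the descriptor, counting sub-descriptors, without reading or
 * writing past the smaller of wTotalLength, bytes received and CFG_BUF_MAX. */
enum cfg_status parse_config(const uint8_t *data, size_t received, int *ndesc)
{
    uint8_t buf[CFG_BUF_MAX];
    if (received < 9) return CFG_TOO_SHORT;                    /* 9-byte header */
    if (data[0] != 9 || data[1] != USB_DT_CONFIG) return CFG_BAD_TYPE;
    uint16_t total = (uint16_t)(data[2] | (data[3] << 8));    /* wTotalLength, little-endian */
    /* The unsafe pattern is memcpy(buf, data, total), trusting the device's own
     * length field. Bound it by the buffer and by what actually arrived. */
    if (total > CFG_BUF_MAX || total > received) return CFG_TOTAL_TOO_BIG;
    memcpy(buf, data, total);
    size_t off = 0; int n = 0;
    while (off < total) {                      /* every sub-descriptor starts with bLength */
        uint8_t blen = buf[off];
        if (blen < 2 || off + blen > total) return CFG_BAD_SUBDESC;  /* zero-length or truncated */
        off += blen; n++;
    }
    if (ndesc) *ndesc = n;
    return CFG_OK;
}
/* Constructed sample: config (9) + interface (9) + bulk IN endpoint (7) = 25 bytes. */
static const uint8_t good_cfg[25] = {
    9, 0x02, 25, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 0xFF, 0, 0, 0,
    7, 0x05, 0x81, 0x02, 0x40, 0x00, 0 };
/* Re-parse the sample after overwriting one byte (idx < 25): e.g. idx 3 set to
 * 0x08 makes wTotalLength 0x0819, far larger than the buffer, and idx 9 set to
 * 20 inflates the interface bLength past the end. Both must be rejected. */
enum cfg_status check_mutated(size_t idx, uint8_t val)
{
    uint8_t bad[sizeof good_cfg];
    memcpy(bad, good_cfg, sizeof bad);
    bad[idx] = val;
    return parse_config(bad, sizeof bad, NULL);
}
enum cfg_status check_good(int *n) { return parse_config(good_cfg, sizeof good_cfg, n); }
```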

anita999
« Reply #91 on: August 26, 2010, 08:26:34 PM »
hoooo, finally some real data sniffing and reverse engineering..... seems there will be lots of cheap solutions coming out... sooner or later we should have DIY instructions with less than $20 cost......

MohsinNisar
« Reply #92 on: August 27, 2010, 12:43:28 AM »
PSJailbreak is NOT software update-able. The Update feature which is mentioned, can be done just with hardware modifications. So by 'update' they mean 'buy more of our stuff'
That means they are gonna need to buy a new PS Jailbreak USB every time.
Want to Play Shenmue III

bidomo
« Reply #93 on: August 27, 2010, 01:22:15 AM »
PSJailbreak is NOT software update-able. The Update feature which is mentioned, can be done just with hardware modifications. So by 'update' they mean 'buy more of our stuff' That means they are gonna need to buy a new PS Jailbreak USB every time.
Not explicitly... What a scam!

Doggpound
Newbie
Posts: 4
« Reply #94 on: August 27, 2010, 03:06:38 AM »
LOL @ uberfry, You go girl!
what? I don't understand what this is? a dongle for professional software? it's a different thing.
It's not that simple. You are assuming it's a one way hack where you plug in the dongle and it pukes some binary numbers into the console and voila, it's hacked.
The communication is going to be two-way, with challenge/response, most likely based on console specific encoded data, and will probably be encrypted too.
turns out it's that simple
Sniffing what is done is not always enough to be able to reverse a device. Look at how zero knowledge tests work. I don't know how this USB jb works but I do know that knowing what is said could give no context to the conversation if you know what I mean.
I know what you mean, but the IC looked like a PIC/ATmega which probably has no specialized encryption hardware. I knew the USB would be emulated, and I've written a software USB stack before so I know the strain it has on an 8-bit microcontroller. Considering the PS3 boots pretty quick even after having to enumerate, it was safe to assume that no special encryption was going on. It turns out that that is the case, and simple sniffing is all that is required. Anyways, I've tried to replicate this hack with the release of the new info that has surfaced. It's still a no go so far. Using a PIC18F13K50 with the hardware USB, I played around with enumeration. I don't think there is actually an overflow exploit the way the guy who released the info described it. Basically a device is connected, some data is given, the device is reset, then 64 bytes is sent back to the PS3. This is exactly how enumeration is done. The 64 bytes is all the info sent during enumeration for device descriptor, configuration descriptor, interface descriptor, endpoint descriptor. So basically, this just looks like, based on enumeration, the PS3 then is sent into service mode. The only thing that is needed is the 64 bytes for this to work. I saw a picture with some bytes erased and with a watermark on top. Unfortunately, some important info is scrambled so nothing will work without it.

Blackaddr
« Reply #95 on: August 27, 2010, 07:38:02 AM »
It's not that simple. You are assuming it's a one way hack where you plug in the dongle and it pukes some binary numbers into the console and voila, it's hacked.
turns out it's that simple
Indeed. Crow is pretty tasty if you put cheese on it.

neonpolaris
« Reply #96 on: August 27, 2010, 08:51:55 AM »
Indeed. Crow is pretty tasty if you put cheese on it.
Refreshingly classy post.

garyopa
« Reply #97 on: August 27, 2010, 09:12:29 AM »

Rogero
« Reply #98 on: August 27, 2010, 10:03:25 AM »
yeah...my pre-order got refunded today, I guess this will speed up the RE of the sample units out in the wild now (as a revenge) and sooner or later this hack will be public, Sony/PS3 have to lose the battle somewhere...

AHippyHop
« Reply #99 on: August 27, 2010, 11:21:21 AM »
That 'non-updateable' part sounds ominous!
A quick scan of the uC forums/sites shows in-situ programmers using serial, byte and 'specific' programmers for the job. One site suggests the 'PonyProg' programmer, and there are PCB layouts to construct it (if it's applicable). Not heard of it myself.
An open RE solution would hopefully solve that, in time. Loads of great, free Atmel tools out there though.
AHH