• The PSJailbreak payload has now been fully made public for other devs to devour and understand how the original exploit worked.

    To quote:

    1. It gets control at Exploit_Entry, which copies the rest of the payload to the fixed address 0x8000000000700000.

    2. Exploit_Main copies a resident part of the payload to another location, creates a virtual USB device driver called “MOD” with 3 functions, hooks some VSH functions via TOC entry and does some permanent in-RAM patching. When the work is done it zeroes itself out.

    3. The resident part has basically 3 purposes: (a) it manages the virtual USB device, (b) it does some on-the-fly patching and (c) it hooks all the game disk file accesses from the VSH.

    3a. The virtual USB device is needed to make sure the original PS3JB device is plugged in. Once the correct device is plugged in (the one with the AAAAC0DE), the device driver initializes the variable to 1 (see kmod_func1 - probably “identify device”, and kmod_func2 - “initialize device”). If one pulls the device out, the function kmod_func3_call_panic (“term device”) is called, which causes a kernel panic.

    3b. The on-the-fly patching part of the code is probably called on virtual memory page remapping and does additional patching in place. It identifies whether a page requires patching by calculating its “hash” and comparing it to the table entries. One of the patches enables a developer menu/settings called “category_game_tool2.xml#root”, which probably enables support of pkgs and other dev stuff.

    3c. The hooks from the VSH are intended to redirect all on-BDVD file requests (or probably just “open”) from the VSH to the HDD-saved backup. The launcher saves the base directory of the started game and after that all the file names are prepended with it. That’s how the backup feature works. LV1 still needs BDVD auth to launch the game, so the original disc in the BDVD is still required.

    4. Adds a syscall (Syscall 36) which will be called by the Backup Loader to activate the virtual Blu-ray drive with the correct backed-up disk.

    5. Patches the return value from Hypercall 99 so that we can launch unsigned apps.

    You can view the full payload HERE.



  • 10 Comments

    1. o0kilabot0o
      09-16-2010
      10:41 AM
      1

      arrgggg! My BRAIIINNNNNNNN!!!!

    2. kambody
      09-16-2010
      10:56 AM
      2

      Does this mean it used the geohot hack to get to this or not?

    3. nonaxanon
      09-16-2010
      11:17 AM
      3

      Damn, exactly that!

    4. suicidal.banana
      09-16-2010
      11:30 AM
      4

      @kambody: Although I'm just a noob, I would say so, yes. No way they 'guessed' all that stuff.
      Then again, they could have done something similar to geo and just kept it secret until they could start selling their devices.

      On a side note, what happened to
      PSJailbreak:
      "Our Backup Manager v1.1 will be released on or before the 15th of September with a very valuable feature as well as increased reliability and expandability."
      (http://psjailbreak.com/news)

    5. mr_xzibit
      09-16-2010
      11:39 AM
      5

      Maybe the jailbreak team have all been kidnapped by SONY.

    6. ZanderCross
      09-16-2010
      11:47 AM
      6

      The funny thing about PSJ is that this company hacks the PS3 and people copy the hack before they even release it. Then they try to lock down their own hacked homebrew... OK so what... It's going to take us an extra week or two to get the new backup manager now? With all the homebrew being worked on right now and with PSGrove already updated with more of Sony's security out of the way, what makes them think they can hide something from other hackers? It's a sad world when hackers won't just unite and work together. They could make great homebrew if we only had a united front!

      Sadly some people are just in it for the money and not the community...

    7. dodo815
      09-16-2010
      01:07 PM
      7

      I wanna see 3.42 hacking 'cause I have it and I can't hack the console, damn :thefinger:

    8. Dark_Michael
      09-16-2010
      01:39 PM
      8

      @kambody it doesn't.

      If I understood it well, LV2 privileges means that we will be able to run backed up games without having to insert the original game inside the console :D

    9. AsSiTcH
      09-16-2010
      02:50 PM
      9

      Originally Posted by Dark_Michael
      @kambody it doesn't.

      If I understood it well, LV2 privileges means that we will be able to run backed up games without having to insert the original game inside the console :D
      I'm not so sure lvl 2 privileges will allow this. It's also too soon to know.

    10. Eternity
      09-16-2010
      03:58 PM
      10

      Few things. GeoHot's exploit used a timing glitch attack. This uses, from what I kind of remember reading, a software-based payload exploiting a buffer overflow in the Sony firmware, namely in the enumeration routine of USB device descriptors. "Unsafe" datatype functions are good for this weakness; C90 stuff was good for that (printf, sscanf, memcpy come to mind; basically it deals with \0-terminated strings and overwriting the null terminator to overflow a dest variable's size). Now we have C++ libraries like Boost that help eliminate that (though at a cost of huge code overhead; those of you that ever tried tracing through a faulty lexical_cast call know what I'm talking about) through the use of sophisticated "sizeof" type routines. I won't say any more, don't wanna turn this reply into a history lesson on unsafe function calls :P

      Basically the takeaway is: if I remember what I read correctly, it did not actually use GeoHot's glitch attack, since GeoHot's attack used a timed electrical pulse on one of the bus lines to "glitch" the system. That in and of itself makes it different than using a USB dongle that has firmware (containing the removal and installing of USB devices) flashed to a microcontroller. Now I haven't, to be honest, looked too much into the actual code for the exploit, so it may actually wind up being a software version of GeoHot's glitch, I dunno. What I do remember is it dealt with enumerating USB device descriptors, which is something GeoHot's exploit did not do, unless there was a stage 2 to it that I missed.

      Second thing I wanted to bring up was, if you follow Mat's (can't remember how to exactly spell his name, there's an H and an I in there somewhere; I have it on one of my million FF tabs lol) twitter page, he basically said almost anything can be done in LV2. Though he did re-emphasize "almost". Lots of us thought CFW, but he had something else in mind. Something he wrote when someone asked him kind of made me think that. Though it might be possible, I don't know enough about the privileges of the various levels.

      The last thing I wanted to bring up was something Suicidal.Banana mentioned:

      @kambody: Although I'm just a noob, I would say so, yes. No way they 'guessed' all that stuff.
      That's precisely what my feeling is on it (Not the copying of GeoHot, but the guessing of the stuff). I mentioned it over here:
      http://www.ps3hax.net/showthread.php?t=13226&page=2
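The descriptor-enumeration bug class Eternity describes above, shown from the defender's side as an added example (not code from the PSJailbreak payload, Sony's firmware, or anyone in this thread): a USB descriptor parser that validates the device-supplied bLength before every copy. The DESC_MAX_LEN constant, the usb_desc_t struct and the sample byte strings are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Every USB descriptor begins with bLength and bDescriptorType, both chosen by the
 * device. A host stack that copies bLength bytes into a fixed buffer without checking
 * it against the data actually received and the destination size is the pattern the
 * comment above describes. This parser performs those checks before each memcpy.
 * DESC_MAX_LEN, usb_desc_t and the sample blobs are assumptions made for the example. */

#define DESC_MAX_LEN 32   /* capacity of the per-descriptor copy buffer */

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t body[DESC_MAX_LEN];   /* fixed-size destination: the classic overflow target */
} usb_desc_t;

/* Walks a descriptor chain. Returns the number of descriptors copied, or -1 if any
 * bLength is inconsistent with the buffer: < 2 (parser would never advance), beyond
 * the bytes received, larger than body[], or more descriptors than out[] can hold. */
int parse_usb_descriptors(const uint8_t *buf, size_t len, usb_desc_t *out, size_t max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 2)
            return -1;                        /* truncated header */
        uint8_t blen = buf[off];
        if (blen < 2 || blen > len - off || blen > DESC_MAX_LEN)
            return -1;                        /* device-supplied length not trustworthy */
        if ((size_t)n >= max_out)
            return -1;                        /* no room in out[] */
        out[n].type = buf[off + 1];
        out[n].len = blen;
        memcpy(out[n].body, buf + off, blen); /* safe: blen bounded by the checks above */
        off += blen;
        n++;
    }
    return n;
}

/* Constructed sample: configuration(9) + interface(9) + endpoint(7) bytes, well formed. */
const uint8_t sample_good[] = { 9,2,25,0,1,1,0,0x80,50, 9,4,0,0,1,0xff,0,0,0, 7,5,0x81,2,64,0,0 };
/* Constructed sample: final descriptor claims bLength 0x40 but only 7 bytes follow it. */
const uint8_t sample_oversize[] = { 9,2,16,0,1,1,0,0x80,50, 0x40,5,0x81,2,64,0,0 };
/* Constructed sample: a bLength of 0 that would stall an unchecked parser. */
const uint8_t sample_zero[] = { 9,2,11,0,1,1,0,0x80,50, 0,5 };
```

The same three checks (length against received data, length against destination, progress per iteration) apply to any device-controlled length field, not only USB descriptors.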