PSJailbreak Payload Reverse Engineering Details - PS3Hax Network

Pirate · 09-16-2010

The PSJailbreak payload has now been fully made public for other devs to devour and understand how the original exploit worked.

To quote:

1. It gets control at Exploit_Entry, which copies the rest of the payload to the fixed address 0x8000000000700000.

2. Exploit_Main copies a resident part of the payload to another location, creates virtual USB device driver called "MOD" with 3 functions, hooks some VSH functions via TOC entry and does some permanent in-ram patching. when the work is done it zeroes itself out.

3. The resident part has basically 3 purposes: (a)It manages virtual USB device, (b)It does some on-the-fly patching and (c)It hooks all the game disk file accesses from the VSH.

3a. The virtual USB device is needed to make sure the original PS3JB device in plugged in. Once the correct device is plugged (the one with the AAAAC0DE) device driver initializes the variable to 1 (see kmod_func1 - probably "identify device", and kmod_func2 - "initialize device"). If one pulls the device out, the function kmod_func3_call_panic "term device" is called which causes a kernel panic.

3b. The on-the-fly patching part of the code is probably called on virtual memory page remapping and does additional patching in-place. It identifies if the pages requires patching byte calculating it's "hash" and comparing to the table entries. One of the patches enables developer menu/settings called "category_game_tool2.xml#root" which probably enables support of the pkgs and other dev stuff.

3c. The hooks from the VSH are intended to redirect all on-BDVD file requests (or probably just "open") from VSH to the HDD saved backup. The launcher saves the base directory of the game started and after that all the file names are prepended with it. that's how the backup feature works. The LV1 still needs BDVD auth to launch the game, so the original disc in BDVD is still required.

4. Adds a Syscall (Syscall 36) which will be called by Backup Loader to activate the virtual bluray drive with the correct backed-up disk.

5. Patches the return value from Hypercall 99 so that we can launch unsigned apps.

You can view the full payload HERE.

o0kilabot0o · 09-16-2010

arrgggg! My BRAIIINNNNNNNN!!!!

kambody · 09-16-2010

does this means it used the geohot hack to get ot this or not?

nonaxanon · 09-16-2010

diablos, eso mismo!

suicidal.banana · 09-16-2010

@kambody: Although im just a noob, i would say so yes. no way they 'guessed' all that stuff.
Then again, they could have done something similair to geo and just kept it secret untill they could start selling their devices.

On a side note, what happend to
PSJailbreak:
"Our Backup Manager v1.1 will be released on or before the 15th of September with a very valuable feature as well as increased reliability and expandability."
(http://psjailbreak.com/news)

mr_xzibit · 09-16-2010

maybe the jailbreak team have all been kidnaped by SONY.

ZanderCross · 09-16-2010

The funny thing about PSJ is that this company hacks the PS3 and people copy the hack before they even release it. Then they try to lock down their own hacked homebrew... OK so what... It's going to take us an extra week or two to get the new backup manager now? With all the homebrew being worked on right now and with PSGrove already updated with more of Sony's security out of the way, what makes them think they can hide something from other hackers? It's a sad world when hackers won't just unite and work together. They could make great homebrew if we only had a united front!

Sadly some people are just in it for the money and not the community...

dodo815 · 09-16-2010

i wanna see 3.42 hacking cause i have it and i cant hack the console dame:thefinger:

Dark_Michael · 09-16-2010

@kambody it doesn't.

If I understood it well, LV2 previliges means that we will be able to run backed up games without having to insert the original game inside the console :D

AsSiTcH · 09-16-2010

Originally Posted by Dark_Michael

@kambody it doesn't.

If I understood it well, LV2 previliges means that we will be able to run backed up games without having to insert the original game inside the console :D

Im not so sure lvl 2 priveledges will allow this. Its also to soon to know.

09-16-2010	#1
Pirate Join Date: Feb 2007 Posts: 6,988 Likes: 371 Liked 8,045 Times in 1,247 Posts Mentioned: 585 Post(s) Tagged: 0 Thread(s)	PSJailbreak Payload Reverse Engineering Details The PSJailbreak payload has now been fully made public for other devs to devour and understand how the original exploit worked. To quote: 1. It gets control at Exploit_Entry, which copies the rest of the payload to the fixed address 0x8000000000700000. 2. Exploit_Main copies a resident part of the payload to another location, creates virtual USB device driver called "MOD" with 3 functions, hooks some VSH functions via TOC entry and does some permanent in-ram patching. when the work is done it zeroes itself out. 3. The resident part has basically 3 purposes: (a)It manages virtual USB device, (b)It does some on-the-fly patching and (c)It hooks all the game disk file accesses from the VSH. 3a. The virtual USB device is needed to make sure the original PS3JB device in plugged in. Once the correct device is plugged (the one with the AAAAC0DE) device driver initializes the variable to 1 (see kmod_func1 - probably "identify device", and kmod_func2 - "initialize device"). If one pulls the device out, the function kmod_func3_call_panic "term device" is called which causes a kernel panic. 3b. The on-the-fly patching part of the code is probably called on virtual memory page remapping and does additional patching in-place. It identifies if the pages requires patching byte calculating it's "hash" and comparing to the table entries. One of the patches enables developer menu/settings called "category_game_tool2.xml#root" which probably enables support of the pkgs and other dev stuff. 3c. The hooks from the VSH are intended to redirect all on-BDVD file requests (or probably just "open") from VSH to the HDD saved backup. The launcher saves the base directory of the game started and after that all the file names are prepended with it. that's how the backup feature works. The LV1 still needs BDVD auth to launch the game, so the original disc in BDVD is still required. 4. Adds a Syscall (Syscall 36) which will be called by Backup Loader to activate the virtual bluray drive with the correct backed-up disk. 5. Patches the return value from Hypercall 99 so that we can launch unsigned apps. You can view the full payload HERE.

09-16-2010	#3
kambody Member Join Date: Oct 2008 Posts: 75 Likes: 7 Liked 1 Time in 1 Post Mentioned: 0 Post(s) Tagged: 0 Thread(s)	so? does this means it used the geohot hack to get ot this or not?

09-16-2010	#5
suicidal.banana Apprentice Join Date: Sep 2010 Posts: 7 Likes: 4 Liked 0 Times in 0 Posts Mentioned: 0 Post(s) Tagged: 0 Thread(s)	@kambody: Although im just a noob, i would say so yes. no way they 'guessed' all that stuff. Then again, they could have done something similair to geo and just kept it secret untill they could start selling their devices. On a side note, what happend to PSJailbreak: "Our Backup Manager v1.1 will be released on or before the 15th of September with a very valuable feature as well as increased reliability and expandability." (http://psjailbreak.com/news) Last edited by suicidal.banana; 09-16-2010 at 11:35 AM.

09-16-2010	#8
dodo815 Member Join Date: Jul 2009 Posts: 58 Likes: 1 Liked 1 Time in 1 Post Mentioned: 0 Post(s) Tagged: 0 Thread(s)	hi i wanna see 3.42 hacking cause i have it and i cant hack the console dame:thefinger:

		PS3Hax Network - Playstation 3 Hacks and Mods > News > PS3Hax News
PSJailbreak Payload Reverse Engineering Details

09-16-2010	#2
o0kilabot0o Member Join Date: Sep 2010 Posts: 72 Likes: 2 Liked 2 Times in 2 Posts Mentioned: 0 Post(s) Tagged: 0 Thread(s)	arrgggg! My BRAIIINNNNNNNN!!!!

09-16-2010	#4
nonaxanon Apprentice Join Date: Jun 2009 Location: Puerto Rico Posts: 29 Likes: 2 Liked 1 Time in 1 Post Mentioned: 0 Post(s) Tagged: 0 Thread(s)	diablos, eso mismo!

09-16-2010	#6
mr_xzibit Apprentice Join Date: Sep 2010 Posts: 8 Likes: 2 Liked 0 Times in 0 Posts Mentioned: 0 Post(s) Tagged: 0 Thread(s)	maybe the jailbreak team have all been kidnaped by SONY.

09-16-2010	#7
ZanderCross Member Join Date: Sep 2010 Posts: 227 Likes: 90 Liked 43 Times in 32 Posts Mentioned: 0 Post(s) Tagged: 0 Thread(s)	The funny thing about PSJ is that this company hacks the PS3 and people copy the hack before they even release it. Then they try to lock down their own hacked homebrew... OK so what... It's going to take us an extra week or two to get the new backup manager now? With all the homebrew being worked on right now and with PSGrove already updated with more of Sony's security out of the way, what makes them think they can hide something from other hackers? It's a sad world when hackers won't just unite and work together. They could make great homebrew if we only had a united front! Sadly some people are just in it for the money and not the community...

09-16-2010	#9
Dark_Michael Apprentice Join Date: Sep 2010 Posts: 3 Likes: 1 Liked 0 Times in 0 Posts Mentioned: 1 Post(s) Tagged: 0 Thread(s)	@kambody it doesn't. If I understood it well, LV2 previliges means that we will be able to run backed up games without having to insert the original game inside the console :D

User Name		Remember Me?
Password