Well, not every time, but every time we want to run it in that mode, yes. I'm not REALLY worried, as the PC is sitting next to the PS3 on the desk, but some people who have them in separate rooms or a long distance away might be kerfuffled lol....
Theoretically, all we need is the code to send the PS3 into a 'DFU mode' or the like, if it is merely a buffer overflow exploit. I think that once you emulate the said USB hub, the fact that it connects and disconnects up to six devices repeatedly is what causes the buffer to overflow; then what you need to do is overwrite the return address with the address of an opcode which, in theory, will cause execution to jump to the user-supplied data? e.g. the code used in psJB to send the PS3 into DFU mode?
Ok guys, some more news here! I finally got the kernel module to work! It loads up and everything, so that's cool. It also properly answers the device/configuration requests. But I have one issue:
The host asks for a buffer of size 18, and I send it 3840 bytes. With the USB sniffer I have here under Linux (for tests), all I see is a 'corrupted packet error', so I'm not sure if the data is sent correctly, or if it doesn't even get sent because the underlying framework refuses it.
Anyway, so far so good. Assuming the data is sent correctly, I've written a driver that reproduces the USB dumps received! Now we just need a proper dump to see exactly what's going on, when to send that data, etc...
Now it's 10:20 AM, and I really need to go to sleep, so good night all! I hope we'll have some more stuff tomorrow so I can continue working on this!
I finally got the kernel module to work! It loads up and everything, so that's cool. It also properly answers the device/configuration requests.
Well, you need to send enough data to rewrite the return address to that of your malicious code - the bypass / overwrite for the Sony JIG Answer Response Scheme.
BUFFER[ ] <----- 90 bytes of space allocated for BUFFER[ ]
RETURN ADDRESS <----- When the user inputs data, program control would come here and follow the 'address' stored here to go back.
But if the user inputs more than 90 bytes of data... for example XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [user input]
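An added example, not code from any poster in this thread: the defender's side of the oversized-reply case described earlier (an 18-byte device descriptor request answered with 3840 bytes). A host stack that validates the reply length against both what it requested and its fixed buffer before copying cannot have its return address overwritten the way the diagram shows. The function names and the sample descriptor bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_DEVICE       0x01  /* bDescriptorType for a device descriptor */
#define USB_DEVICE_DESC_LEN 18    /* a device descriptor is always 18 bytes */

enum desc_status { DESC_OK = 0, DESC_TOO_SHORT, DESC_TOO_LONG,
                   DESC_LEN_MISMATCH, DESC_BAD_TYPE };

/* Hypothetical host-side check (not real kernel code): validate the reply to
 * GET_DESCRIPTOR(DEVICE) before it is copied into an 18-byte buffer.
 * requested = wLength the host put in the setup packet (18 in the thread)
 * reply_len = bytes the device actually returned (3840 in the thread)        */
enum desc_status validate_device_descriptor(size_t requested,
                                            const uint8_t *reply, size_t reply_len)
{
    if (reply_len < 2)
        return DESC_TOO_SHORT;          /* need at least bLength + bDescriptorType */
    if (reply_len > requested || reply_len > USB_DEVICE_DESC_LEN)
        return DESC_TOO_LONG;           /* device sent more than was asked for */
    if ((size_t)reply[0] != reply_len)
        return DESC_LEN_MISMATCH;       /* bLength disagrees with what arrived */
    if (reply[1] != USB_DT_DEVICE)
        return DESC_BAD_TYPE;
    return DESC_OK;
}

/* Copy into the fixed buffer only after validation; returns bytes copied, 0 if rejected. */
size_t copy_device_descriptor(uint8_t dst[USB_DEVICE_DESC_LEN], size_t requested,
                              const uint8_t *reply, size_t reply_len)
{
    if (validate_device_descriptor(requested, reply, reply_len) != DESC_OK)
        return 0;
    memcpy(dst, reply, reply_len);      /* reply_len <= USB_DEVICE_DESC_LEN here */
    return reply_len;
}

/* Constructed sample: a plausible hub-class device descriptor, not a real dump. */
const uint8_t sample_descriptor[USB_DEVICE_DESC_LEN] = {
    18, USB_DT_DEVICE, 0x00, 0x02, 0x09, 0x00, 0x01, 0x40,
    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    uint8_t buf[USB_DEVICE_DESC_LEN];
    static uint8_t oversized[3840];     /* mimics the 3840-byte answer from the thread */
    memset(oversized, 0x41, sizeof oversized);
    oversized[0] = 18; oversized[1] = USB_DT_DEVICE;
    printf("good reply copied: %zu bytes\n", copy_device_descriptor(buf, 18, sample_descriptor, 18));
    printf("oversized reply copied: %zu bytes\n", copy_device_descriptor(buf, 18, oversized, sizeof oversized));
    return 0;
}
```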