
  1. #1
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,391

    PSJailBreak PS3 Exploit Payload Reverse Engineering Detailed

    A few weeks back we reported on the PS JailBreak PS3 exploit reverse engineering followed by the PSJailBreak PS3 exploit payload, and today naehrwert has focused on the PSJailBreak payload itself, as follows:

    PSJailbreak Payload Reverse Engineering

    Here's my understanding of what the exploit payload does:

    1. it gets control at exploit_entry, which copies the rest of the payload to the fixed address 0x8000000000700000 and jumps to exploit_main.

    2. exploit_main copies a resident part of the payload to another location, creates a virtual usb device driver called "mod" with 3 functions, hooks some vsh functions via toc entry and does some permanent in-ram patching. when the work is done it zeroes itself out.

    3. the resident part has basically 3 purposes: it manages virtual usb device, it does some on-the-fly patching and it hooks all the game disk file accesses from the vsh.

    a. the virtual usb device is needed to make sure the original ps3jb device is plugged in. once the correct device is plugged in (the one with the AAAAC0DE) the device driver initializes the variable INITIALIZED to 1 (see kmod_func1 - probably "identify device", and kmod_func2 - "initialize device").

    if one plugs the device out, the function kmod_func3_call_panic "term device" is called which causes a kernel panic. all the virtual usb device code can be removed completely from the open psjb implementation since it's just a way of protection for the original ps3jb.

    b. the on-the-fly patching part of the code is probably called on virtual memory page remapping and does additional patching in-place. it identifies if a page requires patching by calculating its "hash" and comparing it to the table entries. one of the patches enables the developer menu/settings called "category_game_tool2.xml#root" which probably enables support of the pkgs and other dev stuff.

    c. the hooks from the vsh are intended to redirect all on-bdvd file requests (or probably just "open") from vsh to the hdd saved backup. the launcher saves the base directory of the game started and after that all the file names are prepended with it. that's how the backup feature works. the lv1 still needs bdvd auth to launch the game, so the original disc in bdvd is still required.

    4. Adds a Syscall (Syscall 36) which will be called by the Backup Loader to activate the virtual bluray drive with the correct backed-up disk.

    5. Patches the return value from hypercall 99 so that we can launch unsigned apps.

    the code below is from my idb of the payload.

    [Register or Login to view code]
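    Point 3b above describes a page-hash lookup: a page of memory is hashed, the hash is compared against a table, and a match tells the code which page it is looking at. The following is an added illustration of that mechanism, not naehrwert's code and not anything taken from the payload: the hash function (FNV-1a) and the three sample pages are constructed stand-ins, since the write-up does not give the real hash or table contents. The same table, read the other way round, is what a memory-integrity monitor uses to notice that a page has been altered in place, so the example also shows that defensive use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096

/* Stand-in page hash: 64-bit FNV-1a over the whole page. The write-up does
 * not say what hash the payload uses; this is an assumption chosen only to
 * illustrate the table lookup. */
static uint64_t page_hash(const uint8_t *page, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= page[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* One entry of the identification table: a known page hash and a label for
 * what that page is. The labels here are constructed, not real firmware. */
struct page_entry {
    uint64_t hash;
    const char *label;
};

/* Three constructed sample "pages" standing in for memory being inspected. */
static uint8_t pages[3][PAGE_SIZE];

/* Fill the sample pages with distinct deterministic content and record
 * their hashes as the baseline table. */
static void build_samples(struct page_entry *table)
{
    const char *labels[3] = { "sample_page_A", "sample_page_B", "sample_page_C" };
    for (int p = 0; p < 3; p++) {
        for (size_t i = 0; i < PAGE_SIZE; i++)
            pages[p][i] = (uint8_t)((i * (p + 3)) ^ (p * 0x5a));
        table[p].hash = page_hash(pages[p], PAGE_SIZE);
        table[p].label = labels[p];
    }
}

/* Identify a page by its hash. Returns the table index, or -1 when the page
 * is unknown: either it was never in the table or its bytes have changed. */
static int identify_page(const uint8_t *page, const struct page_entry *table, size_t n)
{
    uint64_t h = page_hash(page, PAGE_SIZE);
    for (size_t i = 0; i < n; i++)
        if (table[i].hash == h)
            return (int)i;
    return -1;
}

/* Defensive reading of the same table: count pages whose current hash no
 * longer matches the recorded baseline, i.e. pages modified in memory. */
static int count_modified(const struct page_entry *table, size_t n)
{
    int modified = 0;
    for (size_t i = 0; i < n; i++)
        if (page_hash(pages[i], PAGE_SIZE) != table[i].hash)
            modified++;
    return modified;
}

/* Walk through the lookup, then flip one byte of a page and show that both
 * the lookup and the integrity count react. Returns 0 when every step
 * behaves as expected, otherwise the number of the failing step. */
int run_demo(void)
{
    struct page_entry table[3];
    build_samples(table);

    if (identify_page(pages[1], table, 3) != 1) return 1;   /* known page is found */
    if (count_modified(table, 3) != 0) return 2;            /* baseline intact */

    pages[1][100] ^= 0x01;                                  /* simulate one in-place patch */
    if (identify_page(pages[1], table, 3) != -1) return 3;  /* hash no longer matches */
    if (count_modified(table, 3) != 1) return 4;            /* exactly one page flagged */
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("page-hash demo %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

    A single flipped byte is enough to move a page out of the table, which is why this style of identification is brittle across firmware revisions and why, on the defensive side, a baseline of page hashes is a cheap way to spot in-ram patching of code that should never change.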


  2. #2
    Contributor Kiriller's Avatar
    Join Date
    Sep 2008
    Posts
    108
    Correct me if I'm wrong, what is the reason for reverse engineering when we already know how to program empty usb boards & other devices? Don't think it will even serve a purpose of coding for new firmware seeing how Sony already patched this hole... Hope I'm wrong though!

  3. #3
    Forum Moderator PS3 News's Avatar
    Join Date
    Apr 2005
    Posts
    28,391
    Most of this is just for those who want to learn the intricacies of how it all works, versus end-users who are just seeking a solution to JailBreak their PS3 and run backups/homebrew with it... that is why I stuck this in the Dev section versus the PS3 hacks one.

  4. #4
    Senior Member SwordOfWar's Avatar
    Join Date
    Jul 2009
    Posts
    343
    Understanding how it all works, even if it was patched, could help lead to another solution.

    The more people know about the patch and how it works, the more likely we will see an improvement in open source solutions like PSGroove/PSFreedom.

  5. #5
    Contributor tjay17's Avatar
    Join Date
    Apr 2010
    Posts
    421
    Ok, that went over my head but the more that is known the better.

  6. #6
    Contributor FireSokar's Avatar
    Join Date
    Mar 2006
    Posts
    67
    Thanks for the info boss. On a side note - this will eventually lead to CFW. If someone does not detail exactly what is done with the device, it would be impossible for a CFW to come out. Eventually an untethered JB will come to light. I feel that it is totally possible, this was most likely an untethered solution that was developed into a tethered solution to force a consumer to buy a (what they thought to be a restricted) device.

  7. #7
    Senior Member GrandpaHomer's Avatar
    Join Date
    Apr 2005
    Posts
    1,316
    Quote Originally Posted by Kiriller View Post
    Correct me if I'm wrong, what is the reason for reverse engineering when we already know how to program empty usb boards & other devices? Don't think it will even serve a purpose of coding for new firmware seeing how Sony already patched this hole... Hope I'm wrong though!
    There is quite a bit of difference between copying the "black box" from outside just by monitoring its behaviour and cracking it wide open, as you're never sure what other functions and surprises might be hidden inside. Also - it could have much more effective or precise coding etc. etc. etc. ...

  8. #8
    Contributor foenix's Avatar
    Join Date
    Oct 2008
    Posts
    3
    Quote Originally Posted by Kiriller View Post
    Correct me if I'm wrong, what is the reason for reverse engineering when we already know how to program empty usb boards & other devices? Don't think it will even serve a purpose of coding for new firmware seeing how Sony already patched this hole... Hope I'm wrong though!
    The reason for reverse engineering is simple: 1. to find out the main source code, 2. to view, extract and possibly tweak the source code onto another device eg: psjailbreak tiny++ whatever, 3. finding more information to make the software more useful eg: allowing the exploit to run without the need of a usb dongle connected, 4. possibly assisting in homebrew code ported to another device to use instead of a usb dongle, eg: psp, ipod etc.

    Hope that helps,
    Foenix

  9. #9
    Senior Member heartagram62's Avatar
    Join Date
    Apr 2008
    Posts
    98
    OMG how have I missed so much on the PS3 jailbreak? I have been out of the country and without internet access since late July! I come back, update my PS3 without thinking and then read all of these articles. I really feel I have missed out on something here.

  10. #10
    Junior Member avojps24's Avatar
    Join Date
    Feb 2010
    Posts
    65

    Quote Originally Posted by heartagram62 View Post
    OMG how have I missed so much on the PS3 jailbreak? I have been out of the country and without internet access since late July! I come back, update my PS3 without thinking and then read all of these articles. I really feel I have missed out on something here.
    use the one you updated to play online. Buy another ps3 (fat or slim) with 3.41... problem solved. Now you can enjoy the best of both worlds, with the exception of paying for the games you want to play online.
