144w ago - Yesterday we caught a glimpse of some PS JailBreak Reviews which confirmed PS3 Firmware 3.41 is required, and today we have some PS3 JailBreak details from PlayStation 3 hackers SKFU and the DemonHades Team along with some pictures of the inside of the PS JailBreak (below) courtesy of PlanetadeJuego.com.
For those who missed it, PS JailBreak was first announced two days ago and is a USB device which allows end-users to play PS3 game back-ups on Sony's PlayStation 3 entertainment system.
"I just tested the software they uploaded and can confirm it works so far.
I can tell a bit about the backup manager. It seems the software uses bd_emu features to manage the backups. The HDD to use, should have a modified bd emu format, which sets all backups on first position, so the PS3 detects 'em all. Then you can choose the image to boot via the manager.
To directly copy and boot a game, the software would need to decrypt all layers on the fly. Meaning it decrypts all executables somehow, else it won't run. Even on a debug unit.
The hardware look like a copy of the original PS3 jigstick, used in SONY service centers to repair broken PlayStation3 SKU's. Someone internal leaked or sold a stick, so they had the chance to reverse and clone the hardware.
The stick should boot before the normal firmware does, so it's hard to patch it. Maybe SONY could update the bootcode to prevent it, set it to a revoke list.
By the way, in all videos they use debug PS3's to run the software. There is no video showing the actual process booting on a retail PS3 afaik. So I do not confirm that this is true, yet!
If it's as true as it looks this time, good job guys!"
And now here are comments from DemonHades Team on PS JailBreak, to quote (roughly translated):
"Well I see that recently raised a stir is mounted by a chip of course to load backups from a pendrive, at first glance one might say it's fake if we did not know of studies conducted years ago and let us see many more hidden things that not all users can understand, in this case we speak of the card jig, the jig is used by the card sony sat for maintenance and restoration in ps3.
In short, this jig card has been removed from the payment sony sat.. so now try to expand the money spent only and once recovered the money spent in obtaining this device the reproduction and cloning of the device will be imminent.
When I saw the body of the above, first I noticed that the sample vsh known and used parts of a debug.. and of course if one is launching retail which does not make much sense, could only think one way quickly- THE CONVERTER RETAIL TO DEBUG.
This converter is thought to sony and service for devs have this jig card (aka USB dongle), allowing this USB is that:
Releasing the boot ini dev_usb0 and a sequence of buttons that change the state of syscon as we launch the initial boot usb dongle, then interprets the bootstrap and load the necessary files from the dongle itself temporarily leaving the ram doing a false reboot.
According to the store have told the seller, no residue on the PS3.. so it fits the above description.
The idea is quite clear gentlemen, emulates the fw of trm syscon and we have a debug interprets loading the kernel debug and providing all the features to debug vshmain time, this results in loading unsigned code.
This allows us as I mentioned months ago to launch pkgs from ubs, since it has a browser for managing them.
The official BDEMU disk loading before you activate the mediatype BD and then run the loader to the channel of communication with the real reader would be closed and only would use the BD-emu, emu and the bd can not share the same channel communication.
In this case to remove the layer is used to extract cellftp to an external source of filesystems without pre-decoded and converted to debug layer.
Executables can be created with the sdk, and generated their own loader which removes the layer of encryption (this if it will extract the discs, not linux), then the PS3Gen (published as a matter of 1 month) can be create iso patched with valid soft.esto itself mean that everything is made in the PS3 SDK (emulators, applications, etc) will be loaded without problems, as we are doing the same as the 360 with jtag hack it uses a core debug.
The loader is loaded by the execution path that recognizes the actual application manager, loaded via app.
TRUE GENTLEMEN OF THE NEWS WOULD BE A GREAT TIME AND NEWS bad news... Let me explain:
1. NO SERIOUS WORK DONE BY HACKERS OR RESEARCHERS.
2. MATERIAL IS MADE LIKE THE MAGIC BATTERY FOR PSP WITH SONY TOOLS.
In short, PS3 has fallen to the very tools you use in your SAT Sony... that if Sony can plug it into the next update.. just have to cancel the initial boot usb to close the bar, because the boss is syscon."
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Components (red dots)
A : Resistor ; 1K
B : LED
C : LED
D : Resistor ; 1k
E : ?? Resistor ??
F : ?? Capacitor ??
G : ?? Resistor ??
H : ?? Resistor ; 1K (Pullup resistor) ??
I : ?? Capacitor ??
J : Capacitor ; 100nF (Decoupling cap)
. : XTAL
- The blue spots A, B and D controls the LEDs
- The blue spots K, L, G and H are for power (Vdd, Vss)
- I think the blue spots M, I and J are to program the PIC (ICPGC, ICPGD, /MCLR)
- The blue spots E and F are OSC1 and OSC2. They must be connected to the XTAL (orange spots A and B) and to the GND mass (alpha wire) through two 22pF capacitors.
- The orange spot F should be related to USB.D-
- The orange spot C might be connected to the blue spot M (ICPGC)
- The orange spot C might be connected to pin 33 (/ICRST)
- I think the orange spot E is connected to one of the via noted alpha
the problem is not the mcu
i think any mcu
can handle the job
we have only to see sniffing
how to sniff a usb connection?
you only need a strong logic analyzer
D- on pin 11
on this mcu
So, to which pin of the MCU is the CLK connected?
That's probably the only way to tell which MCU is used here...