PS JailBreak Inside Pics, Details by SKFU & DemonHades Team


212w ago - Yesterday we caught a glimpse of some PS JailBreak Reviews which confirmed PS3 Firmware 3.41 is required, and today we have some PS3 JailBreak details from PlayStation 3 hackers SKFU and the DemonHades Team along with some pictures of the inside of the PS JailBreak (below) courtesy of [Register or Login to view links].

For those who missed it, PS JailBreak was first announced two days ago and is a USB device which allows end-users to play PS3 game back-ups on Sony's PlayStation 3 entertainment system.

Here is what [Register or Login to view links] has to say on it, to quote:

"I just tested the software they uploaded and can confirm it works so far.

I can tell a bit about the backup manager. It seems the software uses bd_emu features to manage the backups. The HDD to use should have a modified bd_emu format, which sets all backups on first position, so the PS3 detects 'em all. Then you can choose the image to boot via the manager.

To directly copy and boot a game, the software would need to decrypt all layers on the fly. Meaning it decrypts all executables somehow, else it won't run. Even on a debug unit.

The hardware looks like a copy of the original PS3 jigstick, used in SONY service centers to repair broken PlayStation 3 SKUs. Someone internal leaked or sold a stick, so they had the chance to reverse and clone the hardware.

The stick should boot before the normal firmware does, so it's hard to patch it. Maybe SONY could update the bootcode to prevent it, set it to a revoke list.

By the way, in all videos they use debug PS3's to run the software. There is no video showing the actual process booting on a retail PS3 afaik. So I do not confirm that this is true, yet!

If it's as true as it looks this time, good job guys!"

And now here are comments from [Register or Login to view links] on PS JailBreak, to quote (roughly translated):

"Well I see that recently raised a stir is mounted by a chip of course to load backups from a pendrive, at first glance one might say it's fake if we did not know of studies conducted years ago and let us see many more hidden things that not all users can understand, in this case we speak of the card jig, the jig is used by the card sony sat for maintenance and restoration in ps3.

In short, this jig card has been removed from the payment sony sat.. so now try to expand the money spent only and once recovered the money spent in obtaining this device the reproduction and cloning of the device will be imminent.

When I saw the body of the above, first I noticed that the sample vsh known and used parts of a debug.. and of course if one is launching retail which does not make much sense, could only think one way quickly- THE CONVERTER RETAIL TO DEBUG.

This converter is thought to sony and service for devs have this jig card (aka USB dongle), allowing this USB is that:

Releasing the boot ini dev_usb0 and a sequence of buttons that change the state of syscon as we launch the initial boot usb dongle, then interprets the bootstrap and load the necessary files from the dongle itself temporarily leaving the ram doing a false reboot.

According to the store have told the seller, no residue on the PS3.. so it fits the above description.

The idea is quite clear gentlemen, emulates the fw of trm syscon and we have a debug interprets loading the kernel debug and providing all the features to debug vshmain time, this results in loading unsigned code.

This allows us as I mentioned months ago to launch pkgs from ubs, since it has a browser for managing them.

The official BDEMU disk loading before you activate the mediatype BD and then run the loader to the channel of communication with the real reader would be closed and only would use the BD-emu, emu and the bd can not share the same channel communication.

In this case to remove the layer is used to extract cellftp to an external source of filesystems without pre-decoded and converted to debug layer.

Executables can be created with the sdk, and generated their own loader which removes the layer of encryption (this if it will extract the discs, not linux), then the PS3Gen (published as a matter of 1 month) can be create iso patched with valid soft.esto itself mean that everything is made in the PS3 SDK (emulators, applications, etc) will be loaded without problems, as we are doing the same as the 360 with jtag hack it uses a core debug.

The loader is loaded by the execution path that recognizes the actual application manager, loaded via app.

TRUE GENTLEMEN OF THE NEWS WOULD BE A GREAT TIME AND NEWS bad news... Let me explain:

1. NO SERIOUS WORK DONE BY HACKERS OR RESEARCHERS.

2. MATERIAL IS MADE LIKE THE MAGIC BATTERY FOR PSP WITH SONY TOOLS.

In short, PS3 has fallen to the very tools you use in your SAT Sony... that if Sony can plug it into the next update.. just have to cancel the initial boot usb to close the bar, because the boss is syscon."


#9 - ex5 - 212w ago
Hey i found this also.. Observations :

Components (red dots)
A : Resistor ; 1K
B : LED
C : LED
D : Resistor ; 1k
E : ?? Resistor ??
F : ?? Capacitor ??
G : ?? Resistor ??
H : ?? Resistor ; 1K (Pullup resistor) ??
I : ?? Capacitor ??
J : Capacitor ; 100nF (Decoupling cap)
. : XTAL

- The blue spots A, B and D control the LEDs
- The blue spots K, L, G and H are for power (Vdd, Vss)
- I think the blue spots M, I and J are to program the PIC (ICPGC, ICPGD, /MCLR)
- The blue spots E and F are OSC1 and OSC2. They must be connected to the XTAL (orange spots A and B) and to the GND mass (alpha wire) through two 22pF capacitors.
- The orange spot F should be related to USB.D-
- The orange spot C might be connected to the blue spot M (ICPGC)
- The orange spot C might be connected to pin 33 (/ICRST)
- I think the orange spot E is connected to one of the via noted alpha

#8 - Karl69 - 212w ago
Thanks... On the old PIC16C84 it was possible to override the read-out protection by setting VCC = programming voltage - 0.5V while programming the config bits...

Though such a thing is not possible anymore, it might still be possible to glitch the newer PICs via the VCC and/or the CLK signal.

#7 - Karl69 - 212w ago
the problem is not the mcu
i think any mcu
with usb
can handle the job
we have only to see sniffing
how to sniff a usb connection?
xD
you only need a strong logic analyzer
D- on pin 11
on this mcu
of photos

So, to which pin of the MCU is the CLK connected?
That's probably the only way to tell which MCU is used here...

#6 - red8316 - 212w ago
Interesting clone investigation transcript from DemonHades site.

If we look at the photo, two of the USB pins are bridged by a resistor, so they do nothing. That leaves only 2. One is the +5V and the other is the data one. So there is only one to analyze.

The electronics guy who told me this prefers to remain anonymous, which we have to respect; he says he is studying electronics. Personally, I see the logic in it.

Here is the conversation I had with him in our chat

just saw pics
on your site
of the disassembled one from discoazul
i was just trying to

read the schematic
[Register or Login to view links]
and found that
this is probably not
standard usb
it uses the usb connector
to initialize a different
kind of serial connection
looking at the schematic

you see D- and GND
connected together with a resistance
this is not usb
it may be a trigger
to start
a connection
onto the other
two pins

i bet it is standard rs232 or i2c
just like

any other service port
you can sniff the only active pin for the communication
and see
because
of the 4 usb pins
you have
1 gnd
2 d- connected to gnd

cool
you know
mcu
don't have a lot of flash
i don't think it stores
data
inside
and looking at the schematics
it seems
also that
you have some pull up resistors

so i bet it is some kind of i2c
just like any other service hardware from any other brand
you can check with a multimeter when it arrives
i'm looking forward to see the complete schematic
on some website
so, to sum up
1. Probably not usb, but a trigger onto one side to start a different protocol onto the other

2. quite sure only one pin to sniff with logic
3. mcu doesn't have a big flash, the magic data are probably very little

4. don't think they are using asic or fpga, more likely cheap mcu
and finally
the upper part of the board
is not interesting
it only handles lighting
the only thing
i can not understand
is the diode
probably used for reading
from the ps the reply
i have
another
theory
probably
if it is correct usb
protocol
and not using a tricky method
probably the
key is
the device id
?¿
of the usb dongle
you know
yes i know
usb devices have a device id
but...
the id is the same in all ps jailbreak?
which
tells
the usb host
what kind of hardware
you connected
yes...
only with the id, the ps3 comes in to debug mode?
it can be
in the SAT, the technicians use a usb called "ID Stick" or something else
wait a second
i search it
k
ID swapping For Target USB
its the name
you say that the jailbreak changes the ID of the PS3
?¿
no
every usb device
has got an id that tells
the kind of object connected
eg. printer, hid, wifi dongle ...
yes
if the ps3 has got inside a dongle with the correct id
goes into service
however
we only have to wait
monday
so that you can
It's easy to copy this ID?
open up the jig with your hands
XD
xD
when you use any mcu with usb
you can
decide it
mmm
if i'm not wrong
someone
tried
to connect it to a pc
yes
and the pc recognized it
no
in some way
the pc not recognized it
what happened?
nothing
when connect it
nothing happens
we will try to connect to linux
tried to search for hardware?
*drivers'
it finds a strange drive
oh this is good
but it hasn't got drivers
so it has a strange device id
yes
:P
but the mcu has memory
very little
it has a secret partition
generally
very very little
256 kb i think
ok!
so that
with the debug kernel
they can
update
yes
it
probably
that is
the eeprom
inside
the mcu
ps3 debug kernel?
yes
it enables ps3 to run unsigned code
i have any idea about what mcu is it?
probably an atmega?
probably
i find an atmega 44 pin with memory and usb capable
you can also
ATmega 32U4
check for the pin
where the external
oscillator is connected
ok
the side i mean
Atmega datasheet: [Register or Login to view links] ... oc7766.pdf
16/32K Bytes of
ISP Flash
the problem is not the mcu
i think any mcu
with usb
can handle the job
we have only to see sniffing
how to sniff a usb connection?
xD
you only need a strong logic analyzer
D- on pin 11
on this mcu
of photos
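The chat above turns on how a host tells what it is talking to: the vendor ID, product ID and class code in the device descriptor every USB device returns when it is enumerated, and why an unfamiliar device shows up on a PC as "a strange device" with no driver. As an added illustration, not code from this page or from anyone quoted on it, the Python below parses a constructed 18-byte device descriptor and checks its IDs against a placeholder allowlist, the kind of check a host-side USB device-control policy performs before binding a driver. The sample bytes, the vendor/product IDs and the allowlist are all made up for the example.

```python
"""Parse a USB device descriptor and classify the device by its IDs.

Added example; all sample bytes, IDs and the allowlist are constructed
placeholders and do not describe any real device.
"""
import struct
from dataclasses import dataclass

# Layout of the 18-byte device descriptor (USB 2.0 spec, 9.6.1), little-endian.
_DEVICE_DESCRIPTOR = struct.Struct("<BBHBBBBHHHBBBB")
DESCRIPTOR_TYPE_DEVICE = 0x01

# Base class codes a host uses to choose a driver (subset of the USB-IF list).
CLASS_NAMES = {
    0x00: "defined per interface",
    0x03: "HID",
    0x07: "printer",
    0x08: "mass storage",
    0x09: "hub",
    0xE0: "wireless controller",
    0xFF: "vendor-specific",
}


@dataclass(frozen=True)
class DeviceDescriptor:
    usb_version: str
    device_class: int
    device_subclass: int
    device_protocol: int
    max_packet_size0: int
    id_vendor: int
    id_product: int
    device_version: str
    num_configurations: int


def _bcd(value: int) -> str:
    """Decode a USB BCD version field: 0x0200 -> '2.00', 0x0101 -> '1.01'."""
    return f"{value >> 8:x}.{(value >> 4) & 0xF:x}{value & 0xF:x}"


def parse_device_descriptor(raw: bytes) -> DeviceDescriptor:
    """Parse the first 18 bytes of a GET_DESCRIPTOR(DEVICE) reply."""
    if len(raw) < _DEVICE_DESCRIPTOR.size:
        raise ValueError(f"need {_DEVICE_DESCRIPTOR.size} bytes, got {len(raw)}")
    (length, dtype, bcd_usb, cls, subcls, proto, mps0,
     vid, pid, bcd_dev, _i_mfr, _i_prod, _i_serial, nconf) = \
        _DEVICE_DESCRIPTOR.unpack_from(raw)
    if length != _DEVICE_DESCRIPTOR.size or dtype != DESCRIPTOR_TYPE_DEVICE:
        raise ValueError(f"not a device descriptor (bLength={length}, "
                         f"bDescriptorType={dtype})")
    return DeviceDescriptor(_bcd(bcd_usb), cls, subcls, proto, mps0,
                            vid, pid, _bcd(bcd_dev), nconf)


def is_device_descriptor(raw: bytes) -> bool:
    """True if the bytes parse as a well-formed device descriptor."""
    try:
        parse_device_descriptor(raw)
        return True
    except ValueError:
        return False


def describe_class(code: int) -> str:
    """Human-readable name for a base class code."""
    return CLASS_NAMES.get(code, f"unknown class 0x{code:02x}")


def is_allowlisted(desc: DeviceDescriptor, allowlist) -> bool:
    """Device-control decision: only known (vendor, product) pairs may bind."""
    return (desc.id_vendor, desc.id_product) in allowlist


# Constructed descriptor: a vendor-specific device with placeholder IDs, the
# case a PC reports as an unknown device with no driver.
SAMPLE_DESCRIPTOR = bytes([
    0x12,              # bLength = 18
    0x01,              # bDescriptorType = DEVICE
    0x00, 0x02,        # bcdUSB = 2.00
    0xFF,              # bDeviceClass = vendor-specific
    0x00,              # bDeviceSubClass
    0x00,              # bDeviceProtocol
    0x08,              # bMaxPacketSize0 = 8
    0x34, 0x12,        # idVendor  = 0x1234 (placeholder)
    0x78, 0x56,        # idProduct = 0x5678 (placeholder)
    0x01, 0x01,        # bcdDevice = 1.01
    0x01, 0x02, 0x03,  # iManufacturer, iProduct, iSerialNumber string indexes
    0x01,              # bNumConfigurations
])

# Placeholder allowlist of (vendor, product) pairs an administrator has approved.
ALLOWLIST = {(0xABCD, 0x0001), (0xABCD, 0x0002)}

if __name__ == "__main__":
    d = parse_device_descriptor(SAMPLE_DESCRIPTOR)
    print(f"USB {d.usb_version} device {d.id_vendor:04x}:{d.id_product:04x}, "
          f"class: {describe_class(d.device_class)}, "
          f"allowlisted: {is_allowlisted(d, ALLOWLIST)}")
```

The class code is what a generic host driver keys on (HID, mass storage, hub); a vendor-specific class with an unrecognised vendor/product pair is exactly what produces "it finds a strange device but has no driver", and on a managed host it is the signal to refuse the device rather than search for a driver.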

#5 - Maniac2k - 212w ago
No, it can't be a modified USB stick. As seen on the pictures there is only one chip on the pcb. The chip itself has an integrated eeprom, but it's only 256 bytes small.
