PS JailBreak Mod Code Sniffed via USB, Logged and Examined


205w ago - A few days ago PS JailBreak was reverse-engineered, and today Descrambler sniffed the USB traffic and shared the log.

I don't know that much about the USB protocol, but I think this is what happens:

• The PSJailbreak is inserted
• It connects with the host (PS3) and sends 09 02 12 00 01 00 00 80 + all the bytes from the first packet starting at 0008 up to 00EFF.
• The stack is overwritten and the PS3 jumps into code from the packet
• The Atmega sends a "USB Disconnect command"
• The last three steps are repeated four times

• It connects with the host and sends 09 02 4D 0A 01 01 00 80 + the bytes from the second packet starting at 0008 up to 0A4C
• The stack is overwritten and the PS3 jumps into code from the packet
• The Atmega sends a "USB Disconnect command"
• The last three steps are repeated twice.

Voilà... The PS3 is in "Debug Mode".

Apparently the third and fourth bytes after the 09 02 give the number of bytes to be sent (little-endian). At least this holds for the second log (4D 0A -> 0x0A4D bytes)...

The first 8 bytes [09 02 ...] are the USB protocol header left in front of the payload.
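Those 8 bytes are a standard USB configuration descriptor header: bLength (09), bDescriptorType (02 = configuration), wTotalLength little-endian (12 00 = 0x12, 4D 0A = 0xA4D), bNumInterfaces, bConfigurationValue, iConfiguration, bmAttributes (80) and then bMaxPower. Read that way, the two logs say different things: the first device claims 0x12 bytes but pushes 0xF00, and the second claims 0xA4D, says bNumInterfaces = 1, and then fills the whole length with one 9-byte interface descriptor (09 04 00 00 00 FE 01 02 00) over and over. The C below is an added example, not PS3 or PSJailbreak code: it walks both headers the way a careful host-side USB stack should, bounding every length field by the bytes that actually arrived, and reports claimed versus found. The sample buffers are rebuilt from the dumps on this page (the first 32 bytes of dump 1, zero-filled for the rest of the 0xF00 transfer; the header plus repeated interface descriptor of dump 2); the function and field names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_CONFIG    0x02  /* bDescriptorType: configuration */
#define USB_DT_INTERFACE 0x04  /* bDescriptorType: interface */

/* What a host learns from one configuration descriptor transfer. */
struct cfg_walk {
    uint16_t total_len;   /* wTotalLength (little-endian) claimed by the header */
    uint8_t  num_ifaces;  /* bNumInterfaces claimed by the header               */
    unsigned ifaces_seen; /* interface descriptors actually found in bounds     */
    size_t   trailing;    /* bytes received beyond wTotalLength                 */
    int      truncated;   /* header claims more bytes than were received        */
    int      malformed;   /* a sub-descriptor's bLength overruns the bound      */
};

/* Walk a configuration descriptor without indexing past `received`: the bound
 * is min(wTotalLength, bytes received) and each sub-descriptor's bLength is
 * checked against it before use. Returns 0, or -1 if the header is unusable. */
int walk_config_descriptor(const uint8_t *buf, size_t received, struct cfg_walk *out)
{
    memset(out, 0, sizeof *out);
    if (received < 9 || buf[0] != 9 || buf[1] != USB_DT_CONFIG)
        return -1;
    out->total_len  = (uint16_t)(buf[2] | (buf[3] << 8));
    out->num_ifaces = buf[4];

    size_t limit = out->total_len;
    if (limit > received) { out->truncated = 1; limit = received; }
    else                    out->trailing  = received - limit;

    for (size_t off = 9; off < limit; ) {
        uint8_t len = buf[off];
        if (len < 2 || off + len > limit) { out->malformed = 1; break; }
        if (buf[off + 1] == USB_DT_INTERFACE) out->ifaces_seen++;
        off += len;
    }
    return 0;
}

/* Constructed sample 1: dump lines 00000 and 00010 above; the transfer is
 * 0xF00 bytes and the rest of the payload is zero-filled here. */
static const uint8_t port1_head[32] = {
    0x09,0x02,0x12,0x00,0x01,0x00,0x00,0x80,0xFA,0x09,0x04,0x00,0x00,0x00,0xFE,0x01,
    0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xFA,0xCE,0xB0,0x03,0xAA,0xBB,0xCC,0xDD,
};
#define PORT1_SENT 0xF00

/* Constructed sample 2: the second dump's header plus its 9-byte interface
 * descriptor repeated to wTotalLength (9 + 292 * 9 = 0xA4D, as in the log). */
static const uint8_t port5_head[9]  = {0x09,0x02,0x4D,0x0A,0x01,0x01,0x00,0x80,0x01};
static const uint8_t port5_iface[9] = {0x09,0x04,0x00,0x00,0x00,0xFE,0x01,0x02,0x00};
#define PORT5_SENT 0xA4D

static void fill_port5(uint8_t *buf, size_t n)
{
    memcpy(buf, port5_head, sizeof port5_head);
    for (size_t off = 9; off + 9 <= n; off += 9)
        memcpy(buf + off, port5_iface, sizeof port5_iface);
}

static struct cfg_walk run(const uint8_t *buf, size_t received)
{
    struct cfg_walk w;
    walk_config_descriptor(buf, received, &w);
    return w;
}

struct cfg_walk analyze_port1(void)
{
    uint8_t buf[PORT1_SENT] = {0};
    memcpy(buf, port1_head, sizeof port1_head);
    return run(buf, sizeof buf);
}

struct cfg_walk analyze_port5(void)
{
    uint8_t buf[PORT5_SENT];
    fill_port5(buf, sizeof buf);
    return run(buf, sizeof buf);
}

/* Same descriptor, but only 0x100 bytes arrived: the walk must stop at what
 * was received, not at the 0xA4D the header promises. */
struct cfg_walk analyze_port5_short(void)
{
    uint8_t buf[PORT5_SENT];
    fill_port5(buf, sizeof buf);
    return run(buf, 0x100);
}

static void report(const char *name, struct cfg_walk w)
{
    printf("%s: wTotalLength=0x%X claimed=%u found=%u trailing=%zu truncated=%d malformed=%d\n",
           name, (unsigned)w.total_len, (unsigned)w.num_ifaces, w.ifaces_seen,
           w.trailing, w.truncated, w.malformed);
}

int main(void)
{
    report("port 1", analyze_port1());
    report("port 5", analyze_port5());
    report("port 5 (0x100 received)", analyze_port5_short());
    return 0;
}
```

For the first log the walk reports 1 interface claimed, 1 found and 0xEEE trailing bytes that no descriptor accounts for; for the second it reports 1 claimed and 292 found with nothing trailing. Either mismatch (extra bytes past wTotalLength, or a sub-descriptor count that contradicts the header) is the kind of check a host stack should reject on rather than copy through.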

The code is pushed four times onto the PS3 USB stack:

00000: 09 02 12 00 01 00 00 80 FA 09 04 00 00 00 FE 01
00010: 02 00 00 00 00 00 00 00 FA CE B0 03 AA BB CC DD
00020: 38 63 F0 00 38 A0 10 00 38 80 00 01 78 84 F8 06
00030: 64 84 00 70 38 A5 FF F8 7C C3 28 2A 7C C4 29 2A
00040: 28 25 00 00 40 82 FF F0 38 84 00 80 7C 89 03 A6
00050: 4E 80 04 20 00 00 00 00 00 00 00 00 00 00 00 00
00060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00080: 7C 08 02 A6 F8 21 FF 61 FB 61 00 78 FB 81 00 80
00090: FB A1 00 88 FB C1 00 90 FB E1 00 98 F8 01 00 B0
000A0: 3B E0 00 01 7B FF F8 06 7F E3 FB 78 64 63 00 05
000B0: 60 63 0B 3C 7F E4 FB 78 64 84 00 70 60 84 01 AC
000C0: 38 A0 04 FA 4B 97 BF 59 7F E3 FB 78 64 63 00 05
000D0: 60 63 0B 3C 38 63 00 20 4B 9D 22 01 7F E3 FB 78
000E0: 64 63 00 05 60 63 0B 3C 7F E4 FB 78 64 84 00 2E
000F0: 60 84 B1 28 38 63 00 10 F8 64 01 20 7F E5 FB 78
00100: 64 A5 00 70 60 A5 01 50 80 65 00 00 28 03 00 00
00110: 41 82 00 18 80 85 00 04 7C 63 FA 14 90 83 00 00
00120: 38 A5 00 08 4B FF FF E4 48 00 05 88 F8 21 FF 51
00130: 7C 08 02 A6 FB C1 00 A0 FB E1 00 A8 FB A1 00 98
00140: F8 01 00 C0 3B C0 07 D0 3B E0 00 C8 4B 90 A9 B8
00150: 00 04 90 E0 E8 82 0F 08 00 04 90 E4 E8 7C 00 20
00160: 00 04 90 E8 F8 64 00 00 00 04 F0 A8 48 00 1A 9D
00170: 00 2A AF C8 4B DA 5B 80 00 04 ED 18 38 80 00 00
00180: 00 04 ED 1C 90 83 00 00 00 04 ED 20 4E 80 00 20
00190: 00 3B A8 90 01 00 00 00 00 05 05 D0 38 60 00 01
001A0: 00 05 05 D4 4E 80 00 20 00 00 00 00 38 60 00 01
001B0: 4E 80 00 20 48 00 02 78 48 00 01 EC 80 00 00 00
001C0: 00 05 0C A8 80 00 00 00 00 33 E7 20 80 00 00 00
001D0: 00 05 10 32 80 00 00 00 00 05 0B 7C 80 00 00 00
001E0: 00 05 0B 8C 80 00 00 00 00 05 0B 9C 80 00 00 00
001F0: 00 05 0B D4 80 00 00 00 00 33 E7 20 80 00 00 00
00200: 00 05 0C 1C 80 00 00 00 00 33 E7 20 80 00 00 00
00210: 00 05 0C 78 80 00 00 00 00 33 E7 20 80 00 00 00
00220: 00 05 0C 84 80 00 00 00 00 33 E7 20 00 00 00 00
00230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00240: 00 00 00 00 F8 21 FF 81 7C 08 02 A6 F8 01 00 90
00250: 38 80 00 00 38 A0 00 01 48 08 1D B1 80 A3 00 08
00260: 38 60 00 00 3C 80 AA AA 60 84 C0 DE 7C 04 28 40
00270: 41 82 00 08 38 60 FF FF 7C 63 07 B4 E8 01 00 90
00280: 7C 08 03 A6 38 21 00 80 4E 80 00 20 F8 21 FF 81
00290: 7C 08 02 A6 F8 01 00 90 38 80 00 00 48 08 1D 99
002A0: 38 81 00 70 38 A0 00 00 F8 A4 00 00 38 C0 21 AA
002B0: B0 C4 00 00 38 C0 00 00 B0 C4 00 06 38 C0 00 01
002C0: 78 C6 F8 06 64 C6 00 05 60 C6 0B AC 38 E0 00 00
002D0: 48 08 1C CD 38 60 00 00 E8 01 00 90 7C 08 03 A6
002E0: 38 21 00 80 4E 80 00 20 38 60 00 00 39 60 00 FF
002F0: 44 00 00 22 2C 03 00 00 40 82 00 1C 38 60 00 01
00300: 78 63 F8 06 64 63 00 05 60 63 0B BC 38 80 00 01
00310: 90 83 00 10 4E 80 00 20 F8 21 FF 31 7C 08 02 A6
00320: F8 01 00 E0 FB E1 00 C8 38 81 00 70 48 16 2E 81
00330: 3B E0 00 01 7B FF F8 06 67 FF 00 05 63 FF 0B BC
00340: E8 7F 00 00 2C 23 00 00 41 82 00 0C 38 80 00 27
00350: 48 01 17 E9 38 80 00 27 38 60 08 00 48 01 13 9D
00360: F8 7F 00 00 E8 81 00 70 4B FF C5 F9 E8 61 00 70
00370: 38 80 00 27 48 01 17 C5 E8 7F 00 00 4B FF C6 0D
00380: E8 9F 00 00 7C 64 1A 14 F8 7F 00 08 38 60 00 00
00390: EB E1 00 C8 E8 01 00 E0 38 21 00 D0 7C 08 03 A6
003A0: 4E 80 00 20 F8 21 FF 61 7C 08 02 A6 FB 81 00 80
003B0: FB A1 00 88 FB E1 00 98 FB 41 00 70 FB 61 00 78
003C0: F8 01 00 B0 7C 9C 23 78 7C 7D 1B 78 3B E0 00 01
003D0: 7B FF F8 06 7F A3 EB 78 7F E4 FB 78 64 84 00 05
003E0: 60 84 10 28 38 A0 00 09 4B FF C5 CD 28 23 00 00
003F0: 40 82 00 34 67 FF 00 05 63 FF 0B BC 80 7F 00 10
00400: 28 03 00 00 41 82 00 20 E8 7F 00 00 28 23 00 00
00410: 41 82 00 14 E8 7F 00 08 38 9D 00 09 4B FF C5 45
00420: EB BF 00 00 7F A3 EB 78 48 25 A2 38 7C 08 02 A6
00430: F8 21 FE 61 FB 61 00 78 FB 81 00 80 FB A1 00 88
00440: FB C1 00 90 FB E1 00 98 F8 01 01 B0 7C 7D 1B 78
00450: 7C 9E 23 78 3B E0 00 01 7B FF F8 06 EB 82 96 00
00460: EB 9C 00 68 EB 9C 00 18 EB 62 0F 08 E9 3D 00 18
00470: 81 29 00 30 79 29 84 02 2C 09 00 29 40 82 00 58
00480: E8 9C 00 10 78 85 C1 E4 78 A5 46 20 2C 05 00 FF
00490: 41 82 00 18 60 84 00 03 F8 9C 00 10 38 60 00 06
004A0: 90 7E 00 00 48 00 00 14 60 84 00 02 F8 9C 00 10
004B0: 38 60 00 2C 90 7E 00 00 80 BC 00 04 E8 9C 00 08
004C0: E8 7B 00 00 7D 23 2A 14 F9 3B 00 00 48 02 B1 C1
004D0: 48 00 00 C4 7F A3 EB 78 7F C4 F3 78 4B FF D9 B1
004E0: 7F FD FB 78 67 BD 00 05 63 BD 0B D0 80 7D 00 00
004F0: 80 BC 00 04 7C 63 2A 14 90 7D 00 00 E8 9C 00 10
00500: 78 85 C1 E4 78 A5 46 20 2C 05 00 FF 40 82 00 88
00510: E8 7B 00 00 38 80 00 00 38 C0 00 00 7C E3 22 14
00520: 80 A7 00 00 7C C6 2A 78 38 84 00 04 28 24 04 00
00530: 40 82 FF EC 80 7D 00 00 78 C6 07 C6 7C C6 1B 78
00540: 38 60 00 00 90 7D 00 00 7F E7 FB 78 64 E7 00 05
00550: 60 E7 0F 70 E8 67 00 00 28 23 00 00 41 82 00 38
00560: 38 E7 00 10 7C 23 30 40 40 82 FF EC E8 A7 FF F8
00570: E8 FB 00 00 80 65 00 00 28 03 00 00 41 82 00 18
00580: 80 85 00 04 7C 63 3A 14 90 83 00 00 38 A5 00 08
00590: 4B FF FF E4 38 60 00 00 EB 61 00 78 EB 81 00 80
005A0: EB A1 00 88 EB C1 00 90 EB E1 00 98 E8 01 01 B0
005B0: 38 21 01 A0 7C 08 03 A6 4E 80 00 20 F8 21 FF 51
005C0: 7C 08 02 A6 FB C1 00 A0 FB E1 00 A8 FB A1 00 98
005D0: F8 01 00 C0 3B C0 0F A0 3B E0 00 C8 4B FB 9B 98
005E0: A0 55 6F 3D 00 2C B8 FD 80 00 00 00 00 05 0F B8
005F0: 8C 0A 94 8C 00 0D 99 B1 80 00 00 00 00 05 0F E0
00600: A2 BC 1A 56 00 05 2A DC 80 00 00 00 00 05 10 04
00610: 6B 70 28 02 00 02 00 17 80 00 00 00 00 05 0F D4
00620: 00 00 00 00 00 00 00 00 00 30 53 54 38 60 00 82
00630: 00 5F 3F C0 38 60 00 01 00 5F 3F C4 4E 80 00 20
00640: 00 00 00 00 00 02 ED 0C 3B A0 00 01 00 00 00 00
00650: 00 22 B8 88 5F 74 6F 6F 00 22 B8 8C 6C 32 2E 78
00660: 00 22 B8 90 6D 6C 23 72 00 22 B8 94 6F 6F 74 00
00670: 00 00 00 00 00 0D 68 B8 5F 74 6F 6F 00 0D 68 BC
00680: 6C 32 2E 78 00 0D 68 C0 6D 6C 23 72 00 0D 68 C4
00690: 6F 6F 74 00 00 00 00 00 2F 64 65 76 5F 62 64 76
006A0: 64 00 6D 6F 64 00 00 00 00 00 00 00 00 00 00 00
006B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
006C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
006D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
006E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
006F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00700: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00710: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00720: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00730: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00740: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00750: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00760: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00770: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00780: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00790: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
007A0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
007B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
007C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
007D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
007E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
007F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00800: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00810: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00820: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00830: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00840: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00850: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00860: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00870: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00880: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00890: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
008A0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
008B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
008C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
008D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
008E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
008F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00900: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00910: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00920: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00930: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00940: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00950: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00960: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00970: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00980: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00990: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
009A0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
009B0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
009C0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
009D0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
009E0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
009F0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00A00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00A10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00A20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00A30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00A40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00A50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00A60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00A70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00A80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00A90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00AA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00AB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00AC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00AD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00AE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00AF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00B00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00B10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00B20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00B30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00B40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00B50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00B60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00B70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00B80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00B90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00BA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00BB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00BC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00BD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00BE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00BF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00C00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00C10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00C20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00C30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00C40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00C50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00C60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00C70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00C80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00C90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00CA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00CB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00CC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00CD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00CE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00CF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00D00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00D10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00D20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00D30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00D40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00D50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00D60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00D70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00D80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00D90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00DA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00DB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00DC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00DD0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00DE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00DF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00E00: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00E10: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00E20: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00E30: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00E40: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00E50: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00E60: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00E70: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00E80: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00E90: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00EA0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00EB0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90
00EC0: EB E1 00 98 E8 01 00 B0 38 21 00 A0 7C 08 03 A6
00ED0: 38 60 00 01 78 63 F8 06 64 63 00 70 38 80 00 00
00EE0: 38 A0 06 E8 4B 94 CA 60 60 00 00 00 60 00 00 00
00EF0: EB 61 00 78 EB 81 00 80 EB A1 00 88 EB C1 00 90

After that, this is pushed twice onto the stack, running the code by disconnecting and reconnecting USB devices on the bus:

00000: 09 02 4D 0A 01 01 00 80 01 09 04 00 00 00 FE 01
00010: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00020: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00030: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00040: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00050: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00060: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00070: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00080: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00090: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
000A0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
000B0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
000C0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
000D0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
000E0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
000F0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00100: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00110: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00120: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00130: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00140: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00150: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00160: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00170: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00180: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00190: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
001A0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
001B0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
001C0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
001D0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
001E0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
001F0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00200: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00210: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00220: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00230: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00240: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00250: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00260: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00270: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00280: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00290: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
002A0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
002B0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
002C0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
002D0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
002E0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
002F0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00300: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00310: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00320: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00330: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00340: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00350: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00360: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00370: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00380: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00390: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
003A0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
003B0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
003C0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
003D0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
003E0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
003F0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00400: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00410: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00420: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00430: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00440: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00450: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00460: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00470: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00480: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00490: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
004A0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
004B0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
004C0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
004D0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
004E0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
004F0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00500: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00510: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00520: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00530: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00540: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00550: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00560: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00570: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00580: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00590: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
005A0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
005B0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
005C0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
005D0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
005E0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
005F0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00600: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00610: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00620: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00630: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00640: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00650: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00660: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00670: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00680: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00690: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
006A0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
006B0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
006C0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
006D0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
006E0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
006F0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00700: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00710: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00720: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00730: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00740: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00750: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00760: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00770: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00780: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00790: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
007A0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
007B0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
007C0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
007D0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
007E0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
007F0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00800: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00810: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00820: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00830: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00840: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00850: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00860: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00870: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00880: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00890: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
008A0: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
008B0: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
008C0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
008D0: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
008E0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
008F0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00900: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00910: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00920: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00930: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00940: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00950: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
00960: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
00970: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
00980: 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00
00990: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
009A0: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
009B0: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
009C0: 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00 00
009D0: 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04
009E0: 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00
009F0: 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01
00A00: FE 01 02 00 09 04 00 00 00 FE 01 02 00 09 04 00
00A10: 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02 00 09
00A20: 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE 01 02
00A30: 00 09 04 00 00 00 FE 01 02 00 09 04 00 00 00 FE
00A40: 00 FE 01 02 00 09 04 00 00 00 FE 01 02

That's all, folks.

Repost in binary (thanks Disane); the first 8 bytes [09 02 ...] are the USB protocol header.

http://www.ps3news.com/forums/attachment.php?attachmentid=21111

ASCII binary (Thanks xCoder)

http://www.ps3news.com/forums/attachment.php?attachmentid=21116

Here's an improved disassembly by crazyc.

http://www.ps3news.com/forums/attachment.php?attachmentid=2111




Comments (113)

#83 - CJPC - 205w ago
Hi,
Not a very big discovery, but if you look at the ASCII translation of the first dump, somewhere around the middle you will see this:
And if you remove some unwanted characters (formatting or protocol???) you get this:

So it seems there is some XML and a module related to the BD drive involved in the process.

Also, it seems these dumps are incomplete, but I'm wondering if this diagram could not be helpful to complete them?
In regards to the "_tool2.xml", it's actually category_game_tool2.xml in the flash (or vflash, I suppose), which enables the options that debug users have, namely the "Install Package Files", and the ability to boot from app_home.
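The ASCII view CJPC refers to can be reproduced from the dump text itself. The C below is an added example, not part of the original post or any PS3 tooling: it converts the article's "OFFSET: XX XX ..." lines back into bytes and runs a strings(1)-style scan for printable runs. The embedded sample is dump lines 00650 to 006A0 of the first log, copied from this page; the function names are mine. With a minimum run of 3 characters it yields _too, l2.x, ml#r, oot (twice), then /dev_bdvd and mod. The four fragments are "_tool2.xml#root" cut into 4-byte pieces, each preceded by a 32-bit value that steps by 4 (00 22 B8 88, 8C, 90, 94; then 00 0D 68 B8, BC, C0, C4), which reads like a table of (address, word) pairs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Turn "OFFSET: XX XX ..." lines, as printed in the article, back into raw
 * bytes. The offset column is skipped and bytes are appended in the order they
 * appear; lines without a colon are ignored. Returns the number of bytes. */
size_t hexdump_to_bytes(const char *dump, uint8_t *out, size_t cap)
{
    size_t n = 0;
    const char *p = dump;
    while (*p && n < cap) {
        const char *eol   = strchr(p, '\n');
        const char *colon = strchr(p, ':');
        if (colon && (!eol || colon < eol)) {
            for (p = colon + 1; *p && *p != '\n' && n < cap; ) {
                while (*p == ' ' || *p == '\t') p++;
                int hi = hexval(p[0]), lo = hi < 0 ? -1 : hexval(p[1]);
                if (hi < 0 || lo < 0) break;
                out[n++] = (uint8_t)(hi << 4 | lo);
                p += 2;
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return n;
}

/* strings(1)-style scan: collect runs of printable ASCII (0x20..0x7E) that are
 * at least `minlen` long. Runs longer than 31 chars are truncated to fit. */
size_t find_ascii_strings(const uint8_t *data, size_t n, size_t minlen,
                          char found[][32], size_t max_found)
{
    size_t count = 0, run = 0;
    char cur[32];
    for (size_t i = 0; i <= n; i++) {
        int printable = i < n && data[i] >= 0x20 && data[i] <= 0x7E;
        if (printable) {
            if (run < sizeof cur - 1) cur[run] = (char)data[i];
            run++;
        } else {
            if (run >= minlen && count < max_found) {
                size_t len = run < sizeof cur - 1 ? run : sizeof cur - 1;
                cur[len] = '\0';
                strcpy(found[count++], cur);
            }
            run = 0;
        }
    }
    return count;
}

/* Constructed sample: dump lines 00650-006A0 of the first log on this page. */
static const char sample_dump[] =
    "00650: 00 22 B8 88 5F 74 6F 6F 00 22 B8 8C 6C 32 2E 78\n"
    "00660: 00 22 B8 90 6D 6C 23 72 00 22 B8 94 6F 6F 74 00\n"
    "00670: 00 00 00 00 00 0D 68 B8 5F 74 6F 6F 00 0D 68 BC\n"
    "00680: 6C 32 2E 78 00 0D 68 C0 6D 6C 23 72 00 0D 68 C4\n"
    "00690: 6F 6F 74 00 00 00 00 00 2F 64 65 76 5F 62 64 76\n"
    "006A0: 64 00 6D 6F 64 00 00 00 00 00 00 00 00 00 00 00\n";

static char g_found[32][32];
static int  g_count = -1;

size_t sample_byte_count(void)
{
    uint8_t bytes[256];
    return hexdump_to_bytes(sample_dump, bytes, sizeof bytes);
}

/* Number of printable runs (minimum 3 chars) in the sample; computed once. */
int sample_string_count(void)
{
    if (g_count < 0) {
        uint8_t bytes[256];
        size_t n = hexdump_to_bytes(sample_dump, bytes, sizeof bytes);
        g_count = (int)find_ascii_strings(bytes, n, 3, g_found, 32);
    }
    return g_count;
}

const char *sample_string(int i)
{
    return (i >= 0 && i < sample_string_count()) ? g_found[i] : "";
}

int main(void)
{
    printf("%zu bytes decoded\n", sample_byte_count());
    for (int i = 0; i < sample_string_count(); i++)
        printf("%2d: %s\n", i, sample_string(i));
    return 0;
}
```

To run it over the whole first log, paste all of its lines into sample_dump; the parser only needs the colon-separated layout used above, so the second log's 64-byte packet artifacts will also be decoded as-is.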


#82 - Bulldogzz - 205w ago
Theoretically, couldn't you just recreate the buffer overflow since we know how it's done, overwrite the return address to execute your own code, e.g. allowing a faulty handshake (by changing a je (jump if equal) in the shellcode to a jmp (unconditional jump)), then sending the Sony device ID?

#81 - DarkNeo - 205w ago
Just wanted to add my two cents to this discussion:

Putting myself in Sony's position, if I was going to make a USB device that could disable security on my console, I'd secure it pretty well, for instance with public key encryption. So the console has a public key, and the device would have the private key, which it would use to sign a handshake to send to the console.

So bearing that in mind, perhaps what happens is the buffer overflow overwrites the public key in memory, or something to that effect, so that it will accept an incorrectly signed handshake. If a clone is made cleverly it could also be used to protect the clone, since even with logging the data exchange you still wouldn't understand the data being transferred, since it's encrypted, and if the chip is read protected you wouldn't be able to figure out what that data is, or what the key is.

Although thinking about it if you figured out where the key is in the exploit code, you could decrypt it...

Anyway that's just me rambling, some of this may already have been discussed/disproven.

#80 - Xplic1T - 205w ago
because the ps3 is in debug mode... you don't actually have access to the hypervisor.

#79 - whinis - 205w ago
Question: what is stopping us, after we hack the PS3 including encryption, from making an update that can update any PS3 to CFW?

© 2014 PlayStation 3 News