155w ago - We've seen the PS3 Exploit performed with an SX28, an Atmega8 and a Parallel/LPT1 port, so here are some pics, a schematic and source code to run the PlayStation 3 exploit via a USB keyboard with an LED.
Maybe some of you don't want to open the PS3 just because if you install the exploiter hardware, it would look ugly.
Or you just want to hide/integrate it, so it won't interfere, detach, etc. if you have to move the "box". Even if neither, I think it looks better and works better if you install it inside.
So, how to do it?
Install a faux keyboard on one of the USB ports and connect a wire to the "magic point".
• the schematic (final version)
• the breadboard model (first probe; one LED differs)
• the "internal USB" ---- DO NOT USE THIS PORT AFTER YOU INSTALLED THIS!
• the usual attack point
• pic of the installed device... covered in lots of electrical tape
• armed hw
• pic after a successful exploit
• source code for the ATmega and for the PS3 (misnamed as pc.. sorry)
Some details:
• as you can see, it uses a mere 12 MHz crystal, yet it also works (sometimes it kills the HID manager, but it often works)
• the LEDs in the last two pics are inside; no hole is needed as the external cover is more or less transparent, just align them to a hole
Now, how does it work?
If the hw is armed by the kbd_led sequence (you can send the appropriate code with the included programs), then when the scroll-lock LED is lit, after a pre_delay the hw will send pls_cnt pulses at a pls_ms rate. All 3 parameters are programmable via LED sequences (prgs included). All values should be in the range 1 to 254. (My current settings are: pre_ms=100, pls_ms=25, pls_cnt=150.)
You can also disarm it, as in the default state, so it will not mess with the system and you can't activate it by accident.
I tried to include an automatic LED-switch code in the xorhack code, but it was mostly ineffective. So the best bet is to push scroll-lock on the keyboard.
ps: the Blaze PS2->VGA adapter works with the PS3 too - in game_os SCART/RGB 576p and 16:9 is the max (without YUV-RGB conversion), but in Linux there is an RGB 720p mode... and: if you installed the openssh-server, you can also connect to the PS3 with scp / WinSCP for file transfer.
Use some thick insulation below the ATmega.
The USB wires are not sensitive; I used wires from an old ribbon cable (as in old mobo headers or old 40-wire IDE cables).
But the attack wire is sensitive; keep it away from the PSU's prongs. For the wire I used a wire extracted from a broken 80-wire IDE cable, and used the hole in the shielding farther away from the PSU connector to connect to the uC.
(You can see connectors in my pictures, but these were for development purposes.)
How to use:
1st, arm the device with the program supplied (without it, it won't react to scroll-lock)
2nd, start the ps3exploit with a suitable parameter
3rd, while the prg runs, press the scroll-lock button on a real keyboard attached to the PS3
4th, when the program has finished, press scroll-lock again to unlock the console messages
Repeat 2 to 4 until the PS3 is successfully exploited.
After it is successfully exploited, you can disarm the device.
- you need to switch scroll-lock off to reset the device's counter
/If the program runs several times without any issue (freeze, any program malfunction, etc.) but no successful exploit, check whether the attack wire is disconnected./ If the PS3 is unstable and you can't play games, then the wire may be too close to the prongs; put it further away from them (route the wire to the hole(s) on the side of the resistor where the connection has been made)./
The device sends 1-clk pulses after an initial delay, with the programmed spacing, until the programmed count is reached.
(You can use some other crystals as well, but you need to modify the code.)
During programming, don't forget to set the fuses: external crystal (cksel=1111), and I've enabled the brown-out detector.
[quote]
_____________________...._______________....__
/\
____
~~~~~\_/~~~~~~\_/~....~~~~~\_/~~~~....~~~~
I had overlooked that pin before, sorry!
With this workaround the PS3 will be playable again.
No, these are just assumptions; however, these are not crucial. The attack pulse (high-Z to GND to high-Z) length is only one cycle (1/12 000 000 sec = 83 ns). Compared to this length, the others are so big that the difference is insignificant. The default values are pre: 100 ms, pls: 100 ms, 7 pulses, so use the progs added to modify these!
It only has 1 USB hub with 2 ports, wouldn't sacrificing 1 make both useless?
As you can see (or if not, I'll tell you), I also installed it into a 40 GB model (2 USB). You still have 1 USB port, where you can connect one or more hubs!
Same as with the other exploits (HV-level access), it just can be installed entirely in the box (as a modchip).
It's the 160 GB Limited Edition Uncharted Bundle PS3. The insides are very different from the 60 GB.