PSJailBreak Reverse-Engineering Details Begin to Surface


191w ago - Earlier today we reported that the PSJailBreak PS3 modchip is easily dumped and that PSJailBreak clones are already on the way, and now some PlayStation 3 developers are working on reverse-engineering the costly USB device in hopes of making a less expensive or free scene alternative available soon.

Tsujin, knightsolidus and bushing have made brief attempts at determining the PSJailBreak IC chip and pin-out, while Neme6 of Logic-Sunrise (linked above) has also shared his findings thus far.

More pictures are available HERE for those curious, and to quote, roughly translated on the linked pics:

"Many teams are studying the JSP to try to clone a low cost and how it works. From the photos released, I tried to determine the electronic design of PSJ.

Here is the result of my work and my observations. Feel free to post if you can lighten the shadows that remain.

First ICP is probably the type PIC18F declination 4455, 4550, 4458, 4553. The size of the EEPROM is 256 bytes."

Comments:

Components (red dots)
A: Resistor, 1K
B: LED
C: LED
D: Resistor, 1k
E: Resistor
F: Capacitor
G: Resistor
H: Resistor, 1K (pullup resistor)
I: Capacitor
J: Capacitor, 100nF (Decoupling cap)
. . : XTAL

• The blue dots A, B and D control the LEDs.
• The blue dots K, L, G and H are for power (Vdd, Vss).
• I suppose the blue dots M, I and J are to program the PIC (ICPGC, ICPGD, / MCLR).
• Points E and F are blue and OSC1 OSC2. They should be connected to XTAL (orange dots A and B).
• And the GND (file alpha) through two 22pF capacitors.
• The orange dot F, there should be a link with USB.D- (I cannot quite see from the photos).
• Maybe the orange dot at point C is connected blue M (ICPGC).
• Maybe the orange dot C is connected to pin 33 (/ ICRST).
• I guess the orange dot E is connected to a via (through hole) noted alpha.








#14 - caesarc - 191w ago
If it's indeed a 18Fxx50 family PIC then it has a lot of internal flash memory.
18F4550 has 32k and sports self writing too.

Dumping it is out of the question as it's a pretty safe chip but sniffing it is surely possible and should be enough.

#13 - tripellex - 191w ago
It's going to be more than just a Hardware ID == boot debug. At the very least on that little dongle of theirs there is an XML file that describes the 2 new additions to the XMB. As far as I know, it's not included in the official retail firmwares.
I can't imagine it being much more than that, what with only 256 bytes of EEPROM.

#12 - hacked2123 - 191w ago
It's going to be more than just a Hardware ID == boot debug. At the very least on that little dongle of theirs there is an XML file that describes the 2 new additions to the XMB. As far as I know, it's not included in the official retail firmwares.

#11 - tripellex - 191w ago
Read my mind, was thinking the same thing, USB RS232 cables are already out there (used a lot in flashing FTA Sat boxes.) would just have to code the software pc side to push the info to the ps3. Problem would be the lag of the pc seeing the ps3 in time to send the code as you have to cold boot the ps3 and you have a short time to inject the code.
Not sure what the crystal frequency is on the Jailbreak's oscillator, but it'd be funny if the HW ID is pulsed at exactly 40ns

#10 - barbnjason - 191w ago
Here's a question for the more techno-oriented members:

If the dongle is just handshaking its hardware ID to the system at startup, would it be possible to create a serial-to-USB cable from the PC to the PS3 and have it pulse the HW ID right as the system starts up to accomplish the same thing (I assume because of the presence of the oscillator, that it sends it as a pulse. Correct me if I'm wrong).
Read my mind, was thinking the same thing, USB RS232 cables are already out there (used a lot in flashing FTA Sat boxes.) would just have to code the software pc side to push the info to the ps3. Problem would be the lag of the pc seeing the ps3 in time to send the code as you have to cold boot the ps3 and you have a short time to inject the code.












