- A few weeks back we reported
on the PS JailBreak PS3 exploit reverse engineering followed by the PSJailBreak PS3 exploit payload
, and today naehrwert
has focused on the PSJailBreak payload itself, as follows:
PSJailbreak Payload Reverse Engineering
Here's my understanding of what the exploit playload does:
1. it gets control at exploit_entry, which copies the rest of the payload to the fixed address 0x8000000000700000 and jumps to exploit_main.
2. exploit_main copies a resident part of the payload to another location, creates virutal usb device driver called "mod" with 3 functions, hooks some vsh functions via toc entry and does some permanent in-ram patching. when the work is done it zeroes itself out.
3. the resident part has basically 3 purposes: it manages virtual usb device, it does some on-the-fly patching and it hooks all the game disk file accesses from the vsh.
a. the virtual usb device is needed to make sure the original ps3jb device in plugged in. once the correct device is plugged (the one with the AAAAC0DE) device...