scarbunny Posted September 1, 2010 Share Posted September 1, 2010 Exploit fully documented http://ps3wiki.lan.st/index.php?title=PSJailbreak_Exploit_Reverse_Engineering not had a chance to read it yet. Interesting piece at the end The lv2 kernel is loaded at the time of the exploit, perfect for patching or you could replace it with something better like a linux kernel. A linux kernel running in this environment would have all the privilege of the regular gameos kernel. Same privileges as GameOS so potential to replace GameOS with custom firmware, although even without that it seems possible to reinstate OtherOS but with higher privileges which should make for better homebrew. Although the actual "payload" isn't documented in the wiki, so it could still be a stolen key that could expire over time, although potential to bypass/keep live with simple clock emulator? Link to comment Share on other sites More sharing options...
arronc Posted September 1, 2010 Share Posted September 1, 2010 It says reverse engineering : it is not : this is completely speculative : "Port Five The dongle plugs the fake Jig into Port Five right after Port Four has done its job. It uses the same PID/VID that the original Sony Jig uses (0x054C/0x02EB) and probably the same configuration with the same end points. It is suspected that because the Jig is a known device that the PS3 was waiting for, it's device and configuration descriptors will not be malloced into the heap. The PS3 sends a 64 byte challenge to the fake Jig to authenticate it, and the dongle replies with 64 bytes of static data. The PS3 will malloc space for this response, and because the boundary tags have been modified by Port Four, malloc will return a pointer to 24 bytes before a function that has something to do with free and the 64 bytes of data will be written over top of the function. At the point, no code has been patched yet, so the Jig's static response will fail to authenticate the jig." This dosn't even have any internal logical consistency to it, never mind the rest of the wiki. You can see that the author dosn't have a clue, and as opposed to reverse engineering, its just a guess. Yeah : you could could maybe do something with the internal clock, but if last night Sony revoked the key, then its already too late. You wouldn't need a firmware update to revoke a key. Link to comment Share on other sites More sharing options...
Slim Posted September 1, 2010 Share Posted September 1, 2010 I guess there isn't much good information around, and probably not likely to be, as the invested parties will just be wanting to take a lot of pre-orders All very interesting though. Pre-orders? It's open source. Link to comment Share on other sites More sharing options...
arronc Posted September 1, 2010 Share Posted September 1, 2010 I guess there isn't much good information around, and probably not likely to be, as the invested parties will just be wanting to take a lot of pre-orders All very interesting though. Pre-orders? It's open source. PreOrder here : http://ps3jailbreak.com/?p=231 Like anyone in their right mind would Link to comment Share on other sites More sharing options...
Slim Posted September 1, 2010 Share Posted September 1, 2010 PreOrder here : http://ps3jailbreak.com/?p=231 Like anyone in their right mind would I think you've missed the point, read back! Link to comment Share on other sites More sharing options...
arronc Posted September 2, 2010 Share Posted September 2, 2010 PreOrder here : http://ps3jailbreak.com/?p=231 Like anyone in their right mind would I think you've missed the point, read back! No : Im confident Im correct. Link to comment Share on other sites More sharing options...
scarbunny Posted September 2, 2010 Share Posted September 2, 2010 The whole point is that the PS3Jailbreak has been reverse engineered and released open source, no need to preorder a special stick for $150. The reason for the lack of info on the hack originally came from the fact PS3Jailbreak wanted to sell crap loads of the stick at $150. But by doing this they pissed off the "scene" who then got their hands on the sticks dumped to contents and got released it with some tweaks as open source. Now all you need is a $20 usb test stick and the source files. Link to comment Share on other sites More sharing options...
scarbunny Posted September 3, 2010 Share Posted September 3, 2010 Does any where locally sell the sort of stick that is needed? I can't think of a specialist electronics store that would stock them. Link to comment Share on other sites More sharing options...
Slim Posted September 3, 2010 Share Posted September 3, 2010 No : Im confident Im correct. I'm sure you are, but you have missed the point and are talking at crossed purposes. The reverse engineer isn't for the commercial product you've later linked to, it's for the open source project. As for your analysis of the exploit, that looks to be incorrect too, there's a good summary on ./ "It emulates a six-port hub and connects/disconnects devices with corrupted descriptors (that have their size changed on-the-fly!) in a particular order to smash the Heap so you can use a corrupted malloc boundary tag to overwrite the call to free() so that after the failed Jig authentication tries to release the memory allocated for the cryptographic response it will launch the shell code that was dropped into memory using a USB descriptor." ...so no need for the key, no point in Sony revoking the key, you've misunderstood. It is very fixable though, they need to plug the hole in the usb firmware. Wouldn't use it myself, don't want to be banned off psn. Link to comment Share on other sites More sharing options...
arronc Posted September 3, 2010 Share Posted September 3, 2010 I am aware that there that there are several aspects to the surrounding subject thats being discussed here, as are you, and everyone else reading : whats the problem ? If the above explanation is good enough for you then OK fine. My suspicion is that it not correct, because the USB descriptor code injection happens /before/ the memory allocation for the key exchange is invoked, rather than after, which I believe would be required to make the process work as described. Maybe you dont need need a vaild key, if it is as described. Im guessing as much as the next person, and Im sure it will rattle down eventually, and we'll know for sure. Link to comment Share on other sites More sharing options...
Slim Posted September 3, 2010 Share Posted September 3, 2010 I am aware that there that there are several aspects to the surrounding subject thats being discussed here, as are you, and everyone else reading : whats the problem ? Im guessing as much as the next person, and Im sure it will rattle down eventually, and we'll know for sure. I've no problem, I'm just trying to get through You don't need to guess, the exploit has been open sourced, see? Link to comment Share on other sites More sharing options...
arronc Posted September 3, 2010 Share Posted September 3, 2010 You don't need to guess, the exploit has been open sourced, see? const uint8_t PROGMEM jig_response[64] = { 0x80, 0x00, 0x00, 0x00, 0x00, 0x3d, 0xee, 0x78, 0x80, 0x00, 0x00, 0x00, 0x00, 0x3d, 0xee, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x33, 0xe7, 0x20, 0xe8, 0x83, 0xff, 0xf0, 0xe8, 0x63, 0xff, 0xf8, 0xe8, 0xa3, 0x00, 0x18, 0x38, 0x63, 0x10, 0x00, 0x7c, 0x04, 0x28, 0x00, 0x40, 0x82, 0xff, 0xf4, 0x38, 0xc3, 0xf0, 0x20, 0x7c, 0xc9, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x20, 0x04, 0x00, 0x00, 0x00, }; I dont have any hardware to test with, and not really the inclination, but substitution of the above key in the source code would tell you if it is a neccesary key, or if it is random. The fact that it isnt all 0x00 leads me to to believe it is a key. But without going to a lot of trouble to try it out, just watch me guess Any opinion ? Link to comment Share on other sites More sharing options...
scarbunny Posted September 3, 2010 Share Posted September 3, 2010 Looks like some clever little hackers have ported the Jailbreak to the N900 phone, maybe they will get it on Android in the near future. ETA Also ported to the Palm Pre, so I would think Android shouldn't be far off? Link to comment Share on other sites More sharing options...
Slim Posted September 3, 2010 Share Posted September 3, 2010 I dont have any hardware to test with, and not really the inclination, but substitution of the above key in the source code would tell you if it is a neccesary key, or if it is random. The fact that it isnt all 0x00 leads me to to believe it is a key. But without going to a lot of trouble to try it out, just watch me guess Any opinion ? I don't think you're looking at a key there. If Sony were using only 64 bit keys, you wouldn't need an exploit at all. Link to comment Share on other sites More sharing options...
arronc Posted September 3, 2010 Share Posted September 3, 2010 I dont have any hardware to test with, and not really the inclination, but substitution of the above key in the source code would tell you if it is a neccesary key, or if it is random. The fact that it isnt all 0x00 leads me to to believe it is a key. But without going to a lot of trouble to try it out, just watch me guess Any opinion ? I don't think you're looking at a key there. If Sony were using only 64 bit keys, you wouldn't need an exploit at all. Well, in this case, each of the 64 elements is a 16 bit wide data value in hex, so that makes data structure 1024 bits wide, so thats probably enough to be a key. edited to add : Forget to mention the point of that maybe its a key and maybe its not. Although the exploit is public source code, and you make some derivation with regard to how it works : without knowing the other side of the private ps3 code that accepts the exported array, it is still necessary to guess the interaction , as you only have only side of the two way conversation documented. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.