Thread: PSJailbreak Reverse Engineered

  1. #1 wraggster (Nottingham, England; joined Apr 2003)

    PSJailbreak Reverse Engineered

    German website GameFreax has claimed to have successfully reverse engineered PS Jailbreak. They bring out some important information that was previously unknown. First off, PSJailbreak was apparently NOT a clone of Sony’s JIG; instead it’s a legitimate exploit that was developed. Second, we can NOT upgrade PSJailbreak without the use of additional hardware - maybe the company planned to sell another component to upgrade the unit?

    Here is the full (roughly) translated post:

    We have taken a closer look at this PSJailbreak dongle
    We can confirm that the PSJailbreak is not a clone of Sony’s “Jig” module. PSJailbreak is a self-developed exploit. The chip is not a PIC18F444; instead an ATMega is used with a software USB interface. This means the chip is internally capable of emulating any USB device. PSJailbreak emulates a 6-port USB hub on which different devices will later be connected and then disconnected. One of these devices has the product:vendor ID of Sony’s “Jig” module, which means this played a certain role during the development of PSJailbreak.

    But let’s start from the beginning: When the PS3 is powered on … A USB emulation device will be connected, which has too large a Configuration Descriptor. This Descriptor overrides the stack with a PowerPC shellcode that gets executed. Now, various USB devices are connected to the emulation USB hub. One device has a large Descriptor with a size of 0xAD, which is part of the exploit and contains static data. A short time later (we are moving here in milliseconds) the jig module is connected, and encrypted data is transmitted to the jig module. A few milliseconds later, the Jig module answers with 64 bytes of static data, all USB devices are then disconnected, a new USB device is connected and the PS3 launches with ‘a new feature’.

    PSJailbreak is NOT software-updateable. The update feature which is mentioned can be done just with hardware modifications. So by ‘update’ they mean ‘buy more of our stuff’.

    http://www.gamefreax.de/psjailbreak-...ngineered.html
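The post above describes a configuration descriptor whose advertised size is larger than the host-side buffer that receives it. The following C program is an added example, not code from this thread, from GameFreax or from the PS3 firmware; it shows what a host USB stack's descriptor parser has to do to be safe against that class of input: check every device-supplied length field (wTotalLength and each sub-descriptor's bLength) against the buffer it actually has before copying or walking the data. The staging-buffer size, the error codes and the three sample descriptors are constructed for this example; nothing about the real PS3 USB stack's internals is known from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* USB descriptor type codes (USB 2.0 specification, chapter 9). */
#define USB_DT_CONFIG     0x02
#define USB_DT_INTERFACE  0x04
#define USB_DT_ENDPOINT   0x05

/* Size of the fixed staging buffer a host stack might copy a configuration
 * descriptor into. The value is an assumption for this example. */
#define CONFIG_BUF_CAP 256

enum cfg_status {
    CFG_OK = 0,
    CFG_ERR_SHORT_HEADER,    /* fewer than the 9 header bytes received */
    CFG_ERR_BAD_HEADER,      /* bLength/bDescriptorType is not a config header */
    CFG_ERR_TOTAL_TOO_SMALL, /* wTotalLength smaller than the header itself */
    CFG_ERR_TOTAL_TOO_BIG,   /* wTotalLength exceeds the staging buffer */
    CFG_ERR_TRUNCATED,       /* device sent fewer bytes than wTotalLength */
    CFG_ERR_BAD_SUBDESC      /* a sub-descriptor's bLength runs past the end */
};

struct cfg_summary {
    uint16_t total_len;
    unsigned interfaces;
    unsigned endpoints;
};

/* Validate and walk a configuration descriptor as received from a device.
 * data/len are the bytes actually received; cap is the size of the buffer
 * the caller intends to copy them into. Every length field that comes from
 * the device is checked before it is used for copying or indexing. */
enum cfg_status parse_config_descriptor(const uint8_t *data, size_t len,
                                        size_t cap, struct cfg_summary *out)
{
    if (len < 9) return CFG_ERR_SHORT_HEADER;
    if (data[0] != 9 || data[1] != USB_DT_CONFIG) return CFG_ERR_BAD_HEADER;

    uint16_t total = (uint16_t)(data[2] | (data[3] << 8)); /* little-endian */
    if (total < 9)   return CFG_ERR_TOTAL_TOO_SMALL;
    if (total > cap) return CFG_ERR_TOTAL_TOO_BIG;  /* the missing check the post implies */
    if (total > len) return CFG_ERR_TRUNCATED;

    struct cfg_summary s = { total, 0, 0 };
    size_t off = 9;
    while (off < total) {
        /* every sub-descriptor begins with bLength, bDescriptorType */
        if (total - off < 2) return CFG_ERR_BAD_SUBDESC;
        uint8_t blen = data[off];
        if (blen < 2 || blen > total - off) return CFG_ERR_BAD_SUBDESC;
        switch (data[off + 1]) {
        case USB_DT_INTERFACE: s.interfaces++; break;
        case USB_DT_ENDPOINT:  s.endpoints++;  break;
        default: break; /* class-specific descriptors are skipped, not trusted */
        }
        off += blen;
    }
    if (out) *out = s;
    return CFG_OK;
}

/* Constructed sample: a minimal well-formed configuration with one
 * vendor-specific interface and one bulk IN endpoint (9 + 9 + 7 = 25 bytes). */
static const uint8_t good_cfg[] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 0x40, 0x00, 0,
};

/* Constructed sample: identical body, but wTotalLength claims 0x1000 bytes,
 * far more than the staging buffer. A parser that copies wTotalLength bytes
 * without comparing it to its buffer is the failure the post describes. */
static const uint8_t oversized_cfg[] = {
    9, USB_DT_CONFIG, 0x00, 0x10, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 0x40, 0x00, 0,
};

/* Constructed sample: honest wTotalLength, but the interface descriptor's
 * bLength (0x40) points past the end of the data. */
static const uint8_t bad_sub_cfg[] = {
    9, USB_DT_CONFIG, 18, 0, 1, 1, 0, 0x80, 50,
    0x40, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
};

int main(void)
{
    struct cfg_summary s;
    printf("good:      %d\n", parse_config_descriptor(good_cfg, sizeof good_cfg, CONFIG_BUF_CAP, &s));
    printf("  interfaces=%u endpoints=%u\n", s.interfaces, s.endpoints);
    printf("oversized: %d\n", parse_config_descriptor(oversized_cfg, sizeof oversized_cfg, CONFIG_BUF_CAP, NULL));
    printf("bad sub:   %d\n", parse_config_descriptor(bad_sub_cfg, sizeof bad_sub_cfg, CONFIG_BUF_CAP, NULL));
    printf("truncated: %d\n", parse_config_descriptor(good_cfg, 20, CONFIG_BUF_CAP, NULL));
    return 0;
}
```

The ordering of the checks matters: wTotalLength is compared to the buffer capacity before it is compared to the received length, so an oversized claim is rejected outright rather than treated as a short read that a retry might "complete". Inside the walk, each bLength is bounded by the bytes remaining, which is what stops a single malformed sub-descriptor from pushing the offset out of the buffer.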

  2. #2 DCEmu Pro (USA; joined Jun 2005)

    So the single-point-of-failure is a buffer overflow, huh?
    Unless the PS3 boot sequence is entirely in mask ROM, this is going to be inconsequential for Sony to patch away.
