PlayStation 3 Jailbreak

PlayStation Jailbreak was the first Universal Serial Bus (USB) chipset that allowed unauthorized code execution, such as homebrew, on the PlayStation 3. It bypasses a system security check by means of a memory exploit (a heap overflow) in the console's handling of USB devices, which allows the execution of unsigned code. One of the most popular pieces of homebrew software used with the device is Backup Manager, which allows users to copy game titles from the optical media to the hard drive of the PlayStation 3. Backup Manager can also be used to run homebrew applications that are created to run in the console's native mode.

(Image: A PS Jailbreak USB dongle)

Multiple devices to perform code execution exist, such as the open-source versions (e.g. PSgroove, PSfreedom). Most of these only work on PlayStation 3 system software v3.41 or lower, as PlayStation System Software v3.42 patches the mod chip exploit on the console. The creators of PS3 Jailbreak also released PSDowngrade, which enables downgrading of the PlayStation 3's System Software to v3.41 (or lower) from v3.42, v3.50, and v3.55.

Present and future support

In August 2011, information about hardware that could downgrade PlayStations on system software v3.70 was released. These hardware mods were NAND/NOR chip flashers that were either soldered or clipped onto the NAND/NOR chips located on the PlayStation's motherboard. The flasher would then flash the memory of the chip and back up the PlayStation's firmware, thereby downgrading the console once the hard drive was formatted. These flashers still work on the latest system software version and can be purchased online.

In September 2011, alleged LulzSec member Cody Kretsinger was arrested on a Thursday morning for attacking the Sony Pictures website, which had previously been taken offline by a DDoS attack lasting over 2 months. Kretsinger had found and released level 0 security codes that could be used to run unauthorized firmware, known today as CFW ("Custom Firmware"). These were the same keys that would have allowed a Chinese hacking group known as "BlueDisk" to release a purchasable CFW (custom firmware) for 4.21 and above. Shortly after, a well-known PlayStation 3 developer, "Rogero," released his free-of-charge 4.21 CFW. There are now different developers releasing CFWs for the latest versions of the PlayStation 3's firmware. These custom firmwares render the PlayStation Jailbreak obsolete. They cannot, however, be installed unless the PlayStation 3 is on system software version 3.55 or below.

On June 26, 2013, the 3.60+ loader keys were released to the public by "The Great Unicorns", and on the same day the hard-drive encryption for PHAT consoles was released by a developer called "flatz." Following this, the Lv1ldr crypto keys were released for 4.21-4.46.

As of December 2020, websites such as PSX-PLACE are still working on exploiting vulnerabilities to install CFW on Super Slim consoles. They are able to run homebrew applications on any version of the PlayStation 3 by exploiting vulnerabilities in the console's official firmware.

Inner-Workings

The PS3JailBreak exploits the PS3 by means of a heap overflow. When the dongle is plugged into a PS3 (all models, "Fat" and "Slim"), its device descriptors tell the PS3 that it is a 6-port USB hub. After memory is allocated for the "6-port USB hub", the PS3JailBreak tells the PS3 that a USB device has been plugged into port 1 of the hub. This device contains the payload that will run after the exploit is complete, and it has normal device descriptors for a typical USB device. After memory has been allocated for the payload device on port 1, the PS3JailBreak tells the PS3 that another USB device has been plugged into port 2. This "device" holds no data related to the exploit and has typical device descriptors. Next, the PS3JailBreak reports that another device has been plugged into port 3. This device is very important, as it causes the heap exploit later in the process: the port 3 "device" contains unusually large device descriptors. After memory has been allocated for port 3, the PS3JailBreak tells the PS3 that the device in port 2 has been removed, which frees the memory that was allocated for its device descriptors. After this, another "device" is plugged into port 4; it holds 3 configuration descriptors, the third of which contains PowerPC shellcode (used to exploit the system and force it to run the payload on port 1). On port 5 another "device" is plugged in, which emulates the "PS3 Service Jig", a device used to recover corrupted or non-functional PS3s at Sony factories. This device has the same device descriptors and configuration descriptors as the real "Jig". When the PS3 tries to allocate memory to check whether the "Jig" is authentic, it fails because a heap overflow occurs: the 64 bytes that have to be allocated point to the next free memory address, which is actually not free, as it was overwritten earlier in the process.
This means that the shellcode is sent to the CPU to be executed (the exploit has passed the unsigned-code check) and starts executing as soon as the PS3 detects the removal of "devices" from the "USB hub". The shellcode then tells the CPU to read and execute the payload on the first port, which effectively allows unsigned code to run on the system.
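The chain above works only because the host sizes its allocations from length fields that the device itself supplies. As an added example (not code from this page, from Sony, or from the PS3JailBreak project), the following C validator shows the host-side checks a USB stack needs before any buffer is sized from a descriptor: fixed-size descriptor types must match their length byte, wTotalLength is capped and bounded by the bytes actually received, and every sub-descriptor's bLength is checked against the remainder of the block. The MAX_CONFIG_TOTAL_LEN cap and all sample descriptor bytes are constructed for illustration, not captured from any real device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* USB descriptor types and fixed sizes from the USB 2.0 specification. */
#define USB_DT_DEVICE        0x01
#define USB_DT_CONFIG        0x02
#define USB_DEVICE_DESC_LEN  18
#define USB_CONFIG_DESC_LEN  9

/* Assumed host-side cap on one configuration block (constructed value). */
#define MAX_CONFIG_TOTAL_LEN 1024

enum desc_status {
    DESC_OK = 0,
    DESC_TRUNCATED,   /* buffer is shorter than the descriptor claims */
    DESC_BAD_TYPE,    /* bDescriptorType is not the type requested */
    DESC_BAD_LENGTH,  /* bLength inconsistent with the type or the block */
    DESC_TOO_LARGE    /* wTotalLength exceeds the host's fixed cap */
};

/* A device descriptor is exactly 18 bytes; refuse anything that says
 * otherwise before any allocation is sized from it. */
int validate_device_descriptor(const uint8_t *buf, size_t len)
{
    if (len < 2)                        return DESC_TRUNCATED;
    if (buf[1] != USB_DT_DEVICE)        return DESC_BAD_TYPE;
    if (buf[0] != USB_DEVICE_DESC_LEN)  return DESC_BAD_LENGTH;
    if (len < USB_DEVICE_DESC_LEN)      return DESC_TRUNCATED;
    return DESC_OK;
}

/* A configuration block is a 9-byte header followed by interface/endpoint
 * descriptors; wTotalLength (little-endian, bytes 2-3) covers the whole
 * block. Bound it by a fixed cap and by the bytes actually received, then
 * walk every sub-descriptor so no bLength can run past the block's end. */
int validate_config_block(const uint8_t *buf, size_t len, size_t *total_out)
{
    size_t total, off;

    if (len < USB_CONFIG_DESC_LEN)      return DESC_TRUNCATED;
    if (buf[1] != USB_DT_CONFIG)        return DESC_BAD_TYPE;
    if (buf[0] != USB_CONFIG_DESC_LEN)  return DESC_BAD_LENGTH;

    total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (total < USB_CONFIG_DESC_LEN)    return DESC_BAD_LENGTH;
    if (total > MAX_CONFIG_TOTAL_LEN)   return DESC_TOO_LARGE;
    if (total > len)                    return DESC_TRUNCATED;

    /* Each sub-descriptor must have bLength >= 2 and fit inside the block. */
    for (off = 0; off < total; off += buf[off]) {
        if (total - off < 2)            return DESC_TRUNCATED;
        if (buf[off] < 2 || buf[off] > total - off)
                                        return DESC_BAD_LENGTH;
    }
    if (total_out) *total_out = total;
    return DESC_OK;
}

/* Constructed sample descriptors (placeholder VID/PID, not real devices). */
const uint8_t sample_device[18] = {
    0x12, 0x01, 0x00, 0x02, 0x09, 0x00, 0x00, 0x40,  /* 18 bytes, USB 2.0, hub class */
    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 0x01, 0x02,  /* placeholder VID/PID/strings */
    0x00, 0x01 };
const uint8_t sample_config[18] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,   /* wTotalLength = 18 */
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00 }; /* one interface */
const uint8_t oversized_config[9] = {
    0x09, 0x02, 0xFF, 0xFF, 0x01, 0x01, 0x00, 0x80, 0x32 }; /* claims 65535 bytes */
const uint8_t truncated_config[9] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32 }; /* claims 18, sent 9 */
const uint8_t runaway_config[18] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x20, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00 }; /* sub bLength 32 > 9 left */

static const char *status_name(int s)
{
    static const char *names[] = { "ok", "truncated", "bad type",
                                   "bad length", "too large" };
    return (s >= 0 && s <= DESC_TOO_LARGE) ? names[s] : "?";
}

int main(void)
{
    size_t total = 0;
    printf("device     : %s\n", status_name(validate_device_descriptor(sample_device, sizeof sample_device)));
    printf("config     : %s (%zu bytes)\n", status_name(validate_config_block(sample_config, sizeof sample_config, &total)), total);
    printf("oversized  : %s\n", status_name(validate_config_block(oversized_config, sizeof oversized_config, NULL)));
    printf("truncated  : %s\n", status_name(validate_config_block(truncated_config, sizeof truncated_config, NULL)));
    printf("runaway    : %s\n", status_name(validate_config_block(runaway_config, sizeof runaway_config, NULL)));
    return 0;
}
```

The ordering of the checks is the point: the cap is applied to the device-supplied wTotalLength before it is compared against received data or used for any allocation, and the per-descriptor walk rejects a bLength that would carry a copy past the end of the block.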

Legality

  • PS3 Jailbreak was outlawed in Australia as it was considered to be in violation of copyright law. The ban states that PS Jailbreak cannot be imported, distributed to another person or offered to the public.[1]
  • However, no case has been made against an individual by the Sony corporation on the matter of downgrading one's PS3. Nor has any development team that works on downgrading tools (downgrading to the jailbreak-capable 3.55 OFW) been presented with litigation by Sony (E3 Flasher Limited, Progskeet, etc.). However, Sony did attempt to sue GeoHot for his 3.55 Jailbreak.

Sony, after a questionable collection of IP addresses and personal information of users who had merely viewed any of Hotz's sites, Twitter, Facebook, etc., reached a settlement with Hotz out of court.

References

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.