Hackers explain the PlayStation 3 PSJailbreak hack

RDJ134, 1 September 2010 at 17:18

I had to think hard about whether or not to post this, because linking to a full explanation of a PlayStation 3 hack is asking to end up on Sony's shitlist. But when my PS3 scratched my DVDs to pieces, Sony didn't give a damn either, because I was out of warranty, just like when they removed the option to install Linux on the console. Besides, we at Eigenwereld.nl like to do more with our consoles than just gaming, so you can read a very technical explanation of how the current PlayStation 3 PSJailbreak hack works here.

The state of the PS3

The exploit takes place while the PS3 is looking for the Jig (triggered by pressing eject within 200ms of pressing power). It is suspected that the PS3 spends around 5 seconds doing nothing but initializing devices on the USB bus, so there is little extra code running to mess the exploit up.

Setting up the heap

The PSJailbreak dongle emulates a 6-port USB hub. By attaching and detaching fake devices to the ports of the hub, the dongle has control over the mallocing and freeing of various blocks of memory that hold the device and configuration descriptors.

Port one

After the hub has been initialized, a device is plugged into port one with a pid/vid of 0xAAAA/0x5555. It has 4 configurations, each 0xf00 bytes long. This is just under the size of a 4k page, so malloc will probably have to request a new page for each one, unless it already has enough free space, but at least one will be aligned at the start of a page.

The dongle also changes the configuration the 2nd time it is read, so that the configuration in the PS3's memory is only 18 bytes long.

It just so happens that this data contains the payload that the exploit will jump to after gaining control of the execution, but that is not important for the exploit.

Port two
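As an added illustration (not from the original write-up and not PS3 firmware code), here is the host-side check a USB stack could apply against the descriptor-swapping behaviour described above: the header from the sizing read must be reproduced exactly by the full read, and the reported wTotalLength is bounded before any copy. The device callback model, the function names and the 0xf00 policy limit are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define CFG_HDR_LEN 9
#define CFG_MAX_LEN 0xf00   /* assumed host policy: largest descriptor accepted */

/* A device is modelled as a callback: fill buf with up to len bytes of its
 * configuration descriptor; read_no counts requests, so a hostile device can
 * answer differently the second time. Returns the number of bytes produced. */
typedef size_t (*cfg_read_fn)(int read_no, uint8_t *buf, size_t len);

/* Returns the accepted length, or -1 bad header, -2 length out of range,
 * -3 short read, -4 descriptor changed between the sizing and full reads. */
int fetch_config_checked(cfg_read_fn dev_read, uint8_t *out, size_t out_len) {
    uint8_t hdr[CFG_HDR_LEN];
    if (dev_read(0, hdr, sizeof hdr) != sizeof hdr) return -3;
    if (hdr[0] != CFG_HDR_LEN || hdr[1] != 0x02) return -1;   /* CONFIGURATION type */
    size_t total = (size_t)hdr[2] | ((size_t)hdr[3] << 8);     /* wTotalLength, LE */
    if (total < CFG_HDR_LEN || total > CFG_MAX_LEN || total > out_len) return -2;
    if (dev_read(1, out, total) != total) return -3;
    if (memcmp(out, hdr, CFG_HDR_LEN) != 0) return -4;        /* header must not change */
    return (int)total;
}

/* Constructed well-behaved device: one 22-byte configuration (as on port two). */
static size_t honest_read(int read_no, uint8_t *buf, size_t len) {
    static const uint8_t cfg[22] = {9, 2, 22, 0, 1, 1, 0, 0x80, 50,   /* config header */
                                    9, 4, 0, 0, 1, 0xff, 0, 0, 0,     /* interface */
                                    4, 0x21, 0, 0};                    /* class-specific stub */
    (void)read_no;
    size_t n = len < sizeof cfg ? len : sizeof cfg;
    memcpy(buf, cfg, n);
    return n;
}

/* Constructed hostile device: claims 0xf00 bytes on the sizing read, then
 * presents an 18-byte configuration on the full read (the port-one trick). */
static size_t shifting_read(int read_no, uint8_t *buf, size_t len) {
    memset(buf, 0, len);
    buf[0] = 9; buf[1] = 2;
    if (read_no == 0) { buf[2] = 0x00; buf[3] = 0x0f; }   /* wTotalLength = 0xf00 */
    else              { buf[2] = 18;   buf[3] = 0x00; }   /* wTotalLength = 18 */
    return len;
}

int demo_honest(void)   { uint8_t b[CFG_MAX_LEN]; return fetch_config_checked(honest_read, b, sizeof b); }
int demo_shifting(void) { uint8_t b[CFG_MAX_LEN]; return fetch_config_checked(shifting_read, b, sizeof b); }
```

The honest device is accepted with its 22 bytes, while the shifting device is rejected with -4 because the header it returns on the full read no longer matches the one the buffer was sized from.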

After the PS3 has finished reading the port one device descriptors, the dongle switches back to the address of the hub and reports that a device has been plugged into port two.

This device has a pid/vid of 0xAAAA/0xBBBB, and it has 1 configuration descriptor which is 22 bytes long.
