
Open Source PS3 Jailbreak Released

tlhIngan writes "Despite all the lawsuits and injunctions by Sony to keep the PS3 Jailbreak out of modder's hands, it appears that a third party has made a clone. The best part is, it only requires a cheap (approximately $40) development board by Atmel, and the requisite software is open-source. Get the Atmel code from GitHub and apply a small patch which will enable backup play (the code by itself only lets you run unsigned code, the patch allows for BD backups). The code is GPLv3. It would be highly ironic if someone ported this to Linux USB Gadgets, then you could use a Linux device to jailbreak your PS3, to which Sony removed Linux functionality. An Android phone would be suitable."


  1. Hehehe by Jorl17 · · Score: 4, Funny

    "It would be highly ironic if someone ported this to Linux USB Gadgets, then you could use a Linux device to jailbreak your PS3"

    Nice way to ask an entire community of nerds to do that for you!
    Now, let's get working!

    --
    Have you heard about SoylentNews?
    1. Re:Hehehe by Serenissima · · Score: 2, Informative

      I can't understand why any of you own a PS3 in the first place.

      Really? I mean.......really? You can't think of a single reason why anyone would want one?

      --
      Give a man a fire and he'll be warm for a day. But light a man on fire and he'll be warm for the rest of his life.
    2. Re:Hehehe by nebaz · · Score: 5, Funny

      Because it runs Linux?...oh wait.

      --
      Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
    3. Re:Hehehe by jpapon · · Score: 2, Funny

      Really? I mean.......really? You can't think of a single reason why anyone would want one?

      Seriously... I mean, it does EVERYTHING. Or so I've been told.

      --
      -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
    4. Re:Hehehe by xtracto · · Score: 2, Informative

      Because we like the games?
      And the other alternative charges to play online?
      And the other alternative has not the games we like?
      And the other alternative is buying a computer? (which also may not have the games we like)

      I own only a Wii but I have a PS3 in my wallet's sight :)

      I have been thinking between buying an Xbox or a PS3... but after the Xbox Live price increment, the PS3 has more and more points (free netplay, Blu-ray, better graphics... and soon homebrew)

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    5. Re:Hehehe by amolapacificapaloma · · Score: 2, Informative

      I can't understand why any of you own a PS3 in the first place.

      Really? I mean.......really? You can't think of a single reason why anyone would want one?

      Well, the single reason I can think of is hating Microsoft more than Sony. It's tough call though.

      Who do you hate more, the guy that killed mommy or the guy that killed daddy? (Think of this as a lyrical exaggeration, of course)

      --
      exp(i*pi)+1=0
    6. Re:Hehehe by ThoughtMonster · · Score: 5, Informative

      Now, let's get working!

      http://kakaroto.homelinux.net/2010/08/psjailbreak-usb-gadget-kernel-driver/

      There you go. Still not released, but well underway (check the blog for updates).

    7. Re:Hehehe by hardburn · · Score: 2, Interesting

      False dichotomy. Why can't I also hate Nintendo?

      --
      Not a typewriter
    8. Re:Hehehe by erroneus · · Score: 2, Interesting

      I more or less agree with you on this, but the slashdot demographic is still quite diverse in many ways. We have Apple fanbois, Windows fanbois (AKA trolls) and others. We have people who practice what they preach and others who preach but fail to practice.

      Personally, my boycott of Sony is for reasons of quality that goes back a very long way. The only Sony device I ever owned that was any good was my camcorder... I still have it but haven't used it in a very long time. All other things ended up failing just after the warranty expired. And they are just JUNK. My Clie's battery stopped working rendering it useless. I was given one Sony laptop and later bought one of more modern hardware components which then introduced me to the compatibility and performance hell that is "neomagic" or something like that... a really crappy video chip set that, if I recall, is related to the GMA500 video chipset that Intel will never and can never fully support under Linux. That was quite some time ago and I started hating Sony for that back then and since that time, nothing has shown me that they have done anything to improve their image ... quite the contrary, the rootkit incident was icing on the crap-cake. This "removed linux support" matter was just another "I told you so" thing as far as I am concerned.

      I will never buy a Sony anything.

      Everyone who sets aside their good senses so that they can play some games are doing themselves no service at all. I'm anti-microsoft, but I still have XBox360... actually, two and an original XBox... all that so I can play with my sons. I can't bring myself to own a Wii... it feels stupid. And if I want exercise, I'll ride my bicycle -- it's more fun.

      Anyway, most people here are pretty weak when it comes to character and standing by their positions. I say this because of all the "types" of people I see here on Slashdot, I can't say that I have noticed many Sony fans or even Sony apologists. So either they choose not to speak up or there are a lot of people who prioritize games over good character or good sense. (This, by the way, partially describes addiction and other mental inconsistencies like religion... seriously, how can you have a rational and logical mind and still leap to answer life's questions with "god magic"?)

    9. Re:Hehehe by Yetihehe · · Score: 2, Funny

      Nintendo is the uncle who smells funny.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    10. Re:Hehehe by TheCRAIGGERS · · Score: 2, Informative

      Just as long as you realize you're supporting a conglomerate that is actively trying to remove all your rights concerning copyright, among others.

      To put it more bluntly, you're giving money to a lobbyist group so they can screw you with it.

    11. Re:Hehehe by mcgrew · · Score: 2, Interesting

      Well, the single reason I can think of is hating Microsoft more than Sony.

      Hmmm, I'm no MS fan for sure; I hate the way they design and write programs. But none of their evil has been directed towards me, whereas Sony rooted my PC and really fucked it up. My daughter bought a CD at the now-defunct record store she worked at, and trusting that a big company like Sony wouldn't deliberately put malware on their products, ran the programs.

      ALL of my music recording/burning/ripping software was trashed; my P2P apps were trashed, my CD burner was rendered read-only. None of this software would uninstall or reinstall. Sony pwned me good.

      And I am not a pirate! Fercrissake, she fucking BOUGHT the CD from a music store. This is Evil with a capital E. Maybe two or three Es. Those bastards should have gone to fucking prison; if I did that to their computers you can bet your mom's ass I'd be in prison.

      When I reinstalled Windows (running '98 back then) I discovered that I'd lost my CDs holding my audio and video drivers. The audio driver wasn't available over the internet (that I could find viewing at the 640x480 not having a video driver limited me to) forced me to "upgrade" to XP (and I never saw much functional difference between XP and 98 except they moved everything around), costing me a hundred bucks, and I had to buy a USB sound box. And spend all afternoon installing XP and all my apps, some of which wouldn't run in XP.

      As much as I dislike Microsoft, as evil as they may be they've NEVER gone to those depths of evilness, at me anyway.

      These days, I do hardly any gaming so as soon as I can get Linux installed on my netbook I'll pretty much be MS-free. If MS came up with an app I felt I really wanted or needed, I'd buy it in a heartbeat, but no way could I ever trust Sony again. Shit, I trust Evil-X more than I do Sony, and that's saying a lot! If Sony sold cookies I'd suspect they'd tainted them with rat poison just in case I was a pirate.

      And, for a game box, there's always Nintendo if you hate both MS and Sony.

    12. Re:Hehehe by Sancho · · Score: 3, Insightful

      If you're a consumer you're almost certainly doing this. Unless you bought your home outright, only shop at local farmer's markets, sew your own clothes, and don't purchase any entertainment to speak of.

    13. Re:Hehehe by Dreadrik · · Score: 3, Insightful

      I can't say that I have noticed many Sony fans or even Sony apologists. So either they choose not to speak up or there are a lot of people who prioritize games over good character or good sense.

      I like their TVs and the PS3, but I'm not exactly a fanboy. I don't think their business practices are much different than any of the giants'. I thought the rootkit scandal was embarrassing, but I don't get why MS got out of that mess so easily, while Sony became marked for life.
      I tried to question an anti-sony rant here one time before, but got modded to hell (even though it turned out I was right), so at least I am very careful when trying to defend Sony.

    14. Re:Hehehe by jonwil · · Score: 4, Informative

      Microsoft's problem is that unlike OSX, where apps generally put things in one place (documents in a documents folder, settings in settings files etc.), on Windows it's impossible to know where apps may have put things.

      Some apps put their settings in the registry under HKEY_CURRENT_USER
      Some apps put their settings in the registry under HKEY_LOCAL_MACHINE
      Some apps put their settings in a config file in the windows or my documents folders.
      Some apps put their settings in a config file in their own folder.
      Some do all of the above.
      Not to mention all the apps that do things like register COM objects, install system services and who knows what else.

    15. Re:Hehehe by Doc+Ruby · · Score: 2, Informative

      Blu-Ray is not a monopoly any more than "Sun's" Java is. There are other vendors than Sony to buy Blu-Ray from.

      And even if it were, Blu-Ray doesn't exert anywhere near the influence over IT as Microsoft does - if any at all.

      --
      make install -not war

    16. Re:Hehehe by Nursie · · Score: 2, Informative

      Nice way to condone piracy idiot... let's not pretend anyone wants to use for the things like Homebrew.

      Fsck off, troll.

      Some of us DO want to use it to keep our legitimate games libraries on hard disk. There's zero technical or legal reason that the machine shouldn't do this, it's just an annoying DRM measure. I know defeating DRM is itself now illegal, but that's a travesty of justice IMHO and not a law I will respect.

      So you can go on about condoning piracy all you like (and I know that a lot of people will pirate whatever they can get their hands on) but it's not everyone that's interested in this mod. I can do this with the PS2, I could (if I had more than 1 game) do it on the Wii (where it can also do things like bypass annoying region codes).

      Frankly a PSN ban wouldn't be too much hassle. I never play online multiplayer and new games that require firmware updates usually come with them on disk, or they can be downloaded from a PC. So long as Sony don't actually brick these jailbroken PS3 consoles, which they may, then I don't actually care that much.

    17. Re:Hehehe by Andorin · · Score: 2, Informative

      How did you get modded up with a comment like "No one was affected by that silly rootkit?" Apparently enough people were affected that the Texas Attorney General sued, class action suits were filed in New York and California, and even Italy, the EFF, and the FTC investigated Sony over the rootkit scandal. Dismissively saying that nobody was affected by it is just ignorance or trolling.

      And it wasn't just "a particular CD"; it was a nice list of titles; 102 different albums in total according to Wikipedia. Millions of CDs. MediaMax alone went out on 20 million discs.

      Your point that other IT concerns outweigh the problems with Sony's rootkit is valid, but you're comparing apples and oranges here. And the way you dismissed the seriousness of the rootkit makes you look like a fool or someone with an agenda.

      --
      That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  2. Coming soon! by Kenja · · Score: 2, Insightful

    The closed source patch that fixes the exploit used by the open source project.

    --
    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  3. Patch 3.43. bye bye USB. by leuk_he · · Score: 3, Funny

    HOT FROM SONY SITE:

    Downloading and installing the PlayStation®3 system software update will update your PS3 system's operating system to include the latest security patches, settings, features and other items. We encourage you to check this page from time to time for system software updates and to always maintain your system to use the latest version of the system software.

    An update to the PS3 system software will be was released on September 27, 2010. You can use this update to upgrade your system software to version 3.43.

    Notices

      * Do not download or install updates using data other than official update data provided online or on disc media by Sony Computer Entertainment, and do not download or install updates by methods other than those described in the system documentation or on this website. If you download or install update data from another source, by another method, or with a PS3 system that has been altered or modified in any way, the PS3 system may not operate properly and may not be able to install the official update data. Any of these actions may void the PS3 system warranty and affect your ability to obtain warranty services and repair services from Sony Computer Entertainment.
      * This update is for PS3 systems purchased in North America. DO NOT update your PS3 system through this website if you purchased your system outside North America. There is no guarantee of proper operation with models sold outside North America.
      * The system software and system software updates installed on your system are subject to a limited license from Sony Computer Entertainment Inc. Visit http://www.scei.co.jp/ps3-eula for details.
      * If your PS3 system software version is 3.43 (or later), you do not need to perform this update. To check the version of your system software, go to > (Settings) > (System Settings) > [System Information]. The information is shown in the [System Software] field.
      * The [Install Other OS] and [Default System] features have been deleted in system software versions 3.21 and later. You will not be able to use [Install Other OS] or [Default System] under (Settings) > (System Settings). See the Consumer Alerts page for more details.
      * To play some software or use some features, you may first need to update the system software.
      * Depending on your PS3 system software version, the screen images and icons that are used on this website may differ from those that appear on your system.
      * This version will disable USB ports due to security issues. If you have USB peripherals you will have to replace them with wireless versions. See the Consumer Alerts page for more details.

    1. Re:Patch 3.43. bye bye USB. by smussman · · Score: 3, Funny

      An update to the PS3 system software will be was released on September 27, 2010

      *brain explodes*

  4. Re:Just how does this exploit work? by Anonymous Coward · · Score: 2, Informative

    The USB dongle is a microcontroller that emulates a 6-port USB hub. It works by attaching a sequence of fake USB devices with large configuration descriptors, one of which contains the exploit payload. The sequence of USB connections and disconnections results in a heap overflow that eventually results in the exploit code being executed with root privileges. Sony can indeed patch the hole and surely will in the next firmware update. I believe that the open-source version disables automatic firmware updates, but I might be wrong.

  5. Re:simple solution by LingNoi · · Score: 4, Insightful

    Actually all Sony really has to do is give people a way to run home brew on their own systems without letting pirates in and none of this would have ever happened.

    Since they screwed that up now the cats out the bag. People aren't going to stop hacking it until they can run their homebrew and linux again.

  6. This exploit is beautiful by DeadCatX2 · · Score: 5, Informative

    http://www.ps3news.com/PS3-Dev/ps-jailbreak-ps3-exploit-reverse-engineering-is-detailed/

    It emulates a six-port hub and connects/disconnects devices with corrupted descriptors (that have their size changed on-the-fly!) in a particular order to smash the Heap so you can use a corrupted malloc boundary tag to overwrite the call to free() so that after the failed Jig authentication tries to release the memory allocated for the cryptographic response it will launch the shell code that was dropped into memory using a USB descriptor.

    It brings a tear to my eye. Truly, one of the most beautiful things I ever had the privilege of understanding.

    --
    :(){ :|:& };:
    1. Re:This exploit is beautiful by DeadCatX2 · · Score: 3, Interesting

      I have blue screened my development workstation before because I had a bad descriptor that the Windows Audio driver tried to parse and it brought down the kernel. So I knew this sort of thing would be possible. I think attacking the USB host controller driver is going to become a much more common method of infection in the next few years.

      But to get that far...you need dedication. You need to love the hardware. When you see it, it's like the matrix...behind the 1s and 0s and circuit board traces, there is a setting, characters, and a plot.

      From there, that's how you can see the attack on the heap. That's actually the most complicated part, in my opinion. You are trying to fool the kernel into handing you a certain portion of memory. It's like social engineering...and that's what makes it hard. The kernel is interrogating you, and you have to give the right answers. Not only the right answers, but the answers must be corrupted in just the right way.

      Everything from this point can be built on the work of someone before you. Pretty much all exploits eventually launch shellcode somewhere. They all need some way to launch the shellcode, and hooking a system call (in this case, free()) is a favored way to go about that. Then you need some way to do the hook, which in this case was smashing the Heap.

      So you sit there and think...how do I drop shellcode in? What function do I hook? How do I hook it? Dots appear...and then you connect them, and you annotate the connections, and you go back and you start from scratch again because you see a better way, and then finally...it all comes together.

      --
      :(){ :|:& };:
    2. Re:This exploit is beautiful by Myoukochou · · Score: 2, Interesting

      You'd be amazed what a bounty for getting OtherOS working again gets you.

    3. Re:This exploit is beautiful by saboola · · Score: 2, Insightful

      I heard they used magnets.

    4. Re:This exploit is beautiful by DeadCatX2 · · Score: 2, Informative

      This isn't really a buffer overflow in the sense of smashing the stack. There's no strcmp or anything that the programmer forgot to do a bounds check on. It relies on corrupting the malloc boundary tag.

      In fact, USB descriptors have a size field built into them. One of the elegant aspects of the exploit is that the descriptors are read *twice* by the PS3, and the size is being changed in between the two reads.

      --
      :(){ :|:& };:
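The "read twice, size changed in between" that DeadCatX2 describes above (and the descriptor-driven heap overflow in the Anonymous Coward comment 4) is a double fetch: the host learns wTotalLength from the first read, then reads again and trusts whatever length comes back. Here is an added example, not code from the page or from the PSJailbreak/Atmel project, of a host-side fetch that bounds the second read by the first allocation and rejects a descriptor whose length changed; the simulated device, its sizes and the 4096-byte cap are assumptions.

```c
/* Added example (not code from the page, the PSJailbreak clone or the Atmel
 * firmware): a host-side fetch of a USB configuration descriptor hardened against
 * a device whose wTotalLength changes between the header read and the full read. */
#include <stdint.h>
#include <stdlib.h>

#define USB_DT_CONFIG        0x02
#define USB_CONFIG_HDR_LEN   9     /* bLength of a configuration descriptor */
#define MAX_CONFIG_TOTAL_LEN 4096  /* hypothetical host policy cap */

enum fetch_result {
    FETCH_OK = 0,
    FETCH_ERR_SHORT_HEADER,    /* header read returned fewer than 9 bytes */
    FETCH_ERR_BAD_TYPE,        /* bDescriptorType is not CONFIGURATION */
    FETCH_ERR_BAD_LENGTH,      /* wTotalLength below 9 or above the cap */
    FETCH_ERR_LENGTH_CHANGED,  /* wTotalLength differed between the two reads */
    FETCH_ERR_SHORT_READ       /* full read returned fewer bytes than promised */
};

/* Simulated device (constructed for illustration): reports total_lens[0] as
 * wTotalLength on its first GET_DESCRIPTOR and total_lens[1] afterwards;
 * max_reply (0 = unlimited) caps the bytes returned, to model a short reply. */
struct sim_device {
    uint16_t total_lens[2];
    size_t   max_reply;
    unsigned reads;
};

/* Device side: write up to `len` bytes of a synthetic configuration
 * descriptor (header, then 0xAA filler) into `out`; return bytes written. */
static size_t sim_get_descriptor(struct sim_device *dev, uint8_t *out, size_t len)
{
    uint16_t total = dev->total_lens[dev->reads++ ? 1 : 0];
    const uint8_t hdr[USB_CONFIG_HDR_LEN] = {
        USB_CONFIG_HDR_LEN, USB_DT_CONFIG, (uint8_t)total, (uint8_t)(total >> 8),
        1, 1, 0, 0x80, 50   /* bNumInterfaces .. bMaxPower, arbitrary values */
    };
    size_t n = len < total ? len : total;
    if (dev->max_reply && n > dev->max_reply)
        n = dev->max_reply;
    for (size_t i = 0; i < n; i++)
        out[i] = i < USB_CONFIG_HDR_LEN ? hdr[i] : 0xAA;
    return n;
}

/* Host side. A naive host re-reads wTotalLength from the second copy and walks
 * or copies that many bytes (the double-fetch window the thread describes). Here
 * the second read is bounded by the first allocation and its header must agree. */
static enum fetch_result host_fetch_config(struct sim_device *dev,
                                           uint8_t **out, size_t *out_len)
{
    uint8_t hdr[USB_CONFIG_HDR_LEN];
    *out = NULL, *out_len = 0;

    /* Read 1: header only, to learn wTotalLength. */
    if (sim_get_descriptor(dev, hdr, sizeof hdr) < sizeof hdr) return FETCH_ERR_SHORT_HEADER;
    if (hdr[1] != USB_DT_CONFIG) return FETCH_ERR_BAD_TYPE;
    uint16_t total = (uint16_t)(hdr[2] | (hdr[3] << 8));
    if (total < USB_CONFIG_HDR_LEN || total > MAX_CONFIG_TOTAL_LEN) return FETCH_ERR_BAD_LENGTH;
    uint8_t *buf = malloc(total);
    if (!buf) return FETCH_ERR_BAD_LENGTH;

    /* Read 2: request exactly `total` bytes, never more than was allocated,
     * then re-validate the header that came back with this read. */
    size_t got = sim_get_descriptor(dev, buf, total);
    enum fetch_result rc = FETCH_OK;
    if (got < USB_CONFIG_HDR_LEN)                             rc = FETCH_ERR_SHORT_READ;
    else if (buf[1] != USB_DT_CONFIG)                         rc = FETCH_ERR_BAD_TYPE;
    else if ((uint16_t)(buf[2] | (buf[3] << 8)) != total)     rc = FETCH_ERR_LENGTH_CHANGED;
    else if (got != total)                                    rc = FETCH_ERR_SHORT_READ;
    if (rc != FETCH_OK) { free(buf); return rc; }
    *out = buf, *out_len = total;
    return FETCH_OK;
}

/* Run one scenario and return its result code. */
static enum fetch_result probe(uint16_t first_len, uint16_t later_len, size_t max_reply)
{
    struct sim_device dev = { { first_len, later_len }, max_reply, 0 };
    uint8_t *buf; size_t len;
    enum fetch_result rc = host_fetch_config(&dev, &buf, &len);
    free(buf);   /* NULL on failure, which free() accepts */
    return rc;
}
```

probe(64, 64, 0) accepts an honest device, while probe(64, 200, 0) and probe(200, 64, 0) return FETCH_ERR_LENGTH_CHANGED because the second header no longer matches the length the buffer was sized from.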
    5. Re:This exploit is beautiful by Myoukochou · · Score: 4, Insightful

      (clarification) At least, that's my speculation. (Darn it, mixing up preview and submit.)

      You'll note no significant movement was ever made on a working modchip. PS3 remained pretty much hack-free... until Sony disabled OtherOS.

      geohot's glitch - for it was a glitch attack, requiring hardware intervention, and a fair pile of luck for things not to crash - was specifically targeted at the OtherOS hypervisor, only worked in OtherOS, and was simply trying to get more hardware access, but it would never have gotten you complete access (for a start, by the time you're in OtherOS, the SPU in security mode is latched off the bus, I understand, although I never got the opportunity to check personally).

      Sony (characteristically, some might say) totally overreacted in the worst possible way - geohot's glitch was really not a useful exploit! - but by taking everyone's toys away, and specifically by causing a problem to a lot of security researchers who used PS3 clusters for all kinds of research (including cryptographic research, for example the MD5/SHA-1 collisions) and who could now only get replacements from eBay praying they're not updated... they made a lot of people suddenly very interested and determined to crack it, and maybe those with clusters would be equally interested in something like this, perhaps even willing to fund research? *shrug* Merely idle speculation...

      So, yeah. A fairly tight architecture it is, but start annoying security researchers with the resources to decap or fab chips, let alone dump firmware and look for bugs, and you've got to expect some kind of robust response - although where it really came from originally, we may never know, and what else they have in store for the future, it's hard to tell.

      It's a cute little heap overflow in the USB controller; a nice little puppy-pile of (it appears, uncleanly nested) USB hellos and goodbyes to fill the heap, and a shellcode dump for the last one. Fixable in a firmware update, yes - and PSN-bannable (even brickable, if Sony are that hardcore) if used as is, as PS3s log what applications/games you run and send that info to Sony as part of DNAS authentication (at least, they do in unmodified DNAS; it's no longer foolproof) - but this is the tip of the iceberg I'm sure - when Sony fix this, I don't doubt another bug will be found in short order, maybe a software-only one (the PS3 parses enough formats that there's basically got to be something). The arms race has officially begun.

      It's correctly named, too; this is really a 'jailbreak' in exactly the same sense as used on the iPhone for example, not some modchip to let people play copied games or anything (in fact, I don't believe it can... yet).

  7. Re:simple solution by hardburn · · Score: 3, Interesting

    Oh, and another solution: Mark updates with an expiration date such that the unit will refuse to run if its firmware is too stale.

    If they ever do that, I will have to kill somebody. Besides the obvious reason, I have a driving wheel that won't work unless the system date is set before 12-22-08. The bug has been there for well over a year and there's no sign it's getting fixed.

    Consider that the one and only reason I bought a PS3 over a 360 is to play GT5. See how well that decision worked for me?

    --
    Not a typewriter
  8. What about the PSP? by slapout · · Score: 2, Interesting

    It would be interesting if this thing was ported to the PSP and the PSP could be used to unlock the PS3

    --
    Coder's Stone: The programming language quick ref for iPad
  9. Re:simple solution by Animaether · · Score: 3, Insightful

    I never quite understood that "If only they'd allowed homebrew, none of this* would have happened!" reasoning.

    After all, you can certainly run homebrew on a PC, but this* still happens.

    In addition, you -could- run homebrew on the PS3. You didn't get access to the BD, you didn't get full access to the graphics bits and pieces, but you could run homebrew. Apparently that wasn't enough for some, somebody decided to poke at the hypervisor to gain access to these resources, and once they started succeeding a bit, OtherOS was nixed on the older models as well, citing 'security concerns'.

    *"this"?

    Get the Atmel code from GitHub [which] by itself [...] lets you run unsigned code

    Seems like homebrew and linux were possible right there and then...

    and apply a small patch which will enable backup play

    Right. Backups. I guess that's really what "this" is.

    Sounds rather threatening. Open your platform to homebrew, without restriction, or else we'll open it for you - and make it stupid-simple for this* to happen as a(n un)fortunate 'side-effect'.

    That out of the way.. I'm looking forward to an actual thriving homebrew scene for the PS3, with lots of indie developers making the games for PS3 they always wanted to but never had the funds to become a licensed developer, and didn't have the access they needed to develop their envisioned games.

  10. You fools! by zmollusc · · Score: 2, Funny

    You foolish fools! Defeating DRM will let the terrorists win! Already another oil platform has exploded due to evil hackers playing unsigned content on the PS3!

    --
    They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
  11. Re:Let's make this easier for everyone... by Yvan256 · · Score: 2, Informative

    If it's one of the usual Atmel parts, you can probably use Digi-Key.ca

    Extremely fast shipping, no customs fees.

  12. Oblig. Adams by MrFurious5150 · · Score: 4, Funny

    The major problem is quite simply one of grammar, and the main work to consult in this matter is Dr Dan Streetmentioner's Time Traveller's Handbook of 1001 Tense Formations. It will tell you for instance how to describe something that was about to happen to you in the past before you avoided it by time-jumping forward two days in order to avoid it. ... Most readers get as far as the Future Semi-Conditionally Modified Subinverted Plagal Past Subjunctive Intentional before giving up: and in fact in later editions of the book all the pages beyond this point have been left blank to save on printing costs.

  13. Re:simple solution by Sir_Lewk · · Score: 2, Informative

    a reasonably priced upgrade

    For a bug like that, any price is unreasonable.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  14. Re:simple solution by smallfries · · Score: 2, Insightful

    Right. Backups. I guess that's really what "this" is.

    I own a PS3 and I'll be looking into this specifically for this feature. Fuck backups. And fuck piracy too. I don't mind paying for games, but after paying for a console with a hard disk in it, and waiting ten minutes for each game to "install" itself, I seriously resent having to get my ass off of the couch to switch games.

    Come on Sony. I've paid for the system, I've paid for the game. Stop being such fuckwits and let me use what I've already paid for.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  15. Re:simple solution by shentino · · Score: 2, Informative

    That's because OtherOS was crippleware.

    Homebrew in that sense had to run without the aid of the Cell that the hypervisor blocked access to.

    Native, Sony approved games still had full access.