Wednesday 7 April 2010

JaicraB Blog (English version)

This is the official JaicraB Blog English version. I will be the maintainer of the site and I will try to maintain it updated with the latest news from the JaicraB Blog so the international PS3 scene can collaborate in an easier way with JaicraB and DemonHades.

Thursday 1 April 2010

PS3, Pulse generation software V2

[original version]

Pulse generator V2.

The pulse generation software was poorly debugged and theoretically badly planned. It was working for me, but it is true that it was not always working at the first try. Because of this I've developed a second version, more debugged and controlled by the CPU cycles. Why by CPU cycles? Each computer is different, CPU, BUS, etc etc. And because of this each computer has its own cycle so now you can find it starting from the smallest one until you find it ;). In my case it is 3, running over MSDOS in a VMWARE virtual machine.

Usage:

1.- Keep the LPT1 port disconnected from the PC. (At system startup it is usually activated).
2.- Now you can generate a pulse giving it from 1 to 9 cycles.
3.- Always start with 1 cycle, with at least 25 tries. If you see that it does not influence the PS3 then continue with the number 2 with another 25 tries, and so on.
4.- Once the exploit works, you can leave the program by pushing any key; remember the number of cycles for the next test.



Downloads:

Source code and binaries: http://www.megaupload.com/?d=QKKNKZJJ

Pass: jaicrab.jaicrab

Some photos:



PS3, Second Dump

[original version]



Good night/early morning.

First of all, I want to point out that you have to be careful if you are going to use the previously described circuit.
The program received some criticism, well, you've seen the source code, you can modify it at your own will! It works for me and I've shared it as is. The same happened with the memory dumps, I haven't checked them out. As soon as I obtained them, I copied them to a pendrive, I compressed them and I uploaded them without checking their contents.
Also I have to point out that in none of the dumps to date, including this second test, was the communications board (bluetooth, wifi) connected to the main board.

Let's go to the point. I've generated a second dump to compare it with the first one. Just in case we find any data corruption because of the generated pulse or simply because of the HV variables.
The Boot dump is exactly the same and there is nothing comprehensible :S. It is probably encrypted or it does not contain any string.
The HV dump is different, but quite similar to the first one made.

Extract your own conclusions.

HV: http://www.megaupload.com/?d=ZO4K6OYT
BootLoader: It is not needed, it's exactly the same.
Pass: jaicrab.jaicrab

I wait for your feedback. Good luck.

Wednesday 31 March 2010

PS3, Dump... Complete

[original version]

Welcome.
I've been able to generate the Hyper and BL dumps. :D
Finally I've built the pulse generator using the PC parallel port.

Dumps:
HV: http://megaupload.com/?d=SJ0NX5SQ (uncompressed: 16.777.216 Bytes)

BL: http://www.megaupload.com/?d=X9KX2WSA (uncompressed: 262.144 Bytes)

ZIP password: jaicrab.jaicrab

LPT1 circuit diagram:



Software:

(DO IT AT YOUR OWN RISK, I WON'T BE RESPONSIBLE for any damage made to the device, it's a very simple program, and it is not polished. There is very little danger, but you also need to take into account that the LPT1 port is very fragile. Good luck!)

Source code and binary: http://megaupload.com/?d=7EJW43VG

It is recommended to run it under the Windows command line. Download the Windows 98 startup disk, copy the binary and run it. Do not connect anything to the LPT1 port until specified by the program. The source code has been developed using Turbo C++.

Pass: jaicrab.jaicrab

The most important thing is to share and not to keep anything for yourself, mainly if it is for the common improvement. Please don't misuse my MAC and my PS3 data ;)

Any question or suggestion is welcome in the comments. In the next "chapter" I'll disembowel the dump. See you soon!

PS3, Resurrected, back on board

[original version]

As you can read, good news for me. The PS3 is working again.
The problem? It wasn't the power supply, it was due to the two resistors where the exploit wire is connected. Due to handling the wire too much.
I had to change both of them, recycled from a broken PDA.
If someone has the same problem, they are 45 Ohms resistors. I tried using two conventional 1/2 watt resistors and it didn't work. Anyway, the ones I had used are SMD 35 Ohms ones.
I'm back on board, let's get the DUMP.

Tuesday 30 March 2010

PS3, Power Supply K.O.

[original version]

As you can read, it seems that the power supply is broken down.
I'm sure that it's been because I've turned it off too many times using the back button while testing (Maybe the button is broken, who knows).

See you soon!

Sunday 28 March 2010

PS3, Exploit, Roll-out

[original version]



It seems that to roll-out the exploit and make it succeed 100% is like the lottery, don't get exasperated.

Once installed as described previously I recommend a restart. As it is so "tricky" to succeed with it, it is recommended to do it just after a restart and without logging into the graphical interface. I mean, when the system requests our login data we will go to a terminal by pushing Control+Alt+F1. There we log in with the user defined during the installation.

Once logged in we can become root with the following command: "sudo -s". We introduce the root password and we are ready to test the exploit.

The command to run the exploit is "ps3exploit" and it needs a parameter: the number of times that it will give you the opportunity to cause the failure in the hypervisor, which we will take advantage of to generate the memory dumps.

If we run "ps3exploit 100". We will get 100 opportunities to carry out the deed.

It will show a message telling us to push the button of the circuit and the retry count until you reach the 100 retries xD. How will we know that it works? If the exploit detects your button push in the circuit you will realize it, the RAM dump will begin. And what happens if it is not detected? It will inform you that you used your 100 retries and that's it. If it is not detected don't despair, try again with "ps3exploit 100" until you get it.

In my case, I still haven't been able to make it work. I think that it is because of the circuit, I have not built it in the right way, the 26Mhz crystal as I previously said or the circuit isn't the right one.

I'll keep you updated...

PS3, Linux & Exploit

[original version]

Hello again.
I am going to install ubuntu-8.10-alternate. It can be downloaded here.

To continue we also need to download the exploit, in this case the xorloser Geohot exploit. It can be downloaded here.

OtherOS installation.
It should be easy. Once downloaded you have to burn the image on a CD (nero, deepburner, etc).
Then you introduce it in the PS3 and then go to "System Settings", "Install other operating system". It will look for this file /CD/PS3/OTHEROS.BLD in the reader. We select that we want to install it.
Once installed, we go to "Default System" and we select "Other OS". The PS3 will restart and the Ubuntu install will begin.
(Be aware that if we don't have reserved the space in the hard disk for another operating system we won't be able to install it).
The installation is simple, just follow the steps.

Exploit installation.
Once Ubuntu is installed we can continue with the Exploit.
Mainly I have installed the SSH server so I can connect to the PS3 from my PC and control the console as if I was there. It is not necessary.
You can see the commands executed for the installation (if you need anything just leave a comment) and the complete log here:

linux@PS3:~$ sudo -s
root@PS3:~# mkdir Exploit
root@PS3:~# cd Exploit/
root@PS3:~/Exploit# wget http://xorloser.com/blog/wp-content/uploads/2010/03/xorhack.zip
root@PS3:~/Exploit# unzip xorhack.zip
root@PS3:~/Exploit# ls
root@PS3:~/Exploit#mv /usr/src/linux-ports-headers-2.6.25-2/ /usr/src/linux-headers-2.6.25-2/
root@PS3:~/Exploit# make
root@PS3:~/Exploit# ls
root@PS3:~/Exploit# make install
root@PS3:~/Exploit#

PS3, Circuit board soldering points

[original version]

According to Geo the soldering point is the following one:



I've been able to track it to a bigger point to solder it. In this case it's been the last but one resistor:



I will get the 5V, 3,3V and ground from the "communications" board, where you can find wifi and bluetooth (by the way, Ethernet does not work if you don't connect this board):



Out of curiosity:
-If you only place the wire in the GEO point the yellow led lights up.
-If you connect the GEO point and the ground, it freezes when the XMB appears, without yellow light.
-If you put them all, the PS3 works as expected.

Next step... To finish up installing linux and test the exploit.

Saturday 27 March 2010

PS3, The 40ns circuit, Let's build it

[original version]

FAILURE



Just got the material, after 3 hours of searching in a nearby "town". Anyway I haven't found the 25Mhz crystal, so I have to use a 26,770Mhz one (I hope that the history doesn't change too much :S).
Just to tell you, that the sum of all of the components, including the board with the holes, hasn't exceeded 3€.

This afternoon-night-early morning I'll put my shoulders to the wheel. I'll keep you informed.
-----------------------------------------------------------------------------
It's 22:10 and I already have part of the circuit built. Some easy to solve doubts appear:
I have to supply 5V to the integrated circuits. I have located the power supply points from where I can get that voltage. I still have to locate the 3,3V points.
The attendant from the shop has given me the wrong resistors :S, so I had to put a few more in series.
Right now the circuit looks like this:





---------------------------------------
Finished circuit.



Next step, Install linux (almost there) and solder the circuit to the PS3.

PS3, The 40ns circuit

[original version]

Good night.
Tomorrow afternoon I'll buy the components to build the following circuit:



When back from shopping I'll build it. I'll describe the steps (while I study it :S).

Friday 26 March 2010

PS3, with PC dissipators

[original version]

Welcome.
I've obtained a second PS3, it's a bit broken because it stops working every 10 minutes because of overheating.

I am going to disembowel this PS3 and try to resolve the problem so I can investigate with it soon.

Step 1:

I have a PS3 that I can disembowel.
A video capture device and a PC only used as a TV.



I disembowel it and extract the circuit board.



Step 2:
I adapted some AMD dissipators that I had at hand. I've prepared the wiring so I can clearly view the board. I've prepared the fans.



I take a look and see the best way to position them. I apply the thermal paste and then I put them in the right way.





I extend the power supply unit and bluray reader wiring.



Now I have to adapt the PSU so I can have the circuit board free of any device below or above. Here we have the device ready for linux to be installed.



The next step is to prepare the 40ns circuit and to make the two soldering points on the circuit board.

We will apply the exploit and try to generate the dump so we can make it public (they say that the ones already released are incomplete).

See you tomorrow.