It has been a long time since I wrote a technical article. PS3 hacking is a hot topic right now, so I'll analyze it a bit.
First, some of the low-level techniques the hack relies on need introducing:
Heap (堆): the heap is the foundation of low-level memory management in every programming language. Even if you can do whatever you like in assembly, any large program will still end up using a heap manager. In C/C++, whenever we call memory functions such as malloc, free, new and delete, we are dealing with the heap manager. There are many heap manager implementations with different algorithms: some use red-black trees, some a simple linked list, and some are memory pools that only hand out fixed-size blocks for the sake of performance.
Most of these implementations share one typical feature: alignment. Because of how modern computer architectures work, aligned data is faster to access, and on some hardware architectures accessing unaligned memory even triggers a machine check outright. Because of alignment, if we request 100 bytes the heap manager actually picks an aligned size, allocates a block of that size, say 128 bytes, and returns that to us. Of course this description is imprecise; it is explained below.
The heap manager has to keep track of every block it manages, that is, it maintains metadata for each block: its length, pointers to the previous and next block, and its state (free, allocated, and so on). Where is this state kept? One very common approach is to put it at the head of the heap block.
Suppose the programmer requests 100 bytes and the block header itself takes 16 bytes. The heap manager then looks for a 128-byte block (if none that large is available it follows some algorithm, for instance coalescing free blocks based on their metadata) and returns the block's start pointer + 16 to the programmer, who is happy to have his 100 bytes. Note that on old systems he could in fact safely access 128 - 16 bytes. On modern systems that no longer works: the heap manager writes a special marker after those 100 bytes (at hardware page granularity there is protection as well, see NX/DEP), and if you write past the 100 bytes, then when the block is freed the heap manager finds the marker corrupted, which is a heap overflow.
What if we write 256 bytes into this 100-byte allocation? The most likely outcome is that we corrupt the neighbouring heap block's metadata. That is what creates the opportunity for a malicious attack.
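The marker check described above, as an added illustration that is not from the original post or the PS3's allocator: a constructed toy heap with a 16-byte header, a 128-byte block for a 100-byte request and a 4-byte marker right after the user data, so that freeing a block detects a write past its end and a larger overflow also visibly damages the neighbouring block's header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy allocator (constructed for this illustration, not the PS3's): a block is a
   16-byte header, n user bytes, a 4-byte marker, rounded up to 16. 100 -> 128 bytes. */
#define HDR 16u
#define MARK 0xC0FFEEu
static _Alignas(16) uint8_t arena[4096];
static size_t top = 0;

struct hdr { uint32_t size; uint32_t used; uint32_t pad[2]; }; /* 16 bytes */

static size_t block_size(size_t n) { return (n + HDR + 4 + 15) & ~(size_t)15; }

void *toy_malloc(size_t n) {
    size_t blk = block_size(n);
    if (top + blk > sizeof arena) return NULL;
    struct hdr *h = (struct hdr *)(arena + top);
    h->size = (uint32_t)n;
    h->used = 1;
    uint8_t *user = (uint8_t *)h + HDR;
    uint32_t m = MARK;
    memcpy(user + n, &m, sizeof m);     /* marker sits right after the n user bytes */
    top += blk;
    return user;
}

/* The free-time check: returns 1 if the marker is intact, 0 if it was overwritten */
int toy_free(void *p) {
    struct hdr *h = (struct hdr *)((uint8_t *)p - HDR);
    uint32_t m;
    memcpy(&m, (uint8_t *)p + h->size, sizeof m);
    h->used = 0;
    return m == MARK;
}

/* Allocate two 100-byte blocks, write write_len bytes into the first, free it.
   Returns 0 = clean, 1 = own marker corrupted, 2 = neighbour's header corrupted too. */
int overflow_demo(size_t write_len) {
    top = 0;
    uint8_t *a = toy_malloc(100);
    uint8_t *b = toy_malloc(100);
    struct hdr *hb = (struct hdr *)(b - HDR);
    memset(a, 'A', write_len);           /* write_len > 100 is the overflow */
    int marker_ok = toy_free(a);
    int neighbour_ok = (hb->size == 100 && hb->used == 1);
    if (marker_ok && neighbour_ok) return 0;
    return neighbour_ok ? 1 : 2;
}
```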
USB is an asymmetric bus, meaning there is a distinction between host and device, and every operation is initiated by the host. USB has two fairly important concepts: addresses and endpoints.
Addresses first. The host has no address; only devices do. A similar concept is the MAC address: in a LAN where everyone is connected through an ordinary hub, every packet passes through your network card, but the card only accepts the packets whose destination matches your MAC (this is the most primitive case; networking gurus, please don't throw bricks).
When a new USB device (a flash drive, say) is plugged into the host, the voltage change on the USB port tells the host controller that a device has been inserted and whether it is 1.x or 2.0 (the pull-up/pull-down resistors differ). At this point the device (the flash drive) has USB address 0. The host controller talks to that address and assigns the device a new USB address in the range 1 to 127 (think of it as a DHCP process); from then on the host controller accesses the device through the new address. Every newly inserted device is handled this way, so if you plug in two identical flash drives they still get different USB addresses and the system can tell them apart.
Once the USB host controller has assigned the new address, it starts asking: what are you? what can you do? and so on. The device answers with descriptors (the descriptor format is defined in the USB specification): my VID is xx, my PID is yy, my name is zz, and so on.
Back to the USB address: the USB transceiver's control circuitry stores this value for all subsequent communication, but because it is so special, most chips cannot modify their own USB address by hand.
Endpoints are the ports that actually carry data. Endpoint 0 is always available and is called the control endpoint; I won't go into the details.
OK, enough preamble. Now for the main topic: PS Jailbreak.
In one sentence: PS Jailbreak uses carefully crafted, special USB descriptors to trigger a heap overflow while the PS3 processes them, which leads to code injection and in turn to access to GameOS.
Below is a detailed description of the PS Jailbreak (JB from here on) attack process
(the vast majority is translated from http://ps3wiki.lan.st/index.php/PSJailbreak_Exploit_Reverse_Engineering, with the necessary explanations added).
The JB device presents itself (not physically but technically) as a "six-port USB hub" (note the quotation marks: the thing merely claims to be a hub; in practice it does so only to satisfy the USB protocol's requirements and does not fully implement all of a USB hub's functionality).
When the PS3 boots, under a specific condition it searches the USB ports for the official JIG device (I don't know what that thing actually does; the procedure is to press POWER and then Eject within 200 ms). JB exploits this: while the console is probing for the JIG at boot, it plugs and unplugs 6 devices in turn on its virtual USB ports (…). Because the system has to allocate memory to process each device, carefully crafted USB descriptors achieve a heap overflow.
Port 1: after the hub is initialized, the first device is plugged in, pid/vid 0xAAAA/0x5555, with 4 configurations, each 0xf00 bytes long. Because this length does not exceed a 4K page, it is presumed that the PS3 system's malloc allocates one 4K memory page per configuration. Why 4? Because free memory may already exist; using 4 gives a high enough probability that the pages are aligned on 4K boundaries. JB then re-reports its configuration as 18 bytes. The longer configuration actually contains the payload (that is, the functional code used for the injection attack).
Port 2: after the PS3 has finished reading device 1's descriptors, JB switches back to the hub's USB address and pretends a second device has been plugged in, pid/vid 0xAAAA/0xBBBB. This device has a 22-byte descriptor of which only the first 18 bytes are meaningful; the meaning of the last 4 is unknown.
Port 3: next this device is plugged in, pid/vid 0xAAAA/0x5555, the same as the first one but with different descriptors: it has two configuration descriptors, each 0xa4d bytes long, most of whose data is believed to be garbage. Going by the guess about the heap manager, these descriptors are placed on a new 4K page immediately after the previous two devices.
Port 2: unplugged. Unplugging this device has an obvious consequence: the memory allocated between device 1 and device 3 is freed.
OK, the juggling above sets up the context for the real attack.
Port 4: connected. pid/vid 0xAAAA/0x5555, with three configuration descriptors.
Configuration descriptor A: a normal 18-byte descriptor.
Configuration descriptor B: the same descriptor as A, but after the PS3 reads it a second time it changes its own length to 0 bytes. This is the key to the hack, although its exact meaning is still unclear: it causes the data following configuration descriptor C to overwrite some malloc boundary marker, very likely one belonging to Port 3. The detailed cause of this overflow is the most interesting part of the attack code itself.
Configuration descriptor C: this descriptor starts out identical to A but has 14 extra bytes at the end:
.. .. 3e 21 00 00 00 00
fa ce b0 03 aa bb cc dd
80 00 00 00 00 46 50 00
80 00 00 00 00 3d ee 70
The first few bytes are thought to be padding (but I don't think so, by hyperiris); next comes a magic number, fa ce b0 03 aa bb cc dd, which read as English looks like FACEBOOK AABBCCDD; the data after it is a pointer that overwrites the malloc block's boundary marker, causing malloc to go wrong when it later processes this block, so that it operates on memory at a location chosen by the attacker. (These are two 64-bit pointers, by hyperiris.)
Port 5: once Port 4 has done its work, the fake JIG is plugged into Port 5. It has the same PID/VID as Sony's official JIG, 0x054C/0x02EB, and presumably the same configuration and endpoints as the official one.
One can guess that because this thing (the JIG) is a device the PS3 already knows, the PS3 system does not allocate heap memory for it.
The PS3 then sends 64 bytes of data asking the JIG to authenticate, and JB returns a 64-byte response. The PS3 allocates memory to store this response (!!!!!). Because the malloc block's boundary marker has already been modified by the Port 4 insertion, this allocation lands at a pre-arranged location, namely in front of some function (! after a 24-byte offset into that function !), and the front of that function is then overwritten by these 64 bytes (!!!!!).
Because the system's JIG authentication code has not been patched, the data JB returns fails verification.
Port 3: unplugged. JB now tells the PS3 that Port 3 has been unplugged, which makes the PS3 free the memory allocated for Port 3's configuration descriptor, the memory that was overwritten by Port 4's descriptor.
At this moment the shellcode is invoked, with register R3 pointing at the memory boundary marker of Port 3's configuration descriptor.
Shellcode:
ROM:00000018                ld     %r4, -0x10(%r3)
ROM:0000001C                ld     %r3, -8(%r3)
ROM:00000020
ROM:00000020 loc_20:                              # CODE XREF: sub_18+14↑j
ROM:00000020                ld     %r5, 0x18(%r3)
ROM:00000024                addi   %r3, %r3, 0x1000
ROM:00000028                cmpw   %r4, %r5
ROM:0000002C                bne    loc_20
ROM:00000030                addi   %r6, %r3, -0xFE0
ROM:00000034                mtctr  %r6
ROM:00000038                bctr
R4 holds 0xfaceb003aabbccdd, and R3 is loaded with 0x8000000000465000. The shellcode then walks every 4K boundary starting from 0x8000000000465000 (reading the 8 bytes at offset 0x18 of each page) until it finds 0xFACEB003AABBCCDD at some location; once found, it jumps there and starts executing at offset 0x20.
Cleanup: everything is done now; Ports 5, 4 and 1 are all unplugged. The payload should copy itself into a memory region that will not be freed before Port 1 is unplugged.
Port 6: this device has no actual meaning/function, vid/pid 0xAAAA/0xDEC0; it responds to only one control transfer, 0xAA. When the PS3 sends that control transfer to this device, JB knows it has succeeded and lights its LED.
In the original JB the payload checks whether this device has been unplugged and, if so, calls LV1_Panic to crash the machine. PSGroove removed this check.
As for the payload code, it depends on the PS3 version; there is no specific information about it, because that would require a PS3 main memory dump.
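To make the search loop concrete, here is a C model of it (an added example, not the post's or the exploit's own code) over a constructed 8-page buffer, using big-endian loads the way the PowerPC ld instruction does: each page's qword at +0x18 is compared against the magic and a hit yields page + 0x20. It also shows a caveat the listing implies: cmpw compares only the low 32 bits, so a page carrying just AABBCCDD at that offset is matched as well.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE 0x1000u
#define MAGIC 0xFACEB003AABBCCDDULL
#define NPAGES 8

/* Constructed stand-in for the memory the shellcode walks: 8 pages, all zero except
   where the demo helpers below plant a value at offset 0x18 of a page. */
static uint8_t mem[NPAGES * PAGE];

/* Big-endian 64-bit load, as the PowerPC ld instruction sees memory */
static uint64_t be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void put_be64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Model of the loop at loc_20: r4 = magic, r3 = page-aligned start. Each iteration loads
   the qword at r3+0x18, advances r3 by one page and compares with cmpw, which on 64-bit
   PowerPC only looks at the low 32 bits. On a hit the branch target is r3 - 0xFE0, i.e.
   the matching page + 0x20. The real shellcode has no upper bound; this model stops at
   'len' so it terminates. Returns the entry offset, or (size_t)-1 if no page matched. */
size_t scan_for_magic(const uint8_t *m, size_t len, size_t start, uint64_t magic) {
    for (size_t r3 = start; r3 + 0x20 <= len; r3 += PAGE) {
        uint64_t r5 = be64(m + r3 + 0x18);
        if ((uint32_t)r5 == (uint32_t)magic) return r3 + 0x20;   /* cmpw semantics */
    }
    return (size_t)-1;
}

/* Plant the full magic in page 5 and scan from page 0: expect 5*PAGE + 0x20. */
size_t demo_full_magic(void) {
    memset(mem, 0, sizeof mem);
    put_be64(mem + 5 * PAGE + 0x18, MAGIC);
    return scan_for_magic(mem, sizeof mem, 0, MAGIC);
}

/* Plant a value sharing only the low 32 bits with the magic in page 2: because of cmpw
   the scan stops there, one way such a scan can land on the wrong page. Expect 2*PAGE + 0x20. */
size_t demo_low32_only(void) {
    memset(mem, 0, sizeof mem);
    put_be64(mem + 2 * PAGE + 0x18, 0x00000000AABBCCDDULL);
    put_be64(mem + 5 * PAGE + 0x18, MAGIC);
    return scan_for_magic(mem, sizeof mem, 0, MAGIC);
}
```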