PS Jailbreak 原理分析

å¾ä¹æ²¡æåææ¯æç« äºï¼æè¿PS3破解æ¯è¾ç«ç­ï¼æå°±åæä¸ä¸ã

é¦åéè¦ä»ç»ä¸äºç ´è§£ç¨å°çåºå±ææ¯ï¼

• Heap overflow

Heapï¼å ï¼æ¯ææç¼ç¨è¯­è¨åºå±åå­ç®¡ççåºç¡ï¼å³ä¾¿ç¨æ±ç¼å¯ä»¥è¡ä¹±æï¼å大ç¨åºä¹è¯å®è¿ä¼ç¨å°å ç®¡çå¨ãå¨cc++éé¢ï¼å½æ们ç¨mallocãfreeãnewãdeleteä¹ç±»çåå­æä½å½æ°ï¼æ们就åå ç®¡çå¨æ交éäºãå ç®¡çå¨çå®ç°æå¾å¤ç§ï¼ç®æ³åæä¸åï¼æç¨çº¢é»æ ï¼ä¹æç®åçlinklistï¼è¿æ为äºæé«æ§è½åªè½åéåºå®å°ºå¯¸çåå­æ± ã

è¿äºä¸åçå®ç°å¤§å¤æ°æä¸ä¸ªå¸åç¹å¾ï¼å¯¹é½ãç±äºç°ä»£è®¡ç®æºä½ç³»ç»æçç¼æï¼å¯¹é½çæ°æ®ææè¾é«ç访é®é度ï¼å¨æäºç¡¬ä»¶ä½ç³»æ¶æä¸ï¼è®¿é®é对é½åå­çè³ä¼ç´æ¥å¯¼è´machine checkãç±äºå¯¹é½ï¼æ¯å¦æ们请æ±100å­èï¼å¶å®å ç®¡çå¨ä¼èªå¨éåä¸ä¸ªå¯¹é½ç尺寸ï¼ç¶ååéé£ä¹å¤§çä¸åï¼æ¯å¦è¯´128å­èï¼æ¥è¿åç»æ们ãå½ç¶è¿ä¸ªæè¿°æ¯ä¸ç²¾ç¡®çï¼ä¸é¢è§£éä¸ä¸ã

å ç®¡çå¨éè¦ç»´æ¤å®æ管ççæ¯ä¸ååå­ï¼ä¹å°±æ¯è¯´ï¼è¦ç»´æ¤æ¯ååå­çç¸å³ä¿¡æ¯ï¼æ¯å¦é¿åº¦ï¼ååååæéï¼ç¶æï¼æªåéï¼å·²åéç­ï¼ï¼é£ä¹è¿ä¸ªç¶ææä¹ç»´æ¤å¢ï¼ä¸ç§å¾å¸¸è§çåæ³æ¯ï¼æ¾å¨è¿ä¸ªåå­åçé¦é¨ã

å设ç°å¨ç¨åºåç³è¯·100å­èï¼åå­åä¿¡æ¯æ¬èº«16å­èï¼é£ä¹å ç®¡çå¨å°±ä¼æ¾ä¸ä¸ª128é¿åº¦çåå­åï¼å¦æ没æè¿ä¹å¤§çï¼å®ä¼æç§ä¸å®çç®æ³ï¼æ¯å¦æ ¹æ®æ¯ååå­çä¿¡æ¯å并æªåéåï¼ï¼æè¿ååå­çé¦æé+16è¿åç»ç¨åºåï¼äºæ¯ç¨åºåå¾é«å´ï¼ä»æäº100å­èçåå­ã注æï¼å¨å¤èçç³»ç»ä¸å¶å®ä»å¯ä»¥å®å¨ç访é®128-16å­èãå¨ç°ä»£ç³»ç»ä¸å°±ä¸è¡äºï¼å ç®¡çå¨ä¼å¨è¿100å­èåååç¹æ®æ è®°ï¼å¨ç¡¬ä»¶é¡µç尺度ä¸ä¹ä¼è®¾å®ä¸å®çä¿æ¤ï¼è¯·åèNXDEPï¼ï¼å¦æä½ åè¿äº100ï¼å½freeè¿ååå­çæ¶åï¼å ç®¡çå¨ä¼åç°æ è®°è¢«ç ´åï¼ä¹å°±æ¯heap overflowäºã

å¦ææ们å¨è¿100å­èçåå­ä¸åäº256å­èçæ°æ®å¢ï¼ä¸ä¸ªæ大æ¦ççäºä»¶æ¯ï¼æ们破åäºé»è¿çåå­åçä¿¡æ¯ãè¿å°±ä¸ºæ¶ææ»å»å¶é äºæºä¼ã

• USB

USBæ¯ä¸ç§ä¸å¯¹ç­æ»çº¿ï¼ä¹å°±æ¯æ主æºå客æ·æºçåºå«ï¼ææçæä½é½ç±HostååºãUSBæ两个æ¯è¾éè¦çæ¦å¿µï¼å°åï¼ç«¯ç¹ã

å说å°åï¼Hostæ¯æ²¡æå°åçï¼åªæ设å¤ææã类似çæ¦å¿µæ¯MACå°åï¼å±åç½ç¨æ®éhub大家è¿å¨ä¸èµ·ï¼ææçæ°æ®åé½ä¼ç»è¿ä½ çç½å¡ï¼åªæ符åä½ çMACçæ°æ®åç½å¡æä¼æ¥åï¼æ³¨æè¿æ¯æåå§çæåµï¼è¯·ç½ç»å¸ææ­£ï¼ã

å½ä¸ä¸ªæ°çUSB设å¤æå¥hostï¼æ¯å¦ä¼çï¼ç±äºUSBæ¥å£ä¸ççµå¹³ååï¼HOSTæ§å¶å¨å¾ç¥æ设å¤æå¥å¹¶ä¸åºååºæ¯1.xè¿æ¯2.0ï¼ä¸æä¸æçµé»ä¸åï¼ï¼æ­¤æ¶è®¾å¤ï¼ä¼çï¼çUSBå°åæ¯0ï¼HOSTæ§å¶å¨åè¿ä¸ªå°åéä¿¡ï¼å¹¶ç»è®¾å¤æå®ä¸ä¸ªæ°çUSBå°åï¼èå´å¨1~~127ï¼å¯ä»¥æ³è±¡æ¯DHCPè¿ç¨ï¼ï¼éåHOSTæ§å¶å¨å°±ç¨æ°çUSBå°åæ¥è®¿é®è®¾å¤äºï¼æ¯ä¸ä¸ªæ°æå¥ç设å¤é½ä¼è¿ä¹å¤çï¼äºæ¯ä½ æä¸ä¸¤ä¸ªä¸æ ·çä¼çï¼å®ä»¬ä¹ä¼å¾å°ä¸åçUSBå°åï¼äºæ¯ç³»ç»å°±è½åºåå¼ä¸¤ä¸ªä¼çäºã

USB HOSTæ§å¶å¨ç»è®¾å¤åéäºæ°çUSBå°å以åï¼å°±å¼å§é®ï¼ä½ æ¯ä»ä¹ä¸è¥¿åï¼ä½ æä»ä¹åè½é¿å¦æ­¤å¦æ­¤ï¼è®¾å¤ä¼ç¨æ述符ï¼descriptorï¼çæ¹å¼åºç­ï¼descriptoræ ¼å¼USBè§èéé¢æï¼ï¼æçVIDæ¯xxï¼æçPIDæ¯yyï¼æçåå­å«zzâ¦â¦å¦æ­¤å¦æ­¤ã

åæ说å°äºUSBå°åï¼è¿ä¸ªæ°å¼USBæ¶åå¨æ§å¶çµè·¯ä¼ä¿å­ä¸æ¥ç¨äºä»åçéä¿¡ï¼ä½æ¯å ä¸ºè¿ä¸ªä¸è¥¿æ¯è¾ç¹æ®ï¼æ以大å¤æ°çè¯çæ¯ä¸è½æ工修æ¹èªå·±çUSBå°åçã

端ç¹æ¯çæ­£æ§è¡æ°æ®éä¿¡ç端å£ï¼ç«¯ç¹0æ¯å§ç»å¯ä»¥ç¨çï¼è¢«ç§°ä¸ºæ§å¶ç«¯ç¹ï¼å·ä½å°±ä¸ç»è¯´äºã

okï¼ä¸é¢åºè¯è¿ä¹å¤ï¼ä¸é¢å¼å§è¯´ä¸»é¢ï¼PS Jailbreakã

ä¸å¥è¯æ¦æ¬ï¼PS Jailbreakéè¿ç²¾å¿æé çç¹æ®USBæ述符ï¼ä½¿PS3å¤çè¿äºæ述符çæ¶åHeap overflowï¼å¯¼è´ä»£ç æ³¨å¥è¿èè·åäºGameOSç访é®æéã

ä¸é¢è¯¦ç»ä»ç»PS Jailbreakï¼ä»¥ä¸ç®ç§°JBï¼æ»å»è¿ç¨

ï¼ç»å¤§å¤æ°ç¿»è¯èªhttp://ps3wiki.lan.st/index.php/PSJailbreak_Exploit_Reverse_Engineeringï¼å¹¶å ä¸å¿è¦ç解é说æï¼ï¼

JB设å¤çå¤å½¢ï¼æ³¨æä¸æ¯ç©çå¤å½¢ï¼æ¯ææ¯ä¸çï¼æ¯ä¸ä¸ªâå­å£ USB Hubâï¼æ³¨ææç¨äºåå¼å·ï¼è¿ä¸è¥¿åªæ¯å¯¹å¤å®£ç§°èªå·±æ¯Hubï¼å®éä¸åªæ¯ä¸ºäºæ»¡è¶³USBåè®®çéæ±ï¼å¹¶æ²¡æå®æ´å°å®ç°USB Hubçå¨é¨åè½ã

PS3å¼æºçæ¶åï¼å¨ç¹å®çæåµä¸ä¼å¨USBæ¥å£ä¸æç´¢å®æ¹çJIG设å¤ï¼æä¸ç¥éè¿ç©æçå·ä½åè½ï¼æä½æ¹æ³æ¯æPOWERå200msåæEjectï¼ï¼JBå©ç¨è¿ä¸ªç¹æ§å¨å¼æºæ£æµJIGçæ¶åå¨å¶èæçå­ä¸ªUSB Portä¸è½®çªææ6个设å¤ï¼â¦â¦â¦â¦ï¼ï¼ç±äºç³»ç»éè¦ä¸ºæ¯ä¸ªè®¾å¤çå¤çè¿ç¨åéåå­ï¼éè¿ç²¾å¿æé çUSBæ述符ï¼å®ç°äºHeap overflowã

Port1ï¼Hubåå§å以åï¼ç¬¬ä¸ä¸ªè®¾å¤æå¥ï¼pid/vid 0xAAAA/0x5555ï¼æ4个éç½®ï¼æ¯ä¸ä¸ªé¿åº¦é½æ¯0xf00ï¼ç±äºè¿ä¸ªé¿åº¦æ²¡æè¶è¿4Kç页é¢ï¼æ以æ¨æµPS3ç³»ç»çmallocä¼ä¸ºæ¯ä¸ä¸ªéç½®åéä¸ä¸ª4kçåå­é¡µã为ä»ä¹è¦4个å¢ï¼å ä¸ºå¯è½å·²ç»æ空é²åå­äºï¼ç¨4个æ¯ä¿è¯æ足å¤å¤§çæ¦çæ页é¢å¯¹é½å°4kè¾¹çä¸ãç¶åJBéæ°æ¥åå¶é置为18å­èãå¶å®å¨è¿ä¸ªæ¯è¾é¿çéç½®éé¢åå«æpayloadï¼ä¹å°±æ¯ç¨äºæ³¨å¥æ»å»çåè½ä»£ç ï¼ã

Port2ï¼PS3读åå®æ1å·è®¾å¤çæ述符以åï¼JBåæ¢åHub USBå°åï¼ç¶åè°ç§°ç¬¬äºä¸ªè®¾å¤æå¥ï¼pid/vid 0xAAAA/0xBBBBï¼è¿ä¸ªè®¾å¤æä¸ä¸ª22å­èçæ述符ï¼åªæå18个å­èæ¯ææä¹çï¼æå4个æä¹ä¸æã

Port3ï¼éåè¿ä¸ªè®¾å¤æå¥ï¼pid/vid 0xAAAA/0x5555ï¼å第ä¸ä¸ªä¸æ ·ä½æ¯æ述符ä¸ä¸æ ·ï¼ä»æ两个éç½®æ述符ï¼æ¯ä¸ä¸ªé¿åº¦ä¸º0xa4dï¼å¤§é¨åçæ°æ®è¢«è®¤ä¸ºæ¯åå¾ãæç§å¯¹å ç®¡çå¨ççæµï¼è¿äºæ述符ä¼è¢«æ¾å¨ä¸ä¸ªæ°ç4k页é¢ä¸ï¼ç´§éä¹åç两个设å¤ã

Port2ï¼æåºãè¿ä¸ªè®¾å¤çæåºå¯¼è´ä¸ä¸ªæ¾èæè§çç»æï¼ç¬¬ä¸ä¸ªè®¾å¤å第ä¸ä¸ªè®¾å¤ä¹é´åéçåå­è¢«éæ¾äºã

OKï¼ä¸é¢è¿æ ·çæè¾ï¼åå¤å¥½äºçæ­£çæ»å»ç¯å¢ä¸ä¸æã

Port4ï¼è¿æ¥ãpid/vid 0xAAAA/0x5555ï¼æä¸ä¸ªéç½®æ述符ã

éç½®æ述符Aï¼18å­èç正常æ述符ã

éç½®æ述符Bï¼åAä¸æ ·çæ述符ï¼ä½æ¯å½PS3å次读åå®ä¹åï¼å®æèªå·±çé¿åº¦åæäº0å­èãè¿æ¯ç ´è§£çå³é®ä¹å¤ï¼ä½æ¯å¶å·ä½å«ä¹å«æ··ä¸æ¸ï¼å®å¯¼è´äºéç½®æ述符Cåé¢çæ°æ®è¦çäºæä¸ä¸ªmallocçè¾¹çæ å¿ï¼å¾å¯è½æ¯å±äºPort3çãä½æ¯è¿ä¸ªæº¢åºç详ç»åå ææå¾çæ»å»ä»£ç æ¬èº«äºã

éç½®æ述符Cï¼è¿ä¸ªæ述符å¼å§åAæ¯ä¸æ ·çï¼ä½æ¯æåå¤äº14个å­èã

.. .. 3e 21 00 00 00 00
fa ce b0 03 aa bb cc dd
80 00 00 00 00 46 50 00
80 00 00 00 00 3d ee 70

åå­ä¸ªå­è被认为æ¯å ä½ï¼ä½æ¯æä¸è¿ä¹è®¤ä¸ºï¼by hyperirisï¼ï¼æ¥ä¸æ¥æ¯ä¸ä¸ªmagic numberï¼fa ce b0 03 aa bb cc ddï¼ç¨è±è¯­æ¥çå°±æ¯FACEBOOK AABBCCDDï¼éåçæ°æ®æ¯ä¸ä¸ªæéï¼å®è¦çäºmallocåçè¾¹çæ è®°ï¼è¿ä¼å¯¼è´mallocå¨ä¹åå¤çè¿ä¸ªåçæ¶ååçé误ï¼ä½¿å¶æç§æ»å»èçææ¿å¨æå®çä½ç½®æä½åå­ãï¼è¿æ¯ä¸¤ä¸ª64ä½çæéï¼by hyperirisï¼

Port5ï¼å½Port4å®æå·¥ä½ä»¥åï¼åçJIG被æå¥å°äºPort5ï¼å®åSONYå®æ¹çJIG PID/VID 0x054C/0x02EB æ¯ä¸æ ·çï¼æ¨æµåå®æ¹çéç½ ®å端ç¹ä¸è´ã

å¯ä»¥çæµç±äºè¿ä¸ªç©æï¼JIGï¼æ¯PS3å·²ç¥ç设å¤ï¼PS3ç³»ç»ä¸ä¼ä¸ºå®å¨å ä¸åéåå­ã

éåPS3åé64å­èçæ°æ®è¦æ±JIGè¿è¡è®¤è¯ï¼ç¶åJBè¿å64å­èçåºç­ãPS3å°ä¼åéåå­æ¥ä¿å­è¿ä¸ªåºç­ï¼ï¼ï¼ï¼ï¼ï¼ï¼ç±äºä¹åmallocåçè¾¹çæ è®°å·²ç»è¢«Port4çæå¥æä¿®æ¹ï¼æ以è¿æ¬¡åå­åéå°ä¼å¨ä¸ä¸ªè®¾è®¡å¥½çä½ç½®ï¼ä¹å°±æ¯æä¸ä¸ªå½æ°çåé¢ï¼ï¼æå½æ°24å­èå移ä¹åï¼ï¼ç¶åå½æ°çåé¢è¢«è¿64å­èè¦çäºï¼ï¼ï¼ï¼ï¼ï¼

ç±äºç³»ç»çJIG认è¯ä»£ç æ²¡æ被patchï¼æ以JBè¿åçæ°æ®è¢«éªè¯æ æã

Port3ï¼æåºãJBç°å¨éç¥PS3ï¼Port3æåºï¼è¿å¯¼è´PS3éæ¾ä¸ºPort3设å¤éç½®æ述符åéçåå­ï¼ä¹å°±æ¯è¢«Port4设å¤æ述符è¦ççé£ä¸ªã

äºæ¯Shell codeæ­¤å»è¢«è°ç¨ï¼R3å¯å­å¨ç°å¨æåçæ¯Port3éç½®æ述符çåå­è¾¹çæ è®°ä½ç½®ã

Shellcodeï¼

ROM:00000018                 ld      %r4, -0x10(%r3)
ROM:0000001C                 ld      %r3, -8(%r3)
ROM:00000020
ROM:00000020 loc_20:                               # CODE XREF: sub_18+14�j
ROM:00000020                 ld      %r5, 0x18(%r3)
ROM:00000024                 addi    %r3, %r3, 0x1000
ROM:00000028                 cmpw    %r4, %r5
ROM:0000002C                 bne     loc_20
ROM:00000030                 addi    %r6, %r3, -0xFE0
ROM:00000034                 mtctr   %r6
ROM:00000038                 bctr

R4ä¿å­çå°±æ¯0xfaceb003aabbccddï¼ç¶åR3å è½½0x8000000000465000ï¼ç¶åshellcodeä»0x8000000000465000å¼å§æç´¢æ¯ä¸ä¸ª4kè¾¹çï¼ç´å°å¨æä¸ä¸ªä½ç½®åç°0xFACEB003AABBCCDDï¼åç°ä¹åï¼shellcode跳转å°é£éï¼ä»å移0x20å¤å¼å§æ§è¡ã

æ¸çï¼ç°å¨ä¸åé½æ¸éäºï¼Port5ï¼4ï¼1é½å°è¢«æåºãPayloadåºè¯¥å¨Port1æåºä¹åå°èªå·±å¤å¶å°ä¸ä¸ªä¸ä¼è¢«éæ¾çåå­åéã

Port6ï¼è¿ä¸ªè®¾å¤æ²¡æä»»ä½çå®éæä¹/åè½ï¼vid/pid 0xAAAA/0xDEC0ï¼åªååºä¸ä¸ªæ§å¶ä¼ è¾0xAAï¼å½PS3ç»è¿ä¸ªè®¾å¤åéè¿ä¸ªæ§å¶ä¼ è¾ï¼JBå°±ç¥éèªå·±æåäºï¼å¹¶ç¹äº®LEDã

å¨åå§çJBéé¢ï¼payloadä¼æ£æµè¿ä¸ªè®¾å¤æ¯ä¸æ¯è¢«ææï¼å¦æææäºï¼å°±è°ç¨LV1_Panicå®æºãPSGrooveæè¿ä¸ªå»é¼åè½å»æäºã

è³äºpayload代ç ï¼åPS3çæ¬æå³ï¼å·ä½èµæ没æï¼å ä¸ºéè¦ps3 main memory dumpã

转载于:https://www.cnblogs.com/skogkatt/archive/2010/09/09/4163797.html