With PSJailBreak, the first crack to circumvent the copy protection system of the Sony PS3 (PlayStation 3) gaming console, now sold at retail at an exorbitant price, the source code for the hack has also been published online, allowing anyone to build the PS3 jailbreak themselves. The open source exploit for the PS3 is PSGroove.
PSGroove is an open-source reimplementation of the PSJailbreak exploit for AT90USB and related microcontrollers. More specifically, PSGroove allows a programmable USB development board with an AT90USB or related microcontroller to be used to bypass the PS3 security system and execute unsigned code. PSGroove is not intended to enable piracy: it has no game copying or ripping features, does not contain a backup manager program and does not natively allow users to play backup games. However, PSGroove is intended to, and can, be used to allow the execution of unsigned third-party apps and games on the PS3, also known as homebrew.
PSGroove, like PSJailBreak, supports the PlayStation 3 running firmware version 3.41. Both work by simulating a USB hub with six devices on an Atmel AVR Solutions AT90USB series, Teensy++ USB or BlackCatUSB microcontroller-based board, where the microcontroller has been flashed with the exploit code. When first connected, the USB key or USB flash drive carrying the crack code sends crafted configuration descriptors to the PS3. A descriptor is used by a USB device to tell the host how many connections it possesses and whether it has an external power supply. Overly long descriptors cause a buffer overflow, allowing exploit code to be injected into the stack and executed on the PS3.
To crack the PS3 and circumvent its copy protection system, the simulated USB hub performs a number of steps when connected to the PS3, emulating the connection of various devices in a specific sequence. During the process, a series of buffer overflows occur, allowing the various exploit code and data to be written to the stack and subsequently executed with lv1 privileges on the console. Both PSJailbreak and PSGroove use a vulnerability first discovered by GeoHot, although no further action was taken at the time. With the exploit code injected, the program then dumps lv1 and syscalls to trick the SPU/SPM into calculating the proper response for the selected dongle ID, like the confidential Sony JIG sticks used in service centers to test and repair broken PS3 SKUs, allowing a full jailbreak of the PS3.
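The descriptor handling described above is the unchecked-length pattern a USB host stack has to guard against: a device-supplied bLength used as the copy size for a fixed buffer. The C parser below is an added example, not PSGroove or Sony code; the host-side limit MAX_HUB_PORTS and the sample descriptors are assumptions constructed for it. It shows the length and consistency checks that stop an over-long hub descriptor from overrunning the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* USB 2.0 hub descriptor (section 11.23.2.1): 7 fixed bytes (bLength,
 * bDescriptorType, bNbrPorts, wHubCharacteristics, bPwrOn2PwrGood,
 * bHubContrCurrent) + two bitmaps of ceil((bNbrPorts + 1) / 8) bytes each. */
#define USB_DT_HUB    0x29
#define HUB_FIXED_LEN 7
#define MAX_HUB_PORTS 7   /* hypothetical host limit chosen for this example */
#define HUB_BUF_LEN   (HUB_FIXED_LEN + 2 * ((MAX_HUB_PORTS + 1 + 7) / 8))

struct hub_desc {
    uint8_t raw[HUB_BUF_LEN];   /* fixed-size copy; must never be overrun */
    uint8_t ports;
};
/* Length a well-formed hub descriptor must have for a given port count. */
size_t hub_desc_expected_len(unsigned ports)
{
    return HUB_FIXED_LEN + 2 * ((ports + 1 + 7) / 8);
}

/* The unsafe pattern is memcpy(out->raw, pkt, pkt[0]): bLength is device
 * controlled, so any value above HUB_BUF_LEN writes past the buffer. This
 * version refuses a descriptor whose bLength exceeds the buffer, exceeds the
 * bytes actually received, or disagrees with bNbrPorts. Returns 0 or -1. */
int hub_desc_parse_checked(const uint8_t *pkt, size_t pkt_len, struct hub_desc *out)
{
    if (pkt_len < HUB_FIXED_LEN) return -1;
    uint8_t blen = pkt[0], ports = pkt[2];
    if (blen > pkt_len || blen > HUB_BUF_LEN) return -1;
    if (pkt[1] != USB_DT_HUB) return -1;
    if (ports == 0 || ports > MAX_HUB_PORTS) return -1;
    if (blen != hub_desc_expected_len(ports)) return -1;
    memcpy(out->raw, pkt, blen);
    out->ports = ports;
    return 0;
}

/* Port count of an accepted descriptor, or -1 if it was rejected. */
int hub_desc_port_count(const uint8_t *pkt, size_t pkt_len)
{
    struct hub_desc d;
    return hub_desc_parse_checked(pkt, pkt_len, &d) == 0 ? d.ports : -1;
}
/* Constructed sample descriptors, not captured from any real device. */
const uint8_t hub_ok[9]       = {0x09, USB_DT_HUB, 0x06, 0x00, 0x00, 0x32, 0x64, 0x00, 0xff};
const uint8_t hub_toolong[64] = {0x40, USB_DT_HUB, 0x06, 0x00, 0x00, 0x32, 0x64}; /* rest 0 */
const uint8_t hub_mismatch[9] = {0x09, USB_DT_HUB, 0x14, 0x00, 0x00, 0x32, 0x64, 0x00, 0xff};
```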
According to developer Mathieulh, the PSGroove exploit code is said to be portable to, and to work on, the Sony PSP (PlayStation Portable) as well.
A Teensy++ USB Development Board costs only $24, while a USB microcontroller from the AT90USB series such as the AT90USBKEY, AT90USB162, AT90USB646, AT90USB647, AT90USB1286, AT90USB1287 or ATMEGA32U4 has a price tag starting from as little as $18, considerably cheaper than PSJailBreak. PSGroove has all the features of PSJailBreak except the backup manager program.
PSGroove source code is now available for free download on github.com.
How to Use and Install PSGroove to Crack PS3
A would-be PS3 hacker has to configure the source code to select the chip and board before compiling, by updating the MCU, BOARD and F_CPU lines in the Makefile. Then, use the AVR GCC toolchain (Debian/Ubuntu package: gcc-avr) or WinAVR on Windows and run the "make" command to compile and build the PSGroove source code into a HEX file. The final step is to program "psgroove.hex" onto the USB board.
The "programmed" USB key or USB flash drive is then ready to jailbreak the Sony PS3. To use the PSGroove-powered USB dongle exploit:
- Hard power cycle your PS3 (using the switch in the back, or unplug it).
- Plug the dongle into your PS3.
- Press the PS3 power button, followed quickly by the eject button.
- Wait a few seconds for the first LED on the USB dongle to light up. After about 5 seconds, the second LED will light up (or the LED will just go off, if you only have one). This confirms that the exploit worked. Look for the new "Install Package Files" menu option in the PS3 game menu.
More information can be found in README.md.
PSGroove Pre-Compiled .HEX Code
For those without a clue about programming and compiling code, a pre-compiled version of PSGroove has been made available. The compiled program has already been patched to enable "backup" support and is available for all boards. To apply the crack to the PS3, just program and write one of the psgroove.hex files onto the board.
Note: PSGroove has been updated with a modified payload that adds peek and poke syscalls to the lv2 kernel; a userspace application can use these syscalls to dump the entire memory space of the kernel or patch the kernel while it is running. The pre-compiled HEX above does NOT include this update.
Note that each HEX file is compiled for a particular board (i.e. Teensy 1.0, Teensy 2.0, Teensy++, Teensy++ 2.0, BlackCat USB or AT90USBKEY), so remember to apply the corresponding version.
Download and Install Backup Manager
While PS Groove claims to be entirely legitimate, intended only for jailbreaking the PS3, by excluding the Backup Manager app (which is used to create, load and run PS3 game backups), the Backup Manager can easily be installed by using a backup-enabled patched version of the PSGroove source files. PS3 owners who have managed to get a "hacked" PS3 can download the Backup Manager below and install it using PSJailBreak or PS Groove.
Backup Manager: manager.pkg (527 KB)
To install Backup Manager, follow these steps:
- Crack or jailbreak the PS3 with the PSGroove-ready USB key stick.
- On the XMB, locate “Install Package”.
- Copy manager.pkg to a FAT32-formatted USB flash drive (any USB flash drive will do).
- Insert the USB flash drive into the PS3 and install Backup Manager.
Currently, both the PSGroove and PSJailbreak exploits work on PS3 firmware 3.41, where the USB hub vulnerability exists. Sony may release a firmware update to fix the bug and close the loophole, or update the PS3's boot code to prevent loading from the USB stick, rendering the hack useless if the user decides to upgrade. Only a PS3 with the latest firmware version is allowed to log into PSN (PlayStation Network) to buy or play games online.
Another warning is that using Backup Manager can get the console banned from PSN. The Backup Manager uses a universal game Title ID (LAUN-12345), which is easily identifiable. Sony can then revoke the dongle's ID, return error 0x8002A227 and possibly suspend the console ID on PSN with the SCE_NP_AUTH_ERROR_CONSOLE_ID_SUSPENDED error.
Note that a Backup Manager Stealth Edition has been circulating on the Internet, but it is reported not to work.
PSGroove has been ported to other devices, including added support for the PIC18F2550 chipset. Download the source code for the PSGroove port that supports PIC18F2550-based USB boards, pspic2.rar, from psx-scene.com. Users need some knowledge of PIC programming to build a boot-loader, and the commercial CCS compiler V4.112 to compile the code into a .HEX file. The good news is that the Xbox 360 USB SPI NAND reader with the 12 MHz crystal, which uses the same chipset, can be used to hack the PS3 with the PSGroove port. More details on the modified PSGroove for the Xbox 360 USB SPI NAND reader are available here.
Another port is PS3JB, a FLASH application for the TI-84 Plus and TI-84 Plus Silver Edition that implements the PSGroove exploit for the PlayStation 3 console. By connecting a USB cable between a PS3 and the calculator running the application, you can trigger the PSGroove exploit from the graphing calculator. More details at http://brandonw.net/ps3jb/.
Another open source project, PSFreedom, allows mobile devices to be used as a simulated USB hub to exploit the PS3.