PlayStation 3 Jailbreak

From Wikipedia, the free encyclopedia
(Redirected from PlayStation Jailbreak)
Jump to navigation Jump to search
USB dongle for PlayStation to jailbreak the system.
A PS Jailbreak USB dongle.

PlayStation 3 Jailbreak was the first USB (Universal Serial Bus) chipset that allowed unauthorized execution of code, similar to homebrew, on the PlayStation 3. It works by bypassing a system security check using a memory exploit (heap overflow) which occurs with USB devices that allows the execution of unsigned code. One of the most popular pieces of homebrew software used with the device is Backup Manager, which allows users to copy game titles from the optical media to the hard drive of the PlayStation 3. Backup Manager can also be used to run homebrew applications that are created to run in the console's native mode.

Multiple devices to perform code execution exist, such as the open sourced versions (e.g. PS groove, PS freedom). Most of these only work on PlayStation 3 system software v3.41 or lower as PlayStation's System Software v3.42 patches the mod chip exploit on the console. The creators of PS3 Jailbreak also released PS Downgrade which enables downgrading of PlayStation 3's System Software to v3.41 (Or lower) from v3.42, v3.50, and v3.55.

Present and future support[edit]

In August, 2011, information about hardware that was downgrading PlayStations on system software v3.70 was being released.[1] These hardware mods were NAND/NOR chip flashers that would either be soldered or clipped onto the PlayStation's chips on NAND/NOR chip located on the PlayStation's motherboard.[citation needed] It would then flash the memory off the chip and backup the PlayStation's firmware, downgrading the console when the hard-drive was formatted.[citation needed] These flashers still work on the latest system software version and can be purchased online.[citation needed]

In September 2011, Lulzsec Cody Kretsinger was arrested for attacking Sony pictures website that had previously been taken offline by a DDOS attack lasting over 2 months, Kretsinger had found and released level 0 security codes that could be used to run unauthorized firmware known as CFW ("Custom Firmware").[citation needed] These were the same keys that would have allowed a Chinese hacking group known as "Blue Disk" to release a purchasable CFW (custom firmware) for 4.21 and above.[citation needed] Shortly after, a well-known PlayStation 3 developer, "Rogero," released his free of charge 4.21 CFW.[citation needed] There are now different developers releasing CFWs for the latest versions of PlayStation 3's firmware.[citation needed] These custom firmware render the PlayStation Jailbreak obsolete.[citation needed] They cannot, however, be installed unless the PlayStation 3 is on system software version 3.55 or below.[citation needed]

On June 26, 2013, the 3.60+ loader keys were released to the public by "The Great Unicorns" and on the same day hard-drive encryption for PHAT consoles were released by a developer called "flatz."[citation needed] Following this the Lv1ldr crypto keys were released for 4.21-4.46.[citation needed]

As of December, 2020, websites such as PSX-PLACE are still working on exploiting the vulnerabilities to install CFW on super slim consoles. They are able to run homebrew applications on any version of Playstation 3 by exploiting some vulnerabilities in official firmware of the console.

Inner workings[edit]

The PS3 Jailbreak effectively exploits the PS3 by using a heap overflow. When the dongle is plugged into a PS3 (all models-"Fat" and "Slim") its device descriptors notify the PS3 that it is a 6-port USB hub. After memory is allocated for the device which is the 6-port USB hub, the PS3 Jailbreak then tells the PS3 that a USB device has been plugged into port 1 of the hub. This device contains the payload that will run after the exploit is complete. This device has normal device descriptors for a typical USB device. After memory has been allocated for the payload USB device on port 1, the PS3 Jailbreak then tells the PS3 that another USB device has been plugged into port 2. This device does not hold any data related to the exploit and has typical device descriptors. Next, the PS3 Jailbreak says that another device has been plugged into port 3. This device is very important as it causes a heap exploit later in the process. The port 3 device contains unusually large device descriptors. After memory has been allocated for the port 3, the PS3 Jailbreak then tells the PS3 that the device in port 2 has been removed. This frees up the memory that was used to allocate the device descriptors. After this, another device is plugged into port 4 which holds 3 configuration descriptors with the third holding PowerPC shellcode (which is used to exploit the system and forces the system to run the payload in port 1). In port 5 another device is plugged in which emulates the "PS3 Service Jig", a device used to recover corrupted or non-functional PS3's at Sony factories. This device matches device descriptors and configuration descriptors as the real "Jig" When the PS3 tries to allocate memory to check if the "Jig" is authentic, it fails as a heap overflow occurs - the 64 bytes that has to be allocated points to the next free memory address which is actually not free as it was overwritten earlier in the process. This means that the shellcode gets sent to the CPU to be executed (this exploit passed the unsigned code check) and starts executed as soon as the PS3 detects removal of "devices" in the "USB hub". The shellcode then tells the CPU to read and execute the payload on the first port which effectively allows unsigned code to run on the system.


Sony had taken a few steps to prevent the jailbreak of the PlayStation 3, and has associated the action as a form of copyright infringement. In eastern European countries, no action has ever been taken to condemn such cases.

The cases listed below are lawsuits Sony filed in courts to prohibit the sales and imports of circumvention devices that would jailbreak the system.

  • PS3 Jailbreak was outlawed in Australia as it was considered to be in violation of copyright law. The ban states that PS Jailbreak cannot be imported, distributed to another person or offered to the public.[2]
  • Sony lost a lawsuit in December 2010 in Barcelona against the seller of PS Jailbreak. The sales and imports of the product were therefore deemed legal to use within Spain, and Sony were ordered to pay damages for trying to block the sales and imports.[3]
  • In January 2011, Sony had filed a lawsuit against George Hotz for leaking the encryption keys for the PlayStation 3. The case was settled in April of that year, where Hotz agreed to a permanent injunction to never circumvent a Sony product again.[4] The Court had also approved that Sony's lawyers could obtain the IP addresses of anyone who visited Hotz's website.[5]

See also[edit]


  1. ^ "PS3 Homebrew Wiki". Retrieved 7 June 2022.
  2. ^ "PS3 Modchipserritories like the US, Europe, and Asia to block its sale. Suits are filed against retailers selling the device".
  3. ^ Mark_Raby (2010-12-18). "Powned: Sony ordered to pay restitution to PS Jailbreak seller in Spain". gamesradar. Retrieved 2021-11-14.
  4. ^ "Sony and Hotz settle hacking case". BBC News. 2011-04-12. Retrieved 2021-11-14.
  5. ^ Kravets, David. "Judge Lets Sony Unmask Visitors to PS3-Jailbreaking Site". Wired. ISSN 1059-1028. Retrieved 2021-11-14.