;PS3JB - PS3 Jailbreaker
; (C) 2010 by Brandon Wilson. All rights reserved.
;Portions in util.asm, equates.inc (C) Dan Englender.
;I apologize in advance for the true awfulness that is this code file.
;
;-----------------------------------------------------------------------
; File overview (review notes)
;
; Target/syntax: Z80 assembly for the TI-83 Plus family (ti83plus.inc),
;   built as a Flash application (header.asm). OS entry points are reached
;   through the B_CALL / B_JUMP macros. "$$:" is an anonymous label; "$F"
;   and "$B" refer to the next / previous one.
;
; What this module does: after the user picks "PS3 Jailbreak" from the menu,
;   the calculator's USB port is driven by a state machine (mainKeyLoop)
;   that, from the host's point of view, presents a hub and then a sequence
;   of devices (descriptors Device1..Device6, declared EXTERN). Each step
;   waits for an event reported by the USB handler elsewhere in the project
;   (lastPortResetClear / lastPortConnClear / lastPortStatus / jigBytesReceived
;   / the *_READY and DONE states are never written in this file) and then
;   advances. The 64-byte jigResponse blob is forwarded verbatim to the host.
;
; Globals written here and read elsewhere (GLOBALS ON): deviceDescAddress,
;   configDescAddress, shortConfigDescAddress, maxPacketSize, USBaddress,
;   hubIntResponse, curAddressIndex. None of them is defined in this file.
;
; Hardware I/O used here (meaning hedged - confirm against ti83plus.inc):
;   port 04h bit 3   : ON-key status (clear = pressed, per sInstructions)
;   port 06h / 07h   : memory bank A / bank B page select
;   port 54h, 80h, 8Eh, 91h : USB controller registers
;-----------------------------------------------------------------------

        include "settings.inc" ;Specific settings for this application
        NOLIST
        include "ti83plus.inc"
        LIST
        include "equates.inc" ;Equates and macros to be used
        include "header.asm"

        GLOBALS ON
        SEGMENT MAIN

; Routines and descriptor tables supplied by the other modules of the app.
        EXTERN DispHexA,IGetKey,IPutS,IPutC,DispHexHL,DialogBox,DriverInit,VPutSAppCenter,StopLog,WaitTimerBms,ifastcopy
        EXTERN USBactivityHook,sendReadResponse,SendData,MassStorageInit,VPutSApp,MassStorageHandle,CalculatorInit,LCDdelay
        EXTERN KeyboardInit,DriverKill,SendInterruptData,PutSApp,SendKeypress,fastCopy,SetupLog,DispLog,InitializePeriphUSB
        EXTERN BCALL_replacement,BCALL_replacementStart,BCALL_replacementEnd,silentLinkHook,receiveAndWriteUSBData_fromInt
        EXTERN initUSBStuff,initCrystalTimer,MouseInit,GamepadInit,RecycleUSB,getNext,WaitTimer20ms,WaitTimer40ms,WaitTimer100ms
        EXTERN Device4DeviceDescriptor,Device4ConfigDescriptor1,Device5DeviceDescriptor,Device5ConfigDescriptor
        EXTERN Device1DeviceDescriptor,Device1ShortConfigDescriptor,Device1ConfigDescriptor,Device2DeviceDescriptor
        EXTERN HubDeviceDescriptor,HubConfigDescriptor,Device3DeviceDescriptor,Device3ConfigDescriptor,Device2ConfigDescriptor
        EXTERN Device6DeviceDescriptor,Device6ConfigDescriptor

; RAM variables (Var name,size).
        Var lwrCaseFlag,1          ;saved appLwrCaseFlag, restored in exitApp (written elsewhere, presumably header.asm - confirm)
        Var menuAddr,2             ;pointer to the menu table currently shown (see mainMenu for the layout)
        Var numChoices,1           ;number of entries in that menu
        Var deviceBitmap,12        ;6 ports x 2 bytes, written by TogglePortConnection/DisconnectPort; consumed elsewhere
        Var deviceChangedBitmap,12 ;6 ports x 2 bytes, same writers; consumed elsewhere
        Var deviceAddressMap,7     ;USB address per index: 0 = hub, 1..6 = device on that port
        Var jailbreakState,1       ;current state of mainKeyLoop (JB_INIT .. P4_WAIT_ENUMERATE below)
        Var lastPortResetClear,1   ;1-based port whose reset was last cleared by the host (set outside this file)
        Var lastPortConnClear,1    ;1-based port whose connection change was last cleared (set outside this file)
        Var lastPortStatus,1       ;last port status code seen; compared against 01h..05h below (meaning set outside this file)
        Var hubIntResponse,1       ;pending hub status-change bitmap: bit n = port n (bit 0 = hub); 0 = nothing pending
        Var portCur,1              ;index (0 = hub, 1..6 = device) whose address is currently active
        Var curAddressIndex,1      ;only cleared here; used by other modules
        Var maxPacketSize,1        ;bMaxPacketSize0 of the active device descriptor (see SetMaxPacketSize)
        Var jigBytesReceived,1     ;byte count received from the host on device 5 (counted outside this file)

;Possible states
; Values of jailbreakState. mainKeyLoop moves between them; the *_READY
; states and DONE are entered by code outside this file.
JB_INIT             EQU 1
WAIT_HUB_READY      EQU 2
HUB_READY           EQU 3
P1_WAIT_RESET       EQU 4
P1_WAIT_ENUMERATE   EQU 5
P1_READY            EQU 6
P2_WAIT_RESET       EQU 7
P2_WAIT_ENUMERATE   EQU 8
P2_READY            EQU 9
P3_WAIT_RESET       EQU 10
P3_WAIT_ENUMERATE   EQU 11
P3_READY            EQU 12
P2_WAIT_DISCONNECT  EQU 13
P4_WAIT_CONNECT     EQU 14
P4_WAIT_RESET       EQU 15
P4_READY            EQU 16
P5_WAIT_RESET       EQU 17
P5_WAIT_ENUMERATE   EQU 18
P5_CHALLENGED       EQU 19
P5_RESPONDED        EQU 20
P3_WAIT_DISCONNECT  EQU 21
P3_DISCONNECTED     EQU 22
P5_WAIT_DISCONNECT  EQU 23
P5_DISCONNECTED     EQU 24
P4_WAIT_DISCONNECT  EQU 25
P4_DISCONNECTED     EQU 26
P1_WAIT_DISCONNECT  EQU 27
P1_DISCONNECTED     EQU 28
P6_WAIT_RESET       EQU 29
P6_WAIT_ENUMERATE   EQU 30
DONE                EQU 31
P4_WAIT_ENUMERATE   EQU 32

;-----------------------------------------------------------------------
; AboutScreen
; Shows the about text, web address, version and build strings, waits for
; a key, then falls through into Init (redraws the main menu).
; Clobbers: a, hl, OS cursor/pen variables.
;-----------------------------------------------------------------------
AboutScreen: ;Display the About screen
        B_CALL ForceFullScreen
        B_CALL ClrLCDFull
        ld hl,1
        ld (curRow),hl                  ;curRow = 1, curCol = 0
        ld hl,sAboutText
        call PutSApp
; Splash image display is disabled (Splash_DS data is commented out below).
; ld hl,Splash_DS
; ld de,appBackUpScreen
; ld bc,57
; ldir
; ld hl,appBackUpScreen
; ld de,49*256+5
; B_CALL DisplayImage
        ld a,53
        ld (penRow),a
        ld hl,Intro_Web
        call VPutSAppCenter
        ld hl,30*256+29                 ;penRow = 29, penCol = 30
        ld (pencol),hl
        ld hl,Intro_Version
        call VPutSApp
        ld a,37
        ld (penRow),a
        ld hl,Intro_Build
        call VPutSAppCenter
        xor a
        ld (kbdKey),a                   ;discard any pending keypress before waiting
        ld (kbdScanCode),a
        B_CALL GetKey                   ;any key; fall through into Init

;-----------------------------------------------------------------------
; Init
; Resets the app flag byte, selects mainMenu and falls into DrawMenu.
;-----------------------------------------------------------------------
Init:
        B_CALL CanAlphIns               ;OS routine (alpha/insert cursor state) - purpose not shown here
        ld (iy+PS3JBFlags),0            ;clear every app flag at once
        ld hl,mainMenu
        ld (menuAddr),hl

;-----------------------------------------------------------------------
; DrawMenu / keyLoop
; Menu table layout (see mainMenu): title string,0 ; count byte ;
; then count x ( entry string,0 ; DW handler ).
; DrawMenu prints the title on the home screen row 0 and one entry per
; following row. keyLoop waits for a digit key 1..count and jumps to the
; matching handler; QUIT and CLEAR leave the app.
; Relies on PutSApp advancing hl past the string terminator (inferred from
; the hl arithmetic below - confirm in util.asm).
;-----------------------------------------------------------------------
DrawMenu:
        B_CALL ClrLCDFull
        B_CALL HomeUp
        ld hl,(menuAddr)
        call PutSApp                    ;title; hl now at the count byte
        ld de,0001h                     ;e = row 1, d = col 0 (stored into curRow/curCol as a pair)
        ld b,(hl)
        ld a,b
        ld (numChoices),a
        inc hl                          ;hl -> first entry string
$$:
        push bc
        ld (curRow),de
        push de
        call PutSApp                    ;hl -> past terminator, at the DW
        pop de
        inc e                           ;next row
        inc hl                          ;skip the 2-byte handler address
        inc hl
        pop bc
        djnz $B
keyLoop:
        B_CALL GetKey
        cp kQuit
        jr z,exitApp
        cp kClear
        jr z,exitApp
        cp k1
        jr c,keyLoop                    ;below '1': ignore
        sub k1                          ;a = 0-based choice
        ld b,a
        ld a,(numChoices)
        dec a
        cp b
        jp m,keyLoop                    ;choice > count-1: ignore
        inc b                           ;b = 1-based choice
        push bc
        ld hl,(menuAddr)
        xor a
        ld bc,24                        ;NOTE: each menu string must be shorter than 24 bytes for cpir to find its terminator
        cpir                            ;skip the title
        inc hl                          ;skip the count byte
        pop de                          ;d = 1-based choice
        dec hl
        dec hl
$$:
        inc hl                          ;skip previous entry's DW (first pass: undo the dec hl above)
        inc hl
        xor a
        ld bc,24
        cpir                            ;skip this entry's string
        dec d
        jr nz,$B
        ld e,(hl)                       ;hl -> handler address of the chosen entry
        inc hl
        ld d,(hl)
        ex de,hl
        jp (hl)

;-----------------------------------------------------------------------
; PS3Jailbreak
; Menu handler: resets all state machine variables, presents the hub
; descriptors, installs the USB activity hook and enters mainKeyLoop.
; Runs with interrupts disabled inside mainKeyLoop; sleeps in startKeyLoop.
;-----------------------------------------------------------------------
PS3Jailbreak:
;Set everything back to initial state
        ld a,02h
        out (54h),a                     ;USB controller register; exact purpose not visible here
        set appAutoScroll,(iy+appFlags)
        call StartLog
        ld a,JB_INIT
        ld (jailbreakState),a
        xor a
        ld (lastPortResetClear),a
        ld (lastPortConnClear),a
        ld (hubIntResponse),a
        ld (portCur),a
        ld (curAddressIndex),a
        ld (lastPortResetClear),a       ;(second clear of the same byte; harmless)
        ld (jigBytesReceived),a
        ld (iy+asm_Flag2),0
        res overrideSize,(iy+PS3JBFlags)
        res useShortConfigDesc,(iy+PS3JBFlags)
        res sentInterruptData,(iy+PS3JBFlags)
        res 5,(iy+41h)                  ;unnamed OS flag byte 41h, bits 5 and 0 - presumably USB flags; confirm
        res 0,(iy+41h)
        ld hl,deviceBitmap
        ld bc,12
        B_CALL MemClear
        ld hl,deviceChangedBitmap
        ld bc,12
        B_CALL MemClear
        ld hl,deviceAddressMap
        ld bc,7
        B_CALL MemClear
        ld hl,HubDeviceDescriptor       ;start out presenting the hub
        ld (deviceDescAddress),hl
        ld hl,HubConfigDescriptor
        ld (configDescAddress),hl
        call SetMaxPacketSize
        ld hl,USBactivityHook
        in a,(6)                        ;a = page the hook lives on (current bank A page)
        B_CALL EnableUSBActivityHook
        B_CALL ClrLCDFull
        B_CALL HomeUp
        ld hl,sInstructions
        call PutSApp

; Main state machine. Each block compares jailbreakState (or a pending
; hub status change) and either re-checks immediately (jr mainKeyLoop)
; or sleeps until the next interrupt (jr startKeyLoop). Port arguments to
; TogglePortConnection/DisconnectPort are 0-based; SwitchPort takes
; 0 = hub, 1..6 = device.
mainKeyLoop:
        di
        ld a,(jailbreakState)
        cp P1_READY
        jr nz,$F
        xor a                           ;speak as the hub again
        call SwitchPort
        ld a,P2_WAIT_RESET
        ld (jailbreakState),a
        ld a,1                          ;report port 2 connected
        call TogglePortConnection
        jr mainKeyLoop
$$:
        ld a,(jailbreakState)
        cp HUB_READY
        jr nz,$F
        B_CALL ClrLCDFull
        B_CALL HomeUp
        ld hl,sWorking
        call IPutS
        ld a,P1_WAIT_RESET
        ld (jailbreakState),a
        xor a                           ;report port 1 connected
        call TogglePortConnection
        jr mainKeyLoop
$$:
; Flush a pending hub status-change bitmap as a 1-byte interrupt transfer.
        ld a,(hubIntResponse)
        or a
        jr z,$F
        push af
        xor a
        ld (hubIntResponse),a           ;consume it before sending
        pop af
        ld b,01h                        ;b = length (1 byte); c = 01h (endpoint, presumably)
        ld c,01h
        ld hl,OP1
        ld (hl),a
        call SendInterruptData          ;falls through to the next check
$$:
        ld a,(jailbreakState)
        cp P2_READY
        jr nz,$F
        xor a
        call SwitchPort
        ld a,P3_WAIT_RESET
        ld (jailbreakState),a
        xor a
        ld (lastPortResetClear),a
        ld a,2                          ;report port 3 connected
        call TogglePortConnection
        jr mainKeyLoop
$$:
        ld a,(jailbreakState)
        cp P3_WAIT_RESET
        jr nz,$F
        ld a,(lastPortResetClear)
        cp 3
        jr nz,$F
        ld a,3                          ;become device 3
        call SwitchPort
        ld hl,Device3DeviceDescriptor
        ld (deviceDescAddress),hl
        call SetMaxPacketSize
        ld hl,Device3ConfigDescriptor
        ld (configDescAddress),hl
        res useShortConfigDesc,(iy+PS3JBFlags)
        ld a,P3_WAIT_ENUMERATE
        ld (jailbreakState),a
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P3_READY
        jr nz,$F
        xor a
        call SwitchPort
        ld a,1 ;this is port 2
        call DisconnectPort
        ld a,P2_WAIT_DISCONNECT
        ld (jailbreakState),a
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P1_WAIT_RESET
        jr nz,$F
        ld a,(lastPortResetClear)
        cp 1
        jr nz,$F
;Time to switch the address and start listening to device 1
        ld a,1
        call SwitchPort
        ld hl,Device1DeviceDescriptor
        ld (deviceDescAddress),hl
        call SetMaxPacketSize
        ld hl,Device1ShortConfigDescriptor
        ld (shortConfigDescAddress),hl
        ld hl,Device1ConfigDescriptor
        ld (configDescAddress),hl
        set useShortConfigDesc,(iy+PS3JBFlags) ;device 1 is the only one with a short config descriptor
        ld a,P1_WAIT_ENUMERATE
        ld (jailbreakState),a
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P2_WAIT_RESET
        jr nz,$F
        ld a,(lastPortResetClear)
        cp 2
        jr nz,$F
;Time to switch the address and start listening to device 2
        ld a,2
        call SwitchPort
        ld hl,Device2DeviceDescriptor
        ld (deviceDescAddress),hl
        call SetMaxPacketSize
        ld hl,Device2ConfigDescriptor
        ld (configDescAddress),hl
        res useShortConfigDesc,(iy+PS3JBFlags)
        ld a,P2_WAIT_ENUMERATE
        ld (jailbreakState),a
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P2_WAIT_DISCONNECT
        jr nz,$F
        ld a,(lastPortConnClear)
        cp 2
        jr nz,$F
        res sentInterruptData,(iy+PS3JBFlags)
        ld a,P4_WAIT_RESET
        ld (jailbreakState),a
        xor a
        ld (lastPortResetClear),a
        ld (lastPortStatus),a
        ld a,3 ;port 4
        call TogglePortConnection
; Same register sequence is repeated for ports 5 and 6 below:
; save port 8Eh, select 1, clear bit 4 / set bit 6 of port 91h, restore 8Eh.
; The USB controller meaning of 8Eh/91h is not documented here.
        in a,(8Eh)
        push af
        ld a,1
        out (8Eh),a
        in a,(91h)
        and 0EFh
        or 40h
        out (91h),a
        pop af
        out (8Eh),a
        jr mainKeyLoop
$$:
        ld a,(jailbreakState)
        cp P4_WAIT_RESET
        jr nz,$F
        bit sentInterruptData,(iy+PS3JBFlags)
        jr nz,sentPort4Change
        ld a,(lastPortStatus)
        cp 02h
        jr nz,$F
        set sentInterruptData,(iy+PS3JBFlags)
        ld a,10h                        ;status change on port 4
        ld (hubIntResponse),a
        jr mainKeyLoop
sentPort4Change:
        ld a,(lastPortResetClear)
        cp 4
        jr nz,$F
        ld a,4                          ;become device 4
        call SwitchPort
        ld a,P4_WAIT_ENUMERATE
        ld (jailbreakState),a
        ld hl,Device4DeviceDescriptor
        ld (deviceDescAddress),hl
        call SetMaxPacketSize
        ld hl,Device4ConfigDescriptor1
        ld (configDescAddress),hl
        res useShortConfigDesc,(iy+PS3JBFlags)
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P4_READY
        jr nz,$F
connectJig:
        xor a
        call SwitchPort
        ld a,P5_WAIT_RESET
        ld (jailbreakState),a
        res sentInterruptData,(iy+PS3JBFlags)
        xor a
        ld (lastPortResetClear),a
        ld a,4                          ;report port 5 connected
        call TogglePortConnection
        in a,(8Eh)
        push af
        ld a,1
        out (8Eh),a
        in a,(91h)
        and 0EFh
        or 40h
        out (91h),a
        pop af
        out (8Eh),a
        jr mainKeyLoop
$$:
        ld a,(jailbreakState)
        cp P5_WAIT_RESET
        jr nz,$F
        ld a,(lastPortResetClear)
        cp 5
        jr nz,$F
;Time to switch the address and start listening to device 5
        ld a,5
        call SwitchPort
        ld hl,Device5DeviceDescriptor
        ld (deviceDescAddress),hl
        call SetMaxPacketSize
        ld hl,Device5ConfigDescriptor
        ld (configDescAddress),hl
        res useShortConfigDesc,(iy+PS3JBFlags)
        ld a,P5_WAIT_ENUMERATE
        ld (jailbreakState),a
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P5_WAIT_ENUMERATE
        jr nz,$F
        ld a,(jigBytesReceived)
        cp 64
        jr c,$F                         ;wait until the host has sent 64 bytes
        ld a,P5_CHALLENGED
        ld (jailbreakState),a
        call WaitTimer20ms
;Send the jig response data
; 64 bytes from jigResponse, as 8 interrupt transfers of 8 bytes each.
        ld hl,jigResponse
        ld b,8                          ;b = packets left
sendJigResponseLoop:
        push bc
        ld b,8                          ;b = packet length; c = 01h as in the hub status send above
        ld c,01h
        push hl
        call SendInterruptData
        pop hl
        ld de,8
        add hl,de                       ;next 8-byte chunk
        pop bc
        djnz sendJigResponseLoop
        call WaitTimer20ms
;Disconnect port 3
        xor a
        call SwitchPort
        ld a,2
        call DisconnectPort
;At this point, the exploit will fire. We need to disconnect the other devices and connect 6 to get the confirmation so the payload can finish executing.
        xor a
        ld (lastPortStatus),a
        ld a,P3_WAIT_DISCONNECT
        ld (jailbreakState),a
        jr startKeyLoop
$$:
; Disconnect sequence: ports 3, 5, 4, 1. Each *_WAIT_DISCONNECT state first
; announces the change (sentInterruptData clear -> set hubIntResponse),
; then waits for lastPortConnClear to name that port before moving on.
        ld a,(jailbreakState)
        cp P3_WAIT_DISCONNECT
        jr nz,$F
        bit sentInterruptData,(iy+PS3JBFlags)
        jr nz,sentPort3Change
        ld a,(lastPortStatus)
        cp 03h
        jr nz,$F
        set sentInterruptData,(iy+PS3JBFlags)
        ld a,00001000b                  ;status change on port 3
        ld (hubIntResponse),a
        jr mainKeyLoop
sentPort3Change:
        ld a,(lastPortConnClear)
        cp 3
        jr nz,$F
        call WaitTimer20ms
;Disconnect port 5
        xor a
        call SwitchPort
        ld a,4
        call DisconnectPort
        xor a
        ld (lastPortStatus),a
        ld a,P5_WAIT_DISCONNECT
        ld (jailbreakState),a
        res sentInterruptData,(iy+PS3JBFlags)
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P5_WAIT_DISCONNECT
        jr nz,$F
        bit sentInterruptData,(iy+PS3JBFlags)
        jr nz,sentPort5Change
        ld a,(lastPortStatus)
        cp 03h
        jr nz,sentPort5Change
        set sentInterruptData,(iy+PS3JBFlags)
        ld a,00100000b                  ;status change on port 5
        ld (hubIntResponse),a
        jr mainKeyLoop
sentPort5Change:
        ld a,(lastPortConnClear)
        cp 5
        jr nz,$F
        call WaitTimer20ms
;Disconnect port 4
        xor a
        call SwitchPort
        ld a,3
        call DisconnectPort
        ld a,P4_WAIT_DISCONNECT
        ld (jailbreakState),a
        xor a
        ld (lastPortStatus),a
        res sentInterruptData,(iy+PS3JBFlags)
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P4_WAIT_DISCONNECT
        jr nz,$F
        bit sentInterruptData,(iy+PS3JBFlags)
        jr nz,sentPort4Change_1
        ld a,(lastPortStatus)
        cp 05h
        jr nz,sentPort4Change_1
        set sentInterruptData,(iy+PS3JBFlags)
        ld a,00010000b                  ;status change on port 4
        ld (hubIntResponse),a
        jr mainKeyLoop
sentPort4Change_1:
        ld a,(lastPortConnClear)
        cp 04h
        jr nz,$F
        call WaitTimer20ms
;Disconnect port 1
        xor a
        call SwitchPort
        xor a
        call DisconnectPort
        ld a,P1_WAIT_DISCONNECT
        ld (jailbreakState),a
        res sentInterruptData,(iy+PS3JBFlags)
        xor a
        ld (lastPortStatus),a
        res lastStatusReceived,(iy+PS3JBFlags)
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp P1_WAIT_DISCONNECT
        jr nz,$F
        bit sentInterruptData,(iy+PS3JBFlags)
        jr nz,sentPort1Change
        ld a,(lastPortStatus)
        cp 04h
        jr nz,sentPort1Change
        set sentInterruptData,(iy+PS3JBFlags)
        ld a,00000010b                  ;status change on port 1
        ld (hubIntResponse),a
        xor a
        ld (lastPortStatus),a
        jr mainKeyLoop
sentPort1Change:
        ld a,(lastPortConnClear)
        cp 01h
        jr nz,$F
        ld a,(lastPortStatus)
        cp 01h
        jr nz,$F
        bit lastStatusReceived,(iy+PS3JBFlags)
        jr nz,disconnectsDone
        xor a                           ;first status 01h: remember it and wait for a second one
        ld (lastPortStatus),a
        set lastStatusReceived,(iy+PS3JBFlags)
        jr mainKeyLoop
disconnectsDone:
        call WaitTimer20ms
;Connect port 6
        ld a,P6_WAIT_RESET
        ld (jailbreakState),a
        xor a
        ld (lastPortResetClear),a
        xor a
        call SwitchPort
        ld a,5                          ;report port 6 connected
        call TogglePortConnection
        in a,(8Eh)
        push af
        ld a,1
        out (8Eh),a
        in a,(91h)
        and 0EFh
        or 40h
        out (91h),a
        pop af
        out (8Eh),a
        jr mainKeyLoop
$$:
        ld a,(jailbreakState)
        cp P6_WAIT_RESET
        jr nz,$F
        ld a,(lastPortResetClear)
        cp 6
        jr nz,$F
;Time to switch the address and start listening to device 6
        ld a,6
        call SwitchPort
        ld hl,Device6DeviceDescriptor
        ld (deviceDescAddress),hl
        call SetMaxPacketSize
        ld hl,Device6ConfigDescriptor
        ld (configDescAddress),hl
        res useShortConfigDesc,(iy+PS3JBFlags)
        ld a,P6_WAIT_ENUMERATE
        ld (jailbreakState),a
        jr startKeyLoop
$$:
        ld a,(jailbreakState)
        cp DONE
        jr nz,$F
        B_CALL DispDone
        call IGetKey
        jr PS3Jailbreak                 ;any key: start the whole sequence over
$$:
; Sleep until the next interrupt, then either leave on ON or re-scan.
startKeyLoop:
        ei
        halt
        in a,(4)
        bit 3,a                         ;ON key: clear when pressed (sInstructions: "[ON] to quit")
        jr z,$F
        jr mainKeyLoop
$$:
        ld a,2
        out (54h),a
        call StopLog
        B_CALL DisableUSBActivityHook
        call RecycleUSB

;-----------------------------------------------------------------------
; exitApp
; Restores the lowercase flag, removes the USB hook, resets the USB
; peripheral and returns to the OS home screen. Does not return.
;-----------------------------------------------------------------------
exitApp:
        ld a,(lwrCaseFlag)
        ld (iy+appLwrCaseFlag),a
        B_CALL ClrLCDFull
        B_CALL DisableUSBActivityHook   ;also done on the ON-key path above; harmless when repeated
        B_CALL KillUSB
        call WaitTimer100ms
        call InitializePeriphUSB
        res indicOnly,(iy+indicFlags)
        B_JUMP JForceCmdNoChar

;-----------------------------------------------------------------------
; StartLog
; Only when LOGGING_ENABLED = 1: maps page 87h into bank B (port 7),
; zero-fills 8000h..BFFFh, maps page 81h back, then calls SetupLog with
; hl = 8000h, b = 87h (buffer address and page). Otherwise just returns.
; Leaves interrupts disabled when logging is enabled.
; Clobbers: a, b, hl, de, bc.
;-----------------------------------------------------------------------
StartLog:
        IF LOGGING_ENABLED = 1
        di
        ld a,87h
        out (7),a
        ld hl,8000h
        ld (hl),0
        ld de,8001h
        ld bc,4000h-1
        ldir                            ;zero the whole 16K page
        ld a,81h
        out (7),a                       ;presumably the page bank B normally holds - confirm
        ld hl,8000h
        ld b,87h
        call SetupLog
        ENDIF
        ret

;-----------------------------------------------------------------------
; TogglePortConnection
; In:  a = 0-based port index (0..5)
; Writes deviceBitmap[port] = 03h,01h and deviceChangedBitmap[port] = 01h,00h
; (2 bytes per port), then sets hubIntResponse = 1 << (port+1), i.e. the
; status-change bit for 1-based port number port+1.
; Clobbers: a, b, c, d, hl, flags. a is preserved across the table writes.
;-----------------------------------------------------------------------
TogglePortConnection:
        push af
        ld b,0
        ld c,a
        ld hl,deviceBitmap
        add hl,bc
        add hl,bc                       ;hl = deviceBitmap + 2*port
        ld (hl),03h
        inc hl
        ld (hl),01h
        ld hl,deviceChangedBitmap
        add hl,bc
        add hl,bc
        ld (hl),01h
        inc hl
        ld (hl),00h
        pop af
        inc a                           ;shift count = port+1
        ld d,1
        or a                            ;clear carry so rl shifts in 0
$$:
        rl d
        dec a
        jr nz,$B
        ld a,d
        ld (hubIntResponse),a
        ret

;-----------------------------------------------------------------------
; DisconnectPort
; Same as TogglePortConnection but writes deviceBitmap[port] = 00h,01h.
; In:  a = 0-based port index
; Out: hubIntResponse = 1 << (port+1)
; Clobbers: a, b, c, d, hl, flags.
;-----------------------------------------------------------------------
DisconnectPort:
        push af
        ld b,0
        ld c,a
        ld hl,deviceBitmap
        add hl,bc
        add hl,bc
        ld (hl),00h
        inc hl
        ld (hl),01h
        ld hl,deviceChangedBitmap
        add hl,bc
        add hl,bc
        ld (hl),01h
        inc hl
        ld (hl),00h
        pop af
        inc a
        ld d,1
        or a
$$:
        rl d
        dec a
        jr nz,$B
        ld a,d
        ld (hubIntResponse),a
        ret

;-----------------------------------------------------------------------
; SetMaxPacketSize
; Copies byte 7 of the descriptor at (deviceDescAddress) - bMaxPacketSize0
; in a standard USB device descriptor - into maxPacketSize.
; Clobbers: a, hl, de.
;-----------------------------------------------------------------------
SetMaxPacketSize:
        ld hl,(deviceDescAddress)
        ld de,7
        add hl,de
        ld a,(hl)
        ld (maxPacketSize),a
        ret

;-----------------------------------------------------------------------
; SwitchPort
; In:  a = index (0 = hub, 1..6 = device) to become.
; Returns immediately if a == portCur. Otherwise stores the new index,
; loads deviceAddressMap[a] and falls through into SetDeviceAddress.
; Clobbers: a, b, c, hl, flags.
;-----------------------------------------------------------------------
SwitchPort:
        ld hl,portCur
        ld b,(hl)
        cp b
        ret z                           ;already active
        ld (hl),a
        ld hl,deviceAddressMap
        ld b,0
        ld c,a
        add hl,bc
        ld a,(hl)                       ;a = USB address for that index
;-----------------------------------------------------------------------
; SetDeviceAddress
; In:  a = USB device address
; Writes it to port 80h, mirrors it in USBaddress and records it in
; deviceAddressMap[portCur]. (When entered via SwitchPort, portCur has
; already been updated, so the map entry written is the one just read.)
; Clobbers: hl, b, c, flags; a preserved.
;-----------------------------------------------------------------------
SetDeviceAddress:
        out (80h),a
        ld (USBaddress),a
        push af
        ld hl,deviceAddressMap
        ld bc,(portCur)
        ld b,0                          ;only the low byte (portCur) is wanted
        add hl,bc
        pop af
        ld (hl),a
        ret

;-----------------------------------------------------------------------
; Data
;-----------------------------------------------------------------------
; Menu table: title, count, then (string, handler) pairs. Strings must be
; shorter than 24 bytes (keyLoop scans with cpir, bc = 24).
mainMenu:
        DB "PS3JB ",VER_STRING,0
        DB 4
        DB "1) PS3 Jailbreak",0
        DW PS3Jailbreak
        DB "2) View Log",0
        DW DispLog
        DB "3) About",0
        DW AboutScreen
        DB "4) Quit",0
        DW exitApp

sAboutText:
        DB " PS3Jailbreak "
        DB " Brandon Wilson ",0

; Splash image data, unused (see the commented-out block in AboutScreen).
;Splash_DS:
; DB 5, 86
; DB 231,188,199,107,220,28,204,107,222,103, 28
; DB 214,25, 172,107, 26,49,172,105,140,214,176
; DB 215,25, 236,123,154,25,172,105,140,214,152
; DB 214,25, 172,107, 26,13,172,105,140,214,140
; DB 231,153,167,107,220,56,207, 49,158,102,184

Intro_Web:
        DB "brandonw.net",0
Intro_Version:
        DB "Version ",VER_STRING,0
Intro_Build:
        DB "Build ",BUILD_STRING,0

sInstructions:
        DB "Connect your PS3"
        DB "to your "
        DB "calculator using"
        DB "a USB cable now."
        DB "Press ",LlBrack,"ON] at "
        DB "any time to "
        DB "quit.",0

; 64-byte response sent to the host by sendJigResponseLoop, 8 bytes per
; transfer, once jigBytesReceived reaches 64. Opaque blob; not interpreted
; anywhere in this file.
jigResponse:
        DB 80h, 00h, 00h, 00h, 00h, 3Dh, 0EEh, 78h, 80h, 00h, 00h, 00h, 00h, 3Dh, 0EEh, 88h
        DB 80h, 00h, 00h, 00h, 00h, 33h, 0E7h, 20h, 0E8h, 83h, 0FFh, 0F0h, 0E8h, 63h, 0FFh, 0F8h
        DB 0E8h, 0A3h, 00h, 18h, 38h, 63h, 10h, 00h, 7Ch, 04h, 28h, 00h, 40h, 82h, 0FFh, 0F4h
        DB 38h, 0C3h, 0F0h, 20h, 7Ch, 0C9h, 03h, 0A6h, 4Eh, 80h, 04h, 20h, 04h, 00h, 00h, 00h

sWorking:
        DB "Working",0CEh,0           ;0CEh: OS ellipsis character (presumably)