PSFreedom source code released!

Hi again,

As promised yesterday, I’ve just released the source code for PSFreedom. You can grab it now on github.

If you want to port it to work on another device, fork the repository and start working; you can send me a pull request once it’s done. See the end of this post for a little howto on porting it to a new device.

I have also decided to remove the video I put on YouTube yesterday. I didn’t give the link to anyone, but somehow people found it and it got linked on multiple news sites… that video is useless and hard to watch, and I’m sorry! I’ve made a new video that you can view here:

Since yesterday I’ve been spammed with emails, comments on my blog, PMs and pings on IRC, etc., and my server even went down (it doesn’t seem to be because of high traffic). So I’d like to answer everyone with this FAQ:

Q: What is your relationship with the PSGroove project?

A: PSGroove was released a while ago, while I was already working (about 50% done) on PSFreedom. I had help from Mathieulh and Phire from the PSGroove team, who gave me insight into what the jailbreak does. When PSGroove was released, I read its code to understand what it does and to make sure my code worked in the same way. I copied the descriptors and payload from the code of PSGroove, and I give them credit for what they did and for what I copied from their project. I set my license to GPL v3 to match theirs, and I gave credit to those who helped me on IRC. However, I say and I insist that PSFreedom is not a port of PSGroove, because I never took their code and ported it to the N900; this is my original work, and I wrote all of its code from scratch. Some of the PSGroove team seem to be in conflict with me because of that; they insist that “if you looked at our code, then it is without question a port of PSGroove”, and I believe we have two very different understandings of the term ‘port’.

Q: Can it/when will it work on the iPhone/Symbian/my phone?

A: PSFreedom is a Linux driver, so it will only work on Linux-enabled devices, which means not on iOS and not on Symbian, so please stop asking about that!

Q: Will it work on the 770/N800/N810?

A: I only did this for the N900. I might port it to other devices, but right now I cannot give any guarantees to anyone that it will be ported or that it will work on another device… The source code has been released, and whoever wants to contribute can go ahead, fork my repository, and send me a pull request when you have something working.

These are Linux devices, so yes, it should work, but just like any other device, they use a different controller than the N900, so a little porting will be necessary.

Q: Will it work from a Linux PC?

A: Unfortunately, no. Most PCs have a USB controller that only supports host mode, but you need peripheral (slave) mode to be able to make this work.

Q: Can I run backups with this?

A: At the moment, no. I have used the same payload as PSGroove, which means backups are disabled, although someone has already released a version of PSFreedom with backups enabled. In the future, I will hopefully make the module load any payload at runtime, so that you could choose between different payloads.

Q: Can you make it easier to use?

A: Me? No.. someone else? Yes.. there is already someone working on a UI for PSFreedom, and it will be available once it’s ready.

Q: What do I need to use PSFreedom on my N900?

A: First, you need an N900 (duh) and a PS3 (duh) with firmware 3.41. The N900 should be running the stock kernel (-omap1), not a modified kernel. Then you just need to scp the files to the N900 and run the -enable script.

Q: How much of the source is Nokia N900 specific? Are you using the Linux USB Gadgets library?

A: Very little is N900 specific. I’m using include/linux/gadget.h, if that’s what you mean. See the next Q/A for more info.

Q: How hard is it to port it to a new device?

A: Well, I’ve just separated my code from the N900-specific stuff, so it’s quite easy: there are mainly two functions to write, one to get and one to set the USB address, plus two other functions that only return a static result depending on the configuration of the controller (the names of the endpoints, and whether the controller supports high-speed or full-speed mode).

Read the README file provided with PSFreedom, and check the psfreedom_machine.c file for specifics on what to implement.

Q: How can I port it to a new device?

A: Well, first, you need to figure out what controller your device uses; in the case of the N900, it’s ‘musb’.

Then go to the driver code for that controller (probably in drivers/usb/gadget) and look for ‘SET_ADDRESS’. In the case of musb, it was in drivers/usb/musb/musb_gadget_ep0.c, where it sets the address on the USB device. Copy that code into psfreedom_machine.c to allow setting the address, and add a similar function to be able to retrieve the address.

Then add a function to return 0 or 1 depending on whether the controller supports HIGH, FULL or LOW speed mode (go to usb_gadget_register_driver for your controller; in its first lines it should validate the speed argument, which tells you which ones are acceptable). Make the LOW speed function return TRUE only if FULL speed isn’t available.

Finally, add a function to return the endpoint names. They will usually be something like ‘epXin’ and ‘epXout’ (where X is the endpoint number), or “epXin-bulk”, etc. Look at how the driver initializes its endpoints, or grep for “->name” in the file to find where it sets them.

That should be enough!

Ok this is it for now with the FAQ. Next time, I’ll tell you all about my experience, what problems I encountered and how I fixed them, maybe it will help others!

Enjoy it!

KaKaRoTo

PSFreedom (Jailbreak PS3 with N900) worked, finished and released!

Hi everyone,

As promised, here’s an update on my implementation of the PSJailbreak exploit: IT WORKS!

I made a video to show you, but I suck at making videos, so we can’t really see what’s going on… I’ll do a better one tomorrow.

It’s 9:30 AM here, and I really need to go to sleep, I’ll post more about this tomorrow, and I’ll release the code tomorrow for everyone to enjoy, compile, contribute, read, laugh at, etc…

So here’s the binary release of PSFreedom (thanks to xnt14 for the name): PSFreedom driver

I would like to thank 3 people in particular who helped me, encouraged me and helped debug with me: NTAuth, philhug and phire (a.k.a. phiren) from EFNet.

So here’s how it works: download the .tar.gz, extract it, copy the files to your N900 (with scp, into /root), then ssh into your N900 and type: ./psfreedom-enable.sh

Then you can follow the usual procedure: unplug the PS3 from power, plug in the N900, connect the power to the PS3, then press power and *quickly* press the eject button… Then just let the magic happen!

Once you’re done, or want to revert to the normal operation mode of the N900 (or to charge it), run the command ./psfreedom-disable.sh

In the future, we’ll have a nice package to install and a GUI application, I’ll make use of the LEDs to show you the status of what it’s doing, and I’ll have it auto-revert to mass storage mode, so you can use your N900 not only to enable homebrew but also to store your homebrew!

See you tomorrow! Good night!

KaKaRoTo

Update on PSJailbreak linux kernel (for N900 devices)

Hi all,

For all those who kept bugging me on IRC about “what’s your status” and “when will you release it”, etc., I’d like to give you a quick status update on my project:

First, this is NOT and I repeat, it’s NOT a port of PSGroove for the N900.. I started my project long before PSGroove was released, and my code has absolutely nothing to do with theirs and we don’t share any code in common. It is NOT a port, it’s a different implementation of the same exploit!
Secondly, it’s going pretty well so far. I finished writing it, all the code is there, and I’m testing it, but I’m still getting some issues: for some reason the PS3 isn’t accepting the JIG. I hope I can get this fixed soon, so please, everyone, just be patient, I will release it when it’s ready! But the good news is that it’s doable, apparently!

For those who read my previous post, here’s an update:

– The kernel OOPS I was getting on Linux was because my ‘hub’ was a high speed one, and when a device got connected, the reply to GetPortStatus omitted the ‘high speed’ flag in the response. Apparently, a high speed hub can only have high speed devices plugged into it; you can’t plug full speed or low speed devices into such a hub, otherwise your Linux kernel crashes! It’s a use case the kernel developers didn’t think of (or didn’t find a way to test). I will also soon release the code to reproduce that oops so people can look into it.

– I was able to get and set the address on the controller, but I had to add two new functions to the usb-gadget API. This means that you will eventually need to flash your device’s kernel to take advantage of the new functions.

– I figured out how to send a NAK in response to an IN interrupt: you simply don’t queue anything, and the controller apparently takes care of that automatically for you! I had to read almost all of the controller’s code to figure that one out!

By writing this exploit as a standard Linux driver, my module can be used on any other Linux-enabled device: not only the N900, but also the 770, N800, N810, Android phones and future MeeGo devices. It might need a little porting for some devices, but it should still work…

That’s it, I’ll keep you informed on how it goes. Hopefully, we’ll soon be able to run homebrew on our PS3 simply by plugging our N900 into it. What a wonderful device it is 🙂

KaKaRoTo

PSJailbreak USB Gadget kernel driver

Hi,

***

For those who don’t want to read a long post, here’s the summary : I’m trying to write a USB gadget driver to make my N900 act as a hub, I don’t know if I can get it to work because the kernel subsystem doesn’t seem to allow me to do it. If someone knows how to get a request’s destination address, or override the usb_gadget_ep0.c SET_ADDRESS, or knows of limitations that would prevent me from making it work, let me know. I also have ‘working code’ for the usb hub now, but it seems that when I simulate a device insertion, my computer’s (not the N900’s) kernel crashes, so I’m a bit stuck.

Read the rest if this article interests you.

***

Some of you already know about the PSJailbreak, for those who don’t, it’s a USB dongle that exploits the PS3 and allows you to run unsigned packages (homebrew).

Some people tried (and some succeeded) to create a ‘cheap’ clone of the dongle by reverse engineering what it does and reimplementing it on an ATmega microcontroller.

My idea was to use an existing programmable Linux-based device (my N900) to act as the dongle. So I started looking into the kernel’s source to understand how I could achieve that. I found that the kernel has a ‘usb gadget’ subsystem for writing gadget drivers (in other words, drivers that make your device act as a slave/peripheral), so I started writing a gadget driver.

I must say it wasn’t an easy task (for someone with ~zero kernel experience) especially considering that the only ‘real’ documentation I found was the undocumented source code of other gadget modules…

Anyways, the PSJailbreak dongle emulates a USB hub with multiple devices getting connected to/disconnected from it, so I tried to write a driver to emulate a USB hub. I thought that it would be a great idea and useful, since it could be used to allow my N900 to be in PC Suite mode *and* mass storage mode at the same time, without having to make that annoying choice every time I plug it into USB.

Anyways, I first realized that I can’t just insmod/rmmod drivers to emulate a device getting connected/disconnected, because the usb_gadget_register_driver doesn’t allow us to register more than one driver. Ok, makes sense, I can live with that, but this means that I’ll have to modify the kernel to make sure the usb_gadget_register_driver redirects to my hub’s code to simulate the insertion/removal and let my hub driver be the only one registered on the controller. Anyways, for my use case, I thought I can just write all the code for all these ‘virtual devices’ directly into my driver for now.

The second issue I ran into is that the drivers never get a SET_ADDRESS: that’s handled internally by the kernel (drivers/usb/musb/musb_gadget_ep0.c), which means that even if I say “new device connected”, if the host sends me a SET_ADDRESS I won’t get it, so I can’t map addresses to my virtual devices… But not only that: I found no way whatsoever to find out what my current address is, or to which address a message is being sent… I suppose it’s all being handled by the USB subsystem, but I can’t find an “if (destination != self->address) return;” anywhere in the code either, which makes me think that it might be handled by the controller itself (since we do receive messages destined to other devices if we’re connected to a hub, it has to drop those somewhere). But I don’t know; either the controllers don’t let me do what I want, or the kernel’s USB subsystem was never written to allow USB hubs to be created. I figured that if I could at least simulate a device being connected, I should be able to find out how the kernel would handle the newly received SET_ADDRESS or the requests sent to the virtual device… then maybe I would understand a bit more about how to do it and whether or not it’s even possible.
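To illustrate both the get/set-address functions the porting howto above asks for and the SET_ADDRESS routing problem described here, this is an added user-space C model, not PSFreedom’s code and not the kernel’s: the controller’s address register is a plain variable, the virtual devices and their names are constructed, and how a real port would use the register is an assumption noted in the comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USB_REQ_SET_ADDRESS 5   /* bRequest code from the USB 2.0 spec */
#define MAX_VDEVS           4   /* constructed limit for this model */

/* Stand-in for the controller's 7-bit address register (a real port would
 * read/write the controller here; that use is an assumption of this model). */
static uint8_t fake_faddr;
static void machine_set_address(uint8_t addr) { fake_faddr = addr & 0x7f; }
static uint8_t machine_get_address(void) { return fake_faddr; }

struct vdev { bool connected; uint8_t address; const char *name; }; /* hypothetical */
struct emu_hub { struct vdev devs[MAX_VDEVS]; };

/* Fields of the 8-byte SETUP packet; multi-byte fields are little-endian. */
struct setup { uint8_t bmRequestType, bRequest; uint16_t wValue, wIndex, wLength; };

static struct setup parse_setup(const uint8_t raw[8]) {
    struct setup s;
    s.bmRequestType = raw[0]; s.bRequest = raw[1];
    s.wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/* Which virtual device answers at this address? Address 0 is the USB default
 * address: a device that was just connected and has not been addressed yet. */
static struct vdev *hub_find(struct emu_hub *h, uint8_t address) {
    for (int i = 0; i < MAX_VDEVS; i++)
        if (h->devs[i].connected && h->devs[i].address == address)
            return &h->devs[i];
    return NULL;
}

/* Plug a device into the hub; refuse while another one still sits at address 0. */
static bool hub_connect(struct emu_hub *h, const char *name) {
    if (hub_find(h, 0)) return false;
    for (int i = 0; i < MAX_VDEVS; i++)
        if (!h->devs[i].connected) {
            h->devs[i] = (struct vdev){ true, 0, name };
            return true;
        }
    return false;
}

/* The SET_ADDRESS step the stock kernel's ep0 code consumes before a gadget
 * driver sees it: validate the request, move the device waiting at address 0
 * to wValue and point the controller at it. NULL on a bad request or no device. */
static struct vdev *hub_handle_setup(struct emu_hub *h, const uint8_t raw[8]) {
    struct setup s = parse_setup(raw);
    if (s.bmRequestType != 0x00 /* host-to-device, standard, to device */ ||
        s.bRequest != USB_REQ_SET_ADDRESS)
        return NULL;
    if (s.wValue > 127 || s.wIndex != 0 || s.wLength != 0)  /* spec-mandated */
        return NULL;
    struct vdev *d = hub_find(h, 0);
    if (!d) return NULL;
    d->address = (uint8_t)s.wValue;
    machine_set_address(d->address);
    return d;
}

int main(void) {
    struct emu_hub h = { 0 };
    const uint8_t set_addr_5[8] = { 0x00, 0x05, 0x05, 0x00, 0, 0, 0, 0 }; /* constructed */
    hub_connect(&h, "virtual-dev-1");
    struct vdev *d = hub_handle_setup(&h, set_addr_5);
    printf("%s now at address %u, controller register = %u\n", d ? d->name : "(none)",
           d ? (unsigned)d->address : 0u, (unsigned)machine_get_address());
    return 0;
}
```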

Call it bad luck, but now, whenever I plug my N900 (with my driver module loaded) into my laptop (linux debian, kernel 2.6.32-5), my laptop crashes.. it completely freezes up, the kernel panics, and then I’m forced to reboot it.. I’ve looked at what messages I’m sending/receiving from the N900’s dmesg (yes, the N900 is perfectly fine and doesn’t kernel panic), and I compare it with the USB dump of a generic hub being plugged into the computer, and I see no difference, I’m doing exactly the same! And yet, my kernel segfaults, and now, I’m stuck as I don’t know how to move forward.. I only got a partial stack trace, I know the khubd thread gets the segfault, and that it’s when it’s trying to build a URB…  there also seems to be some error being reported by the power/battery manager or something, so maybe it has something to do with bad/wrong values of self-powered/power needs of the device.. but that’s it…

I went to the #kernel channel on freenode, asked about this issue, asked how to get a proper debug/stacktrace, and asked how a usb gadget can know its own address, but no one seems to care/answer/be awake. So that’s why I’m posting this on my blog: first, to let everyone know what I’m doing and how advanced (or not) I am in the project, but also to ask people for help; if they know of a solution to my problem, let me know in the comments. Please, do not post comments like “I have a PS3/N900/something if you need help testing”… I don’t.

Finally, I’d like to finish by saying that I do not condone piracy. The PSJailbreak is an exploit that jailbreaks the PS3 allowing you to run unsigned code, it opens the door to homebrew and yes, also to piracy, but it’s each individual’s choice to either use it for legal applications or not. It is fair use to be allowed to make backups of your expensive games (and I’ve got about 50+ disc-based games). I’m doing this project only because I like the challenge, I thought it would be a good experience for me to dive a bit into the kernel code, and I found it entertaining. I also wanted to showcase the power of the N900 even more by making it become any usb device I want.. even a PSJailbreak clone, I don’t think anyone has used it in this manner yet.

Thanks for reading!

Update : I got a stacktrace from the kernel crash!

KaKaRoTo

Release libnice 0.0.13

Hello,

Libnice 0.0.13 has just been released. It’s a small release that fixes a few bugs, cleans the code a bit and makes coverity happy!

Also, this release adds support for IPv6 which now makes the library a bit more universal!

Another important fix was the ‘crc32’ function used internally in libnice, which was conflicting with the same symbol in libz.so. After a user reported a crash in libnice when he used it with his application (which was linking to libz.so as well), I realized the conflict and have now renamed the function from ‘crc32’ to ‘stun_crc32’, which makes libnice safer to use. Hopefully, there won’t be any more similar problems.

If you find issues or bugs with libnice, please report them and we’ll try to fix them for the next release!

As discussed in my previous post, TURN support still isn’t complete for now, and I’m still waiting for some charitable mind to send me a patch for upgrading TURN support in libnice to its latest RFC. Otherwise, you’ll have to be patient until I get some free time!

KaKaRoTo

GTalk-compatible file transfers in telepathy-gabble!

Update: This is now available in telepathy-gabble 0.9.13!

Hi all,

As some of you might know, I’ve worked for a while on telepathy-gabble and I had the task of adding GoogleTalk-compatible file transfers to it. I’m proud to announce that my changes have been merged into telepathy-gabble and you will be able to enjoy my (awesome) code in the next release of telepathy-gabble.

This means that anyone using Empathy or any other telepathy-enabled IM client will be able to enjoy the feature and transfer files with friends connected on Google Talk. This is also great news because even if you are not using GTalk, but you are using a @gmail.com account you will also be able to transfer your files using the new feature between you and another telepathy user. What this feature brings you is the ability to use libnice and do proper NAT traversal techniques in order to enjoy high speed file transfers instead of relying on the SOCKS proxies that jabber servers provide for people behind a NAT.

This was not a simple task to achieve though, I’ve had to reverse engineer the protocol, learn telepathy-gabble, and implement all that stuff. The biggest achievement that came from this is the new ability to have reliable streams in libnice as previously announced on my blog. Indeed, that feature was added in libnice mainly for the purpose of having reliable file transfers with GTalk.

Also, as announced by Google a while ago, their iGoogle service now also supports file transfers. However, the protocol it uses is slightly different (Gtalk dialect 3 instead of dialect 4). I’ve spent some time trying to see if my code was compatible with it, and I did some reverse engineering, and tried to make it work, but because of lack of time, I wasn’t able to make my code work in compatibility with iGoogle. However, fear not, as it should be fairly simple to implement, given enough time and motivation. Google also said that they would add file transfers support into the chat features of GMail, when that happens, I’ll have another go at this and try to make telepathy-gabble compatible with iGoogle and GMail file transfers.

I’ll let you know when telepathy-gabble gets released with the feature, in the meantime, you can go grab the latest git version of tp-gabble and enjoy the new high speed file transfers with your GTalk friends!

Telepathy-gabble 0.9.13 has just been released with the feature, so go grab it and enjoy high speed file transfers with your GTalk friends!

Special thanks goes to Intel for sponsoring this work as a part of MeeGo Netbook 1.0.

Enjoy,

KaKaRoTo

Release libnice 0.0.12

Hello,

Libnice 0.0.12 has just been released.. It’s not a very important release as it doesn’t add any substantial feature, but it does fix a few nasty bugs, so it’s recommended to update.

The important thing to note is that recently ICE has been standardized and is now known as RFC 5245! This is great news as it means that the spec will stop changing (it actually became stable at draft 19, so we were already safe).

The same thing happened to TURN, which has been standardized as RFC 5766. TURN has been changing a lot lately, so having it as a finalized standard is very good news.

In this release, libnice now has a NICE_COMPATIBILITY_RFC5245 compatibility mode, which should be used instead of NICE_COMPATIBILITY_DRAFT19. The old code should still work, since I kept the DRAFT19 symbol for legacy reasons.

The problem now is with TURN. I never had time to upgrade TURN from the last draft that I implemented (draft 9), and since the specs of TURN kept changing, I didn’t want (nor had time) to keep updating it to meet the spec changes. So the new libnice is compatible with RFC 5245, but it doesn’t support TURN RFC 5766 yet. Hopefully, the next release will be compatible with TURN RFC 5766.

If someone wants to contribute to libnice, then implementing the changes to TURN to upgrade it from draft 9 to RFC 5766 would be the first step! Let me know if you want to help.

KaKaRoTo

Humble Source

Hi,

As some of you might have seen already, there’s this great initiative called the Humble Indie Bundle. It’s basically a group of five independent developers who decided to make a ‘pay-what-you-want’ promotion for a bundle of five games, and the money can be distributed however you want between the developers and two charities (Child’s Play and the Electronic Frontier Foundation).

This whole idea is really awesome! The minimum donation requested is $0.01, so for just one cent you could be getting 6 very awesome games (World of Goo, Gish, Penumbra, Lugaru HD, Aquaria and, as a bonus, Samorost 2), although I hope you will be more generous than that!

I think that the initiative is indeed humble, and by giving the power back to the consumer, you let him decide on the price and ask him for his generosity, you can get some really good results.  And the proof is here.. After only 10 days, they have raised over one million dollars! 30% of that went to charity and the rest went directly to the developers! What does this mean? It means that people thought that the developers deserved the money because of this brilliant idea. This also gives us some pretty awesome statistics.

As of the moment of writing this, the average donation was $9.05, and the distribution is: an average of $7.95 for Windows users, $10.18 for Mac users and $14.55 for Linux users! It looks like Linux users are more generous than Mac users, who are more generous than Windows users! The developer seems to have noticed this and talks about it in his blog.

You can also see the distribution of the downloads; it looks like Linux and Mac gamers are also a big part of the gaming market. As explained in the developer’s blog:

Our most recent promotion, the Humble Indie Bundle, shows even more dramatic statistics for Linux: 52% Windows, 24% Mac, and 24% Linux.

Finally, the most interesting thing for which I want to salute those developers is that, considering the success of the Humble Indie Bundle, they decided to open source 4 of the games from the bundle! This is great news for the open source community and for the gaming community as well.

The bundle has been extended for 3 more days, so I encourage everyone to go buy these games and help the developers who had this brilliant idea!

KaKaRoTo

GObject generator for Emacs

Hi All,

I recently had to create many classes, and as everybody knows, writing classes with GObject is quite annoying: it involves a lot of copy/paste and a lot of search&replace. So I searched and I (actually my colleague, Olivier) found these GObject class helpers: http://www.emacswiki.org/emacs/GObjectClassHelpers

Those are some helper functions for Emacs that automatically create the .c and .h files for you with all the GObject boilerplate. They were written by Gustavo Sverzut Barbieri and they do the job quite fine.

However, they are missing a few things, so I took the liberty of modifying the script to make them more complete and make them suit my needs.

Here is the changelog :

  • Added the option to include a Private structure to the class
  • Added a dummy property and the get/set functions
  • Added a dummy signal
  • Added a ‘constructed’ method
  • Added LGPL license header to generated .c and .h files
  • Reindented the generated files to match the user’s indentation settings.

These additions (private structure, property, signals) are optional and the script asks you if you want them or not when it generates the code.

I thought that these changes would be useful to some people, so I decided to share my script with the world. You can grab it here.

Have fun!

KaKaRoTo