Comment Re:This exploit is beautiful (Score 4, Insightful) 226
(clarification) At least, that's my speculation. (Darn it, mixing up preview and submit.)
You'll note no significant movement was ever made on a working modchip. PS3 remained pretty much hack-free... until Sony disabled OtherOS.
geohot's glitch - for it was a glitch attack, requiring hardware intervention, and a fair pile of luck for things not to crash - was specifically targeted at the OtherOS hypervisor, only worked in OtherOS, and was simply trying to get more hardware access, but it would never have gotten you complete access (for a start, by the time you're in OtherOS, the SPU in security mode is latched off the bus, I understand, although I never got the opportunity to check personally).
Sony (characteristically, some might say) totally overreacted in the worst possible way - geohot's glitch was really not a useful exploit! - but by taking everyone's toys away, and specifically by causing a problem to a lot of security researchers who used PS3 clusters for all kinds of research (including cryptographic research, for example the MD5/SHA-1 collisions) and who could now only get replacements from eBay praying they're not updated... they made a lot of people suddenly very interested and determined to crack it, and maybe those with clusters would be equally interested in something like this, perhaps even willing to fund research? *shrug* Merely idle speculation...
So, yeah. A fairly tight architecture it is, but start annoying security researchers with the resources to decap or fab chips, let alone dump firmware and look for bugs, and you've got to expect some kind of robust response - although where it really came from originally, we may never know, and what else they have in store for the future, it's hard to tell.
It's a cute little heap overflow in the USB controller; a nice little puppy-pile of (it appears, uncleanly nested) USB hellos and goodbyes to fill the heap, and a shellcode dump for the last one. Fixable in a firmware update, yes - and PSN-bannable (even brickable, if Sony are that hardcore) if used as is, as PS3s log what applications/games you run and send that info to Sony as part of DNAS authentication (at least, they do in unmodified DNAS; it's no longer foolproof) - but this is the tip of the iceberg I'm sure - when Sony fix this, I don't doubt another bug will be found in short order, maybe a software-only one (the PS3 parses enough formats that there's basically got to be something). The arms race has officially begun.
It's correctly named, too; this is really a 'jailbreak' in exactly the same sense as used on the iPhone for example, not some modchip to let people play copied games or anything (in fact, I don't believe it can... yet).