PS jailbreak shell code

Just in from RichdevX and Disane. Disane has shared the shell code; you can check it out below. Apparently the shell code repeats 32 times and patches lv2. The code may only run on a certain firmware, which would explain why the dongle only works on firmware 3.41.

Quote Disane:

This is the disassembled PPC code, more like the shell code that is being injected. The best way would be to use the lv2 dump and this to figure out how the stack overflow exploit works in the USB buffer of the PS3; after that it can be reproduced on any FW, on both slim and fat PS3s.

The JIG ID is probably passed to trigger some code path, which the Configuration Descriptor overflows and injects the shell code; after that the code gets executed. The shell code patches lv2 to run fselfs and all kinds of interesting flags which I haven’t noticed yet…

Part 1: http://pastebin.com/AE6ghMpG

Part 2: http://pastebin.com/H7pkQJcE
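The quoted description boils down to one class of bug: a host that trusts the lengths a USB device reports in its configuration descriptor (the 16-bit wTotalLength and each sub-descriptor's bLength) and copies or walks that many bytes into a fixed buffer. The following is an added example, not code from the post, from Disane's pastes or from the PS3 firmware. It is a bounds-checked walk over a USB configuration descriptor set, with the three checks an unchecked parser would lack. The descriptor layout (bLength, bDescriptorType, little-endian wTotalLength at offset 2, interface and endpoint sub-descriptors following) is the standard USB one; the buffer size MAX_CONFIG_LEN and the sample descriptors are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the PS3 lv2 code or any dongle firmware): a hardened
 * walk over a USB configuration descriptor set received from a device. */

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05
#define MAX_CONFIG_LEN   256   /* assumed size of the host's fixed buffer */

enum parse_result {
    PARSE_OK = 0,
    PARSE_TOO_SHORT,              /* fewer than 9 bytes received */
    PARSE_BAD_TYPE,               /* first descriptor is not a config descriptor */
    PARSE_TOTAL_LEN_EXCEEDS_BUF,  /* wTotalLength larger than what was received */
    PARSE_SUB_DESC_OVERRUN        /* a sub-descriptor's bLength runs past the end */
};

struct config_summary {
    uint8_t  num_interfaces;
    uint8_t  num_endpoints;
    uint16_t total_length;
};

/* Walk a configuration descriptor set of buf_len received bytes.
 * Every device-supplied length is checked against what actually arrived
 * before it is used as an offset; nothing is copied past buf_len. */
int parse_config_descriptor(const uint8_t *buf, size_t buf_len,
                            struct config_summary *out)
{
    if (buf_len < 9)
        return PARSE_TOO_SHORT;
    if (buf[0] != 9 || buf[1] != USB_DT_CONFIG)
        return PARSE_BAD_TYPE;

    uint16_t total = (uint16_t)(buf[2] | (buf[3] << 8));   /* wTotalLength */

    /* Check 1: the device's claimed total must fit both in what was received
     * and in the fixed buffer it would be stored in. Trusting it blindly is
     * the stack-overflow pattern described in the post. */
    if (total < 9 || total > buf_len || total > MAX_CONFIG_LEN)
        return PARSE_TOTAL_LEN_EXCEEDS_BUF;

    memset(out, 0, sizeof *out);
    out->total_length = total;

    size_t off = 9;                     /* skip the 9-byte config descriptor */
    while (off < total) {
        /* Check 2: need at least bLength and bDescriptorType. */
        if (total - off < 2)
            return PARSE_SUB_DESC_OVERRUN;
        uint8_t len  = buf[off];
        uint8_t type = buf[off + 1];
        /* Check 3: bLength must be sane and stay inside wTotalLength;
         * a zero length would also loop forever on an unchecked parser. */
        if (len < 2 || len > total - off)
            return PARSE_SUB_DESC_OVERRUN;
        if (type == USB_DT_INTERFACE)
            out->num_interfaces++;
        else if (type == USB_DT_ENDPOINT)
            out->num_endpoints++;
        off += len;
    }
    return PARSE_OK;
}

/* Constructed sample inputs (not captured from any device). */

/* Well-formed: config (9) + interface (9) + bulk-in endpoint (7) = 25 bytes. */
const uint8_t good_config[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00
};

/* wTotalLength claims 0x1000 bytes but only 18 arrived. */
const uint8_t oversized_config[] = {
    0x09, 0x02, 0x00, 0x10, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00
};

/* wTotalLength is honest (25) but the interface descriptor claims bLength 0x20. */
const uint8_t overrun_config[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x20, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00
};

int main(void)
{
    struct config_summary s;
    printf("good:      %d\n", parse_config_descriptor(good_config, sizeof good_config, &s));
    printf("  interfaces=%u endpoints=%u total=%u\n",
           s.num_interfaces, s.num_endpoints, s.total_length);
    printf("oversized: %d\n", parse_config_descriptor(oversized_config, sizeof oversized_config, &s));
    printf("overrun:   %d\n", parse_config_descriptor(overrun_config, sizeof overrun_config, &s));
    return 0;
}
```

The point for anyone reviewing host-side USB enumeration code is that wTotalLength and every bLength are attacker-controlled bytes; each must be compared against the number of bytes actually received before it drives a copy or an offset.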

This entry was posted in Ps3 Hacks.
