Vulnerabilities

From PS1 Developer wiki

This page lists vulnerabilities found in the original Sony PlayStation system software and hardware.

System/Hardware

These flaws are related to the system/hardware that holds and powers the Sony PlayStation.

FreePSXBoot

FreePSXBoot is a software exploit that allows one to load arbitrary code on the PlayStation using only a memory card that contains special data. It can be seen as the PS1 equivalent of FreeMCBoot on PS2.

To use it, you will need a way to copy full raw memory card images (not individual files) to a memory card. Some possibilities are:

  • A PS2 and the software Memory Card Annihilator v2 (use "Restore MC image").
  • Memcarduino, which requires soldering wires to the memory card.
  • A Memcard Pro, which lets you create your own virtual memory cards on an SD card. Simply drop the card image file you want to use as Memory Card 1, Channel 1.
  • Unirom and NOTPSXserial with a serial/USB cable, using the command nops /fast /mcup 0 FILE.mcd COMPORT, where FILE.mcd is the image file corresponding to your console model and COMPORT is your computer's serial port.

FreePSXBoot does not work on the PlayStation 2. See the [PS2 Dev Wiki] for the attempted application of FreePSXBoot to the PS2.

Tonyhax

Tonyhax is a software loader exploit for the Sony PlayStation 1 that also works on earlier models of the PlayStation 2. Although the name "tonyhax" suggests a link with the Tony Hawk's game whose savedata vulnerability can be used as an entry point, Tonyhax works with all sorts of entry points, such as modchips or FreePSXBoot on the PS1, or PS1 savedata exploits in other games like Final Fantasy IX, Sports Superbike, etc.

The SCPH-50XXX to SCPH-90XXX PS2 models are not supported by tonyhax. See the [PS2 Dev Wiki] for the application of tonyhax to the PS2.

PS Game Savedata

Confirmed

| Game/Application name | Title ID | Vulnerability | Summary | Revisions | Date of the discovery | Author of the discovery |
|---|---|---|---|---|---|---|
| Brunswick Circuit Pro Bowling | SLUS-00571, SLES-01376 | Stack buffer overflow via unchecked custom bowler name length | Brunswick Circuit Pro Bowling lets players create their own bowlers (physical appearance and name). The bowler's name is limited to 15 characters. When the player creates a name it is copied to the stack, but the string length is not checked. With a very long string one can overwrite the stack and take control of the return address ($ra register) to eventually jump to unsigned code in the savegame. | 1.0 | January 20th, 2019 | ChampionLeake |
| Brunswick Circuit Pro Bowling 2 | SLUS-00856, SLES-02618 | Stack buffer overflow via unchecked custom bowler name length | Same as the Brunswick Circuit Pro Bowling exploit. | 1.0 | January 20th, 2019 | ChampionLeake |
| Castlevania Chronicles | SLUS-01384, SLES-03532, SLPM-86754 | Stack buffer overflow via unchecked player name length | The player name is limited to 8 characters when creating a savedata slot (in both the original and arranged modes of the game). Since the string length is not checked, a very long string can overwrite several saved registers on the stack, including the return address ($ra register), to eventually jump to unsigned code in the savedata. [1], [2] | N/A | August 12th, 2018 | ChampionLeake |
| Castrol Honda Super Bike Racing | SLUS-00882, SLES-01182, SLPM-86489 | | | N/A | ?2022? | ?alex-free? |
| Castrol Honda VTR | SLES-02942, SLPM-86922 | | Same as the Castrol Honda Super Bike Racing exploit. | N/A | ?2022? | @FMecha_EXE, alex-free |
| Cool Boarders 4 | SCUS-94559, SCES-02283, SLPS-02527 | | The savedata file format and checksums differ slightly between the EU, US and JP versions. | N/A | ?2022? | Gerardo Rodriguez, alex-free |
| Crash Bandicoot 2: Cortex Strikes Back | SCUS-94154, SCES-00967 | | | N/A | 2014, ?2022? | qwikrazor87, Acid_snake, ?alex-free? |
| Crash Bandicoot 3: Warped | SCUS-94244, SCES-01420, SCPS-10073, SCPS-45350, SCPS-91164, SCPS-91318 | | Same as the Crash Bandicoot 2: Cortex Strikes Back exploit. | N/A | 2014, ?2022? | qwikrazor87, Acid_snake, ?alex-free? |
| Dokiou-ki, Doki Oki (Japanese: 土器王紀) | SLPS-00130 | | | N/A | ?2022? | ?alex-free? |
| Downhill Snow | SLPS-01391 | | | N/A | ?2022? | ?alex-free? |
| Final Fantasy IX (Disc 1) | SLUS-01251, SLES-02965, SLES-02966, SLES-02967, SLES-02968, SLES-02969, SCPS-45500, SLPM-87388, SLPS-02000 | | Exploit type A works on consoles with BIOS versions 1.0-2.0. Exploit type B works on all newer BIOS versions (v2.1 to 5.0). | N/A | ?2022? | ?alex-free? |
| Sports Superbike | SLES-03057 | | [3] | N/A | 2014 | qwikrazor87 and Acid_snake |
| Sports Superbike 2 | SLES-03827, SLUS-01459 | | Same as the Sports Superbike exploit. The exploit crashes when entering the Championship menu, but works when going to the Single Race option. [4] | N/A | 2014 | qwikrazor87 and Acid_snake |
| Tekken 2 | SLPS-00300, SLPS-91055, SLUS-00213, SCED-00467, SCED-00494 | | [5], [6] | N/A | 2014, 2021 | qwikrazor87, Acid_snake (2014), krystalgamer (2021) |
| Tekken 3 | SCPS-45213, SCPS-45215, SLPS-01300, SLPS-91202, SLUS-00402, SCES-01237 | | Same as the Tekken 2 exploit. | N/A | 2014, 2021 | qwikrazor87, Acid_snake (2014), krystalgamer (2021) |
| Tony Hawk's Pro Skater 2 | SLUS-01066, SLES-02910, SLES-02908, SLES-02909 | Stack buffer overflow via unchecked custom skater name | The player can create their own skater (physical appearance, skateboard, name, etc.). The skater name is copied to the stack, but the string length is not checked. With a long skater name one can overwrite the stack and control the return address ($ra register) to eventually jump to unsigned code in the savegame. The overflow is triggered by selecting "Career Mode" and then the "Create a new career" option. | 1.0 | January 22nd, 2019 | ChampionLeake |
| Tony Hawk's Pro Skater 3 | SLUS-01419, SLES-03647, SLES-03645, SLES-03646 | | Same as the Tony Hawk's Pro Skater 2 exploit. | N/A | ?2022? | ?alex-free? |
| Tony Hawk's Pro Skater 4 | SLUS-01485, SLES-03955, SLES-03954, SLES-03956 | | Same as the Tony Hawk's Pro Skater 2 exploit. | N/A | ?2022? | ?alex-free? |
| The Legend of Heroes I & II: Eiyuu Densetsu | SLPS-01323 | | | N/A | ?2022? | ?alex-free? |
| XS Moto | SLUS-01506, SLES-04095 | | Same as the Sports Superbike exploit. [7] | N/A | 2014 | qwikrazor87 and Acid_snake |

These flaws are relatively easy to find and exploit. There is a write-up on finding these savedata flaws here.

Pending Investigation

This is a list of games that have been suggested to be checked.

Harvest Moon: Back To Nature

SLUS-01115 (NPEF00286 on PS Store), SLES-02781 (NPUJ01115 on PS Store), SLUS-81115 (trade demo)

Discovered around 2015-09-28 by qwikrazor87.

Once you have installed the exploit file, start Harvest Moon: Back To Nature, then after about 20 seconds the screen should flash white.

Noon

Noon (ヌーン in Japanese), SLPM-86063 (NPJJ00466 on PS Store)

Discovered around 2014-04-19 by qwikrazor87 and vonjack.

Maybe not exploitable.

Wipeout

SCES-00010 (NPEE00004 on PS Store), SIPS-60003 (NPJI00035 on PS Store), SCUS-94301 (NPUI94301 on PS Store)

Discovered around 2014-04-08 by qwikrazor87 and vonjack.

Maybe not exploitable.

The Wipeout source code was leaked in 2022, and its code was rewritten by a fan.

Pinball Golden Logres (SuperLite 1500 Series)

SLPM-86260 (NPJJ00460 on PS Store)

Discovered around 2014-04-21 by qwikrazor87 and vonjack.

Maybe not exploitable.

Castlevania: Symphony of the Night

Maybe exploitable the same way as Castlevania Chronicles.

Username modification in savedata causes freeze.

Donald Duck: Quack Attack?!

Donald Duck: Quack Attack?! is the European name of the game; it is Donald Duck: Goin' Quackers in America and Paperino: Operazione Papero?! in Italy.

This game was made by Ubi Soft. It is "practically a clone of Crash Bandicoot 2/3". It also exists on PS2.

The game normally allows a name of 3 characters. Enlarging the name up to the first byte makes the game freeze.

Spyro 3

This game was not tested for savedata exploitation.

Spyro 3 uses the Naughty Dog engine.

Gran Turismo

For the PAL version (SCES-00984), when the CRC hash verification of the car settings savedata (e.g. "BESCES-00984CS") fails, the game jumps to an address that can be overwritten by data at offset 0x1F4AC of the savedata, or 0x14AC of the last sector of a 16-sector save that loops back onto itself.

A method to trigger car settings savedata loading is:

  • Enter Gran Turismo mode.
  • Buy a used car.
  • Go to Race -> Time Trial -> any track (Autumn Ring Mini is probably the fastest, though it hardly matters because loading a 16-sector save takes a long time).
  • Load your car settings.
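The unchecked-name-length overflows in the table above and the Gran Turismo checksum-failure path both come down to a save loader acting on card data it has not verified. The following C code is an added example (not code from the wiki or from any of these games) of the defensive shape: the record layout, the 32-byte name field and the use of CRC-32 are assumptions made here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the wiki or from any listed game. The record
 * layout and the CRC-32 polynomial are assumptions chosen for illustration. */
#define NAME_MAX 15                 /* the 15-character bowler-name limit above */

struct save_record {                /* constructed layout, not a real game's */
    uint8_t  name[32];              /* name field exactly as stored on the card */
    uint32_t crc;                   /* CRC-32 over name[] */
};

enum load_status { LOAD_OK = 0, LOAD_BAD_CRC = 1, LOAD_BAD_NAME = 2 };

/* Standard bitwise reflected CRC-32 (polynomial 0xEDB88320). */
static uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Loads the name into a caller buffer of NAME_MAX + 1 bytes. A checksum
 * mismatch rejects the whole record before any field is used (the failure
 * path must not act on the data), and the copy happens only after the length
 * is verified, so an over-long or unterminated name cannot run past the buffer. */
enum load_status load_record(const struct save_record *rec, char *out) {
    if (crc32(rec->name, sizeof rec->name) != rec->crc)
        return LOAD_BAD_CRC;
    const uint8_t *nul = memchr(rec->name, 0, sizeof rec->name);
    if (nul == NULL || (size_t)(nul - rec->name) > NAME_MAX)
        return LOAD_BAD_NAME;
    memcpy(out, rec->name, (size_t)(nul - rec->name) + 1);
    return LOAD_OK;
}

/* Builds a constructed record from a name, with a valid or deliberately
 * wrong checksum, so the three outcomes above can be exercised offline. */
struct save_record make_record(const char *name, int valid_crc) {
    struct save_record r;
    memset(&r, 0, sizeof r);
    strncpy((char *)r.name, name, sizeof r.name);  /* long names lose the NUL */
    r.crc = crc32(r.name, sizeof r.name) ^ (valid_crc ? 0u : 1u);
    return r;
}
```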

Gran Turismo 2 (USA v1.0, Japan v1.0)

Early versions of Gran Turismo 2 have a garage bug in the handling of speed test records that can corrupt garage data. Once the bug has happened, the game can crash after a text entry under the right conditions. To run into the glitch by accident, all you need to do is post ten times on a machine test leaderboard with at least two different cars, so it happens naturally to any dedicated player. Doing too many machine tests corrupts the garage, and adeyblue found out how to control it. A player fixed his car by using a memory editor. The address of your first car is adjacent to the leaderboard, which is why it gets overwritten.

Vulnerable versions are USA v1.0 (black label) and Japan v1.0. All PAL versions, USA v1.1 and USA v1.2 are not vulnerable.

Players have reported many horsepower glitches. There is a bug in the historic car cup on the Rome circuit where one of your opponents is a GT40 with 305 BHP while the limit for that race is 295 BHP; a player reported that it occurred 5 times in a row and then stopped. There is another glitch where the horsepower can climb into the ten thousands and the rest of the stats are corrupted, usually showing "no name no name"; when you try to drive the car it will not rev up or move an inch, and the corruption slowly spreads to all your other cars. This happened many times to one player, who had to start from the beginning several times because all his cars became glitched.

Crash Team Racing

It likely has character naming, and may be exploitable since some PlayStation Crash Bandicoot games have been exploited. Suggested by Patrick Vogt and Bowser Zeki.

Cart World Series

It has character naming. Suggested by Filiberto in a YouTube comment.

Jade Cocoon

It has character naming. Suggested by Shin m0h in a YouTube comment.

Spec Ops: Stealth Patrol (SLES-00844) & Spec Ops: Ranger Elite (SLES-03157)

Suggested via e-mail by Mew Mew.

Rally Championship (also known as Mobil 1 Rally Championship and Rally Championship 2000 Edition)

It has text input in multiple places for user names. Suggested by gamer4maker via e-mail.

Untested

  • Kids Station: LEGO no Sekai (see [12])
  • LEGO Racers (see [13])
  • LEGO Rock Raiders (see [14])
  • LEGO Island 2: The Brickster's Revenge (see [15])
  • Star Wars Episode I: Jedi Power Battles (see [16])
  • Star Wars Episode I: The Phantom Menace (see [17])
  • Star Wars: Dark Forces (see [18])
  • Tony Hawk's Pro Skater (also named Tony Hawk's Skateboarding), probably not exploitable because people exploited THPS 2, 3 and 4 but not the first
  • Wipeout 2097 (released as Wipeout XL in North America and Japan)
  • Wipeout 3
  • Final Fantasy VII
  • Tomb Raider 2, 3, 4, 5
  • Urban Chaos
  • Tarzan
  • Resident Evil Director's cut
  • Air Combat
  • Dino Crisis
  • Colin McRae Rally
  • Deathtrap Dungeon
  • Ridge Racer Revolution

Not Exploitable

These are games that developers have fuzzed or researched trying to find bugs. Any useless crashes, or games that do not crash at all, go here. This list exists to inform researchers which games have already been studied.

  • Family Feud - Using a large string for the family name does not seem to crash the game. In conclusion, the family name is not exploitable. Researched by ChampionLeake.
  • Breath of Fire III - Every text field in the savedata is of fixed length. Researched by alex-free.
  • Driver 2 - It causes the same graphical issues as Hogs of War, but nothing exploitable. Researched by Patrick Vogt.
  • Hogs of War - It has names that, when overwritten, just cause graphical issues in the team edition menu, but that is about it. Researched by alex-free.
  • International Soccer Pro '98 - Text is packed, so a payload would have to use only the lowest 7 bits of each byte. Aside from this, everything seems to be copied using strncpy. Interestingly, using an ASCII control character seems to make the game go haywire: it starts overwriting RAM endlessly. Researched by alex-free.
  • Mat Hoffman's Pro BMX - It uses the same engine as THPS, but there is no place where the user can enter text. Researched by alex-free.
  • Micro Machines V3 - The game uses the save text as the user's name, extracting it from between the parentheses. Removing these parentheses, or spacing them further apart than the game expects, causes a good part of RAM to be overwritten with '?', which is not really useful. Researched by alex-free.
  • Spider-Man - Its savedata contains text, but increasing its length just causes graphical issues. Savedata files have checksums. Researched by alex-free.
  • Croc: Legend Of the Gobbos (PAL) - The game does not seem to have any place where one could exploit it. [19]. Researched by socram8888.