Vulnerabilities
== Mechanics Controller ==
The [[MechaCon]], upon receiving power, loads the ROM patches from its EEPROM.
Patches can be updated over the PMAP interface in test mode.
The security checks performed on the patch data are three checksums over the DES-ECB encrypted data.
One can brute-force the DES key and apply their own patches.
= Software =
The PS2 Independence exploit was released on 15-08-2003 by Marcus R. Brown <[email protected]>.
Homebrew programs can be launched directly from a memory card on unmodified consoles by using software that takes advantage of a long-known and widely used exploit in the boot part of the EE/IOP process (the PS2 Independence exploit).
See [[PS2 Independence]].
==== FreeHDBoot ====
The newest versions of Free McBoot, version 1.90 and newer, can also install to and boot from both Sony and non-Sony HDDs when using a "fat" PS2 and network adapter.[3] This support is called FreeHDBoot or FHDB. With a few minor issues, it is now possible to game entirely from the HDD, without needing the optical disc drive or a physical memory card.
==== Fortuna ====
Released on 12-02-2019 by krat0s.
Fortuna is a homebrew launcher for late-model PS2s: every PS2 from the 1.90 ROMVER 50k model up to the TV can be exploited by scrolling to a memory card icon and "backing out" of the menu.
==== Opentuna ====
An open-source version of Fortuna. It supports almost all PS2 models, from the SCPH-18000 to the very last. The exploit has not been ported to the 10k and 15k models; doing so proved quite challenging, probably because these models do not have compressed OSDSYS programs. Different files are needed depending on the console version.
===== Requirements =====
*A PS2 memory card
*A way to transfer files to the memory card (one-time setup)
*Making sure the hacked icon is displayed first (OSDSYS icon order is based on date)
===== The exploit =====
Fortuna/Opentuna exploit a vulnerability in the RLE decompression routine used for memory card icon textures, which allows raw executables to be copied into a protected area of RAM and executed when going back to the main menu. Alex Párrado, creator of Opentuna, left a [https://www.psx-place.com/#tab_1710732308 technical write-up on how it works].
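The bug class behind this, as an added example that is not Opentuna's code and does not use the real PS2 icon texture encoding: a simplified run-length format (an assumption for the demo) whose decoder trusts the run lengths found in the attacker-controlled icon file and writes past a fixed-size texture buffer, beside a decoder for the same format that checks every run against the remaining capacity. The format, the 8-word texture size and the crafted and benign streams are all constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified run-length format used for this demo (an assumption, not the
 * real PS2 icon texture encoding). Each control word c is followed by:
 *   c & 0x8000 set -> literal run: the next (c & 0x7FFF) words are copied as-is
 *   otherwise      -> repeat run: the next single word is written c times
 */
#define CTRL_LITERAL 0x8000u

/* Vulnerable decoder, modelled on the bug class described above: run lengths
 * come straight from the icon file and are never compared with the capacity
 * of the destination. Returns the number of words written. In firmware the
 * destination is a fixed-size texture buffer, so a crafted icon writes past
 * its end into whatever memory follows it. */
size_t rle_decode_unchecked(const uint16_t *in, size_t in_words,
                            uint16_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    (void)out_cap;                      /* the whole bug: capacity is ignored */
    while (ip < in_words) {
        uint16_t c = in[ip++];
        if (c & CTRL_LITERAL) {
            size_t n = c & 0x7FFFu;
            for (size_t i = 0; i < n && ip < in_words; i++)
                out[op++] = in[ip++];
        } else {
            if (ip >= in_words)
                break;
            uint16_t v = in[ip++];
            for (size_t i = 0; i < c; i++)
                out[op++] = v;
        }
    }
    return op;
}

/* Hardened decoder for the same format: every run is checked against both the
 * remaining input and the remaining output capacity before anything is written,
 * and the stream must decode to exactly out_cap words (a texture has a fixed
 * size, so anything else is malformed). Returns words written, or -1. */
long rle_decode_checked(const uint16_t *in, size_t in_words,
                        uint16_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_words) {
        uint16_t c = in[ip++];
        size_t n;
        if (c & CTRL_LITERAL) {
            n = c & 0x7FFFu;
            if (n > in_words - ip)  return -1;   /* literal run runs past the input */
            if (n > out_cap - op)   return -1;   /* would overflow the texture buffer */
            memcpy(out + op, in + ip, n * sizeof *out);
            ip += n;
        } else {
            n = c;
            if (ip >= in_words)     return -1;   /* repeat run has no value word */
            if (n > out_cap - op)   return -1;   /* would overflow the texture buffer */
            uint16_t v = in[ip++];
            for (size_t i = 0; i < n; i++)
                out[op + i] = v;
        }
        op += n;
    }
    return op == out_cap ? (long)op : -1;
}

/* Constructed demo data: the "texture" is only 8 words, but the crafted stream
 * asks for a repeat run of 64 words. The scratch buffer is deliberately larger
 * than the declared capacity so this demo itself stays in bounds; the return
 * value shows how far a real 8-word buffer would have been overrun. */
#define TEX_WORDS     8
#define SCRATCH_WORDS 256

static const uint16_t crafted[] = { 64, 0xBEEF };                              /* repeat 0xBEEF x64 */
static const uint16_t benign[]  = { 3, 0x1111, CTRL_LITERAL | 5, 1, 2, 3, 4, 5 }; /* 3 + 5 = 8 words */

size_t demo_overflow_words(void)
{
    uint16_t scratch[SCRATCH_WORDS] = {0};
    return rle_decode_unchecked(crafted, 2, scratch, TEX_WORDS);        /* 64 */
}

long demo_hardened_rejects(void)
{
    uint16_t scratch[SCRATCH_WORDS] = {0};
    return rle_decode_checked(crafted, 2, scratch, TEX_WORDS);          /* -1 */
}

long demo_hardened_accepts(void)
{
    uint16_t tex[TEX_WORDS];
    return rle_decode_checked(benign, sizeof benign / sizeof benign[0], tex, TEX_WORDS); /* 8 */
}

int main(void)
{
    printf("unchecked decoder wrote %zu words into an %d-word texture\n",
           demo_overflow_words(), TEX_WORDS);
    printf("checked decoder on crafted stream: %ld\n", demo_hardened_rejects());
    printf("checked decoder on benign stream:  %ld\n", demo_hardened_accepts());
    return 0;
}
```

The unchecked decoder reports 64 words emitted for an 8-word texture; in the demo the writes land in an oversized scratch buffer, but on a real fixed-size buffer that is a 56-word overrun controlled entirely by the icon file. The checked decoder rejects the same stream before writing anything, and also refuses streams that decode to the wrong length, since a texture that is too short is as suspect as one that is too long.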
TnA writes it is a bit similar to this bug:
"There seems to be either an issue in FMCB/FHDB's payload, or the OSDSYS has a fault which can cause code injection via text strings which use opcodes or some instructions.
I can get it to freeze with some funky OSDSYS item names... I haven't tested, however, if this also happens with some weird MC save name strings (not the folder name on MC, but the actual shown name in the OSDSYS) without FMCB...
Why? The idea was a 'kick-start' icon which has the weird name and starts an ELF from MC. The only issue is that, if it works, it would be immediately triggered once the name is parsed."
See [https://www.ps2-home.com/forum/viewtopic.php?f=107&t=8542].
===== Oddities =====
The Fortuna/Opentuna exploit fails if the console is rendering some Japanese characters, either from a save file or because the console language is set to Japanese.
During late test stages of Opentuna, it was found that if the hack is triggered from Browser 2.0, the console stops recognizing the memory card until you shut it down completely.
When the OSDSYS parses the hacked icon, any save folder using built-in icons (e.g. "Your System Configuration") stops being rendered, showing no 3D icon model, just like the exploit icon.
=== DVDPL (DVD Player) ===
It does not yield code execution, but once you have the ability to load code, you can access content on burned (video) DVDs which carry DVD-Video content. This vulnerability is used in different apps like ESR or SMS and in varying 'formats' like ESR discs or simple video DVDs with extra content.
=== Playstation 2 Linux RTE ===
==== Linux ====
Todo
= Games =
== Demo games ==
=== PS2 Yabasic Exploit ===
Released on 12-10-2019 by CTurt.
[https://github.com/CTurt/PS2-Yabasic-Exploit Exploit code by CTurt]
== Network games ==
It is possible to exploit network-capable games to inject code.
The problem is to either inject it elsewhere, or find a way to run it.
== PS1 Savedata exploits ==
The existing FreePSXBoot exploit chain does not work on the PS2 (mainly inside mcman), because the internal structure is different.
See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities].
=== BOOT.ELF (Fat consoles only) ===
[https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)]
== PS2 Savedata exploits ==
=== A PS2 game by ChampionLeake ===
To be disclosed.