Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 49: Line 49:
FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence.
FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence.


This also allows one the use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work.
This also allows use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work.


It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that.
It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that.
Line 89: Line 89:
==== FreeDVDBoot ====
==== FreeDVDBoot ====


An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). It supports all PS2 slim consoles, including the ones that do not support FreeMCBoot.
An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). Currently supports all slim consoles, including the ones that don't support FMCB.


==== ESR Vulnerability ====
==== ESR Vulnerability ====


Vulnerability to bypass PS2 disc reader anticopy protection system. Implemented by ffgriever in 2008.
Vulnerability to bypass PS2 disc reader anticopy protection system.


Allows to run burnt CD/DVD of PS2 games on a PS2 without any modchip. It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR homebrew.
Allows to run burnt PS2 CD/DVD on a PS2 without modchip. It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR.


ESR does not itself yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or Simple Media System and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content.
It does not yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or SMS and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content.


To use ESR vulnerabilities, two operations are necessary:
===Playstation 2 Linux RTE===
* the burnt CD/DVD inserted in the PS2 must contain ESR-patched content. To patch that content, one can use ESR Disc patcher/unpatcher program by ffgriever.
* the PS2 must execute the ESR homebrew.


Analysis:
====Linux====
* [https://web.archive.org/web/20140704003121/http://psx-scene.com/forums/f164/esr-file-do-i-use-120905/#post1116390 Explanation by ffgriever (2014-01-02)]
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=6957 Explanation by Jay-Jay (2016-01-03)]


Implementations:
Todo
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=15 ESR homebrew r10f by ffgriever]
* [https://gitlab.com/ffgriever/esr/ ESR homebrew r10f source code by ffgriever]
* [https://www.ps2-home.com/forum/viewtopic.php?f=27&t=9725 ESR Disc patcher/unpatcher by bootsector]
* [https://www.ps2-home.com/forum/download/file.php?id=15475 ESR Disc patcher command line edition v0.2 source code by bootsector]
* [https://www.ps2-home.com/forum/download/file.php?id=15466 ESR Disc patcher/unpatcher JAVA edition v0.2.4 by bootsector]
* [https://www.ps2-home.com/forum/download/file.php?id=15464 ESR Disc patcher/unpatcher GUI for Windows v0.24a by bootsector]
* [https://github.com/jerrys123111/ESRDiscPatcher ESR Disc patcher/unpatcher GUI for Windows source code by bootsector]
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=3361 ESRPatcher Pro for Windows Release 07-16-2009 source code by insanity5000]


=== Playstation 2 Linux RTE ===
=Games=


==== Linux ====
==Demo games==


To document
===PS2 Yabasic Exploit===
 
= Games =
 
== Demo games ==
 
=== PS2 Yabasic Exploit ===


Released on 12-10-2019 by CTurt.
Released on 12-10-2019 by CTurt.
Line 135: Line 117:
[https://github.com/CTurt/PS2-Yabasic-Exploit Exploit code by CTurt]
[https://github.com/CTurt/PS2-Yabasic-Exploit Exploit code by CTurt]


== Network games ==
==Network games==


It is possible to exploit network-capable games, to inject codes. This is perfect for Slim PS2 and people which can not move files to the MC.
It is possible to exploit Network-capable games, to inject codes!!!


TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap. TnA got the basic idea from some discoveries someone else mentioned.
This is perfect for Slim PS2 and people which can not move files to the MC!


The problem is to either inject it elsewhere, or find a way to run it.
TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap! TnA got the basic idea from some discoveries someone else mentioned.


== PS1 Savedata exploits ==
The problem is to either inject it elsewhere, or find a way to run it!


The existing FreePSXBoot exploit chain for PS1 does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different.
==PS1 Savedata exploits==
 
The existing FreePSXBoot exploit chain does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different.


In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072
In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072
Line 157: Line 141:
See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities].
See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities].


=== BOOT.ELF (Fat PS2 consoles only) ===
===BOOT.ELF (Fat consoles only)===
 
[https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)]
[https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)]


Please note that all contributions to PS2 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS2 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)