Editing Vulnerabilities
Latest revision | Your text
Line 17: | Line 17: | ||
See [[Swap Magic]]. | See [[Swap Magic]]. | ||
== Mechanics Controller == | === Mechanics Controller === | ||
The [[MechaCon]] upon receiving power loads the ROM patches from | The [[MechaCon]] upon receiving power loads the ROM patches from it's EEPROM. | ||
Patches can be updated over the PMAP interface in test mode. | Patches can be updated over the PMAP interface in test mode. | ||
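Review bot: in the "Your text" column of the MechaCon line, "from it's EEPROM" should read "from its EEPROM" (possessive, no apostrophe). The same hunk demotes the heading from "== Mechanics Controller ==" to "=== Mechanics Controller ==="; confirm the sibling hardware headings are demoted as well, otherwise this section drops one level below its neighbours.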
Line 25: | Line 25: | ||
The performed security checks on it is three checksums over the DES-ECB encrypted data. | The performed security checks on it is three checksums over the DES-ECB encrypted data. | ||
One can bruteforce | One can bruteforce that encryption key and apply their own patches. | ||
= Software = | = Software = | ||
== | == Operating System == | ||
=== PS2 Independence === | |||
Released on 15-08-2003 by Marcus R. Brown <[email protected]>. | Released on 15-08-2003 by Marcus R. Brown <[email protected]>. | ||
Homebrew programs can be launched directly from a | Homebrew programs can be launched directly from a memory card on unmodified consoles by using certain software that takes advantage of a long known and used exploit, dealing with the boot part of the EE/IOP process (PS2 Independence exploit). | ||
See [[PS2 Independence]]. | See [[PS2 Independence]]. | ||
=== FreeMCBoot === | |||
Released on 23-05-2008 by jimmikaelkael (with help from Neme). Maintained since 14-09-2011 by SP193. | Released on 23-05-2008 by jimmikaelkael (with help from Neme). Maintained since 14-09-2011 by SP193. | ||
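Review bot: the added sentence "One can bruteforce that encryption key and apply their own patches" states a capability with no source; since the preceding line says the only checks are three checksums over DES-ECB data, either cite where the key recovery was shown or soften it to what is actually known. Both columns also keep "The performed security checks on it is three checksums", which should be "The security checks performed on it are three checksums". In the PS2 Independence entry, "<[email protected]>" is the wiki's obfuscated e-mail placeholder rather than a real address; restore the address from the original revision or drop the angle-bracket part.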
Line 49: | Line 45: | ||
FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence. | FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence. | ||
This also allows | This also allows use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work. | ||
It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that. | It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that. | ||
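Review bot: "or boot image that can load an app that loads ELF files" is missing an article ("or a boot image ..."), and "without a trigger disc required unlike PS2 Independence" reads better as "without requiring a trigger disc, unlike PS2 Independence". The compatibility fact "SCPH-9000x model with BIOS 2.30 and up" is the one hard limit in this hunk; consider giving it its own sentence so it is not buried behind the installation caveats.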
Line 55: | Line 51: | ||
See [[FreeMCBoot/FreeHDBoot]]. | See [[FreeMCBoot/FreeHDBoot]]. | ||
=== FreeHDBoot === | |||
The newest versions of Free McBoot, version 1.90 and newer, also have the ability to install and boot from both Sony and non-Sony HDDs when using a "fat" PS2 and network adapter. This support is called FreeHDBoot or FHDB. With a few minor issues, it is possible to | The newest versions of Free McBoot, version 1.90 and newer, also have the ability to install and boot from both Sony and non-Sony HDDs when using a "fat" PS2 and network adapter.[3] This support is called FreeHDBoot or FHDB. With a few minor issues, it is now possible to game entirely from the HDD, without needing to use the optical disc drive nor a physical memory card. | ||
=== Fortuna === | |||
Released on 12-02-2019 by krat0s. | Released on 12-02-2019 by krat0s. | ||
Fortuna is an homebrew launcher for | Fortuna is an homebrew launcher for all PS2 models. | ||
That means EVERY PS2 including the TV can be exploited by scrolling to an MC-Icon and "back out" of the menu. | |||
Fortuna | Fortuna supports all PS2 models, from the first to the very last. However, different files are needed depending on the console version (SLIM or FAT). | ||
Requirements: | |||
*A PS2 Memory Card | |||
*A way to transfer files to the Memory Card (one time setup) | |||
Technical explanation on how it works will be provided later by krat0s. | |||
TnA writes it is a bit similar to this bug: | |||
"There seems to be either an issue in FMCB/FHDB's Payload, or the OSDSYS has a fault which can cause code-injection via text-strings which use opcodes or some instructions. | |||
I can get it to freeze, with some funky OSDSYS-Item-Names... I haven't tested however, if this also happens with some weird mc-save-name-strings (not the folder-name on MC, but the actual shown name in the OSDSYS), without FMCB... | |||
Why? The idea was a 'kick-start'-icon which has the weird name and starts an ELF from MC. The only issue is, that - if it works - it would be immediately triggered, once the name is parsed." | |||
== | See [https://www.ps2-home.com/forum/viewtopic.php?f=107&t=8542]. | ||
=== FreeDVDBoot === | |||
An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). | An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). Currently supports all slim consoles, including the ones that don't support FMCB. | ||
=== ESR Vulnerability === | |||
Vulnerability to bypass PS2 disc reader anticopy protection system | Vulnerability to bypass PS2 disc reader anticopy protection system. | ||
Allows to run burnt CD/DVD | Allows to run burnt PS2 CD/DVD on a PS2 without modchip. It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR. | ||
It does not yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or SMS and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content. | |||
=== Linux === | |||
Todo | |||
= Games = | = Games = | ||
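Review bot: the FreeHDBoot line in "Your text" adds a "[3]" footnote marker, but no reference list is part of this change; add the reference or drop the marker. In the Fortuna entry, "Fortuna is an homebrew launcher" should be "a homebrew launcher", and "Fortuna supports all PS2 models, from the first to the very last" restates the previous line; merge the two. "including the TV" does not say which device is meant, so name the model. The line "See [https://www.ps2-home.com/forum/viewtopic.php?f=107&t=8542]" replaces an unfinished "==" heading with an unlabelled bare link; give the link a label so it renders as more than a number. In the ESR entry, "Allows to run burnt PS2 CD/DVD" should be "Allows running burnt PS2 CDs/DVDs", "It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR" reads better as "FreeMCBoot/FreeHDBoot, Fortuna or Swap Magic is required to launch ESR", and "(Video-)DVDs, which have DVD-Video-content" says the same thing twice.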
Line 137: | Line 110: | ||
== Network games == | == Network games == | ||
It is possible to exploit | It is possible to exploit Network-capable games, to inject codes!!! | ||
This is perfect for Slim PS2 and people which can not move files to the MC! | |||
The problem is to either inject it elsewhere, or find a way to run it | TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap! TnA got the basic idea from some discoveries someone else mentioned. | ||
The problem is to either inject it elsewhere, or find a way to run it! | |||
== PS1 Savedata exploits == | == PS1 Savedata exploits == | ||
Maybe not exploitable on PS2. | |||
See [https://playstationdev.wiki/ps1devwiki/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities]. | |||
NOTE: There exists a vulnerability using a PS1 game as a 'boot' disc to load a modified savedata which in turn runs arbitrary code. I had previously used this vulnerability to install FMCB back when PS2 was in its prime. In order to utilize this vulnerability you would need a gameshark or something similar to transfer the modded save over from USB and you also need a PC tool to make the savedata modifications and a USB pen drive to use as a medium to transfer the save data from PC>USB>MC. I can't remember exactly at this time however if my memory serves you need to put the modified PS1 game savedata onto a PS2 memory card, then load your boot disc, and voila. I will find references and post them soon: Stinger101. | |||
There exists a vulnerability using a PS1 game as a 'boot' disc to load a modified savedata which in turn runs arbitrary code. | |||
== PS2 Savedata exploits == | == PS2 Savedata exploits == | ||
== a PS2 game by ChampionLeake == | |||
To be disclosed. |
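Review bot: the Stinger101 paragraph under "PS1 Savedata exploits" is a first-person talk-page note ("I had previously used this vulnerability...", "I will find references and post them soon"), and its opening sentence is repeated verbatim on the following line; keep the one-sentence statement in the article and move the personal recollection to the talk page until the references exist. "Maybe not exploitable on PS2." then sits directly above a paragraph saying a PS1 boot-disc savedata route does work; reconcile the two. In "Network games", "to inject codes!!!" should lose the exclamation marks, and "== a PS2 game by ChampionLeake ==" is at the same level as "== PS2 Savedata exploits ==" although it reads as an entry beneath it; use "===" if that is the intent.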