Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 8: Line 8:


== CD/DVD Swap tricks ==
== CD/DVD Swap tricks ==
=== PS2 Disc Swap Trick ===
The PS2 Disc Swap Trick uses a vulnerability in the PS2 disc label verification system of the PS2. Some PS2 games can take a long time to load ELF files from the disc and it is possible to swap the disc with a burnt one with the same file structure but where the ELF is an homebrew. This exploit was used as a cheap and more accessible alternative to the Swap Magic exploit. TnA made PS2 Disc Swap Trick famous in June 2008 and JNABK wrote a tutorial based on his instructions. The PS2 disc reader does not stop the disc before swapping and can hence cause the discs or drive to be damaged. Some users got their original PS2 discs scratched while trying the exploit.
* [https://www.1emulation.com/forums/topic/28441-turn-any-ps2-game-into-a-swap-disc/ Tutorial from 2008]


=== Swap Magic ===
=== Swap Magic ===
Line 43: Line 37:
Released on 15-08-2003 by Marcus R. Brown <mrbrown@0xd6.org>.
Released on 15-08-2003 by Marcus R. Brown <mrbrown@0xd6.org>.


Homebrew programs can be launched directly from a Memory Card on unmodified consoles by using a certain software that takes advantage of a long known and used exploit, dealing with the boot part of the EE/IOP process (PS2 Independence exploit). It was patched on the last batch of the PS2 SCPH-50000-series and the SCPH-55000GT special edition, which are known as "V11".
Homebrew programs can be launched directly from a Memory Card on unmodified consoles by using a certain software that takes advantage of a long known and used exploit, dealing with the boot part of the EE/IOP process (PS2 Independence exploit).
 
The PS2 Independence vulnerability consists in the fact that when a PS1 game is loaded, the PS1 game loader loads the savedata associated to this game from a PS2 memory card and executes the BOOT.ELF PS2 executable file contained in this savedata under the condition that the savedata also contains a valid TITLE.DB file. This vulnerability uses a PS1 game as a 'boot' disc to load a custom PS1 savedata which in turn runs arbitrary PS2 code. This method allows a PS2 to launch homebrews like uLaunchELF and then to install other PS2 exploits like FreeMCBoot.
 
To use this vulnerability, you need to craft a savedata specific to the PS1 game disc you have. You also need to transfer the modded savedata over the PS2 memory card. This can be done for example via an already hacked PS2, via a gameshark or similar cheat device, via a memory card adapter for PS3/PC and a PS3/PC, or via another PS2 usermode exploit. Once you place the modified PS1 game savedata onto a PS2 memory card, just insert your PS1 disc, and voila.


See [[PS2 Independence]].
See [[PS2 Independence]].
* [https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)]
==== Tonyhax ====
Tonyhax is a software loader exploit for the Sony PlayStation 1 that also works on earlier models of the PlayStation 2. Tonyhax requires a PS1 entrypoint exploit. Although the name "tonyhax" suggests a link with the Tony Hawk's game whose savedata vulnerability can be used as an entrypoint, Tonyhax works with all sort of entrypoints like modchips or FreePSXBoot on PS1 specifically, or PS1 savedata exploits in other games like Final Fantasy IX, Sports Superbike, etc.
The SCPH-50XXX - SCPH-90XXX PS2 models are not supported by tonyhax because both SetSession() and the unlock commands do not function on these models. The laser re-calibration also seems to be ignored resulting in sub-optimal disc reading performance on the newer models. Technically it can still boot games but with no CD audio support and poor disc reading performance so it is not officially supported whatsoever.
* https://orca.pet/tonyhax/
* https://alex-free.github.io/tonyhax-international/
==== FreePSXBoot (not working) ====
The existing FreePSXBoot exploit chain for PS1 does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different.
In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072
The code looks similar in 3.1.0 (last) mcman modules.
Briefly looking at it, it is possible to control where to write (basically positive 16 bit signed value), but not what value should be written (limited to 0-15), so a straightforward port of the FreePSXBoot chain is not possible. One would need to have knowledge of the thread stack layout at mcserv and afterwards, and possibly mirrored memory.
See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities#FreePSXBoot PS1 Dev Wiki].


=== OSDSYS ===
=== OSDSYS ===
Line 150: Line 117:
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=3361 ESRPatcher Pro for Windows Release 07-16-2009 source code by insanity5000]
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=3361 ESRPatcher Pro for Windows Release 07-16-2009 source code by insanity5000]


=== PlayStation 2 Linux RTE ===
=== Playstation 2 Linux RTE ===


==== Linux ====
==== Linux ====


To be documented.
To document
 
= Unclassified =
 
== Action Replay X-mas Exploit ==
 
This exploit utilizes cheats to "bend" the Action Replay to load a PS2 ELF file from USB. It requires an Action Replay disc that supports max media player.
 
An issue of this exploit is that the disc is very picky about which USB drives it supports, since at the time the Universal Serial Bus was only at version 1.1 and pretty new.


= Games =
= Games =
Line 178: Line 137:
== Network games ==
== Network games ==


It is possible to exploit some network-capable games to trigger custom PS2 code execution. Network exploits are an alternative to savedata exploits for example when you cannot move files to the Memory Card. TnA scarcely mentioned that method in January 2019 and it was finally made true in 2024 by grimdoomer who exploited the Tony Hawk's Pro Skater 4 game's network protocol.
It is possible to exploit network-capable games, to inject codes. This is perfect for Slim PS2 and people which can not move files to the MC.


On the Nintendo GameCube and on the Sega Dreamcast, a famous network exploit exists in the game Phantasy Star Online: Episode "1&2" (no public exploit for 1&2plus, nor 3). On PS2, there are similar network games like Phantasy Star Universe that might be vulnerable to remote code execution.
TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap. TnA got the basic idea from some discoveries someone else mentioned.
* https://www.gc-forever.com/wiki/index.php?title=PSOload
* https://wololo.net/2012/11/12/sega-dreamcast-how-its-security-works-and-how-it-was-hacked/


See also:
The problem is to either inject it elsewhere, or find a way to run it.
* [https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Playstation%202 Tutorial on how to setup PCSX2 and patch a game for network debug by grimdoomer (2024-07-24)]


=== Tony Hawk's games network exploits ===
== PS1 Savedata exploits ==


Most Tony Hawk's games on PS2 are vulnerable to network exploits. As of now, only Tony Hawk's Pro Skater 4 has been exploited but other target games are:
The existing FreePSXBoot exploit chain for PS1 does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different.
* Tony Hawk's Underground
* Tony Hawk's Underground 2, adapted to PSP in Tony Hawk's Underground 2: Remix
* Tony Hawk's Pro Skater 3, also on PS1
* Tony Hawk's American Wasteland
* Tony Hawk's Downhill Jam
* Tony Hawk's Project 8, also on PSP and PS3
* Tony Hawk's Proving Ground, also on PS3


=== Tony Hawk's Pro Skater 4 RCE ===
In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072


Tony Hawk's Pro Skater 4 was exploited on Micosoft Xbox and on PS2 by Grimdoomer on July 24th, 2024, via network.
The code looks similar in 3.1.0 (last) mcman modules.


PS2 exploit:
Briefly looking at it, it is possible to control where to write (basically positive 16 bit signed value), but not what value should be written (limited to 0-15).
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Playstation%202


Microsoft Xbox exploit:
So a straightforward port of the FreePSXBoot chain is not possible. For working on this exploit, it would need to have knowledge of the thread stack layout at mcserv and afterwards, and possibly mirrored memory.
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Xbox


== PS1 Savedata exploits ==
See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities].


The PS2 can play official PS1 games stored on CD. PS1 games require a PS1 memory card to save your game, even though you can copy PS1 savedata to a PS2 memory card, but only for archival purposes.
=== BOOT.ELF (Fat PS2 consoles only) ===


By inserting in a PS2 a vulnerable PS1 game, and in most cases also a PS1 memory card that contains an exploit savedata for that game, the PS2 can execute arbitrary PS1 code. It can then run PS1 games backups thanks to the tonyhax exploit.
[https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)]


PS2 controllers may be used to play PS1 games, but may need to disable analog sticks depending on the game. Some PS1 games are not compatible with the PS2. While the vast majority of PS1 games will work perfectly fine, 7500x and later Slims remove the PS1 CPU and RAM, replaced with full emulation, and the list of games that will not function properly or at all is a bit longer than 7000x Slim and Fat. For example, the PS1 multitap does not work on one model of PS2 Slim. See https://en.wikipedia.org/wiki/List_of_PlayStation_games_incompatible_with_PlayStation_2 for a list of compatibility issues.
There exists a vulnerability using a PS1 game as a 'boot' disc to load a modified savedata which in turn runs arbitrary code. This method allows for installation of homebrew such as FMCB. In order to utilize this vulnerability you would need a gameshark or similar cheat device to transfer the modded save over from USB and you also need a PC tool to make the savedata modifications and a USB pen drive to use as a medium to transfer the save data from PC>USB>MC. Once you place the modified PS1 game savedata onto a PS2 memory card, just load your boot disc, and voila.
 
The list of vulnerable PS1 games can be found on the [https://www.psdevwiki.com/ps1/Vulnerabilities PS1 Dev Wiki].


== PS2 Savedata exploits ==
== PS2 Savedata exploits ==
Line 222: Line 167:
{| class="wikitable"
{| class="wikitable"
|+
|+
!Title ID
!Game/Application
!Game/Application
!Vulnerability
!Vulnerability
!Description
!Description
!Patched
!Revisions
!Date of discovery
!Date of discovery
!Discovered/exploited by
!Discovered by
|-
|SLUS-21759, SLES-55133
|LEGO Indiana Jones: The Original Adventures
|To be documented.
|To be documented.
This vulnerability is also present in the Nintendo Wii version of the game, and maybe also in the PSP and PS3 versions too.
|No
|July 15th, 2020 (?September 2009? for Nintendo Wii)
|Fighter19 for PS2, fail0verflow for Nintendo Wii
|-
|-
|?
|Carol Vorderman's Sudoku
|Carol Vorderman's Sudoku
|Stack Buffer Overflow via unchecked string length
|Stack Buffer Overflow via unchecked string length
|The save data file stores plaintext profile and high-score names. One can use a large string to overwrite the stack and jump to unsigned code.
|The save data file stores plaintext profile and high-score names. One can use a large string to overwrite the stack and jump to unsigned code.
This vulnerability is also present in the PSP version of the game. See the [https://github.com/ChampionLeake/SudokuSTACK PSP exploit].
This vulnerability is also present in the PSP version of the game. See the [https://github.com/ChampionLeake/SudokuSTACK PSP exploit].
|No
|N/A
|December 2021 (2011-01-06 for PSP)
|December 2021 (2011-01-06 for PSP)
|ChampionLeake for PS2, Jeerum for PSP
|ChampionLeake for PS2, Jeerum for PSP
|-
|-
|?
|OKAGE: Shadow King
|Stack Buffer Overflow via unchecked "Player/Town" name length
|Successfully exploited and chained with mast1c0re sandbox escape for the PS4/PS5.
CTurt's Writeup: [https://cturt.github.io/mast1c0re.html Here]
McCaulay's Writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here]
|No
|September 14th, 2022
|CTurt, McCaulay for implementation
|-
|?
|Star Wars Racer Revenge
|Star Wars Racer Revenge
|Stack-Smash via unchecked "Record Name" length
|Stack-Smash via unchecked "Record Name" length
|The game allows players to record their names when breaking lap records on a course. However when displaying the Hall of Fame, the size of the names are not checked. Using a very large name can overwrite addresses on the stack and gain control of $ra, which can be used to jump to unsigned code.
|The game allows players to record their names when breaking lap records on a course. However when displaying the Hall of Fame, the size of the names are not checked. Using a very large name can overwrite addresses on the stack and gain control of $ra, which can be used to jump to unsigned code.
|No
|N/A
|August 2023
|August 2023
|ChampionLeake
|ChampionLeake
|-
|-
|?
|OKAGE: Shadow King
|GTA III and GTA Vice City Stories
|Stack Buffer Oveflow via unchecked "Player/Town" name length
|Stack Buffer Overflow via unchecked savedata size
|Successfully exploit through mast1c0re for the PS4/PS5.
|The game does a copy from the memory card into a fixed-size buffer with size supplied by the save data file.
CTurt's Writeup: [https://cturt.github.io/mast1c0re.html Here]
[https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 Bug in GTA III]
McCaulay's Writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here]
[https://github.com/halpz/re3/blob/37e9ec0d19cbd3cd25823089380fcdae558bee0b/src/save/MemoryCard.cpp#L363 Bug in GTA VCS]
|N/A
[https://cturt.github.io/mast1c0re.html CTurt's writeup]
|Maybe in PSP version of GTA VCS and in GTA LCS PSP
|September 14th, 2022
|September 14th, 2022
|CTurt thanks to re3 decompilation project
|CTurt & McCaulay
|-
|?
|Jak X: Combat Racing (PAL and NTSC, PAL has more symbols)
|Two exploits: String Buffer Overflow via unchecked profile name length (implemented) and Custom code injection via patch.bin file (not implemented)
|When saving data, the profile name can be copied out-of-bounds, allowing to redirect code execution. By injecting a signed file named patch.bin in the savedata folder, custom code can be executed by the game.
|Maybe in Greatest Hits/Platinum release (to be documented)
|September 26th, 2024
|CelesteBlue
|}
|}


=== Confirmed vulnerable games ===
=== Confirmed vulnerable games ===
==== LEGO Indiana Jones: The Original Adventures ====
LEGO Indiana Jones: The Original Adventures has been exploited initially on the Nintendo Wii by fail0verflow, and ten year later on the PlayStation 2 by Fighter19.
Nintendo Wii exploit:
* https://www.wiibrew.org/wiki/Indiana_Pwns
* https://archive.org/details/indiana-pwns-hack
PS2 exploit:
* https://www.psx-place.com/resources/ind1anapsm2sh.967/
* Steps:
1. Boot up your copy of LEGO Indiana Jones: The Original Adventures.
2. Load the exploit save.
3. Walk to the Art Room (through the Courtyard), approach the left character on the podium. When it zooms on him, choose the switch to option (two silhouettes, staggered, with an arrow pointing between them).
4. Fighter19's implementation of the exploit should pop up PS2 Fortuna Launcher.
LEGO Star Wars II: The Original Trilogy and LEGO Indiana Jones: The Original Adventures use a custom checksum:
* Offset: FileSize - 4
* Calc. Start: 0
* Calc. Length: FileSize - 4
<syntaxhighlight lang="csharp">
private int CalculateChecksum(byte[] data) {
    using (var xIO = new MasterIO(data, Endian.Big)) {
        int count = (data.Length / 4) - 1;
        int sum = 0x5C0999;
        for (int i = 0; i < count; ++i)
            sum += xIO.Reader.ReadInt32();
        return sum;
    }
}
</syntaxhighlight>
==== Carol Vorderman's Sudoku ====
TODO


==== OKAGE: Shadow King ====
==== OKAGE: Shadow King ====
Line 350: Line 226:
* The records pages data are stored as follows: each track has its own page. Each page contains three categories of records: best total time, best lap time and best KO's count. For each category of record, the three best records are stored as three signed int (4 bytes) for the time/most KO's count, followed by three 21-byte string for the player's name, which must be null-terminated as they are each copied using an unsafe strcpy function.
* The records pages data are stored as follows: each track has its own page. Each page contains three categories of records: best total time, best lap time and best KO's count. For each category of record, the three best records are stored as three signed int (4 bytes) for the time/most KO's count, followed by three 21-byte string for the player's name, which must be null-terminated as they are each copied using an unsafe strcpy function.


<syntaxhighlight lang="C">
<source lang="C">
typedef struct track_record_struct { // size is 0xEA bytes
typedef struct track_record_struct { // size is 0xEA bytes
   int best_total_time[3];
   int best_total_time[3];
Line 380: Line 256:
- 119000 NORMAL.ICO      -> standard PS2 savedata icon
- 119000 NORMAL.ICO      -> standard PS2 savedata icon
*/
*/
</syntaxhighlight>
</source>


===== Bug description =====
===== Bug description =====
Line 401: Line 277:
* It is guessed that at least 0xB7B bytes of the savedata can be overwritten with a MIPS shellcode without breaking the main menu.
* It is guessed that at least 0xB7B bytes of the savedata can be overwritten with a MIPS shellcode without breaking the main menu.
* savedata string address: 0x61b76c in pcsx2 but may depend on PS2 BIOS:
* savedata string address: 0x61b76c in pcsx2 but may depend on PS2 BIOS:
<syntaxhighlight lang="C">
<source lang="C">
PTR_DAT_00383100 = 0x4339a0;
PTR_DAT_00383100 = 0x4339a0;
MAIN_CTX_OFF = 0x2dc;
MAIN_CTX_OFF = 0x2dc;
Line 408: Line 284:
player_data_address = main_ctx + CTX_PLAYER_DATA_ADDR_OFF; // =(pcsx2)= 0x60b470 + 0x102f0 = 0x61B760;
player_data_address = main_ctx + CTX_PLAYER_DATA_ADDR_OFF; // =(pcsx2)= 0x60b470 + 0x102f0 = 0x61B760;
player_data_address = *0x00433C7C + 0x102f0; // in summary
player_data_address = *0x00433C7C + 0x102f0; // in summary
</syntaxhighlight>
</source>


===== Official cheat codes =====
===== Official cheat codes =====
Line 423: Line 299:
* When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page.
* When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page.


==== GTA III and GTA Vice City Stories ====
==== GTA III ====


* [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability]
* [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability]


The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata.
The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata.
==== Jak X: Combat Racing ====
See also [https://jakanddaxter.fandom.com/wiki/Bugs Jak and Daxter games bugs on jakanddaxter.fandom.com].
===== Profile name string overflow during saving - Jak a dit a dit haX =====
Discovered and exploited by CelesteBlue on September 26th, 2024.
A profile name is asked to the player when starting a new game, and the length is limited to 12 characters by keyboard. However, by crafting a custom savedata, it is possible to use a longer profile name where the 20, 21, 22 and 23th bytes overwrite the $v1 register when the game saves. This leads to $pc redirection and so to code execution by planting a shellcode in the savedata body.
Before loading a savedata, the game asks the user to choose between available ones. The game displays the profile names of the savedata, loaded from the header of each savedata file. The header profile name is only used for display and does not create any bug when overflown except visual ones during savedata loading. The body profile name must not be too long else the game freezes during loading savedata. If it is short enough, the savedata loads fine, but being long enough it can overflow and be used for exploitation when saving data. When the body filename length is intermediate, the savedata can be loaded, the overflow occurs, but when saving data, instead of saving properly or crashing, the game enters an infinite loop like with the other classical savedata bug.
The profile name length is an important parameter of the behaviour of the game:
* Profile name should be between 1 and 12 characters if no hack was used.
* Extending profile name to between 13 and 19 characters does not create any bug.
* With a profile name of 20 characters or more, the game will be affected. During the load of an evil savedata, there is not necessarily any strange behaviour except the graphical glitches of too long profile name, however when saving with this extended profile name, the game crashes.
* Between 20 and 23 characters, the savedata can be loaded and when saving data, the game crashes with user-controlled $pc. The best choice is 23 characters since it allows to control the four bytes of the $v1 register, whilst using 20 characters only control one byte of $v1.
* Between 24 and ? characters, the savedata can be loaded but when saving data, the game enters an infinite loop.
* With ? or more characters, the savedata cannot be loaded because the game freezes.
* It is not possible to load a profile name longer than (0x6400-0x50=0x63B0) characters because the body size and profile name offset are hardcoded.
Using a profile name longer than 19 characters overwrites $v1 with the DWORD at offset 19 of the profile name in the savedata body. The game remains stable when using 23 characters and there is no advantage in using more characters.
The constants for exploitation of Jak X NTSC (SCUS-97429) are:
<pre>
shellcode_ptr_addr = 0x248838 - 0x34 = 0x248804
shellcode_addr = 0x71C728
shellcode size = 0x6400 - 0x50 - 0x13 - 4 = 0x6399 (about 25 kB)
shelldata_size = 0x400 - 0x40 - 4 - 4 = 0x3B8 (about 1 kB)
</pre>
It is required to craft valid header and footer in the savedata files else the game loops infinitely on the savedata loading screen. A Jak X savedata contains a few files of name format "saveX-Y-ZZZZZZZZ.bin" where X, Y, and Z are some decimal numbers. The default savedata files that are created by the player are:
* save0-3-00000001.bin
* save1-1-00000000.bin
* save2-2-00000000.bin
* save3-3-00000000.bin
* save4-0-00000000.bin
The Jak X savedata files follow mostly the same structure as Jak 1, 2 and 3 but with a different magic (0xc0dfaced) and a different checksum algorithm (CRC32). The file is made of a 0x400-byte header followed by 0x6400 bytes of body and a footer that is just a 1:1 copy of the header. To craft a valid Jak X savedata, the steps are:
* generate a valid body, eventually with extended profile name
* generate a default header with valid magic, profile name, etc.
* compute CRC32 of the body and write it to the header
* in a file of name type "saveX-Y-ZZZZZZZZ.bin" write the header, then the body, then again the header
===== Custom code injection via patch.bin file =====
The game savedata contains a file named patch.bin whose aim is to be loaded at address 0x00C00000 then executed. There is no protection except a CRC32 checksum (with 0xEDB88320 polynomial) and a sort of obfuscated (yet to be understood) format for the patch data. It seems that the patch.bin file contains a DER certificate with inside a magic and a rc5 key. At another position in the patch.bin is located a rc5 encrypted buffer, which is also believed to contain a DER certificate. There may be even more layers of security verified after the rc5 decryption, like:
* some simple but undocumented obfuscation (xor, byte swap, etc.)
* some compression (LZO/miniLZO as in DGO/CGO files, ...)
* some encryption (des/des_ede/desx/rc2/rc5/rc5_64/rc6/gencrypt algorithm with cbc/ecb/cbc_interleaved/cfb/cfb_pipelined/ofb/ofb_pipelined mode and nopad/pad/stream choice of padding)
* some [[DNAS]] check by connecting to SCE remote servers
The patch.bin file must contain a little-endian header of 16 bytes followed by patch data of arbitrary size.
<syntaxhighlight lang="C">
typedef struct jakx_patch_bin_hdr { // size is 0x10 bytes
  uint32_t magic;
  uint32_t digest; // crc32 of data
  uint32_t unk; // maybe unused
  uint32_t size; // equals patch.bin size minus header size
} jakx_patch_bin_hdr;
typedef struct jakx_patch_bin { // size is (0x10 + size) bytes
  jakx_patch_bin_hdr header;
  char data[size];
} jakx_patch_bin;
</syntaxhighlight>
===== Corruption after game autosaving =====
There is a bug with the autosave feature in Jak X that corrupts save data on memory card. It was fixed in the Platinum / Greatest Hits versions of the game.
https://gamefaqs.gamespot.com/boards/927166-jak-x-combat-racing/41999721
===== Infinite loop after game saving =====
There is a bug, at least in PCSX2, where when starting the game for the first time and creating a new profile, the game freezes on the memory card saving screen after saving data. The save data is however well written and on next tries the game can be played as the save is correctly loaded.
The same bug can be triggered by going to the Profile settings and selecting "Save game". After saving, the game freezes as it enters an infinite loop in the R3000 IOP processor, at $pc address 0xBE9C on NTSC version. The R5900 Emotion Engine processor indefinitely waits for an answer from IOP, looping around $pc address 0x81FC0 on PAL, NTSC and NTSC Greatest Hits. CelesteBlue's first hypothesis is that there is a bug in the IOP code for memory card write, or in the IOP-EE communication code. CelesteBlue's second hypothesis is that during the game initialization, the game open files from the memory card (for example patch.bin at address 0x00100884 on PAL), but closes the fd only if some condition are met, which by default are not as the patch.bin file is invalid.
https://github.com/PCSX2/pcsx2/issues/6935
The NTSC Greatest Hits version of Jak X does not fix this problem.


==== Dark Cloud 1 and 2 ====
==== Dark Cloud 1 and 2 ====
Line 531: Line 323:


Dark Cloud 2 uses a scripting engine described [https://tcrf.net/User:Kojin/Dark_Cloud_2_Technical_Information#Scripting_Engine here].
Dark Cloud 2 uses a scripting engine described [https://tcrf.net/User:Kojin/Dark_Cloud_2_Technical_Information#Scripting_Engine here].
=== Possible vulnerable games ===
==== Robotech: Battlecry ====
Robotech: Battlecry was exploited on Microsoft Xbox and Nintendo GameCube by InvoxiPlayGames on July 30th, 2023.
It is a stack overflow in the profile name.
Nintendo GameCube and Microsoft Xbox exploit:
* https://github.com/InvoxiPlayGames/robohaxx
* Steps:
1. Launch Robotech: Battlecry.
2. At the main menu, select the "Load Game" option.
3. After a few seconds, the shellcode should get executed.
==== True Crime: Streets of LA ====
True Crime: Streets of LA was exploited on Nintendo GameCube by Zephiles on July 16th, 2024.
Nintendo Gamecube exploit:
* https://github.com/Zephiles/sola-exploit
* https://www.gc-forever.com/forums/viewtopic.php?t=5779
==== Metal Arms: Glitch in the System ====
Metal Arms: Glitch in the System was exploited on Microsoft Xbox by dj0wns on Jan 14th, 2022. It uses some format string vulnerabilities to achieve code execution.
Microsoft Xbox exploit:
* https://github.com/Rocky5/Xbox-Softmodding-Tool/commit/b1cc20a17f2e1a4ada02d357dcdec43d5699fc71
* https://github.com/Rocky5/Xbox-Softmodding-Tool/tree/master/Other/Game%20Saves/Extracted/MetalArms-NTSC/UDATA/5655000a
* https://github.com/Rocky5/Xbox-Softmodding-Tool/tree/master/Other/Game%20Saves/Extracted/MetalArms-PAL/UDATA/5655000a
* [https://www.youtube.com/watch?v=ibGwoItaMkE PoC video by zstorm4]
* There are 3 known official releases of Metal Arms - NTSC, PAL and World Collection (NTSC-J). For NTSC and World Collection use the NTSC save file. For PAL use the PAL save file. Instructions are the same for both save files.
* Steps:
1. Launch the "Metal Arms: Glitch in the System" game
2. Select Multiplayer
3. Select the profile ending in "%hn"
4. Start any multiplayer level
5. Quit out of the game
6. Back out to profile selection
7. Select the profile ending in "2nd"
8. At gametype selection press X (More) and then Y (New) to create a new gametype
9. Replace the name "Unnamed19" with "%255x%n%x%hn"
10. Hit Done and then A to accept
11. Go back to gametype selection (do not go back to profile selection or you will have to repeat from step 8)
12. Select any gametype and multiplayer level
13. Quit out of the game
==== Frogger Beyond ====
Frogger Beyond was exploited on Microsoft Xbox by agarmash on October 2nd, 2022 and on Nintendo Gamecube by Zephiles on December 16th, 2022.
Microsoft Xbox exploit:
* https://github.com/agarmash/FroggerBeyondExploit
* https://agarmash.com/posts/xbox-frogger-beyond-exploit/
* https://github.com/Rocky5/Xbox-Softmodding-Tool/tree/master/Other/Game%20Saves/Extracted/FroggerBeyond/UDATA/4b4e0013
* Steps:
1. Launch the "Frogger Beyond" game.
2. Select "Continue".
3. Select "Xbox hard disk".
4. Select "Freedom".
5. The shellcode should get executed.
Nintendo Gamecube exploit:
* https://github.com/Zephiles/fb-exploit
* https://www.gc-forever.com/forums/viewtopic.php?t=5326
==== Tom Clancy's Splinter Cell ====
Tom Clancy's Splinter Cell was exploited on Microsoft Xbox by Andrew “bunnie” Huang and Michael Steil of the Xbox-Linux project and released at the 20th Chaos Communication Conference (20C3) in December 2003, and on Nintendo Gamecube by FIX-94 on April 2nd, 2016.
Microsoft Xbox exploit:
* https://github.com/agarmash/FroggerBeyondExploit/blob/master/extras/splinter_cell_exploit_decryptor.c
* https://github.com/Rocky5/Xbox-Softmodding-Tool/tree/master/Other/Game%20Saves/Extracted/SC-NTSC/UDATA/5553000c
* https://github.com/Rocky5/Xbox-Softmodding-Tool/tree/master/Other/Game%20Saves/Extracted/SC-PAL/UDATA/5553000c
Nintendo Gamecube exploit:
* https://github.com/FIX94/splintercell-exploit-gc
* https://www.gc-forever.com/forums/viewtopic.php?t=3401
==== Tom Clancy's Splinter Cell: Pandora Tomorrow ====
Tom Clancy's Splinter Cell: Pandora Tomorrow was exploited on Nintendo Gamecube by FIX-94 on August 27th, 2018.
Nintendo Gamecube exploit:
* https://github.com/FIX94/pandoratomorrow-exploit-gc
* https://www.gc-forever.com/forums/viewtopic.php?t=4113
==== Tom Clancy's Ghost Recon 2 ====
Tom Clancy's Ghost Recon 2 was exploited on Nintendo Gamecube by FIX-94 on August 29th, 2018.
Nintendo Gamecube exploit:
* https://github.com/FIX94/ghostrecon2-exploit-gc
* https://www.gc-forever.com/forums/viewtopic.php?t=4118
==== BMX XXX ====
BMX XXX was exploited on Nintendo Gamecube by FIX-94 on June 11th, 2016.
Nintendo Gamecube exploit:
* https://github.com/FIX94/bmx_hax_gc
* https://www.gc-forever.com/forums/viewtopic.php?t=3492
==== James Bond 007: Agent Under Fire ====
In 2003, a hacker named Habibi-Xbox discovered a method to make the Xbox run Linux software, using a buffer overflow in the load/save feature in the disc game Agent Under Fire. Habibi found that by using one of several USB storage devices recognized by the Xbox, the "load game" screen can also be used to load other software, including compact versions of the Linux operating system. The buffer overflow vulnerability is also present in the GameCube version of the game, exploited by FIX-94 on March 11th, 2016, and probably in the PS2 version too. The buffer overflow seems to be overflowing the profile name of the save game. From Xbox exploit savedata analysis: "This starts at offset 0x28. You can notice this from the long string of FF's. Inside the pattern of bytes following the FF's, you can see that the E7 FF 2B is present in four different places. It is not just a coincidence. That turns out to be the address the buffer overflow is writing, which then execution jumps to. Only the last one is important, I can only assume the others are there to make a nice little pattern."
Microsoft Xbox exploit:
* https://github.com/Rocky5/Xbox-Softmodding-Tool/tree/master/Other/Game%20Saves/Extracted/007/UDATA/4541000d
* https://web.archive.org/web/20030411132938/http://www.xboxhacker.net:80/forums/index.php?act=ST&f=12&t=10520
* https://web.archive.org/web/20031003093240/http://xbox-linux.sourceforge.net:80/docs/007analysis.html
* https://github.com/agarmash/FroggerBeyondExploit/blob/master/extras/007_exploit_decryptor.c
Nintendo Gamecube exploit:
* https://github.com/FIX94/007-exploit-gc
* https://www.gc-forever.com/forums/viewtopic.php?t=3342
==== Tony Hawk's games ====
Tony Hawk's games on PS2:
* Tony Hawk's Underground
* Tony Hawk's Underground 2, adapted to PSP in Tony Hawk's Underground 2: Remix
* Tony Hawk's Pro Skater 3, exploited via savedata on PS1
* Tony Hawk's Pro Skater 4, exploited via savedata on PS1 and via network on PS2 and Xbox
* Tony Hawk's American Wasteland, exploited via savedata on Xbox and Xbox360
* Tony Hawk's Downhill Jam
* Tony Hawk's Project 8, also on PSP and PS3
* Tony Hawk's Proving Ground, also on PS3
As a lot of PS1, Microsoft Xbox, GameCube/DreamCast, and some PC Tony Hawk games (Tony Hawk's Pro Skater 2, 3 and 4) have been exploited successfully (see [https://www.psdevwiki.com/ps1/Vulnerabilities PS1 Dev Wiki]), since the source code of the PS2, Xbox, and GameCube versions of Tony Hawk's Underground game was leaked at
* https://github.com/thug1src/thug
and since the Tony Hawk's games usually save strings in savedata, there is a good chance of finding a vulnerability inside a PS2 Tony Hawk game.
See also:
* https://github.com/pedro-javierf/Sk8_Fix
==== Tony Hawk's Underground and Underground 2 ====
Tony Hawk's Underground was exploited on Nintendo GameCube by Grimdoomer on September 9th, 2024. Tony Hawk's Underground and Underground 2 are not exploitable via savedata on Microsoft Xbox because these games implement stack cookies so stack buffer overflow is not possible without a smarter exploit strategy. On PS2, the games seem exploitable.
Nintendo Gamecube exploit:
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Gamecube
* Steps:
1. Launch Tony Hawk Tony Hawk's Underground.
2. Choose free skate option from the main menu.
3. When you get to the level select screen choose "custom park"
4. Load the "Hack Gamecube" game save.
5. After the save is loaded, choose "start game".
6. The exploit will trigger during the loading screen and your homebrew file should run.
See also:
* https://github.com/thug1src/thug
* https://github.com/byxor/thug-pro-disassembly
==== Tony Hawk’s Pro Skater 3 ====
Tony Hawk's Pro Skater 3 was exploited on Microsoft Xbox by Grimdoomer on July 21th, 2024 via savedata.
Microsoft Xbox exploit:
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Xbox
* Steps:
1. Launch Tony Hawk’s Pro Skater 3 game.
2. Choose the free skate option from the main menu.
3. When you get to the level select screen choose "custom park"
4. Load the "Hack Xbox" game save.
5. After the save is loaded choose "start game".
6. You have to wait until the player spawns in.
7. Press pause.
8. Quit back to the main menu.
9. The exploit should get triggered.
The following PS2 Tony Hawk's games contain debug symbols:
* Tony Hawk’s Pro Skater 3 (Europe) SLES-50400 2001-09-19
* Tony Hawk’s Pro Skater 3 (France) SLES-50401 2001-10-09
* Tony Hawk’s Pro Skater 3 (Germany) SLES-50402 2001-10-07
* Tony Hawk’s Pro Skater 3 (USA) SLUS-20199 2001-09-10
* Tony Hawk’s Pro Skater 3 (USA) (Rev 1) SLUS-20199 2001-09-10
==== Tony Hawk’s Pro Skater 4 ====
Tony Hawk's Pro Skater 4 was exploited on Microsoft Xbox by Grimdoomer in April 2017 and on Nintendo GameCube on July 28th, 2024, through a hacked Park savedata file. Tony Hawk's Pro Skater 4 on PS2 is exploitable but maybe more in a way like on the GameCube than the one on PS1.
PS1 exploit:
* See [https://www.psdevwiki.com/ps1/Vulnerabilities PS1 Dev Wiki].
* The steps to trigger the exploit on PlayStation are:
1. Launch Tony Hawk Tony Hawk’s Pro Skater 4.
2. At the main menu, wait until the save game exploit file is automatically loaded (it should say "Loading TONYHAX US/EU/DE/FR", depending on the game’s region).
3. Select "CREATE SKATER".
4. Confirm the selection.
5. The exploit will trigger during the loading screen and your shellcode should run.
Nintendo GameCube exploit:
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Gamecube
* The steps to trigger the exploit on Nintendo GameCube are:
1. Launch Tony Hawk Tony Hawk’s Pro Skater 4.
2. Choose free skate option from the main menu.
3. When you get to the level select screen choose "custom park"
4. Load the "Hack Gamecube" game save.
5. After the save is loaded, choose "start game".
6. The exploit will trigger during the loading screen and your homebrew file should run.
Microsoft Xbox exploit:
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Xbox
* https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310
* https://www.reddit.com/r/originalxbox/comments/69bqv7/tony_hawks_pro_skater_4_is_now_an_exploitable/?rdt=57523
* https://github.com/Rocky5/Xbox-Softmodding-Tool/tree/master/Other/Game%20Saves/Extracted
* "Grimdoomer said that THPS4 exploit was more advanced than the others, but still a buffer overflow. Grimdoomer created a shellcode to make exploiting any game easier but currently has not released it due to getting hired by Microsoft. From a conversation we had: "I was just poking around some save games for null terminated strings, then fuzzed them, and then based on the results from fuzzing them I loaded the game into a disassembler and poked around to figure out where the buffer overflow was occurring and how big the stack was, etc."
* https://www.youtube.com/watch?v=tH8DBq5-vUY
* On Microsoft Xbox, there are 3 versions of the savedata: NTSC, PAL and Region Free. The PAL Classics edition of TH4 is Region Free, so requires the region free save.
Original PAL games may be PAL or Region Free. The French version of TH4 requires the PAL save.
* The steps to trigger the exploit on Microsoft Xbox are:
1) Launch Tony Hawk's Pro Skater 4.
2) Select "Free Skate"
3) Select "Any Character"
4) Select "Play Level"
5) Select "Created Park"
6) Select "Load Park"
7) Pick "Yes"
8) Select "Hack Xbox Park" (this is the name of the exploit savedata on Xbox)
9) Select "Play Park"
10) The game should execute the shellcode, or crash if the exploit savedata is bad
The following PS2 Tony Hawk's games contain debug symbols:
* Tony Hawk’s Pro Skater 4 (USA) (v1.02) SLPS-99999 2002-09-21
* Tony Hawk’s Pro Skater 4 (USA) (v2.01) SLPS-99999 2002-09-20
==== Tony Hawk's American Wasteland ====
Tony Hawk's American Wasteland was exploited on Microsoft Xbox and Xbox360 by Grimdoomer on July 21th, 2024 via Park savedata.
Microsoft Xbox exploit:
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Xbox
Microsoft Xbox360 exploit:
* https://github.com/grimdoomer/TonyHawksProStrcpy/tree/main/Xbox%20360
* Steps:
1. Launch Tony Hawk's American Wasteland.
2. Sign into the Player1 gamer profile.
3. Choose "Free skate" and once you get to the level select screen choose "custom park" and load the "Hack Xbox" park file.
4. Press "start game" and the exploit should trigger during the loading screen.


==== Soul Calibur III ====
==== Soul Calibur III ====
Line 788: Line 338:


https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3
=== Possible vulnerable games ===
==== Jak X: Combat Racing ====
There is a bug with the autosave feature that corrupts save data on memory card. It was fixed in the Platinum version of the game.
https://gamefaqs.gamespot.com/boards/927166-jak-x-combat-racing/41999721
There is a bug, at least in PCSX2, where when starting the game for the first time and creating a new profile, the game freezes on the memory card saving screen. The save data is however well written and on next tries the game can be played as the save is correctly loaded.
https://github.com/PCSX2/pcsx2/issues/6935
Profile name is limited to 12 characters by keyboard. The game displays up to ?32? characters and the profile name can be extended by editing saveX-Y-0000000Z.bin in the PSU savedata file. Extending profile name does not create any buffer overflow. The strings in the center of the saveX-Y-0000000Z.bin file cannot be edited for an unknown reason, else the game loops infinitely on the save data loading screen.


==== Metal Gear Solid 3: Subsistence ====
==== Metal Gear Solid 3: Subsistence ====


There is bug with the PCSX2 emulator and MGS3: Subsistence that causes save files to become corrupt. While the exact cause of this issue is unknown, anyone using the PCSX2 emulator with the saves below should wait a few seconds after accessing the memory to save the game and use the US BIOS. This seems to greatly reduce the likelihood of the bug corrupting the file. Also, do not save MGS3 on a memory card file that has a lot of other saves, because the bug corrupts the entire memory card.
There is bug with the PCSX2 emulator and MGS3: Subsistence that causes save files to become corrupt. While the exact cause of this issue is unknown, anyone using the PCSX2 emulaor with the saves below should wait a few seconds after accessing the memory to save the game and use the US BIOS. This seems to greatly reduce the likelihood of the bug corrupting the file. Also, do not save MGS3 on a memory card file that has a lot of other saves, because the bug corrupts the entire memory card.


https://retromaggedon.com/index.php/metal-gear-solid-3-subsistence-save-files-ps2/
https://retromaggedon.com/index.php/metal-gear-solid-3-subsistence-save-files-ps2/
Line 808: Line 372:
2. I had to restart the game. The game-save between chapters seemed to stop responding, so I turned it off. This corrupted the save file.
2. I had to restart the game. The game-save between chapters seemed to stop responding, so I turned it off. This corrupted the save file.


==== Electronic Arts games notably FIFA games ====
==== All FIFA games ====
 
A lot of Electronics Arts games have been exploited on PSP and on Nintendo DS so the PS2 may also have some exploitable games.


The following FIFA games were exploited on
FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara|DARA by CTurt].
* FIFA 06 (E) -> Nintendo DS
* FIFA 07 (E and U) -> Nintendo DS
* FIFA 08 (E) -> Nintendo DS
* FIFA 09 (E) -> Nintendo DS
* FIFA 10 (E) -> Nintendo DS
* FIFA 11 -> Nintendo DS, PSP
* FIFA 12 -> PSP
* FIFA Street 2 (E and U) -> Nintendo DS
* FIFA Street 3 (E) -> Nintendo DS
* FIFA World Cup 2006 (E) -> Nintendo DS


See also:
Moreover, a lot of Electronics Arts games are vulnerable on PSP.
* [https://www.psdevwiki.com/psp/Vulnerabilities PSP Dev Wiki Vulnerabilities]


==== Psychonauts ====
==== Psychonauts ====
Line 838: Line 389:
* SavedGame* file format is "\n"-separated with also bars (|) separators. On each line is a setting. Each setting is made of between 1 and three parts separated by bars. Table|<name>|<value>. The name part is mandatory.
* SavedGame* file format is "\n"-separated with also bars (|) separators. On each line is a setting. Each setting is made of between 1 and three parts separated by bars. Table|<name>|<value>. The name part is mandatory.
* There is a digest check on psu-embedded files as the game says that the "profile is damaged" when the savedata is edited without precaution. Using pypsu by McCaulay, one can extract files contained in the psu, but there are even more digests as any SavedGame* file is detected as "Damaged Save Game" after editing it too much. The SavedGame* files start with a 16-byte MD5 hash of the following data.
* There is a digest check on psu-embedded files as the game says that the "profile is damaged" when the savedata is edited without precaution. Using pypsu by McCaulay, one can extract files contained in the psu, but there are even more digests as any SavedGame* file is detected as "Damaged Save Game" after editing it too much. The SavedGame* files start with a 16-byte MD5 hash of the following data.
==== Tales of Symphonia ====
Tales of Symphonia is maybe exploitable on PS2 since Tales of Symphonia: Dawn of the New World was exploited on Nintendo Wii.
Nintendo Wii exploit:
* https://wiibrew.org/wiki/Eri_HaKawai
==== RPG Maker games ====
RPG Maker 2 (RPG Tsukūru 5) and RPG Maker 3 (RPG Tsukūru) are potentially exploitable on PS2 since RPG Maker Fes (RPG Tsukūru Fes) was exploited on Nintendo 3DS.
* RPG Maker (RPG Tsukūru 3) -> PS1
* PlayStation the Best: RPG Tsukūru 3 -> PS1
* RPG Tsukūru 4 -> PS1
* RPG Maker 2 (RPG Tsukūru 5) -> PS2, Nintendo DS
* RPG Maker 3 (RPG Tsukūru) -> PS2
* RPG Maker Fes (RPG Tsukūru Fes) -> exploited on Nintendo 3DS
See also:
* https://en.wikipedia.org/wiki/RPG_Maker_2
* https://en.wikipedia.org/wiki/RPG_Maker_3
* https://en.wikipedia.org/wiki/RPG_Maker
Nintendo 3DS exploit:
* https://github.com/ChampionLeake/RPwnG3
==== Yu-Gi-Oh! games ====
Some Yu-Gi-Oh! games on PS1, PS2 and PSP may be vulnerable to savedata exploits because Yu-Gi-Oh 5D's Wheelie Breakers was exploited on Nintendo Wii by ichfly on August 9th, 2010. It uses a buffer overflow in savedata.
Yu-Gi-Oh! games on PS1, PS2 and PSP:
* Yu-Gi-Oh! Monster Capsule: Breed and Battle -> PS1
* Yu-Gi-Oh! Forbidden Memories -> PS1
* Yu-Gi-Oh! The Duelists of the Roses -> PS2
* Yu-Gi-Oh! Capsule Monster Coliseum -> PS2
* Yu-Gi-Oh! GX: The Beginning of Destiny -> PS2
* Yu-Gi-Oh! GX: Tag Force -> PSP
* Yu-Gi-Oh! GX: Tag Force 2 -> PSP
* Yu-Gi-Oh! GX: Tag Force 3 -> PSP
* Yu-Gi-Oh! 5D's: Tag Force 4 -> PSP
* Yu-Gi-Oh! 5D's: Tag Force 5 -> PSP
* Yu-Gi-Oh! 5D's: Tag Force 6 -> PSP
* Yu-Gi-Oh! Arc-V Tag Force Special -> PSP
Nintendo Wii exploit:
* https://wiibrew.org/wiki/Yu-Gi-OWNED!
* https://wiibrew.org/wiki/Yu-Gi-Vah
See also:
* [https://www.psdevwiki.com/ps1/Vulnerabilities PS1 Dev Wiki Vulnerabilities]
* [https://www.psdevwiki.com/psp/Vulnerabilities PSP Dev Wiki Vulnerabilities]


==== Lego games ====
==== Lego games ====
LEGO Indiana Jones was exploited on PS2 and Nintendo Wii, Lego Batman: The Videogame was exploited on Nintendo Wii, so other LEGO games on PS2 are probably also vulnerable.
* LEGO Batman: The Videogame -> exploited on Nintendo Wii
* LEGO Indiana Jones: The Original Adventures -> exploited on Nintendo Wii and PS2
* LEGO Star Wars: The Video Game -> exploited on Nintendo Wii through Lego Star Wars: The Complete Saga
* LEGO Star Wars II: The Original Trilogy -> exploited on Nintendo Wii through Lego Star Wars: The Complete Saga
* Soccer Mania
See also:
* [https://www.psdevwiki.com/ps1/Vulnerabilities PS1 Dev Wiki Vulnerabilities]
* [https://www.psdevwiki.com/psp/Vulnerabilities PSP Dev Wiki Vulnerabilities]
==== LEGO Batman: The Videogame ====
LEGO Batman: The Videogame was exploited on Nintendo Wii.
Nintendo Wii exploit:
* https://wiibrew.org/wiki/Bathaxx
LEGO Batman: The Videogame may use the same checksum as LEGO Star Wars II: The Original Trilogy and LEGO Indiana Jones: The Original Adventures, or the newer checksum used on PS3:
* Offset: 12
* Calc. Start: 16
* Calc. Length: Filesize - 16
<syntaxhighlight lang="csharp">
private int CalculateChecksum(byte[] data, int offset, int size) {
    int sum = -1;
    for (int i = 0; i < size; ++i) {
        sum *= 0x1000193;
        sum ^= data[offset++];
    }
    return ~sum;
}
</syntaxhighlight>
* https://tcrf.net/LEGO_Batman:_The_Videogame_(Windows,_PlayStation_Portable,_PlayStation_2,_PlayStation_3,_Wii,_Xbox_360)
==== LEGO Star Wars: The Video Game ====
LEGO Star Wars: The Video Game was exploited on Nintendo Wii through Lego Star Wars: The Complete Saga.
Nintendo Wii exploit:
* https://wiibrew.org/wiki/Return_of_the_Jodi
LEGO Star Wars: The Video Game may use the same checksum as LEGO Star Wars II: The Original Trilogy and LEGO Indiana Jones: The Original Adventures or no checksum at all.
* https://tcrf.net/LEGO_Star_Wars:_The_Video_Game_(PlayStation_2)
* https://tcrf.net/LEGO_Star_Wars:_The_Video_Game_(GameCube)#Development_Leftovers
* https://tcrf.net/LEGO_Star_Wars:_The_Video_Game_(PlayStation_2)/Debug_Menu
* https://tcrf.net/Notes:LEGO_Star_Wars:_The_Video_Game_(PlayStation_2)
==== LEGO Star Wars II: The Original Trilogy ====
LEGO Star Wars II: The Original Trilogy was exploited on Nintendo Wii through Lego Star Wars: The Complete Saga.
Nintendo Wii exploit:
* https://wiibrew.org/wiki/Return_of_the_Jodi


LEGO Star Wars II: The Original Trilogy and LEGO Indiana Jones: The Original Adventures use a custom checksum:
LEGO Star Wars II: The Original Trilogy and LEGO Indiana Jones: The Original Adventures use a custom checksum:
Line 955: Line 397:
* Calc. Length: FileSize - 4
* Calc. Length: FileSize - 4


<syntaxhighlight lang="csharp">
<source lang="csharp">
private int CalculateChecksum(byte[] data) {
private int CalculateChecksum(byte[] data) {
     using (var xIO = new MasterIO(data, Endian.Big)) {
     using (var xIO = new MasterIO(data, Endian.Big)) {
Line 965: Line 407:
     }
     }
}
}
</syntaxhighlight>
</source>


* https://tcrf.net/LEGO_Star_Wars_II:_The_Original_Trilogy_(PlayStation_2)
LEGO Star Wars may use the same checksum or no checksum at all. LEGO Batman: The Videogame may use the same checksum or the newer checksum:
 
* Offset: 12
==== Soccer Mania ====
* Calc. Start: 16
 
* Calc. Length: Filesize - 16
Soccer Mania is a LEGO themed soccer videogame on PS2, made by the same developers behind LEGO Island 2: The Brickster's Revenge on PS1.
<source lang="csharp">
 
private int CalculateChecksum(byte[] data, int offset, int size) {
* https://tcrf.net/Soccer_Mania_(PlayStation_2)
    int sum = -1;
 
    for (int i = 0; i < size; ++i) {
==== Bionicle ====
        sum *= 0x1000193;
 
        sum ^= data[offset++];
* https://tcrf.net/Bionicle_(PlayStation_2)
    }
 
    return ~sum;
==== Bionicle Heroes ====
}
 
</source>
* https://tcrf.net/Bionicle_Heroes
 
==== Sly Cooper and the Thievius Raccoonus ====
 
* https://github.com/TheOnlyZac/sly1
* https://github.com/zzamizz/weed-sheet
 
==== Star Wars: Starfighter ====
 
* https://tcrf.net/Star_Wars:_Starfighter_(PlayStation_2)
* https://gist.github.com/SlyCooperReloadCoded/8b613312626e7897651ca30049d4b084
 
==== Star Wars: Jedi Starfighter ====
 
* https://tcrf.net/Star_Wars:_Jedi_Starfighter
 
==== Star Wars Episode III: Revenge of the Sith ====
 
* https://tcrf.net/Star_Wars_Episode_III:_Revenge_of_the_Sith


==== List of other games ====
==== List of other games ====


See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable.
See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable.
Please note that all contributions to PS2 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS2 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "https://www.psdevwiki.com/ps2/Vulnerabilities"