Vulnerabilities: Difference between revisions

From PS2 Developer wiki
Jump to navigation Jump to search
Line 204: Line 204:
==== Star Wars Racer Revenge ====
==== Star Wars Racer Revenge ====


===== Save data format =====
* The save data has no digest. Strings can be modified and extended without making any crash.
* The save data has no digest. Strings can be modified and extended without making any crash.
* The records pages data are stored as follows: for each record, signed int (4 bytes) for the count/time, followed by ?22?-byte string.
* The records pages data are stored as follows: for each record, signed int (4 bytes) for the count/time, followed by ?22?-byte string.
===== Bug description =====
* max player name length allowed when breaking a record: 10 characters
* max player name length allowed when breaking a record: 10 characters
* max name length displayed in the record page: 21 characters
* max name length displayed in the record page: 21 characters
Line 211: Line 214:
* overflow size: >=257 -> freeze or crash during real time edit
* overflow size: >=257 -> freeze or crash during real time edit
* 256:256+16 -> overwrites s0 register
* 256:256+16 -> overwrites s0 register
===== Advices =====
* It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu.
* To enable some cheat codes, at the main menu, hold R1, R2, L1, L2 then enter the following codes:
** Unlock All Tracks: Press and hold R1, R2, L1, L2, then press right, left, right, left, circle, square, circle, square
** Unlock Art Galleries: right, square, left, circle, down, x, up, triangle
* When using a save data that was hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the page can be accessed. Pressing left or right makes sound but remains on this page.
* When using a save data that was hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the page can be accessed. Pressing left or right makes sound but remains on this page.



Revision as of 03:24, 21 September 2024

See also [1]. (to wikify).

Hardware

Modchips

See Modchips.

CD/DVD Swap tricks

Swap Magic

Swap Magic is a specialized PlayStation 2 game disc used for tricking the console into reading non-retail or burned game discs, homebrew software, or games outside the console's region. The software has existed since at least mid-2003, with several different versions of the disc having been developed.

Swap Magic and its related mods, such as the Magic Switch and Swap Tool, which are used to allow the user to swap discs without the system being aware, are notable over other methods (such as a modchip) due to the fact that they do not void the PS2's warranty.

See Swap Magic.

Mechanics Controller

The MechaCon upon receiving power loads the ROM patches from its EEPROM.

Patches can be updated over the PMAP interface in test mode.

The performed security checks on it is three checksums over the DES-ECB encrypted data.

One can bruteforce this encryption key and apply their own patches.

Software

Software in ROM (Operating System)

PS1DRV

PS2 Independence

Released on 15-08-2003 by Marcus R. Brown <[email protected]>.

Homebrew programs can be launched directly from a Memory Card on unmodified consoles by using a certain software that takes advantage of a long known and used exploit, dealing with the boot part of the EE/IOP process (PS2 Independence exploit).

See PS2 Independence.

OSDSYS

FreeMCBoot

Released on 23-05-2008 by jimmikaelkael (with help from Neme). Maintained since 14-09-2011 by SP193.

FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence.

This also allows use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work.

It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that.

See FreeMCBoot/FreeHDBoot.

FreeHDBoot

The newest versions of Free McBoot, version 1.90 and newer, also have the ability to install and boot from both Sony and non-Sony HDDs when using a "fat" PS2 and network adapter. This support is called FreeHDBoot or FHDB. With a few minor issues, it is possible to launch a game entirely from the HDD, without needing to use the optical disc drive nor a physical memory card.

Fortuna

Released on 12-02-2019 by krat0s.

Fortuna is an homebrew launcher for most PS2 models. Every PS2 from 1.90 ROMVER 50k model (SCPH-18000) to the very last (up to the PS2 TV) can be exploited by scrolling to an MC-Icon and "back out" of the menu. This exploit has not been ported to the 10k and 15k models, it proved to be quite challenging to do so, probably related to the fact that these models do not have compressed OSDSYS programs. Different files are needed depending on the console version. Opentuna is an open source version of Fortuna.

Requirements
  • A PS2 Memory Card
  • A way to transfer files to the Memory Card (one time setup)
  • Making sure the hacked icon is displayed first (OSDSYS icon order is based on date)
Bug description

Fortuna exploits a vulnerability on the RLE decompression routine used for memory card icon textures, allowing to copy raw executables to protected area on RAM, and achieving code execution when going back to main menu. Alex Párrado, creator of Opentuna, left a technical write-up on how it works.

TnA writes (see [2]) that Fortuna exploit is a bit similar to the following bug: "There seems to be either an issue in FMCB/FHDB's Payload, or the OSDSYS has a fault which can cause code-injection via text-strings which use opcodes or some instructions. I can get it to freeze, with some funky OSDSYS-Item-Names... I have not tested however if this also happens with some weird mc-save-name-strings (not the folder-name on MC, but the actual shown name in the OSDSYS), without FMCB... Why? The idea was a 'kick-start'-icon which has the weird name and starts an ELF from Memory Card. The only issue is that - if it works - it would be immediately triggered, once the name is parsed."

Oddities

Fortuna/Opentuna exploit fails if the console is rendering some Japanese characters, either from a save data file or by setting the console to Japanese language.

During late test stages of Opentuna, it was found that if the hack is triggered from the Browser 2.0, the console stops recognizing the memory card until the user shut it down completely.

When the OSDSYS parses the hacked icon, any save folder using built-in icons (e.g "your system configuration") will stop getting rendered, showing no icon 3D model, like the exploit icon.

DVDPL (DVD Player)

FreeDVDBoot

An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). Currently supports all slim consoles, including the ones that don't support FMCB.

ESR Vulnerability

Vulnerability to bypass PS2 disc reader anticopy protection system.

Allows to run burnt PS2 CD/DVD on a PS2 without modchip. It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR.

It does not yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or SMS and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content.

Playstation 2 Linux RTE

Linux

Todo

Games

Demo games

PS2 Yabasic Exploit

Released on 12-10-2019 by CTurt.

Writeup by CTurt

Exploit code by CTurt

Network games

It is possible to exploit Network-capable games, to inject codes!!!

This is perfect for Slim PS2 and people which can not move files to the MC!

TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap! TnA got the basic idea from some discoveries someone else mentioned.

The problem is to either inject it elsewhere, or find a way to run it!

PS1 Savedata exploits

The existing FreePSXBoot exploit chain does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different.

In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072

The code looks similar in 3.1.0 (last) mcman modules.

Briefly looking at it, it is possible to control where to write (basically positive 16 bit signed value), but not what value should be written (limited to 0-15).

So a straightforward port of the FreePSXBoot chain is not possible. For working on this exploit, it would need to have knowledge of the thread stack layout at mcserv and afterwards, and possibly mirrored memory.

See PS1 Dev Wiki Vulnerabilities.

BOOT.ELF (Fat consoles only)

Official sp193 guide (backup)

There exists a vulnerability using a PS1 game as a 'boot' disc to load a modified savedata which in turn runs arbitrary code. This method allows for installation of homebrew such as FMCB. In order to utilize this vulnerability you would need a gameshark or similar cheat device to transfer the modded save over from USB and you also need a PC tool to make the savedata modifications and a USB pen drive to use as a medium to transfer the save data from PC>USB>MC. Once you place the modified PS1 game savedata onto a PS2 memory card, just load your boot disc, and voila.

PS2 Savedata exploits

Game/Application Vulnerability Description Revisions Date of discovery Discovered by
Carol Vorderman's Sudoku Stack Buffer Overflow via unchecked string length The savefile stores plaintext profile & highscore names. There are no checks regarding the size-length of the profile & highscore names. Once can use a very large string to overwrite and gain control of the stack and jump to unsigned code.

This vulnerability was ported over to the PSP version of the game. See here

N/A December 2021 ChampionLeake
Star Wars Racer Revenge Stack-Smash via unchecked "Record Name" length The game allows players record their names when breaking lap records on a course. However, the size of the name is not checked. Using a very large name can overwrite addresses on the stack and gain control of the $ra, which can be used to jump to unsigned code. N/A August 2023 ChampionLeake
OKAGE: Shadow King Stack Buffer Oveflow via unchecked "Player/Town" name length Successfully exploit through mast1c0re for the PS4/PS5.

CTurt's Writeup: Here McCaulay's Writeup: Here

N/A September 14th, 2022 CTurt & McCaulay

Confirmed vulnerable games

OKAGE: Shadow King

Credits
  • CTurt for discovering these vulnerabilities in September 2021.
  • CTurt for public disclosure on twitter (2022-09-14)
  • flatz, balika011, theflow0, chicken(s), PlayStation for helping CTurt
  • McCaulay for sharing publicly his implementation in February 2023.
Analysis
Bug Description

Okage Shadow King has a typical stack buffer overflow if you extend the player or town name in a savedata.

Exploit Implementation

Star Wars Racer Revenge

Save data format
  • The save data has no digest. Strings can be modified and extended without making any crash.
  • The records pages data are stored as follows: for each record, signed int (4 bytes) for the count/time, followed by ?22?-byte string.
Bug description
  • max player name length allowed when breaking a record: 10 characters
  • max name length displayed in the record page: 21 characters
  • buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte)
  • overflow size: >=257 -> freeze or crash during real time edit
  • 256:256+16 -> overwrites s0 register
Advices
  • It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu.
  • To enable some cheat codes, at the main menu, hold R1, R2, L1, L2 then enter the following codes:
    • Unlock All Tracks: Press and hold R1, R2, L1, L2, then press right, left, right, left, circle, square, circle, square
    • Unlock Art Galleries: right, square, left, circle, down, x, up, triangle
  • When using a save data that was hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the page can be accessed. Pressing left or right makes sound but remains on this page.

GTA III

The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata.

Dark Cloud

Moving the cursor and pressing X on the same frame in the items menu allows us to pick up an item from out-of-bounds memory, which results in exploitable behaviour.

Soul Calibur III

overflow on real PS2

https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3

Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc

overflow on real PS2

https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3

Possible vulnerable games

World War Zero Iron Storm

It can crash and delete the save or something.

4x4 Evolution

Additional: Game will also create a 30kb corruption on your memory card, seemingly at random, though it is deletable.

Mafia - NTSC version

1. I had to redo one mission. A car chase hit-job ended with the mark dying in a car accident (fail). 2. I had to restart the game. The game-save between chapters seemed to stop responding, so I turned it off. This corrupted the save file.

All FIFA games

Possibly vulnerable FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See by CTurt.

List of other games

See a list of almost all PS2 games. Some may be vulnerable.