Vulnerabilities: Difference between revisions
CelesteBlue (talk | contribs) |
CelesteBlue (talk | contribs) |
||
(9 intermediate revisions by the same user not shown) | |||
Line 49: | Line 49: | ||
FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence. | FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence. | ||
This also allows use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work. | This also allows one the use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work. | ||
It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that. | It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that. | ||
Line 89: | Line 89: | ||
==== FreeDVDBoot ==== | ==== FreeDVDBoot ==== | ||
An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). | An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). It supports all PS2 slim consoles, including the ones that do not support FreeMCBoot. | ||
==== ESR Vulnerability ==== | ==== ESR Vulnerability ==== | ||
Vulnerability to bypass PS2 disc reader anticopy protection system. | Vulnerability to bypass PS2 disc reader anticopy protection system. Implemented by ffgriever in 2008. | ||
Allows to run burnt | Allows to run burnt CD/DVD of PS2 games on a PS2 without any modchip. It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR homebrew. | ||
ESR does not itself yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or Simple Media System and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content. | |||
To use ESR vulnerabilities, two operations are necessary: | |||
* the burnt CD/DVD inserted in the PS2 must contain ESR-patched content. To patch that content, one can use ESR Disc patcher/unpatcher program by ffgriever. | |||
* the PS2 must execute the ESR homebrew. | |||
== | Analysis: | ||
* [https://web.archive.org/web/20140704003121/http://psx-scene.com/forums/f164/esr-file-do-i-use-120905/#post1116390 Explanation by ffgriever (2014-01-02)] | |||
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=6957 Explanation by Jay-Jay (2016-01-03)] | |||
Implementations: | |||
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=15 ESR homebrew r10f by ffgriever] | |||
* [https://gitlab.com/ffgriever/esr/ ESR homebrew r10f source code by ffgriever] | |||
* [https://www.ps2-home.com/forum/viewtopic.php?f=27&t=9725 ESR Disc patcher/unpatcher by bootsector] | |||
* [https://www.ps2-home.com/forum/download/file.php?id=15475 ESR Disc patcher command line edition v0.2 source code by bootsector] | |||
* [https://www.ps2-home.com/forum/download/file.php?id=15466 ESR Disc patcher/unpatcher JAVA edition v0.2.4 by bootsector] | |||
* [https://www.ps2-home.com/forum/download/file.php?id=15464 ESR Disc patcher/unpatcher GUI for Windows v0.24a by bootsector] | |||
* [https://github.com/jerrys123111/ESRDiscPatcher ESR Disc patcher/unpatcher GUI for Windows source code by bootsector] | |||
* [https://www.ps2-home.com/forum/viewtopic.php?f=10&t=3361 ESRPatcher Pro for Windows Release 07-16-2009 source code by insanity5000] | |||
= | === Playstation 2 Linux RTE === | ||
== | ==== Linux ==== | ||
===PS2 Yabasic Exploit=== | To document | ||
= Games = | |||
== Demo games == | |||
=== PS2 Yabasic Exploit === | |||
Released on 12-10-2019 by CTurt. | Released on 12-10-2019 by CTurt. | ||
Line 117: | Line 135: | ||
[https://github.com/CTurt/PS2-Yabasic-Exploit Exploit code by CTurt] | [https://github.com/CTurt/PS2-Yabasic-Exploit Exploit code by CTurt] | ||
==Network games== | == Network games == | ||
This is perfect for Slim PS2 and people which can not move files to the MC | It is possible to exploit network-capable games, to inject codes. This is perfect for Slim PS2 and people which can not move files to the MC. | ||
TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap | TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap. TnA got the basic idea from some discoveries someone else mentioned. | ||
The problem is to either inject it elsewhere, or find a way to run it | The problem is to either inject it elsewhere, or find a way to run it. | ||
==PS1 Savedata exploits== | == PS1 Savedata exploits == | ||
The existing FreePSXBoot exploit chain does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different. | The existing FreePSXBoot exploit chain for PS1 does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different. | ||
In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072 | In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072 | ||
Line 141: | Line 157: | ||
See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities]. | See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities]. | ||
===BOOT.ELF (Fat consoles only)=== | === BOOT.ELF (Fat PS2 consoles only) === | ||
[https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)] | [https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)] | ||
Line 153: | Line 170: | ||
!Vulnerability | !Vulnerability | ||
!Description | !Description | ||
! | !Patched | ||
!Date of discovery | !Date of discovery | ||
!Discovered by | !Discovered/exploited by | ||
|- | |- | ||
|Carol Vorderman's Sudoku | |Carol Vorderman's Sudoku | ||
Line 161: | Line 178: | ||
|The save data file stores plaintext profile and high-score names. One can use a large string to overwrite the stack and jump to unsigned code. | |The save data file stores plaintext profile and high-score names. One can use a large string to overwrite the stack and jump to unsigned code. | ||
This vulnerability is also present in the PSP version of the game. See the [https://github.com/ChampionLeake/SudokuSTACK PSP exploit]. | This vulnerability is also present in the PSP version of the game. See the [https://github.com/ChampionLeake/SudokuSTACK PSP exploit]. | ||
| | |No | ||
|December 2021 (2011-01-06 for PSP) | |December 2021 (2011-01-06 for PSP) | ||
|ChampionLeake for PS2, Jeerum for PSP | |ChampionLeake for PS2, Jeerum for PSP | ||
|- | |||
|OKAGE: Shadow King | |||
|Stack Buffer Overflow via unchecked "Player/Town" name length | |||
|Successfully exploit through mast1c0re for the PS4/PS5. | |||
CTurt's Writeup: [https://cturt.github.io/mast1c0re.html Here] | |||
McCaulay's Writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here] | |||
|No | |||
|September 14th, 2022 | |||
|CTurt & McCaulay | |||
|- | |- | ||
|Star Wars Racer Revenge | |Star Wars Racer Revenge | ||
|Stack-Smash via unchecked "Record Name" length | |Stack-Smash via unchecked "Record Name" length | ||
|The game allows players to record their names when breaking lap records on a course. However when displaying the Hall of Fame, the size of the names are not checked. Using a very large name can overwrite addresses on the stack and gain control of $ra, which can be used to jump to unsigned code. | |The game allows players to record their names when breaking lap records on a course. However when displaying the Hall of Fame, the size of the names are not checked. Using a very large name can overwrite addresses on the stack and gain control of $ra, which can be used to jump to unsigned code. | ||
| | |No | ||
|August 2023 | |August 2023 | ||
|ChampionLeake | |ChampionLeake | ||
|- | |- | ||
| | |GTA III and GTA Vice City Stories | ||
|Stack Buffer | |Stack Buffer Overflow via unchecked savedata size | ||
| | |The game does a copy from the memory card into a fixed-size buffer with size supplied by the save data file. | ||
[https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 Bug in GTA III] | |||
[https://github.com/halpz/re3/blob/37e9ec0d19cbd3cd25823089380fcdae558bee0b/src/save/MemoryCard.cpp#L363 Bug in GTA VCS] | |||
| | [https://cturt.github.io/mast1c0re.html CTurt's writeup] | ||
|September | |Maybe in PSP version of GTA VCS and in GTA LCS PSP | ||
| | |June 27th, 2020 | ||
|re3 decompilation project then CTurt | |||
|- | |||
|Jak X: Combat Racing (PAL and NTSC, PAL has more symbols) | |||
|Custom code injection via patch.bin file | |||
|By injecting a file named patch.bin in the savedata folder, this file gets loaded and executed by the game. | |||
|Maybe in Greatest Hits/Platinum release | |||
|September 26th, 2024 | |||
|CelesteBlue | |||
|} | |} | ||
=== Confirmed vulnerable games === | === Confirmed vulnerable games === | ||
==== Carol Vorderman's Sudoku ==== | |||
TODO | |||
==== OKAGE: Shadow King ==== | ==== OKAGE: Shadow King ==== | ||
Line 207: | Line 245: | ||
===== Save data format ===== | ===== Save data format ===== | ||
* The save data has no digest nor any kind of security. | * The save data has no digest nor any kind of security. | ||
* The records pages data are stored as follows: | * The records pages data are stored as follows: each track has its own page. Each page contains three categories of records: best total time, best lap time and best KO's count. For each category of record, the three best records are stored as three signed int (4 bytes) for the time/most KO's count, followed by three 21-byte string for the player's name, which must be null-terminated as they are each copied using an unsafe strcpy function. | ||
<source lang="C"> | |||
typedef struct track_record_struct { // size is 0xEA bytes | |||
int best_total_time[3]; | |||
char best_total_time_player[3][22]; | |||
int best_lap_time[3]; | |||
char best_lap_time_player[3][22]; | |||
int best_kos_count[3]; | |||
char best_kos_count_player[3][22]; | |||
} track_record_struct; | |||
typedef struct player_data_struct { // size is 0xD64 bytes | |||
track_record_struct track_record[13]; // 0xBE2 bytes, default value is fake records by NPC | |||
uint8_t unk_0xBE2[0x96]; // probably unused | |||
char player_name[0x2C]; // player name displayed with a 10 chars-limited keyboard when making a new track record, default value is "PLAYER 1" | |||
uint8_t flags[0xC0]; // probably cheat codes enable status | |||
} player_data_struct; | |||
typedef struct BESLES_50366 { // size is 0xF508 bytes | |||
uint32_t magic; // must be 7 | |||
uint32_t unk_4; // ex: 0x1712 | |||
uint8_t game_data[0xE79C]; // contains strings (maybe filenames) about "songs", at BESLES_50366+0x4A is a bitflag | |||
player_data_struct player_data; // contains Hall of Fame records, player name and probably cheats status, loaded to 0x61b760 in pcsx2 but may depend on PS2 BIOS | |||
} BESLES_50366; | |||
/* | |||
"BESLES-50366.psu" content: | |||
- 62728 BESLES-50366 -> see BESLES_50366 structure | |||
- 964 icon.sys -> standard PS2 savedata information | |||
- 119000 NORMAL.ICO -> standard PS2 savedata icon | |||
*/ | |||
</source> | |||
===== Bug description ===== | ===== Bug description ===== | ||
Line 220: | Line 290: | ||
* latest valid $ra: 0x1E4048 | * latest valid $ra: 0x1E4048 | ||
* latest valid $pc: 0x1E4050 (jl ra) -> crash when executed so put breakpoint at 0x1E4050 | * latest valid $pc: 0x1E4050 (jl ra) -> crash when executed so put breakpoint at 0x1E4050 | ||
* current savedata payload: 256 | * $s0 to restore: ?0000000000FF1280? (to dump with valid savedata and bkpt at 1E4048) | ||
* $ra -> 5857565554535251 (bottom), 0000000000005A59 (top) | * $r0 to restore: ? (to dump with valid savedata and bkpt at 1E4048) | ||
* $s0 -> 4847005A59585756 (bottom), 504F4E4D4C4B4A49 (top) | * current savedata payload in PSU file: at offset 0xefb0 256 characters then <code>41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 00 00 00 00 00 00</code> | ||
* $sp: 01F7F790 | |||
* $ra read from $sp+0x10 -> 5857565554535251 (bottom), 0000000000005A59 (top) | |||
* $s0 read from $sp -> 4847005A59585756 (bottom), 504F4E4D4C4B4A49 (top) | |||
* It is guessed that at least 0xB7B bytes of the savedata can be overwritten with a MIPS shellcode without breaking the main menu. | * It is guessed that at least 0xB7B bytes of the savedata can be overwritten with a MIPS shellcode without breaking the main menu. | ||
* savedata string address: 0x61b76c in pcsx2 but | * savedata string address: 0x61b76c in pcsx2 but may depend on PS2 BIOS: | ||
<source lang="C"> | |||
PTR_DAT_00383100 = 0x4339a0; | |||
MAIN_CTX_OFF = 0x2dc; | |||
CTX_PLAYER_DATA_ADDR_OFF = 0x102f0; | |||
main_ctx = *(PTR_DAT_00383100 + MAIN_CTX_OFF) = *(0x4339a0 + 0x2dc) = *0x433c7c; // =(pcsx2)= 0x60b470; | |||
player_data_address = main_ctx + CTX_PLAYER_DATA_ADDR_OFF; // =(pcsx2)= 0x60b470 + 0x102f0 = 0x61B760; | |||
player_data_address = *0x00433C7C + 0x102f0; // in summary | |||
</source> | |||
===== Official cheat codes ===== | ===== Official cheat codes ===== | ||
Line 239: | Line 320: | ||
* When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page. | * When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page. | ||
==== GTA III ==== | ==== GTA III and GTA Vice City Stories ==== | ||
* [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability] | * [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability] | ||
The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata. | The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata. | ||
==== Jak X: Combat Racing ==== | |||
See also [https://jakanddaxter.fandom.com/wiki/Bugs Jak and Daxter games bugs on jakanddaxter.fandom.com]. | |||
===== Custom code injection via patch.bin file ===== | |||
The game savedata contains a file named patch.bin whose aim is to be loaded at address 0x00C00000 then executed. There is no protection except a CRC32 checksum (with 0xEDB88320 polynomial) and a sort of obfuscated (yet to be understood) format for the patch data. CelesteBlue's hypothesis are: | |||
* some simple but undocumented obfuscation (xor, byte swap, etc.) | |||
* some compression (LZO/miniLZO as in DGO/CGO files, ...) | |||
* some encryption (des/des_ede/desx/rc2/rc5/rc5_64/rc6/gencrypt algorithm with cbc/ecb/cbc_interleaved/cfb/cfb_pipelined/ofb/ofb_pipelined mode and nopad/pad/stream choice of padding) | |||
* some [[DNAS]] check by connecting to SCE remote servers | |||
The patch.bin file must contain a little-endian header of 16 bytes followed by patch data of arbitrary size. | |||
<source lang="C"> | |||
typedef struct jakx_patch_bin_hdr { // size is 0x10 bytes | |||
uint32_t magic; | |||
uint32_t digest; // crc32 of data | |||
uint32_t unk; // maybe unused | |||
uint32_t size; // equals patch.bin size minus header size | |||
} jakx_patch_bin_hdr; | |||
typedef struct jakx_patch_bin { // size is (0x10 + size) bytes | |||
jakx_patch_bin_hdr header; | |||
char data[size]; | |||
} jakx_patch_bin; | |||
</source> | |||
===== Corruption after game autosaving ===== | |||
There is a bug with the autosave feature in Jak X that corrupts save data on memory card. It was fixed in the Platinum / Greatest Hits versions of the game. | |||
https://gamefaqs.gamespot.com/boards/927166-jak-x-combat-racing/41999721 | |||
===== Infinite loop after game saving ===== | |||
There is a bug, at least in PCSX2, where when starting the game for the first time and creating a new profile, the game freezes on the memory card saving screen after saving data. The save data is however well written and on next tries the game can be played as the save is correctly loaded. | |||
The same bug can be triggered by going to the Profile settings and selecting "Save game". After saving, the game freezes as it enters an infinite loop (in R59000 at $pc address 0x81FC0 on PAL and NTSC Greatest Hits and in R3000 at $pc address 0xBE9C). CelesteBlue's hypothesis is that during the game initialization, the game open files from the memory card (for example patch.bin at address 0x00100884 on PAL), but closes the fd only if some condition are met, which by default are not as the patch.bin file is invalid. | |||
https://github.com/PCSX2/pcsx2/issues/6935 | |||
The NTSX Greatest Hits version of Jak X does not fix this problem. | |||
===== Strings overflow ===== | |||
Profile name is limited to 12 characters by keyboard. The game displays up to ?32? characters and the profile name can be extended by editing saveX-Y-0000000Z.bin in the PSU savedata file. Extending profile name does not create any buffer overflow. The strings in the center of the saveX-Y-0000000Z.bin file cannot be edited for an unknown reason, else the game loops infinitely on the save data loading screen. | |||
==== Dark Cloud 1 and 2 ==== | ==== Dark Cloud 1 and 2 ==== | ||
Line 263: | Line 392: | ||
Dark Cloud 2 uses a scripting engine described [https://tcrf.net/User:Kojin/Dark_Cloud_2_Technical_Information#Scripting_Engine here]. | Dark Cloud 2 uses a scripting engine described [https://tcrf.net/User:Kojin/Dark_Cloud_2_Technical_Information#Scripting_Engine here]. | ||
=== Possible vulnerable games === | |||
==== Soul Calibur III ==== | ==== Soul Calibur III ==== | ||
Line 278: | Line 409: | ||
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | ||
==== Metal Gear Solid 3: Subsistence ==== | ==== Metal Gear Solid 3: Subsistence ==== | ||
Line 314: | Line 431: | ||
==== All FIFA games ==== | ==== All FIFA games ==== | ||
FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara | FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara DARA by CTurt]. | ||
Moreover, a lot of Electronics Arts games are vulnerable on PSP. | Moreover, a lot of Electronics Arts games are vulnerable on PSP. |
Latest revision as of 00:09, 18 October 2024
See also [1]. (to wikify).
Hardware[edit | edit source]
Modchips[edit | edit source]
See Modchips.
CD/DVD Swap tricks[edit | edit source]
Swap Magic[edit | edit source]
Swap Magic is a specialized PlayStation 2 game disc used for tricking the console into reading non-retail or burned game discs, homebrew software, or games outside the console's region. The software has existed since at least mid-2003, with several different versions of the disc having been developed.
Swap Magic and its related mods, such as the Magic Switch and Swap Tool, which are used to allow the user to swap discs without the system being aware, are notable over other methods (such as a modchip) due to the fact that they do not void the PS2's warranty.
See Swap Magic.
Mechanics Controller[edit | edit source]
The MechaCon upon receiving power loads the ROM patches from its EEPROM.
Patches can be updated over the PMAP interface in test mode.
The performed security checks on it is three checksums over the DES-ECB encrypted data.
One can bruteforce this encryption key and apply their own patches.
Software[edit | edit source]
Software in ROM (Operating System)[edit | edit source]
PS1DRV[edit | edit source]
PS2 Independence[edit | edit source]
Released on 15-08-2003 by Marcus R. Brown <[email protected]>.
Homebrew programs can be launched directly from a Memory Card on unmodified consoles by using a certain software that takes advantage of a long known and used exploit, dealing with the boot part of the EE/IOP process (PS2 Independence exploit).
See PS2 Independence.
OSDSYS[edit | edit source]
FreeMCBoot[edit | edit source]
Released on 23-05-2008 by jimmikaelkael (with help from Neme). Maintained since 14-09-2011 by SP193.
FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence.
This also allows one the use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work.
It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that.
FreeHDBoot[edit | edit source]
The newest versions of Free McBoot, version 1.90 and newer, also have the ability to install and boot from both Sony and non-Sony HDDs when using a "fat" PS2 and network adapter. This support is called FreeHDBoot or FHDB. With a few minor issues, it is possible to launch a game entirely from the HDD, without needing to use the optical disc drive nor a physical memory card.
Fortuna[edit | edit source]
Released on 12-02-2019 by krat0s.
Fortuna is an homebrew launcher for most PS2 models. Every PS2 from 1.90 ROMVER 50k model (SCPH-18000) to the very last (up to the PS2 TV) can be exploited by scrolling to an MC-Icon and "back out" of the menu. This exploit has not been ported to the 10k and 15k models, it proved to be quite challenging to do so, probably related to the fact that these models do not have compressed OSDSYS programs. Different files are needed depending on the console version. Opentuna is an open source version of Fortuna.
Requirements[edit | edit source]
- A PS2 Memory Card
- A way to transfer files to the Memory Card (one time setup)
- Making sure the hacked icon is displayed first (OSDSYS icon order is based on date)
Bug description[edit | edit source]
Fortuna exploits a vulnerability on the RLE decompression routine used for memory card icon textures, allowing to copy raw executables to protected area on RAM, and achieving code execution when going back to main menu. Alex Párrado, creator of Opentuna, left a technical write-up on how it works.
TnA writes (see [2]) that Fortuna exploit is a bit similar to the following bug: "There seems to be either an issue in FMCB/FHDB's Payload, or the OSDSYS has a fault which can cause code-injection via text-strings which use opcodes or some instructions. I can get it to freeze, with some funky OSDSYS-Item-Names... I have not tested however if this also happens with some weird mc-save-name-strings (not the folder-name on MC, but the actual shown name in the OSDSYS), without FMCB... Why? The idea was a 'kick-start'-icon which has the weird name and starts an ELF from Memory Card. The only issue is that - if it works - it would be immediately triggered, once the name is parsed."
Oddities[edit | edit source]
Fortuna/Opentuna exploit fails if the console is rendering some Japanese characters, either from a save data file or by setting the console to Japanese language.
During late test stages of Opentuna, it was found that if the hack is triggered from the Browser 2.0, the console stops recognizing the memory card until the user shut it down completely.
When the OSDSYS parses the hacked icon, any save folder using built-in icons (e.g "your system configuration") will stop getting rendered, showing no icon 3D model, like the exploit icon.
DVDPL (DVD Player)[edit | edit source]
FreeDVDBoot[edit | edit source]
An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). It supports all PS2 slim consoles, including the ones that do not support FreeMCBoot.
ESR Vulnerability[edit | edit source]
Vulnerability to bypass PS2 disc reader anticopy protection system. Implemented by ffgriever in 2008.
Allows to run burnt CD/DVD of PS2 games on a PS2 without any modchip. It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR homebrew.
ESR does not itself yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or Simple Media System and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content.
To use ESR vulnerabilities, two operations are necessary:
- the burnt CD/DVD inserted in the PS2 must contain ESR-patched content. To patch that content, one can use ESR Disc patcher/unpatcher program by ffgriever.
- the PS2 must execute the ESR homebrew.
Analysis:
Implementations:
- ESR homebrew r10f by ffgriever
- ESR homebrew r10f source code by ffgriever
- ESR Disc patcher/unpatcher by bootsector
- ESR Disc patcher command line edition v0.2 source code by bootsector
- ESR Disc patcher/unpatcher JAVA edition v0.2.4 by bootsector
- ESR Disc patcher/unpatcher GUI for Windows v0.24a by bootsector
- ESR Disc patcher/unpatcher GUI for Windows source code by bootsector
- ESRPatcher Pro for Windows Release 07-16-2009 source code by insanity5000
Playstation 2 Linux RTE[edit | edit source]
Linux[edit | edit source]
To document
Games[edit | edit source]
Demo games[edit | edit source]
PS2 Yabasic Exploit[edit | edit source]
Released on 12-10-2019 by CTurt.
Network games[edit | edit source]
It is possible to exploit network-capable games, to inject codes. This is perfect for Slim PS2 and people which can not move files to the MC.
TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap. TnA got the basic idea from some discoveries someone else mentioned.
The problem is to either inject it elsewhere, or find a way to run it.
PS1 Savedata exploits[edit | edit source]
The existing FreePSXBoot exploit chain for PS1 does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different.
In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072
The code looks similar in 3.1.0 (last) mcman modules.
Briefly looking at it, it is possible to control where to write (basically positive 16 bit signed value), but not what value should be written (limited to 0-15).
So a straightforward port of the FreePSXBoot chain is not possible. For working on this exploit, it would need to have knowledge of the thread stack layout at mcserv and afterwards, and possibly mirrored memory.
See PS1 Dev Wiki Vulnerabilities.
BOOT.ELF (Fat PS2 consoles only)[edit | edit source]
There exists a vulnerability using a PS1 game as a 'boot' disc to load a modified savedata which in turn runs arbitrary code. This method allows for installation of homebrew such as FMCB. In order to utilize this vulnerability you would need a gameshark or similar cheat device to transfer the modded save over from USB and you also need a PC tool to make the savedata modifications and a USB pen drive to use as a medium to transfer the save data from PC>USB>MC. Once you place the modified PS1 game savedata onto a PS2 memory card, just load your boot disc, and voila.
PS2 Savedata exploits[edit | edit source]
Game/Application | Vulnerability | Description | Patched | Date of discovery | Discovered/exploited by |
---|---|---|---|---|---|
Carol Vorderman's Sudoku | Stack Buffer Overflow via unchecked string length | The save data file stores plaintext profile and high-score names. One can use a large string to overwrite the stack and jump to unsigned code.
This vulnerability is also present in the PSP version of the game. See the PSP exploit. |
No | December 2021 (2011-01-06 for PSP) | ChampionLeake for PS2, Jeerum for PSP |
OKAGE: Shadow King | Stack Buffer Overflow via unchecked "Player/Town" name length | Successfully exploit through mast1c0re for the PS4/PS5. | No | September 14th, 2022 | CTurt & McCaulay |
Star Wars Racer Revenge | Stack-Smash via unchecked "Record Name" length | The game allows players to record their names when breaking lap records on a course. However when displaying the Hall of Fame, the size of the names are not checked. Using a very large name can overwrite addresses on the stack and gain control of $ra, which can be used to jump to unsigned code. | No | August 2023 | ChampionLeake |
GTA III and GTA Vice City Stories | Stack Buffer Overflow via unchecked savedata size | The game does a copy from the memory card into a fixed-size buffer with size supplied by the save data file. | Maybe in PSP version of GTA VCS and in GTA LCS PSP | June 27th, 2020 | re3 decompilation project then CTurt |
Jak X: Combat Racing (PAL and NTSC, PAL has more symbols) | Custom code injection via patch.bin file | By injecting a file named patch.bin in the savedata folder, this file gets loaded and executed by the game. | Maybe in Greatest Hits/Platinum release | September 26th, 2024 | CelesteBlue |
Confirmed vulnerable games[edit | edit source]
Carol Vorderman's Sudoku[edit | edit source]
TODO
OKAGE: Shadow King[edit | edit source]
Credits[edit | edit source]
- CTurt for discovering these vulnerabilities in September 2021.
- CTurt for public disclosure on twitter (2022-09-14)
- flatz, balika011, theflow0, chicken(s), PlayStation for helping CTurt
- McCaulay for sharing publicly his implementation in February 2023.
Analysis[edit | edit source]
Bug Description[edit | edit source]
Okage Shadow King has a typical stack buffer overflow if you extend the player or town name in a savedata.
- The save data has a CRC digest.
Exploit Implementation[edit | edit source]
Star Wars Racer Revenge[edit | edit source]
Save data format[edit | edit source]
- The save data has no digest nor any kind of security.
- The records pages data are stored as follows: each track has its own page. Each page contains three categories of records: best total time, best lap time and best KO's count. For each category of record, the three best records are stored as three signed int (4 bytes) for the time/most KO's count, followed by three 21-byte string for the player's name, which must be null-terminated as they are each copied using an unsafe strcpy function.
typedef struct track_record_struct { // size is 0xEA bytes
int best_total_time[3];
char best_total_time_player[3][22];
int best_lap_time[3];
char best_lap_time_player[3][22];
int best_kos_count[3];
char best_kos_count_player[3][22];
} track_record_struct;
typedef struct player_data_struct { // size is 0xD64 bytes
track_record_struct track_record[13]; // 0xBE2 bytes, default value is fake records by NPC
uint8_t unk_0xBE2[0x96]; // probably unused
char player_name[0x2C]; // player name displayed with a 10 chars-limited keyboard when making a new track record, default value is "PLAYER 1"
uint8_t flags[0xC0]; // probably cheat codes enable status
} player_data_struct;
typedef struct BESLES_50366 { // size is 0xF508 bytes
uint32_t magic; // must be 7
uint32_t unk_4; // ex: 0x1712
uint8_t game_data[0xE79C]; // contains strings (maybe filenames) about "songs", at BESLES_50366+0x4A is a bitflag
player_data_struct player_data; // contains Hall of Fame records, player name and probably cheats status, loaded to 0x61b760 in pcsx2 but may depend on PS2 BIOS
} BESLES_50366;
/*
"BESLES-50366.psu" content:
- 62728 BESLES-50366 -> see BESLES_50366 structure
- 964 icon.sys -> standard PS2 savedata information
- 119000 NORMAL.ICO -> standard PS2 savedata icon
*/
Bug description[edit | edit source]
Star Wars Racer Revenge has a typical stack buffer overflow if you extend a player name in a savedata.
- To trigger the exploit, in the main menu, go to Options then Hall of Fame. The Hall of Fame will trigger the exploit when you go to the page where the player name was extended in save data to more than 256 characters as the code copies from save data the best players' names without checking length.
- Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled
- Player name is registered in save data the first time that you make a new record but it seems not used at all.
- Player name max length displayed in the record page: 21 characters as it is done a sort of "memcpy(src, dst, 21)" in a 22-byte null buffer.
- 9 player names are displayed on each Hall of Fame page, stored temporarily in memory respectively at addresses: 0xF98B20, 0xFADB60, 0xFB29D0, 0xFB4E00, 0xFB7210, 0xFB9640, 0xFBBA50, 0xFBDE80, 0xCCE320
- buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte)
- latest valid $ra where pcsx2 debugger can go to quickly, then need to go by small step: 0x140D2C
- latest valid $ra: 0x1E4048
- latest valid $pc: 0x1E4050 (jl ra) -> crash when executed so put breakpoint at 0x1E4050
- $s0 to restore: ?0000000000FF1280? (to dump with valid savedata and bkpt at 1E4048)
- $r0 to restore: ? (to dump with valid savedata and bkpt at 1E4048)
- current savedata payload in PSU file: at offset 0xefb0 256 characters then
41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 00 00 00 00 00 00
- $sp: 01F7F790
- $ra read from $sp+0x10 -> 5857565554535251 (bottom), 0000000000005A59 (top)
- $s0 read from $sp -> 4847005A59585756 (bottom), 504F4E4D4C4B4A49 (top)
- It is guessed that at least 0xB7B bytes of the savedata can be overwritten with a MIPS shellcode without breaking the main menu.
- savedata string address: 0x61b76c in pcsx2 but may depend on PS2 BIOS:
PTR_DAT_00383100 = 0x4339a0;
MAIN_CTX_OFF = 0x2dc;
CTX_PLAYER_DATA_ADDR_OFF = 0x102f0;
main_ctx = *(PTR_DAT_00383100 + MAIN_CTX_OFF) = *(0x4339a0 + 0x2dc) = *0x433c7c; // =(pcsx2)= 0x60b470;
player_data_address = main_ctx + CTX_PLAYER_DATA_ADDR_OFF; // =(pcsx2)= 0x60b470 + 0x102f0 = 0x61B760;
player_data_address = *0x00433C7C + 0x102f0; // in summary
Official cheat codes[edit | edit source]
- It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu.
- To enable cheat codes, it is often forgotten in guides that you have to make a new record, then type "NO TIME" as player name. This has to be done only once as it is stored in save data. Then at the main menu, hold R1, R2, L1 and L2 while you press successively the following cheat combos. The cheats remain in save data but some can be disabled at wish. The following cheat codes were found by looking at the debug strings of the binary files:
- No Player Damage Cheat ON/OFF: uuddlrlrscsc ON/OFF -> up, up, down, down, left, right, left, right, square, circle, square, circle
- (NOT CONFIRMED) No Player Overheat Cheat ON/OFF: balrefsc -> ?ba?, left, right, ?ef?, square, circle.
- Hard Mode Cheat ON/OFF: simply triangle, not too late.
- One Hit Kills Cheat ON/OFF: ssssxctsxxxxctsxcccctsxcttttsxct
- All Tracks Unlocked!: rlrlcscs -> right, left, right, left, circle, square, circle, square.
- All Podracers Unlocked!: uldtsxurdtcxuldtcxurdtsx -> up, left, down, triangle, square, x, up, right, ...
- All Podracers' Stats Maxed Out!: uuxxddttllccrrss -> up, up, x, x, down, down, triangle, triangle, left, left, circle, circle, right, right, square, square.
- All Art Galleries Unlocked!: main combo then rslcdxut -> right, square, left, circle, down, x, up, triangle.
- When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page.
GTA III and GTA Vice City Stories[edit | edit source]
The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata.
Jak X: Combat Racing[edit | edit source]
See also Jak and Daxter games bugs on jakanddaxter.fandom.com.
Custom code injection via patch.bin file[edit | edit source]
The game savedata contains a file named patch.bin whose aim is to be loaded at address 0x00C00000 then executed. There is no protection except a CRC32 checksum (with 0xEDB88320 polynomial) and a sort of obfuscated (yet to be understood) format for the patch data. CelesteBlue's hypothesis are:
- some simple but undocumented obfuscation (xor, byte swap, etc.)
- some compression (LZO/miniLZO as in DGO/CGO files, ...)
- some encryption (des/des_ede/desx/rc2/rc5/rc5_64/rc6/gencrypt algorithm with cbc/ecb/cbc_interleaved/cfb/cfb_pipelined/ofb/ofb_pipelined mode and nopad/pad/stream choice of padding)
- some DNAS check by connecting to SCE remote servers
The patch.bin file must contain a little-endian header of 16 bytes followed by patch data of arbitrary size.
typedef struct jakx_patch_bin_hdr { // size is 0x10 bytes
uint32_t magic;
uint32_t digest; // crc32 of data
uint32_t unk; // maybe unused
uint32_t size; // equals patch.bin size minus header size
} jakx_patch_bin_hdr;
typedef struct jakx_patch_bin { // size is (0x10 + size) bytes
jakx_patch_bin_hdr header;
char data[size];
} jakx_patch_bin;
Corruption after game autosaving[edit | edit source]
There is a bug with the autosave feature in Jak X that corrupts save data on memory card. It was fixed in the Platinum / Greatest Hits versions of the game.
https://gamefaqs.gamespot.com/boards/927166-jak-x-combat-racing/41999721
Infinite loop after game saving[edit | edit source]
There is a bug, at least in PCSX2, where when starting the game for the first time and creating a new profile, the game freezes on the memory card saving screen after saving data. The save data is however well written and on next tries the game can be played as the save is correctly loaded.
The same bug can be triggered by going to the Profile settings and selecting "Save game". After saving, the game freezes as it enters an infinite loop (in R59000 at $pc address 0x81FC0 on PAL and NTSC Greatest Hits and in R3000 at $pc address 0xBE9C). CelesteBlue's hypothesis is that during the game initialization, the game open files from the memory card (for example patch.bin at address 0x00100884 on PAL), but closes the fd only if some condition are met, which by default are not as the patch.bin file is invalid.
https://github.com/PCSX2/pcsx2/issues/6935
The NTSX Greatest Hits version of Jak X does not fix this problem.
Strings overflow[edit | edit source]
Profile name is limited to 12 characters by keyboard. The game displays up to ?32? characters and the profile name can be extended by editing saveX-Y-0000000Z.bin in the PSU savedata file. Extending profile name does not create any buffer overflow. The strings in the center of the saveX-Y-0000000Z.bin file cannot be edited for an unknown reason, else the game loops infinitely on the save data loading screen.
Dark Cloud 1 and 2[edit | edit source]
- videos of bug triggering
- video of freeze in Dark Cloud 1
- money/stats glitch in Dark Cloud 1
- full demonstration video of glitch in Dark Cloud 1
- complete video explaining how integer overflow works and how to enable debug menu in Dark Cloud 2
- Fastest way to enable debug menu in Dark Cloud 2 NTSC on PS5
- Slow way to enable debug menu in Dark Cloud 2 NTSC
- debug menu showcase in Dark Cloud 2
Moving the cursor and pressing X on the same frame in the items menu allows us to pick up an item from out-of-bounds memory, which results in an exploitable behaviour. This integer overflow leads to infinite money, statistics, duplicate items, enable debug menu (in Dark Cloud 2), or to game freeze according to the context. However, even in case of game freeze, from an exploitation point of view, this integer overflow may not be controllable enough to specify a specific address to jump to.
The overflow bug can be removed by simply changing one byte in the game's binary file.
The debug menu in Dark Cloud 2 might be vulnerable to $ra overwrite. The debug menu features are detailed here.
Dark Cloud 2 uses a scripting engine described here.
Possible vulnerable games[edit | edit source]
Soul Calibur III[edit | edit source]
overflow on real PS2
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 https://gamefaqs.gamespot.com/ps2/927089-soulcalibur-iii/faqs/40424 https://gamefaqs.gamespot.com/boards/927089-soulcalibur-iii/24774951 https://www.reddit.com/r/SoulCalibur/comments/uqiff7/is_the_soulcalibur_iii_save_corruption_glitch/
Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc[edit | edit source]
overflow on real PS2
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3
Metal Gear Solid 3: Subsistence[edit | edit source]
There is bug with the PCSX2 emulator and MGS3: Subsistence that causes save files to become corrupt. While the exact cause of this issue is unknown, anyone using the PCSX2 emulaor with the saves below should wait a few seconds after accessing the memory to save the game and use the US BIOS. This seems to greatly reduce the likelihood of the bug corrupting the file. Also, do not save MGS3 on a memory card file that has a lot of other saves, because the bug corrupts the entire memory card.
https://retromaggedon.com/index.php/metal-gear-solid-3-subsistence-save-files-ps2/
World War Zero Iron Storm[edit | edit source]
It can crash and delete the save or something.
4x4 Evolution[edit | edit source]
Additional: Game will also create a 30kb corruption on your memory card, seemingly at random, though it is deletable.
Mafia - NTSC version[edit | edit source]
1. I had to redo one mission. A car chase hit-job ended with the mark dying in a car accident (fail). 2. I had to restart the game. The game-save between chapters seemed to stop responding, so I turned it off. This corrupted the save file.
All FIFA games[edit | edit source]
FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See DARA by CTurt.
Moreover, a lot of Electronics Arts games are vulnerable on PSP.
Psychonauts[edit | edit source]
Psychonauts is maybe vulnerable to string overflow although it seems very secure as for now by using fixed-length copy functions:
- Profile name is not vulnerable. It is limited to 8 characters by keyboard and to 10 characters in display.
- Level name is not vulnerable: the game displays a maximum of 127 characters as the level name is memcpied to a 128-byte null-terminated buffer.
- Profile* file must be exactly 64-byte long.
- SavedGame* file must be exactly 245760-byte long.
- The only important information stored in the Profile* file is the profile name as the remaining data can be overwritten.
- SavedGame* file format is "\n"-separated with also bars (|) separators. On each line is a setting. Each setting is made of between 1 and three parts separated by bars. Table|<name>|<value>. The name part is mandatory.
- There is a digest check on psu-embedded files as the game says that the "profile is damaged" when the savedata is edited without precaution. Using pypsu by McCaulay, one can extract files contained in the psu, but there are even more digests as any SavedGame* file is detected as "Damaged Save Game" after editing it too much. The SavedGame* files start with a 16-byte MD5 hash of the following data.
Lego games[edit | edit source]
LEGO Star Wars II: The Original Trilogy and LEGO Indiana Jones: The Original Adventures use a custom checksum:
- Offset: FileSize - 4
- Calc. Start: 0
- Calc. Length: FileSize - 4
private int CalculateChecksum(byte[] data) {
using (var xIO = new MasterIO(data, Endian.Big)) {
int count = (data.Length / 4) - 1;
int sum = 0x5C0999;
for (int i = 0; i < count; ++i)
sum += xIO.Reader.ReadInt32();
return sum;
}
}
LEGO Star Wars may use the same checksum or no checksum at all. LEGO Batman: The Videogame may use the same checksum or the newer checksum:
- Offset: 12
- Calc. Start: 16
- Calc. Length: Filesize - 16
private int CalculateChecksum(byte[] data, int offset, int size) {
int sum = -1;
for (int i = 0; i < size; ++i) {
sum *= 0x1000193;
sum ^= data[offset++];
}
return ~sum;
}
List of other games[edit | edit source]
See a list of almost all PS2 games. Some may be vulnerable.