PS2 Exploit-List

Discussion in 'General PS2 Discussion' started by TnA, Oct 15, 2019.

  1. TnA (Senior Member; joined Jul 1, 2018; location: Germany --> Saxony)

    I can't find a thread which lists all known (and possibly unknown) Exploits and vulnerabilities that can be used for arbitrary code-execution (a.k.a. loading apps) or some other things, so I will go ahead and list them all (hopefully) here.


    Swap-methods:
    • Swap-Magic or a Cheat-Disc
    • Game-swap-trick; replacing a secondary ELF on the disc-image
    • (Double-)Time-swap; exchange the main-ELF and swap multiple times during disc-boot
    • Single-swap at boot-stage for some discs like the DVD-Player-Update-Discs (AFAIK for CDs only)
    • etc.

    Exploits:
    • FMCB
    • FHDB (can be written via a PC as well)
    • Directly booting Homebrew from HDD (can be written via a PC as well)
    • DVD-Player Update-Exploit (essentially the same vulnerability as FMCB, just another path for the KELF + additional files for the ID/VER, and it will only start on insertion of a Video-DVD).
    • PS1-Exploit/'Independence Exploit'; files can be moved to MC via Cheat-tools, but only works on FAT PS2s
    • Xmas-Exploit for Action Replay; causes AR to 'cheat itself' to boot an ELF from USB
    • YaBasic Exploit; typing the Exploit&Payload once, saving it as a program and executing it via an original Demo-Disc which includes YaBasic
    • Starting ELFs via original Linux-RTE/Disc
    • PS2-MC2USB-Adapter to either install the PS1-Exploit (non-original adapter) or FMCB (Sony's adapter)
    • Starting an app via a game-Loader like HD-Loader or USB-Advance
    • Starting an app via MC, USB or specially crafted CDs (a kind of UMCDR) via commercial but non-licensed discs, like SM-Coder, AR Max, etc.
    • Special MemoryCards like Memor32 or MaxMemory 64 PLUS
    • DVD-Player 1.00-Issue
    • etc.

    What's more?:

    1. DECKARD-Models seem to have an incomplete USB-Update-System.


    2. There seems to be either an issue in FMCB/FHDB's Payload, or the OSDSYS has a fault which can cause code-injection via text-strings which use opcodes or some instructions.

    I can get it to freeze with some funky OSDSYS-Item-Names... I haven't tested, however, whether this also happens with some weird mc-save-name-strings (not the folder-name on the MC, but the actual name shown in the OSDSYS), without FMCB...

    Why? The idea was a 'kick-start'-icon which has the weird name and starts an ELF from MC. The only issue is that - if it works - it would be triggered immediately, once the name is parsed.


    3. There is another vulnerability, which in itself does not yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or SMS and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content.


    I know that some of them are not actually 'Exploits' in a literal technical sense, but only in 'User-Jargon' and are actually 'entry-points'.

    The list is by no means complete yet and I will add more 'entry-points' later + make it visually more appealing + link to some threads.


    If I have forgotten anything, please mention it/them.
     
    Last edited: Oct 15, 2019
  2. TnA (Senior Member; joined Jul 1, 2018; location: Germany --> Saxony)

    It seems the Vulnerability mentioned here:

    (...and in some other places...)

    ...has been EXPLOITED by @krat0s!

    https://www.ps2-home.com/forum/viewtopic.php?f=107&t=8542


    That means EVERY PS2 including the TV can be exploited by scrolling to an MC-Icon and "back out" of the menu!


    I am not entirely sure as of right now, if he uses that exact vulnerability or a variation thereof, or an entirely different vulnerability which allows code-injection and -execution in a similar way, though!


    @sp193: Well... It can be exploited as it seems. A while ago you told me in a PM that various people searched for a Vulnerability/Exploit there and did not get it to work...

    Fortunately, the concept does work!


    I haven't looked at its files as of right now, but the coincidence of it being so similar is quite striking! :D
    Edit: Tried it! It seems to be remarkably similar!

    THX to @krat0s for the hard work! That's sooo freakin' cool! A dream comes true for me! :)
     
    Last edited: Dec 3, 2019