PS2 FINALLY! ALL PS2s (incl. TV) HACKABLE! ANOTHER DISCLESS EXPLOIT!

Discussion in 'PS2 Homebrew' started by TnA, Dec 3, 2019.

  1. TnA (Senior Member)
    @krat0s over at Ps2-home.com released an Exploit which (theoretically) can be used ON EVERY PS2-Model 'out there'/available, regardless of region, model, version, slim, fat, 'what have you'(?)!!!

    I repeat: ALL PS2 ARE HACKABLE DISCLESS AND ONLY WITH A FILE/SAVE ON MC!

    In that sense, it is quite similar to FMCB, but has 2 main-differences:
    • It doesn't automatically boot from MC, but must be "triggered" manually by "surfing" onto the MC, letting it load 2-3 icons and then exiting out again!
    • It works on every model the "Save" (the embedded Payload) is adapted to (due to patching different offsets in different BOOT-ROMs, I suppose)
    ...and of course it doesn't have all the bells and whistles the FMCB-Payload has, but the embedded Payload can also just start FMCB on the newer BOOT-ROMs if made to do so.


    The name is "(PS2) Fortuna [Project]" (I added the brackets to the name here! I think PS2 Fortuna, Fortuna Project or the whole name or just Fortuna is fine, but I rather let krat0s clarify that!)

    The current 'save' (embedded Payload) is ONLY compatible with BOOT-ROM 2.20 and up (all Slims and the TV)!

    Source:
    https://www.ps2-home.com/forum/viewtopic.php?f=107&t=8542


    Edit: Can someone please test and cross-verify it, BEFORE it becomes headline-news?! :)


    Edit 2: @krat0s: I see you wrote me a message over at Ps2-home.com (and then deleted it?). I'm sorry I did not see it before it was deleted and I can't reply on Ps2-home.com, because I am on moderation-status...

    Anyway...

    An impressive work you've done there @krat0s!
    If it is the text/parsing-vuln, even better! You really got that "sucker" exploited!
    Finally all PS2s exploited and discless! A dream comes true! :)


    Edit 3: I tried it! Can't get much easier!
    For those who want to use it as an FMCB-Kickstart-ELF on SCPH-900XX and the PS(2) TV, just replace the BOOT.ELF with @HWNJ's OSDSYS-Launcher!


    • What are the requirements?
      • A PS2 Memory Card
      • A way to transfer files to the Memory Card (one time setup)

      1. Download the package (FORTUNA.zip).
         Currently this exploit works only on SLIM (all of them), starting all the way from SCPH-700x and up to PS2 TV.
         If you have a FAT PS2, for now you have to wait...

      2. On your PS2 go to System Configuration and set the date to a year like 2050 or so.

         Q: Why do I have to set the date first before installing?
         A: The file must be the first file on the memory card (MC) when you see the PS2 Browser menu. The first file is the save file which has been written to last. If you don't do the clock trick, then when saving games the icon will no longer be the first one in the PS2 Browser menu.

      3. Extract the contents of the package and copy the entire FORTUNA folder to the ROOT (mc0:/) of your memory card.

      4. On your PS2 go to System Configuration and set the date to the correct date.

      5. Turn your PS2 off and on again.

      6. Go to the PS2 Browser menu (the PS2 default browser where you see all your game saves on your memory cards).

      7. Select the memory card (MC) you have copied the file to -- preferably mc0: (SLOT 1) for now.

      8. Let it load ONLY 2-3 icons and then hit back right away. Do not allow it to overpopulate the list.

      9. You will notice a memory card (MC) icon is missing.

      10. Go back one more time; this time mc0:/FORTUNA/BOOT.ELF will execute, which in fact is the latest uLaunchELF (uLE). From there you can do what you want, like load homebrew APPS etc.

      11. Now once everything has been installed, repeat steps 6 to 10.

      Additionally for this exploit VTSTech made this launcher:
      https://www.psx-place.com/threads/fortuna-launcher-by-vtstech-boot-elf-replacement.27254/

    Last edited by a moderator: Dec 7, 2019 at 8:53 AM
  2. Berion (Developer)
    No need for date changing. I repacked it to *.psu with 2050 year. ;)

    Didn't test if it works because I have one of the fat models, but, well, it should if this exploit is real.
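The clock trick in step 2 of the first post and Berion's repack "with 2050 year" do the same job: the Browser orders saves by the modification timestamp stored in each entry's header, so a save stamped far in the future stays first. As an added example (my own code, not from the thread or the Fortuna project), the script below parses a PSU-style save container, lists its entries and rewrites those timestamps; it assumes the entry layout mymc exports (512-byte headers, 8-byte timestamps, file data padded to 1024 bytes) and builds a constructed dummy save, not the real one.

```python
import struct
from dataclasses import dataclass

ENTRY_SIZE = 512        # one directory-entry header in the container
CLUSTER = 1024          # file payloads are padded to the PS2 card cluster size
MODE_DIR = 0x8427       # mode bits mymc writes for a directory entry
MODE_FILE = 0x8497      # mode bits mymc writes for a regular file entry

def pack_time(year, month, day, hour=0, minute=0, second=0):
    """PS2 card timestamp: pad byte, sec, min, hour, day, month, year as u16 LE."""
    return struct.pack("<BBBBBBH", 0, second, minute, hour, day, month, year)

def unpack_time(raw):
    _, sec, mn, hr, day, mon, year = struct.unpack("<BBBBBBH", raw)
    return (year, mon, day, hr, mn, sec)

@dataclass
class Entry:
    offset: int       # byte offset of this header inside the container
    mode: int
    length: int       # payload size for a file, child count for a directory
    created: tuple
    modified: tuple
    name: str

def parse_psu(blob):
    """Walk the container: a 512-byte header per entry, files followed by padded data."""
    entries, pos = [], 0
    while pos + ENTRY_SIZE <= len(blob):
        hdr = blob[pos:pos + ENTRY_SIZE]
        mode, length = struct.unpack_from("<HxxL", hdr, 0)
        name = hdr[0x40:0x60].split(b"\0", 1)[0].decode("ascii", "replace")
        entries.append(Entry(pos, mode, length, unpack_time(hdr[8:16]),
                             unpack_time(hdr[0x18:0x20]), name))
        pos += ENTRY_SIZE
        if mode & 0x10:   # DF_FILE bit set: skip the payload, rounded up to a cluster
            pos += (length + CLUSTER - 1) // CLUSTER * CLUSTER
    return entries

def make_header(mode, length, name, ts):
    hdr = bytearray(ENTRY_SIZE)
    struct.pack_into("<HxxL", hdr, 0, mode, length)
    hdr[8:16] = ts                      # created
    hdr[0x18:0x20] = ts                 # modified (what the Browser sorts on)
    hdr[0x40:0x40 + len(name)] = name.encode("ascii")
    return bytes(hdr)

def build_psu(folder, files, ts):
    """Constructed sample container (mymc layout); dummy bytes, not the Fortuna save."""
    out = make_header(MODE_DIR, 2 + len(files), folder, ts)
    out += make_header(MODE_DIR, 0, ".", ts) + make_header(MODE_DIR, 0, "..", ts)
    for name, data in files:
        out += make_header(MODE_FILE, len(data), name, ts)
        out += data + b"\0" * ((-len(data)) % CLUSTER)
    return out

def restamp(blob, year, month=1, day=1):
    """Rewrite every created/modified field: the repack alternative to the clock trick."""
    ts = pack_time(year, month, day)
    out = bytearray(blob)
    for e in parse_psu(blob):
        out[e.offset + 8:e.offset + 16] = ts
        out[e.offset + 0x18:e.offset + 0x20] = ts
    return bytes(out)

def browser_order(saves):
    """The Browser lists the most recently written save first."""
    return sorted(saves, key=lambda e: e.modified, reverse=True)

if __name__ == "__main__":
    sample = build_psu("FORTUNA", [("BOOT.ELF", b"\x7fELF" + b"\0" * 100)], pack_time(2019, 12, 3))
    for e in parse_psu(restamp(sample, 2050)):
        print(e.name, hex(e.mode), e.length, e.modified)
```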

  3. TnA (Senior Member)
    THX! Yes, @krat0s has the skill to pull it off IMO.

    I couldn't test it as of right now, but I will give it a shot later on.


    THX for attaching it @Berion!
    I couldn't upload it (due to extremely limited bandwidth right now) and I wasn't quite certain if krat0s is fine with it, or if he prefers linking to the thread on Ps2-home.com! ;)
  4. Berion (Developer)
    I'm extremely curious how it works. That stuff is somehow exploiting the icon parser, but how? Very interesting and... a killing blow to the Yabasic exploit. ;(
  5. TnA (Senior Member)
    Naaah, YaBasic is still useful, because it needs no files to be copied, but definitely quite a blow for a YaSP! :)
    We basically only need a Payload which loads an ELF from USB, or copies a Save from USB to MC (with the correct timestamp) now...


    Regarding how it works:
    I SUPPOSE it uses the text-parsing-vulnerability to exit the parsing-function via an opcode or specific return-value, and since his follow-up-code for initiating the Payload probably is VERY short, I suppose he either patches the offset to jump to on "backing out", or directly calls a syscall, or patches a register...

    I think he patches the offset the "back out" function maps (is linked) to, and the new offset is in a location within the range of the icon-file... Thus the icon needs to be in first position, to be able to predict the offset to point to... ;)
    This would also need different Payloads depending on the BOOT-ROM-Version (due to offsets being different).

    He might need to manually load parts of the Payload to RAM, or maybe it also works due to the OSDSYS loading it to RAM (I mean the function which actually places the icon & payload in RAM. Manual loading might be needed, due to how the OSDSYS backs out and possibly unloads the icon then.).


    BUT! I am not yet even certain IF he used that vulnerability! It certainly seems strikingly similar, but I never got it to load an ELF! His progress on this is quite a lot and quite fast!

    Last edited: Dec 3, 2019
  6. TnA (Senior Member)
    I have to say one thing: A small test-Payload is (should be) possible with this vulnerability, which is a bit pesky and only if you want to annoy someone... (+ it is even simpler than starting an ELF I think)

    I know for a fact, that it can be used to "freeze" any PS2, once the parsing-vulnerability is triggered!

    It SHOULD also be possible to link to the button, which backs out... A kind of similar "flexing" is possible, but like I said I never tried it with the icons, but OSDSYS-Items... :-|

    You want to delete your Save? Freeze or Auto-Backout!
    Nananananaaanaaaa! :D

    What would you call that? MC-Blocker?
    ...and it can technically spread like a Virus/Worm (when entering the MC, it could copy itself off to the other MC) and it can also "flex" to the OSDSYS's internal format-function for MCs!!! :eek:


    So,... I am just waiting for:
    • MC Block
    • "McRanzom" (Ransomware keeping MC-Saves) and
    • McWorm (self-replicating Exploit/Save)
    • ...and I wonder when Sony drops "McJuggle" or whatever, which selectively deletes anything regarding modding!
    • etc.
    ...to appear!

    Where the heck is my "McRanzom" or "McWorm"?!? Lol! :D
    Just kidding, but possible!
    ...

    Last edited: Dec 3, 2019
  7. TnA (Senior Member)
    I added various things to my previous reply! Sorry for these MULTIPLE edits and posts!

    This last post can be edited, but I think it is important to notice these things!


    So, I am just saying it... Evil villain that I am, lol!
    A Console-Virus/Worm/Ransomware/etc. IS possible via this vulnerability!
    Well, it won't do a lot of harm, but better safe than sorry or not? ;)


    Just listing what is needed for the "McRanz-Worm":
    • the vulnerability
    • code to copy off the file
    • code to automatically return to the previous menu
    • possibly some extra-code with kernel-patches, to block games from accessing the Saves!
    • etc.

    That's quite a perfect case-study!
    It is:
    • a Console (thus it is not meant to start any custom code or to be vulnerable to such things)
    • which has no flashable parts
    • and the most widespread hardware on earth
    • etc.
    Btw.: Regarding the name... "Ranz" (noun) = the stuff around old butter; "ranzig" (adjective) can be used as a synonym for "disgusting"! So this would be the "disgusting worm burger"! :D
    It is derived from "MemoryCard Ransomware Worm"!

    The idea is, to let the Exploit/Save copy itself to another MC with the highest possible date as a time-stamp and then kick you back out of the MC-Menu + possibly patch the Kernel-RAM to keep games from accessing the saves!

    The only way to safely remove it without formatting the MC or losing the saves? Get homebrew and delete it via wLE (etc.)! :D

    Last edited: Dec 3, 2019
  8. TnA (Senior Member)
    Merged into previous posts. Can you please delete this @STLcardsWS or someone else? Sorry for the inconvenience! :-/

    Oh! I tested it and it works fine on my SCPH-900XX R-Chassis DateCode 8B with BOOT-ROM 2.20 (I do not have the model which is incompatible with autobooting FMCB! Only that rare model! :D)!

    Definitely worth FRONT PAGE NEWS!

    Last edited: Dec 3, 2019
  9. neo88 (Member)
    And with this you no longer need to burn a boot disk? I ask because in my country you get many consoles with a damaged disc reader at very low prices. I have some PS2 games; I have made backups of those discs using my PS3 to emulate them, and some games have certain graphic errors and performance problems.
  10. TnA (Senior Member)
    Yes, it works with only a MemoryCard and the specifically crafted Save, just like FMCB!

    It only has to be manually launched and doesn't automatically boot!
    ...and you have to get it onto MC in some way, just like FMCB!
  11. dergamer1212 (Member)
    Thank you for creating this save data. I installed FMCB using an unsupported (for Windows) memory card adapter on my PS3 by creating a virtual MC, copying the VM2 file to PC, importing the save file via mymc, then copying it back to the PS3 and copying the Fortuna save to my physical MC.
  12. jolek (Senior Member)
    Which post do you want to merge?
    #1+#6+#7?
  13. TnA (Senior Member)
    Well, it is also o.k. the way it is!

    I tried to merge corresponding info per post though! ;)
  14. TheSeek (Forum Noob)
    Feel free to correct me if there's something I missed, but by the looks of it, it's not really a discless method.
    The first thing you need for this method is a way to copy the files onto your Memory Card, and to do that you need uLaunchELF.
    How do you launch uLaunchELF on a non-modded PS2? Either via the disc swap method with a modded disc with the ELF on it, or with something that can launch ELFs from a USB, like AR MAX, which... is a disc.
    The only other method that does not require a disc is using a modded PS2 that already has a way to launch uLaunchELF on its own (aka an FMCB modded one, cause even a chip modded PS2 needs a disc to launch uLaunchELF), but this is valid for installing FMCB as well.
    Or, using a Memor32 or a PS3 MMC Adapter, but then again, this is valid for FMCB as well.

    To recap, to use this new method you need either
    1. an already FMCB modded PS2 to use uLaunchElf to copy the files(discless, but needs FMCB)
    2. a PS2 capable of running modded discs or AR MAX like discs to use uLaunchElf to copy the files(not discless)
    3. a Memor32 or PS3 MMC Adapter to copy the files directly(discless, but requires specific hardware)

    And to install FMCB you need either
    1. an already FMCB modded PS2 to use uLaunchElf to run the installer(discless, but needs FMCB)
    2. a PS2 capable of running modded discs or AR MAX like discs to run the installer(not discless)
    3. a Memor32 or PS3 MMC Adapter to copy the files directly(discless, but requires specific hardware)

    So, while this new method certainly is good news since it works on ALL PS2 models, it's not discless at all, not more than FMCB already was.
  15. VTSTech (Member)
    It worked! Just tested on a completely formatted MC on SCPH-70001

    Now we really need someone to test on an 8C or later SCPH-9XXXX
  16. TnA (Senior Member)
    @TheSeek: It doesn't matter HOW IT IS installed, but if it works without a disc, WHEN it is installed!

    Is FMCB discless? Yes! It still needs to be installed to MC somehow, though!

    An FMCB-Installer (person, not app), could also simply copy it (this new Exploit) to an MC!

    Last edited: Dec 3, 2019
  17. TheSeek (Forum Noob)
    @TnA: it does matter how it is installed though, cause even if, to use it on non-FMCB compatible PS2s, you don't need a disc to launch the exploit each time, you do need a disc to install it.
    A "method" doesn't only apply to how the exploit itself works and is executed, but also to how it is installed.
    The title is misleading as it makes it appear like this new method doesn't require a disc at all.
    Proof that it misleads is what neo88 said, asking about requiring or not a Boot Disc cause most PS2s where he lives have faulty disc readers.
    Does the exploit work discless? Yes.
    Can it be installed on a PS2 that does not read discs? No.
    So even if it's discless in its usage, if neo88 has a PS2 with a faulty disc reader this new method won't work for him regardless, cause he can't install it.

    This looks trivial and nitpicky, but it's actually crucial to how something is presented.
    If at any point in any method from start(in this case, an unmodded PS2) to finish the user needs X, even just once, then the method is not X-less.
    More often than not, when a person reads that something is finally "X-less" they're interested because, in a way or another, they have no access to X.
    So in this case if the user has no access to X, this method won't work for them, even if they need X just once.

    I'd suggest to edit the title so it's more precise, either removing the discless part of it, or stating that it specifically refers to not needing a boot disc each time on non-FMCB compatible PS2.

    For all intents and purposes, this new method is only useful on non-FMCB compatible PS2.
    Stating in the title that ALL PS2 models are now hackable discless is misleading, as it makes it sound like this new method is somehow useful regardless of what your PS2 model is, even if it's a FMCB compatible one, cause this method is "discless".
    But that's not the case, for all those models this new method doesn't change anything.

    Last edited by a moderator: Dec 3, 2019
  18. jolek (Senior Member)
    I've tried it on SCPH-70004 & 77004.
    It works.
    To make it work, I needed to copy the "FORTUNA" folder into the root of the memory card in the 1st slot.
    For now the 2nd slot does not work, giving me a red border, as the instructions mention.

    Thanks for the info.
  19. VTSTech (Member)
    Did some more testing. It has to be the only folder on the MC.

    Having another folder, even if FORTUNA is first, doesn't work (text becomes vertical lines, ELF doesn't launch).

    Tried renaming it as !FORTUNA with an APPS folder, also tried naming them OPL and FORTUNA (it was still first); neither worked.

    Has to be the only folder.
  20. TnA (Senior Member)
    Does either of the two exploits need a disc to start? No!
    Does it matter how an Exploit is installed in order to determine if it "needs a disc"? No!

    There you are wrong...
    There is the "method of installing an Exploit" (which can vary a lot) and the "method how an Exploit is started"... Both are MUTUALLY different things, regardless how you try to intermingle them!

    It is not, or calling FMCB an Exploit/Softmod which works without a disc, would be wrong as well (then), which it is not!!!

    Looooool! User-Requests have NEVER been ANY PROOF of ANYTHING!

    2 Topics, 2 questions, 2 answers!

    Other PS2, friend, post...?!?

    Correct! This is, why I stated correctly that the Exploit works without a disc, regardless of what the Install-Method requires!

    This method is NOT about 'Entry-Methods', or "Install-Methods"! It is about the INSTALLED Exploit, NOT about "to be installed"!

    FMCB has at least 10 methods of installing it... Does that mean it is related to i.e. Swap Magic? No!

    Is it a discless Exploit? Yes, it is!

    You fail to realize, that the first entry-point to install it, is ANOTHER KIND OF entry or Exploit!
    It has nothing to do with THIS Exploit...

    It doesn't matter how the Exploit is installed, but what it needs itself to start custom code!!!
    That's the whole crux of your argumentation!!!

    Does this Exploit need a Disc to START Code or apps? No!
    Can it be copied from someone else or on another console or via various tricks into the MC? Yes!
    Does it matter for an Exploit to be called "discless", if it needs some kind of way (Btw. even DISCLESS variations) of installing it? No!
    (Oh, you certainly will argue that...! "But... Installing..."... "no working disc drive..."
    How do you think, those with a bad disc-drive got FMCB on it?)

    Does it matter if it can start a Homebrew without a disc, yes! THAT matters MUCH more, than if it can be installed without a disc!
    To refer to an Exploit as "discless", it matters if it needs a disc to start an App, NOT how it had been installed in the first place!

    You do realize that STARTING AN APP, or INSTALLING AN EXPLOIT, already needs ANOTHER EXPLOIT, to do that?!? THUS, IT DOES NOT MATTER, if the install-method needs a disc, because THAT IS AN ENTIRELY DIFFERENT EXPLOIT/ENTRY!!!

    Now just one final reason, why your argument is ABSOLUTE Nonsense... How do you expect a "discless exploit" to work on a PS2?
    I assume the only example would be FHDB... and there you would need a PC... (and probably Internet, downloading, etc.)
    Do you see, where this is going to end?
    Either there is NO DISCLESS EXPLOIT AT ALL out there, or you are simply wrong...

    THX for your suggestion, but I rather keep it that way rather than extending the title...
    MOST users will probably get along with the title "being so imprecise"! ;)
    On another note, it is also discless on an FMCB-Compatible PS2 or in fact on all PS2s!

    Possibly, yes...
    But that includes WAY more models than just the PS2's with BOOT-ROM 2.30 and newer, like some DTL-Hs where the Independence Exploit and FMCB and FHDB all don't work!!!

    No, it is not! It is a matter of fact that STARTING CODE DOESN'T NEED A DISC WITH THIS EXPLOIT and that is, what this is all about!
    "DISCLESS" is an ATTRIBUTE OF THE EXPLOIT, NOT ITS INSTALL-METHOD(-EXPLOIT)!

    You kinda start to sound like a broken record/vinyl! ^^
    I understood it, when you said it the first time...
    Regardless of that, you fail to see that you are intermingling 2 TOTALLY UNRELATED THINGS!

    Installation of the Exploit vs. Execution of an App through the Exploit...

    It is not?

    Please tell me, what of these things is wrong?:
    • It can start APPS without a disc needed to be inserted... (Independence Exploit and various others need a disc to start or trigger starting the ELF... THOSE are not discless!)
    • It is theoretically compatible to all models!
    You are also wrong on the last sentence! Yes it does change a thing for users with FMCB-compatible consoles as well!
    Those users don't need a method to EXECUTE the Installer, but merely to COPY off a folder (including its files)!

    Copying can be done by a lot of tools! Executing NOT!

    Last edited: Dec 3, 2019