PS2 FINALLY! ALL PS2s (incl. TV) HACKABLE! ANOTHER DISCLESS EXPLOIT!

Discussion in 'PS2 Homebrew' started by TnA, Dec 3, 2019.

  1. TnA (Senior Member, Germany --> Saxony)
    I can't wait for the fully detailed technical writeup!
    But basically, I think the "issue" or vulnerability can be explained this way:

    You can "feed" the PS2 almost anything, including "illegal characters" and "faulty icons"...
    The tools which create files like icons don't permit these, but if you modify, for example, a save, the PS2 does not check the content and gladly copies whatever it gets to a buffer...

    Now... This "string", however, can have an opcode (or a set thereof) included, which stops a function (for example)...

    ...and I think the vulnerability can probably be triggered via various means!!!
    Save icon, save name, OSD item text string and so on...

    Here is an old video where I did something similar via FMCB and OSDSYS text strings!

    Note that EVERY text got corrupted (also "Browser" and "System Configuration")!

    I got the PS2 to freeze with this as well, and you can even have an OSDSYS text string do these things, but they are obviously very short, so you have to have another file loaded to jump to (in Fortuna's case the 'icon', I think).

    ...and it must be the first icon, to predict the offset where the payload is located, and the offset prediction/calculation also produces varying offsets on varying boot ROM versions!

    tl;dr
    I suppose Fortuna, the stuff in the video and the vulnerability about text strings I was talking about are all based on that "issue"/vulnerability! ;)
    It essentially works due to the PS2 being "blind" to the content while reading and copying it (to RAM), but not while it is in the 'execution cycle', because then the hardware cares about the content!

    I hope I explained what I assume properly!


    So... A "PS1 Fortuna" would be neat as well! :D

    I think there are even multiple consoles vulnerable to that kind of "entry", but obviously you can't do that so easily on consoles with encryption.

    You have to get the file to be read by the system somehow... However, I think this "entry" or variations thereof might be usable on various consoles like the GameCube (that would be awesome, as well as the following), the PS1, possibly the PSX (PS2 DVR) and other consoles where you can get it to read something...
    Save exploits on NES, SNES, GB, GBC, GBA, SMS, SMD, etc. might be possible via this!!!

    These could probably ALL get a new exploit, DISCLESS, without other tools, etc., based on this approach...
    Last edited: Dec 4, 2019
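The mechanism TnA sketches above (a string taken from a save or icon file and copied into a buffer with no check of its length or content) is the classic unbounded-copy bug. The C below is an added example for this thread, not Fortuna's code and not the PS2's OSDSYS: it puts the unsafe pattern next to a bounded copy that rejects unterminated fields, oversized titles and the "illegal characters" TnA mentions. The field size, destination size and sample titles are invented for illustration and do not describe the real icon.sys layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: a save-icon header carries its title in a fixed-size
 * byte field that is NOT guaranteed to be NUL-terminated once a user has
 * edited the file on the card.  These sizes are illustrative only. */
#define TITLE_FIELD_CAP 68u   /* bytes reserved for the title in the file  */
#define TITLE_BUF_SZ    32u   /* smaller destination buffer in the "firmware" */

/* Unsafe pattern: trusts the field to be terminated and to fit.  A title
 * that fills all TITLE_FIELD_CAP bytes with no NUL makes strcpy read past
 * the field and write past dst.  Kept only for contrast; never call it on
 * untrusted card data. */
void copy_title_unsafe(char *dst, const uint8_t *field)
{
    strcpy(dst, (const char *)field);
}

/* Length of the string inside a fixed-size field, never reading past cap. */
size_t field_strnlen(const uint8_t *field, size_t cap)
{
    size_t n = 0;
    while (n < cap && field[n] != 0)
        n++;
    return n;
}

/* Reject control bytes and anything outside printable ASCII.  The official
 * icon tools never emit them, so their presence marks a hand-edited file.
 * Returns 0 when clean, -1 otherwise. */
int validate_title(const uint8_t *field, size_t cap)
{
    size_t n = field_strnlen(field, cap);
    for (size_t i = 0; i < n; i++) {
        if (field[i] < 0x20 || field[i] > 0x7e)
            return -1;
    }
    return 0;
}

/* Bounded copy: fails closed when the field has no terminator, when the
 * title would not fit dst together with its NUL, or when validation fails.
 * Always NUL-terminates what it writes.  Returns the copied length or -1. */
int copy_title_safe(char *dst, size_t dstsz, const uint8_t *field, size_t cap)
{
    if (dstsz == 0)
        return -1;
    size_t n = field_strnlen(field, cap);
    if (n == cap)                 /* no NUL anywhere inside the field */
        return -1;
    if (n >= dstsz)               /* would overflow dst (or leave no room for NUL) */
        return -1;
    if (validate_title(field, cap) != 0)
        return -1;
    memcpy(dst, field, n);
    dst[n] = '\0';
    return (int)n;
}

/* Constructed sample fields (not real card data). */
uint8_t sample_ok[TITLE_FIELD_CAP]   = "Final Fantasy X";
uint8_t sample_ctrl[TITLE_FIELD_CAP] = "Save\x01\x02";

/* Fill a field to capacity with no NUL: the case the unsafe copy mishandles. */
void make_unterminated(uint8_t *field, size_t cap)
{
    memset(field, 'A', cap);
}

int main(void)
{
    char dst[TITLE_BUF_SZ];
    uint8_t full[TITLE_FIELD_CAP];
    make_unterminated(full, sizeof full);

    printf("normal title : %d\n", copy_title_safe(dst, sizeof dst, sample_ok, TITLE_FIELD_CAP));
    printf("control bytes: %d\n", copy_title_safe(dst, sizeof dst, sample_ctrl, TITLE_FIELD_CAP));
    printf("unterminated : %d\n", copy_title_safe(dst, sizeof dst, full, TITLE_FIELD_CAP));
    return 0;
}
```

The length check comes before the character check on purpose: an unterminated field must be rejected without ever being scanned as a C string, since that scan is exactly where the unsafe version runs off the end.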
  2. Vedita BR (Member, BRA)
    Just tested with the .psu Berion uploaded and F%$#, it worked on 90010.
     
    TnA likes this.
  3. TnA (Senior Member, Germany --> Saxony)
    This seems to be almost a ROP/JOP chain exploitation! :D
    ...on pretty old hardware... Soooo freakin' cool!
    That job was fabulous! Splendid!

    All those who read my earlier comment/post: I updated it quite a bit! Please re-read, if you are interested!
     
  4. RandQalan (Member)
    No, this is a native save vulnerability, but it ROPs back to the browser of the PS2, and because of this it ROPs back to the MC.
    So an exception happens that allows it to run without a key.
    So FUBAR the startup and it will allow non-key.

    OBTW, all systems with updates can be exploited this way; it's just that most DEVS are afraid to show this!!!!!!!!!!

    YES EVEN PS4
     
    VTSTech likes this.
  5. TnA (Senior Member, Germany --> Saxony)
    Where do you know that from? Have you dissected it already?!?

    "No key"? I doubt that is possible... It at least has to show the icon once, IMO, and to enter the MC menu you definitely need to press some buttons...

    I agree that it MIGHT be possible without a key once the icon has been shown/read, though!

    First off... I think MOST systems, EVEN WITHOUT UPDATEABLE SOFTWARE, MIGHT be vulnerable to this...!

    Second... No... First off, it has to 'inject' custom code via those "faulty functions"... But I agree that pretty much any hardware in itself probably has that fault, but depending on the software it can be triggered or not...
     
  6. RandQalan (Member)
    @TnA, don't ask, don't tell. It's something I have known for a long time, like the PS3/PS4 exploits.
    I have no way to tell you how I know, BUT I DO know.
    I know this sounds like a FUBAR, but you know I am not a lost cause.
     
  7. VTSTech (Developer)
  8. remlei (Member)
    I guess this is a very good alternative for non-FreeMCBoot slims, though it would be cool if it executed FMCB's hacked OSDSYS instead of uLaunch.
     
  9. TnA (Senior Member, Germany --> Saxony)
    It can... Just install FMCB and replace the BOOT.ELF (in mc0:/FORTUNA) with HWNJ's OSDSYS launcher...!
     
  10. uyjulian (Developer)
    Another good thing about this exploit is that it doesn't require MagicGate, so you can use it on generic third party cards and build the exploit without needing to use any keys.
     
    RivalK93, Algol, TnA and 1 other person like this.
  11. Haker120 (Member, Poland)
    Also, my 90004 with FW 2.30 has one of those 'better' Modbo 760 chips soldered in, which runs PS1 games flawlessly no matter the region, and this Fortuna exploit really doesn't give a crap about it. I hope FMCB/FHDB will be more tolerant of modchips... ;)
     
    TnA likes this.
  12. TnA (Senior Member, Germany --> Saxony)
    I agree!
    These two points are the most important, besides it working without a disc!
     
    Algol likes this.
  13. unseen (Member)
    Could you attach HWNJ's OSDSYS launcher? I've been unable to access the ps2-home site for two days. Thanks.
     
  14. TnA (Senior Member, Germany --> Saxony)
  15. kenzy (Member)
    It is really working; I just finished testing on a phat PS2. Thanks very much for making it easier for people to hack the PS2.
     
  16. Vedita BR (Member, BRA)
    Worked on my fat 50k.
     
  17. jolek (Senior Member)
    From what I remember, there was no official version for FAT models.

    I needed to delete "Your System Configuration" (BEDATA-SYSTEM) to make it work on my SCPH-50004.
    The same MC with Fortuna works without any problems on my SLIM model (without needing to delete this folder).

    Table for other regions from here:

    Region    System Executable Directory    System Data Directory
    Japan     BIEXEC-SYSTEM                  BIDATA-SYSTEM
    US        BAEXEC-SYSTEM                  BADATA-SYSTEM
    Asia      BAEXEC-SYSTEM                  BADATA-SYSTEM
    Europe    BEEXEC-SYSTEM                  BEDATA-SYSTEM
    China     BCEXEC-SYSTEM                  BCDATA-SYSTEM
     
    Last edited: Dec 15, 2019
    Peppe90 likes this.
  18. unseen (Member)
    This is f***ing awesome. :biggrin2:
    Today I bought a 90004 0C just to test it on BIOS v2.30.
    I will also do some tests on my SCPH-30004.
     
  19. deba5er (Member)
    Fortuna worked on my SCPH-90001 (BIOS 0230) and my SCPH-50001 (BIOS 0190, DVD player version 3.02U) with no difference, and no special changes needed. When used on my SCPH-50001 (BIOS 0170, DVD player version 3.00U) it did not work, regardless of deletion of folders. Instead of running my BOOT.ELF it would return to a barely recognizable Browser/System Configuration menu with messed up graphics. I am using a non-Magicgate, non-FMCB memory card for testing.
     
  20. jolek (Senior Member)
    You mean something like this:
    [IMG]
    I have this problem on my SCPH-50004 (ROMVER 0190, DVD Player 3.02E) when I have the BEDATA-SYSTEM folder on my MC.

    The version for SLIM consoles might work on FAT, but it doesn't have to.
    Currently we need to wait for a version dedicated to FAT consoles.
     