I can't wait for the fully detailed technical write-up!
But basically, I think the "issue" or vulnerability can be explained this way:
You can "feed" the PS2 almost everything, also "illegal characters" and "faulty icons"...
The tools which create files like icons don't permit these, but if you modify, for example, a save, the PS2 does not check the content and gladly copies what it gets to a buffer...
Now... This "string", however, can have an opcode (or a set thereof) included, which stops a function (for example)...
...and I think the vulnerability can probably be triggered via various means!!!
Save icon, save name, OSD item text string and so on...
Here is an old video where I did something similar via FMCB and OSDSYS text strings!
Note that EVERY text got corrupted (also "Browser" and "System Configuration")!
I got the PS2 to freeze with this as well, and you can even have an OSDSYS text string do these things, but they are obviously very short, so you have to have another file loaded to jump to (in Fortuna's case the 'icon', I think).
...and it must be the first icon, to predict the offset where the payload is located, and the offset prediction/calculation also produces varying offsets on varying boot ROM versions!
tl;dr
I suppose Fortuna, the stuff in the video and the vulnerability about text strings I was talking about are all based on that "issue"/vulnerability!
It essentially works due to the PS2 being "blind" to the content whilst reading and copying it (to RAM), but not whilst it is in the 'execution cycle', because then the hardware cares about the content!
I hope I explained what I assume properly!
So... A "PS1 Fortuna" would be neat as well!
I think there are even multiple consoles vulnerable to that kind of "entry", but obviously you can't do that so easily on consoles with encryption.
You have to get the file to be read by the system somehow... However, I think this "entry" or variations thereof might be usable on various consoles like the GameCube (that would be awesome, as well as the following), the PS1, possibly the PSX (PS2 DVR) and other consoles where you can get it to read something...
Save exploits on NES, SNES, GB, GBC, GBA, SMS, SMD, etc. might be possible via this!!!
These probably can ALL have a new exploit, DISCLESS, without other tools, etc., based on this approach...
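As an added illustration of the "blind copy" pattern the post describes (example code written for this edit, not from the post, Fortuna or any PS2 firmware), the naive loader below copies a fixed-size save-title field into a buffer without inspecting it, while the hardened loader beside it refuses fields that lack a terminator or contain non-printable bytes. The 16-byte field size, the buffer size and the printable-ASCII rule are assumptions, as are the three constructed sample fields.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

#define TITLE_FIELD_LEN 16   /* assumed size of the on-disk title field */
#define TITLE_BUF_LEN   16   /* assumed size of the in-RAM destination  */

/* Constructed sample fields, not real save data. */
static const unsigned char GOOD_TITLE[TITLE_FIELD_LEN]   = "MYSAVE";
static const unsigned char BAD_BYTES[TITLE_FIELD_LEN]    = "MY\x01\x02SAVE";     /* control bytes mixed in */
static const unsigned char UNTERMINATED[TITLE_FIELD_LEN] = "ABCDEFGHIJKLMNOP"; /* 16 chars, no NUL */

/* Naive loader: trusts the file. With an unterminated field, strcpy keeps
 * reading past the field and writing past dst. Shown for contrast only;
 * it is never called on the bad samples here. */
void load_title_unchecked(char *dst, const unsigned char *field) {
    strcpy(dst, (const char *)field);
}

/* Hardened loader: succeeds only if the field is NUL-terminated inside its
 * fixed size, fits in dst, and holds printable ASCII only. */
bool load_title_checked(char *dst, size_t dst_len, const unsigned char *field) {
    size_t n = 0;
    while (n < TITLE_FIELD_LEN && field[n] != '\0') {
        if (!isprint(field[n]))
            return false;                 /* illegal byte in a text field */
        n++;
    }
    if (n == TITLE_FIELD_LEN)
        return false;                     /* no terminator within the field */
    if (n + 1 > dst_len)
        return false;                     /* would not fit in the destination */
    memcpy(dst, field, n);
    dst[n] = '\0';
    return true;
}

int main(void) {
    char title[TITLE_BUF_LEN];
    printf("good:         %s\n", load_title_checked(title, sizeof title, GOOD_TITLE) ? title : "rejected");
    printf("bad bytes:    %s\n", load_title_checked(title, sizeof title, BAD_BYTES) ? title : "rejected");
    printf("unterminated: %s\n", load_title_checked(title, sizeof title, UNTERMINATED) ? title : "rejected");
    return 0;
}
```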