PS2 Fortuna. ALL PS2s (incl. TV) HACKABLE! Another discless exploit!

The first version of FORTUNA was never advertised as working on FAT consoles.

Also, it is possible to get this type of line corruption on a slim; if other icons/saves are loaded, the same behavior is exhibited.
--
Find the corresponding file for your PS2 model.
  1. If you have a SLIM PS2, starting all the way from SCPH-700x and up to PS2 TV you should get the SLIM PACKAGE. It works on all of them.
  2. If you have a FAT PS2, you must wait for your package version. More updates later...
 
Apparently, asking krat0s if he would talk about his exploit at one of the biggest hacker conventions on the planet (36C3) is considered "Drama", "vindictive", "Beating the dead horse.", etc. and is not approved over at Ps2-home.com!

Maybe creating this post is considered "Drama" and "vindictive" as well? Ahhhrr... Damn... This sentence must be vindictive and drama-creating and a way of petty payback, feed the drama, or silly vendettas! ^^
 
Last edited:
Well, it is in the release-post of "Fortuna"...

It might have been him, but I have the feeling that these are some words, which came from another mind and fingers... (or possibly via krat0s as a proxy)

I am on moderation-status over there, but I really don't get why asking him if he would make a talk about it on the "Chaos Communication Congress" is not approved, while the rest of the post was...

If that would be considered "Beating the dead horse", I have to argue that this is a quite flawed reasoning, because especially a "Yes!" would have laid any questions - regarding how it works - to rest!
 
Apparently, asking krat0s if he would talk about his exploit at one of the biggest hacker conventions on the planet (36C3) is considered "Drama", "vindictive", "Beating the dead horse.", etc. and is not approved over at Ps2-home.com!

Maybe creating this post is considered "Drama" and "vindictive" as well? Ahhhrr... Damn... This sentence must be vindictive and drama-creating and a way of petty payback, feed the drama, or silly vendettas! ^^

Were your posts deleted in some way?
If not, ask him again; maybe there was some misunderstanding...

Theoretically $ony will not patch the PS2 in any way by creating ROMVER 2.60,
so some details about this exploit can be explained.



Anyway, recently when I try to enter this site I get:
[image attachment: attack.png]

For now I'll leave it...
 
No... I wrote the request on multiple posts, but only that specific request was deleted from my post, before my posts got approved!
 
Yeah, let's just leave it at that...

It doesn't matter that much!

Let's just wait and see what else emerges from it (updates, documentation and/or tools, etc.)! ;)


I asked for it... It wasn't approved... He couldn't or didn't answer... and the schedule is final... So... :(

Anyway... So the info remains exclusive to Ps2-home.com, so go watch this thread! :rolleyes: --> https://www.ps2-home.com/forum/viewtopic.php?f=107&t=8542
 
Last edited:
Regarding an "Explanation"...

Well... I don't know and I don't know if anyone has taken a closer look at how it works!


I SUPPOSE that it uses a vulnerability to "escape" a function at a point where it should not do that, then patches an offset or return value ($v1 possibly?) in the OSDSYS (Payload 1 / exploitation of the vulnerability) to jal or jump to a specific address upon returning to the main menu...

This address is where the icon resides in RAM, which allows for a prediction of the offset at which the 2nd payload is stored. The second payload is in the "icon"... The offsets are different for various BOOT-ROMs, which need varying patches for various OSDSYS versions, but the offset for the first icon can always be predicted!

GAIN! There is the interesting (2nd) Payload (ELF-Loader, etc)!

It jumps/jals to that 2nd payload, due to the OSDSYS patches made with the 1st/entry/exploit payload, and executes the ELF loader...
This then loads a (currently) fixed ELF name...

The "pointing to another place" is likely also related to a quite limited amount of space for the "escape"/exploit/1st payload (so I think that might be the text vuln, but theoretically the "opcode injection" might be possible via other "triggers" as well). If it is the text thing, it is limited to 64 bytes (correct?) minus the exit char(s)... Not much, but enough to point to a predictable offset where the real payload can reside! ;)

This is just a rough idea! It might work entirely differently, so let's just wait and see!


@Md Hesam:
It is a "save" meant to be copied to the MC... No, not a USB exploit, although that would be neat!
 
Last edited:
One could disassemble it and see how exactly it is working.
True... But I'd rather not interfere with it any more and would rather wait for the documentation/tools/stuff...!

You can change the path and the ELF name using a hex editor. Just beware not to alter the overall length.
True, but that is still a fixed path for the specific payload!
It's also possible to have another length, but that would likely need more edits!


So, the currently compatible BOOT-ROM versions seem to be "CEX" 1.90, 2.20, 2.30, 2.50, correct?
Anyone out there with a DTL?
 
Last edited:
New rev_2 is out.
Grab it from the 1st post.

Changelog:
Code:
REV2 - 12-23-2019
* Added memory card slot 2 (MC1) support.
* Removed debug colors. If BOOT.ELF not found it will boot OSDSYS again.
* Added new ELF launcher (used the one from ulaunchELF), so whatever compatibility ulaunchELF has for loading ELFs should give the same compatibility here as well. IOP is always reset. OPL should work now.
* Proper timestamp for folder and files. Clock trick should now be obsolete but depending on how you transfer files you might be forced to use it for installation.
* PSU format included as well.
* No longer mandatory to quickly return when save icons start showing. This was causing issues sometimes. Now should work fine even if all icons are loaded and whatever operation is performed. You can return whenever you want.
* Decreased file size. Now it's just 17 KB instead of 50 KB; it won't get smaller. BOOT.ELF is still the same, replace if needed.

Supported models for this package:
Slim 70000x
Slim 75000x
Slim 77000x
Slim 79000x
Slim 90000x
PS TV PX300

* Potentially any other console (TEST, DEBUG, etc.) which has an MC browser and a BIOS version >2.00 and higher. The only true way to know is just to try and see if it works. Please report back. KEEP FORTUNA THE FIRST SAVE ON THE MEMORY CARD

** FORTUNA SAVE MUST BE THE FIRST SAVE ON THE MEMORY CARD **
** Rev.2 should be stable but since many changes were implemented something might have broken. **
** Users who reported that this only worked with specific language and GMT settings, please retest and report! **
** Fat consoles will have to wait because they have minor differences which require time. **

REV1 - 12-02-2019
-- Initial Release...
 
Last edited:
I can test it, but I'm not exactly sure how it works.
I mean, when I copy BOOT.ELF (renamed "LaunchOSDSYS.ELF") into the BOOT folder on mc?:/
and try to launch it, I only get this screen:
[image attachment: XEB-1.png]

Nothing happens after that.

EDIT: The launcher has to be on a memory card in the 1st slot.
If it is in the 2nd slot I get this screen.

EDIT 2: I'm getting a BSOD after I initialize with Rev_2.

Hmm, maybe because of this change:
Added new ELF launcher (used the one from ulaunchELF), so whatever compatibility ulaunchELF has for loading ELFs should give the same compatibility here as well. IOP is always reset. OPL should work now.

For now I've only tried it on the theoretically unsupported SCPH-5004.
 
Last edited:
Ah! So it is a limitation of the OSDSYS launcher?! I did not know about that!

Yet another reason for a ReBoot(er)/ReLaunch(er), "gelle" @VTSTech? :D
 
If someone has too much time and wants to try exporting a PSV on PS3, I made two VMCs (*.VM2 is for PS3, it has ECC) and one without ECC (*.bin for MCA2).

// attachment removed, reattached a few posts further on
 
Last edited:
I'd be very interested to know if Fortuna can be installed via a PS3 this way!

It is also possible to push the save via PC and such an MC2USB adapter!

It is just not possible to sign files/KELFs!



If someone ever enhanced or developed a util to manage saves on a real MC via these adapters for a PC, it would certainly be able to use various adapters for file management on MCs!!!
Just signing files would likely not be possible with either clone MCs or third-party adapters, but I won't say "I am certain." because MAYBE it is possible with at least one or both of them in the future!
 
Last edited: