PS2 Fortuna. ALL PS2s (incl. TV) HACKABLE! Another discless exploit!

That is, I believe, doable, but you need not only a file manager (or a system driver/module for mcfs support) but also a driver for the device itself (and there are plenty of them; I have one of those junk Dragon-something cheap Chinese ones ;)).

I hope one day someone creates... an MCSIO2SD adaptor which would solve all those problems. ;p
 
I'm a simple man: I saw an adaptor on AliExpress, I buy it. ^^ I was thinking more of something which would pretend to be a real PS2 Memory Card, with removable storage, i.e. SDHC.

wisi said:
This gives raw (sector) access to the SD card memory, so any (compatible) filesystem can be used, although it makes sense to use FAT, because SD cards are usually already formatted with it. Also this permits reading whatever is already present on the SD card, so as Maximus32 proved, it can be used to boot games from in OPL, and just the same it can be browsed with uLE and for example photos and videos can be played on SMS (if the driver is integrated in it).

This has nothing to do with the PS2 Memory Card (and its complex drivers and security). It just uses the SIO2 interface (which is also used for the Controllers). The SD card protocol is completely different from that of the PS2 MC and the PS1 MC and Controllers. The only reason this is not pointless is that it is a bit faster than USB and the MC port 2 is usually left unused, so no connectivity is lost. The hardware connection is also very simple.
 
Updated attachment.

Fortuna rev2 for PS3 installation purposes. Contains two memory card images (with ECC, *.VM2, and without ECC, *.bin) and of course a *.psv for all OFWs (do NOT change the filename; it is part of the data verification which the PS3 performs before importing).

@TnA

If you are going to pretend to be a real Memory Card, might as well throw in emulation of MagicGate as well on the MCU, which makes this exploit less useful over FMCB.
Yerp, with MC emulation and MG emulation, to exploit a PS2 directly with this adapter and an SD card + only a downloaded file.

Some of the stuff @pelvictrustman posted regarding a BT connection via a connection to the SIO ports can be re-used for this!!!
Asking questions is not allowed, lol...

This is not the first time you get denied to post in this thread for the same issue. Don't repeat the same offense again -- Final Warning!

FINAL WARNING for asking questions? Seriously?
That is NON-SERIOUS BUSINESS!
@TnA you're one step closer to seeing this message:
Anyway, what about starting a new conversation in this sub-forum (Fortuna), not in the main topic?
Failing to get your answers, you could try to understand this exploit on your own.

The icon.sys file seems normal. It is the icon.icn file that is special. It seems to be mostly valid, but the texture region contains code. The code is in the RLE encoded part (at offset 0x15C). The RLE texture data length is 0x4090, as per the word at 0x158.

The RLE decompression logic from Sony is like this (based on the sample code from Sony):
  1. Read a halfword.
  2. If the halfword value is greater than 0: copy the succeeding halfword that number of times.
  3. Otherwise, negate the value and copy that many of the following halfwords as they are. For example, if -4 is read, the next 4 halfwords are copied unchanged.
  4. Continue from 1, until there is no more data.

Repetitions    Number of halfwords to zero
26             0x7FF0
01             0x1DE
Then the magic happens. From this point, OSDSYS will copy the payload in blocks of 254 halfwords (halfword count = -254) each.

The entrypoint in memory seems to be 0x00c020d0. I don't know what runs it, but other people are free to explore what actually got overwritten. A memory dump may be required, as this would depend on how the OSDSYS stores the icon data. Once that portion runs, it will copy another payload to 0x00090000 and execute it from there.

Since the payload is made to run at a fixed address - it may be dependent on the memory layout of OSDSYS...

BTW, the "DTL" consoles had a few types. The DEX (DebugStation) boot ROMs are similar to the CEX, so I would expect it to work too. The TOOLs have no OSDSYS program and I don't see why anybody would need such a thing on a TOOL...
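As an added example (not code from the thread, from sp193, or from Sony's sample), here is a Python decoder that follows the four RLE steps sp193 lists above. It has a naive form that mirrors the described logic and a hardened form that stops as soon as the decoded output would exceed the texture buffer, which is the check a decoder needs before trusting an icon's repeat counts. The 128x128 halfword texture size and the 0x1111 filler halfwords are assumptions, and the stream it decodes is constructed from the table's values rather than taken from an icon file.

```python
# Added example: decoder for the icon-texture RLE scheme as described in the
# thread. Not the thread's, sp193's or Sony's code. Texture size is assumed.
import struct

TEXTURE_HALFWORDS = 128 * 128  # assumption: icon texture is 128x128 16-bit pixels


def encode_records(records):
    """Build an RLE stream from ("repeat", count, value) and ("literal", [values])
    records. A positive count halfword means "repeat the next halfword count
    times"; a negative one means "copy the next -count halfwords as they are"."""
    out = bytearray()
    for rec in records:
        if rec[0] == "repeat":
            _, count, value = rec
            if not 0 < count <= 0x7FFF:
                raise ValueError("repeat count must be a positive signed halfword")
            out += struct.pack("<hH", count, value)
        else:
            _, values = rec
            if not 0 < len(values) <= 0x8000:
                raise ValueError("literal run must hold 1..32768 halfwords")
            out += struct.pack("<h", -len(values))
            out += struct.pack("<%dH" % len(values), *values)
    return bytes(out)


def rle_decode(data, max_out=None):
    """Decode per the four steps. With max_out=None this is the naive decoder;
    with max_out set it raises ValueError before the output would exceed that
    many halfwords (the hardened variant)."""
    out = []
    pos = 0
    while pos + 2 <= len(data):
        (count,) = struct.unpack_from("<h", data, pos)      # step 1: read a halfword
        pos += 2
        if count > 0:                                       # step 2: repeat run
            if pos + 2 > len(data):
                raise ValueError("truncated repeat record at offset %d" % pos)
            (value,) = struct.unpack_from("<H", data, pos)
            pos += 2
            chunk = [value] * count
        else:                                               # step 3: literal run
            n = -count
            if pos + 2 * n > len(data):
                raise ValueError("truncated literal run at offset %d" % pos)
            chunk = list(struct.unpack_from("<%dH" % n, data, pos))
            pos += 2 * n
        if max_out is not None and len(out) + len(chunk) > max_out:
            raise ValueError("RLE output would exceed %d halfwords at stream offset %d"
                             % (max_out, pos))
        out.extend(chunk)                                   # step 4: continue until no data
    return out


def fits_texture(data, max_out=TEXTURE_HALFWORDS):
    """True if the stream decodes without overrunning the texture buffer."""
    try:
        rle_decode(data, max_out)
        return True
    except ValueError:
        return False


def constructed_stream():
    """Constructed stream following the thread's table: 26 runs of 0x7FF0 zero
    halfwords, one run of 0x1DE zero halfwords, then one literal block of 254
    dummy halfwords (0x1111, an assumed filler value)."""
    records = [("repeat", 0x7FF0, 0x0000)] * 26
    records.append(("repeat", 0x1DE, 0x0000))
    records.append(("literal", [0x1111] * 254))
    return encode_records(records)


def decoded_length(data):
    """Halfword count the naive decoder would write out."""
    return len(rle_decode(data))


if __name__ == "__main__":
    s = constructed_stream()
    print("naive decode length:", decoded_length(s), "halfwords; texture holds", TEXTURE_HALFWORDS)
    print("fits texture:", fits_texture(s))
    solid = encode_records([("repeat", TEXTURE_HALFWORDS, 0x8000)])
    print("solid-colour texture fits:", fits_texture(solid))
```

Run as a script, it shows the naive decoder writing 852284 halfwords for a stream whose texture can hold 16384, while the hardened decoder rejects it on the very first repeat record; a single repeat record that fills exactly one texture is accepted.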
@jolek: Well... If that's the case, they would make themselves look even sillier IMO...


@sp193: THX! Yes, I haven't really looked at it, because that supposedly is vindictive or a silly vendetta, so I figured "I just don't interfere."...

The questions are also meant as a tip: what would be interesting, and how the Payload could be adapted to accomplish it.

FORTUNAtely, another post regarding this "per icon start" was approved in a separate thread!
https://www.ps2-home.com/forum/viewtopic.php?f=17&t=8625


I am almost certain that it depends on the memory-position of the icons to load additional code (hence initial Payload/space at the vulnerable spot, being small).

I figure it might be hard to accomplish an Exploit which can run every icon (like in the Browser 2.0/HDD-OSD), but I think it might be possible!


Btw.: Why aren't there gold or squared likes for posts like SP193's?!


Edit:
On another note! THX! It's great to hear/know how he uses an internal function to copy it off there!

I still wonder about the initial vulnerability and exploit, which points to this location in RAM and executes it! ;)


I did not know the part you explained, so THX for that. Some fellow PS2 hacker already pointed something out "in that direction", but it still does not explain the initial vulnerability, only how the Payload gets loaded into its place/location.


I certainly think it is the first icon for offset-prediction and yes "2 stages/Payloads", tho'.


Edit 2: Does anyone think those questions were "over the top" in any way, or anything else?
Edit 2: Does anyone think those questions were "over the top" in any way, or anything else?

For me, no.

You have IMO 2 options.
  1. As I mentioned before, create a separate topic/post somewhere in that Fortuna section.
  2. Ask this question via PM (contact the author) - theoretically the worst idea, but maybe this method will work.
I cannot enter this site, so at least I'll ask... do you get all the info that you wanted?
What do you expect to get from Fortuna, which OpenTuna can not possibly provide later on?

Also... Take a look at the possibilities of OpenTuna, THX to its open source nature.