PS2 Julian's various PS2 projects (Worklog)

[uyjulian]

One thing I'd like to eventually do is make the pad, mc, and fileio RPC libraries "universal" (like I did with the rm RPC library).

Basically, how I'd like to get it is no matter what version of the modules are running on the IOP, it will "just work". No need to make a library variant for each version as the library can feature check to see what version it is.

For pad, check if/which RPC ID is binded.
For mc, check if RPC command is supported/handled.

For fileio, at least between 1000 and 2100, fill buffer of at least 144 bytes with e.g. 0xff, do a read RPC operation with invalid fd and 0 bytes, then check buffer to see if it is filled with something else. For between 2100 and 2200, and between 2200 and 3100, it needs more investigation.

 

[uyjulian]

For converting lirc codes to librm codes, you need to bitswap per byte (8 bits).
https://sourceforge.net/p/lirc-remotes/code/ci/master/tree/remotes/sony/SCPH-10420.lircd.conf

Here is the algorithm to do so:

def bit_swap(x):
    return (((x & (1 << 7)) >> 7) << 0) | (((x & (1 << 6)) >> 6) << 1) | (((x & (1 << 5)) >> 5) << 2) | (((x & (1 << 4)) >> 4) << 3) | (((x & (1 << 3)) >> 3) << 4) | (((x & (1 << 2)) >> 2) << 5) | (((x & (1 << 1)) >> 1) << 6) | (((x & (1 << 0)) >> 0) << 7)
def byte_swap_24(x):
    return (bit_swap(((x & 0xFF0000) >> 16)) << 16) | (bit_swap(((x & 0x00FF00) >> 8)) << 8) | (bit_swap(((x & 0x0000FF) >> 0)) << 0)

Some other references:

https://www.righto.com/2010/03/understanding-sony-ir-remote-codes-lirc.html
https://www.boehmel.de/sircs.htm
https://faculty-web.msoe.edu/johnsontimoj/Common/FILES/sony_sirc_protocol.pdf

 

[uyjulian]

Some notes on dev5/cdvd memory regions:

0xBF402xxx - ps2 cdvd
0xBF410xxx - atapi (register interface is same as SPEED dev9)
0xBF414xxx - fpga
0xBF415xxx - es

 

[uyjulian]

Modem AT command reference: https://arcelect.com/IML56_modem_AT_commands.pdf

One of the interesting commands is AT**
It will allow loading new firmware on the modem.

In spduart 3100 it has a firmware blob. It sends "ATI3\r" and checks if response is "P2109-V90". Then it will send the firmware blob (apparently "9A-40") which is formatted in s37 (aka Motorola SRECORD, S-RECORD, SREC, S-REC).

Possible related files: XmUL003.s37, XmDL003.s37

A program that can handle this format: https://srecord.sourceforge.net/

Interesting related article https://samag.ru/archive/article/219

---

Some files relevant to serial and modem on Playstation 2 Linux https://ps2linux.no-ip.info/playsta...t/showfilesf24a.html?release_id=90&group_id=1

 

[uyjulian]

It seems like it is possible to run big endian code on Raspberry Pi, with a NetBSD port to it.

https://mail-index.netbsd.org/port-arm/2020/12/03/msg007117.html

This provides a low cost avenue to debugging big endian code without needing to hunt down old systems or needing to rely on slow emulation with missing debugging features.

This will be useful once I get around to doing the feature upgrade of mcman and apa/pfs.

 

[El_isra]

feature upgrade of mcman and apa/pfs.

Will that inclued DONGLEMAN reversal?

 

[uyjulian]

Will that inclued DONGLEMAN reversal?

No near term plans at this time.

 

[El_isra]

No near term plans at this time.

if you ever delve into that. let me know. I'm hitting a dead end at the reversal (BR3 MCMAN).

I cant get it to detect both dongles and ps2 card. I even started to suspect SIO2MAN also had aditional code for the dongle auth.

 

[uyjulian]

Assorted modem stuff:

https://superuser.com/questions/153...ate-56k-connection-using-two-virtual-machines
https://web.archive.org/web/2020081....co.uk/2018/07/retro-dial-up-network-fun.html

 

[uyjulian]

I think, after I finish REing the arcade ATAPI stuff, that it might be interesting to implement read/write on large/removable ATAPI devices.

 

[uyjulian]

When reverse engineering a PS2 executable, if there is a PSP version also available, it might be more preferable to start with the PSP version due to the fact that it uses eabi32 in a standard way (compared to PS2 and its hacked up eabi64 with 32 bit pointers)

 

[uyjulian]

SN Systems network stack (snstkrel.irx/snstkdbg.irx) appears to use KwikNet, which is apparently known to have remote code execution exploits. CVE-2020-11901 might be interesting to check for.

https://www.jsof-tech.com/disclosures/ripple20/

Also, some information about KwikNet
http://ebook.pldworld.com/_semiconductors/Atmel/AT91 CDROM/thirdparty/kadak/kadak-kwicknet.pdf

 

[uyjulian]

The only changes in CLEARSPU between 1.3.4 and 3.1.0 is that the import version changed and some unreferenced data changed.

 

[uyjulian]

The ilink driver version in the sys246-b rom floating around is between these versions:
1621 exclusive
2000 inclusive
2030 exclusive

 

[uyjulian]

Here is some information about QueryBootMode/RegisterBootMode:

1, set from deci2, might be indicating that debugging module is loaded (and not deci1)
2, set from deci2, don't see any read references, might be ebootp flags
3, set from deci2, appears to be ibootp flags
4, set from loadcore is flags passed from udnl and/or iopboot
5, set from loadcore is reboot command (almost certainly rom0:UDNL)
6, set from boardinf 0xBF803204 (pio/pif) related
7, set from boardinf 0xBF803204 (pio/pif) related

 

[uyjulian]

Another patchless/offsetless way to gain code execution in both EE->IOP or IOP->EE:

sceSifSendCmd(SIF_CMD_SET_SREG, ...) isn't bounds checked, so you can use a negative index to write whatever function pointer you want.

The relative offset is same in 1.3.4 and 3.1.0, both sifcmd IOP and EE sides. (But I haven't checked in between versions)

So, basically:
* sceSifSetDma your payload to the other side
* sceSifSendCmd(SIF_CMD_SET_SREG, ...) with a negative offset (probably -2) such that sregs goes into sys_cmd_handler_handler[0x1f].handler, and is set to the address of the payload
* sceSifSendCmd(0x8000001f, ...) to execute the payload in an interrupt context

 

[TnA]

LOOOOOOOOOOL
Good find! That's interesting indeed!

 

[uyjulian]

Some information about the FreePSXBoot memory cards crashing PS2s...

In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/bl...c/iop/memorycard/mcman/src/main.c#L3041-L3072

I can confirm that the code looks similar in 3.1.0 modules.

Briefly looking at it, it is possible to control where to write (basically positive 16 bit signed value), but not what value should be written (limited to 0-15).

So a straightforward port of the FreePSXBoot chain is not possible.

 

[uyjulian]

MIPS instructions decoded from 0 to 15:
0x00000000 sll zero, zero, 0
0x00000001 n/a invalid instruction
0x00000002 srl zero, zero, 0
0x00000003 sra zero, zero, 0
0x00000004 sllv zero, zero, zero
0x00000005 n/a invalid instruction
0x00000006 srlv zero, zero, zero
0x00000007 srav zero, zero, zero
0x00000008 jr zero
0x00000009 jalr zero, zero
0x0000000A movz zero, zero, zero
0x0000000B movn zero, zero, zero
0x0000000C syscall 0x0
0x0000000D break 0x0
0x0000000E n/a invalid instruction
0x0000000F sync

OSDSYS 100 appears to use the mcserv RPC functions to check/load the history file.

In all the OSDSYS versions I've checked, padman is always loaded after mcserv.

CreateThread on IOP allocates stack at end of memory (unlike CreateThread on EE which uses provided memory for stack).

Other thread stacks allocated before mcserv thread are mtapman, fileio, cdvdfsv, loadfile, reboot, modload, threadman (idlethread). Might be able to do some tricks with thread state or saved registers.

Using the memory mirror trick might work for overwriting instructions near sysmem and loadcore after corrupting return address to 0, 4, 8, or 12. Can also mess with interrupt stack, e.g. intrman, vblank.

I'll probably leave this for later (unless someone else gets to it before I do, like with the DVD player exploit)

 

[Nameless32]

@El_isra