PS2 Julian's various PS2 projects (Worklog)

[uyjulian]

Looking at compressing OSDSYS+DVD player and its resources/modules.

Right now, it's looking like this:
dvdplayer.tar 9.6MB -> dvdplayer.tar.xz 1939KiB
osdsys.tar 4.2MB -> osdsys.tar.xz 957KiB

I could probably squeeze a bit more space out of it by doing something specific with the image resources.

Ideally, I could get the size under 983040 bytes, or 960KiB (that is, the memory range from 0x100000 to 0x1F0000)

 

[uyjulian]

Some information about the "OSD update" to enable HDD booting in SCPH-10000, SCPH-15000, SCPH-18000

"osdsys.elf" is the kernel update. Also patches to load "osd110.elf" next.
"icon.sys" and "sysdrv.ico" are icon information.
"osd110.elf" and "osd130.elf" is installed in "BIEXEC-SYSTEM", and contains the code for the opening animation (among other code/modules required for HDD booting).
The assets ("SNDIMAGE" and "TEXIMAGE") for the opening animation is also installed on the memory card.
"UMEIMAGE" is exactly 512,000 bytes and looks to be filled with random data (except the first 16 bytes). It also doesn't appear to be referenced by "osd110.elf" and "osd130.elf".

Basically the header consists of
15 4D 45 20 "UME "
00 00 01 00
66 6D 74 20 "fmt "
F0 CF 07 00 (little endian 32-bitvalue 511984)

 

[El_isra]

Some information about the "OSD update" to enable HDD booting in SCPH-10000, SCPH-15000, SCPH-18000

"osdsys.elf" is the kernel update. Also patches to load "osd110.elf" next.
"icon.sys" and "sysdrv.ico" are icon information.
"osd110.elf" and "osd130.elf" is installed in "BIEXEC-SYSTEM", and contains the code for the opening animation (among other code/modules required for HDD booting).
The assets ("SNDIMAGE" and "TEXIMAGE") for the opening animation is also installed on the memory card.
"UMEIMAGE" is exactly 512,000 bytes and looks to be filled with random data (except the first 16 bytes). It also doesn't appear to be referenced by "osd110.elf" and "osd130.elf".

Basically the header consists of
15 4D 45 20 "UME "
00 00 01 00
66 6D 74 20 "fmt "
F0 CF 07 00 (little endian 32-bitvalue 511984)

Sp193 mentioned that osd110 also has a kernel patch inside.

He took a simpler approach on FreeMcBoot by making both osdsys and osd110 individual kernel patches that run osd120

 

[uyjulian]

UDF related CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=udf

CVE-2014-9731 might be interesting

---

TIFF related CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiff

CVE-2005-3084 and CVE-2006-4507 might be interesting

---

Won a DESR 5100 and ordered some SCPH 20401. Will probably arrive in a week or so.

 

[uyjulian]

Some notes about periodic broadcast retrieval on DESR 5500 / 7500

Page 129
Broadcast time auto set

Set date and time -> Automatically adjust time

1 Press .. to select [Just Clock] from the date and time setting screen and press .
2 Press .. to set and press . Item list
On: Adjust the time on this unit to the NHK Educational TV time signal.
Off: Do not automatically adjust the time.

Page 120
Program Guide Acquisition Channel/Program Guide Acquisition Time
Set the channels from which to obtain program information for the program guide. Program guide data is sent from stations marked with a "・" in the "Guide Channel List" (page 148) (as of November 2004).
1 Use .. to select [Program Guide Acquisition Channel] from the TV's settings screen and press .
2 Use .. to select a channel and press .

 

[uyjulian]

Apparently (not confirmed by me) BDZ-RX105 (may show typoed as DBZ-RX105) has a FR-V MB93475 processor.

---

Some Fujitsu/Cypress/Infineon FR series family / SOFTUNE Workbench V6 / SOFTUNE Pro Pack / SOFTUNE Professional Pack / uT-REALOS downloads here: https://www.pentax-hack.info/documents/downloads.html

Keywords: utrealos911 fs911s fcc911s FASM911 ProPack911

 

[uyjulian]

The implementation of usbd currently in ps2sdk does not support multiple HID sub classes.

This is probably why my Logitech unifying receiver doesn't work for mouse support.

 

[uyjulian]

I've confirmed that libeenet at 3.0.3 has the vulnerable code for CVE-2006-4304.

An easy way to tell if a game uses libeenet is to check if the file "ent_smap.irx" exists on the disc.

Notably, PBPX-95248 and XOSD uses libeenet.

 

[uyjulian]

As far as I know, these are the various CDVDMAN variants:
* Game
* Game (DNAS)
* OSD
* DVD player
* Utility disc
* XOSD

 

[El_isra]

As far as I know, these are the various CDVDMAN variants:
* Game
* Game (DNAS)
* OSD
* DVD player
* Utility disc
* XOSD

also: from the psdevwiki:

CDVDMAN included in games for mainland china perform additional check for valid value in 0x1F402038 register. Chinese PS2 is also the only one known to utilize the CDVD S command 0x27 (sceCdReadPS1BootParam) to launch PS1 games.

 

[TnA]

There are more!

You can make packages/frames which are not of the expected size, use the IOP EE exploitation after an entry and take over control.

 

[uyjulian]

Random OHCI debugging and areas to check
WDH interrupt is not firing after CLF flag is enabled: Check to see if you are manipulating the correct HcED buffer
The same request is being sent repeatedly: Check that the request is actually being removed from the list
One port not working (but the other works fine) at init? Check that you reset all ports

 

[uyjulian]

All the Sys147/148 titles dumped to this date use libraries 3.0.0.

---

The difference in the ROMs between Sys147 and Sys148:
rom0 only has changes in EXTINFO, KERNEL, RDRAM, and ROMDIR (probably to handle clock speed and/or RAM size. Haven't diffed yet)
rom1 is identical

 

[uyjulian]

I wonder if I can use pins from dev2/rom1 as GPIO

Address lines output, data lines output, dev2 (/CS2) enable output
`*(vu32 *)(0xBE0XXXXX) = 0x0000YYYY;`
Address lines output, data lines input, dev2 (/CS2) enable output
`u32 x = *(vu32 *)(0xBE0XXXXX);`
where XXXXX is address lines (0 to 0x7FFFF) and YYYY is data lines (0 to 0xFFFF)

 

[uyjulian]

A note on rom0:HDDBOOT :

This isn't actually a file. This string just gets passed as argv[0] to ExecPS2 after rom0:HDDLOAD loads the boot program into 0x100000.

A note on osd110.irx/osdmain.irx :

This gets loaded from memory card instead of rom0:OSDCNF when OSDSYS detects that it is loaded from memory card (e.g. argv[0]). This would probably be a self contained UDNL that has the contents of what rom0:OSDCNF would usually specify.

 

[uyjulian]

Some information on when OSDSYS on DESR shows the logo:

If SkipMc is not specified and update on memory card (not external flash ROM or hard disk drive) is found, no logo will be shown because the update code is executing.
If system was powered on from timer or dev9 device, no logo flag will be set if specific flag in mechacon EEPROM was set.
If system was powered on from "Exit Game" button or back ground, no logo flag will be set.
If BootError, BootClock, BootBrowser, BootWarning, or BootIllegal are specified and Initialize is also specified, logo will be shown.
If BootOpening is specified, logo will be shown (ignoring no logo flag).

 

[uyjulian]

I wonder if anyone saved "ent_eth.irx".

It shouldn't be too hard to make my own version anyways as the EE side interface looks to be the very similar as the smap interface.

EDIT 20240930: found in tlib_255.tgz

 

[uyjulian]

For anything using "libdeflt" / "PsIIlibdeflt", use binwalk -e to unpack it. (ps2-unpacker just gets stuck for some reason)

 

[uyjulian]

Github put out a bunch of security notices for the download-artifact workflow. So I went ahead and fixed those by updating the workflow version.

 

[uyjulian]

The difference in the ROMs between Sys246 and Sys256:
rom0 only has changes in EXTINFO, KERNEL, RDRAM, RESET, and ROMDIR (probably to handle clock speed and/or RAM size. Haven't diffed yet)

Sys148 and Sys256 have same KERNEL, RDRAM binary
Sys246, Sys147, and Sys148 have same RESET binary