PS2 [New PS2 Exploit] Hacking the PS2 using Yabasic on (PAL) demo disc ( by Cturt )

Discussion in 'General PS2 Discussion' started by STLcardsWS, Oct 13, 2019.

By STLcardsWS on Oct 13, 2019 at 1:20 PM
  1. 8,979
    9,149
    1,172
    STLcardsWS

    STLcardsWS Administrator

    Joined:
    Sep 18, 2014
    Messages:
    8,979
    Likes Received:
    9,149
    Trophy Points:
    1,172
    The PlayStation 2 is still in the cross-hairs for many developer's in the homebrew scene, hacker Cturt known for his work with PlayStation 4 exploits has turned his attention to the PS2. The motive for this exploration was to provide a "slightly more convenient" way to execute homebrew on the PS2 and also with the newer consoles being hacked via webkit exploitation and the PAL models Ps2 demo disc that contain Yabasic, the hacker seen the potential and now that potential has came to fruition with the release of this write up of exploiting a PS2 with Yabasic on a PS2 Demo Disc in PAL regions. The developer states in NTSC there may be a future solution (as mentioned in the conclusion of the writeup) ​


    photo-10-15661019359741745776403.jpg

    • Hacking the PS2 with Yabasic
      Introduction
      I recently stumbled upon a PS2 demo disc containing Yabasic, a simple Basic interpreter, and was curious to research whether it could be used for anything interesting. These demo discs shipped with all PAL region PS2 consoles between 2000 - 2003 as an attempt to classify the PS2 as a personal computer instead of a video game console for tax reasons (which ultimately failed, however nowadays video game consoles are no longer subject to this import tax).

      In particular, although there are existing methods of running homebrew on PS2 consoles, none of them are perfect since they all seem to have undesirable requirements like opening up your console or purchasing unofficial hardware, or are limited to only specific models.

      The most desirable method is to use FreeMCBoot to boot from a memory card, however installing this onto said memory card requires an already hacked console. Whilst you could purchase a memory card with FreeMCBoot pre-installed on it by someone else, it would be nice to have a way to install the exploit yourself. That's where I see a Yabasic exploit fitting in nicely, as an entry-point for launching the FreeMCBoot installer. In addition, a Yabasic exploit could be useful for people with the latest slim consoles, which are not vulnerable to FreeMCBoot.

      In this article I will describe how I developed an exploit that allows running arbitrary code through Yabasic. Since these programs can be saved and loaded from the memory card, the exploit just need to be typed out once, and can then be reloaded more conveniently in the future. If you're just interested in using the exploit but not the technical analysis you can checkout the repository for details.


    • Be sure to read full write up in link provided below, this is just a snippet
      Conclusion

      Nowadays, scripting engines for languages like JavaScript are usually the first thing attacked in modern video game consoles, so I find it odd how the PS2 release of Yabasic has received so little attention from hackers given that it was bundled with every console in PAL region for the first 3 years, and is easy to dump and analyse, especially being based on open source code. Regardless, these discs are readily available for cheap today, and so it's my hope that at least some people will benefit from having a slightly more convenient homebrew method than having to open up their consoles or purchase more expensive, unofficial hardware.

      Unfortunately, NTSC regions never received a Yabasic port, however they do have a different Basic interpreter, "Basic Studio", which I might look at in the future.

      Finally, maybe now that the Yabasic can be used to execute arbitrary code, Sony can argue that it really did allow the PS2 to be "freely programmed" after all, and they can claim back their import taxes :P



    CONTINUE READING FULL WRITE-UP >>>> HERE <<<<

    Developer's Twitter: https://twitter.com/CTurtE/status/1183010790862917634
     
    Last edited: Oct 13, 2019
    ntodek, dazzaXx, littlebalup and 12 others like this.

Comments

Discussion in 'General PS2 Discussion' started by STLcardsWS, Oct 13, 2019.

    1. Peppe90
      Peppe90
      Interesting. I have the PBPX-95514 from 2002, I'll check if it have the Yabasic elf.
      TnA, jolek and esc0rtd3w like this.
    2. Naked_Snake1995
      Naked_Snake1995
      Yabasic, now that's a name i didn't heard in a long time...

      I always knew that PBPX-95506 Demo Disc would be useful someday, still have the disc after 18 years,might give it a try.

      Sent from my G8141 using Tapatalk
      Th3-J0k3r, Berion, jolek and 3 others like this.
    3. No body
      No body
      This is neat, but installing freemcboot doesn't require an already hacked console. And while only a certain few games supposedly work, I've tried with quite a few games which have separate elf files on the disc and it has worked with quite a few. I know for certain mortal kombat armageddon i believe worked to install freemcboot on my ps2
      jolek, Peppe90 and STLcardsWS like this.
    4. TnA
      TnA
      Well, we recently also got some (untested) patches from @krHACKen for the DVD-Player Update/Install-Discs + there is also the double-'time-swap' which works with almost all games out there!

      Make sure to like it (this new Exploit with YaBasic) here and on GitHub as well (if you are there) and share it, if you are interested in PS2-Homebrewing and/or exploits (especially for consoles)! :)

      I am sure, this won't be the last Exploit, but it is nice that this works with only a disc and using a Keyboard once! No swapping and so on! :)

      Starting FMCB on the new models should be quite possible as well... If an ELF-Loader can be loaded as a Payload, it can launch wLE, or for FMCB @HWNJ's OSDSYS-Launcher
      Last edited: Oct 14, 2019
      jolek, uyjulian, STLcardsWS and 3 others like this.
    5. Berion
      Berion
      Awesome idea, especially to those peoples with fw v2.30 or 2.40 and those which do not want any modchips.

      That would be even funnier if we can get very VERY exotic ROP on ps2emu in PS3 with EE/GS (since we can sign PSV on PC :D).

      I still have such demo disc with YetAnotherBasic but for PAL.
      Last edited: Oct 14, 2019
      jolek and DeViL303 like this.
    6. TnA
      TnA
      I don't know where a 2.40 BOOT-ROM has been installed in... I only know 2.30 in the later 90k and 2.50 in the TV...
      Berion likes this.
    7. atreyu187
      atreyu187

      What they are getting at is consoles that can't launch FMCB directly can use this to launch FMCB. The last models out had this patched and required a modchip to launch FMCB. Now you can launch it with this. It's not very useful in it's current state more of a POC and just showing there are other hacks and access points not yet discovered.
      DeViL303 likes this.
    8. TnA
      TnA
      Loading an ELF from MC should be easy with it and should not need much typing for the payload.
      Other devices like USB would probably need much more...

      The fastest way would be for those which already can copy files (or saves) to MC...
      Copy a YaBasic-Config-folder with the Payloads to MC + copy a BOOT-Folder with a BOOT.ELF to the MC + have a Payload which loads the ELF from that location.

      Re-enabling the OSDSYS-Update or implementing a custom Update-function is possible. I am just not sure, which variant would need less lines tho'.


      Those which already can execute Homebrew or move files to the MC, are actually the people which could help out, because being able to simply copy the Exploit-files to MC could short debugging-&testing-time immensely!
    9. lotus78
      lotus78
      @Peppe90
      As I read in the internet, the demo cd 95514 ist the only one from the 5 demo CDs without yabasic.
      Can you confirm this ?
      thx in advance
      Peppe90 likes this.
    10. Peppe90
      Peppe90
      You're right:

      Immagine.jpg
      If I remember correctly, I got this demo with my first Ps2 (a silver one). It was autumn 2004. The demo disc is dated 2002 though.
      jolek and lotus78 like this.
    11. lotus78
      lotus78
      thx for your fast answer - this was interesting for me because of looking a demo cd at eBay. ..
      Peppe90 likes this.
    12. Berion
      Berion
      Someone have compiled payload which launch i.e "mc0:/BOOT/BOOT.ELF"? I have PBPX-95506 and could test it.
      jolek likes this.
    13. TnA
      TnA
      @Berion: There is none for that kind of task, as of yet!
      ...and someone would still need to get the file onto the MC somehow.
    14. Berion
      Berion
      Putting stuff on MC can be done several ways, i.e as *.max or *.xps importing>>unpacking via they origins software (of course we talking about peoples without access to modded or exploited consoles in other ways).
    15. TnA
      TnA
      Like I said... You/Someone would need to get the file onto an MC in the first place, which partially voids the reason for this exploit , but is alright to test the exploit with it.
    16. Berion
      Berion
      Tell this to peoples with fw without osd-update support. ;p Yabasic hack is mainly exactly for them as every other would use FMCB/FHDB.
    17. TnA
      TnA
      I am saying that EXACTLY because of these users...
      If someone has a way to copy a Save to the MC, they usually already have a way to start Homebrew...

      Those with a 90k and no YaBasic-Save on MC, would need to type out the whole Exploit + patches + Payloads manually!
    18. Berion
      Berion
      What I understand is that peoples with late SCPH-9xxxx which want "softmod" are doomed to use demo disk with Yabasic to launch exploit every time + some cheat device to moved exploit files to MC in smoke cover as "saves".
    19. TnA
      TnA
      They don't have to copy any save to MC (which you need at least to swap for or 'special equipment' like cheat discs) with thus Exploit, but can type it out to begin with, without the need for any special tools!

      There are other methods available on 90ks if you have one of these tools like Swap Magic or AR Max to begin with, so the main-point of this exploit is, to be ONLY RELIANT ON THE DEMO-DISC!

Share This Page