We are nearly at the half of this year over but 2020 was an weird year so far, don't you agree? First we lost one of our greatest athletes in Basketball history who was a great father and human as well - shortly after that we are still battling with the worldwide Corona virus outbreak - "and now you tell me that there are still people releasing brand new Exploits for the PS2 released in 2020 ?!?!?!" 
Yeah, you read it correctly. Today well-known Developer @CTurt showcases his newest achievements in "PS2 Hacking". While his previous method saw some critics due to its limitation using the official Sony PS2 YaBasic Interpreter, which was only bundled in very first PS2 Demo Discs released for the PAL region only, Developer @CTurt was so kind to find an even better entry point in launching Homebrew on an unmodified PS2. And guess what, he found a way to achieve exactly that by fully exploiting the DVD Video Player Functionality from a PS2 Console. And it comes even better. Not only you can enjoy all of the old but still good Homebrews and Emulators released back in the old days, this exploit also supports running your legally obtained Backups as well! And all that WITHOUT any need of an modified Memory Card, without any use any old and dirty Swap Magic Trick or to open your PS2 and install an Modchip like many did in the old days? Doesn't sound that cool or what do you think right now when reading this? I kinda mean it when I said that 2020 is a weird year so far. :P
Yeah, you read it correctly. Today well-known Developer @CTurt showcases his newest achievements in "PS2 Hacking". While his previous method saw some critics due to its limitation using the official Sony PS2 YaBasic Interpreter, which was only bundled in very first PS2 Demo Discs released for the PAL region only, Developer @CTurt was so kind to find an even better entry point in launching Homebrew on an unmodified PS2. And guess what, he found a way to achieve exactly that by fully exploiting the DVD Video Player Functionality from a PS2 Console. And it comes even better. Not only you can enjoy all of the old but still good Homebrews and Emulators released back in the old days, this exploit also supports running your legally obtained Backups as well! And all that WITHOUT any need of an modified Memory Card, without any use any old and dirty Swap Magic Trick or to open your PS2 and install an Modchip like many did in the old days? Doesn't sound that cool or what do you think right now when reading this? I kinda mean it when I said that 2020 is a weird year so far. :PUPDATE-2: FreeDVDBoot now supports EVERY "PStwo" Slim Model! Check the "Further Information"-Tab for additional Information and frequently updates.
UPDATE-3: Support added for DVD Version "2.10" which makes it the very first Firmware for FAT support and more vulnerabilities found for most PS2 FAT consoles from DVD Player Versions 1.00 up to 2.13. Check the "Further Information"-Tab for additional information and frequently updates.
Our Moderator @Fin9ersMcGee was so kind to provide a FreeMCBoot (FMCB) Installation Tutorial in combination with the newest FreeDVDBoot Exploit, which will give you any easy step-by-step guide to run FreeDVDBoot on your PS2. Check it out here!
Check also his new All-in-One Guide if you are new in PS2 Hacking!
Screenshot of running an recompiled Version of uLaunchELF on an UNMODIFIED PS2 using the newest FreeDVDBoot Exploit by @CTurt [Source: YouTube]
UPDATE-3: Support added for DVD Version "2.10" which makes it the very first Firmware for FAT support and more vulnerabilities found for most PS2 FAT consoles from DVD Player Versions 1.00 up to 2.13. Check the "Further Information"-Tab for additional information and frequently updates.
Our Moderator @Fin9ersMcGee was so kind to provide a FreeMCBoot (FMCB) Installation Tutorial in combination with the newest FreeDVDBoot Exploit, which will give you any easy step-by-step guide to run FreeDVDBoot on your PS2. Check it out here!
Check also his new All-in-One Guide if you are new in PS2 Hacking!
Screenshot of running an recompiled Version of uLaunchELF on an UNMODIFIED PS2 using the newest FreeDVDBoot Exploit by @CTurt [Source: YouTube]
FreeDVDBoot
Further developments
Loading backups with ESR
Optimisation and Conclusion
Further Information
-
I've previously discussed how the PlayStation 2 doesn't have any good entry-point software exploits for launching homebrew. You need to either purchase a memory card with an exploit pre-installed, open up the console to block the disc tray sensors, or install a modchip. For the best selling console of all time, it deserves better hacks.
My initial attempt to solve this problem was to exploit the BASIC interpreter that came bundeld with early PAL region PS2s. Although I was successful at producing the first software based entry-point exploit that can be triggered using only hardware that came with the console, the attack was largely criticized due to the requirement of having to enter the payload manually through the controller or keyboard, and limitation of being PAL only. I decided to write-off that exploit as being impractical, and so the hunt continued for a better attack scenario for the PlayStation 2.
The PlayStation 2 has other sources of untrusted input that we could attack; games which support online multiplayer or USB storage could almost definitely be exploited. But unlike say the Nintendo 64, where we don't really have any other choice but to resort to exploiting games over interfaces like modems, the PlayStation 2 has one key difference: its primary input is optical media (CD / DVD discs), a format which anyone can easily burn with readily available consumer hardware. This leaves an interesting question which I've wanted to solve since I was a child:
Ultimately, I was successfully able to achieve my goal by exploiting the console's DVD player functionality. This blog post will describe the technical details and process of reversing and exploiting the DVD player. All of my code is available on GitHub.
Demonstration video of new PlayStation 2 exploit through the DVD player, which allows burning homebrew games and running them on an unmodified console the same way you would with official discs. This demo shows the result of the PS2SDK patch which adds support for reading DVD video discs (uLaunchELF can now load homebrews from disc, and emulators can now load ROMs from disc). -
Whilst the exploit itself is now complete, there's not a huge amount we can currently do beyond loading small standalone homebrew games like Tetris.
Multi-file homebrew
Ideally, it would nice for the exploit to boot into a menu which would allow you to select a different homebrew program out of multiple stored on the same disc, and which could then in turn load further data from the disc (such as an emulator loading ROMs). Unfortunately, the PS2SDK filesystem code, and by extension all PS2 homebrew, doesn't support DVD videos. Since DVD videos are the only type of disc that unmodified consoles will accept which we can burn, I assume that everyone was previously satisfied with just loading data over USB.
I decided to show the exploit to some PS2 enthusiasts in the hope that it might inspire someone to take a look, and uyjulian was kind enough to spend some time adding support and submit a pull request. If you recompile the PS2SDK with this fix, and then recompile your homebrew application, it will have support for loading DVD video disc files from cdfs device.
This isn't a perfect solution since we don't have source code for all PS2 homebrew produced over the last 20 years, but it is also possible to binary patch homebrew to manually replace the cdvd.irx IOP module with a new one to add DVD video support. For instance, ChelseaFantasy patched the closed source SNES Station emulator, allowing me to make the following demo (special thanks!):
Demonstration video of new PlayStation 2 exploit through the DVD player, which allows burning homebrew games and running them on an unmodified console the same way you would with official discs. This demo shows the result of the PS2SDK patch which adds support for reading DVD video discs (uLaunchELF can now load homebrews from disc, and emulators can now load ROMs from disc). -
There already exists a tool (ESR patcher) which patches games to appear like DVD videos so that they'll be accepted by the 'mechacon' (security processor), and an associated loader program (ESR) that boots these patched "video discs". Chaining together this new exploit with that ESR loader would allow you to patch your backups so that they could just be burned and run on your console from boot as though they were official discs.
I don't really want to be responsible for maintaining a tool that does this, so I'm not including any of the code to do this in the repo, but the gist of it can be explained pretty quickly, so I'll just provide some notes explaining how to do it:
ESR patcher will add two files, VIDEO_TS.IFO and VIDEO_TS.BUP, to the disc's UDF filesystem. Our exploit requires two files named VIDEO_TS.IFO and VTS_01_0.IFO, so just replace the VIDEO_TS.BUP string it writes with VTS_01_0.IFO to create the filesystem structure we need.
Attributes we care about for those files are size (4-bytes) and LBA position (2-bytes). In the UDF specification these fields are adjacent, with LBA being stored as an offset from the directory descriptor containing these fields (VIDEO_TS at LBA 134 in our case). The tool creates these files with size 2032 bytes, and LBAs 138 and 139, so the byte patterns we are interested in are:
Code:VIDEO_TS.IFO: f0 07 00 00 0a 00 VIDEO_TS.BUP: f0 07 00 00 0b 00
Contents of the ISO 9660 filesystem used by games generally seem to start at around 260, which I believe is a requirement by Sony. This is great for us since it means that we have roughly 250KB ((262-137) * 0x800) of space to place the exploit files and loader, and we only need a fraction of that. Given this amount of space, it would even be possible to include some kind of Action Replay cheat menu or something on the disc, which could be a fun future project.
Keeping VIDEO_TS.IFO at LBA 138, we just need to extend its size to 14336, and copy the file contents to 138 * 0x800 = 0x45000 in the ISO. Our next free space is 7 sectors later at LBA 145, and will store the contents of our 12288 byte VTS_01_0.IFO file. Finally, the ESR loader program can be copied to the next available sector at 151; we won't bother creating an entry in the UDF filesystem for it since we've already had to manually modify the ISO anyway.
In summary, the patches we need to make to the UDF data to add our exploit to a patched game are:
Code:VIDEO_TS.BUP -> VTS_01_0.IFO (to rename the file) f0 07 00 00 0a 00 -> 00 38 00 00 0a 00 (VIDEO_TS.IFO filesize to 14336) 0x45000: paste VIDEO_TS.IFO exploit contents (compiled with LOAD_FROM_SECTOR_RELATIVE_TO_VIDEO_TS_IFO so as to boot the ELF from disc at 0x4B800) f0 07 00 00 0b 00 -> 00 30 00 00 11 00 (VIDEO_TS.BUP/VTS_01_0.IFO LBA to 145 and filesize to 12288) 0x48800: paste VTS_01_0.IFO contents 0x4B800: paste loader ELF
I only did this once, manually, but it should be pretty straight forward to modify the tool to change these patches. The result is a pretty cool demo showing total defeat of the PlayStation 2 copy-protection security model:
Demonstration video of new PlayStation 2 exploit through the DVD player, which allows burning homebrew games and running them on an unmodified console the same way you would with official discs. This demo shows loading ESR to boot a backup of an official game stored on the same disc, which is for all intents and purposes complete destruction of the PS2 copy protection security model. -
Optimisation
As previously mentioned, the exploit could probably be optimised to boot a fraction of a second faster by reducing the size of the overflow. Also worth noting is that part of the reason the screen flickers whilst triggering the exploit is because I happened to encode my base DVD video as NTSC, and so some of that flickering is an artifact of switching from PAL to NTSC back to PAL. If this bothers you, you can re-make the exploit based on a PAL base DVD instead. Some of the weird white pattern displayed is probably a result of the overflow, and you might be able to remove it by manipulating more of the overflow data.
Conclusion
I was successfully able to exploit the PlayStation 2 DVD Player to allow me to run my own burned homebrew discs simply by inserting them and booting, just as you would launch an official disc.
Although I only exploited version 3.10E, as its the version on the console I happen to own, it's a pretty late version (3.11J was the final version ever released), and so I'm confident that all other versions also contain these same trivial IFO parsing buffer overflows. If those prove to be difficult to exploit on other firmware versions, I'm also confident that there probably exist more generically exploitable bugs like stack buffer overflows if you reverse deeper, after all, I only got as far as reverse engineering the initial IFO parsing before I identified sufficient vulnerabilities for my exploit. I hope this article and these demos inspire others to have a crack at hacking their own console's firmware versions and share their methods in a centralised repo for the community to share.
The idea of booting discs with no user interaction was extremely appealing to me, but if you instead value having a single disc with compatibility against multiple different firmware versions, it may be possible to build a DVD video which starts with a DVD menu where you select your version and it plays a different video which launches a different exploit, depending on user selection.
As a final thought, there's really no reason this general attack scenario is specific to the PlayStation 2 as all generations support some combination of burned media: from the PlayStation 1's CD support, to the PlayStation 3 and 4's Blue-ray support, with the PlayStation 4 having only removed CD support. Hacking the PS4 through Blue-ray BD-J functionality has long been discussed as an idea for an entry point. This may be something I would be interested in looking into for a long-term future project: imagine being able to burn your own PlayStation games for all generations; 1 down, 3 to go... -
- [Tutorial] FMCB Installation with FreeDVDBoot by @Fin9ersMcGee
- SNES Station and FCEU with updated libcdvd by @HWNJ
- DVD Player Version 3.10A confirmed working thanks to @Tupakaveli
- DVD Player Version 3.10U confirmed working as well thanks to the updated full Blog Post by @CTurt
- [Tutorial] The Great PS2 All-in-One (AIO) Guide by @Fin9ersMcGee
- FreeDVDBoot Compatibility List by @Roxanne
-
PREBUILT ISOs working for both 3.10, 3.11 and HYBRID for every Region by @CTurt
- This means that the Exploit works on EVERY "PStwo" Slim Model including the "Sony BRAVIA PS2 HYBRID TV (KDL22PX300)! [Latter one tested by @InnocentX]
- Support for DVD Player Version 3.04 released for Testing purposes by @CTurt
- New HYBRID Test Version for DVD Player Version 3.10 + 3.11 released by @CTurt
- Announcement that more vulnerabilites have been found to support most PS2 FAT consoles by @CTurt
- New DVD Player Version 2.10 has been released by @CTurt
- Showcase of running the new Version 2.10 running on a SCPH-30001 PS2 FAT Console by @krHACKen
Source: Twitter @CTurtE
Download .iso-Image: PREBUILT ISOs
Complete Blog Post: FreeDVDBoot
FreeDVDBoot on GitHub: CTurt
YouTube Channel: CTurt
Last edited:
