Slashdot Mirror


PS2 Exploit Allows Running of Unsigned Code

DrEldarion writes "This man has figured out a way to make the PS2 run unsigned code without a modchip. "To make a long story short, the exploit allows anyone with a memory card and a valid, legal PS1 disc to hijack the boot process and run any piece of code.""

21 of 331 comments

  1. What kind of hardware is needed... by The Raven · · Score: 3, Interesting

    ... to get arbitrary files on a memory card? I don't know about you, but *I* don't have anything like that. Will a small industry be created selling pre-altered memory cards?

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  2. PS1 or PS2 memory card? by MasterSLATE · · Score: 2, Interesting

    I have a thing for the PC that lets me read/write my PS1 memory cards... Does that mean I can do this?

    It was made by the same people that made GameShark.

    --

    www.masterslate.org
  3. Memory card reader for Mac? by danaris · · Score: 2, Interesting

    Does anyone know if there's a memory card reader out there that is in any way compatible with a Mac? For obvious reasons.

    And actually, I honestly do want to play legal imports on my PS2. If there's a game I want to play, I usually think it's worth supporting the people who make it.

    Dan Aris

    --
    Fun. Free. Online. RPG. BattleMaster.
  4. No fair by EvilTwinSkippy · · Score: 4, Interesting

    I hadn't even thought about playing non-US games. Shoots a hole through my rant. Are US PlayStations able to output PAL?

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
    1. Re:No fair by siliC · · Score: 2, Interesting

      I have a similar setup. I only use PAL to play the UK version of ICO (beautiful game, available US but i wanted the Collector's Edition - give it a try if you haven't and like adventure/puzzle... anyway:)

      A great program (open source! but windows only) to do the "full screen preview" is: dScaler It also deinterlaces the video signal if you want, and has various other nifty filters you can apply.


  5. In case of slashdotting by hhg · · Score: 3, Interesting

    Quoted from the page:

    PS1DRV parses a file called mc0:/BXDATA-SYSTEM/TITLE.DB (the X represents the
    PS2's region code) to load graphic parameters for the PS1 game that was loaded
    from the disc drive. There is a catastrophic buffer overflow in the parsing
    routine that allows one to overflow the stack and execute arbitrary code by
    rewriting the $RA register. If we load up our own TITLE.DB, with an entry for
    every PS1 disc that we want to trigger the exploit, then we can take over the
    PS2 boot process as soon as the disc is recognized and PS1DRV is executed.
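
The overflow described in the quoted passage, as an added C illustration that is not part of the original page or of ps2id: a TITLE.DB-style "ID=parameters" parser that copies fields into fixed stack buffers with no length check, beside a bounded version that rejects oversized fields. The line layout, the buffer sizes, the IDs and the sample entries are assumptions made for this example; the real PS1DRV file format is not shown on this page.

```c
/* Added example (not from the page or ps2id): a TITLE.DB-style parser with an
 * unbounded stack copy next to a bounded one. The "ID=params" line layout and
 * the buffer sizes below are assumptions; the real PS1DRV format is not shown
 * on this page. */
#include <stdio.h>
#include <string.h>

#define TITLE_ID_LEN 12   /* assumed: room for an ID like "SLUS-00001" plus NUL */
#define PARAM_LEN    64   /* assumed: budget for the graphics parameter string */

struct title_entry {
    char id[TITLE_ID_LEN];
    char params[PARAM_LEN];
};

/* Vulnerable pattern: copy the fields into fixed-size locals with no length
 * check. A value longer than PARAM_LEN runs off the end of `params` into
 * whatever the compiler placed above it in this frame, which on MIPS includes
 * the saved return address ($ra) the quoted comment talks about. The overflow
 * is undefined behaviour, so this function is only ever fed trusted input
 * here; the hostile line below goes through parse_entry_safe() only. */
static int parse_entry_unsafe(const char *line, struct title_entry *out)
{
    char id[TITLE_ID_LEN];
    char params[PARAM_LEN];
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    memcpy(id, line, (size_t)(eq - line));   /* no check against TITLE_ID_LEN */
    id[eq - line] = '\0';
    strcpy(params, eq + 1);                  /* no check against PARAM_LEN */
    strcpy(out->id, id);
    strcpy(out->params, params);
    return 0;
}

/* Hardened version: every copy is bounded by its destination, oversized
 * fields are rejected outright (silent truncation could make an ID match
 * the wrong disc), and `out` is only written once the line has validated. */
static int parse_entry_safe(const char *line, struct title_entry *out)
{
    struct title_entry tmp;
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    size_t id_len = (size_t)(eq - line);
    size_t param_len = strlen(eq + 1);
    if (id_len == 0 || id_len >= TITLE_ID_LEN)
        return -1;
    if (param_len >= PARAM_LEN)
        return -1;
    memcpy(tmp.id, line, id_len);
    tmp.id[id_len] = '\0';
    memcpy(tmp.params, eq + 1, param_len + 1);  /* includes the NUL */
    *out = tmp;
    return 0;
}

/* Walk a newline-separated database and hand each line to `parse`.
 * Returns the number of entries accepted; rejected lines are skipped. */
static size_t parse_titledb(const char *db, struct title_entry *out, size_t max,
                            int (*parse)(const char *, struct title_entry *))
{
    char line[512];
    size_t n = 0;
    while (*db != '\0' && n < max) {
        const char *nl = strchr(db, '\n');
        size_t len = nl ? (size_t)(nl - db) : strlen(db);
        if (len < sizeof line) {
            memcpy(line, db, len);
            line[len] = '\0';
            if (parse(line, &out[n]) == 0)
                n++;
        }
        db += len + (nl ? 1 : 0);
    }
    return n;
}

/* Constructed sample database: one legitimate entry, then an entry whose
 * parameter field is 300 bytes, far beyond PARAM_LEN. Returns bytes written. */
static size_t build_sample_db(char *buf, size_t cap)
{
    int n = snprintf(buf, cap, "SLUS-00001=mode=0;w=640;h=448\nSLUS-00002=");
    if (n < 0 || (size_t)n >= cap)
        return 0;
    size_t pos = (size_t)n;
    for (int i = 0; i < 300 && pos + 2 < cap; i++)
        buf[pos++] = 'A';
    buf[pos++] = '\n';
    buf[pos] = '\0';
    return pos;
}

int main(void)
{
    char db[1024];
    struct title_entry entries[4];
    struct title_entry e;
    build_sample_db(db, sizeof db);
    size_t ok = parse_titledb(db, entries, 4, parse_entry_safe);
    printf("bounded parser accepted %zu of 2 entries; first id %s\n",
           ok, ok ? entries[0].id : "(none)");
    /* parse_entry_unsafe is run only on the benign line; the hostile one
     * would smash this frame. */
    if (parse_entry_unsafe("SLUS-00001=mode=0", &e) == 0)
        printf("unsafe parser on benign input: %s -> %s\n", e.id, e.params);
    return 0;
}
```

The bounded parser drops the hostile line instead of truncating it, which is the behaviour a loader that reads attacker-controlled save data should have: a memory card is writable by anyone with a cheap adapter, so any file parsed from it is untrusted input.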

  6. Re:Useful? by clf8 · · Score: 2, Interesting

    You didn't have to add a Title ID for each game you wanted to play. You had to add the Title ID for whatever particular PS1 disc you wanted to use to exploit the hack. Presumably, at this point you would switch discs and (somehow) put in a backup or foreign game that would boot even though it isn't "signed."

    As for Linux on Playstation2, it's already there, supported by Sony.

  7. So this hack allows what? by dancingmad · · Score: 4, Interesting

    So this hack would allow Backed up and Import games to run on an unmodded system? Basically all one needs is a USB/Mem card interface to put the files on a PS1 memcard and then use a legit PS1 game to boot the machine?

    I've got a stack of games from SE Asia that I would love to play on my PS2 and this hack seems like the most non-invasive way to do it.

    --
    "There is no time, sir, at which ties do not matter," Jeeves, (Jeeves and the Impending Doom)
  8. Re:Less about Linux by jtilak · · Score: 2, Interesting

    Well, PS2 games are dirt cheap now. Greatest Hits titles are only $20, used games are even cheaper. So there is no need to pirate games, in my opinion. Personally I prefer to have the original discs with instructions etc. I guess I'm a video game collector. Although most gamers just want to play the games for free and don't care if it's a copy or the original.

    As far as running Linux on PS2, I just think that's cool as hell. But I guess you have to be a geek to agree with that.

  9. It needs some work... by sycomonkey · · Score: 2, Interesting

    This is just the beginning. Now that people know about this weakness it will be the focus of a lot of hacking to create a title.db that will run off of any game, thus meaning all you have to do is replace the file on a memory card (Is this a PS1 or PS2 memory card we're talking about?) and voila. Maybe even give us a nice "Insert unsigned disk now" prompt. Hopefully people will run with this, and it will turn out to be a lot less of a dirty hack in the end. The guy just rushed this out so it's understandable, but in time I think this will probably turn into something a lot more graceful if we're lucky.

    --
    --The universe will not be altered by forum threads, even those which are very wry. --Tycho Brahe (Penny Arcade)
  10. Re:Cool, run... by Anonymous Coward · · Score: 4, Interesting
    Lilo

    I suspect that there will eventually be a PS2 dashboard with functionality similar to EvoX on Xbox. By running unsigned code, you could probably initialize the PS2 HDD - or maybe even Firewire HDD(s) - and load a PS2 native menu with options for then loading Linux, your PS1/2 game backups, native emulators and media players, and homebrew games, demos, and applications. In some ways the Xbox might be better for this; it has newer and more powerful processors, more RAM, and the x86-based architecture is a familiar hardware and software environment to many developers. But the PS2 Firewire port in particular does seem full of potential.

  11. A direct link... by henele · · Score: 4, Interesting

    A USB -> PS 1&2 memory card adapter from Lik Sang can be found here.

  12. Heh! by Anonymous Coward · · Score: 1, Interesting

    I setup a PC for a friend's father a while back. As usual I preloaded it with all the typical, erm, "evaluation software" that we know and love so much. He was genuinely shocked and horrified, and made me remove it. I was astounded. Most of the /. generation (and crowd) have grown up pirating software. It seems natural. But to him it was as if I'd put a stolen car in his garage. So, no, you're not the last person to pay for stuff.

  13. How do I do this? by r4lv3k · · Score: 3, Interesting

    I have PS2 linux, but the PS2 linux memory card drivers are crippleware, dunno how I'd write to the raw memory card from that environment. Do I need special hardware to program a PS1 memory card? Perhaps now a real PS2 linux distribution will be developed, that will unlock the full capability of the hardware. For example, under Sony's crippleware linux drivers, there is no support for ieee1394 or the hardware MPEG-2 codec. r4lv3k

  14. Re:Repeat after me: LEGAL IMPORTS by Anonymous Coward · · Score: 1, Interesting
    You can't use all of the hardware in the Linux kit. Like the firewire port. You can't put CD-Rs in the box, Sony is worried about piracy but I'd like to get some Linux software in there off of CD-Rs from time to time rather than putting it in to another machine, nfs exporting it and then copying it over the network.


    I totally respect Sony for what they've done, I have no problem paying for games and I have bought about 30. I understand their position but when I develop for Linux I'd like to know that I can use everything. I've been working on porting 2.6 of the kernel to PS2 but I'd really like to get to that firewire port... I've got some completely legal ideas to try. I guess the answer is to fork out the cash for a t10 but the Linux kit is the only option for us hobbyists.

  15. Re:Repeat after me: LEGAL IMPORTS by HeghmoH · · Score: 2, Interesting

    I hacked my DVD player's firmware to play discs from any region. Please explain how that is not a legitimate use. It's my DVD player, and I'm not using it to play pirated discs or anything. Region controls are an artificial limitation imposed by manufacturers, and I have a perfect right to get around those limitations if I wish, and can.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  16. You can't use it to run out-of-region/copied games by Aero Leviathan · · Score: 5, Interesting

    Calm down! First of all, if I understand correctly, this exploit takes a valid PSX game, stops it from booting, then loads 'any piece of code' _right off the memory card_. It does not provide for any sort of disc swap. This means you can not use it to load any game which the PS2 would not normally load; you can only load an .elf (I think) file which is _on the memory card_.

    Meaning this is only useful for _small_ homebrew apps.

    Second of all, it is unlikely this will ever be expanded to allow loading out-of-region/copied games. Sony uses a special copy-protection trick... as far as I know it involves a tiny sector in the beginning of a disc which has a checksum of zero. Inside this sector there is the data containing region information (should be impossible to contain any data if the checksum is zero, but it does). CD burners 'correct' this sector by writing the actual checksum, and hence PSX/PS2 games cannot be copied correctly. When you insert any disc into a PSX or PS2, the unmodified hardware checks that sector to see if the checksum is zero and if the region code is correct, and refuses to read any further data, _no matter what_, if that sector isn't just right. A mod chip works by injecting the correct data into the CPU at the right time.

    This means, even though you could use the exploit to read arbitrary data off something other than the disc the console was going to read from, you can't read it from another disc: if you eject that valid disc and put in another, the PS2 is going to check that special sector. Unless I misunderstand something, this exploit _does not_ address that, and so you can only load code off a memory card. Maybe someone will come out with a way to load stuff off a hard drive with it, but it's unlikely you'll ever be able to load stuff off a different (invalid) disc.

    I should also point out that the terms 'signed' and 'unsigned' are possibly incorrect for this sort of thing, as the copy protection isn't really in the form of an encrypted key, per se... just a crazy sector containing simple data, with a checksum of zero.

    This is how it has been explained to me over the years by a variety of people and is AFAIK the generally accepted understanding of the Sony copy protection method. I have never worked for Sony so I cannot verify it. If you have any corrections here, feel free to speak up :)

    --
    ~ Aero
  17. Re:Restrictions by Anonymous Coward · · Score: 3, Interesting

    The c-64 games I wrote in the late eighties displayed over 40 flicker-free hardware sprites. The basic technique was to reposition the hardware position settings of each of the 8 hardware sprites with the raster interrupt. The tricky bit was sorting the raster lines for the handler (I used a bucket sort on the stack).

    When doing scrolling you set a bit to make the borders come in so you wouldn't see the scrolling characters just pop on. If you used the raster interrupt to set this off again when the raster scan was in this region, the whole border disappeared.

    I am doing equivalent hacks these days for the PS2, NGC and XBOX to get extra performance when I need it. Yes it is fancy ASM hacking - and no, they don't stop you doing it.

    The difference is that these aren't open platforms - which sucks. Hard.

  18. Re:You can't use it to run out-of-region/copied ga by jamonterrell · · Score: 2, Interesting

    As far as I can read you seem to be mostly correct with one exception. This will eventually get ironed out into being able to load a small executable from a memory card and executing it which will read drivers for an external dvdrom, cdrom, hard disk, or even network card and allow you to read your backup or out of region games from a different media. As far as I know the copy protection is on the side of the disc reading, but I could be wrong.

    Jamon

    --
    I can count to 1023 on my hands. Ask me about #132.
  19. Re:You can't use it to run out-of-region/copied ga by Mal Reynolds · · Score: 2, Interesting

    A cheap hard drive filled with downloaded game ISOs... Cheap, effective and probably better and faster than running the game from its original media. Another possibility, running them from a networked computer holding the ISOs, probably slower though.

  20. Clarifications by mrossbrown · · Score: 5, Interesting

    I don't typically read or post on /. these days, but since you folks were so kind as to saturate my cable connection :P, I read through the comments and wanted to clarify a few things:

    • The hack does not enable or facilitate mass, rampant, or Caribbean piracy of PS2 or PS1 software. The design of the PS2 thwarts software from patching the system so that the hardware copy/region protection fails.
    • I am aware that Sony will be furious over this release. I myself know that legally, I have not broken the law. I used clean room reversing techniques to find the exploit, and Open Source software to develop it. Also, the exploit does not circumvent any security measures in the PS2, this should be obvious since you need a legal PS1 disc to perform the hack in the first place.
    • Yeah, I interviewed for Sony and didn't get the job (it was for a position on SCEA's R&D team). Me getting turned down was not my motivation for releasing ps2id. The Sony folks that I've dealt with are very cool, they've always treated me with respect (their office in Foster City, CA is amazing too :P). I hope that SCE* continues to produce consoles as fun to hack as the PS2.
    • My primary motivation in getting this into people's hands was so that the barriers that prevent all PS2 owners from experiencing what I experience (when I develop homebrew PS2 software, or use it) would be removed. My ulterior motive (heh, there is always one, isn't there?) was to try and land other console hacking jobs professionally.
    • Yeah, the initial release was very rushed, but some wily hacker came up with the mantra Release Early, Release Often :P. A couple of people have already submitted tutorials and save files for other memcard adapters, and a ton of people have offered to mirror the site. Testament to the power of Open Source, blah, blah, blah... :P. I will be updating the site within the next few days with all of this, and working on the next ps2id release.
    • Overall, I'd like to see all kind of fun apps come from this that average, gaming PS2 owners can use, not just hackers.

    Oh, about all the Linux posts: I've been developing a way to get ps2linux to boot without Sony's kit, and it will all tie into this. No ETA on that yet.

    Cheers to all who've stepped up with the positive posts.