PS2 Exploit Allows Running of Unsigned Code

DrEldarion writes "This man has figured out a way to make the PS2 run unsigned code without a modchip. "To make a long story short, the exploit allows anyone with a memory card and a valid, legal PS1 disc to hijack the boot process and run any piece of code.""

text

[jtilak]

I have released a binary and source package that exploits a flaw in the PS2's handling of a special configuration file. This configuration file, named TITLE.DB, is accessed from the PS2 PS1 driver (located at rom0:PS1DRV). To make a long story short, the exploit allows anyone with a memory card and a valid, legal PS1 disc to hijack the boot process and run any piece of code. Absolutely no modification to the system is necessary to use the exploit (my only working PS2 is not moddded, and I have developed and tested the exploit on this machine). All one really needs is a way to send the files to the memory card to enable the exploit. PS1DRV parses a file called mc0:/BXDATA-SYSTEM/TITLE.DB (the X represents the PS2's region code) to load graphic parameters for the PS1 game that was loaded from the disc drive. There is a catastrophic buffer overflow in the parsing routine that allows one to overflow the stack and execute arbitrary code by rewriting the $RA register. If we load up our own TITLE.DB, with an entry for every PS1 disc that we want to trigger the exploit, then we can take over the PS2 boot process as soon as the disc is recognized and PS1DRV is executed. The file exploit.c will have to serve as documentation on the exploit for now, since I've been rushing to get this out and in people's hands. If you use PS2 Independence for Evil - I AM NOT RESPONSIBLE. All of the distributed source code is licensed under the Academic Free License version 2.0. My copyrights _must_ remain intact if you choose to redistribute the source package. I'm looking forward to comments/criticisms about how the code can be improved, and also creative uses for the exploit.