Slashdot Mirror
PS2 Exploit Allows Running of Unsigned Code
DrEldarion writes "This man has figured out a way to make the PS2 run unsigned code without a modchip. "To make a long story short, the exploit allows anyone with a memory card and
a valid, legal PS1 disc to hijack the boot process and run any piece of code.""
... to get arbitrary files on a memory card? I don't know about you, but *I* don't have anything like that. Will a small industry be created selling pre-altered memory cards?
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
Now all we need is someone to write a legal playstation emulator for the X-Box, and we can run linux on it with no additional money going to microsoft for buying/renting a particular x-box game!
Ñ'
Like LINUX!?
In related news, Sony pays $499 per each PS2 sold to SCO. The rest of the compensation is the release of a smash-hit game "Superdaryl and the Invasion of the IBM Drones", in which Daryl saves America from IBM-aided terrorists.
Am I the last guy on earth who actually goes out an pays for things?
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
It seems that it would be ueber-leet to be able to run linux to its full potential. Instead of just having the Sandbox environment we will have direct access to the hardware. I'd also be able to play tuxracer on the PS2. But then again I'm still waiting for a gamecube port of linux because thats what I have.
Nero-burning ROM for Linux!
I have a thing for the PC that lets me read/write my PS1 memory cards... Does that mean I can do this?
It was made by the same people that made gameshark
[sig]www.masterslate.org[/sig]
Oh, if you or your company are looking for a low-level PS2 or GC hacker, I am available for immediate contract work or other offers. My e-mail is the best way to contact me.
We'll get right on that.
After Sony's attorneys finish with you, "immediate contract work" is exactly what you'll need.
I'll be able to apply the "adult patch" to Equestriad 2001 and have the race mares rise their tails and wink at you after winning the race!
It's not an x86, so Windows won't run natively. Might as well try to run Windows on a Mac. With Linux, we have the source code, so we can make the necessary modifications for the PS2 system, recompile, and run. If Microsoft wanted, they could probably produce a Windows for PS2, but I bet they won't :-)
Real Daleks don't climb stairs - they level the building.
If I can get my American PS2 to run Japanese PS2 games without having to pay $100 and do a lot of fiddly soldering, that's worth it. I don't know how much it would actually cost to get a memory card reader, since I don't have one, but I doubt one would have to pay $200.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
This provides to PS2 what has existed for the X-box for a while now. It was mentioned on slashdot and allows the X-box to run unsigned code after some preparation.
It replaces some font files (which are not checksummed) with ones that use an exploit in X-box firmware.
I was reading about this before seeing this article. One of the points brought up is that it's not really a useful hack because it's quite tricky to utilize.
It looks like you need a memory card reader ($$), and then have to edit a file and add the Title ID for each game you want to play. This requires a bit of work to figure out, and a *nix system to run his software, I think.
It doesn't work with all games all the time, only the ones you specify. Also, there may be a limit to how many table entries you can have, which would limit the number of games you can run.
If someone is tech savvy enough to figure this out, they just might have what it takes to install some of the existing modchips out there. Mine only has one wire, and coupled with a GameShark, will run almost anything out there, but it's a bit of a pain.
Perhaps the bright side is that this will allow users of Linux on the PS2 to run code outside the restrictions of the OS that Sony added.
Does anyone know if there's a memory card reader out there that is in any way compatible with a Mac? For obvious reasons.
And actually, I honestly do want to play legal imports on my PS2. If there's a game I want to play, I usually think it's worth supporting the people who make it.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
I hadn't even thought about playing non-us games. Shoots a hole through my rant. Are US playstations able to output PAL?
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
sony's ps2 linux kit is crippled. read THE PLAYSTATION LINUX FAQ for more info. i'm assuming with this, someone can run a regular linux distro on the ps2.
So what? I've been running custom code on my unmodded PS2 using Sony's Linux kit for awhile now, even crunching Distributed.net with it. If you want to run custom code, buy the Linux kit. Show Sony people do want a Linux kit, that way they might release one for PS3 or even PSP. I'd rather use an official kit instead of a hack.
I tried compiling his titleman utility, since I don't have any of the games already in the title.lst file, but it seems like some stuff is missing...do you need to have a PS2 devkit of some sort to do this? His makefile seems to suggest it.....
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
Oh boy, we can count to 4294967295 billion now!
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Border, n: in C64, area of screen where no graphics can be displayed. Therefore it's the favourite place for all Commodore demoscene coders to display various graphics, causing engineers who designed it rip their hair from their heads and jump out through the windows, yelling "THIS CAN'T BE WORKING".
Understand now?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Quoted from the page:
PS1DRV parses a file called mc0:/BXDATA-SYSTEM/TITLE.DB (the X represents the
PS2's region code) to load graphic parameters for the PS1 game that was loaded
from the disc drive. There is a catastrophic buffer overflow in the parsing
routine that allows one to overflow the stack and execute arbitrary code by
rewriting the $RA register. If we load up our own TITLE.DB, with an entry for
every PS1 disc that we want to trigger the exploit, then we can take over the
PS2 boot process as soon as the disc is recognized and PS1DRV is executed.
Sorry but you must have bought the wrong kit...
The only thing PS2 Linux prevents you from accessing is the IOP which is NOT the majority of the PS2's features.
Even the diffences imposed by having a multi-user OS running on the machine are being dealt with by projects like SPS2.
You should check your facts before posting stuff like that.
So this hack would allow Backed up and Import games to run on an unmodded system? Basically all one needs is a USB/Mem card interface to put the files on a PS1 memcard and then use a legit PS1 game to boot the machine?
I've got a stack of games from SE Asia that I would love to play on my PS2 and this hack seems like the most non-invasive way to do it.
"There is no time, sir, at which ties do not matter," Jeeves, (Jeeves and the Impending Doom)
From now on, no slashdot posting while drunk, please.
"An agreement of law", Are you drunk?
One of the biggest problems with consoles and DVDs these days is that companies put region coding in them. If you live in a certain area of the world you get to play the games and watch the movies that they want you to, and no others.
This is a hideous practice and we must all publicly flaunt our disobedience of it at every opportunity. Otherwise they'll sneak it beneath the radar of the masses and make it part of the international copyright agreements.
Currently, region coding has no legal weight, though dishonest laws like the DMCA might have make bypassing it illegal in some jurisdictions.
If you believe you have the right to use your possessions however and whereever you wish, fight dishonest companies who do this!
You can already run Linux on the playstation by paying for the PS2 Linux kit at http://playstation2-linux.com/
That kit allows you to run any code that you want to anyway. Plus getting one allows companies to see that there is a paying group of individuals that would like configurable/extensible electronic products.
It's funny that many people criticize the software and media industry for promoting DRM and DMCA type laws, but then the same people turn around and promote/utilize cracks like this.
What do you expect the companies to do? Sit there and watch this happen?
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
Why do we do anything challenging and not particularly useful?
Why do we climb the mountain, why do we run webservers on 6502 processors?
Because its there, man, because its there.
SCO to Hell
The sharkport is no longer available at the link you provided. You can get the x-port instead for $10 less.
you do not need linux or unix like some others have posted. you need ee-gcc - you can google it or if you're using win32 a direct link is here: http://www.thethirdcreation.net/tools/ps2DevEnviro nment.exe - just install that it sets up the dev environment for you. you'll need it to compile his tool.
well ps2 games are dirt cheap now. greatest hits titles are only $20, used games are even cheaper. so there is no need to pirate games, in my opinion. personally i prefer to have the orignial discs with instructions etc. i guess i'm a video game collector. although most gamers just want to play the games for free and dont care if its a copy or the original.
as far as running linux on ps2 i just think thats cool as hell. but i guess you have to be a geek to agree with that.
As I've mentioned a couple of times before in this thread, I want to use this (and was planning to get a modchip) to play games I have legally imported from Japan. I know that many people won't believe me, and that, unfortunately, that won't be the primary use of this exploit, but I know of no law that prohibits running region-locked games out of their region. I realize that it's possible the DMCA covers this, but if so, it really shouldn't. I paid for the PS2, I paid for the game, so why the heck shouldn't I be able to run it?
If this can really work (I haven't gotten the guy's code to compile, see one of my posts, above), it would be really great. I could use a $30 memory card reader/writer to let me play imported games, rather than a $100 modchip kit, which I would have to solder onto the PS2's motherboard. And those things look extremely fiddly.
So, yes, there is at least one legitimate use. And the point of our opposition to the DMCA is not (at least not for anyone who would have any chance against it) "so I can keep pirating stuff." My argument against it is that it probably will allow Sony to sue anyone who uses this hack, whatever purpose they put it to. It stops you from using certain devices or processes because they could be used for piracy or copyright infringement, even if you would truly, honestly, never use them for that purpose.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
This is just the beginning. Now that people know about this weakness it will be the focus of a lot of hacking to create a title.db that will run off of any game, thus meaning all you have to do is replace the file on a memory card (Is this a PS1 or PS2 memory card we're talking about?) and voila. Maybe even give us a nice "Insert unsigned disk now" prompt. Hopefully people will run with this, and it will turn out to be a lot less of a dirty hack in the end. The guy just rushed this out so it's understandable, but in time I think this will probably turn into something a lot more graceful if we're lucky.
--The universe will not be altered by forum threads, even those which are very wry. --Tycho Brahe (Penny Arcade)
Yesterday,
Algorithms programmed in any way
Now it looks as though there's liabilit-ay
And, it's 'cause of the D-M-C-A
Suddenly,
I'm not allowed to speak in C
There's a shadow hanging over me
Oh how D-M-C-A makes silence be
How some bits do flow, you can't know,
We couldn't say
I said something wrong
now I'm among, law D-M-C-A-ay-ay-ay
Yesterday,
"code" was such an easy game to play
Now I need a place to hide away
And, it's 'cause of the D-M-C-A
I think you mean my system which I bought and paid for. So yes, I should be able to do what I want with it
Please pay attention before replying. We're talking about their Linux distro. Sony is free to limit their software in whatever way they want, they are under absolutely no obligation to allow you access, through their software, to parts of the system they'd rather not have you muck with. If you want to utilize this hack to play around and explore, feel free, more power to ya, I agree that doing such a thing should not be illegal. But that is not what this thread is about.
btw, I was going to insert the following text after I wrote "their" system:
"their meaning that they designed it, since you obviously own it".
Because I KNEW that someone would bring that up.
This is a lame argument since the world abounds with systems that have software that limits your access to the underlying systems. How is this anything new?
I suspect that there will eventually be a PS2 dashboard with functionality similar to EvoX on Xbox. By running unsigned code, you could probably initialize the PS2 HDD - or maybe even Firewire HDD(s) - and load a PS2 native menu with options for then loading Linux, your PS1/2 game backups, native emulators and media players, and homebrew games, demos, and applications. In some ways the Xbox might be better for this; it has newer and more powerful processors, more Ram, and the x86-based architechture is a familiar hardware and software environment to many developers. But the PS2 Firewire port in particular does seem full of potential.
It might interest a few of you that there is a program available to use a USB-cable to screw around with the PS/2. It's available at naplink.napalm-x.com. Go wild :)
A USB -> PS 1&2 memory card adapter from Lik Sang can be found here.
I have PS2 linux, but the PS2 linux memory card drivers are crippleware, dunno how I'd write to the raw memory card from that environment. Do I need special hardware to program a PS1 memory card? Perhaps now a real PS2 linux distribution will be developed, that will unlock the full capability of the hardware. For example, under Sony's crippleware linux drivers, there is no support for ieee1394 or the hardware MPEG-2 codec. r4lv3k
Border, n: in C64, area of screen where no graphics can be displayed. Therefore it's the favourite place for all Commodore demoscene coders to display various graphics, causing engineers who designed it rip their hair from their heads and jump out through the windows, yelling "THIS CAN'T BE WORKING".
The C64 wasn't restrictive. It allowed hackers (as in coders) to do whatever they could think of with the hardware. There were crazy optimizations where two instructions executed at once, 27 sprites could be displayed at once (the hardware is limited to 8), 240 colors could be displayed (the hardware was limited to 16), and not once did the commodore engineers come and say, "Stop doing that! It wasn't designed for that!"
Fast forward 20 years, and take a look at major console manufacturers bitching if we exploit the hardware or software to install something they didn't intend.
Heck, even being a developer, you can't do to modern consoles that you could do to the C64... To get an XDK, or PDK, you have to adhere to all sorts of restrictions about what you can and cannot do in your code (no fancy ASM hacking to do cool stuff)... what's the point? No wonder all we have is cookie-cutter games... Developers aren't allowed to innovate, unless it meets with Sony or Microsoft's predetermined vision... bah, gimme a modern day C64 dammit!
---
Programming is like sex... Make one mistake and support it the rest of your life.
To summarize, stop blaming sony! They did a great thing by releasing ps2linux, and all the related info. That's impressive. You know, a few years ago, the hardware manuals where so secret that there was my company name printed across each page..
PS2linux is far from perfect, but it is up to you to enhance it, because of its open source nature.
And if you don't want to use linux, because of its bloat, there are even bootloader projects hosted on sony's own website(playstation2-linux.com) that allows you get raw low-level access.
According to me, sony's biggest mistake was to target linux zealots, instead of focusing on console programming enthusiasts, as they did with yaroze. So they got a lot of disapointed customers... But if you want to do console programming, ps2linux is still a great thing, with lots of things to create (and that's the interesting part!).
"Its already a bit of a known fact that the large console markets are PS2 and XBOX."
The PS2 has shipped 50,000,000 units. The Xbox and GameCube have both shipped 10,000,000 units.
I don't understand how one 10,000,000 is smaller than another 10,000,000 enough to be considered equal to 50,000,000.
Here's a well known fact: "well known facts" are often made up on the spot to support another argument, and make it look that much more believable.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Calm down! First of all, if I understand correctly, this exploit takes a valid PSX game, stops it from booting, then loads 'any piece of code' _right off the memory card_. It does not provide for any sort of disc swap. This means you can not use it to load any game which the PS2 would not normally load; you can only load an .elf (I think) file which is _on the memory card_.
:)
Meaning this is only useful for _small_ homebrew apps.
Second of all, it is unlikely this will ever be expanded to allow loading out-of-region/copied games. Sony uses a special copy-protection trick... as far as I know it involves a tiny sector in the beginning of a disc which has a checksum of zero. Inside this sector there is the data containing region information (should be impossible to contain any data if the checksum is zero, but it does). CD burners 'correct' this sector by writing the actual checksum, and hence PSX/PS2 games cannot be copied correctly. When you insert any disc into a PSX or PS2, the unmodified hardware checks that sector to see if the checksum is zero and if the region code is correct, and refuses to read any further data, _no matter what_, if that sector isn't just right. A mod chip works by injecting the correct data into the CPU at the right time.
This means, even though you could use the exploit to read abritrary data off something other than the disc the console was going to read from, you can't read it from another disc: if you eject that valid disc and put in another, the PS2 is going to check that special sector. Unless I misunderstand something, this exploit _does not_ address that, and so you can only load code off a memory card. Maybe someone will come out with a way to load stuff off a hard drive with it, but it's unlikely you'll ever be able to load stuff off a different (invalid) disc.
I should also point out that the terms 'signed' and 'unsigned' are possibly incorrect for this sort of thing, as the copy protection isn't really in the form of an encrypted key, per se... just a crazy sector containing simple data, with a checksum of zero.
This is how it has been explained to me over the years by a variety of people and is AFAIK the generally accepted understanding of the Sony copy protection method. I have never worked for Sony so I cannot verify it. If you have any corrections here, feel free to speak up
~ Aero
The c-64 games I wrote in the late eighties displayed over 40 flicker-free hardware sprites. The basic technique was to reposition the hardware position settings of each of the 8 hardware sprites with the raster interrupt. The tricky bit was sorting the raster lines for the handler (I used a bucket sort on the stack).
When doing scrolling you set a bit to make the borders come in so you wouldn't see the scrolling characters just pop on. If you used the raster interrupt to set this off again when the raster scan was in this region, the whole border disappeared.
I am doing equivalent hacks these days for the PS2, NGC and XBOX to get extra performance when I need it. Yes it is fancy ASM hacking - and no, they don't stop you doing it.
The difference is that these aren't open platforms - which sucks. Hard.
As far as I can read you seem to be mostly correct with one exception. This will eventually get ironed out into being able to load a small executable from a memory card and executing it which will read drivers for an external dvdrom, cdrom, hard disk, or even network card and allow you to read your backup or out of region games from a different media. As far as I know the copy protection is on the side of the disc reading, but I could be wrong.
Jamon
I can count to 1023 on my hands. Ask me about #132.
A cheap hard drive filled with downloaded game ISO's... Cheap, effective and probably better and faster than running the game from it's original media. Another possibility, running them from a networked computer holding the ISO's, probably slower though.
I don't typically read or post on /. these days, but since you folks were so kind as to saturate my cable connection :P, I read through the comments and wanted to clarify a few things:
Oh, about all the Linux posts: I've been developing a way to get ps2linux to boot without Sony's kit, and it will all tie into this. No ETA on that yet.
Cheers to all who've stepped up with the positive posts.