PS2 Exploit Allows Running of Unsigned Code

DrEldarion writes "This man has figured out a way to make the PS2 run unsigned code without a modchip. "To make a long story short, the exploit allows anyone with a memory card and a valid, legal PS1 disc to hijack the boot process and run any piece of code.""

Unsigned code...

Like LINUX!?

In related news, Sony pays $499 per each PS2 sold to SCO. The rest of the compensation is the release of a smash-hit game "Superdaryl and the Invasion of the IBM Drones", in which Daryl saves America from IBM-aided terrorists.

Re:What kind of hardware is needed...

[Caff]

I believe you can use interact's SharkPort disc, and connect a USB cable between your computer and the PS2, or something like that. I think Datel makes a similar accessory, but I'm not sure. In addition to this, various manufacturers, such as EMS, make USB-compatible memory cards, or "Memory Adapters" where you plug in a memory card and have the ability to connect it to a PC using a parallel cable.

..yeah

Oh, if you or your company are looking for a low-level PS2 or GC hacker, I am available for immediate contract work or other offers. My e-mail is the best way to contact me.

We'll get right on that.
After Sony's attorneys finish with you, "immediate contract work" is exactly what you'll need.

Re:What kind of hardware is needed...

[DrEldarion]

Lik-Sang sells them for around $30, I believe.

-- Dr. Eldarion --

That's not the point

[danaris]

If I can get my American PS2 to run Japanese PS2 games without having to pay $100 and do a lot of fiddly soldering, that's worth it. I don't know how much it would actually cost to get a memory card reader, since I don't have one, but I doubt one would have to pay $200.

Dan Aris

Re:Great news!

[tprime]

I don't think that the people who just buy xboxes to "hurt" microsoft really understand what they are doing. In the short term, YES, you are costing Microsoft money on their per console loss. In the long term, you are helping them.

For instance, 1,000,000 MS haters buy xboxes with the hopes of making a serious dent in the $60 billion (yes with nine zeros) cash reserve that Microsoft holds. In the mean time, Microsoft is able to report to the software vendors that they have those 1,000,000 extra xboxes out there. Vendors see the large numbers and make more games to support the xbox. In turn, the xbox software library grows and so does its legit customer base. I know the 1,000,000 xboxes for the MS haters is an exaggeration, but hopefully you will get my point.

Sony's ps2 linux kit

[jtilak]

sony's ps2 linux kit is crippled. read THE PLAYSTATION LINUX FAQ for more info. i'm assuming with this, someone can run a regular linux distro on the ps2.

Re:What kind of hardware is needed...

[blincoln]

follow the link on that web site to the XPort, which does the same thing (and in fact probably is the same thing).

Yes, they're the same hardware. The Gameshark line of hardware (up until the V3) was made by a company called Datel in the UK and sold their under the Action Replay name. Interact just licensed it for North American sales. Their deal went sour, and now Datel sells it all here under their own brand.

Just to keep everyone confused, the Gameshark brand is now owned by MadCatz, and their "Gameshark V3" is actually closer to the Code Breaker that Pelican sells. Both were developed by a company called Fire.

Is that like the gaming equivalent of a soap opera or what?

Repeat after me: LEGAL IMPORTS

[danaris]

As I've mentioned a couple of times before in this thread, I want to use this (and was planning to get a modchip) to play games I have legally imported from Japan. I know that many people won't believe me, and that, unfortunately, that won't be the primary use of this exploit, but I know of no law that prohibits running region-locked games out of their region. I realize that it's possible the DMCA covers this, but if so, it really shouldn't. I paid for the PS2, I paid for the game, so why the heck shouldn't I be able to run it?

If this can really work (I haven't gotten the guy's code to compile, see one of my posts, above), it would be really great. I could use a $30 memory card reader/writer to let me play imported games, rather than a $100 modchip kit, which I would have to solder onto the PS2's motherboard. And those things look extremely fiddly.

So, yes, there is at least one legitimate use. And the point of our opposition to the DMCA is not (at least not for anyone who would have any chance against it) "so I can keep pirating stuff." My argument against it is that it probably will allow Sony to sue anyone who uses this hack, whatever purpose they put it to. It stops you from using certain devices or processes because they could be used for piracy or copyright infringement, even if you would truly, honestly, never use them for that purpose.

Dan Aris

You can't use it to run out-of-region/copied games

[Aero+Leviathan]

Calm down! First of all, if I understand correctly, this exploit takes a valid PSX game, stops it from booting, then loads 'any piece of code' _right off the memory card_. It does not provide for any sort of disc swap. This means you can not use it to load any game which the PS2 would not normally load; you can only load an .elf (I think) file which is _on the memory card_.

Meaning this is only useful for _small_ homebrew apps.

Second of all, it is unlikely this will ever be expanded to allow loading out-of-region/copied games. Sony uses a special copy-protection trick... as far as I know it involves a tiny sector in the beginning of a disc which has a checksum of zero. Inside this sector there is the data containing region information (should be impossible to contain any data if the checksum is zero, but it does). CD burners 'correct' this sector by writing the actual checksum, and hence PSX/PS2 games cannot be copied correctly. When you insert any disc into a PSX or PS2, the unmodified hardware checks that sector to see if the checksum is zero and if the region code is correct, and refuses to read any further data, _no matter what_, if that sector isn't just right. A mod chip works by injecting the correct data into the CPU at the right time.

This means, even though you could use the exploit to read abritrary data off something other than the disc the console was going to read from, you can't read it from another disc: if you eject that valid disc and put in another, the PS2 is going to check that special sector. Unless I misunderstand something, this exploit _does not_ address that, and so you can only load code off a memory card. Maybe someone will come out with a way to load stuff off a hard drive with it, but it's unlikely you'll ever be able to load stuff off a different (invalid) disc.

I should also point out that the terms 'signed' and 'unsigned' are possibly incorrect for this sort of thing, as the copy protection isn't really in the form of an encrypted key, per se... just a crazy sector containing simple data, with a checksum of zero.

This is how it has been explained to me over the years by a variety of people and is AFAIK the generally accepted understanding of the Sony copy protection method. I have never worked for Sony so I cannot verify it. If you have any corrections here, feel free to speak up :)

Clarifications

[mrossbrown]

I don't typically read or post on /. these days, but since you folks were so kind as to saturate my cable connection :P, I read through the comments and wanted to clarify a few things:

• The hack does not enable or facilitate mass, rampant, or Carribean piracy of PS2 or PS1 software. The design of the PS2 thwarts software from patching the system so that the hardware copy/region protection fails.
• I am aware that Sony will be furious over this release. I myself know that legally, I have not broken the law. I used clean room reversing techniques to find the exploit, and Open Source software to develop it. Also, the exploit does not circumvent any security measures in the PS2, this should be obvious since you need a legal PS1 disc to perform the hack in the first place.
• Yeah, I interviewed for Sony and didn't get the job (it was for a position on SCEA's R&D team). Me getting turned down was not my motivation for releasing ps2id. The Sony folks that I've dealt with are very cool, they've always treated me with respect (their office in Foster City, CA is amazing too :P). I hope that SCE* continues to produce consoles as fun to hack as the PS2.
• My primary motivation was in getting this in people's hands was so that the barriers that prevent all PS2 owners from experiencing what I experience (when I develop homebrew PS2 software, or use it) would be removed. My ulterior motive (heh, there is always one, isn't there?) was to try and land other console hacking jobs professionally.
• Yeah, the initial release was very rushed, but some wily hacker came up with the mantra Release Early, Release Often :P. A couple of people have already submitted tutorials and save files for other memcard adapters, and a ton of people have offered to mirror the site. Testament to the power of Open Source, blah, blah, blah... :P. I will be updating the site within the next few days with all of this, and working on the next ps2id release.
• Overall, I'd like to see all kind of fun apps come from this that average, gaming PS2 owners can use, not just hackers.

Oh, about all the Linux posts: I've been developing a way to get ps2linux to boot without Sony's kit, and it will all tie into this. No ETA on that yet.

Cheers to all who've stepped up with the positive posts.