
ps2 exploit (The PS1DRV Hack)


Nemo


Posted

After the ability to add a hard disk, the ps2 exploit has arrived too - the ability to load on an unmodded ps2 ........

 

http://ps2.consolevision.com/ps2homebrew.shtml

http://www.0xd6.org/ps2-independence.html

 

_____________________________________________________________

Guides

Jules: Using the PS1DRV exploit with nPort

 

 

 

Files

nPort .NPO files:

BADATA-SYSTEM.npo (North America)

BEDATA-SYSTEM.npo (Europe)

BIDATA-SYSTEM.npo (Japan/Asia)

 

 

Source Package

 

 

README

PlayStation 2 Independence Day

http://www.0xd6.org/ps2-independence.html

Friday, August 15th, 2003

 

Marcus R. Brown <[email protected]>

--

 

Introduction

--

 

I have released a binary and source package that exploits a flaw in the PS2's

handling of a special configuration file. This configuration file, named

TITLE.DB, is accessed from the PS2 PS1 driver (located at rom0:PS1DRV).

 

To make a long story short, the exploit allows anyone with a memory card and

a valid, legal PS1 disc to hijack the boot process and run any piece of code.

Absolutely no modification to the system is necessary to use the exploit (my

only working PS2 is not modded, and I have developed and tested the exploit

on this machine). All one really needs is a way to send the files to the

memory card to enable the exploit.

 

<one paragraph gist>

PS1DRV parses a file called mc0:/BXDATA-SYSTEM/TITLE.DB (the X represents the

PS2's region code) to load graphic parameters for the PS1 game that was loaded

from the disc drive. There is a catastrophic buffer overflow in the parsing

routine that allows one to overflow the stack and execute arbitrary code by

rewriting the $RA register. If we load up our own TITLE.DB, with an entry for

every PS1 disc that we want to trigger the exploit, then we can take over the

PS2 boot process as soon as the disc is recognized and PS1DRV is executed.

</one paragraph gist>

 

The file exploit.c will have to serve as documentation on the exploit for

now, since I've been rushing to get this out and in people's hands.

 

If you use PS2 Independence for Evil - I AM NOT RESPONSIBLE.

 

All of the distributed source code is licensed under the Academic Free License

version 2.0. My copyrights _must_ remain intact if you choose to redistribute

the source package.

 

I'm looking forward to comments/criticisms about how the code can be improved,

and also creative uses for the exploit.

 

 

Using titleman

--

 

titleman allows you to create, add, and delete title entries from the TITLE.DB

file.

 

titleman supports the following options:

 

-c Create a new TITLE.DB file.

-a Add a title or a list of titles to TITLE.DB.

-d Delete a title or a list of titles from TITLE.DB.

-l List the contents of TITLE.DB.

 

-v Increase verbosity level.

-o Specify an output file (broken, don't use).

 

Examples:

 

$ ./titleman -c # Create a new TITLE.DB

$ ./titleman -a SCUS_000.67 # Add Castlevania:SOTN to TITLE.DB

$ ./titleman -a @title.lst # Add a list of titles found in title.lst to

# TITLE.DB (the '@' is required)

$ ./titleman -d PSXMAIN.EXE # Delete 'PSXMAIN.EXE' from TITLE.DB

 

 

Format of @list files

--

 

One title name per line. Comments are specified with ';' at the beginning of

the line.

 

Example:

 

; Castlevania: Symphony of the Night (one of my favorites :P)

SLUS_000.67

 

; Chrono Cross

SLUS_010.41

 

 

Further thoughts

--

 

Oh, if you or your company are looking for a low-level PS2 or GC hacker, I am

available for immediate contract work or other offers. My e-mail is the best

way to contact me.
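The README above documents the format of the "@list" files titleman accepts (one title ID per line, ';' comments) and says the PS1DRV parsing routine copies entries without a bound. The following is an added example, not code from the ps2-independence package: a small parser for that list format which validates each entry against the ID shape shown on the page (four capitals, '_', three digits, '.', two digits, as in SLUS_000.67) and rejects blank, malformed or over-long lines instead of copying them into a fixed buffer. The sample list is constructed for the example; MAX_TITLES and the exact ID grammar are assumptions of this example, not values from the package.

```c
/* Added example, not part of ps2-independence. Parser for titleman-style
 * "@list" files: one title ID per line, ';' starts a comment line, blank lines
 * are ignored. Entries are validated and length-checked before being stored. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ID_LEN 11          /* strlen("SLUS_000.67"); assumed fixed ID length */
#define MAX_TITLES 64      /* assumed capacity for this example */

typedef struct {
    char id[MAX_TITLES][ID_LEN + 1];
    int count;             /* IDs accepted */
    int rejected;          /* non-comment lines that were not valid IDs */
} title_list;

/* Return 1 if s is exactly an ID of the form AAAA_NNN.NN, else 0. */
int is_valid_title_id(const char *s)
{
    if (strlen(s) != ID_LEN) return 0;
    for (int i = 0; i < 4; i++) if (!isupper((unsigned char)s[i])) return 0;
    if (s[4] != '_') return 0;
    for (int i = 5; i < 8; i++) if (!isdigit((unsigned char)s[i])) return 0;
    if (s[8] != '.') return 0;
    for (int i = 9; i < 11; i++) if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Parse the whole list text (file already read into memory).
 * Returns the number of IDs accepted; rejected lines are counted in out->rejected. */
int parse_title_list(const char *text, title_list *out)
{
    out->count = 0;
    out->rejected = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;          /* tolerate DOS line endings */
        size_t start = 0;
        while (start < len && isspace((unsigned char)p[start])) start++;
        if (start < len && p[start] != ';') {          /* skip blank and comment lines */
            size_t end = len;
            while (end > start && isspace((unsigned char)p[end - 1])) end--;
            size_t n = end - start;
            char buf[ID_LEN + 1];
            /* The length check comes before the copy: an over-long entry is
             * rejected, never written past the end of buf. */
            if (n == ID_LEN && out->count < MAX_TITLES) {
                memcpy(buf, p + start, n);
                buf[n] = '\0';
                if (is_valid_title_id(buf))
                    memcpy(out->id[out->count++], buf, n + 1);
                else
                    out->rejected++;
            } else {
                out->rejected++;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return out->count;
}

/* Constructed sample: the README's example list plus two bad lines. */
static const char sample_list[] =
    "; Castlevania: Symphony of the Night\n"
    "SLUS_000.67\n"
    "\n"
    "; Chrono Cross\n"
    "SLUS_010.41\r\n"
    "not_an_id\n"
    "SLUS_010.41AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

int main(void)
{
    title_list tl;
    int n = parse_title_list(sample_list, &tl);
    printf("%d accepted, %d rejected\n", n, tl.rejected);
    for (int i = 0; i < n; i++) printf("  %s\n", tl.id[i]);
    return 0;
}
```

Running it on the sample prints the two valid IDs and reports the two rejected lines; the point is that the bound is enforced by the parser before any copy, which is the check the README says PS1DRV's own routine lacks.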

Posted

Detailed continuation ->

http://www.0xd6.org/exploitguide/

_____________________________________________________________

Using the PS1DRV exploit with nPort

by Jules

Last update : 17th of August 2003

 

Let's just go over how the exploit works. When an original PSOne CD-ROM is loaded on your PS2 via the PSOne driver (PS1DRV), it looks up the game in a file on your memory card and this file contains the exploit which can make you run your own code. Marcus R. Brown has created the whole package for you, all you need to do is compile it (or download it precompiled) and then add your PSOne CD-ROM ID to the file on the memory card, so you can take advantage of the exploit.

 

This guide uses nPort to transfer the exploited file to your memory card, you can use either Pukklink or Naplink to load nPort from either native (with some sort of mod) or from PS2 Linux with reload1. You must have nPort installed and working in order to use this guide.

 

First of all you need to compile titleman (ps2-independence) with ps2lib, I will not get into how to compile it, but instead provide binaries of the file: Win32 Binary

 

As mentioned before Marcus R. Brown has been so kind to provide premade files to use with nPort, these files contain the exploit file as well as ps2link (pukklink clone, loader for the Sony network adapter) which the exploit loads. If you want to use another ELF with the exploit, you have to replace the BOOT.ELF from ps2link with your file and remove all files related to ps2link as well (IPCONFIG.DAT, PS2SMAP.IRX, PS2LINK.IRX, PS2IP.IRX), please note that not all PS2 ELFs which have IRX files included will load correctly, since there might not be memory card support included for IRX loading.

There are 3 different files, one for each region:

 

North America (NTSC-J)

Europe (PAL)

Japan/Asia

 

Now put the file which matches the region of your PS2 into the nPort saves sub-directory, in this directory you will also see an executable called npo-x.exe. This tool is an extractor and packer for nPort saves, since we are not sure that the PSOne CD-ROM we will be using is included with the exploit, we will extract the save and add it ourselves.

We do it like this: npo-x x [npo_file]

For instance: npo-x x BEDATA-SYSTEM.npo.

 

This will now create a directory named the same as the .npo file with the files for the exploit. The file we are interested in is TITLE.DB (this is the exploit file), for this file we need titleman. But first we need to find out what the ID of the PSOne CD-ROM we will be using is. To do this, put the PSOne CD-ROM into your computer and open SYSTEM.CNF.

This file's first line will be something like: BOOT=cdrom:\SCED_018.22;1 (this line is from a European demo disc). The part we are interested in is the bold part, the filename (or ID) of the start up executable.

 

Now we copy titleman to the directory with TITLE.DB created by npo-x.

Here we do this: titleman -a [ID/filename]

Which in my case is titleman -a SCED_018.22.

 

Now we have added our PSOne CD-ROM for the exploit. (In case you want to use ps2link, you might want to alter IPCONFIG.DAT as well to fit your IP settings). You can of course add more PSOne IDs if you wish. What we need to do now is pack the .npo file again, in the nPort save directory.

We do npo-x a [save_dir] - [save_dir] is the name of the directory that npo-x x extracted to.

To follow the example from before, this will be npo-x a BEDATA-SYSTEM.

 

Now your npo file is updated and we need to get it onto the memory card. But first you need to index the file with the nPort indexer so nPort can find the save in the saves directory, simply just run it and it will say "All done". Now start nPort and transfer the .npo file onto your memory card. If the file already exists you will have to delete it first.

 

Once you have the exploit on your memory card, all you need to do is put the memory card into your PS2 memory card slot and put in the PSOne CD-ROM from which you got the ID/filename into your PS2 drive and turn on your PS2, what you should see is a white screen flash for a sec and then ps2link should start (unless you replaced the ELF with something else).
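The guide's step of opening SYSTEM.CNF, reading the BOOT= line and taking the executable name out of it is easy to get wrong by hand (path prefix, ";1" version suffix, DOS line endings). The following is an added example, not code from Jules's guide or from the ps2-independence package: it extracts the ID from SYSTEM.CNF text in the shape the guide shows (BOOT=cdrom:\SCED_018.22;1) and then checks whether that ID is already present in a list of titles, which is the question the guide raises before running titleman -a. The sample SYSTEM.CNF contents and the existing-title list are constructed for the example; handling of a subdirectory in the BOOT path is an assumption of this example.

```c
/* Added example, not from the guide or the ps2-independence package.
 * Extract the start-up executable ID from a PSOne SYSTEM.CNF and check it
 * against a list of IDs already present in TITLE.DB. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Find the first line starting with "BOOT=" and copy the executable name
 * (path prefix and ";version" suffix stripped) into out. Returns 1 on
 * success, 0 if there is no usable BOOT line or out is too small. */
int extract_boot_id(const char *cnf, char *out, size_t outsz)
{
    const char *line = cnf;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 5 && strncmp(line, "BOOT=", 5) == 0) {
            const char *v = line + 5;
            const char *vend = line + len;
            const char *semi = memchr(v, ';', (size_t)(vend - v));
            if (semi) vend = semi;                 /* drop ";1" version suffix */
            const char *id = v;
            for (const char *q = v; q < vend; q++)  /* drop "cdrom:\" and any directory */
                if (*q == '\\' || *q == ':') id = q + 1;
            size_t n = (size_t)(vend - id);
            while (n && isspace((unsigned char)id[n - 1])) n--;  /* trailing CR/space */
            if (n == 0 || n >= outsz) return 0;
            memcpy(out, id, n);
            out[n] = '\0';
            return 1;
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Return 1 if id is already one of the count entries in list. */
int id_in_list(const char *id, const char *const *list, int count)
{
    for (int i = 0; i < count; i++)
        if (strcmp(id, list[i]) == 0) return 1;
    return 0;
}

/* Constructed SYSTEM.CNF contents using the guide's example BOOT line. */
static const char sample_cnf[] =
    "BOOT=cdrom:\\SCED_018.22;1\r\n"
    "TCB=4\r\n"
    "EVENT=10\r\n"
    "STACK=801fff00\r\n";

int main(void)
{
    /* Constructed list standing in for the IDs already in the extracted TITLE.DB. */
    const char *const existing[] = { "SLUS_000.67", "SLUS_010.41" };
    char id[32];
    if (!extract_boot_id(sample_cnf, id, sizeof id)) {
        printf("no BOOT line found\n");
        return 1;
    }
    if (id_in_list(id, existing, 2))
        printf("%s already in TITLE.DB, nothing to add\n", id);
    else
        printf("%s not present; run: titleman -a %s\n", id, id);
    return 0;
}
```

On the sample the program reports that SCED_018.22 is not yet present and prints the titleman -a command the guide asks you to run next.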

Posted

In plain Greek,

the way has been found by which we can run some applications on an unchipped PS2 through the memory card,

but not yet the application which will allow copied games to play without a chip...

 

Let's hope this happens soon,

because the quality of the PS2's laser isn't up to much,

and the warranty is the most valuable thing on this console...

Posted

You will put it on with the x-port, a USB-to-USB cable together with the appropriate program, which transfers to and from the PS2. Unfortunately I haven't found it in Greece, but I ordered it from http://www.play.com for about 18 pounds. The good thing about the x-port is that it saves you from buying another card, since you essentially use your hard disk for storage.
