Forum: Official Free MC Boot Forums - Discussions and development of the newest and most advanced hack/exploit for the PS2!
Thread: Avenues for 900xx exploits (aka shots in the dark)
  1. #1 Avenues for 900xx exploits (aka shots in the dark)
    sleipnir (Registered User)
    Hi all

    It is well known that BIOS v2.30, present in most of the newest PSTwos (SCPH-900xx), blocks the loophole that allowed FMCB to run in the first place. So these consoles are, as of now, incapable of running FMCB (or any other homebrew) without the help from Swap Magic or other similar solution.

    I can imagine that some of the devs are probably busy looking for some new exploit. Yesterday something occurred to me. I haven't seen this possibility mentioned anywhere, although I suppose that some dev has probably figured it out already. But just in case, here it goes.

    The idea, basically, would be to test whether the PS2 browser has some kind of weakness in the code that reads the directory of the MC. (I mean, if you start the console without a disc or with the tray open, it has two options, "Browser" and "System Configuration"; if you press X twice, it will take you to a listing of the contents of the memory card). I have another (modded) PS2, of an older revision, and I remember that the MC got corrupted somehow and the console would lock up when accessing the card. And it was probably not due to some hardware failure, since we reformatted the card and it has been working perfectly ever since. So there is (or was, at least) some ungraceful error handling in that part of the code.

    What I was thinking is something similar in principle to the Zelda exploit on the Wii: craft a MC save which looks legitimate to the PS2, but that has some kind of anomalous data (i.e. a very large title of the game, a specially crafted icon, something) which could trigger some (as of yet undiscovered, I think) buffer overflow in the MC-listing routines in the BIOS. Then, by opening the crafted savegame (or, maybe, just listing the MC contents), an .elf could be (hopefully) launched. Step 1, find buffer overflow; step 3, profit.

    It would not be as elegant as pre-2.30 FMCB, of course, but still easy. Open tray, power up, X, X, X, there you go.

    Of course, it is just an idea, probably crazy, probably impractical, probably not original. Feel free to flame me.

    Now, unfortunately I don't really have the know-how to tinker with this (I have a 90004, so I would at least be able to legally obtain my BIOS and have a look at it), other than as a help tester. And I'd be in favor of donating $20 or something towards buying a 9000x for the developers to tinker with, but, of course, only if they really are in the position (and want) to try their hand at this task.

    Best
    sleipnir

  2. #2  
    yoshi314 (linux junkie)
    The most certain way would be to analyze a BIOS dump.

    BTW, are both DVD AND OSD update features removed?

  3. #3  
    sleipnir (Registered User)
    I suppose I could get a BIOS dump (or should be able to) if it would help you guys, although the utility I used (DUMPBIOS-MASS.ELF) did not seem to play nice with my USB stick (it did recognize my BIOS as a 2.30, but did not write anything out).

    Let me know and I'll do some more tests. (If any of you is aware of a specific USB stick brand that does work, also tell me - I understand that USB mass storage support is somewhat flaky).

    Cheers!

  4. #4  
    Krairo (Registered User)
    Does anyone know how I can turn my 90001-8c BIOS files into a PS2 BIOS file to be used by the PS2 emulator?
    Last edited by Krairo; 01-27-2009 at 03:18 PM. Reason: Edited

  5. #5  
    You use the dumped files you previously attached and place them in the BIOS folder of the emulator's working folder.

  6. #6  
    yoshi314 (linux junkie)
    Quote Originally Posted by sleipnir View Post
    I suppose I could get a BIOS dump (or should be able to) if it would help you guys, although the utility I used (DUMPBIOS-MASS.ELF) did not seem to play nice with my USB stick (it did recognize my BIOS as a 2.30, but did not write anything out).
    If you launch it off uLaunchELF, make sure it does NOT initialize USB before you launch the dumper.

    I had to
    - copy the dumper to memcard,
    - reboot PS2,
    - start uLaunchELF again,
    - launch dumper off memcard.

    Then it managed to dump the BIOS properly.

  7. #7  
    sleipnir (Registered User)
    That could work, I'll try it when I have some time to kill. Thanks for the tip!

    Edit: Worked beautifully. I did not even have to reboot the PS2, I just copied the dumper via FTP and loaded it with the filebrowser (I plugged the USB drive right before launching it). I have obtained the SPCH-9003_BIOS_VX_PAL_230.xxx collection of files (with .xxx being .BIN, .EROM, .NVM, .ROM1 and .ROM2). If anybody wants to take hold of them, PM me.
    Last edited by sleipnir; 01-28-2009 at 11:50 PM.

  8. #8  
    TnA (Member)
    Quote Originally Posted by sleipnir View Post
    Hi all

    It is well known that BIOS v2.30, present in most of the newest PSTwos (SCPH-900xx), blocks the loophole that allowed FMCB to run in the first place.
    First off, FMCB uses no "loophole", but the OSD upgrade feature, which Sony implemented.

    So these consoles are, as of now, incapable of running FMCB (or any other homebrew) without the help from Swap Magic or other similar solution.
    That is right (as of now).

    I can imagine that some of the devs are probably busy looking for some new exploit. Yesterday something occurred to me. I haven't seen this possibility mentioned anywhere, although I suppose that some dev has probably figured it out already. But just in case, here it goes.

    The idea, basically, would be to test whether the PS2 browser has some kind of weakness in the code that reads the directory of the MC. (I mean, if you start the console without a disc or with the tray open, it has two options, "Browser" and "System Configuration"; if you press X twice, it will take you to a listing of the contents of the memory card). I have another (modded) PS2, of an older revision, and I remember that the MC got corrupted somehow and the console would lock up when accessing the card. And it was probably not due to some hardware failure, since we reformatted the card and it has been working perfectly ever since. So there is (or was, at least) some ungraceful error handling in that part of the code.
    I heard about "corrupted MCs" which also make those versions stay in the BSOD.
    Seems there is some MC access done.

    What I was thinking is something similar in principle to the Zelda exploit on the Wii: craft a MC save which looks legitimate to the PS2, but that has some kind of anomalous data (i.e. a very large title of the game, a specially crafted icon, something) which could trigger some (as of yet undiscovered, I think) buffer overflow in the MC-listing routines in the BIOS. Then, by opening the crafted savegame (or, maybe, just listing the MC contents), an .elf could be (hopefully) launched. Step 1, find buffer overflow; step 3, profit.

    It would not be as elegant as pre-2.30 FMCB, of course, but still easy. Open tray, power up, X, X, X, there you go.

    Of course, it is just an idea, probably crazy, probably impractical, probably not original. Feel free to flame me.
    I think it is possible (depending on what vulnerabilities or hidden features are left...).
    But once Sony gets knowledge of a new exploit, they'll probably fix it very fast.
    Just let them produce more...
    I think there will be an exploit for all PS2s when it is officially abandoned.

    Now, unfortunately I don't really have the know-how to tinker with this (I have a 90004, so I would at least be able to legally obtain my BIOS and have a look at it), other than as a help tester. And I'd be in favor of donating $20 or something towards buying a 9000x for the developers to tinker with, but, of course, only if they really are in the position (and want) to try their hand at this task.

    Best
    sleipnir

    I just think a "short-life-time exploit" is something no-one really wants.
    When they produce more PS2s which might have the same lag, the exploit is of more use.

  9. #9  
    sleipnir (Registered User)
    Quote Originally Posted by TnA View Post
    First off,... FMCB uses no "loophole", but the OSD-Upgrade-Feature, which Sony implemented.
    Which, I suppose, was never meant to enable direct loading of homebrew/backups from an unmodified console with a bona fide Sony MC. Hence the "loophole".

    I heard about "corrupted MCs" which let those Versions also stay in BSOD.
    Seems, there is some MC-Access done.
    Hmmm. Do you mean with v2.30? I have seen reports of people with the screen just going black etc. after installing FMCB, but from what I have gathered, these have been cases of botched installations of FMCB in pre-v2.30 BIOSes. With v2.30, the PS2 just ignores FMCB and that's it.

    With the MC I told you about in my other post, there was no error screen or anything else - the PS2 browser just hung halfway through listing the contents.

    I think it is possible (depending on what vulnerabilities, or hidden features are left...).
    But once Sony get knowledge about a new exploit, they´ll probably fix it very fast.
    It depends. I can imagine that they have plenty of the 900xx PS2s already produced. In fact, if I am not mistaken, the letter of the datecode corresponds to the month of the year the console was assembled. Well, I bought mine like two weeks ago, and it is an 8D (=April 2008). So there are about eight months worth of already produced consoles in the pipeline. I doubt Sony is going to recall them all if a new exploit is found, so there would be ample time for interested people to grab one.

    In fact, if I am not mistaken, the feature which was recently patched was the same one used in Memento, so they have taken their time to fix it. The first working versions of Memento surfaced in Nov'07, and it has taken them about a year to get the patched PS2s to surface. Besides, now several important pieces of the puzzle (uLE, FMCB, ESR) are already done and working very well, so all that is needed is "only" finding the new exploit (not that it will be easy, but the apps are already there, and it will be useful from day 1).

    Besides, my hunch is that the PS2 is already near the end of its supported lifetime, if only because the next major revision would need another number (10000xx).

    Just let them produce more,...
    I think there will be an exploit for all PS2s, when it is officially abandoned.
    Hopefully.

    I just think a "short-life-time-exploit" is something no-one really wants.
    When they produce more PS2s which might have the same lag, the exploit is of/has more use.
    Again, if the FMCB/Memento exploit is any indication, the "short-life-time" would be around a year. Not only because of all the already fabricated PS2s, but also because I'm sure that the new BIOS versions have to undergo a rather strict QC process. Since they cannot be updated via software, it would be a disaster to ship consoles with broken BIOSes.

    Besides, I do not really think that Sony is that active in fixing the exploits. Sure, they have to do it eventually, but it does not seem to be a very high priority for them. After all, I'm sure that it has been a long time since they lost money on PS2 sales - they are probably making a nice profit on them. Besides, PS3 sales have finally overtaken the PS2 sales for good, and PS2 sales are declining fast, so the incentive to keep the PS2 alive is not as good. If they are able to bring the price point of the PS3 somewhat closer to that of XBOX360/Wii (and they eventually will), they will probably discontinue the PS2 to force people to go for the PS3 (and I'm sure they are rather impatient to do it).

    Cheers

  10. #10  
    yoshi314 (linux junkie)
    Quote Originally Posted by sleipnir View Post
    Well, I bought mine like two weeks ago, and it is an 8D (=April 2008)
    That would mean they modified the BIOS in order to disable Memento; FMCB came a few weeks later.

    Quote Originally Posted by sleipnir View Post
    my hunch is that the PS2 is already near the end of its supported lifetime, if only because the next major revision would need another number (10000xx)
    Does that mean that the PS3 will be around forever? :> It does not seem to be versioned; you can only guess which model you are dealing with by the size of the initially fitted HDD.