PS2Emu :: Emulation Gaming & Development News

PlayStation 2 Independence: The PS1DRV Hack

Friday, August 15th, 2003
Note: If you are having trouble getting the default .NPO files to work, you may be booting with a PS1 disc that isn't listed in the default TITLE.DB. You must get the Source Package and manually add your game's title ID with the supplied titleman program.
You can find your game's title ID by searching us.playstation.com (for US PS2 owners). The title ID is the first ten digits of the last part of the URL.

I will release more comprehensive docs in the near future (or someone can volunteer some :P). Also, if someone out there who owns a SharkPort or one of the other memcard adapters have save files they'd like to contribute, I'd be happy to post them here.

Files
nPort .NPO files:
BADATA-SYSTEM.npo (North America)
BEDATA-SYSTEM.npo (Europe)
BIDATA-SYSTEM.npo (Japan/Asia)

Source Package

README
PlayStation 2 Independence Day
http://www.0xd6.org/ps2-independence.html
Friday, August 15th, 2003

Marcus R. Brown <mrbrown@0xd6.org>
--

Introduction
--

I have released a binary and source package that exploits a flaw in the PS2's
handling of a special configuration file. This configuration file, named
TITLE.DB, is accessed from the PS2 PS1 driver (located at rom0:PS1DRV).

To make a long story short, the exploit allows anyone with a memory card and
a valid, legal PS1 disc to hijack the boot process and run any piece of code.
Absolutely no modification to the system is necessary to use the exploit (my
only working PS2 is not moddded, and I have developed and tested the exploit
on this machine). All one really needs is a way to send the files to the
memory card to enable the exploit.

<one pargraph gist>
PS1DRV parses a file called mc0:/BXDATA-SYSTEM/TITLE.DB (the X represents the
PS2's region code) to load graphic parameters for the PS1 game that was loaded
from the disc drive. There is a catastrophic buffer overflow in the parsing
routine that allows one to overflow the stack and execute arbitrary code by
rewriting the $RA register. If we load up our own TITLE.DB, with an entry for
every PS1 disc that we want to trigger the exploit, then we can take over the
PS2 boot process as soon as the disc is recognized and PS1DRV is executed.
</one paragraph gist>

The file exploit.c will have to serve as documentation on the exploit for
now, since I've been rushing to get this out and in people's hands.

If you use PS2 Independence for Evil - I AM NOT RESPONSIBLE.

All of the distributed source code is licensed under the Academic Free License
version 2.0. My copyrights _must_ remain intact if you choose to redistribute
the source package.

I'm looking forward to comments/criticisms about how the code can be improved,
and also creative uses for the exploit.

Using titleman
--

titleman allows you to create, add, and delete title entries from the TITLE.DB
file.

titleman supports to following options:

-c Create a new TITLE.DB file.
-a Add a title or a list of titles to TITLE.DB.
-d Delete a title or a list of titles from TITLE.DB.
-l List the contents of TITLE.DB.

-v Increase verbosity level.
-o Specify an output file (broken, don't use).

Examples:

$ ./titleman -c # Create a new TITLE.DB
$ ./titleman -a SCUS_000.67 # Add Castlevania:SOTN to TITLE.DB
$ ./titleman -a @title.lst # Add a list of titles found in title.lst to
# TITLE.DB (the '@' is required)
$ ./titleman -d PSXMAIN.EXE # Delete 'PSXMAIN.EXE' from TITLE.DB

Format of @list files
--

One title name per line. Comments are specified with ';' at the beginning of
the line.

Example:

; Castlevania: Symphony of the Night (one of my favorites :P)
SLUS_000.67

; Chrono Cross
SLUS_010.41

Further thoughts
--
There is another exploit that can be triggered exactly like this one, except
it lives on the PS1 disc in SYSTEM.CNF. I don't have a method to manufacture
valid PS1 discs, so this exploit doesn't interest me much. Developing code
for this exploit is an excercise left to the reader :).

Oh, if you or your company are looking for a low-level PS2 or GC hacker, I am
available for immediate contract work or other offers. My e-mail is the best
way to contact me.