With uLaunchELF as the initial program, users can include multiple homebrew programs on the same disc. For technical details please refer to my blog post. Read from here if you have a Slim PS2. Your console must be set to English language for the exploit to work other languages cause memory contents to change. To do this, boot without a disc inserted, press Circle to enter System Configuration and set your system language to English. Insert the disc into your console, and wait. It should boot into uLaunchELF within a few seconds.
Many people choose to run FreeMCBoot or Fortuna installer, as they find booting from a memory card more convenient. Try unplugging your controller, and plugging it back in. Apparently that solved the issue for this user. Try removing all memory cards. Try burning with different software. Apparently for this user and this user ImgBurn didn't work, but CDBurnerXP with 1x speed, compatibility settings, and finalize option worked.
Check the GitHub repo to see if the image has been updated recently. Download the new one if it has. Please, only open a GitHub issue if you have read and tried all of the above. If you do open an issue, please confirm that you tried a real DVD movie and it worked on your system so that we know it's not just a laser failure; also include your DVD player version, the name of the ISO you tried, the type of DVD, and what happens when you launch the disc.
Phat consoles have many different firmware version revisions, which makes them harder to add support for. The IFO file format is probably the simplest format used, and is responsible for storing the metadata that links the video files together. The interaction machine is what allows for interactive menus and games in DVD Videos. It has 32 groups of instructions, and is interesting because it could potentially be used to dynamically manipulate internal memory state to prime an exploit, or it could be used to create a universal DVD with a menu which allows you to select your firmware version and trigger the appropriate exploit.
Clearly it's not practical to do most of our testing on the real hardware since burning hundreds of test discs would be wasteful and time inefficient. We need an emulator with some debugger support, which is where we hit our first roadblock: the most popular emulator for PlayStation 2, PCSX2, does not support playing DVD Videos, and no one is interested in adding support.
I'd like to thank krHacken for helping me out with that first roadblock. I will continue to use Ghidra for decompilation as I've been using throughout my previous articles.
The DVD player does not contain any symbols so all names in code snippets were assigned by me through reverse engineering. Searching memory for contents of the file and then setting memory write breakpoints there to track back where it was written we quickly locate the API that reads disc contents used by the IFO parsing code, getDiscByte at 0x25c It's a stream reader which caches a number of sectors into a RAM buffer, and then automatically seeks more data once needed:.
From searching calls to this, we can also quickly find wrappers that fetch data of larger sizes: getDiscU16 0x25c , getDiscU32 0x25c9b8 , and getDiscData 0x25c9f0 , which is the most interesting as it reads an arbitrary length of data:. The first thing I did was search for calls to getDiscData in the hope of finding one with controllable size, and no bounds checking. Sure enough, we very quickly identify about 4 blatant buffer overflow vulnerabilities of this nature.
Relating back to the IFO file format, we can see that there are numerous bit array lengths which are needed to parse the variably sized data structures in the file. The DVD player mistakenly only ever expects the maximum lengths allowed by the DVD specification, and so it is missing checks to reject discs with larger lengths. Since all of the copies are done on statically allocated memory buffers, specifying larger than allowed lengths will cause buffer overflows. For example, below is decompilation for the one at 0x25b3bc :.
As you can see, we can control quite a large region of memory using the above vulnerability. However, scanning through that memory is initially very disappointing; there are very few pointers, and none of them look particularly interesting to corrupt!
Although there are no interesting pointers in this region, there are some indexes, which if corrupted could lead to further out of bounds memory corruption. Note that large reads like this won't always copy contiguous data from the IFO file, as sectors will start repeating once we exceed the file size, but generally assume that all data written by a getDiscData call can be controlled as it originates from somewhere on the disc.
Also, after writing a certain amount, we may overflow into internal state used by getDiscByte functions, but we will get to this later.
At 0x25e we have this call to an entry in a function pointer array, where we can control the bit fpIndex at 0xa from the overflow:. This primitive is not quite ideal, as none of our overflow bugs allow us to control the memory where the jump targets are read from.
Worse still, most of this memory region is mapped from a read-only section of the DVD Player, so it's unlikely that we can influence the contents of this memory region without another bug. After the function pointers, we do some see some addresses for switch case labels, which is slightly interesting because that allows us to jump into the middle of a function and execute its epilogue without having executed its prologue, allowing us to misalign the stack pointer and return to an unexpected value on the stack.
I went through all of these and unfortunately I was only ever able to use that to jump to 0. Finally after the code pointers, we see read only string data. Interestingly, this data can be changed by switching languages in the PS2 menu, which gives greater hope for finding at least 1 usable jump target in every firmware version, however it unfortunately comes at the cost of forcing the user to reconfigure their language.
I decided to dump the entire region of possible jump targets, group them into 4-bytes and see if any of them would point to memory that we control via the overflow vulnerability Amazingly, there is a result: index 0xe07e address 0x5f1f38 points to 0x , which is within our controlled range! This isn't perfect, since it's the cached virtual address, and so we might run into cache coherency problems, but it could work.
It's amazingly lucky that there happens to be a valid jump target we can use which already points to memory we can control. Since other DVD Player versions with different address spaces probably won't have this same luxury, I'll briefly talk about one other corruption primitive, in case it turns out to be useful for anyone trying to exploit their own console's version. Since indexForOOBW is a bit value, corrupting it via the large overflow could potentially allow writing to an arbitrary address in this path.
There's the constraint that the value must be 0 before you write it per the first line in that snippet , but that shouldn't make exploitation significantly more difficult. You could easily overwrite a NOP in a delay-slot somewhere into a jump to a register which happens to be controlled at time of execution.
Alternatively, a better approach would be chaining this OOB write with the OOB call mentioned above; you overwrite one of the addresses we can use as a jump target which happens to be 0 into an arbitrary new jump target. IFO' didn't exist.
We can't create this file normally because the code has a maximum filename length which we run into when we try large indexes like this I think it's either 15 or 16 bytes. You could work around the length limitation, and still use this bug to corrupt quite a large region of memory, or it might be possible to corrupt enough internal.
Chaining together this new exploit with that ESR loader would allow you to patch your backups so that they could just be burned and run on your console from boot as though they were official discs.
I don't really want to be responsible for maintaining a tool that does this, so I'm not including any of the code to do this in the repo, but the gist of it can be explained pretty quickly, so I'll just provide some notes explaining how I did it:. IFO to create the filesystem structure we need. Attributes we care about for those files are size 4-bytes and LBA position 2-bytes. The tool creates these files with size bytes, and LBAs and , so the byte patterns we are interested in are:.
Contents of the ISO filesystem used by games generally seem to start at around , which I believe is a requirement by Sony. Given this amount of space, it would even be possible to include some kind of Action Replay cheat menu or something on the disc, which could be a fun future project.
Latest: alexparrado, Nov 22, at PM. Any solution for the weird ps3 controller sync issue? General PS3 Discussion.
Latest: solomonbyte, Nov 22, at PM. Latest: M4j0r, Nov 22, at PM. Hardware Mods. Error d every time I try to download a game on PS3. CFW Tools. Latest: mrjaredbeta, Nov 22, at PM.
PS2 on PS4. PS3 Jonnysp's ird library is down.
0コメント