I guess everyone has already heard of M.R.Brown's "PS2 Independence" PS2 exploit. This exploit makes it possible to execute your own code stored on a memory card (even without a modchip).
When the PS2 boots a PSone game, the file title.db (which resides in the "System Settings" save file) is loaded from the memory card. Prepared with M.R.Brown's tool, this file causes a buffer overflow in the PS2 and leads to code execution.
So it is possible to put NapLink (which doesn't work currently, since NapLink seems to try to load some IRX files from the CDROM), PukkLink or any other connectivity tool on your memory card and then, with a simple bootup of a PSone game (which has to match one of the PSone games in the title.db), run the link application without a swap (and of course on a non-modded PS2).
If you have already compiled the PS2LIB library using the guides here, we can start with compiling the exploit (make sure that the environment variable PS2LIB is set as described in the previous tutorials):
- Download the source package here
- Copy the source package somewhere into your ps2lib structure (it doesn't have to be there, but I like it cleanly separated on my hard disk)
- Uncompress the archive:
tar -zxf ps2-id-0.1.tgz
- Now change into this directory and build the exploit:
make
- Now you have the exploit ready for work
Now we need to get our original "System Settings" save. To do this we need NapLink (or any other communication tool with which we can send ELFs to the PS2) and nPort (a game save manager from Napalm).
NapLink Download Link (installation/usage is explained in Uploading to the PS2)
nPort Download Link (this is a link to Wire's Napalm Website)
- Load up NapLink
- Send nPort.elf to the PS2 (make sure that there is also a saves directory in the same directory where nPort.elf resides)
- Once nPort has booted up you will see the list of savegames on the left-hand side of the screen. Choose "System Settings" and hit X.
- Now unpack the file BxDATA-SYSTEM with the following command line:
npo-x x BxDATA-SYSTEM.npo
NOTE: Depending on your region, the letter x in BxDATA-SYSTEM is either I, E or A.
- Now the savegame is decompressed and ready to be manipulated
Now we have to create a valid title.db file containing the buffer overflow. We do this with the PS2ID tool we just compiled.
- Change to the directory where you compiled PS2ID
- First create an empty title.db file:
titleman -c
- Now add a game or utility disc you own (to get the right code, insert your game/demo disc into your CDROM drive and write down the name of the SLES/SCUS file):
titleman -a SLES_xxx.xx
- Now you should have a nice title.db lying in front of you
- Copy this file to where you unpacked your "System Settings" savegame
Now we are still missing the binary that will be started. Just copy the ELF and all accompanying IRX files to the same directory where you just copied title.db. Rename the ELF to BOOT.ELF (the case is very important, since the loader is case-sensitive).
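As an added check (not part of the original tutorial or the PS2 Independence tools), a small POSIX shell script that verifies the staged save directory before it is repacked with npo-x: it catches the things the steps above warn about, a wrongly cased BOOT.ELF and a bad region letter, as well as a missing title.db or a malformed disc id. The directory layout, the argument order and the SLES_xxx.xx pattern are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial or the PS2 Independence tools.
# Sanity-check a staged "System Settings" save directory before running
# "npo-x a BxDATA-SYSTEM". Layout and argument order are assumptions.

# check_save_dir DIR REGION DISCID
# Prints one line per problem and returns 0 only if the directory is ready.
check_save_dir() {
    dir=$1; region=$2; discid=$3; rc=0

    # The loader is case-sensitive: only an upper-case BOOT.ELF is found.
    if [ ! -f "$dir/BOOT.ELF" ]; then
        echo "missing BOOT.ELF (the name must be upper case)"; rc=1
        # Point out a wrongly cased copy if one exists, e.g. boot.elf.
        for f in "$dir"/[Bb][Oo][Oo][Tt].[Ee][Ll][Ff]; do
            [ -e "$f" ] && echo "  found wrongly cased file: $(basename "$f")"
        done
    fi

    # title.db (built with titleman -c / titleman -a) must be present.
    [ -s "$dir/title.db" ] || { echo "missing or empty title.db"; rc=1; }

    # The x in BxDATA-SYSTEM is the region letter: I, E or A.
    case $region in
        I|E|A) ;;
        *) echo "bad region letter '$region' (expected I, E or A)"; rc=1 ;;
    esac

    # The disc id handed to titleman -a looks like SLES_xxx.xx or SCUS_xxx.xx.
    case $discid in
        S[A-Z][A-Z][A-Z]_[0-9][0-9][0-9].[0-9][0-9]) ;;
        *) echo "disc id '$discid' does not look like SLES_xxx.xx"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_save.sh ./BEDATA-SYSTEM E SLES_xxx.xx
if [ "$#" -eq 3 ]; then
    check_save_dir "$1" "$2" "$3"
fi
```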
Now we repack the savegame...
- Go to the save directory
- Pack the prepared files together into a valid savegame:
npo-x a BxDATA-SYSTEM
NOTE: Depending on your region, the letter x in BxDATA-SYSTEM is either I, E or A.
- Your savegame now contains the exploit and our boot binary
What still remains to be done is sending these settings back to the PS2 memory card.
- As before, fire up NapLink and upload nPort
- In the middle console choose DEL
- Now go to the left panel and delete "System Settings"
- Switch back to CPY in the middle console
- Go to the right panel, choose BxDATA-SYSTEM and hit the X button
Your system is now prepared for the exploit. If, during the next reboot of the PS2, the added game is booted, the binary you included in the gamesave should be started.