welcome to www.hangar-eleven.de - your premier resource for console development

  "PS2 Independence" exploit
  Written: August 23, 2003 @ 4:06 PM By: Thorsten Titze
 
 

I guess everyone has already heard of M.R.Brown's "PS2 Independence" exploit. It makes it possible to execute your own code stored on a memory card (even without a modchip).

When the PS2 boots a PSone game, it loads the file title.db (which resides in the "System Settings" save) from the memory card. A title.db prepared with M.R.Brown's tool causes a buffer overflow in that loader, which leads to execution of the code stored in the save.

So it is possible to put NapLink (which currently doesn't work, since NapLink seems to try to load some IRX files from the CD-ROM), PukkLink or any other connectivity tool on your memory card and then run it simply by booting a PSone game (the game has to match one of the PSone entries in title.db), without a swap and, of course, on a non-modded PS2.

If you have already compiled the PS2LIB library using the guides here, we start by compiling the exploit (make sure the environment variable PS2LIB is set as described in the previous tutorials):

  • Download the source package here
  • Copy the source package somewhere in your ps2lib structure (it doesn't have to be there, but I like to keep things cleanly separated on my hard disk)
  • Uncompress the archive

    tar -zxf ps2-id-0.1.tgz
  • Now change into this directory and build the exploit

    make
  • Now you have the exploit ready for work

Now we should get our original "System Settings" save. To do this we need NapLink (or any other communication tool with which we can send ELFs to the PS2) and nPort (a game save manager from Napalm).

NapLink Download Link (installation/usage is explained in Uploading to the PS2)
nPort Download Link (this is a link to Wire's Napalm Website)

  • Load up Naplink
  • Send nPort.elf to the PS2 (make sure that there is also a saves directory in the directory where nPort.elf resides)
  • Once nPort has booted, you see the list of savegames on the left-hand side of the screen. Choose "System Settings" and hit X.
  • Now unpack the file BxDATA-SYSTEM with the following command line

    npo-x x BxDATA-SYSTEM.npo

    NOTE:
    Depending on your region, the letter x is I, E or A.
  • The savegame is now decompressed and ready to be manipulated

Now we have to create a valid title.db file containing the buffer overflow. We do this with the PS2ID tool we just compiled.

  • Change to the directory where you compiled PS2ID
  • First we create an empty title.db file

    titleman -c
  • Now we add a game or utility disc we own (to get the right code, insert your game/demo disc into your CD-ROM drive and write down the name of the SLES/SCUS file)

    titleman -a SLES_xxx.xx
  • Now you should have a valid title.db in front of you
  • Copy this file to the directory where you unpacked your "System Settings" savegame

Now we are still missing the binary that will be started. Copy the ELF and all accompanying IRX files into the same directory where you just copied title.db. Rename the ELF to BOOT.ELF (the case matters, since the loader is case-sensitive).

Now we repack the savegame...

  • Go to the save directory
  • Pack the files you just prepared into a valid savegame

    npo-x a BxDATA-SYSTEM

    NOTE:
    Depending on your region, the letter x is I, E or A.
  • Your savegame now contains the exploit and our boot binary
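The build, title.db creation, staging and repacking steps above can be run as one script. The following is an added example and not part of the original tutorial or of the ps2-id or nPort packages; it assumes that titleman (from ps2-id) and npo-x (from nPort, named exactly as on this page) are on the PATH, and it adds the two checks that most often go wrong by hand: the region letter in the save name, and the upper-case spelling of BOOT.ELF.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Assumes the ps2-id tool
# "titleman" and Napalm's "npo-x" are on PATH; nothing here ships them.

# Map the region letter to the "System Settings" save file name, refusing
# anything but the three letters the tutorial names.
save_file_name() {
    case "$1" in
        I|E|A) printf 'B%sDATA-SYSTEM\n' "$1" ;;
        *) echo "unknown region letter '$1' (expected I, E or A)" >&2; return 1 ;;
    esac
}

# Return 0 if DIR holds a file named exactly BOOT.ELF (the loader is
# case-sensitive), 1 otherwise; name a wrongly-cased copy so the reader
# sees why the boot would fail.
check_boot_elf() {
    dir="$1"
    if [ -f "$dir/BOOT.ELF" ]; then
        return 0
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        if [ "$(printf '%s' "$base" | tr '[:lower:]' '[:upper:]')" = "BOOT.ELF" ]; then
            echo "found '$base' but the loader needs exactly 'BOOT.ELF'" >&2
            return 1
        fi
    done
    echo "no BOOT.ELF in $dir" >&2
    return 1
}

# Run the tutorial's steps in order: build title.db, stage ELF and IRX
# files into the unpacked save directory, verify, repack.
# Usage: prepare_save REGION GAME_ID SAVE_DIR ELF [IRX...]
#   e.g. prepare_save E SLES_xxx.xx ./saves ./pukklink.elf ./*.irx
prepare_save() {
    region="$1"; game_id="$2"; save_dir="$3"; elf="$4"; shift 4
    save_name=$(save_file_name "$region") || return 1
    titleman -c                        # create an empty title.db
    titleman -a "$game_id"             # add the disc you own
    cp title.db "$save_dir/"
    cp "$elf" "$save_dir/BOOT.ELF"     # upper case: the loader is case-sensitive
    for irx in "$@"; do cp "$irx" "$save_dir/"; done
    check_boot_elf "$save_dir" || return 1
    (cd "$save_dir" && npo-x a "$save_name")   # repack with Napalm's tool
}
```

The helpers can be sourced and used on their own; prepare_save is the only function that calls titleman and npo-x, so the checks can be exercised on a PC without the PS2 tools installed.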

What still remains to be done is sending these settings back to the PS2 memory card.

  • As before, fire up NapLink and upload nPort
  • In the middle console choose DEL
  • Now go to the left panel and delete "System Settings"
  • Switch back to CPY in the middle console
  • Go to the right panel, choose BxDATA-SYSTEM and hit the X button

Your system is now prepared for the exploit. The next time the PS2 boots the game you added, the binary you included in the savegame should start.

  Go to the Homepage of M.R.Brown [external link]



DISCLAIMERS:
Website Design © 2002 by Thorsten Titze / hangar-eleven.de
(the pictures used for the design were taken from a WindowsXP Skin and WindowsXP)
All brand names used on this site are registered trademarks of their respective owners
No copyright infringement is intended
Last updated @ 23-Aug-2003 5:51 PM