from the playing-games-with-game-playing-consoles dept.
Security Expert Discovered Flaw in PS2 That Gives a Way to Play Any Game
A security engineer who goes by the handle "CTurt" has hacked a PlayStation 2 console so that it runs any title he burns to a DVD. We're not talking about pirated games here, but titles that were never meant to run on a PS2, like the classic Mario platformer (played through a homebrew emulator), for example. He calls the hack "FreeDVDBoot" and says it needs no hardware intervention or any other kind of mod: all that is required is a burned DVD that triggers a buffer overflow in the console's built-in DVD player software.
The researcher gives all the technical details in his write-up. He experimented extensively with emulators to understand how the PS2's DVD player handles the DVD-Video format, i.e. the IFO navigation files and VOB video containers on the disc, which are an industry standard rather than a Sony-proprietary format. He looked specifically for buffer overflows in the player's getDiscData routine and found four. They share one pattern: a length field read from the disc is used as a copy size without being checked against the fixed-size destination buffer, so a disc that declares a length larger than allowed overwrites whatever sits beyond that buffer. If the overwritten region holds a pointer that is later used for a jump, and with some luck in finding such a pointer within the memory the overflow reaches, the attacker-controlled data from the disc can steer execution to code that also came from the disc.
A similar exploit may work with the PS1, which only supports CDs, and the PS3 and PS4, which both support Blu-ray discs. The security engineer may be eligible to earn up to $50,000 for a working PS4 exploit.
PlayStation 2 was released in Japan in March 2000, and discontinued worldwide in January 2013.
Also at Ars Technica.
(Score: 2) by Snotnose on Monday June 29 2020, @09:57PM (2 children)
Playing a DVD presents a huge attack surface. Why would this be so? MPEG2 is a container format. It's got a bunch of containers, each with an ID. Every once in a while you get a table of contents that says stuff like ID1 is english, ID2 is spanish, ID3 is closed captioning, ID4 is video, etc. Literally, you can put pretty much what you want in a container.
So if your container ID is sound, CC, or video, you just ensure the embedded packet length matches the packet length you read. Oops, lazy programmer detected. Plus, if you don't recognize an ID you just ignore it. Oops, another lazy programmer.
Is it really that hard? Or is the whole "callback to MPAA" shit so bad you can get hacked playing a, for $deity's sake, DVD.
Relationship status: Available for curbside pickup.
(Score: 2) by The Mighty Buzzard on Monday June 29 2020, @10:02PM
Both.
My rights don't end where your fear begins.
(Score: 2) by Snotnose on Monday June 29 2020, @11:03PM
Just remembered MPEG isn't packetized, so you can't go by how many bytes the hardware read. But still, each packet has a sync, a byte count, and a checksum/CRC. How hard can it be to figure out that something about your packet is dodgy, and scan the stream looking for the sync pattern?
Relationship status: Available for curbside pickup.
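Both the summary's description of the flaw (a length taken from the disc and used unchecked as a copy size) and Snotnose's point about validating packet lengths, checksums and resyncing on the sync pattern, as an added C example. This is not CTurt's code and not the PS2 DVD player's code: the record layout (sync bytes, tag, length, checksum), the memory layout and the sample stream are constructed for illustration and are not the DVD-Video IFO/VOB format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example (NOT the DVD-Video IFO/VOB layout):
 * 2 sync bytes, tag byte, length byte, payload, then a checksum byte equal to
 * the XOR of tag, length and payload. */
#define SYNC0 0xAA
#define SYNC1 0x55
#define HDR_LEN 4        /* sync(2) + tag + length */
#define PAYLOAD_MAX 16   /* capacity of the parser's fixed destination buffer */

/* The bug pattern the summary describes: a length read straight from the disc
 * is used as the copy size with no check against the destination. */
static void copy_payload_unchecked(uint8_t *dst, const uint8_t *rec)
{
    memcpy(dst, rec + HDR_LEN, rec[3]);   /* writes past dst when rec[3] > PAYLOAD_MAX */
}

/* Hardened version: the declared length must fit the destination AND the input
 * still available, and the checksum must match, before anything is copied.
 * Returns the payload length, or -1 for a malformed record. */
static int copy_payload_checked(uint8_t dst[PAYLOAD_MAX], const uint8_t *rec, size_t avail)
{
    if (avail < HDR_LEN + 1) return -1;                 /* header + checksum */
    if (rec[0] != SYNC0 || rec[1] != SYNC1) return -1;
    uint8_t len = rec[3];
    if (len > PAYLOAD_MAX) return -1;                   /* would overflow dst */
    if ((size_t)len + HDR_LEN + 1 > avail) return -1;   /* would read past input */
    uint8_t sum = rec[2] ^ rec[3];
    for (size_t i = 0; i < len; i++) sum ^= rec[HDR_LEN + i];
    if (sum != rec[HDR_LEN + len]) return -1;           /* corrupted or forged */
    memcpy(dst, rec + HDR_LEN, len);
    return len;
}

struct parse_stats { int good; int rejected; };

/* Walks a stream. A good record is consumed by its declared length; a rejected
 * one is not trusted for anything, so the parser steps past its sync bytes and
 * scans forward for the next sync pattern instead. */
static struct parse_stats parse_stream(const uint8_t *s, size_t n)
{
    struct parse_stats st = {0, 0};
    uint8_t buf[PAYLOAD_MAX];
    for (size_t i = 0; i + 1 < n; ) {
        if (s[i] != SYNC0 || s[i + 1] != SYNC1) { i++; continue; }
        int len = copy_payload_checked(buf, s + i, n - i);
        if (len >= 0) { st.good++; i += HDR_LEN + len + 1; }
        else          { st.rejected++; i += 2; }
    }
    return st;
}

/* A disc record declaring 20 payload bytes, 4 more than the buffer holds. */
static void build_oversized_record(uint8_t rec[HDR_LEN + 20 + 1])
{
    rec[0] = SYNC0; rec[1] = SYNC1; rec[2] = 0x10; rec[3] = 20;
    memset(rec + HDR_LEN, 'A', 20);
    rec[HDR_LEN + 20] = 0;   /* checksum; the unchecked path never looks at it */
}

/* That record through the unchecked copy. The destination is a 16-byte buffer
 * followed by 4 bytes standing in for whatever follows it in a real binary (a
 * saved return address, a function pointer). Returns those 4 bytes afterwards:
 * 0x41414141, i.e. "AAAA" taken from the disc. */
static uint32_t overflow_demo(void)
{
    uint8_t mem[PAYLOAD_MAX + 4] = {0}, rec[HDR_LEN + 20 + 1];
    uint32_t after;
    build_oversized_record(rec);
    copy_payload_unchecked(mem, rec);
    memcpy(&after, mem + PAYLOAD_MAX, sizeof after);
    return after;
}

/* The same record through the checked path: rejected before any byte is copied. */
static int checked_demo(void)
{
    uint8_t buf[PAYLOAD_MAX], rec[HDR_LEN + 20 + 1];
    build_oversized_record(rec);
    return copy_payload_checked(buf, rec, sizeof rec);
}

/* Constructed stream: a valid record, one declaring 200 bytes but truncated, a
 * valid empty record, and one with a bad checksum. Expect good=2, rejected=2. */
static struct parse_stats demo_stream(void)
{
    static const uint8_t stream[] = {
        SYNC0, SYNC1, 0x01, 0x03, 'x', 'y', 'z', 0x79,   /* valid          */
        SYNC0, SYNC1, 0x02, 0xC8, 'B', 'B', 'B', 'B',    /* length 200     */
        SYNC0, SYNC1, 0x03, 0x00, 0x03,                  /* valid, empty   */
        SYNC0, SYNC1, 0x04, 0x01, 'q', 0x00,             /* wrong checksum */
    };
    return parse_stream(stream, sizeof stream);
}

int main(void)
{
    struct parse_stats st = demo_stream();
    printf("unchecked copy left 0x%08x after the buffer\n", (unsigned)overflow_demo());
    printf("checked copy returned %d\n", checked_demo());
    printf("stream: %d good, %d rejected\n", st.good, st.rejected);
    return 0;
}
```

The checked path rejects a bad length before touching memory, and the stream walker never uses a rejected record's length to find the next one; it resynchronizes by scanning for the sync bytes, which is exactly the "something about your packet is dodgy, scan for the sync pattern" behaviour a robust player needs.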
(Score: 1, Funny) by Anonymous Coward on Monday June 29 2020, @10:38PM (2 children)
So I just burn a .nes ROM to a DVD with this hack and it will magically work? What about my MAME collection? Does it support PS4 games?
(Score: 4, Touché) by takyon on Monday June 29 2020, @10:49PM
Disregard that line if you value your sanity.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Monday June 29 2020, @11:33PM
Read the writeup.
He shows an example where he uses the exploit to boot existing NES and SNES emulators for the PS2 from a DVD.
(Score: 3, Informative) by Anonymous Coward on Monday June 29 2020, @11:19PM
The news stories were incredibly light on detail to the point of absolute uselessness.
The writeup was properly informative.
Man, selfboot games on PS2. Really, really cool.
The exploit that lets him run code from DVD can be chained into running ESR, which will boot the patched game on the disc.
It's not perfect since the first stage of the exploit is model-specific and would need different offsets on different machines, but an attack which hits all system versions at the same time might be possible.
Even if it isn't, you could just burn a disc containing an FMCB installer that uses this exploit to boot, and that's it.
The installer would be model-specific, but that's fine, it'd massively simplify the install process to "what model PS2 do you have? burn this DVD, run the installer, done", which would be amazing. No more need to own specific discs beforehand or have a friend who did it already to run the install for you.