2 weeks ago I stumbled upon a video by Modern Vintage Gamer: https://www.youtube.com/watch?v=8b5UX5xd-lE
Now, I have never developed for the PSX, and I had never even owned one, so I was extremely surprised to learn that arbitrary code execution on the PSX required a modchip until 3 weeks ago, when tonyhax was released. While tonyhax is a nice improvement for people who don't want to mod their PSX, it still requires an original game, and I took it as a challenge to go one step further: exploit the PSX with only a memory card. My goal was to achieve arbitrary code execution using nothing but a memory card.
So I immediately registered here, and I bought my first ever PSX the day after (an unmodded SCPH-9002), and started reversing the BIOS, and specifically the memory card management code. After a few days, I found a vulnerability which looked unexploitable at first, because of the many checks that the BIOS does when reading the memory card, but I eventually found a way to modify a value in RAM, which I used to escalate to arbitrary code execution, which I have finally achieved! The exploit was first tested successfully with the no$psx emulator (many thanks to the author, it was incredibly helpful), and then I soldered some wires to my memory card, attached it to an arduino board to upload the payload, and tested it on my real SCPH-9002 PSX.
For the first proof of concept, my exploit just turns the screen red (I used the code in tonyhax's entry.S file). The exploit is still not completely stable (sometimes it doesn't trigger), the CPU cache may be the cause. I will try to improve this, of course. I will release the technical details and the source code in the coming days.
While it still needs to be developed, I can already see 2 potential advantages with this exploit:
- All the games should work flawlessly without needing any patching: the exploit is very "clean", and merely overwrites a function pointer that can be easily restored afterwards (it doesn't use any kind of buffer overflow). This all happens before any game is loaded, so there is no BIOS functions to restore or anything of the sort.
- No need to launch a game, trigger the exploit, and swap the CD: faster and less annoying
More seriously, the main drawback is that the exploit targets a specific BIOS version, and it must be recreated for every other version. The good news though is that there is no reason that the same vulnerability would not be exploitable on older BIOS versions (unless Sony somehow introduced the vulnerability in SCPH-9002, but that's highly unlikely).
It's getting late and I will continue working on it tomorrow, but in the meantime here's a video of the screen getting red after gaining code execution (I also tried the exploit with the green color, to ensure it was not a random glitch):