FreePSXBoot - arbitrary code execution with ONLY a memory card (no game needed)

Bradlin
Interested PSXDEV User
Posts: 7
Joined: Mar 23, 2021


Post by Bradlin » April 8th, 2021, 9:42 am

Hello,

2 weeks ago I stumbled upon a video by Modern Vintage Gamer: https://www.youtube.com/watch?v=8b5UX5xd-lE

Now, I have never developed for the PSX, and I had never even owned one, so I was extremely surprised to learn that arbitrary code execution on the PSX required a modchip until 3 weeks ago, when tonyhax was released. While tonyhax is a nice improvement for people who don't want to mod their PSX, it still requires an original game, and I took it as a challenge to go one step further: exploit the PSX with only a memory card. My goal was to achieve arbitrary code execution using nothing but a memory card.

So I immediately registered here, and I bought my first ever PSX the day after (an unmodded SCPH-9002), and started reversing the BIOS, and specifically the memory card management code. After a few days, I found a vulnerability which looked unexploitable at first, because of the many checks that the BIOS does when reading the memory card, but I eventually found a way to modify a value in RAM, which I used to escalate to arbitrary code execution, which I have finally achieved! The exploit was first tested successfully with the no$psx emulator (many thanks to the author, it was incredibly helpful), and then I soldered some wires to my memory card, attached it to an arduino board to upload the payload, and tested it on my real SCPH-9002 PSX.

For the first proof of concept, my exploit just turns the screen red (I used the code in tonyhax's entry.S file). The exploit is still not completely stable (sometimes it doesn't trigger); the CPU cache may be the cause. I will try to improve this, of course. I will release the technical details and the source code in the coming days.

While it still needs to be developed, I can already see 2 potential advantages with this exploit:
  • All the games should work flawlessly without needing any patching: the exploit is very "clean", and merely overwrites a function pointer that can be easily restored afterwards (it doesn't use any kind of buffer overflow). This all happens before any game is loaded, so there are no BIOS functions to restore or anything of the sort.
  • No need to launch a game, trigger the exploit, and swap the CD: faster and less annoying :)
The drawback is of course that the PSX must be started with the lid open :)

More seriously, the main drawback is that the exploit targets a specific BIOS version, and it must be recreated for every other version. The good news though is that there is no reason that the same vulnerability would not be exploitable on older BIOS versions (unless Sony somehow introduced the vulnerability in SCPH-9002, but that's highly unlikely).

It's getting late and I will continue working on it tomorrow, but in the meantime here's a video of the screen getting red after gaining code execution (I also tried the exploit with the green color, to ensure it was not a random glitch):

Last edited by Bradlin on April 13th, 2021, 8:07 am, edited 1 time in total.

yaroze
Curious PSXDEV User
Posts: 21
Joined: Jun 07, 2016

Post by yaroze » April 9th, 2021, 8:50 am

This is very impressive work! :) :) I'm not an expert on the PS1 (unfortunately) and so I'm not sure how much help I would be - but I really hope that you are able to get this exploit working. There are some really knowledgeable people on this forum who may be able to help you if required, and the author of tonyhax (socram) also just registered here a few weeks ago.

Good luck, and please continue to report your progress!

Bradlin
Interested PSXDEV User
Posts: 7
Joined: Mar 23, 2021

Post by Bradlin » April 10th, 2021, 9:36 am


Squaresoft74
Verified
/// PSXDEV | ELITE ///
Posts: 303
Joined: Jan 07, 2016
PlayStation Model: SCPH-7502
Location: France

Post by Squaresoft74 » April 10th, 2021, 10:42 am

Confirming it's also working with SCPH-7002 and SCPH-7502 consoles since they share the same BIOS version you're currently targeting for the SCPH-9002 one.
Great work! :)

damiank94
Curious PSXDEV User
Posts: 22
Joined: Feb 09, 2019

Post by damiank94 » April 10th, 2021, 8:28 pm

Well, that escalated quickly. Unfortunately on PSone it's not working. Hope it will tho.

yaroze
Curious PSXDEV User
Posts: 21
Joined: Jun 07, 2016

Post by yaroze » April 11th, 2021, 10:45 am

damiank94 wrote: April 10th, 2021, 8:28 pm Well, that escalated quickly. Unfortunately on PSone it's not working. Hope it will tho.
For some reason, the BIOS on the mini-PSone seemed to resemble the one from the older SCPH-100x/55xx models rather than the newer SCPH-7xxx/900x models (even though the mini-PSone was released afterwards), which may be why this exploit doesn't work on the mini-PSone.

I'm not sure why Sony reverted back to the older BIOS style for the mini-PSone, but if anybody knows why then I would be interested to know the reason.

Bradlin
Interested PSXDEV User
Posts: 7
Joined: Mar 23, 2021

Post by Bradlin » April 13th, 2021, 8:07 am

Thanks to the amazing work of the psxdev community, FreePSXBoot can now load a version of unirom which is capable of loading games. Updated images are available on github: https://github.com/brad-lin/FreePSXBoot

damiank94
Curious PSXDEV User
Posts: 22
Joined: Feb 09, 2019

Post by damiank94 » April 14th, 2021, 7:13 am

https://reachcoding.eu/psx-memory-card-formatter

I've used this one to format my memory card when it didn't work for me.

Also, didn't work on PSone with PM-41 and PM-41(2) boards (hangs on the browser when trying to enter the manager). Is the MC image format a problem? I've used .gme through MC Annihilator.
Last edited by damiank94 on April 14th, 2021, 7:55 am, edited 1 time in total.

oman
What is PSXDEV?
Posts: 1
Joined: Apr 14, 2021

Post by oman » April 14th, 2021, 7:35 am

I have working code to read and write PSX memory cards with the PC using Sony's official memory card USB device.
(I believe there's a PS2 McBoot install method that does this)

I'll put together a quick utility some time this week to install FreePSXBoot and see if we can't make this even easier.

oman

Ichisuke
Curious PSXDEV User
Posts: 17
Joined: Jun 19, 2020

Post by Ichisuke » April 14th, 2021, 8:29 am

damiank94 wrote: April 14th, 2021, 7:13 am https://reachcoding.eu/psx-memory-card-formatter

I've used this one to format my memory card when it didn't work for me.

Also, didn't work on PSone with PM-41 and PM-41(2) boards (hangs on the browser when trying to enter the manager). Is the MC image format a problem? I've used .gme through MC Annihilator.
Didn't check the board on the 2 PSone I tested but both work fine with the memory card image for the 4.5 bios revision. Probably both are 41(2) with latest bios, didn't bother to open and check inside the consoles. 4.4 wasn't working.
Also I've written the memory card by simply flashing the file as it is with MC Annihilator, no rename, no conversion, nothing. Also converting the mem card image you probably lose the "triggering entry" for the exploit. I just pressed R2 (I think) and it listed all the file types on the usb pendrive and flashed it as it is.

danhans42
BANNED
Posts: 330
Joined: Nov 28, 2012

Post by danhans42 » April 14th, 2021, 5:54 pm

Booting great on my laser-less 5552 machine. Nice easy way to boot unirom for me :)

Also, for using the PS3 Memory Card adapter - see this thread http://www.psxdev.net/forum/viewtopic.php?t=3428
Orion wrote a tool for using it a while ago. Haven't tried it myself however.

Elbart
Interested PSXDEV User
Posts: 7
Joined: Apr 13, 2021

Post by Elbart » April 14th, 2021, 9:53 pm

damiank94 wrote: April 14th, 2021, 7:13 am I've used .gme through MC Annihilator.
The files you can download there are raw images.
MC Annihilator requires raw images, which .gme-files are not.

Mdv
Active PSXDEV User
Posts: 69
Joined: Jul 06, 2020
PlayStation Model: SCPH-7502
Location: United Kingdom

Post by Mdv » April 19th, 2021, 11:05 am

FreePSXBoot fastload image won't load on SCPH-7502, only the non-fastload 4.1 image will load.

On a slim I get a white screen with 4.5.

Squaresoft74
Verified
/// PSXDEV | ELITE ///
Posts: 303
Joined: Jan 07, 2016
PlayStation Model: SCPH-7502
Location: France

Post by Squaresoft74 » April 20th, 2021, 12:50 pm

Retry using latest releases. ;)

Mdv
Active PSXDEV User
Posts: 69
Joined: Jul 06, 2020
PlayStation Model: SCPH-7502
Location: United Kingdom

Post by Mdv » April 21st, 2021, 4:56 am

SCPH-5552 works OK. SCPH-7502 and SCPH-102 are picky with memory cards; 9002 works with official memory cards.

Bradlin
Interested PSXDEV User
Posts: 7
Joined: Mar 23, 2021

Post by Bradlin » April 22nd, 2021, 8:14 am

A new release has just been posted, feedback is welcome. I can confirm it works with 9002 with a cheap knock-off memory card.

Mdv
Active PSXDEV User
Posts: 69
Joined: Jul 06, 2020
PlayStation Model: SCPH-7502
Location: United Kingdom

Post by Mdv » April 22nd, 2021, 9:18 am

Bradlin wrote: April 22nd, 2021, 8:14 am A new release has just been posted, feedback is welcome. I can confirm it works with 9002 with a cheap knock-off memory card.
How did you write it? I used Memory Card Annihilator. The new images need putting on the unirom disc.

Bradlin
Interested PSXDEV User
Posts: 7
Joined: Mar 23, 2021

Post by Bradlin » April 22nd, 2021, 6:57 pm

Mdv wrote: April 22nd, 2021, 9:18 am How did you write it? I used Memory Card Annihilator. The new images need putting on the unirom disc.
I used an STM32-based board (bluepill) with some custom code, but that's equivalent to memcarduino.

Orion_
Verified
Legendary Programmer
Posts: 240
Joined: Aug 13, 2012
I am a: Programmer
PlayStation Model: Net Yaroze
Location: France

Post by Orion_ » May 2nd, 2021, 6:55 pm

I had this idea in mind for years, but never took the time to actually work on it (and I doubt I have the skill to reverse engineer the BIOS code),
so, very nice job on that!
As someone already pointed out, you can use my memory card manager tool to import a save to a memory card easily using the PS3 memory card USB adaptor :)
http://onorisoft.free.fr/psx/psx.htm
Retro game development on Playstation and other consoles http://orionsoft.free.fr/

Bradlin
Interested PSXDEV User
Posts: 7
Joined: Mar 23, 2021

Post by Bradlin » May 5th, 2021, 12:16 am

Orion_ wrote: May 2nd, 2021, 6:55 pm I had this idea in mind for years, but never took the time to actually work on it (and I doubt I have the skill to reverse engineer the BIOS code),
so, very nice job on that!
As someone already pointed out, you can use my memory card manager tool to import a save to a memory card easily using the PS3 memory card USB adaptor :)
http://onorisoft.free.fr/psx/psx.htm
That's nice, could you confirm that it will not attempt to "fix" the directory entry and/or the broken sector list? This is a requirement for the exploit to work.
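A small checker for the point raised in that last post, added here and not part of FreePSXBoot or of any tool named in this thread: a card-writing tool must leave block 0 (header, directory entries in frames 1-15, broken sector list in frames 16-35) exactly as the image has it. The script parses a raw image (stripping a DexDrive .gme header if present, since MC Annihilator expects raw), verifies each frame's XOR checksum, and lists which block-0 frames differ between the image you wrote and one read back from the card. The frame layout and checksum rule follow nocash's psx-spx documentation; the blank card is a constructed sample, not a FreePSXBoot image.

```python
import struct

FRAME = 128
CARD_SIZE = 16 * 64 * FRAME          # 128 KiB: 16 blocks of 64 frames of 128 bytes
GME_HEADER = 3904                    # DexDrive .gme prefix (begins "123-456-STD"), not raw

def frame_checksum(frame: bytes) -> int:
    """XOR of bytes 0..126 of a frame; byte 127 stores the checksum."""
    c = 0
    for b in frame[:127]:
        c ^= b
    return c

def make_blank_card() -> bytes:
    """Constructed sample: a freshly formatted card with every directory slot free."""
    def fr(prefix):                   # pad to 127 bytes and append the XOR checksum
        body = prefix.ljust(127, b"\0")
        return body + bytes([frame_checksum(body)])
    frames = [fr(b"MC")] + [fr(struct.pack("<IIH", 0xA0, 0, 0xFFFF))] * 15
    frames += [fr(b"\xff" * 4)] * 20 + [fr(b"")] * 28
    return b"".join(frames).ljust(CARD_SIZE, b"\0")

def to_raw(image: bytes) -> bytes:
    """Strip a .gme header if present; MC Annihilator and similar tools want raw."""
    if image.startswith(b"123-456-STD"):
        image = image[GME_HEADER:]
    if len(image) != CARD_SIZE:
        raise ValueError(f"unexpected image size {len(image)}")
    return image

def block0_report(image: bytes) -> dict:
    """Header, per-frame checksums, directory entries (1-15), broken-sector list (16-35)."""
    f = [to_raw(image)[i * FRAME:(i + 1) * FRAME] for i in range(64)]
    rep = {"header_ok": f[0][:2] == b"MC", "bad_checksums": [], "dir": [], "broken": []}
    rep["bad_checksums"] = [n for n in range(36) if frame_checksum(f[n]) != f[n][127]]
    for n in range(1, 16):
        state, size, nxt = struct.unpack_from("<IIH", f[n], 0)   # alloc state, size, next block
        name = f[n][10:31].split(b"\0", 1)[0].decode("ascii", "replace")
        rep["dir"].append({"frame": n, "state": state, "size": size, "next": nxt, "name": name})
    for n in range(16, 36):
        rep["broken"].append(struct.unpack_from("<I", f[n], 0)[0])  # 0xFFFFFFFF = unused
    return rep

def changed_frames(written: bytes, readback: bytes) -> list:
    """Block-0 frames that differ between what you wrote and what the card reads back."""
    a, b = to_raw(written), to_raw(readback)
    return [n for n in range(64) if a[n * FRAME:(n + 1) * FRAME] != b[n * FRAME:(n + 1) * FRAME]]
```

If `changed_frames` returns anything in the 1-35 range after a write/read cycle, the tool repaired the directory or broken-sector frames and the image is no longer what you intended to put on the card.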
