PlayStation Development Network

Hello,

2 weeks ago I stumbled upon a video by Modern Vintage Gamer: https://www.youtube.com/watch?v=8b5UX5xd-lE

Now, I have never developed for the PSX, and I had never even owned one, so I was extremely surprised to learn that arbitrary code execution on the PSX required a modchip until 3 weeks ago, when tonyhax was released. While tonyhax is a nice improvement for people who don't want to mod their PSX, it still requires an original game, and I took it as a challenge to go one step further: exploit the PSX with only a memory card. My goal was to achieve arbitrary code execution using nothing but a memory card.

So I immediately registered here, and I bought my first ever PSX the day after (an unmodded SCPH-9002), and started reversing the BIOS, and specifically the memory card management code. After a few days, I found a vulnerability which looked unexploitable at first, because of the many checks that the BIOS does when reading the memory card, but I eventually found a way to modify a value in RAM, which I used to escalate to arbitrary code execution, which I have finally achieved! The exploit was first tested successfully with the no$psx emulator (many thanks to the author, it was incredibly helpful), and then I soldered some wires to my memory card, attached it to an arduino board to upload the payload, and tested it on my real SCPH-9002 PSX.

For the first proof of concept, my exploit just turns the screen red (I used the code in tonyhax's entry.S file). The exploit is still not completely stable (sometimes it doesn't trigger), the CPU cache may be the cause. I will try to improve this, of course. I will release the technical details and the source code in the coming days.

While it still needs to be developed, I can already see 2 potential advantages with this exploit:

• All the games should work flawlessly without needing any patching: the exploit is very "clean", and merely overwrites a function pointer that can be easily restored afterwards (it doesn't use any kind of buffer overflow). This all happens before any game is loaded, so there is no BIOS functions to restore or anything of the sort.
• No need to launch a game, trigger the exploit, and swap the CD: faster and less annoying

The drawback is of course that the PSX must be started with the lid open

More seriously, the main drawback is that the exploit targets a specific BIOS version, and it must be recreated for every other version. The good news though is that there is no reason that the same vulnerability would not be exploitable on older BIOS versions (unless Sony somehow introduced the vulnerability in SCPH-9002, but that's highly unlikely).

It's getting late and I will continue working on it tomorrow, but in the meantime here's a video of the screen getting red after gaining code execution (I also tried the exploit with the green color, to ensure it was not a random glitch):

This is very impressive work! I'm not an expert on the PS1 (unfortunately) and so I'm not sure how much help I would be - but I really hope that you are able to get this exploit working. There are some really knowledgeable people on this forum who may be able to help you if required, and the author of tonyhax (socram) also just registered here a few weeks ago.

Good luck, and please continue to report your progress!

And it's released: https://github.com/brad-lin/FreePSXBoot/

Confirming it's also working with SCPH-7002 and SCPH-7502 consoles since they share the same bios version you're currently targetting for the SCPH-9002 one.
Great work !

Well, that escalated quickly. Unfortunately on PSone it's not working. Hope it will tho.

damiank94 wrote: ↑April 10th, 2021, 8:28 pm Well, that escalated quickly. Unfortunately on PSone it's not working. Hope it will tho.

For some reason, the BIOS on the mini-PSone seemed to resemble the one from the older SCPH-100x/55xx models rather than the newer SCPH-7xxx/900x models (even though the mini-PSone was released afterwards), which may be why this exploit doesn't work on the mini-PSone.

I'm not sure why Sony reverted back to the older BIOS style for the mini-PSone, but if anybody knows why then I would be interested to know the reason.

Thanks to the amazing work of the psxdev community, FreePSXBoot can now load a version of unirom which is capable of loading games. Updated images are available on github: https://github.com/brad-lin/FreePSXBoot

https://reachcoding.eu/psx-memory-card-formatter

I've used this one to format my memory card when it didn't work for me.

Also, didn't work on PSone with PM-41 and PM41(2) boards (hangs on browser when try to enter manager). Is mc image format any problem? I've used .gme through MC Annihilator.

I have working code to read and write PSX memory cards with the PC using Sony's official memory card USB device.
(I believe there's a PS2 McBoot install method that does this)

I'll put together a quick utility some time this week to install FreePSXBoot and see if we can't make this even easier.

oman

damiank94 wrote: ↑April 14th, 2021, 7:13 am https://reachcoding.eu/psx-memory-card-formatter

I've used this one to format my memory card when it didn't work for me.

Also, didn't work on PSone with PM-41 and PM41(2) boards (hangs on browser when try to enter manager). Is mc image format any problem? I've used .gme through MC Annihilator.

Didn't check the board on the 2 PSone I tested but both work fine with the memory card image for the 4.5 bios revision. Probably both are 41(2) with latest bios, didn't bother to open and check inside the consoles. 4.4 wasn't working.
Also I've written the memory card by simply flashing the file as it is with MC Annihilator, no rename, no conversion, nothing. Also converting the mem card image you probably lose the "triggering entry" for the exploit. I just pressed R2 (I think) and it listed all the file types on the usb pendrive and flashed it as it is.

Booting great on my laser-less 5552 machine. Nice easy way to boot unirom for me

Also, for using the PS3 Memory Card adapter - see this thread http://www.psxdev.net/forum/viewtopic.php?t=3428
Orion wrote a tool for using it a while ago. Havent tried it myself however.

damiank94 wrote: ↑April 14th, 2021, 7:13 am I've used .gme through MC Annihilator.

The files you can download there are raw images.
MC Annihilator requires raw images, which .gme-files are not.

freepsxboot fastload image won't load on scph-7502, only the non fastload 4.1 image will load.

on a slim i get a white screen with 4.5

Retry using latest releases.

scph-5552 work ok. scph-7502- scph-102 are picky with memory cards, 9002 works with official memory cards

A new release has just been posted, feedback is welcome. I can confirm it works with 9002 with a cheap knock-off memory card.

Bradlin wrote: ↑April 22nd, 2021, 8:14 am A new release has just been posted, feedback is welcome. I can confirm it works with 9002 with a cheap knock-off memory card.

how did you write it? i used memory card annihilator. the new images need putting on the unirom disc

Mdv wrote: ↑April 22nd, 2021, 9:18 am how did you write it? i used memory card annihilator. the new images need putting on the unirom disc

I used a STM32 based board (bluepill) with some custom code, but that's equivalent to memcarduino.

I had this idea in mind since years, but never took the time to actually work on it, (and I doubt I have the skill to reverse engineer the bios code)
so, very nice job on that !
as someone already pointed out, you can use my memory card manager tool to import a save to a memory card easily using the ps3 memory card usb adaptor
http://onorisoft.free.fr/psx/psx.htm

Orion_ wrote: ↑May 2nd, 2021, 6:55 pm I had this idea in mind since years, but never took the time to actually work on it, (and I doubt I have the skill to reverse engineer the bios code)
so, very nice job on that !
as someone already pointed out, you can use my memory card manager tool to import a save to a memory card easily using the ps3 memory card usb adaptor
http://onorisoft.free.fr/psx/psx.htm

That's nice, could you confirm that it will not attempt to "fix" the directory entry and/or the broken sector list? This is a requirement for the exploit to work.