START-UP Card for retail, again

Posted: Fri Dec 03, 2004 12:17 pm
by Shine
I've seen a description about a DVD player at http://www.ps2home.co.uk/dvd.htm and it looks like a program can be started from the memory card (it is delivered with a DVD remote controller; I think I'll buy one tomorrow...), at least when a movie DVD is inserted. My Linux Kit arrives next week, so until then I can't debug the ROM, but perhaps this gives a hint for more experienced hackers :-)

Posted: Fri Dec 03, 2004 12:39 pm
by Guest
Sony's official remote control (at least, the old one, don't know about the new one) comes with an update disk that installs a new dvdplayer binary onto a memory card.

Yes, this binary is executed by the system's bios when a DVD is inserted.

No, you cannot substitute your own code or something similar for this specific binary - it is magicgate encrypted.

There is a memcard file exploit available however, the information can easily be found by searching around. [edit:] There is no relationship between the memcard exploit and the dvdplayer. But it seems to be what you were thinking of. As for your other thread on buffer overflows, that's how the memcard exploit is activated.

Posted: Fri Dec 03, 2004 12:47 pm
by Shine
gorim wrote:No, you cannot substitute your own code or something similar for this specific binary - it is magicgate encrypted.
Of course you can, because you could disassemble the ROM part which does the update from the update CD, and you can analyze the update CD itself, but it may be difficult.
gorim wrote:There is a memcard file exploit available however, the information can easily be found by searching around.
Yes, I know one, which needs a PS1 game. Very nice first hack, but I hope it could be done more elegantly, with a memcard only.

Posted: Fri Dec 03, 2004 1:28 pm
by Guest
Shine wrote:
gorim wrote:No, you cannot substitute your own code or something similar for this specific binary - it is magicgate encrypted.
Of course you can, because you could disassemble the ROM part which does the update from the update CD, and you can analyze the update CD itself, but it may be difficult.
Of course you can't, because the decryption is done in hardware. The file is retrieved in encrypted form from the update CD, and is stored in the same encrypted form on the memcard. The BIOS ROM will only retrieve such a file that has been encrypted, unless of course you are planning to burn your own ROM chip and replace the one on the PS2.

There is only one way around this, and that is to reverse-engineer the MagicGate encryption algorithm itself, and that's not a topic for these forums.
Shine wrote:
gorim wrote:There is a memcard file exploit available however, the information can easily be found by searching around.
Yes, I know one, which needs a PS1 game. Very nice first hack, but I hope it could be done more elegantly, with a memcard only.
Do you think you are the first person to think of, and hope for, that?

A "nice first hack"? For someone who seems to know little of the subject in question, of the people involved, and their dev work, you express quite a condescending attitude. If you want to impress people with it, I suggest going to ps2ownz.

Posted: Fri Dec 03, 2004 3:06 pm
by Shine
gorim wrote: Of course you can't, because the decryption is done in hardware. The file is retrieved in encrypted form from the update CD, and is stored in the same encrypted form on the memcard. The BIOS ROM will only retrieve such a file that has been encrypted, unless of course you are planning to burn your own ROM chip and replace the one on the PS2.

There is only one way around this, and that is to reverse-engineer the MagicGate encryption algorithm itself, and that's not a topic for these forums.
You are right: if the encryption algorithm is implemented in hardware, perhaps with some private key stored in hardware, and using some public/private-key cryptographic algorithm, it would be nearly impossible to encrypt your own software. But perhaps some parts of the loader in ROM can be attacked with another buffer overflow? Then you don't need to reverse-engineer the encryption algorithm.
gorim wrote:
Shine wrote:Yes, I know one, which needs a PS1 game. Very nice first hack, but I hope it could be done more elegantly, with a memcard only.
Do you think you are the first person to think of, and hope for, that?

A "nice first hack"? For someone who seems to know little of the subject in question, of the people involved, and their dev work, you express quite a condescending attitude. If you want to impress people with it, I suggest going to ps2ownz.
Sorry, I didn't want to be condescending and I don't want to impress anyone. I only want to develop some software for the PlayStation 2 when I can spend some time on it, but I'm new to PS2 development, so I have a lot to learn (only the PS2 details, because I have been developing in C++ and Java on Windows and Unix, and even assembler on PIC microcontrollers, for years, and some decades ago assembler on the C64).

I don't know ps2ownz, but it looks like they don't care if someone uses such hacks for making illegal copies. This is not what I want. As a programmer I know how much work it is to write programs, so everybody should pay for it, if the programmer wants it. But protecting these rights must not cripple the PlayStation in such a way that homemade programs are difficult to run on normal PlayStations, and that's the reason why I'm searching for it.

It should be easy for end-users to download small programs from the internet, perhaps with a hacked autostart memcard program which provides an ethernet connection and where the programs are saved as saved games. The free utilities and libs of ps2dev are great work and can help to reach this.

Posted: Fri Dec 03, 2004 4:04 pm
by ooPo
Welcome to ps2dev. Try not to be scared away. :)

Posted: Fri Dec 03, 2004 4:43 pm
by Guest
Well, you are right that there may be other areas for buffer overflows. The author of the current memcard exploit did point out another, somewhat more difficult vector for a buffer overflow. And although you should assume that the ROMs have been combed over thousands of times, by all means, you should also do it too to get your own understanding of how things work. Maybe you will find something new?

As for the holy grail of a self-booting memcard, beware of what you ask, as that would also be the final nail in the coffin of playing warez software without a modchip or cosmetically/structurally damaging swap methods. Well, hdloader/advance almost made it there. I am not saying don't do your own research, but we all need to be careful about what we do in the name of Dev, especially considering the possibility of some things getting accidentally "released" into the wild. :)

As it stands, there are already many ways to boot the PS2 to do dev work and run/develop little programs, already mentioned, and they don't contribute nearly as much to the warez issue. Unless a self-booting memcard is an academic exercise you are willing to forever keep to yourself, you can always consider focusing on other areas. Your choice. :)

Oh and, as ooPo said, welcome to PS2DEV ;) The temperature can get hot, but it's usually quite comfortable here ;)

Posted: Fri Dec 03, 2004 4:46 pm
by stefan
gorim wrote:Sony's official remote control (at least, the old one, don't know about the new one) comes with an update disk that installs a new dvdplayer binary onto a memory card.

Yes, this binary is executed by the system's bios when a DVD is inserted.

No, you cannot substitute your own code or something similar for this specific binary - it is magicgate encrypted.
Yes, you can substitute your own code - the entire file isn't "magicgate" encrypted. BTW, MagicGate is not an encryption method, it's a process - a process for authentication. The PS2 uses the MagicGate process to authenticate licensed memory cards. It also uses the process to authenticate (or sign) executables, and possibly other binary formats we've never seen used on the PS2...

Anyway, back on point, with all of the armor used in the DVD player ELF, there are still sections of the file that are in plaintext and that are not checksummed. By overwriting those sections you can cause your own code to run when the DVD player is executed (or the browser, if you copy the ELF to a certain spot on the memory card).

It's not a trivial task, which is probably why no one has come forward publicly with details yet. It's funny this came up because we were talking about this in #ps2dev the other day.

Posted: Fri Dec 03, 2004 7:47 pm
by Shine
gorim wrote:As it stands, there are already many ways to boot the PS2 to do dev work and run/develop little programs, already mentioned, and they don't contribute nearly as much to the warez issue. Unless a self-booting memcard is an academic exercise you are willing to forever keep to yourself, you can always consider focusing on other areas. Your choice. :)
I don't think that a self-booting memcard would contribute to the warez issue, because with the save-game hack you can use a normal save-game transfer device and a PS1 CD, and it is possible to misuse it. But for a booting memcard you need to write other areas and in other formats on the card, so you need something like the Linux kit.

OK, you can combine both exploits, but this is nothing for the average user. The only danger is when someone sells burned memcards with illegal "backup" loaders, but the only difference to the current state of the art is that you don't need a PS1 CD any more.

Hmm, perhaps this is a reason not to release it. You can already create your own loader on the memory card if you use the Linux kit CD1, so it is nothing that someone who wants to show their own little games on other PS2s needs.
gorim wrote: Oh and, as ooPo said, welcome to PS2DEV ;) The temperature can get hot, but it's usually quite comfortable here ;)
Thanks.

I've browsed a little bit around this forum and the webpage, and it looks like there are really professional people here. I like the idea of using the hardware without any library level provided by Sony. You can't do this on a PC, because nowadays there is too much different hardware, but this is no problem with a PS2; it feels like programming a C64, I hope (full control over the hardware)!

Posted: Tue Dec 28, 2004 5:05 pm
by zaphod
You can't put a backup loader onto a memcard and have it work. Sony wisely implemented the protection in dedicated hardware, instead of in software like on the X-Box. CDVDMAN is the ROM library for reading from CD/DVD. But it doesn't do the protection checks. They are handled elsewhere in the PS2, and that's why you need a modchip to beat the checks.

I hope I didn't stray beyond the bounds of acceptable discussion. I only said what the protection isn't.