New hack runs homebrew code from a DVD-R on an unmodified PlayStation 2

A demo by CTurt shows a SNES emulator running on a PS2 from a burned DVD-R.

Almost 20 years after its initial release, a hacker has found a way to run homebrew software on an unmodified PlayStation 2 using nothing more than a carefully burned DVD-R.

Previous efforts to hack the PS2 relied on internal modifications, external hardware (such as memory cards and previously hacked hard drives) or bugs found only on very specific models of the system. The newly discovered FreeDVDBoot differs from that previous work by exploiting a bug in the console's DVD video player to create a completely software-based method of executing arbitrary code on the system.

Security researcher CTurt presented the discovery and the FreeDVDBoot method in detail in a blog post this weekend. Decompiling and analyzing the code used by the PS2's DVD player, CTurt found a function that expects a 16-bit field from a properly formatted DVD but will readily accept more than 1.5 megabytes from a malicious one.

Sending carefully formatted data to that function causes a buffer overflow, which in turn can be used to make the system jump to a memory area containing arbitrary code written by the attacker. That code can instruct the system to load an ELF file stored on the burned DVD-R. Building on previous PS2 homebrew efforts like uLaunchELF, it is relatively straightforward to use that DVD-R to load homebrew software or even full copies of copy-protected PS2 games.
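The bug class described above, as an added illustration that is not CTurt's code and does not use the real IFO layout: a constructed, simplified pointer table (a 16-bit entry count followed by 4-byte entries, both big-endian) is parsed once by a function that trusts the on-disc count, and once by a hardened version that checks it against the fixed buffer and the bytes actually present. The names, the table format, the 64-entry capacity and the sample tables are all assumptions made for the example; the real overflow CTurt describes reaches more than 1.5 megabytes, which this toy format cannot.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified analogue of a DVD IFO pointer table: a 16-bit
 * big-endian entry count followed by 4-byte big-endian entries.  This is NOT
 * the real IFO layout and NOT CTurt's code; it only illustrates the bug class
 * the article describes (a parser that trusts a length field from the disc). */
#define ENTRY_SIZE   4
#define MAX_ENTRIES  64          /* capacity of the parser's fixed buffer (assumed) */
#define HEADER_SIZE  2

typedef struct {
    uint32_t entries[MAX_ENTRIES];
    uint16_t count;
} ptt_table;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the entry count comes straight from the disc and drives
 * the copy into a fixed-size buffer.  A count above MAX_ENTRIES writes past
 * entries[] (up to 65535 * 4 bytes into a 256-byte array).  Only ever call
 * this on the benign sample below; on the malicious one it corrupts memory. */
void vuln_parse(const uint8_t *ifo, ptt_table *out) {
    uint16_t n = rd16(ifo);
    for (uint16_t i = 0; i < n; i++)                      /* no bound check on n */
        out->entries[i] = rd32(ifo + HEADER_SIZE + (size_t)i * ENTRY_SIZE);
    out->count = n;
}

/* How many bytes vuln_parse would write for a given header, so the overflow
 * can be measured without actually corrupting memory in this demonstration. */
size_t vuln_copy_len(const uint8_t *ifo) { return (size_t)rd16(ifo) * ENTRY_SIZE; }

/* Hardened parser: checks the count against the buffer capacity and against
 * the bytes actually available, and rejects the table otherwise.
 * Returns 0 on success, -1 no header, -2 count exceeds buffer, -3 truncated. */
int safe_parse(const uint8_t *ifo, size_t ifo_len, ptt_table *out) {
    if (ifo_len < HEADER_SIZE) return -1;
    uint16_t n = rd16(ifo);
    if (n > MAX_ENTRIES) return -2;                       /* would overflow entries[] */
    if ((size_t)n * ENTRY_SIZE > ifo_len - HEADER_SIZE) return -3;
    for (uint16_t i = 0; i < n; i++)
        out->entries[i] = rd32(ifo + HEADER_SIZE + (size_t)i * ENTRY_SIZE);
    out->count = n;
    return 0;
}

/* Constructed sample tables (not taken from any real disc). */
const uint8_t benign_ifo[] = { 0x00, 0x02,                 /* 2 entries */
                               0x00, 0x00, 0x01, 0x00,     /* entry 0 = 0x100 */
                               0x00, 0x00, 0x02, 0x00 };   /* entry 1 = 0x200 */
const uint8_t malicious_ifo[] = { 0xFF, 0xFF,              /* claims 65535 entries */
                                  0x41, 0x41, 0x41, 0x41 };/* attacker data follows */

int main(void) {
    ptt_table t;
    if (safe_parse(benign_ifo, sizeof benign_ifo, &t) == 0)
        printf("benign: %u entries, first = 0x%x\n", t.count, t.entries[0]);
    printf("malicious: vulnerable parser would write %zu bytes into a %zu-byte buffer\n",
           vuln_copy_len(malicious_ifo), sizeof t.entries);
    printf("malicious: hardened parser returns %d\n",
           safe_parse(malicious_ifo, sizeof malicious_ifo, &t));
    return 0;
}
```

The point to take from the two parsers is that the count field is just another attacker-controlled byte sequence on the disc: the safe version treats it as untrusted input and bounds it twice, once against the destination buffer and once against the source length, before touching memory.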

The exploit is currently limited to very specific versions of the PS2 DVD player firmware found in later editions of the console and will not work on earlier systems. But CTurt writes that he is "sure that all other versions also contain these same trivial IFO parser overflows" and can be exploited with broadly similar methods. The community is also examining the possibility of similar hacks through the Blu-ray player on the PS3 and PS4 (or the CD player on the PS1).

Better late than never?

In 2020, it seems unlikely that a new software-only piracy method for the PS2 will have much effect on Sony's bottom line. But we can't help but marvel at Sony's luck that such a feat was not found and spread during the PS2's heyday in the early 2000s.

A DVD-R copy of Shadow of the Colossus running on an unmodified PlayStation 2, courtesy of CTurt's exploit.

Remember that the PS2 existed in a time before the regular distribution of system firmware updates, whether by download or bundled on game discs. A PS2 exploit that allowed simple and widespread piracy with nothing more than a DVD burner could therefore have had a major impact on the PS2 software market, just as similar exploits did for the Dreamcast.

More than that, though, this new PS2 hack proves once again that even the best copy protection schemes will eventually fall if the community pays enough attention and puts in enough effort. At best, console makers are only buying time before someone finds a way to trick the system into acting like a general-purpose computer. For Sony, that effort apparently bought over 20 years of effective protection against simple DVD-R-based hacks.

Listing image: CTurt / YouTube