10 Days of Hacking, Day 3: The PS2
The PS2 still remains the best selling console of all time, only almost surpassed by the DS. Almost. With the PS2 we get to see modchips and disc swapping once again, only more advanced, plus the introduction of software-based hacks.
With the PS2, modchips became much more complex, having to patch much more than simply the CD drive; some modchips even resorted to fully replacing the PS2 BIOS in order to work. Disc swapping was also out of the question: Sony learned from their mistakes and you can no longer simply fool the PS2 as you did with the PS1.
Despite this, hackers weren’t stopped and many ways to circumvent the PS2’s security were found, most of which relied on modchips, but I will not be reviewing them; I will review other PS2 hacks I consider clever, or a stupid mistake by Sony.
Also, since the PS2’s security is vast, I will not cover it as I did for the NES and PS1; I will only talk about the specific hacks and how they work, no more, no less.
Although the swapping trick used on the PS1 doesn’t apply for PS2 games, Swap Magic made good use of a feature the PS2 had.
PS2 games have the ability to load ELF files from the disc, as long as the inserted disc is verified. Once the PS2 verifies the disc, it starts by loading the ELF file pointed to by a SYSTEM.CNF file on the disc. From there on the game can do whatever it wants: there is no real operating system, the game runs on bare metal, and the only check the PS2 does from then on is on the tray sensors (which vary depending on the model) to know whether the tray has been opened or not. Swap Magic takes advantage of this.
Swap Magic is a pressed disc that the PS2 recognizes as legit (how they managed to press PS2 discs is beyond me, but unofficial pressed discs have existed since the PS1 era). The PS2 reads Swap Magic’s main ELF and loads it like any other game, and this is where the fun begins. Swap Magic has a set of intentionally bad sectors where some files are supposed to exist. When Swap Magic tells the PS2’s CDVD drive to read these files from those bad sectors, the read fails; the PS2 keeps retrying but is eventually unable to read them, causing the CDVD drive to stop both the laser and the motor, so the disc stops spinning. This allows the user to easily swap Swap Magic for another game, be it a backup or an import: as long as the tray’s sensors are all blocked and the PS2 doesn’t know that the tray is being opened, you can swap it freely.
Once the disc has been swapped, Swap Magic’s main ELF is still in memory, so the swap doesn’t stop Swap Magic from working. The user can now tell Swap Magic that the disc has been changed, and Swap Magic proceeds to read the new disc’s SYSTEM.CNF file to obtain the filename of the main disc ELF and loads it, just like any game can load an ELF.
Swap Magic works for two reasons: the PS2 stops the CDVD drive when a bad sector is being read, and the user can swap the discs without the PS2 knowing; as long as the PS2 doesn’t know the drive has been opened, it doesn’t recheck the game. It’s a pretty clever hack that many people used in its time, and it’s still being used.
Little Known Fact: Swap Magic still works even on the PS3, even on the latest PS3 firmware! Although Sony did patch the swapping method, you can still use Swap Magic to load an ELF from USB and launch your favorite PS2 homebrews on your PS3 in HD glory, something very nice for people like me who have no other way of running homebrews on the PS3.
FREE MC BOOT
The Grand Master of all PS2 hacks.
FMCB is a software hack that gets installed on the Memory Card of your PS2 and lets you run homebrew ELFs from it.
It doesn’t cause any harm, it doesn’t require opening the PS2, and the hack can be easily reverted by simply removing the Memory Card itself. But how did it work?
To know how FMCB works we need to know one little known fact about the PS2: it was originally meant to be upgradeable by means of the Memory Card. It was simple: you insert an official Sony update disc into the system, it installs on the memory card, and your PS2’s system menu is updated with new features and bug fixes; we can also assume it patches exploits.
The idea was quickly scrapped by Sony for obvious reasons: it’s so easy to downgrade! All you have to do is change the memory card. The update was also tied to your system, which prevented a second-hand market for memory cards, and back then Sony wasn’t that draconian. Fact is that only one actual update was ever issued, and it may still be floating around the interwebs.
Even though Sony never ended up using the PS2’s ability to be updated from the MC, they never really removed the feature from their console, not even in slimline models. You can now guess how FMCB works, right? It’s simple: it tricks the PS2 into thinking it’s a valid update from Sony, and so it patches the entire browser. One thing to note is that, although the updates were originally intended to work only on the system they were applied to, FMCB managed to patch this, so you can install it on one PS2 and use it on another, as long as they have the same region.
Unfortunately Sony released an updated PS2 model that is no longer upgradeable through the Memory Card, rendering FMCB non-installable in SCPH-9000X models.
There are only two problems with Free MC Boot. First, the installer needs to be executed somehow, so you must already have a way to run ELFs; Swap Magic or another trick I’ll explain later will work just fine. Second, it does not allow you to play backup games: FMCB only patches the browser to be able to execute ELF files, but does not patch the CDVD drive to circumvent its security measures. For that there’s another clever hack.
ESR is an application that lets you play certain PS2 backups without modifying the system, as long as these backups are specially patched. ESR is always used in conjunction with FMCB: FMCB loads ELF files such as ESR, and ESR loads backup games.
The way ESR plays backups is by taking advantage of two of the main selling points of the PS2: its DVD drive and its ability to play Video DVD.
The standard format used for DVDs on the PS2 is UDF (Universal Disk Format), which supports multi-session discs.
What ESR does is patch the ISO image of the game to include two different data sessions, or tracks. The first one, the one that is immediately accessible to the CDVD drive, is a dummy track that resembles that of a Video DVD, fooling the CDVD drive into thinking that a Video DVD has been inserted. Since playing recorded Video DVDs is allowed on the PS2 and the machine does no other check on the media, the CDVD drive gives the disc the green light as a supported disc.
With the CDVD drive fooled, it is now time to mount the DVD using the second session, which contains the game itself. Since we have already fooled the system into booting ESR and we have already fooled it into recognizing our disc, we can now freely load ELF files from there, so all ESR has to do is read the SYSTEM.CNF file to obtain the path of the game’s main ELF and load it, effectively running our game.
ESR no longer works on the PS3 (Sony is not that stupid this time around), but it still works on every PS2 model, with the difference that SCPH-9000X models have patched FMCB, so Swap Magic or a modchip are better options there, and if you have either of those then there’s no real need for ESR.
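Both Swap Magic and ESR end the same way: read SYSTEM.CNF, pull out the main ELF path, load it. As an added example (my own code, not from Swap Magic, ESR or any PS2 tool), here is that lookup done on a PC, plus a sanity check that the file found actually starts with an ELF header. It assumes the key names real discs use (BOOT2 on PS2, BOOT on PS1) and the cdrom0:\FILE;1 value shape, neither of which the article spells out; the two sample SYSTEM.CNF contents and the title IDs in them are constructed.

```python
"""Find the main ELF a PS2 (or PS1) SYSTEM.CNF points to.

Added example for this article, not code from Swap Magic, ESR or any PS2 tool.
Assumptions not stated in the article: PS2 discs name the main ELF in a BOOT2
key (PS1 discs use BOOT), values look like cdrom0:\\SLUS_123.45;1, and the
file may use CRLF line endings. The sample contents below are constructed.
"""
import re

# Constructed samples; the title IDs are made up.
SAMPLE_PS2_CNF = "BOOT2 = cdrom0:\\SLUS_123.45;1\r\nVER = 1.00\r\nVMODE = NTSC\r\n"
SAMPLE_PS1_CNF = "BOOT = cdrom:\\SLUS_999.99;1\r\nTCB = 4\r\nEVENT = 10\r\nSTACK = 801fff00\r\n"

# Constructed byte strings standing in for the first bytes of a disc file.
ELF_HEADER_START = b"\x7fELF\x01\x01\x01" + b"\x00" * 9   # ELF32, little-endian
NOT_AN_ELF = b"MZ\x90\x00" + b"\x00" * 12                  # a DOS/PE stub instead


def parse_system_cnf(text: str) -> dict:
    """Return a dict of KEY -> value. Keys are upper-cased and whitespace is
    trimmed; blank lines and lines without '=' are ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().upper()] = value.strip()
    return entries


# device:\path;version, e.g. cdrom0:\SLUS_123.45;1 (the backslash and
# the ;version suffix are both optional so slightly odd discs still parse).
_BOOT_RE = re.compile(r"^(?P<dev>\w+):\\?(?P<path>[^;]+)(?:;(?P<ver>\d+))?$")


def boot_target(cnf: dict):
    """Pick the boot entry the way the console does: BOOT2 for PS2, else BOOT
    for PS1. Returns (platform, device, path) or None if no usable entry."""
    for key, platform in (("BOOT2", "PS2"), ("BOOT", "PS1")):
        value = cnf.get(key)
        if value is None:
            continue
        m = _BOOT_RE.match(value)
        if not m:
            return None  # key present but malformed: refuse rather than guess
        return platform, m.group("dev"), m.group("path").replace("\\", "/")
    return None


def looks_like_elf(data: bytes) -> bool:
    """Cheap header check before handing a file to a loader: ELF magic plus
    ELFCLASS32 (0x01) and little-endian (0x01), which is what PS2 binaries are."""
    return len(data) >= 6 and data[:4] == b"\x7fELF" and data[4] == 1 and data[5] == 1


if __name__ == "__main__":
    for name, cnf_text in (("PS2 sample", SAMPLE_PS2_CNF), ("PS1 sample", SAMPLE_PS1_CNF)):
        print(name, "->", boot_target(parse_system_cnf(cnf_text)))
    print("header check:", looks_like_elf(ELF_HEADER_START), looks_like_elf(NOT_AN_ELF))
```

The point of the header check is the one the article keeps making: once the drive has said yes to a disc, nothing downstream verifies what the loaded file is, so a tool that mimics the console's boot path should at least confirm it is handing over an ELF.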
REPLACING A GAME’S ELF
This is the other hack I mentioned that you can use to install FMCB if you don’t have Swap Magic, although it requires having very specific games. I didn’t know about this hack until I found it in a thread here at /talk, so make sure to check it out, it’s in Other Platforms -> Homebrews & Security -> [Tutorials] PS2 Thread: Softmod, game backups, homebrew, for more insight on how to perform this hack.
As I mentioned a few times already, PS2 games can load other ELF files from the game disc. Some PS2 games have a bunch of other ELFs they run for a specific task in which the main game is not needed, or where it needs to be unloaded to free up RAM.
The idea behind this hack is to create an exact copy of such a game, but replacing one of those secondary ELFs with your own crafted one (the most widely used is uLaunchELF), being extra careful that the resulting crafted ISO has the exact same size as the original one.
Once you have this crafted copy of the game burned to a DVD, you play the original game until just before the secondary ELF is about to be loaded, then swap the original game for the crafted backup so that the game loads the uLaunchELF ELF instead of the original one.
It’s a fairly delicate procedure, as even the slightest mistake can make the whole thing fail, but once done right you’ll have a permanent way to fool your PS2 into loading whatever you want, and you don’t have to pay for Swap Magic. Swap Magic is much more convenient, but you may already own one of the games known to work with this trick. Be sure to check out the thread. I really loved this hack because it’s clever, even if I have no real use for it; I do not know who came up with it, but big props.
Old as the PS2 is, it’s still incredible how many clever and interesting hacks came out of it, and how much juice you can get from them: homebrew, cheat devices, Linux, game modding. I remember spending countless hours in front of my PS2 either playing games or messing with its homebrew scene, a scene that, although dead, still has a lot of jewels to uncover.