PS2 ProtoPwn (Protokernel Exploit by pcm720) - Now all PS2s are hackable via MemoryCard (MILESTONE)

Breaking News in the PS2 Scene: a NEW MemoryCard Exploit for Protokernel PS2s (SCPH-10000, SCPH-15000, and DTL-H10000(S)) just got released!!! It took 25 years to reach this point, but NOW ALL PS2s, including ALL special models (Arcade, Prototype, Debug, Consumer-model, "special/custom builds"), can load Homebrew WITHOUT DISCS!

The exploit was created by developer @pcm720, who is known for "(H)OSDmenu" and NHDDL, and is titled "ProtoPwn". It boots AUTOMATICALLY if present on the MemoryCard, and it works from ANY MemoryCard, so MagicGate support is not required for this Exploit to work!

You can even simply copy the Exploit "Save" to another MemoryCard, for example with the PS2's own "Browser"!



  • ProtoPwn
    An exploit for the Protokernel PlayStation 2 systems (SCPH-10000, SCPH-15000, and DTL-H10000(S)) that enables arbitrary code execution through a flaw in the OSDSYS Browser update code.
    Usage
    • Run make
    • Copy BIEXEC-SYSTEM to the root of your memory card
    • Copy the payload you want to run to BOOT/BOOT.ELF

    How it works
    ProtoPwn consists of a fairly simple two-stage payload and a packer tool:
    1. MBROWS replacement
      • Runs from 0x7a0000
      • Patches OSDSYS code to execute a custom function in the main thread
      • Applies the EELOAD kernel patch
      • Deinitializes OSDSYS
      • Finds the target ELF on mc0 or mc1
      • Executes the embedded ELF loader
    2. Embedded ELF loader
      • Cleans up after OSDSYS
      • Loads the target ELF
      • Resets the IOP
      • Executes the target ELF
    3. Simple packer script
      • Does the bare minimum required to get OSDSYS to accept and "decompress" our payload
      • Actually increases the file size
    The target ELF path can be modified at build-time by passing the BOOT_PATH argument to make.
    BOOT_PATH must be relative to mc0/mc1, e.g. BOOT/BOOT.ELF

    Browser update
    During initialization, protokernel OSDSYS checks for a Browser (MBROWS) update manifest in mc1:/BIEXEC-SYSTEM/ and mc0:/BIEXEC-SYSTEM/.
    The manifest file is called OSBROWS and consists of just three lines:
    101 — module version, must be higher than 100
    PROTPWN — module filename, relative to `BIEXEC-SYSTEM`. Cannot exceed 7 characters
    007a0000 — module load address
    When this file exists, OSDSYS will parse it, load the specified file at 0x1000000 and decompress it to the specified load address. This module is then executed as the OSD Browser thread function.
    Similar to __mbr, this module must be headerless, with its entry point located at the beginning of the payload.
    For some reason, unlike system updates, the Browser update is completely unencrypted, has no integrity or validity checks and uses a fairly unsophisticated compression scheme that can be easily bypassed.
    Thus, it is possible to get code execution just by creating a custom payload that will run in the Browser thread.

    Module compression
    OSD modules are always compressed. The compression scheme is block-based and structured as follows:
    <4-byte uncompressed payload length in little endian>
    <4-byte block descriptor>
    <30-byte block>
    <4-byte block descriptor>
    <30-byte block>
    ...
    The block descriptor marks whether the byte in this block is compressed and contains the byte shift and byte mask used to unpack the bytes.
    The OSDSYS unpacker stops processing right after reaching the declared payload length, ignoring all trailing bytes.
    To bypass the compression, the uncompressed payload can be written as-is, with the length header at the start of the payload and four null bytes preceding each 30-byte block.
    See osdpack code for more details.
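As an added example (not pcm720's osdpack and not code from the README above), assuming the three-line manifest and the 4+30-byte block layout exactly as described: a small checker that validates an OSBROWS manifest against the stated constraints and walks a module container, decoding only stored blocks (all-zero descriptor). `store_container` is a hypothetical helper that builds such a container from a constructed payload; real compressed descriptors are not decoded, since their bit layout is not documented here.

```python
import struct

HEADER = 4   # little-endian uncompressed payload length
DESC = 4     # block descriptor size
BLOCK = 30   # payload bytes per block


def parse_manifest(text):
    """Parse an OSBROWS manifest (version, module filename, load address)
    and enforce the constraints the README states."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) != 3:
        raise ValueError("OSBROWS must consist of exactly three lines")
    version = int(lines[0])
    if version <= 100:
        raise ValueError("module version must be higher than 100")
    name = lines[1]
    if not 1 <= len(name) <= 7:
        raise ValueError("module filename cannot exceed 7 characters")
    return {"version": version, "name": name, "load_addr": int(lines[2], 16)}


def store_container(payload):
    """Hypothetical helper: wrap a payload without compressing it, i.e.
    length header, then four null bytes before each 30-byte block."""
    out = bytearray(struct.pack("<I", len(payload)))
    for i in range(0, len(payload), BLOCK):
        out += b"\0" * DESC + payload[i:i + BLOCK]
    return bytes(out)


def inspect_container(data):
    """Walk a module container and return (payload, stored_only).
    Stops at the declared length (trailing bytes ignored, as OSDSYS does).
    A non-zero descriptor means a genuinely compressed block; decoding stops
    there and stored_only is False."""
    (length,) = struct.unpack_from("<I", data, 0)
    payload, pos, stored_only = bytearray(), HEADER, True
    while len(payload) < length:
        if pos + DESC > len(data):
            raise ValueError("container truncated before declared length")
        desc = data[pos:pos + DESC]
        pos += DESC
        if desc != b"\0" * DESC:
            stored_only = False
            break
        chunk = data[pos:pos + BLOCK]
        pos += BLOCK
        payload += chunk[:length - len(payload)]
    return bytes(payload), stored_only
```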

I just hope that one day we can access OPL through PCMCIA to USB adaptors.

ProtoPwn is a huge start to that goal, at least, that's how I see it.
 
I have an SCPH-15000 and this looks to be very helpful. Can someone walk me through the installation?
Can the PS3MCA be used for this? If not, how do I get it on the memory card?
 
Code:
ps3mca.exe -in BIEXEC-SYSTEM /
or maybe this:
Code:
ps3mca.exe -mkdir BIEXEC-SYSTEM
ps3mca.exe -in BIEXEC-SYSTEM\OSBROWS /BIEXEC-SYSTEM
ps3mca.exe -in BIEXEC-SYSTEM\PROTPWN /BIEXEC-SYSTEM
Plus create and put something as /BOOT/BOOT.ELF, e.g. uLE. But recommended: PS2BBL and OSDM.
 

Sorry, I'm still confused on how to do this. I have the ps3mca tool downloaded, is that all I'm required to have? I assume I use CMD for the commands you have listed, is that correct?
I'm also confused on the /boot/bootelf.

When I download ProtoPWN, where do I put it? In the ps3mca folder on my PC?
Can someone write a tutorial?
 
It's not that hard to type a bunch of commands...

Here...

This batch file will install ProtoPWN + PS2BBL ready to use. Only one thing is missing: it has no OPL by default. If you want to add one, put the OPL of your liking inside the APPS folder of the package, named OPNPS2LD.ELF.

If you do so, that OPL will be copied to the card, and it will be automatically integrated into PS2BBL (with the default config, doing nothing will jump to OPL after 4 seconds, holding R1 on the logo will go to wLaunchELF).

Of course, put your own ps3mca into the same folder as the .bat file.
 
With a little trial and error I got it to install. I had to rename my ps3mca-tool.exe to ps3mca.exe, it is currently installing.

So, I tried it with a Magic Gate and a non Magic Gate card.

With the Magic Gate card, it fails to launch and stays on a black screen. When I remove the memory card I get the PS2 menu, and it shows 3 broken files on the card.

Using a non Magic Gate card, it fails to inject the OPNPS2LD.ELF file, but it does boot correctly with the non Magic Gate card and I can access wLaunchELF by holding R1.
 
ProtoPwn does not depend on MC auth, because it doesn't use the OSD Update mechanism. It is literally an exploit.

I downloaded El_isra's package and all folders have icons and meta files, which means you cannot see Corrupted Data. Maybe your card has bad sectors and that is the source of all your issues; or the transfer of files to the card wasn't completed.
 
My cards are working perfectly for everything else, so I doubt they have bad sectors.
It says the files loaded correctly, but when I view files on the PS2 it says the memory card has corrupt files on the Magic Gate card. The non Magic Gate card works and doesn't have corrupt files, but every time I try the bat file it fails to inject the OPNPS2LD. Not sure why though.
 
It is like saying: "my HDD is working perfectly for everything else, so I doubt it has bad sectors". Without diagnosing it first, you cannot say anything about it... Having e.g. one bad block doesn't mean that the device will always write on it and always damage data. And even damaged data does not have a red flag on it saying "hello, I'm corrupted, help".

BTW: If you now have a working exploit, whichever card it is on, you can copy data from e.g. USB with e.g. uLE.
 
Yes, it is me saying my cards do not have bad sectors now. I have now tried with 4 brand new non Magic Gate cards, and 3 known good Magic Gate cards. The system always fails to boot with Magic Gate, and once at the menu, when I remove and reinsert the card, it shows 3 corrupt files.

The 3 new non Magic Gate cards fail to inject the OPNPS2LD.ELF that I put in the APPS folder. But they all boot the exploit.
Yes, I have OPNPS2LD.ELF on a thumb drive and I can copy the data after holding R1 at the logo.

I'm just providing feedback on what I am encountering. I do thank you all for your help. As simple as the process is, it's not that easy for someone who has very little history with PS2 exploits, only Sega Dreamcast.
 
There must be something else going on....

In this video I'm testing it with an original SCPH-10020 Green memory card.
 