ProtoPwn

PS2 ProtoPwn v1.0.1

Go to download
Overview Extra info Updates (1) Reviews (1) History Discussion
pcm720

pcm720

Developer
ProtoPwn

About Usage A demonstration video How it works Credits
  • An exploit for the Protokernel PlayStation 2 systems (SCPH-10000, SCPH-15000, and DTL-H10000(S)) that enables arbitrary code execution through a flaw in the OSDSYS Browser update code.
  • Usage
    1. Run make
    2. Copy BIEXEC-SYSTEM to the root of your memory card
    3. Copy the payload you want to run to BOOT/BOOT.ELF
  • A new exploit:
    https://www.youtube.com/shorts/M-e-xG9k0x4
  • How it works

    ProtoPwn consists of a fairly simple two-stage payload and a packer tool:
    1. MBROWS replacement
      • Runs from 0x7a0000
      • Patches OSDSYS code to execute a custom function in the main thread
      • Applies the EELOAD kernel patch
      • Deinitializes OSDSYS
      • Finds the target ELF on mc0 or mc1
      • Executes the embedded ELF loader
    2. Embedded ELF loader
      • Cleans up after OSDSYS
      • Loads the target ELF
      • Resets the IOP
      • Executes the target ELF
    3. Simple packer script
      • Does the bare minimum required to get OSDSYS to accept and "decompress" our payload
      • Actually increases the file size
    The target ELF path can be modified at build-time by passing BOOT_PATH
    argument to make.
    BOOT_PATH must be relative to mc0/mc1, e.g. BOOT/BOOT.ELF.

    Browser update

    During initialization, protokernel OSDSYS checks for a Browser (MBROWS) update manifest in mc1:/BIEXEC-SYSTEM/ and mc0:/BIEXEC-SYSTEM/.
    The manifest file is called OSBROWS and consists of just three lines:
    Code: 
    101 — module version, must be higher than 100
PROTPWN — module filename, relative to `BIEXEC-SYSTEM`. Cannot exceed 7 characters
007a0000 — module load address

    When this file exists, OSDSYS will parse it, load the specified file at 0x1000000 and decompress it to the specified load address. This module is then executed as the OSD Browser thread function.
    Similar to __mbr, this module must be headerless, with its entry point located at the beginning of the payload.
    For some reason, unlike system updates, the Browser update is completely unencrypted, has no intergrity or validity checks and uses a fairly unsophisitcated compression scheme that can be easily bypassed.
    Thus, it is possible to get code execution just by creating a custom payload that will run in the Browser thread.

    Module compression

    OSD modules are always compressed. The compression scheme is block-based and structured as follows:
    Code: 
    <4-byte uncompressed payload length in little endian>
<4-byte block descriptor>
<30-byte block>
<4-byte block descriptor>
<30-byte block>
...

    The block descriptor marks whether the byte in this block is compressed and contains the byte shift and byte mask used to unpack the bytes.
    The OSDSYS unpacker stops processing right after reaching the declared payload length, ignoring all trailing bytes.
    To bypass the compression, the uncompressed payload can be written as-is, with the length header at the start of the payload and four null bytes preceding each 30-byte block.
    See osdpack code for more details.
  • Credits
 
It's really great. This makes boot time really short and a lot of simplicity for final users.
I'll follow this.
Thanks guys for your work.
 
Any chance you could upload EE_BIN_RAW / payload.bin pre-fakepacked? I'm gonna start compiling the ps2 sdk but if somehow you upload that before it would help me out alot with something (can you tell what that is yet) :)
 
ProtoPwn v1.0.1 is out!

This release introduces a UMCS variant (protopwn-umcs) that runs the payload from the following locations:
  • mc0:/BIEXEC-SYSTEM/BOOT.ELF
  • mc1:/BIEXEC-SYSTEM/BOOT.ELF
It does not bring any new features and only contains internal changes aimed at future-proofing the payload code.
If you are using version v1.0.0, there is no need to update unless you want a UMCS variant.
 
You must log in or register to reply here.

Similar threads

Back
Top