New PS2 exploit found, uses official Yabasic demo discs as its entry point
The gaming community may be itching to read all the latest news about Sony's upcoming console, but that doesn't mean homebrew enthusiasts have left the previous generations behind just yet. In fact, one developer in particular (@CTurt, a name already familiar to those in the PS4 scene) has decided to go back a whopping 19 years to revisit the PlayStation 2 not for a quick nostalgia dive, but to crack it even further than it's ever been!
As a lot of you readers may know by now, Sony's best-selling console is by no means a stranger to hacks: a plethora of modchips, software exploits and other types of clever tricks to bypass the platform's security have popped up over the years, all of them with their own methods and pros/cons. However, most of them require either purchasing some pieces of hardware or having a pre-modded console at hand to later pass an exploit over to your own, which is by no means ideal for a multitude of reasons. But this is about to change starting today, as @CTurt has managed to find an exploit which only needs a PS2 Yabasic demo disk to work.
The exploit consists of two stages: the first overflows one of the interpreter's built-in functions and gains arbitrary code execution, while the second is a payload that launches an ELF from a medium available to the system (the repo includes one that loads the FIFA demo bundled with a specific revision of the disc, however, someone could technically choose whichever executable they want - even on a different/burned CD). Support for USB/HDD drives and loading ELFs over the network is also reportedly possible, but no compatible payload has been written for those yet. Everything said so far only requires a stock PlayStation 2 and an aforementioned Yabasic demo disk (something many European owners may already have as Sony originally included one with the consoles to avoid EU import taxes) so this should not only open up the doors to hacking & homebrew for many more people, but the exploit also works with late Slim models that don't support FreeMCBoot at all!
There are, however, a few things you should keep in mind. First and foremost, while everything is already in a working state and the code has been made public, it's not really that user-friendly yet: you need to compile the exploit yourself and, as previously stated, some otherwise useful payloads are still missing and will be added sometime in the future (other devs are welcome to make their own contributions!). Secondly, while most demo disks containing Yabasic are supported (serials PBPX-95204, PBPX-95205 and PBPX-95506), one of them is still not compatible as it uses a different executable version and the developer wasn't able to get their hands on it (serial PBPX-95520 - if you have it, please consider contacting the dev!). Lastly, those discs have only been produced for PAL consoles, so NTSC PS2 cannot take advantage of the exploit due to region locking.
Here is the usage guide included in the README:
Install the PS2DEV toolchain (really you just need a MIPS compiler), place your assembly payload in payloads/name.s and run make to build it into a Yabasic exploit.
On PS2, run the %lg patch corresponding to your disc first. EG: for PBPX-95205 that will be in out/patches-95205.yab.
Then you can run your payload (located at out/name.yab).
If your payload writes a value, you'll need to run the feEgG patch, and then you can run the debugger program to print it (both in out/patches-version.yab).
Feeling experimental? You can find PS2-Yabasic-Exploit's GitHub repo by clicking the source link below! You can also find out more about how the exploit works by reading the technical writeup here.
Source
Last edited by RattletraPM,