Fuzzing the PS2 Mechacon

Discussion in 'Sony Programming and Development' started by Myria, Mar 11, 2018.

  1. Myria

    Myria Peppy Member

    Joined:
    Aug 21, 2012
    Messages:
    340
    Likes Received:
    13
    It seems to me that the PS2 Mechacon, being quite a bit more complicated than its PS1 counterpart, is complex enough that the probability that it has no exploitable vulnerabilities is around zero. It would be fun to find ways to read and write its RAM.

    I unfortunately don't know much about the PS2 Mechacon. Is there a list of commands it understands and things like that?
     
    Last edited: Mar 12, 2018
  2. PixelButts

    PixelButts Site Soldier

    Joined:
    Aug 19, 2014
    Messages:
    2,426
    Likes Received:
    1,670
  3. root670

    root670 Robust Member

    Joined:
    Apr 4, 2010
    Messages:
    205
    Likes Received:
    17
  4. Armorant

    Armorant Spirited Member

    Joined:
    Sep 13, 2014
    Messages:
    184
    Likes Received:
    56
  5. sp193

    sp193 Site Soldier

    Joined:
    Mar 29, 2012
    Messages:
    2,107
    Likes Received:
    860
    There may be at least two ways to issue commands and the command sets are different. Commands may be issued from the IOP or via the serial port (in service mode).
    When commands are issued from the IOP, there are two types of commands: N-commands and S-commands. I guess N stands for Normal and S stands for Special... since S-commands normally don't deal with disc reading, but with things like ID management and MagicGate.

    The protocol running over the serial interface will indicate the type of error: whether the command is invalid, the parameters are wrong, or the parameter length is wrong. This doesn't seem to be done for the PS2 N- and S-commands.

    The CDVDMAN pseudo code from the CDVDMANIA archive has some commands listed: http://lukasz.dk/mirror/cdvdmania/
    There's also PCSX2's source code.
    For the service mode stuff, there is PMAP's source code.

    Beware that it is possible to overwrite your EEPROM with some commands, so I do strongly encourage you to back it up first.

    From the Dragon series, the EEPROM layout and the command sets were altered. They also made the ID-writing functions do nothing (i.e. it does not fail, but no visible change to the EEPROM is made).

    You may find that different PlayStation 2 MECHACON models have different command sets.
    For example, there is a function for reading regional-specific information, for the SCPH-75000 and up. This isn't done for the SCPH-50000 series.
     
