The OG Xbox only has analog outputs, so the TV needs to sync to the signal before it can know what is supposed to be the top left of the image. This is not unique to CRTs, but is a requirement of the analog video signal.
@@banguseater All the newer model fats came with one, slim ditched it, though you could still use a USB hard drive as plug and play. Though I would like to correct myself, most functions of the hard drive were locked out of most games. Socom 2 used it for DLC; I think that's like the only game to ever utilize it. With a mod chip, or FreeMcBoot and some other loaders, you can store whole games on it and read them from the hdd.
@@omicron0mega no what im saying is that the harddrive and the network adapter didnt come with it, you had to buy them. xbox OG came with it stock. thats why not too many PS2 games used the HDD way before the slim model came out. including the networking.
You might dislike the PS2 and I never cared for it until I messed around with PCSX2 shortly before v2 released in the past days but this might be a super simple method to me to get a freeMC memory card.
You mentioned Xbox 360, but I have no idea how that would work. Not only do you need to defeat the security cookie, you will also have to find a way to find and execute the kernel function from the stack, because of the page protection and encryption the Xbox has. If there was a way, the LEGO games also have a cross-platform strcpy vulnerability (although not networked), that was at least present in the Wii and PS2 version (where I could create a POC exploit) and likely is in the Xbox 360 version as well.
the exploit is still there in the Xbox 360 version, but the hypervisor prevents memory pages from being both readable, writable and executable at the same time. that's why a dashboard from like 2006 is needed: that specific version contains a bug in the hypervisor that's used to get full code execution
@@tcscomment I need to admit I wrote that comment, only skimming through the timeline and not finding the "Xbox360" screen and watched the video afterwards. It appears as if there is no security cookie in the first place on that game, which surprises me a lot, but also explains a lot. I thought the Xbox360 toolchain forces that to be on by default. Thinking of that, what prevents someone from writing entirely stack-based code other than being confined to the stack size? You could surely look for utility functions within the game, that when combined do the side effects you were looking for. If one was dedicated enough, surely you could create a universal Xbox360 "userspace" homebrew toolchain (including exploit)
@@tcscomment Why do you think so? Assuming the compiler doesn't save valid return addresses and the hypervisor doesn't track them otherwise (for example through a hardware register with a list of last used jump targets), there's no way for the hypervisor to track "abused" code. You'd "only" need to find code inside the game that's small enough and allows for manipulation of the most important registers. I imagine the hardest part would be to find utility functions that push elements to the stack without popping them. (You'd need to find a function that executes at least two pushes before popping the return address). None of my code would need to be mapped as executable, because it will only point the return address into pages already mapped as executable. This would be entirely CPU-sided and to the supervisor it would look like only the game code is being used. The hypervisor could only tell through probing the PC and heuristics if the game is behaving abnormally. And for stability's sake that's unlikely to be the case. Tbh, given the knowledge that Tony Hawk's at least doesn't feature a stack cookie, I'm very intrigued about giving it a shot. Well at least depending on if I can test that in Xenia or not.
@@tcscomment Never mind, grimdoomer himself said, that a stack software only exploit is possible on his git repo for Xbox360. I might still try to make a nice demo out of it. By creating stack only based code using utility functions.
Finally, a way to softmod my PC.
This comment will be fun to look back at in 10 years.
I'm looking for a good hard mod so it can't be patched out by Microsoft.
@@renakunisaki SecureBoot: So I took that personally
Imagine someone uses this to do a fully automated Linux install on someone else's PC🤣
@@RadikAlice theoretically you could run a bunch of checks to see if the machine is uefi or not to determine what boot loader to use, and then overwrite the entire first partition (ie C:\ drive under windows) with a live cd esque thing that unpacks an image over itself on boot, like a ramdisk or smth
died 2006 born 2024 welcome back king kong exploit
this is honestly better than King Kong because it required a patched shader and a flashed dvd drive, this on the other hand is basically no clicks required, only copy a save file via usb
close enough, welcome back king kong exploit
@@luxploit yeah i know lol, awesome stuff for being the first of a kind for the 360. Hope this can in some way aid in making a more accessible softmod in the future
@@luxploit potentially even just join a networked game... can you still do that?
@@renakunisaki Believe it's been shut down.
People who loved the PS2: Players.
People who hated the PS2: Programmers.
very true 🤣
And audio enthusiasts loved the PS2 as it was the only console that supported surround at the time and xbox never supported it until the 360. I had family members that obsessed about audio and bought a PS2 because it had optical audio ports and played DVDs and CDs with no issue in full 5.1 surround.
@@Vandius24Still is a half decent cd reader
@@remingtonjensen2231 lasers don’t live so long though. My ps1 is a more solid CD player
@@slarbiter oh whoops yea I meant ps1 lol
You're the guy that brought us exFAT support on PS2? God bless you hackerman!
Yeah seriously. With that and the memcard pro 2 this thing is a lot more usable
The greatest trick Tony pulled off since the 900.
The greatest trick Tony pulled was to convince the world an exploit didn't exist
christ, you're like my shadow
@@spv420 lmao
the PS2 was a nightmare for devs especially at the start, because Sony thought "devs can just use our vector units to do tons of fast data transfers via DMA so they don't need much memory and we can flex the power of our hardware lol"
too bad they never said this to devs and they had to eventually figure that out on their own
I guess RenderWare came into the picture to try and save the day with all the BS that is messing with Vector Units and CPU management.
---
RenderWare was one of the most widely used game engines during the PS2 era. Originally developed by Criterion Software, RenderWare was a cross-platform graphics engine that provided a higher-level abstraction over the hardware, making it easier for developers to create games without needing to dive into the low-level complexities of the PS2.
RenderWare handled many of the tasks that would otherwise require developers to manually program the VUs, such as 3D rendering, physics, and animation. It became popular for its ease of use and was employed in many high-profile games, including the Grand Theft Auto series, Burnout, and Tony Hawk's Pro Skater.
I shipped a couple of PS2 games. The VU0 and VU1 weren't TOO bad. Yes, people were using Excel spreadsheets for scheduling (to minimize latency / maximize throughput) but you would transfer data from the EE -> VU0 -> VU1 -> GS for rendering.
What _really_ made the PS2 challenging was managing all of its SEVEN processors: EE, VU0, VU1, IOP, GS, SPU, and IPU. It was a PITA to get (especially managing DMA transfers) but once you had everything working it was magic.
RenderWare was a god send for PC developers who didn't want to waste time learning idiosyncrasies of the system.
Thing is, that's how most mips hardware works though...
@@MichaelPohoreski In other words... the PS2 was literally a piece of shit.
@@DGTelevsionNetwork Many routers and Chinese Special media players/consoles use MIPS but are NOTHING like the PS2.
i thought this was about a obscure polish tony hawk game nobodys ever heard of but i wasnt disappointed
Pronounced "strotspee" for some reason.
?? What title?
If PS2 has million haters, then Grimdoomer is one of them.
If PS2 has one hater, then Grimdoomer is THAT ONE.
If PS2 has no haters, that means Grimdoomer is dead.
Hating the ps2 is wild
@@izBrnDD from a programmer's perspective it is indeed a real piece of garbage
@@tcscomment i'll look into it
@tcscomment Overly complex? Maybe. As with all SONY hw, the designers went a bit nuts with SIMD, and in this case, Toshiba did certain things to save die space and thus $$$.
Piece of Garbage? I definitely can't see that. The VUs allow you to do a lot of cool things, especially in 1999/2000.
I suppose that making the hardware impossible for anyone outside of the SONY engineers to grasp would constitute "garbage", however hahaha
@@Quaker763 If the PS2 is overly complex then the PS3 is purely alien with its cell processor. But I do agree that Sony was on a bit of demon time when designing their earlier consoles
7:52 just a friendly reminder warranty seals are illegal in usa, have been for like 30 years. There's also a ftc lawsuit out right now.
1974 was 50 years ago partner. Sorry if that makes you feel old lol.
Really? Are they legal elsewhere?
@@hypnotised-clover africa
@@tissuepaper9962 thanks, I know the date
Sleep deprived coder, 2006: I don't need to sanitize the input for a gap, it'll be fine
Modders, 2024: you FOOL
Hahahahahah this made me laugh so hard 😂
Amazing work! Fantastic to see the Xbox 360 being exploited truly in software, without having to flash the DVD drive or Jtag / RGH it after all this time.
HEYYY YOU'RE THE GUY FROM DIGIEX!!!! GREETINGS!!!!
I think you'd still need to JTAG / RGH to get the needed keys and flash the nand, no?
This only works for the old Blade dashboard versions, which means you can't play a lot of older games, and it severely limits what systems you can use. Sadly
yo i recognize you from some 360 forums
@@KingKrouch If a hypervisor exploit can be found for newer dashboard versions, which is much more of a desirable target with this exploit existing, then that would change. I imagine no one’s been looking all that much since everyone’s just been doing RGH for so long.
Stellar work, dude!
hey, your tutorial bricked my xbox 360
@@luzroja29AKApeyo unlucky bro
@@FSSHetPDGE yeah, true. I want to buy a ps3
@@luzroja29AKApeyo what tutorial did you follow? It's extremely hard to brick a 360 bud
@@IDontModWTFz a tutorial on updating the avatars with RGH. The thing is, my xbox had a damaged NAND, but it worked, and apparently, since I updated that NAND, it got corrupted even worse and now, when I turn it on, it shuts off immediately
For those wondering, yes, you do need the XBOX 360 version of American Wasteland for exploiting the 360, not OG version.
The 360 exploit in this is particularly impressive. Love your work man - as someone who has utilized every single one of these softmods mentioned, this would've made life easier back in the day. Keep it up!
Great work and find.
Hating the PS2 and still you gave us Exfat support for the PS2 HDD.
Nah, cursing the console with exfat is entirely appropriate.
Wonderful broadcast thank you for sharing. As a Tony Hawk Veteran and console modder this video killed two of my weird niches with one stone. This is incredible stuff.
clicked this expecting a ytp, now i'm intrigued
FOR REAL
if i had a nickel for every exploit that worked on multiple tony hawk games i’d have two nickels
Wait what’s the other nickel
@@gerardgeer642 TonyHax
@@gerardgeer642 tonyhax for the ps1
Are you Chad Kroeger because I want my nickelback
is this a meme i am seeing this phrase on a ton of videos
My dude only appears when he's got solid stuff to show.
Congrats.
I was super into all of this stuff in 2012-2013 and then just stopped playing video games altogether. Almost like the unrestricted availability of all of these old games annihilated scarcity and made me lose interest. Coming back a decade later I don’t even know if I really like video games at all but the software side of this fascinates me. Very cool vid
I have to agree with you, I used to game a lot, now I only care to get on GTA V-SP and FSX
I just downloaded a backup copy of my pro skater 4 few minutes ago and now I get your video in my recommendations.
dude, you rock
Truly amazing stuff!
I can't even imagine what you had to go through to get a 360 without burned bootloader efuses. Hope you didn't forget to remove the R6T3!
Speaking of the PC version, IMO no one should play the version where strcpy isn't replaced with strncpy, the consequences can be quite severe.
Also, the shellcode at 0:49 looks heartwarmingly familiar (I'm the guy behind the publicly available Frogger Beyond exploit :D)
I used to have my 360 soft modded and it was insanely easy. I can't remember the exact process I used but it enabled me to download 360 games to a flash drive and play them for free from the flash drive. They eventually caught me and my account was banned until 9999 lol
What are the consequences?
@@Mr_Twiglesworth it's an open door for remote code execution on your computer, which allows the attacker to do virtually anything: plant a malware / steal your data / etc
Congrats on the release and the nice write-up! Just wanted to clarify that when we were made aware of this exploit years ago, it was patched promptly. Saying that we weren't interested in fixing it is a bit misleading and unfair.
Was that swiftness ever communicated?
Thanks for confirming this!
I was wondering if now we'd have to be worried about joining created park servers on tpro
Gay
@@bongjovi4928 brain rot detected. get off internet
so that's why Visual Studio tells me that strcpy is cringe
strcpy is fine if you 100% know that the source will not exceed the bounds of the destination
otherwise use strncpy
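The strcpy versus strncpy point in the comments above, as an added example that is not code from the video, the write-up or any commenter: it shows that strncpy bounds the write but can leave the buffer without a terminator, and what a length-checked copy looks like instead. The buffer size, the struct and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the page does not state the game's real buffer size. */
#define GAP_NAME_MAX 32

/* Hypothetical record standing in for one saved gap entry. */
struct gap_entry {
    char name[GAP_NAME_MAX];
    int  score;   /* neighbouring field that an unbounded copy would overwrite */
};

/* The pattern discussed in the comments: no length check at all.
 * Correct only when the caller guarantees strlen(src) < GAP_NAME_MAX. */
static void set_name_strcpy(struct gap_entry *g, const char *src)
{
    strcpy(g->name, src);
}

/* strncpy keeps the write inside the buffer, but when src has
 * GAP_NAME_MAX or more characters it writes no terminating NUL. */
static void set_name_strncpy(struct gap_entry *g, const char *src)
{
    strncpy(g->name, src, sizeof g->name);
}

/* Length-checked copy: a name that does not fit (terminator included)
 * is rejected instead of being truncated or copied out of bounds. */
static int set_name_checked(struct gap_entry *g, const char *src)
{
    size_t n = 0;
    while (n < sizeof g->name && src[n] != '\0')
        n++;
    if (n == sizeof g->name)
        return -1;              /* too long: refuse the input */
    memcpy(g->name, src, n);
    g->name[n] = '\0';
    return 0;
}

/* True when the name field contains a NUL somewhere inside its bounds. */
static int is_terminated(const struct gap_entry *g)
{
    return memchr(g->name, '\0', sizeof g->name) != NULL;
}

int main(void)
{
    struct gap_entry g;
    char long_name[GAP_NAME_MAX + 16];   /* constructed oversize input */

    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    memset(&g, 0, sizeof g);
    g.score = 1234;

    set_name_strcpy(&g, "short name");   /* fine: known to fit */
    printf("strcpy, short input : terminated=%d\n", is_terminated(&g));

    set_name_strncpy(&g, long_name);     /* in bounds, but unterminated */
    printf("strncpy, long input : terminated=%d score=%d\n",
           is_terminated(&g), g.score);

    printf("checked, long input : rc=%d\n", set_name_checked(&g, long_name));
    printf("checked, short input: rc=%d name=%s\n",
           set_name_checked(&g, "Kickflip Over Rail"), g.name);
    return 0;
}
```

Any later `strlen` or `printf("%s")` on the unterminated buffer reads past its end, so code that keeps strncpy also has to set the last byte to NUL itself.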
"Because strcpy is not safe, we can craft a malicious gap name" 💀
I already jailbroke my PS2 and installed free mcboot using my gran turismo 3 game disc but this is still insanely cool, keep up the great work!
Absolutely stellar work.
ACE / RCE videos absolutely blow my mind. I was 13 years old when THPS4 came out - I played it to death on PS2.
Who would have thought this opportunity would be exploited 22 years later?! It's just fantastic how mind-bogglingly clever some people are!
Outdone yourself here!
Your hatred for PS2 is palpable. xD
Great job as always!
god i hope the xbox 360 gets an easy softmod one day
we're getting close 🙏
whoa, hold on, I was promised an exploit for the N64. (j/k. Very enjoyable video. Thank you for posting this. I can't imagine the time it took to put this together.)
haven't actually confirmed, but it probably does work on N64. it's just the N64 has no way of doing anything useful since there's no hard drive or USB port or way to load anything. if you're going as far as to make a custom cartridge.... then well you've already just made a flashcart
@@kneesnap1041 Or going the route of TASbot and making a serial I/O that sends data over the controller port(s) to load up a simple pong game, and then you've just built a very lowgrade network adapter (Cool as heck, but a lot of engineering.). Just saying, you toss out a cartridge like that, someone in the audience is going to ask for it ;)
Congrats on the find! This is just what we needed to get some people interested in hypervisor exploit research.
Wow. What a blast from the past.
Softmodded many Xboxes with Agent Under Fire for friends, this would have been huge back in the day!
Another fine example of closed versus open platforms:
Console version: This exploit that lets you get arbitrary code execution is cool. Here's how to use it to run whatever you'd like on your console.
PC version: This exploit that lets you get arbitrary code execution is scary. Don't play it online, and if you must, take these precautions.
"it has 2 cpus that have to reboot multiple times and there's almost no RAM" we just played the games man
what games? ive always heard playstation has no games.
@@SaenGaems you're thinking of the ps5
@@kellymountain surely you mean the ps3
@@redhel the PS3 has game. singular
the ps5 has no games
@@redhel The PS3 has an absolutely god awful hardware architecture, but it has quite few games on it.
Great console tbh.
WHY IS IT ALWAYS THE TONY HAWK GAMES
Best games
Even when played normally, you can see and feel the jank Neversoft had to contend with in their own work
Bc Tony hawk was great at skateboarding but a terrible coder.
Oh nice. I saw the blog post on HN and put it on my reading list. But it's nice to see there's a video too!
finally a good explanation for not having gaps in the 1+2 CAP
Awesome AND scary AF at the same time!
I understood about half of this but it was still interesting. I think it's well presented. Nice video
Really cool video and excellent work, I can’t begin to pretend i understand how this stuff works, but it’s incredibly entertaining to see it being pulled off, especially on 360, as particular as this exploit is
You’re a LEGEND! Thank you for what you’ve done for the PS2 community
Pro Skater 2 on PC with offbrand controller was the best,
Highlights of childhood!
Tony Hawk exploits led to so many great things in the past :D
Your presentation ability is great. I love it, and hope you keep making videos!
Played so much tony hawk proskater 4 as a kid always knew this game held something special lol. Great work & research!
god i love these goofy titles on technical videos
Whatever effort Nintendo put on the GameCube architecture, they did get a return with the Wii. They didn't try the switch after the Wii because of the familiarity with PowerPC and cost to manufacture of something similar to the switch would be very prohibitive in 2013
I really think the Switch wasn't attempted earlier because there really wasn't an industry standard port that Nintendo could use to create a proper dock until like 2015-2016 with USB C. Every other solution before USB C sucked.
@@No-mq5lw Nintendo didn't give a damn about industry standard ports. Even when they do use them, they rarely use them correctly. (See: Switches being bricked by third-party chargers; GameCube controller adapter/Wiimote not being standard HID protocols...)
@@renakunisaki Proprietary USB C power delivery protocols weren't uncommon in the early days, and neither does Sony for their controllers.
@@No-mq5lw switch was released after USB-C PD standard, and Nintendo is one of the biggest companies on the planet. They can afford to implement the standard correctly.
Dang, Tony keeps delivering!
Appreciate your work
What an awesome channel! Also like your blog! Please continue making such content
Taking your PS2 slander on the chin and thanking you for giving me another reason to love THPS4. (also this exploit suits the specific situation i got with my ps2 right now very well so again thank you)
Now that’s how you know he’s a real gamer, he hates games 😂
As a lifelong THPS fan this is absolutely hilarious and insane, and only somewhat surprising
dude i spent so much time in the create a park as a kid
2 vids and theyre both bangers. subbed
1:58* the Endgame usb exploit exists, which streamlines the process to just plugging a usb in and reading from it, so while it's cool that a new softmod exploit is available for the og xbox, it's recommended to use endgame for ease of use.
I remember seeing you do your live demo of this on the xbox original in College! I hope you're doin well, man!
Nice work! Can't wait to see what other fun work you'll do on the PS2 especially ;)
The biggest advantage of the PS2 was the controller, since Hawk games were native to Playstation and the other versions were ports. Playing THPS with a stick is like eating pizza with a fork.
Pc Keyboard gang
I never thought about this, but having played the original THPS on PS1 and THUG on GC, I can now see why it seemed to me that the learning curve was steeper!
Are you implying Playstation controllers don't have sticks?
@@wheedler His comment makes sense to me when we look at an N64 controller's layout in comparison
@@wheedler Oh no just it's way easier to do tricks that require diagonals on a D-pad IMHO - and again I never realized this before reading the comment but it's true!
The PS2 is always going to be in a league of its own, and some of its features are overlooked by people trying to code for the device. PS2 had a full Linux OS you could buy and use on an unhacked console. PS2 was marketed towards audio enthusiasts as it was the only console that supported 5.1 surround with its optical audio port (xbox didn't have surround audio like PS2 supported, no optical audio on Xbox). PS2 was marketed as a device for adults with its more mature style of looks and features. It'll fit nicely next to an audio receiver with how it looks. There's a lot more about the PS2 that made it king of the consoles, but marketing towards the music and movie industry really solidified its position, and at the time DVD players were over $200 apiece. You could even buy a remote that looked very professional/sleek to control a PS2 playing DVDs and CDs.
No other game console supported high quality audio or 5.1 surround until xbox 360 came out. Want the best audio/game music of that generation, get a PS2.
certified glazer
Wow, great work, the true full exploit.
Everything I wondered about you explained. Excellent video.
I subscribed. You only have two videos on your channel but they're both awesome. Hope to see more. Thanks.
I used to love this game back in the day, and now it can be used to mod consoles? Awesome!
0:00 Intro
1:36 Xbox
4:05 PS2
5:42 GameCube
6:35 Xbox 360
8:53 PC
Would love to see a deep dive into the payload after the buffer overflow
Nyan cat just took me back.
Also realized my pronunciation of both are different. "Nanya - to Nya"
Game: *Lets you write/save/read text*
Hackers: It's free real estate!
I expected this to be an elaborate metaphor on the nature of buffer overflow and how you can *jump* from it to places or something but man, the shite's literal 😂😂😂
Badass breakdown and never knew this was in the games
I don't care for ACDC at all but hearing TNT will always give me a wild nostalgia rush
the lime green xbox is such a flex
Getting a ROP chain on the 360 is still damn impressive!
I do wonder, with the OG Xbox emulator on the 360 employing a JIT machine code translator, I wonder if the hypervisor enforces code signing on that end.
That's a good question. Honestly I wonder if there's any possible exploits in the Hypervisor itself.
this is my type of community. keep it up!
Some game creators hacked the ps2 to make the games function better.
Pretty sure that racing game was one of them, it was like Mario Kart but was that fox looking character.
I think it was Crash Team Racing or whatever, watched an interview with the creator and it was super interesting.
MAYBE was Crash Bandicoot..
Yeah you're thinking of Crash Bandicoot on PS1
@@koraku8519 ahh yeah it was PS1 wasn't it
Cool to see soft mod community still around. I soft modded my PS2 fat since I had back from 02 back in 2010 with Agent Under Fire
I have no idea what you just said to me little kid, but it hit me right here!
What causes this CRT-like picture offset for a short time when Nyan cat is loaded at 2:22?
The OG Xbox only has analog outputs, so the TV needs to sync to the signal before it can know what is supposed to be the top left of the image. This is not unique to CRTs, but is a requirement of the analog video signal.
"A game console that doesn't suck" "Gamecube"
The PS2 was, is, and will forever be the best console ever made
Gamecube was so trash lol no games more people had xbox than gamecube everyone and their mom had a ps2
remember, if you ever think "I know it's unsafe, but I know what input it's going to get" no you don't.
Damn hearing T.N.T at the start of this video put me in a great mood
The fat PS2 had persistent storage, the network adapter add-on had an IDE interface.
yea but it doesn't come with it stock so it’s not really the case
@@banguseater All the newer model fats came with one, slim ditched it, though you could still use a USB hard drive as plug and play. Though I would like to correct myself, most functions of the hard drive were locked out of most games. Socom 2 used it for DLC I think that's like the only game to ever utilize it. With a mod chip, or FreeMcBoot and some other loaders, you can store whole games on it and read them from the hdd.
@@omicron0mega no what I'm saying is that the hard drive and the network adapter didn't come with it, you had to buy them. xbox OG came with it stock. that's why not too many PS2 games used the HDD way before the slim model came out. including the networking.
This is very interesting, there are so many ways to xploit games nowadays
what are some other string copy bugs in video games? no way string copy and text overflow manips are so rare
dope video, love the technical explanation
"Moving on to a game console that doesn't suck." 😂 Gotta love the GC
Wait what about the PSP games? didn't it have 2 tony hawk games that could be affected by this?
oh cool can potentially hack the vita with it too then right?
@@LiEnby PSP games on the Vita run in a sandbox, plus there are already ways to mod a PSVita
Solid effort and video man!
Finally, using a game series I already have
You might dislike the PS2 and I never cared for it until I messed around with PCSX2 shortly before v2 released in the past days but this might be a super simple method to me to get a freeMC memory card.
Another day, another strcopy exploit found in a mid-2000s video game
Haha just learning C and the possible exploitability of strcpy buffer overflow. =D
say what you will about the ps2 but it's never red ringed of death on me, thing still works like 20 years later lol
Didn't know this game existed for so long on different consoles after i played it in my youth on pc and n64
ok. now THIS is epic.
I loved making parks in THPS
Finally we can play doom in tony hawk
mad tekkers and well explained. a sub well earned
It's insane how much damage a single strcpy can cause. Really makes you think.
can you do a video detailing exactly why you don't like the PS2 and its shortcomings please?
bro, chill on the ps2. sheesh.
You mentioned Xbox 360, but I have no idea how that would work.
Not only do you need to defeat the security cookie,
you will also have to find a way to find and execute the kernel function from the stack, because of the page protection and encryption the Xbox has.
If there was a way, the LEGO games also have a cross-platform strcpy vulnerability (although not networked), that was at least present in the Wii and PS2 version (where I could create a POC exploit) and likely is in the Xbox 360 version as well.
the exploit is still there in the Xbox 360 version, but the hypervisor prevents memory pages to be both readable, writable and executable at the same time. that's why a dashboard from like 2006 is needed: that specific version contains a bug in the hypervisor that's used to get full code execution
@@tcscomment I need to admit I wrote that comment, only skimming through the timeline and not finding the "Xbox360" screen and watched the video afterwards. It appears as if there is no security cookie in the first place on that game, which surprises me a lot, but also explains a lot. I thought the Xbox360 toolchain forces that to be on by default.
Thinking of that, what prevents someone from writing entirely stack-based code other than being confined to the stack size? You could surely look for utility functions within the game, that when combined do the side effects you were looking for. If one was dedicated enough, surely you could create a universal Xbox360 "userspace" homebrew toolchain (including exploit)
@@Littlefighter1911 that could be a way, yes, but I'm still afraid the hypervisor would catch that
@@tcscomment Why do you think so? Assuming, the compiler doesn't save valid return addresses and the hypervisor doesn't track them otherwise (for example through a hardware register with a list of last used jump targets), there's no way for the hypervisor to track "abused" code.
You'd "only" need to find code inside the game that's small enough and allows for manipulation of the most important registers.
I imagine the hardest part would be to find utility functions, that push elements to the stack without popping them. (You'd need to find a function that executes at least two push, before popping the return address).
None of my code would need to be mapped as executable, because it will only point the return address into pages already mapped as executable.
This would be entirely CPU-sided and to the supervisor it would look like only the game code is being used.
The hypervisor could only tell through probing the PC and heuristics if the game is behaving abnormally.
And for stability's sake that's unlikely to be the case.
Tbh, given the knowledge, that Tony Hawk's at least doesn't feature a stack cookie, I'm very intrigued about giving it a shot. Well at least depending on if I can test that in Xenia or not.
@@tcscomment Never mind, grimdoomer himself said, that a stack software only exploit is possible on his git repo for Xbox360.
I might still try to make a nice demo out of it. By creating stack only based code using utility functions.