"Hacking" the PS2

Okay, it's not really hacking, but I got your attention, didn't I?

The story begins as follows: basically I had some old demo discs from PSi2 (an unofficial PS2 magazine) lying around. I had no idea what was on those discs, so a few weeks ago I started popping them into my phat PS2 and checking out the games and videos. I even found some "new" games I've put on my wishlist since then. But that's not the point right now.

On one of these discs there were some demos written for a software called YaBasic. Well, I know QBasic from DOS times, so I got interested. YaBasic is apparently the *nix implementation of the Basic programming language and this was the PS2 port of that. Well, let's see what it can do! Oh, but wait. I don't have YaBasic itself. I never had an official PS2 demo disc which contains the software.

Let's get to tha choppa! I mean, emulator! Let's get to PCSX2!


I extracted the PSi2 games from my memory card with a little help of uLaunchELF and copied them to a USB stick to read them on the PC. Then, I "obtained" a copy of one of the demo discs which has YaBasic and tried out the games in PCSX2. It was great fun. But you know what would be even more fun? Writing a game myself! My first ever venture into the world of game development for consoles! (I did some tinkering in Unity before, so this one's specifically for consoles.)

A first "Hello World" was quickly implemented, even though I had to use the on-screen keyboard. But that would be really tedious for anything longer. Since I can't use my keyboard to actually type inside PCSX2 (because it's already used to emulate a controller) I had to find another way to write code easily.

I wrote another "Hello World", but this time on my PC in Notepad. I copied it into PCSX2's memory card file and... "An error occurred whilst loading". What? Did I mess up the save file? Nope, looks good. I looked at the games I got from PSi2. Hmmm...

The games all had four strange bytes in the beginning of the file, before the actual source code started. I got my first "Hello World" from my memory card and it also had 4 bytes in it, which I definitely didn't put there... Since consoles are closed systems I assumed it's some kind of protection (so that you can only use source code written on a PS2 in YaBasic). *puts on tinfoil hat*

I tried Googling what these 4 bytes could be, but didn't have any luck. I found exactly one forum post, where a guy mentioned that he discovered the same thing 12 years before me and he wanted to get back on that, but he was never heard from again. I was on my own.

Since the PS2 was a *nix-based system I tried finding out what YaBasic itself does while saving/loading the file. I had no experience in reverse engineering stuff before, and boy did I learn a lot in the last few days!

I extracted the whole YaBasic folder from the demo disc for further inspection. Fortunately the binary was a standard "ELF" format according to Linux's file tool. The only other tool I knew to get started with was strings. At least with strings I could verify that the error message I got was in that binary, but nothing more. Google gave me a few other pointers on using readelf and objdump. Unfortunately the only thing those told me was that this was a 32-bit 2's complement little endian binary for a MIPS R3000 CPU. Another dead end? Can't really debug a MIPS architecture binary on an x86 CPU.
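The reconnaissance step above (file, readelf, strings) done by hand in Python, as an added example that is not part of the original post. It parses the ELF identification bytes that readelf reports (class, byte order, machine) and scans the rest of the file for printable strings the way strings does. The sample binary it inspects is constructed here: a valid ELF32 little-endian MIPS header followed by the two messages quoted in this post. It is not the real YaBasic binary, and the function names are this example's own.

```python
"""Added example, not from the original post: read the ELF header fields
that readelf prints and list printable strings, on a constructed sample."""
import re
import struct

# Values from the ELF specification; names as readelf prints them.
EM_NAMES = {3: "Intel 80386", 8: "MIPS R3000", 40: "ARM",
            62: "Advanced Micro Devices X86-64"}
ET_NAMES = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
            3: "DYN (Shared object file)"}


def elf_ident(data: bytes) -> dict:
    """Parse e_ident and the first fixed fields of an ELF header.
    Raises ValueError when the magic is wrong (where `file` would say 'data')."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "invalid class")
    byte_order = {1: "2's complement, little endian",
                  2: "2's complement, big endian"}.get(data[5], "invalid data encoding")
    # e_type and e_machine are 16-bit fields at offsets 16 and 18; their
    # byte order is given by EI_DATA (data[5]), so decode with the matching format.
    fmt = "<HH" if data[5] == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "class": elf_class,
        "data": byte_order,
        "type": ET_NAMES.get(e_type, hex(e_type)),
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
    }


def find_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def make_sample_binary() -> bytes:
    """Constructed ELF32 little-endian MIPS header plus two string constants
    (the messages quoted in the post). Not the real YaBasic binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    header = struct.pack("<16sHHIIIIIHHHHHH", ident,
                         2,            # e_type: EXEC
                         8,            # e_machine: MIPS
                         1,            # e_version
                         0x00400000,   # e_entry (arbitrary)
                         52, 0, 0,     # e_phoff, e_shoff, e_flags
                         52, 32, 1,    # e_ehsize, e_phentsize, e_phnum
                         40, 0, 0)     # e_shentsize, e_shnum, e_shstrndx
    messages = (b"An error occurred whilst loading\x00"
                b"Crc did not match: calculated %8d, loaded %8x\x00")
    return header + b"\x00" * 12 + messages


if __name__ == "__main__":
    blob = make_sample_binary()
    for key, value in elf_ident(blob).items():
        print(f"{key:8}: {value}")
    print("strings:", find_strings(blob))
```

Running it prints the same class/data/machine line readelf gives for the real binary, and the string scan surfaces the loader's error message next to the "Crc did not match" format string that never appears on screen, which is exactly the clue the graph view later confirmed.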

Next, I tried out IDA on Windows. This was the holy grail - if you can read assembly and if you can read assembly for MIPS, that is. With the help of IDA I found the subroutine which put out the error message and the whole chain of subroutines which led to that error message. But since I didn't really understand the code I couldn't do much with it. I was about to give up.

I fiddled around in IDA a little bit longer and found a "graph view" which showed the subroutines in nice little boxes, connected with arrows to each other (kinda like MS Access). Here, I found my next clue - even if I didn't realize it at that time. Just before the ominous "An error occurred whilst loading" message appears, the calling subroutine has another text which was never shown on the display! "Crc did not match: calculated %8d, loaded %8x".

Okay, so it has something to do with a checksum. But what? The next day I told a colleague about my forays into reverse engineering. He combined two pieces of the puzzle in a way I hadn't realized before: the four bytes and CRC. CRC32 is 4 bytes long. Maybe it's a simple checksum of the file itself? I quickly found a website which could calculate different kinds of CRC (there are a lot of variants!) and input my "Hello World" to see if any of the results matched the bytes generated by YaBasic.

Another round of "almost giving up"... But I have come so far, how can I stop now? Somehow the word "endian" was still lingering in my head. I've read something about it the day before. Was the PS2 little endian or big endian? I had no idea. What would be the difference? Something about the order of bytes.

Basically by pure luck (and stubbornness) I thought about reversing the order of those 4 bytes and voilà! I've found it! I FRICKIN' FOUND IT!

The checksum at the beginning of the file is a CRC32, more specifically the Bzip2 variant of it (Linux, duh!), stored with its bytes in reversed order (little-endian, just like the MIPS binary readelf described).

So in order to write the code on a PC and then create a save file on a PS2 memory card which will be accepted by YaBasic you have to append this checksum to the source code. Here's how it goes:

  1. Write your source in an IDE or text editor of your choosing
  2. If you have Linux at your disposal you can use jacksum to calculate the checksum:
    • jacksum -E hex -a crc32_bzip2 $filename
  3. This will give you something like "da4877ab   50   $filename". You'll need those first 8 characters.
  4. Reverse them in groups of 2, like this: da-48-77-ab becomes ab-77-48-da
  5. These are your 4 bytes (in hex) you'll need to add to the beginning of the file. You can do that with a hex editor of your choosing. *

Basically that's it. Now you have a source code file which you can copy to your memory card and read with YaBasic on the PS2. Enjoy!
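The whole procedure from steps 1 to 5, plus the loader-side check that produced the "Crc did not match" error, as an added Python example that is not part of the original post and needs no jacksum or online calculator. It implements CRC-32/BZIP2 directly (polynomial 0x04C11DB7, initial value and final XOR 0xFFFFFFFF, no bit reflection; that is what jacksum calls crc32_bzip2), writes the result in reversed byte order, and also automates the trial-and-error from the paragraphs above by trying the common CRC32 variants in both byte orders against a given header. The sample program and all function names are this example's own.

```python
"""Added example, not from the original post: build and check the 4-byte
CRC header YaBasic expects at the start of a saved source file.

Assumption, as described in the post: the header is CRC-32/BZIP2 of the
source text that follows it, stored with its bytes reversed (little-endian).
YaBasic's own code is not reproduced here."""
import struct
import zlib

POLY = 0x04C11DB7
MASK = 0xFFFFFFFF


def crc32_bzip2(data: bytes) -> int:
    """Bit-by-bit CRC-32/BZIP2 (jacksum's crc32_bzip2). Unlike zlib.crc32,
    neither input nor output bits are reflected."""
    crc = MASK
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ POLY) & MASK
            else:
                crc = (crc << 1) & MASK
    return crc ^ MASK


def header_from_hex_digest(digest: str) -> bytes:
    """Step 4 of the post: 'da4877ab' -> bytes ab 77 48 da (pairs reversed)."""
    return bytes.fromhex(digest)[::-1]


def build_save(source: bytes) -> bytes:
    """Steps 2 to 5: prepend the little-endian CRC header to the source text."""
    return struct.pack("<I", crc32_bzip2(source)) + source


def verify_save(data: bytes):
    """Mirror the loader's check. Returns (ok, calculated, loaded) so a
    mismatch can be reported like 'Crc did not match: calculated, loaded'."""
    if len(data) < 4:
        return False, None, None
    loaded = struct.unpack("<I", data[:4])[0]
    calculated = crc32_bzip2(data[4:])
    return calculated == loaded, calculated, loaded


def identify_header(header: bytes, body: bytes):
    """The guessing game from the post, automated: try the common CRC32
    variants in both byte orders and name the combination that matches."""
    candidates = {
        "crc32 (reflected, as zlib/PKZIP)": zlib.crc32(body) & MASK,
        "crc32_bzip2": crc32_bzip2(body),
    }
    for name, value in candidates.items():
        for order, fmt in (("big-endian", ">I"), ("little-endian", "<I")):
            if struct.pack(fmt, value) == header:
                return f"{name}, {order}"
    return None


# Constructed sample program; any bytes work, this one just keeps it readable.
SAMPLE = b'print "Hello World"\n'

if __name__ == "__main__":
    save = build_save(SAMPLE)
    print("header bytes:", save[:4].hex())
    print("identified as:", identify_header(save[:4], SAMPLE))
    print("check ok:", verify_save(save)[0])
    # Editing the source without rebuilding the header is the mistake that
    # triggers "An error occurred whilst loading" on the console.
    edited = save[:4] + save[4:].replace(b"World", b"world")
    ok, calc, loaded = verify_save(edited)
    print("after editing: ok=%s, calculated %08x, loaded %08x" % (ok, calc, loaded))
```

The tamper case at the end changes a single bit of the source ('W' to 'w'), which any CRC32 is guaranteed to catch; it is the same situation as editing the file on the PC and copying it back without recomputing the header.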

I hope that after all these years - where the PS2 has been discontinued for so long - this post can help somebody else to rediscover the magic of this great console or maybe inspire somebody to try and hack / reverse engineer a different problem they had.

*: here's a small Bash script I wrote to quickly add the necessary checksum to a file. Since you don't want to delete the 4 bytes every time before you edit the file, you can use something like a "workfile" and the script generates the "PS2-compatible" file from that. I use "filename.bas" as my workfile (so vim automatically does syntax highlighting for Basic) and the script creates "filename" from this:

#!/bin/bash
# Prepend the YaBasic CRC32 header to a .bas workfile (steps 2 to 5 above).
# Requires jacksum. Writes "filename" from "filename.bas".

ORIG="$1"

if [ -z "$ORIG" ]; then
  echo "usage: $0 filename"
  echo "for example: BESCES-50008DEV.bas"
  exit 1
fi

# Strip only a trailing .bas so "filename.bas" becomes "filename".
NOEXT="${ORIG%.bas}"

# jacksum prints "<8 hex digits>   <size>   <file>". Keep the digest and turn
# aa-bb-cc-dd into \xdd\xcc\xbb\xaa so echo -e emits the bytes in reversed order.
CRC=$(jacksum -E hex -a crc32_bzip2 "$ORIG" | sed 's/^\(..\)\(..\)\(..\)\(..\).*/\\x\4\\x\3\\x\2\\x\1/')
echo -n -e "$CRC" | cat - "$ORIG" > "$NOEXT" && echo "done." || echo "failed."

Happy 2019 everbody! This is a follow-up to my previous post:  "Hacking" the PS2 This whole thing started basically when I discovered that there is a possibility to write your own programs for the PS2. I didn't have a PS2 back in the day (I started collecting consoles around 2011) so I just found out recently. Finding out how YaBasic worked and "reverse engineering" the checksum in the source code proved to be so entertaining that I basically lost interest in making a game after that. During the holidays I had a lot of time and to make something productive I decided to take it up again and this time actually make a game. I also wanted to "streamline" the development process by not having to use 3 different programs and 2 OS's to test every change in the code I make. My old process was: write the code in Vim run the Bash script (from the previous post) to add the checksum use PS2 Save Builder to make a save file use mymc to a