CBPS Forums

Console Hacking => PS 2 => Topic started by: teakhanirons on February 03, 2020, 04:28:25 AM

Title: Injecting ELFs via Disc Swapping
Post by: teakhanirons on February 03, 2020, 04:28:25 AM
Silica suggested that we could use the same technique used with the 007: Agent Under Fire method of PS2 hacking with other games.

It's simple: you find a game that loads other ELFs, then you swap the DVD (without the system knowing) with a copy of the game in which the ELF the game calls has been swapped (preferably with uLaunchELF or wLaunchELF due to their small sizes, since you have to keep the Table Of Contents the same; more on that later).

This is the earliest record of this technique being public knowledge we could find (aside from 007: Agent Under Fire): https://www.1emulation.com/forums/topic/28441-turn-any-ps2-game-into-a-swap-disc/
Then we found a forum post about this being used with 007: Nightfire back in 2009; they use the same engine after all: https://forums.afterdawn.com/threads/turn-007-nightfire-into-a-boot-disk.660416/
There's also this: http://web.archive.org/web/20160306121528/http://bootleg.sksapps.com/tutorials/fmcb/swap.php
There were even reports of demos like Jak 2 working!

Some things to keep in mind:
You need the disc manipulation software Apache Version 1.1 (newer versions are reported not to work).
You need to swap the disc when the system is not reading anything; menus should work.
You can't mess with the Table Of Contents of the disc; more on this later.
You can't load an ELF that's larger than the ELF you want to replace; that'd mess with the TOC.
Games released after 2001 may have checks in place, this is not guaranteed to work.

Here's how it'd go:
Open Apache and load the backup you made.
Highlight the ELF you want to replace.
While it is highlighted, click "ISO TOOLS", then "Change TOC For Selected File".
Now DO NOT CHANGE THE LBA!!! Change the SIZE to the EXACT size in bytes of the ELF file you wish to inject (for example, uLE 4.21 is 877420).
Rename the ELF you want to inject to the name of the ELF you want to replace.
Highlight the ELF you want to replace, click "ISO TOOLS" and click "Update Selected File".
Close Apache and burn with either DVD Decrypter, ImgBurn or any other software that's capable of a raw write.
Swap the disc when the system is not loading anything and make the game load that ELF (for example, you enter a driving stage in 007 games or run the network configuration on netplay games)

Some games with multiple ELFs:
007: Agent Under Fire (duh)
007: Nightfire (second link)
007: From Russia with Love
Jak 2 demo was reported to work
Demo Disc 066 [NTSC-U] [SCUS-97241]
Metal Gear Solid 2: Substance (the one with the skate minigame)
Metal Gear Solid 3: Subsistence Disc 2 has a main.elf, depending on when it's loaded, it may be exploitable.
I think some Splinter Cell games have multiple ELFs too but not too sure.
Silica says any game that has netplay may also be exploitable since they have the network configuration ELF.

As there are some demos reported to work as well as multiple very common games, this means potential free entry points for lots of users.

If you're fast enough to swap the disc right before the system loads the ELF but right after the disc checks are complete, theoretically, any game is exploitable.
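As an added example (not code from the post or from Apache), here is the TOC-edit step from the procedure above in Python: it locates the target ELF's directory record in the ISO9660 root directory, refuses a replacement larger than the original extent, rewrites only the size fields (both-endian) and the file data, and leaves the LBA untouched. It assumes the ELF lives in the root directory and builds a small constructed toy image so it runs offline.

```python
import struct
SECTOR = 2048  # ISO9660 logical sector size, as on PS2 DVDs

def root_records(iso):
    """Yield (name, lba, size, record_offset) for each record in the root directory."""
    root = 16 * SECTOR + 156            # root directory record inside the PVD (sector 16)
    off = struct.unpack_from("<I", iso, root + 2)[0] * SECTOR
    end = off + struct.unpack_from("<I", iso, root + 10)[0]
    while off < end:
        rec_len = iso[off]
        if rec_len == 0:                # zero padding: jump to the next sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        name = bytes(iso[off + 33:off + 33 + iso[off + 32]]).decode("ascii", "replace")
        lba, size = struct.unpack_from("<I", iso, off + 2)[0], struct.unpack_from("<I", iso, off + 10)[0]
        yield name, lba, size, off
        off += rec_len

def inject_elf(iso, name, new_elf):
    """Replace `name` in place: same LBA, only size fields and payload change; refuses a bigger ELF."""
    for rec_name, lba, old_size, off in root_records(iso):
        if rec_name == name:
            break
    else:
        raise FileNotFoundError(name)
    if len(new_elf) > old_size:
        raise ValueError(f"{name}: new ELF is {len(new_elf)} bytes, original extent only {old_size}")
    out = bytearray(iso)
    struct.pack_into("<I", out, off + 10, len(new_elf))   # data length, little-endian copy
    struct.pack_into(">I", out, off + 14, len(new_elf))   # data length, big-endian copy
    out[lba * SECTOR:lba * SECTOR + old_size] = new_elf.ljust(old_size, b"\0")  # pad: later LBAs stay put
    return bytes(out)

def _record(name, lba, size, flags=0):
    """Build one directory record: both-endian LBA/size fields, even total length."""
    ident = name.encode("ascii")
    rec = bytearray((33 + len(ident) + 1) & ~1)
    rec[0], rec[25], rec[32], rec[33:33 + len(ident)] = len(rec), flags, len(ident), ident
    struct.pack_into("<I", rec, 2, lba); struct.pack_into(">I", rec, 6, lba)
    struct.pack_into("<I", rec, 10, size); struct.pack_into(">I", rec, 14, size)
    return bytes(rec)

def build_sample_iso():
    """Constructed toy image: PVD at sector 16, root dir at sector 18, GAME.ELF;1 at sector 20 (3000 bytes)."""
    iso = bytearray(SECTOR * 24)
    iso[16 * SECTOR + 156:16 * SECTOR + 190] = _record("\x00", 18, SECTOR, 2)
    root = _record("\x00", 18, SECTOR, 2) + _record("\x01", 18, SECTOR, 2) + _record("GAME.ELF;1", 20, 3000)
    iso[18 * SECTOR:18 * SECTOR + len(root)] = root
    iso[20 * SECTOR:20 * SECTOR + 3000] = b"\x7fELF" + b"G" * 2996
    return bytes(iso)
```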