Rany Battikh

MechaPwn exploit for PS2

A month after the Playstation 2’s Mechanics-controller, aka Mechacon, ROM has been successfully dumped, developer Triszka Balázs has released a follow-up exploit named MechaPwn (pronounced Mecha-pone) that aims at defeating one of the last security barriers of the PS2.

For the uninitiated, the Mechacon is an IC chip found on all Playstation 2 board revisions that’s basically responsible for applying game disk security. Starting from models SCPH-500XX, Sony opted for an ARM based Mehcacon codenamed Dragon. The MegaPwn exploit runs exclusively on Dragon-based consoles, namely later Fat (removed front i.Link port) and and all Slimline models with series numbers ranging between SCPH-500XX and SCPH-900XX.

The main attraction behind MechaPwn is turning any compatible PS2 into a region-free system that runs original and backup PS1 and PS2 discs.

NB: Region unlocking unfortunately does not work on pre SCPH-700XX NTSC-J and PAL consoles, but can be easily applied to all post SCPH-500XX NTSC-U and ASIA systems. 

In order to access MechaPwn on a PS2, a memory card entry point like FreeMcBoot and Fortuna is required.  The downloaded MechaPwn.elf file must be copied on to a USB stick, and then launched on the console itself via uLaunchELF, or any similar application. During its very first boot-up MechaPwn creates a console-specific nvm.bin (BIOS config) file on the root of the plugged USB stick. (It is highly recommended to store the file safely for later use) Once that’s done, the console must be completely powered down.

After power-cycling the console, and starting MechaPwn again, the user gets to choose between permanently changing the region of the system (CEX) or completely region-unlocking it (Retail-DEX). Unless you only want to run games from a specific region (e.g Japan), I recommend going with the DEX option as it turns a retail PS2 into a dev/debug console.

At this point, there is no need to run the exploit ever again unless the user wishes to revert back to the console’s original state, and that’s where the nvm.bin comes in handy. MechaPwn offers the option to restore the console’s original BIOS configurations by re-applying/installing the aforementioned file.

Make sure to select the subject console’s correct model number and its correspondent counter-part. Example: if the subject console’s model number is SCPH-90001, select DTL-H90XXX from the Retail-DEX menu. 

The MechaPwn-ed console can now read and run original PS2 discs from all regions as well as original and backup PS1 discs from all regions.

Running PS2 backup discs involves a few more steps:

  • Launching MechaPwn again and enabling Force Unlock
  • Power-cylcing the console and starting uLaunchELF
  • Inserting backup disc
  • Navigating to File Browser/Misc
  • Selecting PS2 Disc

Note that enabling Force Unlock might break PS1 and DVD-playback compatibility as the console will now recognize all inserted discs as Playstation 2-specific discs.

Even though PS2 mod-chips have been available for over a decade now, installing them is no walk in the park, regardless of the console’s board revision. The MechaPwn exploit seems to be a perfect software-based replacement for mod-chips, if the subject console is compatible.

Links:

 

 

For further discussion, follow me on Twitter: