The RLE decoder in OSDSYS has no boundary check at all. First, Fortuna is based on the exploitation of a buffer overflow vulnerability in OSDSYS. They are similar but have slight differences related to the payload and its load address.

Fortuna v1 and Fortuna v2 were both reverse engineered. CTurt’s FreeDVDBoot helped me polish the exploit implementation as well. His post was the starting point of what I’m about to describe here. The conjectures from were very useful, and they gave some insights however, was the first person that first described some technical details about Fortuna and how it works. Still, in the end, he decided to maintain this exploit in secrecy due to several reasons I'm not going to describe here.

Fortuna’s magic and the secrecy around it made me very curious, so I started reading posts from krat0s, CTurt, and in order to get some clues to reverse engineer Fortuna. At first, krat0s was willing to prepare a technical write-up about Fortuna’s internals. The vulnerability Fortuna is based on was described first by some years ago, and developer krat0s exploited it around a year ago. As an additional advantage, Fortuna does not require MagicGate Memory Cards (MCs).
Only one specific FAT console model: SCPH-500XX with BIOS v1.90

Fortuna is the newest MC-based exploit for PS2 consoles, allowing homebrew software to run on consoles with BIOS v2.30, which are incompatible with FreeMCBoot.

OpenTuna is now compatible with every PS2 console starting from SCPH-18000 up to SCPH-90010 and PS2 TV.

Since it is open source, it can be ported to other hardware versions, including TEST consoles.

Thanks to the added FAT compatibility, some TEST models can use OpenTuna as an MC-based exploit.

It allows embedding compressed and uncompressed executables in the exploit icon.
Good news! OpenTuna is now compatible with every PS2 console starting from SCPH-18000 up to SCPH-90010 and PS2 TV (ROM versions ranging from 1.10 to 2.30). OpenTuna is an open source version of "Fortuna", based on reverse engineering!
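The bug class named above, an RLE decoder with no boundary check, seen from the fixing side. This is an added example, not OpenTuna or OSDSYS code: the RLE format is constructed for illustration and the names `rle_decode_bounded` and `demo` are hypothetical. It shows the two checks such a decoder needs, one on the output buffer and one on the remaining input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed RLE format, for illustration only (NOT the OSDSYS icon format):
 * control byte c, n = c & 0x7f; if c & 0x80, copy the next n bytes literally,
 * otherwise repeat the next single byte n times.
 * Returns the decoded length, or -1 on truncated input or output overflow. */
long rle_decode_bounded(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t c = in[ip++];
        size_t n = c & 0x7f;
        /* The check an unbounded decoder lacks: n comes from untrusted data,
         * so compare it with the space left BEFORE writing. The subtraction
         * form cannot wrap because op <= out_cap always holds. */
        if (n > out_cap - op)
            return -1;
        if (c & 0x80) {
            if (n > in_len - ip)   /* literal run longer than remaining input */
                return -1;
            memcpy(out + op, in + ip, n);
            ip += n;
        } else {
            if (ip >= in_len)      /* byte to repeat is missing */
                return -1;
            memset(out + op, in[ip++], n);
        }
        op += n;
    }
    return (long)op;
}

/* Constructed sample streams (not taken from any real icon file). */
static const uint8_t SAMPLE_OK[]    = {0x03, 'A', 0x82, 'B', 'C', 0x02, 'D'};
static const uint8_t SAMPLE_LONG[]  = {0x7f, 'A', 0x7f, 'A'}; /* 254 bytes out */
static const uint8_t SAMPLE_TRUNC[] = {0x85, 'x'};            /* claims 5, has 1 */
static uint8_t demo_out[16];                                   /* small target */

long demo(const uint8_t *in, size_t len)
{
    return rle_decode_bounded(in, len, demo_out, sizeof demo_out);
}

int main(void) { return demo(SAMPLE_OK, sizeof SAMPLE_OK) == 7 ? 0 : 1; }
```

Without the first check, `SAMPLE_LONG` would write 254 bytes into the 16-byte `demo_out`; with it, the decoder returns -1 before any write happens.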