Retail PS2 Games with Debugging Symbols

I think any decent ELF loader shouldn't copy the debug sections to memory, so it wouldn't matter (well, much. There'd be some more seeking on the DVD compared to a stripped file...). No idea what the PS2 is doing though...

 

I don't think so. More likely to do with the disc layout and the actual game ID/logo data.

PS2 discs have two woobles instead of just one. The drive controller checks for the existence of the second wooble. Also, the logo display code needs the second wooble to retrieve a 8bit value which is then used in a XOR operation de-obfuscate the "PlayStation 2" logo bitmap. Without that the thing would hang at a black screen even if a fake disc managed to get that far.

Means it's impossible to make it display anything different of the PlayStation2 logo on a non tampered console during a disc boot. I'd say these are the reasons why they need to reuse bits of original discs. And they likely choose which discs to use based on how it's easy to "attach" a different data groove to the existing index of a licensed game they managed to dupe.

 

How do you find out which version of the PS2SDK a game was developed with?
I have another game to add to the list: 007 Nightfire, the Action.elf has full debug symbols, but I can't find any hint of which version of the SDK.

 

At the spot pointed as start for the .data segment (from elf header) on a PS2 IOP module you have a string such as this:
"PsIImcman 2800" (hypothetic example, in this case MCMAN.IRX) meaning it's the PS II mcman module for SDK 2.8.0.0

It's usual that games do stick to using matching version of SDK for IOP and EE side of code. EE code are embedded on the elf as libraries (.a files) at build time. IRX files would be supplied already compiled as part of the SDK unless they were game specific stuff like sound drivers or other proprietary things (USB drivers for custom controllers, modems or other unusual stuff that isn't part of the SDK)

 

As a result of the IOP kernel modules having to match the SDK used, you can also look at the IOPRP image filename. Unless the game developer renamed the file, it usually has a number in its name. For example, IOPRP280.IMG refers to SDK release 2.8.0.

 

Thank you l_oliveira and sp193, I checked both mcman.irx and the filename of the IOPRP IMG file and they matched perfectly for 007 Nightfire:
MCMAN.IRX has: PsIImcman 2430 = 2.4.3
IOPRP243 = 2.4.3

With this information I can write a script to loop through all my games and find out which version of the SDK they were developed in!

In theory if I can find unstripped binaries for each SDK I could try creating IDA pro FLIRT signatures for each version of the SDK.

 

You can scavenge the internet for official PS2 SDK files and analyze the .a files creating .sig files for IDA. Full symbols even for stripped elfs.

 

Thank you yes that's part of my plan, I have PS2 SDK version 3.0.3 from the amazing pool7 on this forum but I have been unable to find other versions of the SDK with working links.

So I'm hoping that by using unstripped games along with the library files from sdk 3.0.3 (and any other sdks such as Sn Systems ProDG) I can build up a useful library of Flair signatures.

This will hopefully allow for detection of functions that changed in different SDKS, along with any 3rd party middleware libraries.

I have attached the signature I got from 007 Nightfire, I have tested this on a few other games (Jackie Chan Adventures PAL) and it does detect some symbols, but I believe I can improve this by properly handling the signature collisions.

 

Thanks for the kind words
"v3.0 with docs from 2.7" was publicly leaked (not sure where originally or by whom, it was easily foud in torrents), and I think a couple other versions were shared by other members here, but my memory fails.
I'll take a look at my archives and let you know if I find another.
Good luck with this project, definitely interesting!

 

One more game to add to the list:
* LEGO Racers 2 - PS2SDK 2.2.4

Thank you very much! With your 3.0.3 SDK I have created the attached signature files .

If you come across any other SDKs please let me know, I had a look for other versions but links seem to be dead now and not sure where the torrent file was.

Next I will do the same for Renderware, SN systems SDK and Metrowerks SDKs, is there any other PS2 middleware sdks that have been publicly released?

 

The Korean Version of Rayman 3 (SLKA-25078) contains debugging symbols in the ELF. If this would be useful at all, PM me.

 

I have some questions about determining the PS2 SDK version.

1.) Sometimes, particularly in demos, the version numbers in IOPRP*.IMG and MCMAN.IRX don't match. For example, the Shaun Palmer's Pro Snowboarding Demo on this page says SDK Version 2.3.4, and indeed it contains IOPRP234.IMG... but
its MCMAN.IRX says PsIImcman 2300. In cases like this, should I prioritize the IOPRP*.IMG file? In fact, can I just skip the IRX files altogether and trust IOPRP*.IMG every time?

2.) On the same demo disc, there is also a Drakan demo. Instead of IOPRP*.IMG, there is simply IOP.IMG. So no version number... but if I open this file and search for "PsII", it gives me 2200 for the version number. On the other hand, MCMAN.IRX says 2210. Once again, can I trust the IMG file?

 

We're assuming that Sony actually updates the filenames and internal version numbers, but they could have made patch-level releases that did not.
For example, there were SDK 3.0.2 and 3.0.3, but the IOPRP image provided was IOPRP300.IMG.
It is possible that they only update the version numbering for libraries, only when they are either updated or they make a new (minor-level) releases (i.e. from 3.0.0 to 3.1.0).

If we assume that one cannot get IOPRP from release 2.3.4 without using SDK 2.3.4, it should have been built with SDK 2.3.4.
Even if they forgot to replace the MCMAN module, the EE-side libraries might have been linked with the SDK 2.3.4 libraries at compile-time as they made the final compilation. While it is not always possible to verify this because debugging information is often stripped out, you can also find those "PsII" module version strings within the EE ELF.

To know the actual filename of the IOPRP image, you can refer to the strings within its EXTINFO file, which is located near the top of the file.
For example, IOPRP300.IMG has this:

Code:

20031022-190110,conffile,ioprp300.img,xokano@rel-linux/~/tmp_30

 

From the Drakan demo I mentioned earlier:

Code:

20010326-184313,imageconf,ioprpXXX.img,xokano@rel-linux/iop/src/updatekernel/system/lib

"ioprpXXX.img". Guess I'm out of luck there.

That aside... I hope to collect games with debug symbols and have an automated way to scan them for the SDK version. Given the limitations of checking only IOPRP*.IMG or MCMAN.IRX, is there a more reliable way? What if I were to scan through the game's executable(s), the IOPRP*.IMG, and every IRX module for version numbers, then assume the highest number is the SDK version? Would that work reasonably well, or is there a better approach?

Edit:

Oh, does that mean if the debugging information is still present in the executable, I can use that to determine the SDK version? That would be handy, as I only plan to scan unstripped executables.

 

The IOPRP file can actually be named anything, so some developers probably renamed it so that they did not have to edit their code whenever they updated.

Since the highest version number you found was 2.2.1, that might be the answer.

Regarding the PsII strings, it is not debug information. I mixed it up with that.
So you should be able to just scan the ELF for things like that.

 

Does this stuff (debug symbols left in the binary) ever happen for PS3 games or does the PS3 do things in a way that this can't happen?

 

What is a debug symbol though?

 

Information used for the ease of debugging. There may be at least symbol information, which labels functions and variables.

 

I guess the PAL version of Hitman Blood Money has a 100 MB elf file!