Full exploit can be found here:
To make a long story short, the exploit allows anyone with a memory card and a valid, legal PS1 disc to hijack the boot process and run any piece of code.
Absolutely no modification to the system is necessary to use the exploit. All one really needs is a way to send the files to the memory card to enable the exploit.
PS1DRV parses a file called mc0:/BXDATA-SYSTEM/TITLE.DB (the X represents the PS2's region code) to load graphic parameters for the PS1 game that was loaded from the disc drive. There is a catastrophic buffer overflow in the parsing routine that allows one to overflow the stack and execute arbitrary code by rewriting the $RA register.
If we load up our own TITLE.DB, with an entry for every PS1 disc that we want to trigger the exploit, then we can take over the PS2 boot process as soon as the disc is recognized and PS1DRV is executed.
If you find another LEGAL exploit, feel free to add it to this topic.