Console hacker reveals PS4/PS5 exploit that is “essentially unpatchable”

https://www.youtube.com/watch?v=GIl1mR0HLnc?start=0&wmode=transparent

A proof of concept shows mast1core being used to load an external PS2 ISO into the system’s emulator.

Longtime console hacker CTurt has blasted what he calls an “essentially unpatchable” hole in the security of the PS4 and PS5, detailing a proof-of-concept method that should allow for the installation of arbitrary homebrew applications on the consoles.

CTurt says he disclosed his exploit, dubbed Mast1c0re, to Sony via a bug bounty program a year ago without any sign of a public fix. The method exploits errors in the just-in-time (JIT) compilation used by the emulator that runs certain PS2 games on the PS4 (and PS5). That compilation gives the emulator special permissions to continually write PS4-ready code (based on the original PS2 code) just before the application layer itself executes that code.

By gaining control of both sides of that process, a hacker can write privileged code that the system treats as legitimate and secure. “Since we’re using the JIT system calls for their intended purpose, it’s not really an exploit, just a neat trick,” CTurt said of a since-patched JIT exploit on the PS4’s web browser.

Getting in

To get control of the emulator, a hacker can theoretically make use of any number of known exploits that exist in decades-old PS2 games. While some of these can be activated just with button presses, most require using a known exploitable game to access a specially formatted save file on the memory card, leading to a buffer overflow that gives access to otherwise protected memory (similar exploits have been used in PSP and Nintendo 3DS hacks over the years).

This method is a bit limited, though, by the fact that the PS4 and PS5 can’t natively recognize standard PS2 discs. That means any exploitable game has to be available either as a downloadable PS2-on-PS4 game via PSN or one of the few PS2 games released as physical, PS4-compatible discs via publishers like Limited Run Games.

Getting an exploit-ready PS2 save file onto the PS4 isn’t a simple process, either. CTurt had to use an already-hacked PS4 to digitally sign a modified Okage Shadow King save file, letting it work with his PSN ID. Then CTurt used the system’s USB save import feature to get that file onto the target system.

https://www.youtube.com/watch?v=lyFNHGmbBsU?start=0&wmode=transparent

A previous CTurt hack showing PS2 homebrew running from a DVD-R on unmodified hardware.

With the basics established, CTurt walks through a complicated series of buffer and stack overflows, memory leaks, and RAM exploits that he used to gain control of the PS2 emulator. With that control established, he was able to access built-in loader functions to transfer a separate PS2 ISO file over a local network, then tell the emulator to load that game via a virtual disc.

While loading other PS2 games into an emulator is nice, CTurt’s real goal was to use this entry point as a way to run arbitrary homebrew code on the system. That process will be detailed in a future write-up, CTurt tells Ars over Twitter DM, alongside the privilege escalation necessary to run any code “in the context of a PS4 game.”

Hackers would still need to make use of a separate (and potentially patchable) kernel exploit to gain “full control” of a PS4, CTurt told Ars. But the mast1c0re exploit on its own should be enough to run complex programs “including JIT-optimized emulators and potentially even some pirated commercial PS4 games.” Mast1c0re could also theoretically be used as an entry point to compromise the PS5 hypervisor that controls low-level system security on that console, CTurt said.

Be the first to comment

Leave a Reply

Your email address will not be published.


*