PS5 Hack Arrives Nearly 2 Years After Console’s Release

While the PS5 console was previously privately exploited shortly after its release, it seems that information from a recent agreed disclosure between PlayStation and TheFloW has led to a public PS5 hack, but not without its obstacles.

For those following the PS5 hacking scene, you may have noticed some rather big activity in the last month; specifically from known scene hacker TheFloW, who recently published a disclosure on the HackerOne program that PlayStation has partnered with in order to squash bugs and major security flaws on their platform. This disclosure, as it turns out, detailed how a vulnerability reachable through BD-J (Blu-ray Disc Java) allowed TheFloW to gain kernel access on the PS5.

The crazy part about this is that the underlying vulnerability had already been patched on the PS4 two years ago, right before the PS5 even released, as TheFloW’s disclosure itself points out:

The PS5 is vulnerable to https://hackerone.com/reports/826026 which easily grants kernel access to an attacker. This vulnerability had been reported by me for the PS4 2 years ago when the PS5 did not yet exist, thus this should be considered as a new report and not a duplicate.

I was able to use this vulnerability in conjunction with the bd-j exploit chain to gain kernel access.

See https://www.freebsd.org/security/advisories/FreeBSD-SA-20:20.ipv6.asc for more details.

Impact

Gain kernel access on PS5.

With this information public, it didn’t take long for scene developer Sleirsgoevy to implement a “work-in-progress” kernel exploit based on the recent disclosures.

However, as the post stated, this was merely a “work-in-progress,” meaning it wasn’t fully ready yet. Well, four days later, scene dev Specter (and a handful of others who are listed on the GitHub page) finally shared the full exploit.

Do note that this exploit is only executable on consoles running firmware 4.03, which was released one year ago this month. That means if you have been using your console for online gaming since then, and have kept up with the latest updates, this exploit will not work on your system. Specter also warns of its low stability, and says it’s mostly intended for developers to play around with rather than the general public:

The exploit strategy is for the most part based on TheFlow’s BSD/PS4 PoC with some changes to accommodate the annoying PS5 memory layout (for more see Research Notes section). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such, it’s mostly intended for developers to play with to reverse engineer some parts of the system.

Also note; stability is fairly low, especially compared to PS4 exploits. This is due to the bug’s nature of being tied to a race condition as well as the mitigations and memory layout of the PS5. This document will contain research info about the PS5, and this exploit.

While the unfortunate side effect of this hack/jailbreak will undoubtedly be allowing the system to run pirated games (in its current state, the exploit does not allow this), there are some developers in the scene who may put its vulnerabilities to good use.

Take known Souls modder Lance McDonald. If you haven’t heard of him by now, we highly suggest you go check out his Twitter and all the contributions he has made to the Souls franchise, as well as other titles.

However, one of his biggest achievements has certainly been his work on getting Bloodborne, a game locked at 30fps with frame-pacing issues, to run at an unlocked 60fps with the frame pacing fixed. This has been a long-requested feature from PlayStation fans ever since the PS4 Pro first released. And with the PS5 seeing many old games get 60fps patches, some had thought that Bloodborne would eventually be amongst those titles. Sadly, we’re still waiting, and the only known way to play Bloodborne at a higher frame rate is via jailbreaking a PS4 or PS4 Pro, and even that isn’t stable.

There was a glimmer of hope for the future, however, as Digital Foundry were unexpectedly sent some footage of Bloodborne using Lance’s 60fps patch and running on the PS5. The result? Well, check it out yourself.

https://www.youtube.com/watch?v=lOn2ludP6gM

Bloodborne isn’t the only PS4 title that has yet to be officially patched but has received an unofficial one: developer illusion has been working on unlocked-FPS patches for a number of PS4 titles, such as Gravity Rush, Driveclub, and more.

And then let’s not forget the amount of homebrew the PS4 received during its lifespan. There are certainly some positives, though understandably, they probably won’t outweigh the negatives. That does beg the question: what exactly does this exploit mean for online gaming on PlayStation?

Firmware Updates Should Keep Online Cheaters at Bay

One of the biggest concerns with the PS5 now being publicly hackable is that it will bring an onslaught of online cheaters. This has been a major concern ever since the PS3 days, when hacking was widespread. The PS4 saw a drastic reduction in online cheating, though it still existed to some capacity, such as save modifications.

However, anyone following the scene would already know that a number of these exploits were only achievable on consoles running a specific firmware, and never the current one required to play online. That means only a small number of people were actually able to hack their consoles, due to the limited range of supported firmware.

The same is true for the PS5, as the exploit was apparently fixed back in September of 2021, a full year ago. That is also part of the reason these hackers/security researchers are allowed to disclose the bugs now instead of a year back.

With the PS5 in high demand, and stock constantly short, chances are very slim that you’ll find a console out there that is capable of being exploited. And even if you did, you wouldn’t have any way of going online with it. Unlike the PS4, the PS5 also locks users out of copying their game saves to and from the console. While hacked consoles will most likely circumvent that, you’re going to have a hard time bringing those modded saves onto a legit PS5, since there is no option to copy PS5 saves back onto a legit console via USB.

Of course, users can mod their PS5 saves and games, update their console, and go online, but then they would be locked out completely from jailbreaking, since there is no known way to downgrade firmware, and if there were, no doubt it wouldn’t be an easy process for most users.

So to summarize, PS5 owners shouldn’t have to worry much about encountering an online cheater who is on PS5, unless the title in question has a PS4 version with cross-gen save support, in which case the point of entry would be the PS4 side. This is solely based on current knowledge and how things have played out in the past, so it could all change down the road.

We hope not, as we definitely don’t need any more cheaters than there already are, especially with cross-play becoming more standard and bringing PC into the mix.
