Can BD-J lead to a PS4 hack?
Can we use the support of Java on Blu-Ray discs to hack the PS4? The question is pretty much as old as the PS4 itself, but keeps resurfacing regularly. Not so long ago for example, someone claimed they had found a vulnerability in the BD-Live implementation of the PS4 (that one turned out to be pretty much a hoax, though).
BD-J Lets us run homebrew on the PS3 and PS4
Rumors set aside, the PS3 is actually able to run limited homebrew on Blu Rays thanks to BD-J. Unsurprisingly, it was found a while ago that the PS4 has similar functionality. Yes, you can run a NES emulator in Java on your PS4, through the BD-J SDK. Proof of concept videos, and even ISOs everyone can burn on their own Blu Ray to play with, have been around for almost 2 years.
The system is of course not without limitations on the PS4, one of them being that sound doesn’t work (although people have pointed out that sound could be a possibility with some tweaks).
The video below showcases a NES emulator running on the PS4 through BD-J. This was done more than a year ago! This is not technically a hack, but unsigned code execution could lead to more:
Details and tools for BD-J on the PS4 can be found on playstationhax, at least for the links that are not dead (Did I mention this was done 2 years ago?), and I encourage people to keep the discussion alive, there or on our own forums.
Regularly, scene members ask if this could lead to something more. Interestingly, it seems the possibility to investigate BD-J potential flaws on the PS4 hasn’t been looked into very seriously over the past few years by hackers. As scene veteran GregoryRasputin puts it on playstationhax: “The tools are here, but not everyone can be bothered or think it’s worth playing homebrew from a Blu Ray disc with no sound”. Additionally, it’s likely not everyone has a Blu-ray burner lying around, and would be willing to shell the cost of the Blu rays for experiments. (Although you can find those for pretty cheap nowadays)
Can BD-J be exploited?
Of course, the real question here is not what kind of homebrews we could program in the limited BD-J environment, rather if the Java interpreting environment could give us access to more than that, potentially through vulnerabilities in the JVM.
Wikipedia says: “Security in BD-J is based on the Java platform security model. That is, signed applications in JARs can perform more tasks than a non-signed, such as Read/Write access to local storage, network access, selection of other titles on the BD-ROM disc, and control of other running BD-J applications.”
So, we can run unsigned code, but under stricter conditions than if it could be signed.
The question still remains to understand if some level of privilege escalation could be achieved. Blu Ray players have been the target of vulnerabilities involving BD-J recently (see here on Blu-Ray sandbox escape and here on rooting Blu-ray players). Security Research Stephen Tomkinson in particular says:
The Blu-ray specification not only provides superior video quality over the previous generation of DVDs, it also supports a richer interactive user experience, with dynamic menus, embedded games and access to the latest trailers downloaded from the Internet. These rich features are built using BD-J, a variant of Java which allows disc authors to build a range of user interfaces and embedded applications, structured into Xlets. Xlets are analogous to the web’s Applets which have long been a source of security concerns.
Anyway as stated I set out to discover and exploit weakness which could yield a credible threat scenario against both software and hardware Blu-ray players… and I succeeded!
So it’s not impossible to imagine that the software on the PS4 blu-ray player could be exploited as well. It seems what it would take here is a few skilled people with the right amount of time and interest to dig into this.