PS5/PS4: Hacker TheFloW discloses Blu-ray Disc exploit toolchain. PS5 piracy not a matter of “if”, but “when”
Hacker TheFloW has disclosed a series of Blu-ray exploits that impact PS4 and PS5 (and likely PS3 too). When chained together, the exploits can lead to loading pirated discs on PS5, and a full Jailbreak on PS4, the disclosure says. What’s more, the exploit is “100% reliable”, a big contrast with recent WebKit-based exploit chains on PS4, which require a lot of retries.
Important update: The hacker has taken to Twitter to clarify that PS5 pirated discs are not what was meant. We try to shed some light on the latest info here.
Sony have patched the issues in PS4 9.50 and PS5 5.00, following disclosure by the hacker through their HackerOne bounty program. In other words, PS4 is impacted up to Firmware 9.03 included, and PS5 up to 4.51 included. The PS5 Digital edition is, of course, not impacted by the issue, since the exploit requires inserting a malicious disc in the console.
PS5 and PS4 Blu-Ray exploits
The security researcher has disclosed a series of 5 exploits at the hardwear.io security conference. They impact both PS4 and PS5, except for one that is PS4 specific and could lead to a Jailbreak. Although his slides and the video of his presentation are not up at the time of this writing, we are being told these will make it online eventually.
PlayStation have accepted the request for disclosure by TheFlow, and as such the details of the exploits can be found on HackerOne (no proof of concept file).
The 5 exploits are described as follows:
- The class com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl deserializes the userprefs file under privileged context using readObject(), which is insecure.
- The class com.oracle.security.Service contains a method newInstance which calls Class.forName on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in sun.), to be instantiated.
- The class com.sony.gemstack.org.dvb.io.ixc.IxcProxy contains the protected method invokeMethod which can call methods under privileged context. Permission checks in methods can be bypassed.
- (PS4 only) The “compiler receiver thread” receives a structure of size 0x58 bytes from the runtime process. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive.
- The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow.
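As an added illustration (not code from the report, from Sony, or from the BD-J stack), here are the first two bug classes listed above, an untrusted file handed to readObject() and Class.forName on a caller-chosen name, each next to the mitigation a defender would apply. The class PrefsLoader, the file path and the allow-listed class names are hypothetical.

```java
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

// Hypothetical illustration of the two Java bug classes from the report.
public class PrefsLoader {

    // Vulnerable pattern: any serializable class on the classpath may be
    // instantiated while deserializing, so whoever controls the file decides
    // which readObject() implementations run inside the privileged caller.
    static Object loadUnsafe(Path prefs) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(prefs))) {
            return in.readObject();
        }
    }

    // Hardened: an ObjectInputFilter (Java 9+) rejects every class that is
    // not explicitly expected ("!*" denies the rest) and caps graph depth and
    // array sizes so the stream cannot steer the loader into unexpected code.
    static Object loadFiltered(Path prefs) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.*;!*;maxdepth=4;maxarray=1024");
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(prefs))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Vulnerable pattern: the caller picks the class, so restricted packages
    // can be instantiated on behalf of privileged code.
    static Object newInstanceUnsafe(String className) throws Exception {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // Hardened: resolve only names from a fixed allow-list, never the raw string.
    private static final Set<String> ALLOWED = Set.of("com.example.app.DefaultCodec"); // placeholder
    static Object newInstanceChecked(String className) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new SecurityException("class not permitted: " + className);
        }
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }
}
```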
PS5 Piracy incoming?
Although this is technically not a kernel exploit, this series of exploits is enough to do significant damage: TheFloW concludes his report stating that shipping pirated discs on the PS5 becomes a possibility. The discs would include the vulnerability and load a pirated copy of the game. On PS4, he states that kernel exploitation (and therefore a jailbreak) becomes trivial with this series of exploits.
PS4:
- An ELF loader can be written to load and execute pirated games.
- Kernel exploitation becomes trivial as there is no SMEP and one can simply jump to user with a corrupted function pointer.
PS5/PS4:
- With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
The report in itself does not include proof-of-concept code, but probably enough details for other hackers to look into the issue and reproduce the exploit chain. From there, I’m guessing creating ELF loaders to load pirated games becomes a possibility, although possibly not as “trivial” for everyone as for someone with the mileage of TheFloW.
You can find Blu-ray burners for reasonably cheap on Amazon and other retailers (make sure they support BD-RE and Dual Layer DL). TheFloW has specified he used Rewritable Verbatim discs (BD-RE) in his experiments. As far as I’m concerned, I’ll go cry in a corner with my PS5 Digital Edition.
Source: TheFloW
Pictures from the hardwear.io conference organizers and/or attendants: @ministraitor, @hardwear_io
No matter what you think of it, or if you care about it, The Flow0 is more than a hacker, more than a genius, he’s a true legend !!
if this bears fruit on the PS3 – 4 – 5 idk if legend is even the right word.
wow this is great news for the scene!
Guessing disc ps5s will be in high demand soon
Holy ***, that’s huge
that’s what she said
Exciting stuff
Bluray writers gonna become popular among the scene soon?
Wow feels like I’m going back in time to burning ISOs to disc for my Xbox 360! Fortunately I have a physical edition PS5 so… time to pick up a BD burner. Bring it on!
The Flow is such a sellout for disclosing this to Sony, I remember when he went by the name total_noob and his and only his version of TNV was the best way of running unofficial copies of PSP games on the PS Vita, now he’s stooping to a new low selling out an exploit to Sony for $$$, he is a fraction of what he once was back in the PS Vita hacking days with his good-guy white-hat hacker disclosing exploits to Sony first so they can patch it before releasing it to the public, either way I’m a PC gamer so I don’t have to worry about Jailbreaking anything, only thing I got to worry about is Denuvo in PC games but we have someone who’s honest for that EMPRESS who is no sellout and would never ever release an exploit to Denuvo even if they paid her millions of $$$
I’m sure he cares about your autistic opinion more than the tens of thousands of dollars he has from Sony.
So he should disclose the hack to you. So you can take the heat and get sued for millions.
achilles613 doesn’t mind getting sued or going to jail. Give him the hack.
yeah because he owes you or the scene anything you entitled ***
most people who jailbreak their console have piracy in mind, booting up an N64 emulator to play legend of zelda ocarina of time on a PS Vita with ARK or TNV is a form of piracy even if it’s legal because the games are considered abandonware it’s still piracy, you’re playing an official copy of a game taken from a ROM website on a console that Sony doesn’t explicitly allow, also jailbreaking phones and certain devices in the US are legal but doing it on consoles isn’t so you’ve already crossed a threshold, playing a homebrew game that’s basically a port of DOOM on DOS or Quake for the PS Vita is a form of piracy, so it’s the same thing and no different with running an unofficial copy of a PS5 game on a PS5, if you think someone only wishes to jailbreak their PS5 so they can reinvent a homebrew Indie Pong from the 1970s I kid you not, most people who eagerly await their exploit for PS5 wish to use one way or another unofficial copies of games whether they’re PS5, N64, Gameboy, Retro, Ports, etc., this is why it’s crazy how The Flow decided to be a sellout by selling it to Sony to patch and exploit before releasing it to us, ever wondered why wololo hasn’t had any articles on the Xbox One scene, it’s because Microsoft allows people to develop Homebrew which makes jailbreaking the Xbox One now clear that it’s for piracy purposes, Homebrew is simply a method to legalize and justify being a pirate, you think someone who owns an Xbox One would really care about downloading a Pong homebrew, or would they be more inclined to play emulators which I have no idea if Microsoft allows or not, also many other Homebrew that aren’t ports allow you to use your device or enable extra features that somehow benefit piracy like all these tools for PS Vita and such being released, so kid yourselves not, the only exceptions I can think of where jailbreaking a console wouldn’t be for piracy purposes is to either run a Render Farm or for Cryptomining, otherwise most people when thinking of jailbreaking a PS5 look forward towards playing unofficial games on it, whether it’s actual PS5 games or emulators and ROMS that are copyrighted or native ports of copyrighted games that are Retro
Lmao if you had the opportunity you would too. Let’s be real, either way he said it would work on PS4 FW “< 9.50” so honestly, as long as you took instructions from the latest PS4 Jailbreak, you should still be able to jailbreak as long as a jailbreak comes out. So stop ***
No way anybody is going to be burning BD discs. PS5 games are on multilayer 4K discs too, I don’t even know if such writable discs exist. But maybe it can be used as an entry point.
Bruh he literally said the exact type of disc he used.
I want to bang my head… bought a PS5 Digital Edition and have not been playing while waiting for this disclosure…
The only reason this sellout is disclosing and hyping this up is because he’s already made bank from Sony and they both know this won’t ever become a thing in the wild.
He’s just a shill for Sony at this stage – ‘look what you could have had, losers’
No. Just no.
Most people interested in hacking their consoles keep them on low firmwares. If YOU didn’t, that is YOUR fault. If you are on a low firmware you won’t have any issues. Theflow selling to Sony makes him money, yes, but it keeps him on the right side of Sony, AND he is one of the few Bug Bounty folks that disclose their exploits to people other than Sony.
So to recap, people that want to hack get an exploit chain, theflow gets paid for his work, and the only idiots who are mad are those that don’t stay on a low firmware.
Literally everyone wins the way theflow approaches things.
Need to tell that achilles guy this
@achilles613 – (rant). You are jealous he is making money off his talent, you can’t blame him for that. You are welcome to exploit these vulnerabilities too.
*** life I’m on 5.02
Good work again from the flow. But PS5 doesn’t even have any games worth pirating right now. At least that means my PS5 doesn’t have to worry about finally being taken out of its box, where it’s been sat since Dec when it was delivered. Am tempted to leave it sealed forever and sell it for £10k in 30 years’ time 🙂
@achilles613, what an absolute bell end you really are. I bet you would say “No Sony, I don’t want your money, I prefer being bent over in prison.”
Same goes to all the others who are crying that he used his skill and talent to make some $$$, I don’t blame him at all. If only there was a way to stop all these moaning knobs from actually using anything related to this exploit when it becomes useful 🙂
And to all you PS5 owners who just want this to pirate games… Don’t buy a console if you can’t afford to buy the games you want to play. You do not have a god given right to be able to play these things 🙂
I see TheFlow as a person who has been doing a big favor to the industry as he is pushing the software limits so the engineers from these companies (Sony, Nintendo, Microsoft, etc …) can improve their products in terms of security.
Certainly Microsoft (and other not games related companies) have an eye on this kind of revelation as Xbox also has a Blu-ray disc tray.
At the end of the day, TheFlow is the one responsible for helping the industry to improve their security software. That’s a great accomplishment.
I have to agree (though the vitriol doesn’t help your point). All I see here is an entry point that could’ve lasted the community a few months at the very least, being sold for cash while expecting the same applause of a proper scene release. Another fool trying to have their cake and eat it too.
Empress is a bad example to point to. She is illegally monetizing her work, regularly goes on racist and sexist rants (the real deal, not the Twitter kind), doesn’t credit her raw sources, and goes after other elements of the scene without reason. She’s the exact archetype who’d sell out given a big enough paycheck (probably ~$450,000), and blame the scene for it.
As long as EMPRESS delivers cracks I don’t give a *** where he gets his releases, who he hates and/or which colour of humans he doesn’t like. Sellout trash like the flow who literally sells 0day exploits for pennies which could be earned in less than a month in the US is the real problem, yes.
I agree using EMPRESS might not be the best example but think about this, there’s a huge difference between collecting first $500 from pirates to crack a game vs offering her reverse engineering tech and exploits to Denuvo for billions of $$$, if The Flow would only release a hack that’s encrypted so it’s difficult to debug for $500 that would be understandable but selling it to Sony so they can screw over people who don’t want to pay for their games is just a complete form of being a sellout
Honestly $20,000 reward for the exploit isn’t enough pay from SONY. We as a community could’ve gotten more money together for him not to send it via the bounty program and just anonymously release it for the homebrew scene.
So if I purchase a brand new PS5 right now, is it vulnerable to this?
All that hype for “webkit” launched from blu-ray xD
What about his later comment:
“I wanted to clarify: Without a kernel exploit, you won’t be able to run any pirated games (which would have worked on the PS4 only anyways), because we don’t have enough RAM in the bd-j process and there are some other constraints. It was only a theoretical impact.”
Isn’t this the opposite of the info in the article? No backup games will load, huh?
Yeah… might have been a misunderstanding (on my end) even though his statement in the report is very clear: “With these vulnerabilities, it is possible to ship pirated games on bluray discs.”
We’re trying to shed some light here: https://wololo.net/2022/06/12/more-details-surface-on-the-ps4-ps5-blu-ray-exploits/
To those uninitiated, Sony has to make a huge buck with the recently released games for now. Afterwards I’m pretty sure they’ll let them exploits and JBs slide like nothing.
@theman the thing you don’t get (and the others complaining don’t get) is a homebrew-only release would get you a usable exploit for 1, maybe 2 months before being patched and we would be right back at the same spot.
Wow. First off, why and how come. I own a ps4 pro and would be super sad if I rendered my connection to the entire world disconnected or banned or made *** by some ***. Even the FF7 remake won’t let me pay for a ps5. My wallet is crying at me, every game now is the next HBO special of drag on and on and then more ***. Interested yes, but way more confused and plainly ***.