More details surface on the PS4/PS5 Blu-ray exploits
PlayStation hacker TheFloW gave the scene an electroshock yesterday by revealing an exploit chain using Blu-Ray discs on the PS4 and the PS5. The security researcher stated in his disclosure that these exploits could lead to “trivial kernel exploitation” on the PS4, and pirated discs on the PS5.
Past the initial excitement, we’re left with a lot of questions, for which answers are slowly bubbling up. Here’s what we understand so far. (As always, if there’s something that you feel we got wrong, please let us know in the comments!)
I heard there was big news yesterday. Where’s the hack for my PS4/PS5?
Legendary PlayStation hacker TheFloW revealed a chain of exploits for the PS4 and the PS5 yesterday at a conference, using vulnerabilities in the Blu-Ray driver used by both consoles. Theoretically, these exploits could lead to a Jailbreak on PS4 and possibly pirated discs on the PS5, but:
Nothing’s been released that could be directly leveraged by end users. At this moment, what we have is a (quite precise) explanation of what vulnerabilities exist on the consoles, and where in the code of the firmware. Compiling all of this information into a working proof of concept for either console is “left as an exercise to the reader”. Then, assuming someone reproduces what TheFloW has described in the report (a kernel panic), this still needs to be associated with more discoveries (such as a kernel exploit) to be turned into a full fledged Jailbreak.
In other words: it could be months before something usable by the end-user comes out of this. As a good reminder, it took multiple months for seasoned hackers to release a PS4 7.55 Jailbreak after another disclosure from TheFloW back in 2021, despite the disclosure being fairly detailed.
What are the implications of this disclosure for the PS4?
Assuming an actual implementation of the exploit chain gets released:
For people running on Firmware 9.00 or lower, you can already Jailbreak your console. One could imagine that this exploit chain gets paired with existing Kernel exploits (we’re assuming here that the kernel exploit functions can be accessed from within the BD context). TheFloW has stated this exploit is 100% reliable, meaning people would expect a 100% stable Jailbreak on PS4. This would be an improvement compared to the current Jailbreaks, which sometimes require multiple retries due to the randomness of the underlying userland exploit (Webkit exploit).
For people running on Firmwares 9.03/9.04: TheFloW has stated that with this exploit chain successful, Kernel Exploitation is “trivial, as there is no SMEP and one can simply jump to user with a corrupted function pointer“. The way we’re reading this here is that implementing privilege escalation (a Jailbreak for PS4 9.03/9.04) in this context could be very easy. Take this with a pinch of salt here, what’s “trivial” to TheFloW might still require a lot of research for other people.
For people running on Firmware 9.50 or above: PlayStation have patched the security holes in 9.50 so there’s nothing for you here. Try to get your hands on a lower firmware PS4 when you get the chance. At the very least, stop updating your console if you expect to Jailbreak it.
Would this exploit mean the return of pirated discs on the PS4, and the need to burn dozens of Blu-Ray discs e.g. for homebrew or emulators?
Most likely not. The fact that the exploit uses Blu-Ray vulnerabilities to run does not limit users to this format after successful exploitation: the Blu-Ray vulnerability is the “entry point” to unlocking the console. Once a Jailbreak is active in RAM, loading homebrew (and yes, pirated games) would most likely work the same way it always has: install it on the console either via USB or FTP from one’s computer, then run it from the PS4 Hard drive.
What does this Blu-Ray exploit mean for PS5 hacking and piracy?
TheFloW initially stated in his report that this exploit chain could easily lead to pirated discs. Because this is a not a kernel exploit per se (no full access to the console), actions within the BD context would be limited, but in his report the hacker was confident that this could lead to the creation of pirated discs. The report didn’t mention whether this was for PS4 or PS5, implying both:
The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow.[…] With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
He has since taken to Twitter in order to clarify this:
I wanted to clarify: Without a kernel exploit, you won’t be able to run any pirated games (which would have worked on the PS4 only anyways), because we don’t have enough RAM in the bd-j process and there are some other constraints. It was only a theoretical impact.
— Andy Nguyen (@theflow0) June 11, 2022
So, this is pretty important here, for people who thought this was going to lead to instant piracy: the path to PS5 disc piracy is not straightforward from this point, and it seems the hacker meant specifically PS4 games. It could also be that TheFloW might simply just try to cover himself legally speaking: of all the points in the disclosure, the threat of PS5 piracy is probably the least interesting from a technical level, but the most threatening for Sony’s business.
There still possibly exists a path that leads to disc piracy for the PS5 here. Whether “entrepreneurs” will figure it out quickly and start selling pirated games is anyone’s guess.
As far as hacking goes, this unlocks a pretty significant door inside the PS5’s security, that other hackers might start using to dig into the PS5’s internals. Once that breach is here, this could lead to more discoveries for tinkerers. How soon, depends on how quickly people are able to reproduce, and distribute TheFloW’s findings.
Is the PS3 impacted by these exploits, and if so what would it mean for the PS3?
The PS3 is pretty much hackable for the most part, thanks to PS3Xploit,PS3Hen, and Hybrid Firmwares, but more exploits couldn’t hurt, and might help toward full CFW for the hardware revisions that are still incompatible.
TheFloW has stated the PS3 is impacted by the exploit as well, we imagine because it uses the same driver as its younger sisters. But it’s possible he hasn’t worked on a full fledged implementation for that console, and that details need to be ironed out. Differences of implementations could mean the exploit chain isn’t working, or not easy to implement on the PS3. Zecoxao has told us people are looking into it:
we’re working on it, don’t worry 🙂
— Control_eXecute (@notzecoxao) June 11, 2022
So it’s safe to update my PS5/PS4 to X.XX then?
Well… Although TheFloW states his exploit chain was fixed on PS4 9.50 and PS5 5.00, there are other exploits lurking around on the console, that could prove to be required. A PS5 kernel exploit was patched in PS5 4.50 according to Zecoxao, and it could be key to full access to the console. The rule of thumbs remains the same: until something concrete is released, avoid updating your console. This is true for PS4 and PS5.
kernel exploit got patched in 4.50
— Control_eXecute (@notzecoxao) June 11, 2022