mast1c0re PS4/PS5 Hack: CTurt reveals unpatched userland exploit within the PS2 emulator
PlayStation hacker extraordinaire CTurt has disclosed an unpatched exploit for the PS4 and PS5 that uses the consoles' integrated PS2 emulator as an entry point. In the current state of his disclosure, the hacker explains that the vulnerability would allow tinkerers to run pirated PS2 games on the PS4/PS5 (and, one can assume, PS2 homebrew). He also promises more to come, specifically native PS4 homebrew execution (PS4 userland).
Nicknamed mast1c0re, the exploit was reported to Sony by CTurt one year ago, but the developer was only allowed to disclose it publicly now. The exploit, according to the hacker, remains unpatched, meaning the recently released PS4 Firmware 10.00 and PS5 Firmware 6.00 are apparently vulnerable.

CTurt sent details of the exploit to PlayStation a year ago, but was only allowed to disclose it publicly now
CTurt shared a full writeup of the exploit, as well as a video showcasing it being used to load another PS2 game from within the emulator process (writeup and video links below).
mast1c0re – What’s the PS4/PS5 userland hack about?
Hacking a console typically requires two levels of exploits: an entry point that you can access within the restricted limits you have as a user of the console, and a privilege escalation exploit (jailbreak). In practice things can get much more complicated than that on modern systems with many other security measures to defeat (ASLR, DEP,…), but the basic idea is always: entry point, then privilege escalation.
In this case, the mast1c0re exploit, as described in CTurt’s first document, is the entry point: because the PS4 and PS5 can run PS2 games within an integrated emulator, existing PS2 gamesave exploits can be reused to get code execution inside that emulator process on the PS4 and PS5.
This is a significantly different approach from using WebKit vulnerabilities, historically the main entry point for PS4 exploits. For people who have been on the hacking scene for some time, though, this is a throwback to the good old days: the PSP leveraged savegame exploits heavily as entry points and, closer to what is being achieved here, the PS Vita used those same PSP exploits to offer limited hack support, specifically enabling PSP homebrew in its early days.
mast1c0re – PS4 userland homebrew next?
In the current state of his explanations, CTurt describes that the hack allows arbitrary code execution within the PS2 emulator. In other words, it is possible to run PS2 games and PS2 homebrew on a PS4 (or PS5) through this hack. This is very similar to what VHBL allowed back in the PS Vita days (PSP homebrew within the PSP emulator of the PS Vita).
But he promises there is more to come in a “part 2” of his writeup, namely a (userland) PS4 homebrew environment. That step would require additional exploits to escape the PS2 emulator and peel off one layer, reaching native PS4 userland. How the hacker achieved this remains to be seen.
mast1c0re – What’s the status right now, and what do I do?
CTurt claims that the vulnerability is, in essence, “unpatchable”: as long as exploitable PS2 games are available to download, leveraging this specific vulnerability should remain possible. He states he disclosed the vulnerability to Sony more than a year ago, and that they decided not to patch it.
Assuming this exploit leads to user-friendly releases (no doubt it will), a game of cat and mouse could start between PlayStation and hackers, just like in the VHBL days: a new exploitable PS2 game is found/announced, people rush to buy and download it before Sony removes it (temporarily?) from the PSN. Rinse and repeat.
The game that CTurt has used for his ongoing work is OKAGE: Shadow King, an exploitable PS2 game. Now, before you rush to buy the game, the devil’s in the details and there are a few things to understand:
- This game has been announced as leading to an exploit, and is still available on the PSN at the time of writing. How long it will stay on the PSN before Sony pulls it is anyone’s guess. Could be today, could be next week, could be never. Once it’s pulled, this chance is gone, but other exploitable games will likely be revealed in the future.
- Nothing has technically been released yet. There is a non-zero possibility that this leads to nothing useful for the end user.
- Currently what’s being announced is PS2 homebrew, and possibly PS4 Homebrew.
- Nothing about a full PS4 jailbreak, which would require a privilege escalation exploit (kernel exploit). This means, in particular, no PS4 piracy.
- Although CTurt says the PS2 exploit is basically unpatchable, the next level (PS4 userland) might not be. There are rumors that a PS4 firmware 10.1 is coming soon, and that could be related to what CTurt will disclose next (mast1c0re part 2).
- Although CTurt mentions the PS5 as being vulnerable, most of his work appears to focus on the PS4. PS5 compatibility might only be theoretical at this point, in particular for end users.
- Crafting the right PS2 savegame for your PS4 console requires a way to encrypt and sign the savegame for your specific PSN ID. This means someone with an already hacked PS4, or more advanced means, needs to do it for you. Although the community will very likely be able to provide services for that, this is not as straightforward as your typical hack. Specifically, from CTurt: “With one of these exploits, a PS4 save file containing the crafted PS2 memory card can be encrypted and signed for any PSN-ID by anyone with a hacked PS4 on any firmware (or just a PC if they have the decapped SAMU keys), and then imported to the target PS4/PS5 using the USB save import feature in Settings.”
Based on the above, understand that the game costs $10. To some, this might be a lot of money for something with no guarantee. Don’t jump the gun and buy a PS2 game expecting something it’s not.
mast1c0re – More details
For more details on the vulnerability, check CTurt’s writeup, as well as the video below.
Stay tuned here on wololo.net as there will be fast developments on this one for sure!
Source: CTurt
So this requires us to update the console to the latest firmware version? Haven’t touched my PS5 since the beginning of 2021.
I wouldn’t upgrade just right now if I were you. A lower firmware PS5 is much more valuable than getting the PS2 exploitable game, in the current state of things.
Well, great, but how do you put a PS2 save (VMC) on the PS4 or PS5 in the first place? The PS4 can export and import it, but the PFS static keys for USB weren’t published, so we cannot sign a “save” to be imported via USB.
Very good point. That’s the “devil’s in the details” part of the article, I do feel there are lots of questions here around signing saves.
I already bought the game a while ago. I have 2 PS4 Pros that are low enough just waiting to be hacked as well as a PS5 that already has my account on it. Can’t wait for more.
Cool that 10.00 is vulnerable.
Uncool how all these hackers keep snitching to *** Sony. I do have to wonder where we’d be if they didn’t do that ***.
They’re getting paid a LOT to do it, and Sony has allowed many of the vulnerabilities to be published. So, I’d say it’s a win on both sides. Hackers get paid to do what they already love doing, and the scene gets the releases after Sony has patched them.
Beforehand, hackers would wait to release an exploit AFTER it was already patched, so we wouldn’t see the exploit publicly for a long time anyway.
I wouldn’t call it snitching…. Most of them are getting paid. That was a smart move by $ony.
Not sure I like this... I get the feeling Sony will be removing the PS2 emulator as a result, like what they did with OtherOS on the PS3.
My PS4 Pro is still on 9.60. Should I just stay on this FW?
Don’t change anything until something actually usable is released.
$ony can burn in heck.
@Ohno
There is no PSX/PS2/PSP emulator in the PS4 and PS5 firmware. Each game developer prepares an emulator build for its own game, so it is possible that all vulnerable games which don’t get updates will be deleted from the store.
So the emulator is built inside the game itself?
I’m on FW 10.00 (a little *** of a czn updated it).
So it means I’m good, as it’s still vulnerable/not patched, I guess, as per the article?
@Alex Yes. Each game uses its own emulator optimized for exactly that game (a different build, with patches and resources like trophies, textures, objects etc. depending on the game). In the case of Sony platforms it is Sony’s emulator (with a powerful scripting engine, far, far more than on the PS3), but it is distributed standalone with the game. All hope for this exploit lies in emulated games distributed physically (or in the assumption that the PFS keys for USB ever leak, because currently you have no way to import a virtual memory card, with a hacked emulated game save inside, to the console).