mast1c0re PS4/PS5 Hack: CTurt reveals unpatched userland exploit within the PS2 emulator
PlayStation hacker extraordinaire CTurt has disclosed an unpatched exploit for the PS4 and PS5, using the integrated PS2 emulator as an entry point. In the current state of his disclosure, the hacker explains the vulnerability would allow tinkerers to run pirated PS2 games on the PS4/PS5 (and, one can assume, PS2 homebrew). But he also promises more to come, specifically PS4 native homebrew execution (PS4 userland).
Nicknamed mast1c0re, the exploit was disclosed to Sony by CTurt one year ago, but the developer was only allowed to disclose it publicly now. Nonetheless, the exploit, according to the hacker, remains unpatched, meaning the recently released PS4 Firmware 10.00 and PS5 Firmware 6.00 are apparently vulnerable.
CTurt shared a full writeup of the exploit, as well as a video showcasing the exploit used to load another PS2 game from within the emulator process. (writeup and video links below)
mast1c0re – What’s the PS4/PS5 userland hack about?
Hacking a console typically requires two levels of exploits: an entry point that you can reach within the restricted limits you have as a regular user of the console, and a privilege escalation exploit (jailbreak). In practice, things can get much more complicated than that on modern systems, with many other security measures to defeat (ASLR, DEP, …), but the basic idea is always the same: entry point, then privilege escalation.
In this case, the mast1c0re exploit, as described in CTurt’s first document, is the entry point: leveraging the fact that the PS4 and PS5 can run PS2 games within an integrated emulator, and reusing existing PS2 gamesave exploits, it is possible to use that PS2 emulator as an entry point on the PS4 and PS5.
This is a significantly different approach from using WebKit vulnerabilities, which have historically been the main entry point for PS4 exploits. But for people who have been on the hacking scene for some time, this is a throwback to the good old days: the PSP relied heavily on savegame exploits as entry points, and, closer to what’s being achieved here, the PS Vita also used these same PSP exploits to offer limited hack support, specifically enabling PSP homebrew in its early days.
mast1c0re – PS4 userland homebrew next?
In the current state of his explanations, CTurt describes the hack as allowing arbitrary code execution within the PS2 emulator. In other words, it is possible to run PS2 games and PS2 homebrew on a PS4 (or PS5) through this hack. This is very similar to what VHBL allowed back in the PS Vita days (PSP homebrew within the PSP emulator of the PS Vita).
But he promises there is more to come in a “part 2” of his write-up, namely a (userland) PS4 homebrew environment. That would require additional exploits to escape the PS2 environment and peel away one more layer, up to PS4 native level. How the hacker achieved this remains to be seen.
mast1c0re – What’s the status right now, and what do I do?
CTurt claims that the vulnerability is in essence “unpatchable”. Specifically, as long as exploitable PS2 games are available to download, leveraging this specific vulnerability should be doable. He states he disclosed the vulnerability to Sony more than a year ago, and that they have decided not to patch it.
Assuming this exploit leads to user-friendly releases (no doubt it will), it looks like a game of cat and mouse could start between PlayStation and hackers, just like in the VHBL days: a new exploitable PS2 game is found/announced, people rush to buy and download it before Sony removes it (temporarily?) from the PSN. Rinse and repeat.
The game CTurt has used for his ongoing work is OKAGE: Shadow King, an exploitable PS2 game. Now, before you rush to buy the game, the devil’s in the details and there are a few things to understand:
- This game has been announced as leading to an exploit, and is still available on the PSN at the time of writing. How long it will stay on the PSN before Sony pulls it is anyone’s guess. Could be today, could be next week, could be never. Once it’s pulled, this chance is gone, but it is likely that other exploitable games will be revealed in the future.
- Nothing’s technically been released yet. There’s a non-zero possibility that this could lead to nothing useful for the end user.
- Currently, what’s being announced is PS2 homebrew, and possibly PS4 homebrew.
- Nothing about a full PS4 jailbreak, which would require a privilege escalation exploit (kernel exploit). This means, in particular, no PS4 piracy.
- Although CTurt says the PS2 exploit is basically unpatchable, the next level (PS4 userland) might be patchable. There are actually rumors that a PS4 firmware 10.1 is coming soon, and that could be related to what CTurt will disclose next (mast1c0re part 2).
- Although CTurt mentions the PS5 as being vulnerable, it seems a lot of his work is focused on the PS4. PS5 compatibility might only be theoretical at this point, in particular for end users.
- Crafting the right PS2 savegame for your PS4 console requires a way to encrypt the savegame for your specific PSN ID. This means someone with an already hacked PS4, or more advanced means, needs to do it for you! Although it sounds very likely that the community will be able to provide services for that, this is not as straightforward as your typical hack. Specifically from CTurt: “With one of these exploits, a PS4 save file containing the crafted PS2 memory card can be encrypted and signed for any PSN-ID by anyone with a hacked PS4 on any firmware (or just a PC if they have the decapped SAMU keys), and then imported to the target PS4/PS5 using the USB save import feature in Settings.”
Based on the above, understand that the game is $10. To some, this might be a lot of money for something with no guarantee. Don’t jump the gun and buy a PS2 game expecting something it’s not.
mast1c0re – More details
For more details on the vulnerability, check CTurt’s writeup, as well as the video below.
Stay tuned here on wololo.net as there will be fast developments on this one for sure!