Can the PS5 Hypervisor be hacked?

Since a Kernel hack was released for the PS5 a few months ago, its next layer of security has become one of the main targets of research for multiple hackers: The Hypervisor. Between rumors of a hack and the hard reality, we’re trying to make it clearer for you in this article.
What’s the PS5 Hypervisor?
Typically a hypervisor is used to run multiple instances of virtual machines on the same physical machine. It's a piece of software that acts as an intermediate layer between the actual machine and the code that runs on it (e.g. an OS). It allows multiple operating systems to run on the same machine while being completely separated from one another. If you've ever used VMware Workstation, that's an example of a typical hypervisor.

In the case of the PS5, it appears the Hypervisor is used as an additional layer of security, abstracting the hardware away from the games and the firmware running on it, for Virtualization Based Security purposes.
It protects the integrity of the Control Registers (CRs), which by extension includes Write Protection (WP) and other protections such as Supervisor Mode Access/Execution Prevention (SMAP/SMEP). It also protects the kernel page table entries through the use of nested paging via Second Level Address Translation (SLAT). By looking at the hypercalls documented on the psdevwiki, it seems Sony has also moved the I/O memory management unit (IOMMU) to the hypervisor from the kernel. —source
The benefit of such a layer of security is that it has a very narrow, specific goal and therefore a very limited amount of code, which in turn limits the number of potential bugs that could be found and exploited on the PS5. That's unlike older systems where the kernel was in charge of such security while also having to manage a bunch of other features, meaning it offered a quite large attack surface.
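To make the two protections described above concrete, here is an added example (not code from the article, from Sony, or from the psdevwiki) that models in plain C what a hypervisor's intercept logic does: a simulated MOV-to-CR handler that refuses guest writes which would clear CR0.WP or CR4.SMEP/SMAP, and a toy second-level (nested) page table in which the pages holding the guest kernel's page tables are mapped read-only, so a guest write to them fails with a "SLAT violation". The bit positions are the real x86 ones; the policy, the data structures and the sample mappings are hypothetical simplifications constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real x86 control-register bit positions (Intel SDM vol. 3). */
#define CR0_WP   (1ULL << 16)
#define CR4_SMEP (1ULL << 20)
#define CR4_SMAP (1ULL << 21)

enum cr_id { CR0 = 0, CR4 = 4 };

/* Hypothetical guest state: the CR values the guest kernel currently sees. */
struct guest_cr { uint64_t cr0; uint64_t cr4; };

/* Hypothetical policy: bits the hypervisor never lets the guest clear. */
static uint64_t protected_bits(enum cr_id cr) {
    switch (cr) {
    case CR0: return CR0_WP;
    case CR4: return CR4_SMEP | CR4_SMAP;
    default:  return 0;
    }
}

/* Simulated VM-exit handler for a guest MOV-to-CR. Returns true and applies
   the write if allowed; returns false (write dropped) if it would clear a
   protected bit. Real hypervisors also shadow/mask other bits; omitted here. */
bool handle_cr_write(struct guest_cr *g, enum cr_id cr, uint64_t newval) {
    uint64_t *slot = (cr == CR0) ? &g->cr0 : (cr == CR4) ? &g->cr4 : NULL;
    if (!slot) return false;
    uint64_t cleared = *slot & ~newval;        /* bits going from 1 to 0 */
    if (cleared & protected_bits(cr)) return false;
    *slot = newval;
    return true;
}

/* Toy second-level address translation entry (4 KiB pages): guest-physical
   page -> host-physical page, with permissions enforced by the hypervisor. */
struct slat_entry { uint64_t gpa_page; uint64_t hpa_page; bool r, w, x; };

/* Constructed sample table: one normal RWX page and one page that holds the
   guest kernel's page tables, which the hypervisor maps read-only. */
const struct slat_entry sample_slat[] = {
    { 0x1000, 0x9000, true, true,  true  },   /* ordinary guest memory */
    { 0x2000, 0xa000, true, false, false },   /* guest kernel page-table page */
};
const size_t sample_slat_n = sizeof(sample_slat) / sizeof(sample_slat[0]);

/* Translate a guest-physical address for access 'r', 'w' or 'x'.
   Returns 0 and fills *hpa on success, -1 on a SLAT (permission) violation,
   -2 if the page is not mapped at all. */
int slat_translate(const struct slat_entry *tbl, size_t n, uint64_t gpa,
                   char access, uint64_t *hpa) {
    uint64_t page = gpa & ~0xfffULL, off = gpa & 0xfffULL;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].gpa_page != page) continue;
        bool ok = (access == 'r' && tbl[i].r) ||
                  (access == 'w' && tbl[i].w) ||
                  (access == 'x' && tbl[i].x);
        if (!ok) return -1;
        *hpa = tbl[i].hpa_page | off;
        return 0;
    }
    return -2;
}

int main(void) {
    struct guest_cr g = { .cr0 = CR0_WP | 1, .cr4 = CR4_SMEP | CR4_SMAP };
    uint64_t hpa;

    /* A guest kernel write that tries to turn off write protection. */
    printf("clear CR0.WP  -> %s\n", handle_cr_write(&g, CR0, 1) ? "allowed" : "rejected");
    /* A benign write that keeps WP set is still accepted. */
    printf("set other bit -> %s\n",
           handle_cr_write(&g, CR0, CR0_WP | 1 | (1ULL << 31)) ? "allowed" : "rejected");

    /* A guest write to its own page-table page is stopped by the SLAT. */
    int rc = slat_translate(sample_slat, sample_slat_n, 0x2010, 'w', &hpa);
    printf("write to kernel page table -> %s\n", rc == -1 ? "SLAT violation" : "ok");
    rc = slat_translate(sample_slat, sample_slat_n, 0x1234, 'w', &hpa);
    printf("write to ordinary memory   -> %s (hpa 0x%llx)\n",
           rc == 0 ? "ok" : "denied", (unsigned long long)hpa);
    return 0;
}
```

The point of the model is that even code running at the guest's highest privilege level (the kernel) cannot lower these protections on its own: the CR write is intercepted before it takes effect, and the page-table page is writable only through whatever hypercall interface the hypervisor chooses to expose, which is why a kernel-level exploit alone is not enough to patch the PS5 kernel.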
Can the PS5 Hypervisor be hacked?
That’s the million dollar question!
Without an exploit in the Hypervisor, we’ve seen that there are limited things we can do on a hacked PS5 (although, to be honest, it’s very likely we’ve only scratched the surface of what’s possible with the current hacks). Patching the kernel is typically what is required to enable “Jailbreak” features on a console. And it won’t be possible to patch the PS5 kernel without control of the Hypervisor.
There’s no publicly known exploit for the hypervisor, although rumors state that some teams have such an exploit.
Zecoxao rekindled the discussion yesterday by stating that a Hypervisor exploit was disclosed to Sony some time ago, and possibly patched with firmware 4.00:
From what I've been told, the only hypervisor exploit that has been found on PS5 has already been disclosed (and patched) at around 4.00 firmware. Take this information with a grain of salt as I have no clue if it is correct or not (no way to check so far).
— Control_eXecute (@notzecoxao) November 29, 2022
As he says himself, this is to be taken with a grain of salt; there is no way to verify it at the moment. One thing is sure: the lower the firmware, the higher the chances.
Although there is nothing public at the moment, it is still likely that some teams have access to much more than we know publicly. Obviously, if you have access to such an exploit, it makes sense to keep it under wraps, in order to be able to hack the console further.
There's no question that computers and gaming devices have become harder to hack with each generation. A zero-day vulnerability on modern mobile phones can reach up to 2.5 million USD in bounties, let alone its value on the black market. Of course a device such as the PS5 is not at the same level of risk as your phone, but all systems' security evolves at pretty much the same pace.

Generally speaking, Hypervisor hacks do exist, but of course on a closed system such as the PS5 they might be extremely hard to find and weaponize.
Heck no, never.
Difficulty is, the PS5 hypervisor is a custom design specifically for use on Sony's PS5 fork of FreeBSD coupled with the PS5 hardware. So source code for the hypervisor would be useful. It's also partially supported by hardware too, not going to be easy, but never say never. It's all doable given time and the right people, so fingers crossed.
Good article, and I understood quite a few things after reading.