PS4/PS5 Mast1c0re hack: McCaulay publishes Part 2 – Arbitrary PS2 code execution

Following his first blog post two days ago, security researcher McCaulay Hudson has now shared the second article of an expected four, in which he describes how he achieves unsigned PS2 code execution, after having demonstrated how to modify the PS2 save file in part 1.
What is Mast1c0re for PS5 and PS4?
Mast1c0re is an unpatched exploit for PS4 and PS5 which leverages a vulnerability in the PS2 emulation layer of Sony’s newer consoles. The vulnerability was disclosed, and described in great detail, by PlayStation hacker CTurt in September last year, but no full “user friendly” implementation has been released yet.
Back then, CTurt stated that Sony had no plan to fix the vulnerability, which seems to be confirmed by recent videos showing that the vulnerability is still present in the latest PS5 6.50 firmware (and, it is safe to assume, in PS4 10.01 as well) as of January 2023.
The recently released beta firmwares PS5 7.00 and PS4 10.50 still need to be confirmed, but there’s good reason to believe they are vulnerable as well.
Mast1c0re Exploit – what’s new, and what’s next
Hudson keeps digging into CTurt’s exploit, and guides us through all the steps required to ultimately be able to load PS2 ISOs from within the exploit, on a PS4 or a PS5.
In today’s post we learn that the exploited game, Okage: Shadow King, performs an integrity check on the savedata (with a CRC), which means that if you modify e.g. the player’s name to trigger a buffer overflow, the integrity check fails and the savegame won’t be loaded. Hudson (and, presumably, CTurt before him) therefore had to reverse engineer the game’s CRC check to figure out how to modify the savedata and still pass the game’s integrity check. This is what he explains in the first third of his post today.
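As an added illustration (not code from Hudson’s write-up; the game’s real save layout and checksum variant are not described here, so a toy 16-byte name field plus standard CRC-32 stands in for them), this shows why a CRC is not a defence against deliberate save edits: any modification can be made consistent again by recomputing the checksum, whereas a keyed MAC cannot be recomputed without the key.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy layout (assumption, not Okage's real format):
# 16-byte player name followed by a 4-byte little-endian CRC-32 of the name.
NAME_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for the HMAC variant


def _name_field(name: bytes) -> bytes:
    """Pad or truncate a player name to the fixed field width."""
    return name.ljust(NAME_LEN, b"\x00")[:NAME_LEN]


def build_save_crc(name: bytes) -> bytes:
    body = _name_field(name)
    return body + struct.pack("<I", zlib.crc32(body))


def crc_check_passes(save: bytes) -> bool:
    body, stored = save[:-4], struct.unpack("<I", save[-4:])[0]
    return zlib.crc32(body) == stored


def overwrite_name(save: bytes, new_name: bytes, tag_len: int) -> bytes:
    """Replace the name field but keep the stored checksum/tag as-is."""
    return _name_field(new_name) + save[-tag_len:]


def recompute_crc(save: bytes) -> bytes:
    """Anyone holding the file can do this: CRC needs no secret."""
    body = save[:-4]
    return body + struct.pack("<I", zlib.crc32(body))


def build_save_mac(name: bytes, key: bytes) -> bytes:
    body = _name_field(name)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def mac_check_passes(save: bytes, key: bytes) -> bool:
    body, tag = save[:-TAG_LEN], save[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    edited = overwrite_name(build_save_crc(b"ARI"), b"A" * NAME_LEN, 4)
    print("edited CRC save accepted:", crc_check_passes(edited))            # False
    print("after recompute accepted:", crc_check_passes(recompute_crc(edited)))  # True
```

The MAC variant is what a save format needs if the goal is to resist tampering rather than just detect corruption; the CRC only catches accidental damage.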
The rest of the article is extremely reminiscent of my personal experience of PSP buffer overflows: back in that era, there was little to no protection of the execution pointer, and a simple buffer overflow typically meant usermode access granted. This is what the hacker demonstrates in the second part of his post. The shellcode to execute is also embedded in the savefile, which has already been loaded into memory, so it is “reasonably” easy to send the execution pointer there. I appreciate that Hudson goes into great detail for each step, even for a “simple” buffer overflow, something that most experienced hackers don’t typically do because that kind of thing might appear trivial to them.
So far he has demonstrated how to run arbitrary PS2 code within the PS2 emulation layer on the PS4/PS5. The upcoming blog post promises to be more interesting, as it will give us a PS4/PS5 usermode exploit.
Source: McCaulay Hudson (thanks to @mikeyknight84 for the tip!)
I guess I’m one step closer as I bought Okage years ago. Here’s hoping this leads to something.
Is Okage the only PS2 game that can launch this exploit?
There might be others but it’s the only one that’s confirmed so far. We have a potential list here: https://wololo.net/2022/09/16/list-of-ps2-emulated-games-that-got-a-physical-release-on-ps4-discs/
So what you are saying is that he could potentially create an exit from within the PS2 emulator back to the PS4/PS5 layer and create a jailbreak?
What we’re talking about here is the step before that, usermode exploit on PS4, yes. A jailbreak would additionally require a PS4 Kernel exploit.
1st!
Hi. How can I hack my PS4? Help me.
Wololo, contact McCaulay; it seems I cannot access the McCaulay/okrager link from his blog post, it returns a 404 error on GitHub. Thanks.
I love well documented code. Most PS4 scene code is hard to understand because of missing comments. Seeing thoroughly documented code is refreshing and will help to learn. Thank you!