Mast1c0re: PS4/PS5 usermode exploit achieved! (McCaulay Hudson Writeup part 3, detailed implementation provided)

Security researcher McCaulay Hudson has published part 3 of his Mast1c0re writeup, following part 1 and part 2 a few days ago. This new blog post explains how, by escaping the PS2 emulator, hackers are now able to run native PS4 code on the PS4 or the PS5 (using ROP gadgets).
What is Mast1c0re for PS5 and PS4?
Mast1c0re is an unpatched exploit for PS4 and PS5, which leverages a vulnerability in the PS2 emulation layer of Sony’s newer consoles. The vulnerability was disclosed, and described in great detail, by PlayStation hacker CTurt in September last year, but no full “user friendly” implementation was released then.
Back then, CTurt stated Sony had no plan to fix the vulnerability, which seems to be confirmed by recent videos showing that the vulnerability is still present in the latest PS5 6.50 firmware (and, it is safe to assume, in PS4 10.01 as well) as of January 2023.
Recently released Beta firmwares PS5 7.00 and PS4 10.50 still need to be confirmed, but there’s good reason to believe they are vulnerable as well.
Mast1c0re Exploit: running native PS4 code on PS4 or PS5
In parts 1 and 2, we have seen how a buffer overflow vulnerability in the PS2 game Okage Shadow King (running in an embedded PS2 emulator on the PS4/PS5) allowed us to run native PS2 code within the constraints of that emulator.
In this recent blog post, McCaulay explains how he triggers a second buffer overflow (thanks to a bug in the PS2 emulator code), this time to write into PS4 memory.

By overwriting a code pointer of the PS2 emulator, the hacker is able to call any PS4 native function that is available to the PS2 emulator (so, in theory, any function exported by the libraries the emulator imports: rendering, input, audio, etc., anything required for a regular PS4 game is probably reachable).
PS4 memory is protected by ASLR, however, so it isn’t possible to simply “guess” where to point code execution, as the routines sit at semi-random locations in memory. McCaulay Hudson describes in his writeup how he overcomes this obstacle by using the relative address of a known piece of code within the eboot: once that one pointer is known, all other entries can be derived from their positions relative to it (multiple tricks are required here to get the relative position of each library and to reach each one of them).
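As an added illustration (not code from McCaulay’s writeup or from the emulator itself), the following C program models the two steps just described in constructed form: a record whose fixed-size buffer sits directly in front of a code pointer, copied once without and once with a bounds check, and the address arithmetic by which a single leaked pointer plus known relative offsets recovers every other routine in the module despite ASLR. The struct layout, the symbol names, the offsets and the addresses are all assumptions invented for the example; the unchecked copy is only ever called with an in-bounds length.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an emulator save-state record. A fixed-size data
 * buffer sits directly before a code pointer that the emulator calls later.
 * The layout is an assumption for illustration, not the real PS2 emulator's. */
typedef struct {
    char data[32];
    void (*on_loaded)(void);   /* code pointer an overrun of data[] would clobber */
} emu_record_t;

static void default_handler(void) { /* benign handler installed at init */ }

/* Vulnerable pattern: trusts a length taken from the input and copies it into
 * the fixed buffer. Any len > 32 writes through into on_loaded, which is the
 * kind of code-pointer overwrite the writeup describes. Only called in bounds here. */
static void load_record_unchecked(emu_record_t *rec, const uint8_t *src, size_t len) {
    memcpy(rec->data, src, len);
}

/* Hardened pattern: refuse lengths that do not fit, so on_loaded is unreachable. */
static int load_record_checked(emu_record_t *rec, const uint8_t *src, size_t len) {
    if (len > sizeof rec->data) return -1;
    memcpy(rec->data, src, len);
    return 0;
}

/* Returns 1 if the record's code pointer still points at the initial handler. */
static int code_pointer_intact(const emu_record_t *rec) {
    return rec->on_loaded == default_handler;
}

/* Scenario: a 64-byte record arrives for a 32-byte buffer. Returns 1 if the
 * checked loader rejected it and the code pointer survived untouched. */
static int demo_checked_loader_blocks_overrun(void) {
    emu_record_t rec;
    uint8_t oversized[64];
    memset(oversized, 0x41, sizeof oversized);   /* constructed payload */
    memset(&rec, 0, sizeof rec);
    rec.on_loaded = default_handler;
    int rc = load_record_checked(&rec, oversized, sizeof oversized);
    return rc == -1 && code_pointer_intact(&rec);
}

/* Constructed symbol table: offsets of routines relative to the eboot's load
 * base. Names, offsets and the module size are made up for the example. */
typedef struct { const char *name; uint64_t offset; } symbol_t;
static const symbol_t EBOOT_SYMBOLS[] = {
    { "known_routine", 0x1230 },
    { "target_a",      0x4a00 },
    { "target_b",      0x9f10 },
};
#define EBOOT_SIZE 0x20000ULL

/* ASLR shifts the whole module by a page-aligned amount but keeps internal
 * offsets fixed, so one leaked absolute address of a routine with a known
 * offset gives away the load base. Returns 0 if the leak is inconsistent. */
static uint64_t recover_base(uint64_t leaked, uint64_t known_offset) {
    if (leaked < known_offset) return 0;
    uint64_t base = leaked - known_offset;
    if (base & 0xfff) return 0;   /* base must be page aligned */
    return base;
}

/* Resolve any other routine from the recovered base, refusing offsets that
 * fall outside the module. Returns 0 for unknown names. */
static uint64_t resolve_symbol(uint64_t base, const char *name) {
    for (size_t i = 0; i < sizeof EBOOT_SYMBOLS / sizeof EBOOT_SYMBOLS[0]; i++) {
        if (strcmp(EBOOT_SYMBOLS[i].name, name) == 0 && EBOOT_SYMBOLS[i].offset < EBOOT_SIZE)
            return base + EBOOT_SYMBOLS[i].offset;
    }
    return 0;
}

int main(void) {
    emu_record_t rec;
    uint8_t small[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    memset(&rec, 0, sizeof rec);
    rec.on_loaded = default_handler;
    load_record_unchecked(&rec, small, sizeof small);    /* in bounds, so harmless */
    printf("checked loader blocks overrun: %d\n", demo_checked_loader_blocks_overrun());

    uint64_t base = recover_base(0x800001230ULL, 0x1230); /* constructed leak */
    printf("recovered base 0x%" PRIx64 ", target_a at 0x%" PRIx64 "\n",
           base, resolve_symbol(base, "target_a"));
    return 0;
}
```

The two halves make the defensive lesson concrete: the length check in load_record_checked is what keeps the code pointer out of reach, and recover_base shows why leaking even one code address inside a randomised module is enough to undo ASLR for the whole module, which is why pointer leaks are treated as seriously as the overflow itself.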
When all is said and done, the hacker has access to native usermode code on the PS4.
You can read all the details on McCaulay’s writeup here.
Mast1c0re – what’s next?
At this point, hackers have achieved a usermode PS4 exploit on the latest PS4 and PS5 firmwares with the mast1c0re exploit. This is the equivalent of a webkit exploit that we’re quite familiar with, and would need to be combined with a kernel exploit in order to lead to a Jailbreak on PS4. (And for the PS5, this would lead to something similar to what we already have with the kernel exploit, which is not much, but still a lot.)
To my knowledge, this is the very first usermode exploit on PS4 9.50 and above (9.03/9.04 technically have the BD-JB exploit), and for PS5, on 5.00 and above, so it’s a pretty big deal of course. But without a kernel exploit to go with it, there’s a risk that end-user applications will remain limited (until someone decides to create a usermode Homebrew Loader on PS4, a la VHBL).
You can run the exploit and dig into it yourself. We have a tutorial here for the basics (PS2 execution), and at this point you’ll probably have to implement what’s described in this part 3 yourself for PS4 native code.
Source: McCaulay (thanks to everyone who pinged me on this!)
first lol
lol omg that’s so amazing how did you do it
Not gonna share too much, but most of us in the scene have a full exploit. Just wait a little, it’ll come out within a week or 2 i promise 🙂
PS: not answering any further questions. People will release their work when ready. Don’t ask for further details please….it gets pretty annoying with 200+ people a day in your dm. Patience is a virtue!
Love y’all!
who are you again lol? i doubt you know any information that those developers are working on
Search for:
ps4-3-11-out-of-bound-read-freetype-64bit-exploit-via-dragood2
Probably not the smartest idea to make fun of someone who is more than likely much smarter than you, and trying to give you a hint.
Lol. For ps4? Ps5? A week or two for see *** in your words.
it’ll come out i within a week –> First week: gone
or 2 –> LOL
5 march is near… the promise? The full exploit? Where is? LOL
Pretty cool and Okage is actually free right now for PS+ subscription. Not sure what tier you need for that I just got a full subscription for Christmas but should be fun nonetheless.
Requires Premium
So no more plug/unplug USB on PS4 fw 9.0 to jailbreak?
what do you guys think? is it just a matter of time until we have a full jb (pirated games) for PS5?
Should we upgrade to the latest FW/ and Buy Okage?
npm install wololo/mast1c0re-AIO-webkit
npm run dev
for internet hosts use npm run host 😀
webkit reimplementation of webkit-current with a masticore compute module ….
what does it mean to normal users?
Do PS4 Linux payloads run even in usermode? I haven’t looked at their implementation, but it’s pretty much all I’m interested in.
No
yes you are right.. he for sure knows me.