AMD Zen 2 Secure Processor Bootrom leaked, (f)TPM compromised & more AMD Vulnerabilities spark PS5 Scene’s interest
AMD’s Secure Processor (SP, a.k.a. PSP) bootroms for the Zen and Zen 2 architectures have recently been leaked, sparking interest in the PS5 security community. Additionally, a few weeks ago, security researchers demonstrated how to compromise AMD’s Trusted Platform Module (TPM). In parallel, AMD has disclosed new vulnerabilities impacting its CPUs. All of these might be of interest to the PS5 hacking scene.
What is AMD SP and why does the PS5 Scene care?
The Secure Processor sits at the root of the chain of trust for AMD systems.
Bugs in AMD Ryzen CPUs, their Secure Processor (SP), Trusted Platform Module (TPM), or System Management Unit (SMU) could lead to critical, difficult-to-patch vulnerabilities for the systems using these CPUs. This is interesting for the PS5 scene because the PS5 APU is a semi-custom processor by AMD, which is known to be based on the Zen 2 architecture. As such, vulnerabilities in AMD’s Ryzen series are likely to impact the PS5 as well.
A critical, exploitable bug in such a processor could help hardware hackers hijack the console at startup and potentially dump critical information from the PS5 for future hacking. As demonstrated by the Nintendo Switch hack, hardware hacks can be very powerful, and extremely hard for console manufacturers to patch.
Zen 2 Bootrom could be leveraged in PS5 hacks
In other words, the AMD Ryzen Zen 2 architecture is what powers the PS5, so any vulnerability or infosec data pertaining to AMD’s architecture is potentially relevant to PS5 hacking. In this case, the bootrom for the Zen 2 architecture is particularly interesting.
The bootrom in itself is not a vulnerability (although it was most likely acquired through some kind of vulnerability, a hardware glitch or otherwise), but reverse engineering it would be a major step toward understanding how AMD systems, including the PS5, boot. Importantly, once reverse-engineered, the startup code of the system can be analyzed for potential bugs and vulnerabilities.
While this bootrom alone isn’t sufficient to “hack” a console such as the PS5, it is one more building block for the hacking community to understand the gaming device better, and hopefully it can lead to more findings and hacks when combined with previously reported vulnerabilities.
Modded Warfare has a pretty good summary of this leak here:
SpecterDev has confirmed on the PS5 Research Discord server that this is indeed an interesting piece of the PS5 puzzle, even if it will most likely still be “very difficult to reverse”.
The hacker has recently shared some of his research on AMD’s Secure Processor, a very interesting read if you want to know more about the AMD platform: part 1 – part 2
(f)TPM Attack
In his writeup above, SpecterDev mentions that some critical encryption keys are “locked” and secure in the Cryptographic Co-Processor (CCP). The hacker was quick to correct that these keys might not be as secure as initially believed, thanks to a recent hardware attack on the Trusted Platform Module (TPM), published in May.
Security researchers Hans Niklas Jacob, Christian Werling, Robert Buhren, and Jean-Pierre Seifert have recently published a paper, and associated code (github source), demonstrating how they leveraged a hardware attack to compromise AMD’s Trusted Platform Module and, among other things, extracted keys from the CCP. According to the researchers, the attack can be run with about $200 worth of off-the-shelf hardware.
This particular attack, which reuses a hardware glitch that we covered back in 2021 (from the same infosec researchers Buhren and Seifert), could be essential for future PS5 hacks. The authors state that the attack impacts Zen 1, Zen 2 (which very likely includes the PS5, although the PS5 is out of scope for the paper), and to some extent Zen 3.
More AMD Vulnerabilities
In parallel, AMD has published a report of recently disclosed vulnerabilities for its client and server architectures. The client vulnerabilities are typically the “interesting” ones for the PS5 scene, as they include Ryzen (Zen 2) vulnerabilities, but it is worth noting that some of these bugs impact both server and client.
While none of the reported vulnerabilities in May’s bulletin are rated “high” or “critical”, it is always worth looking into some of them, as they could be leveraged in future architecture hacks when combined with more critical flaws of the platform and past vulnerabilities.
Conclusion
All in all, that’s a lot of new information for the PS5 hacking scene to digest. While many of these new details do feel like significant breakthroughs, only time will tell whether they easily apply to the PS5, and whether the PS5 hacking scene has the resources and skills to actually turn them into usable hacks for the PS5.
But, in light of these announcements, it could turn out that the best way to fully jailbreak the PS5 will be through hardware attacks.
It’s nice to see potential progress toward hacking the PS5.
Ps5 hack on homebrew, big pkg games emulators, app, ps1-ps4, dreamcast, movie films, photos, and more
It’s always a pleasure to read news on wololo.net. I’m visiting this site every 2 days or so. I am a non-native English speaker, but I want to say that your writing style is awesome. Thank you, please, continue!
Thanks!
What about spam comments like “solo” and “00991100” ? They are all over wololo. Will they be purged ?
Unless the comments are wildly offensive, generally I don’t delete them.
Excuse me? Where exactly am I spamming? Today was my first comment ever and this is my second.
This is a non-offensive spam comment. What about it?
I have the resources, who has the skills?
Your mom
Thanks I know she’s better than yours.
We all do 🙂
Great, let’s hope this works out for the sake of the whole scene. Good luck, guys!
Sounds like RGH, the hack hijacks the bootrom by pulsing code injection at the right timing. I’m excited to see homebrew hardware modding making a comeback to PlayStation.
that would be fabulous. RGH was awesome.
Not a single mention of xbox one yet again.
yeah, it is really unfortunate :(.
Why would anyone want to hack an Xbox?
Just buy a PC, has pretty much all the same games.
Series S is cheapest solution for homebrew with similar processing power (not graphical) as PS5.
Microsoft blocked all homebrew UWA (Universal Windows Application… I think it’s that) from their respective app store. Not the cheapest homebrew solution any longer.
ps5 hahahaha
Why are these hackers who are searching and hacking stuff not in jail? This just confirms to us that we are still savages who can’t leave home without locking the door. Intelligent, human, top of the food chain? We are pathetic, envious, selfish beings who are unworthy to live on this planet, or any other. It’s truly sad.
Obvious troll but thanks for playing.
Unless you are a Sony guy who designed the security, you have no right to be this angry. Hackers do get paid (a lot) for finding flaws in their security. And Sony doesn’t care if people hack their consoles at this point, because it prevents them from accessing online services and keeping the console updated. The only way to achieve these hacks is not updating your console, which is a very hard thing to persist with for the general consumer.
If anything comes from this, then it’s probably going to be a soldering hardware mod. Don’t know if I’m ready for that.