PlayStation hacker SpecterDev will be doing a presentation on PS5 security on June 3rd (next week), at the Hardwear.io USA conference in California. The upcoming talk, announced just a few hours ago via a not-so-cryptic screenshot, has the scene wondering if a PS5 Hypervisor exploit will be announced.

Important update: SpecterDev has confirmed he will not be releasing a new exploit or bug during this talk:

Just to clarify I won’t be dropping new exploits/bugs it’s mostly a reversing-focused talk and talks about exploitation techniques/mitigations on a whole 😛

SpecterDev to discuss PS5 Security Landscape at Hardwear.io

Hardwear.io posted a “riddle” in the form of a screenshot on Twitter a few hours ago, asking their followers to “explain what’s happening here”. The screenshot shows reverse engineered code from what could possibly be the PS5 Hypervisor.

The hacking scene was quick to point out the mentions of vmexit (typical to Virtual Machines / hypervisors) and SCE_HV_VMM_CALL_ID, with in particular the letters SCE hinting that it’s PlayStation code (SCE stands for Sony Computer Entertainment and is a prefix widely found in PlayStation’s official and unofficial SDKs). Specter has implicitly confirmed this is reverse engineered code from the PS5 Hypervisor (see below).

On vmexit:

The guest code, which is inside a “jail” and thus cannot interfere with the rest of the system, keeps running on the hardware until it encounters a request it cannot handle. Then the processor gives the control back (referred to as “VM-Exit”) either to kernel space, or to the user space to handle the request. Once the request is handled, native execution of guest code on the processor resumes again. And the loop goes on. (source)

The conference organizers and SpecterDev have confirmed the talk will focus on PS5’s multiple layers of security, including its hypervisor.

The PlayStation 5 (PS5) represents a significant leap in technological advancements, particularly in terms of its security measures, which have undergone substantial improvements compared to its predecessor, the PS4. Due to the lack of public documentation around its security hardening techniques, there exists some misunderstanding of the system’s security infrastructure. This conference talk aims to shed light on the PS5’s system architecture, focusing on Sony’s efforts to impede reverse engineering and mitigate the impact of kernel memory corruption.

This presentation will delve into the intricacies of the PS5’s security mechanisms, analyzing the evolving attack surface and ushering in of modern mitigations such as Supervisor Mode Access Prevention (SMAP), Supervisor Mode Execution Protection (SMEP), kernel Control Flow Integrity (kCFI), and eXecute Only Memory (XOM). Furthermore, we’ll investigate the internal workings of the PS5’s hypervisor, and analyze it’s role in safeguarding the system against high-privileged attackers. We’ll also talk about some how these mitigations can be worked around and highlight some avenues and ideas for future research.

Will SpecterDev drop a PS5 Hypervisor exploit?

Although a kernel exploit has been published for the PS5 last year, the Hypervisor is being seen as the biggest obstacle to a full Jailbreak on the console. Naturally, the PS5 scene, myself included, is extremely excited about this upcoming talk, and some are already talking about a potential PS5 Hypervisor exploit.

vmexit…. hmmmm….

— Jose Coixao (@notnotzecoxao) May 23, 2023

I’d love for this to be true, but I’m seeing a few reasons to not get my hopes too high: first of all, assuming SpecterDev has such an exploit, and talks about it (or even showcases it) during the presentation, I personally feel it is unlikely the hacker would drop the implementation details of such a critical exploit at an infosec presentation. Just my gut feeling, obviously. (Update: Specter has confirmed he will not be discussing a new exploit in this talk)

Moreover, the talk abstract is quite precise in their wording, when they say “We’ll also talk about some how these mitigations can be worked around and highlight some avenues and ideas for future research”. Although the “work around mitigations” part could mean a lot of juicy things will be revealed, this is a bit far from “we’ll demonstrate how we broke the console’s security” or something similar.

I do however believe we’ll learn a lot that the hacker hasn’t disclosed publicly so far. The screenshot of the reverse engineered Hypervisor is a clear indication of that. Although SpecterDev has already talked at length about his work on the PS5 Kernel (see here in particular), the upcoming talk will apparently focus on mitigation areas the hacker hasn’t written or talked about yet, such as kCFI and XOM.

SpecterDev hasn’t shared many additional details on the upcoming presentation so far, beyond his own cryptic answer to hardwear.io on Twitter. On Discord, he’s been discussing some additional details about the screenshot and his RE process with Binary Ninja, but nothing super specific yet.

In particular, when asked if he would explain how he obtained the hypervisor code in the first place, Specter Stated he wouldn’t reveal it, as the code was acquired and provided by “a friend”.

PS5 Security discussion – Where to know more?

If the name Hardwear.io rings a bell, that’s because it’s the same event at which TheFloW demonstrated his BD-JB exploit last year.

This year, the Hardwear.io conference will happen next week in California. Details for registration can be found here. For the vast majority of us who can’t attend the event in person, I believe SpecterDev’s talk will be available on their youtube Channel a few days after the event.