Sleirsgoevy publishes additional progress on PS4 FPKG Support for PS5
Following his repo commit earlier this week, which indicated he has been working on FPKG support for PS5, Sleirsgoevy keeps pushing through and today published a commit that adds a hooking function for decryptMultipleSelfBlocks in sceSblServiceMailbox.
What’s SBL on the PS4/PS5?
SBL, or Secure Block, refers to the part of PlayStation consoles in charge of the Secure Kernel and Secure Module. Discussions about the Secure Block can be found for the PS Vita here, or in Flatz’s FPKG Writeup for the PS4. Long story short, as you might have guessed, SceSbl* functions generally refer to cryptography-related operations on the PS4.
In this case, it is safe to assume Sleirsgoevy has found a way to hijack a function in charge of decrypting SELF files. Although I won’t pretend I understand half of what’s going on in the code he pushed, my understanding is that FPKG and FSELF files won’t actually be encrypted, meaning the kernel functions in charge of decrypting them need to be either bypassed, or replaced with something that simply copies the content “as is”. This is, I assume, what the decryptMultipleSelfBlocks hijack does, after confirming via a header check that the file being loaded is indeed a “fake” SELF file.
As Flatz wrote back in the PS4 days:
Because fake versions of executable files (so called FSELFs) don’t use any encryption/signing, we could redirect SM calls that load their segments to our own functions in a kernel payload. It’s very trivial because all they really do is call memcpy() at some points in time. All we need is to find the kernel’s methods that I’ll describe below and hook them with our own code (and redirect them to original functions when needed).
The reference to the Mailbox libraries might also ring a bell, because SpecterDev mentioned in his presentation earlier this year that internal data messages could be a relevant attack vector on the PS5.
A list of SceSbl* PS5 functions can be found on the PS5 Dev Wiki here. In pure PlayStation devwiki tradition, it’s an undocumented copy/paste of function names, that I’m sure some people will find useful.
How far are we from PS4 FPKG support on PS5?
Judging from Sleirsgoevy’s recent pushes, we might not be very far from actual support of PS4 FPKG on PS5. PS5 games are, of course, another story. But as far as PS4 games are concerned, it depends on how hard it is to find the location of all those decryption methods within the kernel (as a reminder, the kernel is theoretically “eXecute Only”, so it is impressive that Sleirsgoevy is actually able to find the location of these functions), and on whether the PS5 contains additional security (related to loading PS4 SELF files) that the hackers haven’t defused (or seen) yet.
Download Latest PS5 BD-JB code from Sleirsgoevy
You can download the latest code from Sleirsgoevy’s bd-jb repository here. For most people, this will be useless in its current state. Sleirsgoevy has mentioned that you can also test it on his Webkit host here: https://sleirsgoevy.github.io/ps4jb2/ps5-403/ (Firmware 4.03 only)