PS5: EMC Chip decrypted Firmware released, following infosec presentation by Shuffle2
Hacker Shuffle2 has presented a series of vulnerabilities and tools for the PS5 today at the Security Analyst Summit (SAS 2024). The hacker has stated he will be releasing some of the exploit tools he used in his research. Directly following the presentation, a decrypted dump of the PS5’s EMC Firmware (for multiple revisions of the Firmware) has been released on social media.
This release comes as everyone on the PlayStation hacking scene is also eagerly awaiting a talk by SpecterDev, where the hacker is expected to disclose and release an exploit for the PS5’s Hypervisor.
Shuffle2’s SAS2024 Presentation
From the official SAS site:
The talk will provide a high level overview of the system architecture of the Playstation 5 console, with focus on the efc/eap (“titania”) and emc (“salina”) chips. Exploits allowing code execution on salina and titania will be detailed, along with release of a tool which implements the exploits. The process of initial exploration/discovery will also be briefly covered.
From a security researcher point of view, the exploits are interesting as they cover a hard-to-spot bug in a firmware state machine, and abusing hardware misconfiguration to bypass memory protection measures. The exploits/tooling allow for further research into the system.
Now, as has been stated in the past for the PS4, it is important to remind everyone that the chips impacted here are not the console’s main APU, but rather “peripheral” units. This means that hacking these chips does not give us direct control over the console. It remains interesting, however, because in some cases these chips can be considered “trusted” peripherals.
Specifically, EMC is a “peripheral” processor on the PS5 that is mostly used for diagnostics, debug and peripheral control.
Here’s what the PlayStation dev wiki has to say about EMC and EAP (for the PS4, but it is assumed their role on the PS5 is equivalent):
EMC could stand for External Micro Controller. EMC was named MediaCon by some people when its name was still unknown.
The role of EMC is to load EMC Initial Program Loader, to be an interface for icc for the main APU kernel and Syscon and to offer a debug interface via UART that does not rely on Syscon or main APU. EMC runs its own FreeBSD kernel.
[…]
The role of EAP is to handle media (online Wireless/GbLAN, Bluray Drive and HDD/SSD) even when the PS4 is in standby mode. EAP runs its own FreeBSD kernel in standby mode, activated to handle tasks such as downloading game updates while the PS4 is in standby.
It handles several tasks to offload the APU:
- Network connections: Wireless and GbLAN, including background downloading and PlayGo
- File handling (Bluray Drive, Hard drive and USB 3.0), including background caching
- Main serial flash handling
At the time of writing, we’re still pending an official release of the tools from the hacker. A live stream of the talk wasn’t available, but it is possible that a recording will make its way to the SAS YouTube channel eventually.
Decrypted EMC Firmware dumped, available for download
Although Shuffle2 has yet to release his tools, following the hacker’s presentation scene veteran Zecoxao has published some decrypted EMC Firmware files. He has not made it explicit who provided the archive.
There’s no doubt that these files will be taken down eventually, but at the time of writing, they can be found at https://qiwi.gg/file/vYJm3865-EMCPLAINTEXTFW
Password for the archive is EMC_ERROR_CODES
(source)
Nothing similar to PS4 syscon, but let’s hope it will lead somewhere.
What can this be used for? Chips to mod the ps5 like on the switch?