“Beyond Oberon”: Hacker Shuffle2 releases PS5 EMC/EAP exploit tool “ps5-uart” + security presentation slides

Following his presentation at SAS2024 yesterday, PlayStation hacker Shuffle2 has released the slides for his presentation, as well as ps5-uart, a series of tools that exploit the EMC/EAP chips on the PS5.
Although ps5-uart will not be useful “as is” for end users trying to tinker with their PS5, hackers on the scene will no doubt look into this tool, the exploits behind it, and the possibilities for interacting with the rest of the PS5 system through the freshly exploited chips.
Salina / Titania PS5 exploits
The presentation goes into some detail (limited, due to the format) on how the components were exploited.
In the case of Salina, a chip in charge of power and clocks on the board, a buffer overflow was found via its UART communication protocol.

Titania is the component in charge of communicating with all media devices on the board (SSD, etc…). It also handles rest-mode downloads via its EAP chip, among other things. In this case, the hacker found a stack buffer overflow which led to exploiting the system.

Downloads
You can find the slides for Shuffle2’s presentation here.
The accompanying tool, ps5-uart, implements those exploits and lets you interact with the chips via UART. ps5-uart can be downloaded from the project’s GitHub at https://github.com/symbrkrs/ps5-uart
From the Readme:
From tool.py interactive shell, emc.screset() will perform reset of syscon (EMC) and bring the rest of the board into consistent state. emc.unlock() runs the EMC exploit, which unlocks access to the full set of EMC commands (UCMD protocol).
emc.unlock_efc() will exploit EFC and load bin_blobs/uart_shell.cpp onto it. uart_client.py is used for interacting with uart_shell.cpp.
emc.load_eap() will exploit EAP and load bin_blobs/uart_shell.cpp onto it. uart_client.py is used for interacting with uart_shell.cpp.
