PS5: SpecterDev presents Hypervisor “Byepervisor” exploit

presentation pictures by @antriksh_s and @kxynos
PlayStation hacker SpecterDev presented his “Byepervisor” PS5 exploit today at the hardwear.io infosec conference. Although his slides and tools haven’t been made public yet, we’re already seeing a few early reports of the presentation. SpecterDev’s hypervisor exploit works on PS5 firmwares up to 2.50, but it has recently been revealed that other hackers have hypervisor vulnerabilities for higher firmwares.
PS5 Hypervisor and the Byepervisor exploit
The PS5 Hypervisor is a piece of middleware designed to protect the console’s Firmware, notably its kernel, from malicious attacks. In particular, the Hypervisor enforces eXecute Only Memory (XOM) rules on the kernel, to prevent attackers from reading or writing critical parts of the system.

Today SpecterDev presented a long-awaited explanation of how he managed to hack an early version of the PS5’s hypervisor. The PS5 Hypervisor has received several updates since the PS5 initially launched, but early versions were integrated directly with the kernel, which allowed hackers to look at it, and eventually hack it. Newer revisions are more secure, and SpecterDev’s exploit in particular cannot be leveraged on versions of the Hypervisor that have been moved outside of the PS5 Firmware Kernel.
According to early screenshots and reports of the presentation (thanks in particular to Antriksh Shah of Hardwear.io), it appears SpecterDev leveraged two bugs in the kernel/hypervisor to bypass it, including unprotected jump tables.

Hacking the Hypervisor would allow the hacking community to deactivate XOM, and ultimately give us read/write access to the PS5 Kernel. (Currently, arbitrary read/write isn’t possible on the PS5 kernel even on a Jailbroken PS5; we bypass these limitations thanks to Sleirsgoevy‘s “kstuff“, a runtime debugger that modifies registers in real time.)
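To make the XOM point above concrete (the hypervisor granting execute but not read/write on kernel code pages, and “deactivating XOM” meaning those permissions get widened), here is an added illustration, not code from the page, from SpecterDev or from Sony. It models a hypervisor-controlled second-level page table with generic R/W/X bits; the table contents, bit layout, addresses and function names are all constructed assumptions, not the PS5’s real layout. The audit helper is the defender-side check: it reports how many code pages are no longer execute-only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic model of hypervisor-controlled (second-level) page permissions.
 * Assumption: the real PS5 page-table format is not on the page; these bit
 * positions are a constructed illustration, not Sony's layout. */
enum { PERM_R = 1u << 0, PERM_W = 1u << 1, PERM_X = 1u << 2 };

enum access_kind { ACCESS_READ, ACCESS_WRITE, ACCESS_FETCH };

struct page_entry {
    uint64_t guest_pa;   /* page-aligned guest-physical address (constructed) */
    unsigned perms;      /* PERM_* bits the hypervisor grants the guest kernel */
};

#define PAGE_SIZE 4096u
#define NPAGES 4u

/* Constructed sample table: two kernel code pages mapped execute-only (XOM),
 * one kernel data page mapped RW, and one page with no permissions at all. */
static struct page_entry table[NPAGES] = {
    { 0x1000, PERM_X },
    { 0x2000, PERM_X },
    { 0x3000, PERM_R | PERM_W },
    { 0x4000, 0 },
};

static struct page_entry *lookup(uint64_t gpa) {
    for (size_t i = 0; i < NPAGES; i++)
        if ((gpa & ~(uint64_t)(PAGE_SIZE - 1)) == table[i].guest_pa)
            return &table[i];
    return NULL;
}

/* The hypervisor's check: true if the access is allowed, false if it would
 * trap to the hypervisor because the required permission bit is absent. */
bool hv_check_access(uint64_t gpa, enum access_kind kind) {
    struct page_entry *e = lookup(gpa);
    if (!e) return false;            /* unmapped: always a fault */
    switch (kind) {
    case ACCESS_READ:  return (e->perms & PERM_R) != 0;
    case ACCESS_WRITE: return (e->perms & PERM_W) != 0;
    case ACCESS_FETCH: return (e->perms & PERM_X) != 0;
    }
    return false;
}

/* Audit helper: count executable pages that are NOT execute-only, i.e. code
 * pages where XOM has been weakened by adding R or W. 0 means XOM is intact. */
size_t hv_count_readable_code_pages(void) {
    size_t n = 0;
    for (size_t i = 0; i < NPAGES; i++)
        if ((table[i].perms & PERM_X) && (table[i].perms & (PERM_R | PERM_W)))
            n++;
    return n;
}

/* Model of the effect the article calls "deactivating XOM": every code page
 * becomes readable, so the kernel's code can be dumped by the guest. */
void hv_disable_xom(void) {
    for (size_t i = 0; i < NPAGES; i++)
        if (table[i].perms & PERM_X)
            table[i].perms |= PERM_R;
}

int main(void) {
    printf("fetch from 0x1000: %s\n", hv_check_access(0x1000, ACCESS_FETCH) ? "allowed" : "fault");
    printf("read  from 0x1000: %s\n", hv_check_access(0x1000, ACCESS_READ)  ? "allowed" : "fault");
    printf("readable code pages before: %zu\n", hv_count_readable_code_pages());
    hv_disable_xom();
    printf("read  from 0x1000: %s\n", hv_check_access(0x1000, ACCESS_READ)  ? "allowed" : "fault");
    printf("readable code pages after:  %zu\n", hv_count_readable_code_pages());
    return 0;
}
```

The point the model makes is that XOM is a permission configuration, not encryption: the kernel’s code is physically present in memory and runs normally, but a read or write from the guest traps unless the hypervisor’s table grants that bit. That is also why a tool that can change those bits (what “deactivating XOM” means in the article) immediately turns into a kernel dump.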
Byepervisor – What’s next
For now, most of us haven’t seen the full presentation and have to rely on pictures and comments shared by the folks at Hardwear.io. But SpecterDev has stated the scripts will be released. The github url https://github.com/PS5Dev/Byepervisor is expected to have the files eventually but, at the time of writing, is still a 404.

Byepervisor in itself, despite being a huge breakthrough for PS5 hacking, will not be directly helpful to end users: technically we already achieve what’s “required” via the existing Jailbreak and Sleirsgoevy’s kstuff, so it will take a while for Byepervisor to be integrated into existing tools, and lead to more stuff. But in the short term, I’m assuming we’ll see significant performance improvement in everything related to PS5 hacking (since running a debugger in real time isn’t the best way to hack your console, performance wise). Deactivating XOM on the PS5 will also let us finally see what the PS5 Kernel contains, so I assume we’ll see decrypted dumps of the Firmware, and decompilation efforts start soon (which, ultimately, will most likely lead to improvements to PS5 HEN, plugins, and the like).

ETA? All this hype and then nothing released???
Give the guy some time. He’s abroad, probably massively jetlagged, and the presentation was only a few hours ago
It’s on one of the screenshots. Devs will only pick up on the code on Specterdev’s repo now.
Patience.
“eta” people *** the Devs off, so could everybody just stop asking this.
Glad to see the leecher mentality hasn’t changed since the PSP days.
Wow…relax dude
fingers crossed it leads to a ps5 cfw like my good ol rebug ps3
Repo url is not working
What about 2.70? His tweet said <3.00 but now everyone saying <=2.50. Which is it? Why won’t he clarify?