In PS5 Scene news today, following @CTurt's Mast1c0re Exploit Chain for PS4 / PS5 via PS2 Emulator and How to Play NES Games with PS3Filer via PS5 BD-J Emulation, Security Consultant _mccaulay (McCaulay's BuyMeACoffee Page) has posted demo videos on Twitter showcasing a public reimplementation of the mast1c0re vulnerability PoC, with arbitrary PS2 code execution and native PS5 ROP chain execution on the latest PlayStation 5 firmware, alongside footage of it being tested on PS4 firmware 5.05.
In response to his previous Mast1c0re Blog Post last fall, Security Engineer CTurtE replied on Twitter stating, "Very cool to see public reimplementations of the first part of my mast1c0re exploit chain, especially when tested on the latest PS5 firmware."
Published part 2 of the AMD PSP reversing stuff. This one focuses on the Crypto Co-Processor (CCP) and looking at the system for loading firmware and decrypting it.
Scratch that "locked/unreadable key slots" idea
Leak News AMD PSP Bootroms and VMProtect Source
SpecterDev thoughts on the leaked AMD Secure Processor bootroms (for people who don't know what this is about: AMD Zen 2 bootrom has been leaked, the PS5 CPU is also based on Zen 2, reverse engineering the secure processor may lead to a full PS5 jailbreak)
okrager - A Python command line tool to generate an Okage: Shadow King game save leading to arbitrary PS2 code execution.
2/6: Play the game to create a save game file. (See mast1c0re: Part 1 - Modifying PS2 game save files)
3/6: Open Apollo (apollo-ps4) -> HDD Saves -> OKAGE: Shadow King - SCUS-97129 -> Export decrypted save files -> VCM0.card.
4/6: Open FTP and overwrite /data/apollo/<user-id>/CUSA02282_SCUS-97129 with the modified VCM0.card (samples/ps2-hello-world/bin/PS4/VCM0.card).
5/6: In Apollo -> HDD Saves -> OKAGE: Shadow King - SCUS-97129 -> Import decrypted save files -> VCM0.card
6/6: Load OKAGE: Shadow King, PRESS START BUTTON -> RESTORE GAME -> "Hello PS4!" should show.
For testing it on PS5, copy the PS5 VCM0.card to PS4 through FTP, import file with Apollo, copy save to USB. Plug USB into PS5, copy save to PS5. Load Okage on PS5.
You can do offline account activation within Apollo with the user id of your PS5 PSN account - Offline Account activation
Not exactly following what you mean. You can sign a save with a PSN account using Apollo offline activator to use on latest PS4 firmware or PS5 as long as the account id matches. More info on offline account activator on Apollo git
There is a simple Hello sample VCM0.card file in the repository already, one for PS4 and one for PS5. Check the samples bin directory.
For me, the Okage Shadow King region was the same on both my 5.05 PS4 and PS5 though which is why my way may not have worked for you.
1/ I plan to release the mast1c0re code shortly. Note that it is not end-user friendly and is targeted for developers. The sample PS2 game loading code does not currently support custom config-emu-ps4.txt or Lua files, therefore functional PS2 games are minimal.
2/ Additionally, the PS2 games are loaded over the network and are not persistent on console storage. So this is not end-user friendly currently. Further research can be done to load games via USB which may be possible.
3/ No kernel exploit is currently included in the mast1c0re repository for any firmware versions, but can be implemented in the future for known kernel exploits on old firmware versions. This would allow homebrew (for PS4).
1/ I would recommend trying Klonoa 2 first as that is a relatively small game (~1GB uncompressed). And depending on people's network speed may take a long time to transfer over the network. Also the PS2 game loader is only supported on PS4 5.05 and PS5 6.50.
2/ If people send me the libkernel.sprx library file for the firmware they want me to add support for, then I can add that to the code base.
Nope success rate for me is about 80%, so a crash around 1 in 5 tries.
Btw you have to use the Python script with the PS2 game loader, which requires ISO filepath on PC, and PS4/5 IP address. Use --help for the argument names. I'd recommend trying Klonoa 2 first.
2/ You can find the compiled ELF samples and card files under releases. PS4 firmware v10.01 is currently not supported. Still working on that as I'm having issues executing system calls.
3/ The executable "mast1c0re-file-loader.exe" is a GUI which lets you select an ELF file and send it to your PS4/PS5. It also works for sending ISO images to the PS2 game loader sample project.
4/ Alternatively, you can use the Python command line script "scripts/mast1c0re-send-file.py" passing a "--ip" and "--file" argument. You may need to install requirements.txt (or just pip install progress)
PS4 / PS5 Mast1c0re Payloader
Mast1c0re PS2 USB / Network ELF Loader & Game Loader PS4 / PS5 Updates
- PyPSU v0.1.0 (11.2 KB - pypsu-0.1.0-py2.py3-none-any.whl) - A Python library and command line tool to parse, create, modify and delete files within the PS2 PSU file format.
- AMD-SP-Loader-main.zip / AMD-SP-Loader GIT - Binary Ninja (Binja) loader for AMD Secure Processor (SP) / Platform Security Processor (PSP) firmware binaries. It will try to load AGESA Bootloader (ABL) and Bootloader blobs and will setup the correct load addresses.
- 2304.14717.pdf
- ftpm_attack (Code and data artifacts for our paper: "faulTPM: Exposing AMD fTPMs’ Deepest Secrets") via PSPReverse
- bootroms (AMD Zen 2 SP (Secure Processor) Bootroms aka AMD PSP Bootroms) via anonpsp
- VMProtect Source (Partial) via Alukym
- Okrager - The "okrager" console application allows you to generate an exploitable Okage: Shadow King game save. Okrager v0.1.0 (Latest Version):
- CUSA02199-CUSA02282-PS4-HELLO.TEST.zip (36.51 MB - includes SCUS-97129.bin)
- CUSA02199-CUSA02282-PS5-HELLO.TEST.zip (36.51 MB - includes SCUS-97129.bin)
- SAVEDATA.zip (16.5 MB - includes PS4 / PS5 VMC0.card)
- libkernel.sprx (438 KB - 9.00)
- mast1c0re-master.zip / ps-load-game-net / send-game.py / mast1c0re GIT - Develop payloads that can be executed on the PlayStation 4 or PlayStation 5 through a game save file.
- libkernel.sprx (422.51 KB - 10.01)
- CUSA02199-CUSA02282-900-PS4-LOAD-GAME.zip (36.51 MB - EU / US ps-load-game-net save file for Okage on PS4 9.00)
- CUSA02199-CUSA02282-650-PS5-LOAD-GAME.zip (36.51 MB - EU / US ps-load-game-net save file for Okage on PS5 6.50)
- Mast1c0re PS2 ELF Loader Game Save - Okage: Shadow King game save which loads PS2 ELF files (previously PS2 ELF Loader for PS4 / uLaunchELF PKG released for PS2 on PS4) built with mast1c0re. mast1c0re - PS2 ELF Loader v0.1.0 (Initial Release for PS4 5.05, 6.72, 9.00 and PS5 6.50):
- mast1c0re-file-loader.exe
- ps-dialog-PS4-0-00.elf
- ps-dialog-PS5-0-00.elf
- ps-lightbar-PS4-0-00.elf
- ps-lightbar-PS5-0-00.elf
- ps-load-game-net-PS4-5-05.elf
- ps-load-game-net-PS4-6-72.elf
- ps-load-game-net-PS4-9-00.elf
- ps-load-game-net-PS5-6-50.elf
- ps-notification-PS4-5-05.elf
- ps-notification-PS4-6-72.elf
- ps-notification-PS4-9-00.elf
- ps-notification-PS5-6-50.elf
- VMC0-PS4-5-05.card
- VMC0-PS4-6-72.card
- VMC0-PS4-9-00.card
- VMC0-PS5-6-50.card
- Source code (zip)
- CUSA02199-CUSA02282-900-PS4-LOAD-GAME.zip (36.51 MB - PS2 ELF Loader Game Save Update for PS4 9.00)
- CUSA02199-CUSA02282-650-PS5-LOAD-GAME.zip (36.51 MB - PS2 ELF Loader Game Save Update for PS5 6.50)
- mast1c0re - PS2 ELF Loader v0.1.1 (For PS4 5.05, 6.72, 9.00, 10.01 and PS5 6.50)
- mast1c0re-file-loader.exe
- mast1c0re-file-loader.py
- mast1c0re-send-file.py
- ps-dialog-PS4-0-00.elf
- ps-dialog-PS4-10-01.elf
- ps-dialog-PS5-0-00.elf
- ps-lightbar-PS4-0-00.elf
- ps-lightbar-PS5-0-00.elf
- ps-load-game-net-PS4-10-01.elf
- ps-load-game-net-PS4-5-05.elf
- ps-load-game-net-PS4-6-72.elf
- ps-load-game-net-PS4-9-00.elf
- ps-load-game-net-PS5-6-50.elf
- ps-notification-PS4-10-01.elf
- ps-notification-PS4-5-05.elf
- ps-notification-PS4-6-72.elf
- ps-notification-PS4-9-00.elf
- ps-notification-PS5-6-50.elf
- VMC0-PS4-10-01.card
- VMC0-PS4-5-05.card
- VMC0-PS4-6-72.card
- VMC0-PS4-9-00.card
- VMC0-PS5-6-50.card
- Source code (zip)
- CUSA02199-CUSA02282-900-PS4-LOAD-GAME.zip (36.53 MB - PS-Load-Game-Net Save File for Okage for PS4 9.00)
- CUSA02199-CUSA02282-1001-PS4-LOAD-GAME.zip (36.53 MB - PS-Load-Game-Net Save File for Okage for PS4 10.01)
- CUSA02199-CUSA02282-650-PS5-LOAD-GAME.zip (36.53 MB - PS-Load-Game-Net Save File for Okage for PS5 6.50)
- mast1c0re - PS2 ELF Loader v0.1.2 (Reliability improvements)
- mast1c0re-file-loader.exe
- mast1c0re-file-loader.py
- mast1c0re-send-file.py
- ps-dialog-PS4-0-00.elf
- ps-dialog-PS4-10-01.elf
- ps-dialog-PS5-0-00.elf
- ps-lightbar-PS4-0-00.elf
- ps-lightbar-PS5-0-00.elf
- ps-notification-PS4-10-01.elf
- ps-notification-PS4-5-05.elf
- ps-notification-PS4-6-72.elf
- ps-notification-PS4-9-00.elf
- ps-notification-PS5-6-50.elf
- VMC0-PS4-10-01.card
- VMC0-PS4-5-05.card
- VMC0-PS4-6-72.card
- VMC0-PS4-9-00.card
- VMC0-PS5-6-50.card
- Source code (zip)
- CUSA02199-CUSA02282-505-PS4-SAVE-0.1.2.zip (36.74 MB - PS4 Okage Updated Save v0.1.2 for 5.05 Firmware)
- CUSA02199-CUSA02282-672-PS4-SAVE-0.1.2.zip (36.74 MB - PS4 Okage Updated Save v0.1.2 for 6.72 Firmware)
- CUSA02199-CUSA02282-900-PS4-SAVE-0.1.2.zip (36.74 MB - PS4 Okage Updated Save v0.1.2 for 9.00 Firmware)
- CUSA02199-CUSA02282-1001-PS4-SAVE-0.1.2.zip (36.74 MB - PS4 Okage Updated Save v0.1.2 for 10.01 Firmware)
- CUSA02199-CUSA02282-650-PS5-SAVE-0.1.2.zip (36.74 MB - PS5 Okage Updated Save v0.1.2 for 6.50 Firmware)
- mast1c0re-file-loader.exe
- mast1c0re-file-loader.py
- mast1c0re-send-file.py
- ps-dialog-PS4-0-00.elf
- ps-dialog-PS4-10-01.elf
- ps-dialog-PS5-0-00.elf
- ps-lightbar-PS4-0-00.elf
- ps-lightbar-PS5-0-00.elf
- ps-notification-PS4-10-01.elf
- ps-notification-PS4-5-05.elf
- ps-notification-PS4-6-72.elf
- ps-notification-PS4-9-00.elf
- ps-notification-PS5-6-50.elf
- VMC0-PS4-10-01.card
- VMC0-PS4-5-05.card
- VMC0-PS4-6-72.card
- VMC0-PS4-9-00.card
- VMC0-PS5-6-50.card
- Source code (zip)
- mast1c0re-ps2-network-game-loader-PS4-10-01.elf
- mast1c0re-ps2-network-game-loader-PS4-5-05.elf
- mast1c0re-ps2-network-game-loader-PS4-6-72.elf
- mast1c0re-ps2-network-game-loader-PS4-9-00.elf
- mast1c0re-ps2-network-game-loader-PS5-6-50.elf
- Source code (zip)

- CUSA02199-CUSA02282-505-PS4-SAVE-0.1.3.zip (36.74 MB - PS4 Okage Updated Save v0.1.3 for 5.05 Firmware)
- CUSA02199-CUSA02282-672-PS4-SAVE-0.1.3.zip (36.74 MB - PS4 Okage Updated Save v0.1.3 for 6.72 Firmware)
- CUSA02199-CUSA02282-900-PS4-SAVE-0.1.3.zip (36.74 MB - PS4 Okage Updated Save v0.1.3 for 9.00 Firmware)
- CUSA02199-CUSA02282-1001-PS4-SAVE-0.1.3.zip (36.74 MB - PS4 Okage Updated Save v0.1.3 for 10.01 Firmware)
- CUSA02199-CUSA02282-650-PS5-SAVE-0.1.3.zip (36.74 MB - PS5 Okage Updated Save v0.1.3 for 6.50 Firmware)
- CUSA02282-CUSA02199-PS5-6.50-PS2-ELF-LOADER-v0.1.3.7z (36.5 MB - includes SCUS-97129.bin)
