In PS5 Scene news today, following @CTurt's Mast1c0re Exploit Chain for PS4 / PS5 via PS2 Emulator and How to Play NES Games with PS3Filer via PS5 BD-J Emulation, come some demo videos from Security Consultant _mccaulay (McCaulay's BuyMeACoffee Page) on Twitter showcasing a public reimplementation of the mast1c0re vulnerability PoC, with arbitrary PS2 code execution and native PS5 ROP chain execution on the latest PlayStation 5 firmware, alongside footage of it being tested on PS4 firmware 5.05 as well. :)

Following up on his Mast1c0re blog post from last fall, Security Engineer CTurt (@CTurtE on Twitter) replied, stating, "Very cool to see public reimplementations of the first part of my mast1c0re exploit chain, especially when tested on the latest PS5 firmware."
  • PyPSU v0.1.0 (11.2 KB - pypsu-0.1.0-py2.py3-none-any.whl) - A Python library and command line tool to parse, create, modify and delete files within the PS2 PSU file format.
  • AMD-SP-Loader-main.zip / AMD-SP-Loader GIT - Binary Ninja (Binja) loader for AMD Secure Processor (SP) / Platform Security Processor (PSP) firmware binaries. It will try to load AGESA Bootloader (ABL) and Bootloader blobs and will set up the correct load addresses.
Put out a blog post on some reversing I've been doing on the side of the AMD Platform Security Processor / PSP. Part 1 is an overview of the design and memory-mapped I/O (MMIO), part 2 will be on the Crypto Co-Processor MMIO.
Published part 2 of the AMD PSP reversing stuff. This one focuses on the Crypto Co-Processor (CCP) and looking at the system for loading firmware and decrypting it.
Scratch that "locked/unreadable key slots" idea ;)
Zen 1 and Zen 2 bootroms. The PS5 APU is a custom Zen 2 Ryzen chip. This is extremely important to reverse engineer and find ways to dump the PS5 bootrom.
Leak News AMD PSP Bootroms and VMProtect Source
SpecterDev thoughts on the leaked AMD Secure Processor bootroms (for people who don't know what this is about: AMD Zen 2 bootrom has been leaked, the PS5 CPU is also based on Zen 2, reverse engineering the secure processor may lead to a full PS5 jailbreak)
okrager - A Python command line tool to generate an Okage: Shadow King game save leading to arbitrary PS2 code execution.
1/6: Included in samples/ps2-hello-world are pre-built PS2 memory card files for PCSX2, PS4 and PS5. To import the game save on a low-firmware PS4, do the following:
2/6: Play the game to create a save game file. (See mast1c0re: Part 1 - Modifying PS2 game save files)
3/6: Open Apollo (apollo-ps4) -> HDD Saves -> OKAGE: Shadow King - SCUS-97129 -> Export decrypted save files -> VCM0.card.
4/6: Open FTP and overwrite /data/apollo/<user-id>/CUSA02282_SCUS-97129 with the modified VCM0.card (samples/ps2-hello-world/bin/PS4/VCM0.card).
5/6: In Apollo -> HDD Saves -> OKAGE: Shadow King - SCUS-97129 -> Import decrypted save files -> VCM0.card
6/6: Load OKAGE: Shadow King, PRESS START BUTTON -> RESTORE GAME -> "Hello PS4!" should show.
For testing it on PS5, copy the PS5 VCM0.card to PS4 through FTP, import file with Apollo, copy save to USB. Plug USB into PS5, copy save to PS5. Load Okage on PS5.
You can do offline account activation within Apollo with the user id of your PS5 PSN account - Offline Account activation
Not exactly following what you mean. You can sign a save with a PSN account using the Apollo offline activator to use on the latest PS4 firmware or PS5, as long as the account ID matches. More info on the offline account activator is on the Apollo git.
There is a simple Hello sample VCM0.card file in the repository already, one for PS4 and one for PS5. Check the samples bin directory.
By the way, I created the game save on a 5.05 PS4, imported the decrypted file there, copied it to USB, then copied it directly to PS5, instead of creating the save on PS5, copying it to PS4 and modifying it there. That may not work for you though, as your game region codes are different.
For me, the Okage Shadow King region was the same on both my 5.05 PS4 and PS5 though which is why my way may not have worked for you.
1/ I plan to release the mast1c0re code shortly. Note that it is not end-user friendly and is targeted for developers. The sample PS2 game loading code does not currently support custom config-emu-ps4.txt or Lua files, therefore functional PS2 games are minimal.
2/ Additionally, the PS2 games are loaded over the network and are not persistent on console storage. So this is not end-user friendly currently. Further research can be done to load games via USB which may be possible.
3/ No kernel exploit is currently included in the mast1c0re repository for any firmware versions, but can be implemented in the future for known kernel exploits on old firmware versions. This would allow homebrew (for PS4).
1/ I would recommend trying Klonoa 2 first as that is a relatively small game (~1GB uncompressed). Depending on people's network speed, it may take a long time to transfer over the network. Also, the PS2 game loader is only supported on PS4 5.05 and PS5 6.50.
2/ If people send me the libkernel.sprx library file for the firmware they want me to add support for, then I can add that to the code base.
mast1c0re - Framework for escaping the PlayStation emulator and executing native code. (For developers)
This project is intended for developers, not end users. There are some basic sample projects included for developers to learn some usage functionality. Pull requests for *** improvements are encouraged. Breakout is not 100% reliable. Re-open the game if it crashes. Have fun!
Nope success rate for me is about 80%, so a crash around 1 in 5 tries.
Btw, you have to use the Python script with the PS2 game loader, which requires the ISO file path on the PC and the PS4/5 IP address. Use --help for the argument names. I'd recommend trying Klonoa 2 first.
1/ Some sample projects have moved from mast1c0re to the ELF loader. If you are offline for too long on PlayStation you cannot copy files from USB. Therefore keeping this ELF loader lets you execute ELF files over the network even if you can't copy save files.
2/ You can find the compiled ELF samples and card files under releases. PS4 firmware v10.01 is currently not supported. Still working on that as I'm having issues executing system calls.
3/ The executable "mast1c0re-file-loader.exe" is a GUI which lets you select an ELF file and send it to your PS4/PS5. It also works for sending ISO images to the PS2 game loader sample project.
4/ Alternatively, you can use the Python command line script "scripts/mast1c0re-send-file.py" passing a "--ip" and "--file" argument. You may need to install requirements.txt (or just pip install progress)
mast1c0re PS2 ELF Loader: v0.1.3 - Raw TCP Transfer Support - Small update which allows you to send ELF files directly with tools such as netcat. Also lets you send ELF files repeatedly which do not run indefinitely.
mast1c0re PS2 Network Game Loader: v0.1.1 - Raw TCP Transfer Support - Small update which allows you to send ISO games directly with tools such as netcat. No progress bar is able to be shown when sending directly with netcat.
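The raw TCP transfer the two release notes describe is a plain byte stream with no framing: the sender connects, writes the file, and closes its write side, which is exactly what `nc <ip> <port> < payload.elf` does. The Python below is an added example written for this page, not code from the mast1c0re repository or its scripts/mast1c0re-send-file.py; the port number and the protocol details (no header, end of file signalled by a half-close) are assumptions, and the loopback receiver and the ELF-like payload are constructed so the example runs offline against itself.

```python
"""Stream a file over a raw TCP connection, the way a netcat send works.

Added example for this page: the loader port and the no-framing protocol are
assumptions, the loopback receiver and the payload are constructed for testing.
"""
import os
import socket
import tempfile
import threading

# Hypothetical port; the real loader's port comes from the project's --help output.
DEFAULT_PORT = 9045
CHUNK = 64 * 1024


def send_file(host, port, path, chunk_size=CHUNK, progress=None, timeout=10.0):
    """Connect once, stream the file bytes in order, half-close, return bytes sent.

    progress(sent, total) is invoked after every chunk, which is the sender-side
    progress bar a netcat transfer cannot give you: the receiver never acknowledges.
    """
    total = os.path.getsize(path)
    sent = 0
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            sock.sendall(chunk)
            sent += len(chunk)
            if progress:
                progress(sent, total)
        # Closing the write side is the only end-of-file marker in a raw stream.
        sock.shutdown(socket.SHUT_WR)
    return sent


def start_loopback_receiver():
    """Stand-in for the console: listen on 127.0.0.1, accept one connection,
    read until EOF and stash the bytes. Returns (port, thread, result dict)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port so the demo never collides
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def run():
        conn, _ = srv.accept()
        buf = bytearray()
        with conn:
            while True:
                data = conn.recv(65536)
                if not data:  # peer half-closed: transfer complete
                    break
                buf += data
        srv.close()
        result["data"] = bytes(buf)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread, result


def loopback_demo(payload=None):
    """Send a constructed ELF-like payload to the loopback receiver and report
    what arrived, so the stream semantics can be checked end to end."""
    if payload is None:
        # Constructed stand-in for an ELF: magic bytes followed by filler.
        payload = b"\x7fELF" + bytes(range(256)) * 40
    port, thread, result = start_loopback_receiver()
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        path = tmp.name
    ticks = []
    try:
        sent = send_file("127.0.0.1", port, path, chunk_size=4096,
                         progress=lambda s, t: ticks.append((s, t)))
    finally:
        os.unlink(path)
    thread.join(5)
    received = result.get("data")
    return {
        "sent": sent,
        "received": received,
        "intact": received == payload,
        "progress_calls": len(ticks),
        "last_tick": ticks[-1] if ticks else None,
    }


if __name__ == "__main__":
    summary = loopback_demo()
    print("sent", summary["sent"], "bytes, intact:", summary["intact"])
```

Because nothing comes back from the receiver, the only integrity signal you get on a real console is whether the ELF runs; the loopback check above is what you would do on a PC first to confirm that the sender is not truncating or reordering the stream.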
Related:
  • PS4 / PS5 Mast1c0re Payloader
  • Mast1c0re PS2 USB / Network ELF Loader & Game Loader PS4 / PS5 Updates

[Image: Mast1c0re Arbitrary PS2 Code & Native PS5 ROP Chain Execution PS4 Demos]