Following his previous FreeDVDBoot for PS3 / PS4 & Blu-ray BD-J Attacks and Tweet updates, today Security Engineer @CTurt announced on Twitter a new article covering mast1c0re: Hacking the PlayStation 4 / PlayStation 5 through the PS2 emulator, utilizing an unpatched PS4 / PS5 userland exploit that also allows running PS2 game backups!
Below is a mast1c0re PS2 Emulator Escape demonstration video from CTurt's YouTube Channel with an excerpt from his mast1c0re: Hacking the PS4 / PS5 through the PS2 Emulator - Part 1 - Escape article:
"PS2 p!racy is a fun implication, especially being able to disclose it despite there being no patch, but my main goal was getting native homebrew applications running.
Regarding that goal, escaping the emulator is just the first half of the chain; we can't yet write arbitrary native code since our application process only has permission to map JIT shared memory as executable, not writeable.
We could technically write "PS4-enhanced" PS2 homebrew applications that could use any native PS4 functionality, and so could behave essentially the same as normal PS4 homebrew (accessing the PS4 controller's touchpad, etc), but I really wanted to achieve fully arbitrary code execution for a more practical homebrew environment. This makes the next step attacking the compiler process: mast1c0re - Hacking the PS4 / PS5 through the PS2 Emulator - Part 2 - Arbitrary Code Execution."
mast1c0re PS2 Emulator Escape Demo - Backup Loader Scenario
Proof-of-concept demonstration of loading custom PS2 ISO files using the mast1c0re emulator escape exploit: https://cturt.github.io/mast1c0re.html
The lengthy upload time was cut from this demonstration video, but could be improved to more practical speeds in the future by implementing compression support.
Update: Another report by CTurt has now been closed according to the PlayStation Hacktivity on HackerOne for those keeping track, although no further progress updates are currently available.
It's a use-after-free. If it affects PS4 or PS5 I don't know yet, but it looks promising.
The fdescfs bug is not valid on PS4 but can be valid on PS5. The issue lies in the ability to interact with /dev/fd 0 1 2 (PS4 is FreeBSD 9, so it handles this part properly).
Mast1c0re: Hacking PS4 / PS5 via PS2 Emulator Part 2 by CTurt