CTurt reveals new PS4 and PS5 exploit "Mast1c0re" that can be used to run pirated games, and is unpatchable


Cturt has been exploiting PlayStation consoles for years now, and with the release of the PlayStation 5, the scene hacker rose to the challenge of trying to hack it, too. This led to Cturt discovering what he claims to be an "essentially unpatchable" userland exploit, which he even submitted to Sony's bug bounty program a year ago, with no fix in sight. In an in-depth article that details the process and how it works, Cturt explains that the hack, dubbed Mast1c0re, abuses the PlayStation 2 emulator that both the PS4 and PS5 use, which runs as JIT-privileged code.

Having JIT privilege means that fully compromising the emulator, including the compiler co-process, would grant the ability to run fully arbitrary native code (not just ROP) on the PS4/PS5 without the need for a kernel exploit. This would be especially convenient on the PS5 because the newly introduced hypervisor enforces that code pages (both userland and kernel) are not readable, and I don't have the patience to try to write a blind kernel exploit again as I did when I ported BadIRET to the PS4 without a kernel dump.

The exploit is almost impossible to patch because, if you own any backwards compatible PlayStation 2 title, it would be difficult for Sony to revoke your access to it; players can easily downgrade the game even if it were to be patched, and PS2 games require JIT to run, even on the PS5, where most potential JIT attacks have been patched up.

Furthermore, PlayStation has decided to double-down on this security model by not even removing the identified known-exploitable PS2 games from the store. Because of these reasons, I'm comfortable referring to this scenario as "unpatchable", even if it may not technically be fully accurate.

It's a fairly simple process, too. In order to hijack the PS2 game, Cturt needed a title with a save game exploit that was simple enough to use, and chose Okage: Shadow King. Getting the save file that triggers the buffer overflow required an already hacked PS4 console, though: the PS2-on-PS4 memory card carrying the exploit had to be encrypted and signed for use with the right PSN account, and then imported to the target system through USB.



The next step was reverse engineering the PS2 emulator to find a suitable vulnerable bug. A very technical breakdown explains how Cturt managed this, which in the end resulted in the ability to run custom PS2 games that aren't normally available on the PS4. That's not all mast1c0re can do, either: Cturt says their next article will explain how to run arbitrary homebrew code, which could even lead to running pirated commercial PS4 games. Once that's written up, you can expect to see it on the blog writeup for the exploit here.

We could technically write "PS4-enhanced" PS2 homebrew applications that could use any native PS4 functionality, and so could behave essentially the same as normal PS4 homebrew (accessing the PS4 controller's touchpad, etc), but I really wanted to achieve fully arbitrary code execution for a more practical homebrew environment. This makes the next step attacking the compiler process

Source
 

Zm1231

They say you need a modded PS4 to get the save file created. PS4 Save Wizard has been able to resign PS2 saves (Ace Combat, for example), so why couldn't someone make the modified save file needed on a modded PS4, export it with the PS4 to USB, then use PS4 Save Wizard to resign the save file for import onto a different account?
 

Zm1231

It can be used to run pirated PS2 games, PS2 homebrew, and maybe some PS4 userland homebrew. Not PS4 or PS5 games atm; that's a really important distinction left out here. Also, some really good points were left in other places like wololo. With what we have on the newest firmware, these custom PS2 saves (VMC files) on PS4 or PS5 can't be used. A PS4 can export and import it, but PFS static keys for USB weren't published, so the average Joe like you and me cannot sign this "save" to be imported via USB, and the console won't accept it without that. If these keys aren't published, we aren't even getting pirated PS2 games; we're getting something nice to analyze in future writeups.
How is PS4 Save Wizard able to modify the Ace Combat PS2 game save file? No one truly knows how PS4 Save Wizard works, but in theory they have exploited consoles running that they're uploading the saves to, to take care of the PFS encryption layer.

If that's the case, why couldn't someone create the modified save file on a modded system, export them to USB and use Save Wizard to resign them? Save Wizard has been able to resign save files from modded systems to work on updated systems, and they clearly have been able to resign and modify Ace Combat, being a PS2 game.
 

Daggot

Whoever runs PS4 Save Wizard is suspected to have had access to keys that the wider community has lacked for many years and has used them to turn a profit. I've got nothing against that and maybe it could be used for this purpose as long as everyone who needs to re-sign PS2 saves to their account is willing to pay the 50 bucks that the service costs but it's not something everyone with a modded console can do. IIRC if you really wanted to re-sign a save from someone else's PSN account and you had access to a PS4 on 9.00 or lower with a save tool that's freely available and can be used on exploitable PS4s like Save Mounter, the save itself could only be used on consoles that were also on exploitable firmware (<=9.00).
 

titan_tim

Even on torrent sites you will find missing updates and DLCs. It especially sucks that FPKGs only accept FPKG updates, you can't just download the official ones on the console like on PS3 or 3DS.

It is for some games. I could only find the European version of Ace Combat 5, an emulated PS2 game with some PS4 enhancements, and I don't want a crappy 50Hz version.

My point about backports is that it's the only way to play >9.00 games. You have to hope the game you want has a backport, if you want to play it.
The only DLC I've been having trouble finding is the final character pass for SF5. But I own it on PC, so it's not really an issue. But if I'm having issues finding that one, then I'm sure there are others that are tricky to find.

For ace combat, that's a pretty niche issue it sounds like. But I can see how that would be annoying.

Ah yes, most of the BIG games get a backport pretty quickly, but there are always smaller ones which fall through the cracks. I guess for all these issues, I have pretty simplistic needs, so I don't run into most of those issues. And like you, my PS4 is not being used that much even though it's loaded to the tits with popular games.
 

crossholo

After I saw what happened to the Switch, I thought that something like that could never happen again in this day and age. But these devs prove me wrong every time.
 

rantex92

Fucked up that people will start buying PS4s and PS5s to pirate games on, only to find out there are no games on them
It's more fucked up that half of the people don't understand this isn't a full-on exploit or that it magically runs PS2 flawlessly (still the same old PS2 Classic emulator) and it's just another entry point. I would say it's even less impactful than the BD exploit.
 

LainaGabranth

Did you uh. Read Chary's full article?
 

HarveyHouston

An exploit that exists within a console is always beneficial for hacking and adding homebrew, but there's also always that danger of piracy, which is the reason that exploits are patched by manufacturers as soon as they are discovered. I think even Sony sees the benefit of exploits (who do you think they were showing the PS5 teardown to?), but they also don't want to be pirated and lose money, which makes sense if you're a business.

This "unpatchable" exploit is an interesting one - this reminds me of something similar that happened with the Nintendo Switch when it first released. One could use a modded cable, or even just some wires, to exploit the Switch and gain access to system files. In a plot twist, PS4 and PS5 have backwards compatibility to PS2 titles, which apparently allow a hacker to gain access, which is actually similar to exploits on the Wii, like Bathaxx, which was one I used to add the Homebrew Channel to my Wii before it was banner-bricked.

Now, a smart hacker would figure out how to use the built-in PS2 emulation to add back these unpatchable games, so that they could proceed to exploit and gain system-level access. Perhaps a properly configured disc or USB stick would be the key - one the PS4 or PS5 could read and then load the game, opening that doorway to "Jailbreak City" (using a popular PlayStation hacking term there). Of all the consoles, it seems that the PlayStation is easiest to mod; however, I don't own any PlayStations or other consoles besides Switch to test this theory, so feel free to correct me if you guys think otherwise.
 

ChibiMofo

Eh it's half dev mode, half the fact that Xbox has no exclusives so people just pirate PC versions instead. Sony is starting to go that direction too, but only more recently.
Think about how many post-360 Xboxes there are out there. You don't think the 50 or so million owners wouldn't love to pirate games? And exactly how many of them would even bother with an Xbox if they had a (superior) PC? Your logic does not stand scrutiny. Sony simply sucks at security, which should surprise no one since:
A. They were subject to the largest hack in human history. (Hello North Korea!)
B. They aren't Microsoft, a software company that has been making secure OSes since the mid-90s and has infinitely more software experience than Sony will ever have.
 

raxadian

So... When will PS3 and Vita be dead for good? No online services, no more updates? I understand the PS3 is a popular Blu-ray player and the Vita is a fan favorite, but honestly Nintendo killed the 3DS way faster despite still doing updates for it for some reason.
 

Ryab


"The easiest way to stop piracy is not by putting anti-piracy technology to work. It's by giving those people a service that's better than what they're receiving from the pirates." - Gabe Newell
 
