CTurt reveals new PS4 and PS5 exploit "Mast1c0re" that can be used to run pirated games, and is unpatchable


CTurt has been exploiting PlayStation consoles for years, and with the release of the PlayStation 5 the scene hacker rose to the challenge of hacking it, too. This led to CTurt discovering what he claims is an "essentially unpatchable" userland exploit, which he submitted to Sony's bug bounty program a year ago, with no fix in sight. In an in-depth article detailing the process and how it works, CTurt explains that the hack, dubbed Mast1c0re, targets the PlayStation 2 emulator that both the PS4 and PS5 use, which runs with JIT privileges.

Having JIT privilege means that fully compromising the emulator, including the compiler co-process, would grant the ability to run fully arbitrary native code (not just ROP) on the PS4/PS5 without the need for a kernel exploit. This would be especially convenient on the PS5 because the newly introduced hypervisor enforces that code pages (both userland and kernel) are not readable, and I don't have the patience to try to write a blind kernel exploit again as I did when I ported BadIRET to the PS4 without a kernel dump.

The exploit is considered almost impossible to patch for three reasons: if you own any backwards-compatible PlayStation 2 title, it would be difficult for Sony to revoke your access to it; players can easily downgrade the game even if it were patched; and PS2 games require JIT to run, even on the PS5, where most other potential JIT attack vectors have been patched up.

Furthermore, PlayStation has decided to double-down on this security model by not even removing the identified known-exploitable PS2 games from the store. Because of these reasons, I'm comfortable referring to this scenario as "unpatchable", even if it may not technically be fully accurate.

The process is fairly simple, too. To hijack the PS2 game, CTurt needed a title with a simple enough save-game exploit, and chose Okage: Shadow King. Getting the save file that triggers the buffer overflow onto the target requires an already hacked PS4 console, though: the PS2-on-PS4 memory card containing the exploit has to be encrypted and signed for use with the right PSN account before it can be imported to the target system through USB.

The next step was reverse engineering the PS2 emulator to find an exploitable bug. A very technical breakdown explains how CTurt managed this, which in the end resulted in the ability to run custom PS2 games that aren't normally available on the PS4. That's not all Mast1c0re can do, either: CTurt says his next article will explain how to run arbitrary homebrew code, which could even lead to running pirated commercial PS4 games. Once that's written up, you can expect to see it on the blog writeup for the exploit here.

We could technically write "PS4-enhanced" PS2 homebrew applications that could use any native PS4 functionality, and so could behave essentially the same as normal PS4 homebrew (accessing the PS4 controller's touchpad, etc), but I really wanted to achieve fully arbitrary code execution for a more practical homebrew environment. This makes the next step attacking the compiler process.

Source
 

Daggot (Well-Known Member, joined Aug 3, 2015):
It can be used to run pirated PS2 games, PS2 homebrew, and maybe some PS4 userland homebrew. Not PS4 or PS5 games atm, that's a really important distinction left out here. Also, some really good points were left in other places like wololo. With what we have on the newest firmware these custom PS2 saves (VMC files) on PS4 or PS5 can't be used. A PS4 can export and import it, but PFS static keys for USB weren't published, so the average joe like you and me cannot sign this "save" to be imported via USB, and the console won't accept it without that. If these keys aren't published, we aren't even getting pirated PS2 games; we're getting something nice to analyze in future writeups.
 

CoolMe ("Who am i, what am i?", joined Apr 16, 2019):
Nice! I still don't understand if with this exploit you can take (some form of) control of the system (PS4 or 5), like running homebrew etc.
 

MikaDubbz (Well-Known Member, joined Dec 12, 2017):
Damn fuckin impressive.

Ya know, ya gotta give Microsoft some credit, ever since opening up dev mode to the common consumer with the Xbox One, I do believe they found a way to successfully combat modern pirating. Like yeah, opening up dev mode leaves you open to emulators and homebrew, but that's what the majority of homebrewers seem to want. Pirating (of modern games for that system) seems to be in the minority, so when you leave the tools open for every consumer, you kinda kill the desire for many in the scene to look deeply into hacking your system to begin with. Which I believe is a large reason why the Xbone and now the Series X haven't seen major exploits that allow the ability for the common consumer to run pirated games on the system (unless I've missed something, I could be wrong, but from what I've seen, these last 2 gens of Xbox have not been unlocked for us to easily run pirated copies on the systems).
 

Xzi (Time to fly, 621, joined Dec 26, 2013):
MikaDubbz said:
Damn fuckin impressive.

Ya know, ya gotta give Microsoft some credit, ever since opening up dev mode to the common consumer with the Xbox One, I do believe they found a way to successfully combat modern pirating. Like yeah, opening up dev mode, leaves you open to emulators and homebrew, but that's what the majority of homebrewers seem to want. Pirating seems to be in the minority, so when you leave the tools open for every consumer, you kinda kill the desire for many in the scene to look deeply into hacking your system to begin with. Which I believe is a large reason why the Xbone and now the Series X haven't seen major exploits that allow the ability for the common consumer to run pirated games on the system (unless I've missed something, I could be wrong, but from what I've seen, these last 2 gens of Xbox have not been unlocked for us to easily run pirated copies on the systems).
Eh it's half dev mode, half the fact that Xbox has no exclusives so people just pirate PC versions instead. Sony is starting to go that direction too, but only more recently.
 

MikaDubbz (Well-Known Member, joined Dec 12, 2017):
Xzi said:
Eh it's half dev mode, half the fact that Xbox has no exclusives so people just pirate PC versions instead.
Yeah, probably a fair amount of it being that Game Pass is such a solid deal too. No matter what amount of what contributed to it, it's hard to deny that there really isn't much of an Xbox modding scene, at least compared to Nintendo and Playstation systems.
 

N7Kopper (Lest we forget... what Nazi stood for., joined Aug 24, 2014):
MikaDubbz said:
Yeah, probably a fair amount of it being that Game Pass is such a solid deal too. No matter what amount of what contributed to it, it's hard to deny that there really isn't much of an Xbox modding scene, at least compared to Nintendo and Playstation systems.
Piracy is a service issue, as GabeN says. If the fancy Xbone Series servers go kaput, piracy for those gens will jump through the roof.
 

Jayro (MediCat USB Dev, Developer, joined Jul 23, 2012):
I have a PS4 Pro fully updated to snag the monthly Plus games, and I'm more than willing to try this hack out. Is there a tutorial for the everyday modder we can follow? Maybe a GitHub with files ready to use?
 

Acid_Snake (Developer, joined Aug 20, 2019):
This is very similar in nature to the PS1 exploits on PSP/Vita that I, qwik and thefl0w cooked a while back.
A crafted Virtual PS1 Memory Card that caused a buffer overflow on a PS1 game, allowing us to take control of the emulator and from there escalate into kernel. This opened up the possibility to play custom PS1 games on Vita with full working sound, something that was previously impossible to do since we only had access to the PSP emulator that lacked some important parts for PS1 emulation.
Now those were the good old times, I'm glad to see these sort of masterpieces are still being developed by very talented devs.
 

eyeliner (Has an itch needing to be scratched., joined Feb 17, 2006):
I'd like to know how much piracy the PS4 has.
Considering how much of a behemoth of downloads the games are, is anyone hoarding pirate copies on their hard drives to play?

Is there even any point in doing so, considering the amount of time you have to devote to most games, today?

Sony should also give a dev mode to users. Heck, let users work for them and develop decent emulators for the system.
 
