CTurt reveals new PS4 and PS5 exploit "Mast1c0re" that can be used to run pirated games, and is unpatchable

PS2PS4.jpg

Cturt has been exploiting PlayStation consoles for years now, and with the release of the PlayStation 5, the scene hacker rose to the challenge of trying to hack it, too. This led to Cturt discovering what he claims to be an "essentially unpatchable" userland exploit, and even submitted it to Sony's bug bounty program a year ago, with no fix in sight. In an in-depth article that details the process and how it works, Cturt explains that the hack, dubbed Mast1c0re, utilizes the PlayStation 2 emulator that both the PS4 and PS5 use, through JIT privileged code.

Having JIT privilege means that fully compromising the emulator, including the compiler co-process, would grant the ability to run fully arbitrary native code (not just ROP) on the PS4/PS5 without the need for a kernel exploit. This would be especially convenient on the PS5 because the newly introduced hypervisor enforces that code pages (both userland and kernel) are not readable, and I don't have the patience to try to write a blind kernel exploit again as I did when I ported BadIRET to the PS4 without a kernel dump.

The reasoning behind the exploit being almost impossible to patch, is due to the fact that if you own any backwards compatible PlayStation 2 title, it'd be difficult for Sony to revoke your access to it, players can easily downgrade the game even if it were to be patched, and PS2 games require using JIT to run, even on the PS5 where most JIT potential attacks have been patched up.

Furthermore, PlayStation has decided to double-down on this security model by not even removing the identified known-exploitable PS2 games from the store. Because of these reasons, I'm comfortable referring to this scenario as "unpatchable", even if it may not technically be fully accurate.

It's a fairly simple process, too; in order to hijack the PS2 game, Cturt needed to find a game that has a save game exploit which was simple enough, choosing Okage Shadow King. Getting the save file that would cause a buffer overflow required an already hacked PS4 console, though, as creating a PS2-on-PS4 memory card with the exploit needed to be encrypted, and signed for use with the right PSN account, and then imported to the target system through USB.



The next step was to look into reverse engineering the PS2 emulator, finding the right bug that would be vulnerable. A very technical breakdown explains how Cturt managed this, which in the end, resulted in the ability to run custom PS2 games that aren't normally available on the PS4. That's not all mast1c0re can do, either; Cturt says their next article will explain how to run arbitrary homebrew code, which could lead to even running pirated commercial PS4 games. Once that's written up, you can expect to see it on the blog writeup for the exploit here.

We could technically write "PS4-enhanced" PS2 homebrew applications that could use any native PS4 functionality, and so could behave essentially the same as normal PS4 homebrew (accessing the PS4 controller's touchpad, etc), but I really wanted to achieve fully arbitrary code execution for a more practical homebrew environment. This makes the next step attacking the compiler process

:arrow: Source
 

Daggot

Well-Known Member
Member
Joined
Aug 3, 2015
Messages
727
Trophies
0
XP
2,717
Country
United States
It can be used to run pirated PS2 games, PS2 homebrew, and maybe some PS4 userland homebrew. Not PS4 or PS5 games atm, that's a really important distinction left out here. Also, some really good points were left in other places like wololo. With what we have on the newest firmware these custom PS2 saves (VMC files) on PS4 or PS5 can't be used. A PS4 can export and import it but PFS static keys for USB weren’t published so the average joe like you and me cannot sign this “save” to be imported via USB and the console won't accept it without that. If these keys aren't published we aren't even getting pirated PS2 games we're getting something nice to analyze in future writeups.
 

CoolMe

That's the way she goes..
Member
Joined
Apr 16, 2019
Messages
7,282
Trophies
1
Age
28
XP
31,707
Country
United States
Nice! I still don't understand if with this exploit you can take (some form of) control of the system (PS4 or 5), like running homebrew etc.
 

MikaDubbz

Well-Known Member
Member
Joined
Dec 12, 2017
Messages
3,829
Trophies
1
Age
36
XP
7,126
Country
United States
Damn fuckin impressive.

Ya know, ya gotta give Microsoft some credit, ever since opening up dev mode to the common consumer with the Xbox One, I do believe they found a way to successfully combat modern pirating. Like yeah, opening up dev mode, leaves you open to emulators and homebrew, but that's what the majority of homebrewers seem to want. Pirating (of modern games for that system) seems to be in the minority, so when you leave the tools open for every consumer, you kinda kill the desire for many in the scene to look deeply into hacking your system to begin with. Which I believe is a large reason why the Xbone and now the Series X haven't seen major exploits that allow the ability for the common consumer to run pirated games on the system (unless I've missed something, I could be wrong, but from what I've seen, these last 2 gens of Xbox have not been unlocked for us to easily run pirated copies on the systems).
 

Xzi

Time to fly, 621
Member
Joined
Dec 26, 2013
Messages
17,617
Trophies
3
Location
The Lands Between
Website
gbatemp.net
XP
8,144
Country
United States
Damn fuckin impressive.

Ya know, ya gotta give Microsoft some credit, ever since opening up dev mode to the common consumer with the Xbox One, I do believe they found a way to successfully combat modern pirating. Like yeah, opening up dev mode, leaves you open to emulators and homebrew, but that's what the majority of homebrewers seem to want. Pirating seems to be in the minority, so when you leave the tools open for every consumer, you kinda kill the desire for many in the scene to look deeply into hacking your system to begin with. Which I believe is a large reason why the Xbone and now the Series X haven't seen major exploits that allow the ability for the common consumer to run pirated games on the system (unless I've missed something, I could be wrong, but from what I've seen, these last 2 gens of Xbox have not been unlocked for us to easily run pirated copies on the systems).
Eh it's half dev mode, half the fact that Xbox has no exclusives so people just pirate PC versions instead. Sony is starting to go that direction too, but only more recently.
 

MikaDubbz

Well-Known Member
Member
Joined
Dec 12, 2017
Messages
3,829
Trophies
1
Age
36
XP
7,126
Country
United States
Eh it's half dev mode, half the fact that Xbox has no exclusives so people just pirate PC versions instead.
Yeah, probably a fair amount of it being that Game Pass is such a solid deal too. No matter what amount of what contributed to it, it's hard to deny that there really isn't much of an Xbox modding scene, at least compared to Nintendo and Playstation systems.
 
  • Like
Reactions: Nightcat and Xzi

N7Kopper

Lest we forget... what Nazi stood for.
Member
Joined
Aug 24, 2014
Messages
975
Trophies
0
Age
30
XP
1,289
Country
United Kingdom
Yeah, probably a fair amount of it being that Game Pass is such a solid deal too. No matter what amount of what contributed to it, it's hard to deny that there really isn't much of an Xbox modding scene, at least compared to Nintendo and Playstation systems.
Piracy is a service issue, as GabeN says. If the fancy Xbone Series servers go kaput, piracy for those gens will jump through the roof.
 

Jayro

MediCat USB Dev
Developer
Joined
Jul 23, 2012
Messages
12,791
Trophies
4
Location
WA State
Website
ko-fi.com
XP
16,548
Country
United States
I have a PS4 Pro fully updated to snag the monthly Plus games, and I'm more than willing to try this hack out. Is there a tutorial for the everyday modder we can follow? Maybe a GitHub with files ready to use?
 

Acid_Snake

Developer
Developer
Joined
Aug 20, 2019
Messages
671
Trophies
0
Age
30
XP
1,900
Country
Spain
This is very similar in nature to the PS1 exploits on PSP/Vita that I, qwik and thefl0w cooked a while back.
A crafted Virtual PS1 Memory Card that caused a buffer overflow on a PS1 game, allowing us to take control of the emulator and from there escalate into kernel. This opened up the posibility to play custom PS1 games on Vita with full working sound, something that was previously impossible to do since we only had access to the PSP emulator that lacked some importants parts for PS1 emulation.
Now those were the good old times, I'm glad to see these sort of masterpieces are still being developed by very talented devs.
 

eyeliner

Has an itch needing to be scratched.
Member
Joined
Feb 17, 2006
Messages
2,861
Trophies
2
Age
43
XP
5,371
Country
Portugal
I'd like to know how much piracy the PS4 has.
Considering how much of a behemoth of downloads the games are, is anyone hoarding pirate copies on their hard drives to play?

Is there even any point in doing so, considering the amount of time you have to devote to most games, today?

Sony should also give a dev mode to users. Heck, let users work for them and develop decent emulators for the system.
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    Xdqwerty @ Xdqwerty: What does the h stand for?