The proof of concept shows mast1core being used to load an external PS2 ISO into the system’s emulator.

Longtime console hacker CTurt says he has opened a “virtually unpatched” hole in PS4 and PS5 security, a proof-of-concept method that should allow installation of arbitrary homebrew programs on the consoles.

CTurt says he disclosed the exploit, which he has dubbed Mast1c0re, to Sony through its bug bounty program a year ago, with no sign of a public fix since. The method takes advantage of the just-in-time (JIT) compilation used by the emulator that runs certain PS2 games on the PS4 (and PS5). That compilation gives the emulator special permission to continuously write PS4-native code (translated from the original PS2 code) and then execute it in the same software layer.

By taking control of both sides of this process, a hacker can write privileged code that the system treats as legitimate and secure. “Since we’re using JIT system calls for their intended purposes, this isn’t really an exploit, just a neat trick,” CTurt said of a JIT exploit in the PS4 web browser that has since been patched.

Enter

To gain control of the emulator, a hacker could theoretically use any number of known exploits that have existed in PS2 games for decades. While some of these can be triggered with nothing more than button presses, most require using a known exploitable game to load a specially formatted save file from a memory card, leading to a buffer overflow that grants access to otherwise protected memory (similar exploits have been used in PSP and Nintendo 3DS hacks over the years).
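The save-file route above rests on a parser that trusts a length field inside the file. The following added example (my own illustration, not CTurt's code and not the emulator's or Sony's real save format) shows that defect beside its fix: a constructed save layout with a declared title length, an unchecked parser that copies as many bytes as the file claims, and a checked parser that validates the declared length against the destination buffer before any copy. The names `parse_save_unchecked`, `parse_save_checked` and the "PS2S" magic are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 32

/* Constructed save layout for illustration only (not the real PS2 memory-card
 * format and not the emulator's code):
 *   bytes 0..3 : magic "PS2S"
 *   byte  4    : declared title length
 *   bytes 5..  : title bytes
 */
struct save_info {
    char   title[TITLE_MAX];
    size_t title_len;
};

/* "Before" pattern: trusts the length byte from the file and copies that many
 * bytes into a fixed buffer. A declared length above TITLE_MAX overwrites
 * whatever follows 'title' in memory; this is the class of defect a crafted
 * save abuses. Kept only to contrast with the checked version below; the
 * demo never feeds it an oversized file. */
int parse_save_unchecked(const uint8_t *buf, size_t len, struct save_info *out)
{
    if (len < 5 || memcmp(buf, "PS2S", 4) != 0)
        return -1;                          /* not a save file */
    size_t title_len = buf[4];
    if (len < 5 + title_len)
        return -1;                          /* read bound only */
    memcpy(out->title, buf + 5, title_len); /* no write bound: overflows when title_len > TITLE_MAX */
    out->title_len = title_len;
    return 0;
}

/* Hardened version: the declared length is validated against the destination
 * capacity before any copy, and an oversized file is rejected outright rather
 * than truncated silently. */
int parse_save_checked(const uint8_t *buf, size_t len, struct save_info *out)
{
    if (len < 5 || memcmp(buf, "PS2S", 4) != 0)
        return -1;                          /* not a save file */
    size_t title_len = buf[4];
    if (title_len > TITLE_MAX)
        return -2;                          /* write bound: exceeds destination capacity */
    if (len < 5 + title_len)
        return -1;                          /* read bound: file is shorter than it claims */
    memcpy(out->title, buf + 5, title_len);
    out->title_len = title_len;
    return 0;
}

/* Constructed well-formed sample: 5-byte title "HELLO". */
static const uint8_t good_save[] = { 'P','S','2','S', 5, 'H','E','L','L','O' };

/* Well-formed file: both parsers accept it; returns the parsed title length. */
int good_title_len(void)
{
    struct save_info a, b;
    if (parse_save_unchecked(good_save, sizeof good_save, &a) != 0) return -1;
    if (parse_save_checked(good_save, sizeof good_save, &b) != 0) return -1;
    return (a.title_len == b.title_len) ? (int)b.title_len : -1;
}

/* Crafted file declaring a 200-byte title: the checked parser must return -2
 * before touching the destination buffer. */
int oversized_result(void)
{
    uint8_t bad[5 + 200];
    struct save_info s;
    memcpy(bad, "PS2S", 4);
    bad[4] = 200;
    memset(bad + 5, 'A', 200);
    return parse_save_checked(bad, sizeof bad, &s);
}

/* Truncated file: declares 10 title bytes but carries only 3. */
int truncated_result(void)
{
    const uint8_t cut[] = { 'P','S','2','S', 10, 'A','B','C' };
    struct save_info s;
    return parse_save_checked(cut, sizeof cut, &s);
}

int main(void)
{
    printf("good title length: %d\n", good_title_len());  /* 5 */
    printf("oversized save: %d\n", oversized_result());   /* -2 */
    printf("truncated save: %d\n", truncated_result());   /* -1 */
    return 0;
}
```

The point of the two bounds is that a read check (does the file contain as many bytes as it claims?) is not a write check (does the destination have room for them?); the unchecked parser has only the first, and that is exactly the gap a crafted save exploits. Rejecting rather than truncating also keeps a malformed file from being silently accepted and re-exported.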

This method is somewhat limited by the fact that the PS4 and PS5 cannot natively read standard PS2 discs. This means any exploitable game must be available either as a PS2-on-PS4 title downloadable via PSN or as one of the few PS2 games released on physical PS4-compatible discs through publishers such as Limited Run Games.

Getting a ready-to-use PS2 save file onto the PS4 isn’t a simple process either. CTurt had to use an already jailbroken PS4 to digitally sign a modified Okage: Shadow King save file so that it would work with his PSN ID. CTurt then used the system’s USB storage import feature to load that file onto the target system.

Previous CTurt hack showing PS2 homebrew running from DVD-R on unmodified hardware.

From that foothold, CTurt walks through a complex series of buffer and stack overflows, memory leaks, and ROP exploits that he uses to take control of the PS2 emulator. With that control established, he was able to reach the built-in bootloader functions to transfer a separate PS2 ISO file over the local network, then tell the emulator to load that game from a virtual disc.

While it was nice to load other PS2 games into the emulator, CTurt’s real purpose was to use this entry point to run arbitrary homebrew code on the system. CTurt told Ars via Twitter DM that this process will be detailed in a future post, along with the elevation of privileges needed to run any code “in the context of a PS4 game.”

CTurt told Ars that hackers would still need a separate (and potentially patchable) kernel exploit to gain “full control” of the PS4. But the mast1c0re exploit should be sufficient to run complex applications “including JIT-optimized emulators and potentially even some pirated commercial PS4 games.” Mast1c0re could also theoretically serve as an entry point for compromising the PS5 hypervisor, which CTurt said oversees low-level system security on that console.
