Console hacker reveals PS4/PS5 exploit that is “essentially unpatchable”

A proof of concept shows mast1core being used to load an external PS2 ISO into the system emulator.

Longtime console hacker CTurt has blasted what he calls an “essentially unfixable” hole in the PS4 and PS5’s security, detailing a proof-of-concept method that should allow apps to be installed arbitrary homebrew on consoles.

CTurt says he leaked his exploit, dubbed Mast1c0re, to Sony via a bug bounty program a year ago with no sign of a public fix. The method exploits errors in the just-in-time (JIT) compilation used by the emulator that runs some PS2 games on PS4 (and PS5). This compilation gives the emulator special permissions to continuously write PS4-ready code (based on the original PS2 code) just before the application layer itself executes that code.

By taking control of both sides of this process, a hacker can write privileged code that the system considers legitimate and secure. “Since we’re using JIT system calls for our intended purpose, it’s not really an exploit, just a trick,” CTurt said of a since-patched JIT exploit on the PS4’s web browser.

Getting in

To gain control of the emulator, a hacker can theoretically use any number of known exploits that exist in decades-old PS2 games. While some of these can be activated simply by pressing a button, most require the use of a known exploitable game to access a specially formatted save file on the memory card, resulting in a buffer overflow that grants access to otherwise protected memory (similar exploits have been used in PSP and Nintendo 3DS hacks over the years).

This method is somewhat limited, however, by the fact that the PS4 and PS5 cannot natively recognize standard PS2 discs. This means that any exploitable game must be available either as a downloadable PS2 game on PS4 via PSN, or as one of the few PS2 games released as PS4 compatible physical discs via publishers such as Limited Run Games.

Getting an exploit-ready PS2 save file on the PS4 is also not a simple process. CTurt had to use an already hacked PS4 to digitally sign a modded version Okage Shadow King save the file, letting it run with its PSN ID. Next, CTurt used the system’s USB backup import feature to get this file to the target system.

A previous CTurt hack showing PS2 homebrew running from DVD-R on unmodified hardware.

With the basics established, CTurt navigates through a complicated series of buffer and stack overflows, memory leaks, and RAM exploits that he used to gain control of the PS2 emulator. Once this control was established, he was able to access the built-in loader functions to transfer a separate PS2 ISO file over a local network, and then tell the emulator to load that game via ramdisk.

While loading other PS2 games into an emulator was nice, CTurt’s real goal was to use this entry point as a way to run arbitrary homebrew code on the system. This process will be detailed in a future post, CTurt tells Ars on Twitter DM, alongside the privilege escalation needed to run any code “in the context of a PS4 game.”

Hackers would still need to use a separate (and potentially patchable) kernel exploit to gain “full control” of a PS4, CTurt told Ars. But the mast1c0re exploit alone should be enough to run complex programs “including JIT-optimized emulators and potentially even some pirated commercial PS4 games.” Mast1c0re could also theoretically be used as an entry point to compromise the PS5 hypervisor that controls low-level system security on that console, CTurt said.

Leave a Comment