Long-time console hacker CTurt blew what it calls an “essentially unfixable” hole in the PS4 and PS5’s security, detailing a proof of concept method this should allow installing arbitrary homebrew apps on consoles.
CTurt says he revealed his feat, dubbed Mast1c0reto Sony through a bug bounty program a year ago with no sign of a public solution. The method exploits errors in the just-in-time (JIT) compilation used by the emulator that runs some PS2 games on PS4 (and PS5). This compilation gives the emulator special permissions to continuously write PS4-ready code (based on the original PS2 code) just before the application layer itself executes that code.
By taking control of both sides of this process, a hacker can write privileged code that the system considers legitimate and secure. “Since we’re using JIT system calls for the intended purpose, this isn’t really an exploit, just a trick,” CTurt said. said of a since patched JIT exploit on the PS4’s web browser.
To gain control of the emulator, a hacker can theoretically use any number of known exploits that exist in decades-old PS2 games. While some of them can be activated simply by pressing a button, most require the use of a known exploitable game to access a specially formatted backup file on the memory cardleading to a buffer overflow that provides access to otherwise protected memory (similar exploits have been used in PSP and Nintendo 3DS hacks over the years).
This method is somewhat limited, however, by the fact that the PS4 and PS5 cannot natively recognize standard PS2 discs. This means that any exploitable game must be available either as a PS2 downloadable game on PS4 via PSN or one of the few PS2 games published as physicalPS4 compatible discs through publishers like Limited edition games.
Getting an exploit-ready PS2 save file on the PS4 is also not a simple process. CTurt had to use an already hacked PS4 to digitally sign a modded version Okage Shadow King save the file, letting it run with its PSN ID. Then CTurt used the system’s USB backup import function to get this file on the target system.
Once the basics are established, CTurt crosses a complicated series of buffer and stack overflows, memory leaks, and RAM exploits that he used to take control of the PS2 emulator. Once this control was established, he was able to access the built-in loader functions to transfer a separate PS2 ISO file over a local network, and then tell the emulator to load that game via ramdisk.
While loading other PS2 games into an emulator was nice, CTurt’s real goal was to use this entry point as a way to run arbitrary homebrew code on the system. This process will be detailed in a future post, CTurt tells Ars on Twitter DM, alongside the privilege escalation needed to run any code “in the context of a PS4 game.”
Hackers would still need to use a separate (and potentially patchable) kernel exploit to gain “full control” of a PS4, CTurt told Ars. But the mast1c0re exploit alone should be enough to run complex programs “including JIT-optimized emulators and potentially even some pirated commercial PS4 games.” Mast1c0re could also theoretically be used as an entry point to find a compromise the PS5 hypervisor which controls low-level system security on this console, CTurt said.