The hacker, who uses the pseudonym CTurt, has long specialized in hacking game consoles, and this week he showed off a fresh Mast1c0re exploit for hacking PS4 and PS5. This PoC exploit is called a “virtually unrecoverable” security hole. Mast1c0re should allow arbitrary applications to be installed and run on Sony consoles.
Let me remind you that we also talked about the fact that Fail0verflow Announces PlayStation VR Hack, and also that New exploit for the PlayStation 4 may be useful for the PS5.CTurt says that he demonstrated Mast1c0re to Sony representatives a year ago, through the bug bounty program, but did not wait for the release of a public fix.
Mast1c0re relies on JIT compilation errors that the emulator uses to run certain PS2 games on PS4 and PS5 consoles. This compilation gives the emulator special permissions to continuously write PS4-ready code (based on the original PS2 sources), just before that code is executed in the application layer. By gaining control of both sides of this process, a hacker can write privileged code that the system ultimately deems legitimate and safe.
The researcher writes that in order to gain control over the emulator, it is theoretically possible to use any known exploits that have existed for a long time for PS2 games. While some of them can be activated literally with the click of a button, most will require the use of some well-known game and access to a specially formatted save file on the memory card, which will lead to a buffer overflow and open access to protected memory. It should be noted that similar exploits have been used to hack the PSP and Nintendo 3DS for many years.
Unfortunately, this method is a little limited due to the fact that PS4 and PS5 cannot recognize standard PS2 discs. This means that any game in production must either be available as a PS2-on-PS4 download via PSN, or be one of the few PS2 games that came out on PS4-compatible physical discs.
Getting a ready-to-play PS2 save file on PS4 isn’t easy either. CTurt reveals that he had to use an already jailbroken PS4 to digitally sign a modified Okage Shadow King save file in order for it to work with his PSN ID. CTurt then used the system’s USB save import feature to load the file onto the target system.
Having laid the groundwork, CTurt finally moved on to a complex series of buffer and stack overflows, memory leaks, and RAM exploits that he used to gain control of the PS2 emulator. He eventually managed to access the built-in bootloader functions to transfer the PS2 ISO file over the local network, and then instruct the emulator to load that game via the virtual drive.
However, while loading other PS2 games into the emulator is fine, but the real purpose of CTurt was to use this entry point to run arbitrary code on the system. The hacker promises to describe this process in detail in his next article, along with the privilege escalation that is necessary to run any code “in the context of PS4 games.”
Essentially, hackers will still have to use a separate (and potentially patchable) kernel exploit to take “full control” of the PS4, explains CTurt. However, Mast1c0re should already be enough to run complex programs, “including JIT-optimized emulators and probably even some pirated commercial PS4 games.”
Also, according to CTurt, Mast1c0re could theoretically be used as an entry point to compromise the PS5 hypervisor, which manages low-level system security on this console.
During a conversation with journalists from ArsTechnica, CTurt emphasized that it is almost impossible to close the hole that Mast1c0re uses. The point is that a running PS2 emulator is packaged with every available PS2-on-PS4 game, rather than stored separately as part of the console’s operating system.
That is, for PS2-on-PS4 physical discs, the exploit will work as long as the user opts out of any online updates before playing. And for digital releases, this means that even if the exploit is fixed, there are methods to go to the saved version, suitable for exploitation, using proxied HTTP traffic from the local server.
In a similar situation, Nintendo has made the decision to remove exploited 3DS games from the Nintendo eShop in an attempt to limit potential damage, and CTurt says Sony has not yet done so with exploited PS2 games on PSN.
Interestingly, in the first version of his article, which has now been deleted (archived copy), the hacker wrote that he received an official response from the PlayStation developers a year after submitting his report. He was told that the company had decided that they would not try to fix the problem.