Back to Blog
Easiest to run pcsx2 games7/22/2023 The emulator is divided into 2 separate processes: the main application process ( eboot.bin), and its compiler child process ( lf). Because of these two reasons, I'm comfortable referring to this exploit chain as "unpatchable", even if it may not technically be fully accurate. It's my interpretation that the existence of games with special privileges, like the PS2 emulator's JIT, fundamentally violates their own security model because it leaves privileged code with no readily available mechanisms to patch potential future vulnerabilities.įurthermore, in addition to the gap in their security model that prevents patching existing copies of the games, PlayStation has also decided to not even remove the identified known-exploitable PS2 games for purchase from the store. Their security model instead focuses on securing higher privileged layers of the platform (kernel, and hypervisor on PS5), operating under the assumption that games are compromised. It was designed this way since PlayStation can't be held responsible for the security of third party games (particularly those that statically link to old versions of WebKit). For physical games, you can simply launch them without first checking for updates.įor digital games, you can downgrade them by proxying PSN traffic (which is just HTTP, instead of HTTPS for server-side cost saving reasons).The console was designed to enforce required updates for the Operating System to play the latest games, but the Operating System was not designed with any mechanism to enforce the latest patches for games ie: old versions of games can always be played on the latest version of the Operating System: Once you have access to an exploitable game (digital or physical), it would be extremely difficult for PlayStation to remove your access to it. Under PlayStation's security model it's essentially unpatchable. With arbitrary code execution in a PS4 game process, homebrew software, including JIT optimised emulators, and potentially even some pirated commercial PS4 games could be run under this context. This would be especially convenient on the PS5 because the newly introduced hypervisor enforces that code pages (both userland and kernel) are not readable, and I don't have the patience to try to write a blind kernel exploit again as I did when I ported BadIRET to the PS4 without a kernel dump. Having JIT privilege means that fully compromising the emulator, including the compiler co-process, would grant the ability to run fully arbitrary native code (not just ROP) on the PS4/PS5 without the need for a kernel exploit. Since the PS2 emulator is really a PS4 title that runs due to backwards compatibility, they were unable to make changes to the software, and so its JIT privilege had to be spared. Sony aggressively removed JIT privileged attack surface from the PS5, disabling JIT in both the web browser and the BluRay player. The PS2 emulator is some of the last remaining JIT privileged code on the PS5. This is particularly valuable because access to running just the subset of officially available PS2 games on these platforms is being charged at the highest tier of PlayStation's new subscription service. I settled on attacking the PS2 emulator, which turns out to be a very appealing target for a number of reasons:Įscaping it would grant the ability to run pirated PS2 games on the PS4, PS5, and potentially also the PSN cloud gaming service. It's been a long time since I last worked on any modern PlayStation hacking, but with the release of the PS5 and the introduction of PlayStation's bug bounty program, I was motivated to attempt some kind of exploit chain that would work on the PS5. Note that these vulnerabilities were discovered and reported back in September 2021, but I was only able to publish this now. See also Part 2, covering the next part of the exploit chain, and PlayStation's response to the research.įor the impatient, a demo video for the first part of this chain is presented later in this article. In this article I will discuss how I successfully escaped the PS2 emulator developed for the PlayStation 4. Mast1c0re: Hacking the PS4 / PS5 through the PS2 Emulator - Part 1 - Escape Initial publication: September 14th, 2022
0 Comments
Read More
Leave a Reply. |