Longtime console hacker CTurt has blasted what he calls an “essentially unfixable” hole in the security of the PS4 and PS5, describing a proof-of-concept method that would allow the installation of arbitrary homebrew applications on the consoles.
CTurt says he disclosed his exploit, called Mast1c0re, to Sony via a bug bounty program a year ago with no sign of a public fix. The method exploits flaws in the just-in-time (JIT) compilation used by the emulator that runs certain PS2 games on the PS4 (and PS5). That compilation gives the emulator special permissions to continuously write PS4-ready code (based on the original PS2 code) right before the application layer itself runs that code.
By gaining control of both sides of that process, a hacker can write privileged code that the system treats as legitimate and secure. “Since we’re using JIT system calls for their intended purpose, it’s not really an exploit, just a neat trick,” CTurt said of a since-patched JIT exploit in the PS4’s browser.
To gain control of the emulator, a hacker could theoretically use a number of known exploits found in decades-old PS2 games. While some of these can be activated with just a button press, most require the use of a known game that can be exploited to access a specially formatted save file on the memory card, leading to a buffer overflow that accesses otherwise protected memory (similar exploits have been used in PSP and Nintendo 3DS hacks over the years).
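The save-file bug class the paragraph above alludes to, a loader that trusts a length field stored in the file, is illustrated below as an added example in C. It is not code from the article or from CTurt's write-up; the record layout, the "SAVE" magic, TITLE_MAX and the function names are constructed for illustration and do not correspond to any real PS2 game's save format. The unchecked parser is shown for contrast only; the hardened parser is the one exercised.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy save-record layout, constructed for this example (not any real PS2 format):
 *   bytes 0..3  magic "SAVE"
 *   bytes 4..5  little-endian length of the title field
 *   bytes 6..   title bytes
 */
#define HEADER_LEN 6
#define TITLE_MAX 32

struct save_record {
    char title[TITLE_MAX];
    uint16_t title_len;
};

/* Read the 16-bit little-endian length field from the header. */
static uint16_t read_len(const uint8_t *buf) {
    return (uint16_t)(buf[4] | ((uint16_t)buf[5] << 8));
}

/* The pattern behind save-file overflows: the loader trusts a length stored in
 * the file and copies that many bytes into a fixed-size buffer. Shown for
 * contrast only; nothing below calls it. */
int parse_save_unchecked(const uint8_t *buf, size_t buflen, struct save_record *out) {
    if (buflen < HEADER_LEN || memcmp(buf, "SAVE", 4) != 0) return -1;
    uint16_t len = read_len(buf);
    memcpy(out->title, buf + HEADER_LEN, len);  /* len may exceed TITLE_MAX and buflen */
    out->title_len = len;
    return 0;
}

/* Hardened loader: the length is validated against both the destination
 * buffer and the bytes actually present before any copy happens. */
int parse_save_checked(const uint8_t *buf, size_t buflen, struct save_record *out) {
    if (buflen < HEADER_LEN || memcmp(buf, "SAVE", 4) != 0) return -1;
    uint16_t len = read_len(buf);
    if (len >= TITLE_MAX) return -2;                    /* would overflow title[] */
    if ((size_t)len > buflen - HEADER_LEN) return -3;   /* would read past the record */
    memcpy(out->title, buf + HEADER_LEN, len);
    out->title[len] = '\0';
    out->title_len = len;
    return 0;
}

/* Build a constructed record whose header claims `claimed_len` title bytes
 * while only `body_len` bytes actually follow. Returns the total record size. */
size_t build_record(uint8_t *out, size_t cap, uint16_t claimed_len, size_t body_len) {
    if (cap < HEADER_LEN + body_len) return 0;
    memcpy(out, "SAVE", 4);
    out[4] = (uint8_t)(claimed_len & 0xff);
    out[5] = (uint8_t)(claimed_len >> 8);
    memset(out + HEADER_LEN, 'A', body_len);
    return HEADER_LEN + body_len;
}

/* Three constructed cases the hardened parser must handle correctly. */
int check_valid_record(void) {
    uint8_t buf[64]; struct save_record rec;
    size_t n = build_record(buf, sizeof buf, 10, 10);
    return parse_save_checked(buf, n, &rec);          /* 0: accepted */
}
int check_oversized_length(void) {
    uint8_t buf[64]; struct save_record rec;
    size_t n = build_record(buf, sizeof buf, 50, 50); /* 50 > TITLE_MAX */
    return parse_save_checked(buf, n, &rec);          /* -2: rejected */
}
int check_truncated_record(void) {
    uint8_t buf[64]; struct save_record rec;
    size_t n = build_record(buf, sizeof buf, 20, 5);  /* claims 20, only 5 present */
    return parse_save_checked(buf, n, &rec);          /* -3: rejected */
}

int main(void) {
    printf("valid: %d, oversized: %d, truncated: %d\n",
           check_valid_record(), check_oversized_length(), check_truncated_record());
    return 0;
}
```

The two checks in `parse_save_checked` are the whole difference: one bounds the copy by the destination buffer, the other by the input that is actually present. A loader that omits the first is the overflow case; one that omits the second reads uninitialised or out-of-bounds memory, which is the information-leak case.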
However, this method is somewhat limited by the fact that PS4 and PS5 cannot recognize standard PS2 discs. That means any exploitable game must be available either as a downloadable PS2-on-PS4 game via PSN or one of the few PS2 games released as physical, PS4-compatible discs via publishers such as Limited Run Games.
Getting an exploit-ready PS2 save file onto a PS4 is also not a simple process. CTurt had to use an already hacked PS4 to digitally sign a modified Okage: Shadow King save file so that it would work with his PSN ID. CTurt then used the system’s USB storage import function to get that file onto the target system.
With the basics established, CTurt goes through a complicated series of buffer and stack overflows, memory leaks, and RAM exploits that he used to gain control of the PS2 emulator. With that control established, he accessed built-in loader functions to transfer a separate PS2 ISO file over a local network, then told the emulator to load that game via a virtual disc.
While it’s nice to load other PS2 games into an emulator, CTurt’s real goal was to use this entry point as a way to run arbitrary homebrew code on the system. That process will be detailed in a future article, CTurt told Ars over Twitter DM, along with the privilege escalation necessary to run any code “in the context of a PS4 game.”
Hackers will still need to use a separate (and potentially patchable) kernel exploit to gain “full control” of a PS4, CTurt told Ars. But the mast1c0re exploit by itself should be enough to run complex programs “including JIT-optimized emulators and potentially even some pirated commercial PS4 games.” Mast1c0re could also theoretically be used as an entry point to compromise the PS5 hypervisor that controls low-level system security on that console, CTurt said.