New PS5 exploit unlocks root privileges, read/write memory access

Hackers are getting closer to fully unlocking user control of the PS5 hardware.

Sony

Longtime console hacker and exploit developer SpecterDev has released a PS5 exploit that can give users root privileges and read/write access to large portions of system memory. While the exploit still cannot be used to actually run arbitrary code, it represents an important step toward running homebrew code on the console.

The exploit, released this weekend, makes use of a FreeBSD vulnerability in the console's operating system that was reported to PlayStation's HackerOne bounty program in January (a very similar vulnerability on the PS4 was reported to PlayStation in 2020). Using the exploit relies on setting up a fake DNS server on your local network, so that accessing the PS5's on-screen manual (which is loaded via the system's hidden web browser) points instead to a page hosted on your local PC.

From there, the exploit uses a bug in the way the PS5 browser implementation handles memory locking when setting IPv6 socket headers. While the details get pretty technical, the exploit essentially wins a race condition to access that exposed socket header memory before it is completely locked down. That little bit of access is then used as a hook to start reading and writing arbitrary data to large areas of the PS5's memory via an RPC server on the host machine.

Limitations

Because this exploit relies on a race condition, SpecterDev warns that it only works about 30 percent of the time and can cause multiple kernel panics (and subsequent long system reboots) before read/write access is successfully gained. The exploit is also currently unable to write to low-level "kernel space" (which is still protected by an intact hypervisor) or even to execute any code that a user may write to user space (which relies on "execute-only memory" areas that are still protected).

Still, the exploit gives access to the PS5 debug menu, as hacker Lance McDonald demonstrated in a tweet last night. It also gives PS5 hackers an entry point to learn more about the PS5's memory and security systems and could serve as a potential bridgehead for developing a fully homebrew-compatible hack for the console. That said, SpecterDev warns that "home brewing will take a lot of effort" due to the aforementioned security protections still being intact.

While this exploit currently works on PS5 firmware version 4.3 (released last October), SpecterDev speculates that some slight changes could make a similar exploit work on firmware version 4.5 (released last December). However, Sony marked the issue as “resolved” on HackerOne in April, suggesting that the same vulnerability likely won’t work on firmware versions released since then.

That makes SpecterDev's entry point different from a separate, "essentially unpatchable" PS5 exploit revealed by hacker CTurt earlier this month. That method made use of a separate issue with the PS5's "just-in-time" compilation of emulated PS2 games on PS4 to get a hook into the console's "userspace" memory to write and run homebrew code.

While the days of regular PS5 owners being able to install their own homebrew apps on the PS5 may still be a long way off, the hacker community will not rest until that time comes.
