PS4/PS5 Mast1c0re hack: CTurt publishes Part 2 of his writeup, native code execution on PS5 likely

The long-awaited part 2 of CTurt's writeup for the Mast1c0re exploit has finally been published by the hacker. Although he never got to finish the implementation, the writeup lays the foundation for potential native code execution on PS5/PS4.

CTurt announced he will be leaving the PlayStation hacking scene, but between 5 recent reports to HackerOne and today's writeup, it seems he doesn't intend to leave without wrapping things up nicely.

What is the Mast1c0re exploit for PS4/PS5?

Mast1c0re is an unpatched vulnerability on PS4 and PS5 that goes through their PS2 emulation layer. The vulnerability was disclosed, and described in great detail, by PlayStation hacker CTurt in September last year, and a public reimplementation was released by McCaulay Hudson in early 2023.

Some specific PS2 games for PS4/PS5 are vulnerable to buffer overflows, which allows us to run unsigned code on the PS4 and PS5. The only currently known game exploitable through this vulnerability is Okage: Shadow King, a PS2 game available for PS4 and PS5 on Sony's PSN. By loading specially crafted save files into this game, it is possible to trigger an exploit chain on PS4/PS5 running the most recent firmwares, and then enable some (limited) homebrew capability.

So far the most “user friendly” use cases for this vulnerability have been emulators, and PS2 Game ISOs.

Mast1c0re writeup part 2 – PS5 Native execution

So far, Mast1c0re has given us PS2 native execution and "native" code through ROP chains on PS4/PS5. What today's writeup demonstrates is that exploits in the JIT compilation process of the PS2 emulator can lead to native code execution on the PS4/PS5. To achieve this, CTurt showcases 3 exploits in the PS2 compiler code (there might be more) that allow him to get native code execution, as well as techniques to defeat ASLR.

CTurt unfortunately never fully weaponized the exploit, and has made the decision to leave the scene before completing that work. He is, however, leaving a lot of details ready for anyone willing to push this exploit further. CTurt believes that with the tools he's leaving behind, there is enough to achieve native code execution on the PS4/PS5.

This would remain a “usermode” exploit, but could allow for a decent Homebrew environment on these consoles.

However, the hacker emphasizes that although Sony have chosen not to patch the vulnerabilities, they have put limitations on how the code can be exploited. In particular, loading PS4 "pirate" games through this mechanism would be tough (albeit not impossible) in its current state, considering that only up to 65MB can be loaded (a limitation introduced in PS5 Firmware 6.00 and, we believe, PS4 10.00).

I'll leave you with CTurt's conclusion, which summarizes the status of this writeup pretty nicely. For more, read his full writeup here.

There’s a reasonably good chance that with enough motivation the vulnerabilities described in this post could be exploited to take over the compiler process.

The exploit would allow arbitrary code execution on the latest firmwares of the PS4 and PS5, allowing native homebrew applications to be run off USB storage for example.

Even with the mitigation Sony shipped in response to this research to limit the size of applications that could be run, I still believe it would be possible to run larger applications albeit with the performance overhead of them being partially emulated or dynamically paged in and out. With the amount of work required, I don't realistically think we'll see polished demos of Linux or retail PS4 games running, but it's fun to think that there's a good chance that theoretically those things might at least be technically possible.
