PlayStation hacker TheFloW electrified the scene yesterday by revealing a chain of exploits involving Blu-ray discs on the PS4 and PS5. The security researcher stated in his disclosure that these exploits could lead to “trivial kernel exploitation” on the PS4 and pirated software on the PS5.
After the initial excitement, we are left with many questions, to which answers are slowly bubbling up. Here’s what we’ve understood so far. (As always, if you think we’ve done something wrong, please let us know in the comments!)
I heard there was big news yesterday. Where is the hack for my PS4/PS5?
Legendary PlayStation hacker TheFloW revealed a chain of exploits for the PS4 and PS5 at a conference yesterday, using vulnerabilities in the Blu-ray drivers of both consoles. In theory, these exploits could result in jailbreaking and potentially pirating PS4 games on PS4, but:
Nothing has been released for direct use by end users. At the moment we have a (fairly accurate) explanation of what vulnerabilities are present on the consoles and where in the firmware code. Putting all this information together into a working proof of concept for both consoles is “left as an exercise for the reader”. Assuming someone reproduces what TheFloW described in the report (a kernel panic), this still needs to be coupled with further discoveries (e.g. a kernel exploit) in order to be turned into a full-fledged jailbreak.
In other words: it can take months before this turns into something usable for the end user. As a reminder, it took several months for experienced hackers to release a PS4 7.55 jailbreak following another disclosure from TheFloW in 2021, even though that disclosure was quite detailed.
What are the implications of this disclosure for the PS4?
Assuming an actual implementation of the exploit chain is released:
For users with firmware 9.00 or lower: you can already jailbreak your console. One could envision this exploit chain being paired with existing kernel exploits (we assume here that the kernel exploit functions are accessible from the BD context). TheFloW stated that this exploit is 100% reliable, which means people could expect a 100% stable jailbreak on PS4. This would be an improvement compared to the current jailbreaks, which sometimes require multiple retries due to the randomness of the underlying userland (WebKit) exploit.
For people running firmwares 9.03/9.04: TheFloW has stated that with this exploit chain, kernel exploitation is “trivial as there is no SMEP and one can just jump to the user with a corrupted function pointer”. As we read it, this means implementing a privilege escalation (a PS4 9.03/9.04 jailbreak) in this context could be very simple. Take this with a pinch of salt: what is “trivial” for TheFloW might still require a lot of research for other people.
For people running firmware 9.50 or higher: PlayStation patched the vulnerabilities in 9.50. There’s nothing here for you. Try to get your hands on a PS4 with lower firmware if you get the chance. At the very least, stop updating your console if you are hoping for a jailbreak.
Would this exploit mean the return of pirated content on PS4 and the need to burn dozens of Blu-ray discs, e.g. for homebrew or emulators?
Most likely not. The fact that the exploit uses Blu-ray vulnerabilities to run does not restrict users to this format after successful exploitation: the Blu-ray vulnerability is the “entry point” to unlock the console. Once a jailbreak is active in RAM, loading homebrew (and yes, pirated software) would most likely work the same as always: install it on the console either via USB or FTP from your computer, then run it from the PS4 hard drive.
What does this Blu-Ray exploit mean for PS5 hacking and pirating?
TheFloW first noted in his report that this exploit chain could easily lead to pirated software. Since this is not a kernel exploit per se (no full console access), actions in the BD context would be restricted, but in his report the hacker was confident that this could lead to the creation of pirated software. The report didn’t mention whether this was for PS4 or PS5, implying both:
The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5, the one buffer overflow. […] With these vulnerabilities it is possible to deliver pirated games on Bluray discs. This is also possible without a kernel exploit since we have JIT capabilities.
He has since taken to Twitter to clarify:
I wanted to clarify: without a kernel exploit you can’t run pirated software (which would have only worked on the PS4 anyway) because we don’t have enough RAM in the bd-j process and there are some other limitations. It was just a theoretical implication.
— Andy Nguyen (@theflow0) June 11, 2022
So this is pretty important for people who thought this would lead to instant piracy: the road to PS5 disc piracy is not easy from this point, and it seems that the hacker meant PS4 games specifically. It could also be that TheFloW is just trying to cover himself legally: of all the points in the disclosure, the PS5 piracy threat is probably the least interesting on a technical level, but the most threatening to Sony’s business.
There may still be a path here that leads to PS5 disc piracy. Whether “entrepreneurs” will find out quickly and start selling pirated copies is questionable.
As far as hacking goes, this opens a pretty important door in the PS5’s security that other hackers could use to break into the PS5’s internals. Once that gap is there, it could lead to more discoveries for tinkerers. How fast that happens depends on how quickly people are able to reproduce and disseminate TheFloW’s results.
Is the PS3 affected by these exploits and if so what would that mean for the PS3?
The PS3 is mostly hackable thanks to PS3Xploit, PS3Hen and hybrid firmwares, but more exploits couldn’t hurt and could contribute to a full CFW for the hardware revisions that are still incompatible.
TheFloW has stated that the PS3 is also affected by the exploit, we assume because it uses the same driver as its younger siblings. But it’s possible he wasn’t working on a full-fledged implementation for this console, and those details need to be ironed out. Differences in implementation may mean that the exploit chain doesn’t work, or isn’t easy to implement, on PS3. Zecoxao told us people are looking into this:
we’re working on it, don’t worry 🙂
— Control_eXecute (@notzecoxao) June 11, 2022
So is it safe to update my PS5/PS4 to X.XX?
Well… although TheFloW states that his exploit chain has been fixed on PS4 9.50 and PS5 5.00, there are other exploits lurking on the consoles that may still be needed. A PS5 kernel exploit was patched in PS5 4.50, according to Zecoxao, and could be the key to full access to the console. The rule of thumb remains the same: avoid updating your console until something concrete is released. This applies to both PS4 and PS5.
Kernel exploit patched in 4.50
— Control_eXecute (@notzecoxao) June 11, 2022