Security consultant McCaulay Hudson has posted a video demonstrating CTurt’s Mast1c0re exploit running on the latest PS5 Firmware, 6.50. In the video (below), we see the Mast1c0re exploit being run through exploitable PS2 Game “Okage Shadow King”, which is then used to remotely load another PS2 Game, Midnight Club 3.
What is Mast1c0re for PS5 and PS4?
Mast1c0re is an unpatched exploit for PS4 and PS5, which leverages a vulnerability in the PS2 emulation layer of Sony’s newer consoles. The vulnerability was disclosed, and described with great detail, by PlayStation hacker CTurt in September last year.
Back then, CTurt stated Sony had no plan to fix the vulnerability, which seems to be confirmed by today’s video, showing that the vulnerability is still here, in the latest PS5 6.50 firmware (and, it is safe to assume, in PS4 10.01 as well) as of January 2023.
From McCaulay Hudson’s showcase video of the Mast1c0re exploit running on PS5 6.50
PS2 Native Execution, PS5/PS4 ROP chain for further exploits
At the very least, the exploit allows some PS2 code execution, meaning loading PS2 “backups” (as demonstrated in McCaulay’s video today, as well as the demo published by Cturt in September), but also PS2 Homebrew.
Furthermore, as described by Cturt, and confirmed by Hudson today, this is a usermode entry point for further hack of the actual PS5/PS4 stack, currently as a ROP Chain. Such an entry point is always required for a Jailbreak console.
We’ve mostly seen Webkit exploits being used as such entry points in recent history, but there are exceptions (such as Blu-Ray vulnerabilities being used as an entry point on PS4/PS5 with BD-JB). In this case, this is leveraged by loading some “malicious” save date in a PS2 game.
As such, it could possibly be used as a starting point for a larger PS4/PS5 hack on recent firmwares, and CTurt has hinted he would actually demonstrate something like that in part2 of his write-up, which has yet to be published.
What’s new with Today’s video?
PS5 (latest firmware) PoC for mast1c0re vulnerabilities.
Arbitrary PS2 code execution and native PS5 ROP chain execution.
Technical details on @CTurtE‘s blog post: https://t.co/J2tPU2zMaU pic.twitter.com/qNQ7Dcevbb
— McCaulay (@_mccaulay) January 24, 2023
And of course, mast1c0re on PS4. Tested on firmware 5.05 however should work on the latest firmware version. https://t.co/oGil9lKr4r pic.twitter.com/EvScY0WG3V
— McCaulay (@_mccaulay) January 24, 2023
Today’s video is exciting to me for two reasons.
First, it shows that the exploit has indeed not been patched, as it runs on the latest PS5 Firmware. Of course, we very well understand that Sony have other ways to prevent the hack from spreading, in particular by removing impacted PS2 games from the PSN. (This would prevent users from buying it, and, therefore, from running the exploit with it). This is a strategy we’re very familiar with, as at some point, running gamesave exploits was the bread and butter of PSP/PS Vita hacking.
Secondly, it shows an independent confirmation of CTurt’s writeup. I don’t think anybody (other than CTurt himself) had confirmed, until now, that his writeup was sufficient to reproduce his results. That question can now be put to rest.
With this being said, lots of questions still remain. In particular, CTurt has stated he would provide details on a native (PS4) Homebrew environment based on this hack, and we’re eagerly waiting for that. As far as PS5 is concerned, the current understanding is that achieving native PS5 execution is another level of difficulty (beyond what we already have).