
Console Hacker Reveals PS4/PS5 Exploit That Is “Essentially Unpatchable”

Written by admin

A proof of concept shows mast1c0re being used to load an external PS2 ISO into the system's emulator.

Longtime console hacker CTurt has detailed what he calls an “essentially unpatchable” hole in PS4 and PS5 security, laying out a proof-of-concept method that should allow the installation of arbitrary homebrew applications on those consoles.

CTurt says he disclosed his exploit, dubbed mast1c0re, to Sony via a bug bounty program a year ago, with no sign of a public fix since. The method takes advantage of flaws in the just-in-time (JIT) compilation used by the emulator that runs certain PS2 games on the PS4 (and PS5). That design gives the emulator special permission to continually write PS4-executable code (derived from the original PS2 code) just before the application layer runs that code.

By gaining control of both sides of that process, a hacker can write privileged code that the system treats as legitimate and safe. “Since we’re using the JIT system calls for their intended purpose, it’s not really an exploit, just a clever trick,” CTurt said of a since-patched JIT exploit in the PS4 web browser.

Getting in

To gain control of the emulator, a hacker can theoretically make use of any number of known exploits in decades-old PS2 games. While some of these can be triggered simply by pressing a button, most require loading a specially formatted save file from the memory card, leading to a buffer overflow that gives access to otherwise protected memory (similar exploits have been used in PSP and Nintendo 3DS hacks over the years).

However, this method is somewhat limited by the fact that the PS4 and PS5 cannot natively read standard PS2 discs. That means any exploitable game has to be available either as a downloadable PS2 game on the PS4 via PSN or as one of the few PS2 games released on physical, PS4-compatible discs through publishers like Limited Run Games.

Getting an exploitable PS2 save file onto the PS4 is also not a simple process. CTurt had to use an already-hacked PS4 to digitally sign a modified Okage: Shadow King save file so that it would work with his PSN ID. CTurt then used the system's USB save-import function to get that file onto the target system.

An older CTurt hack showing PS2 homebrew running from a DVD-R on unmodified hardware.

With the basics laid out, CTurt walks through a complicated series of buffer and stack overflows, memory leaks, and RAM exploits that he used to gain control of the PS2 emulator. With that control in place, he was able to access the emulator's built-in loader functions to transfer a separate PS2 ISO file over a local network and then tell the emulator to load that game from a virtual disc.

While being able to load other PS2 games into the emulator is nice, CTurt's real goal was to use this entry point as a way to run arbitrary homebrew code on the system. That process will be detailed in a future article, CTurt tells Ars via Twitter DM, along with the privilege escalation required to run any code “in the context of a PS4 game.”

Hackers would still need a separate (and potentially patchable) kernel exploit to gain “full control” of a PS4, CTurt told Ars. But the mast1c0re exploit alone should be enough to run complex programs, “including JIT-optimized emulators and potentially even some pirated commercial PS4 games.” Mast1c0re could also theoretically serve as an entry point for compromising the PS5 hypervisor, which controls low-level system security on that console, CTurt said.
