The following multi-part blog series will cover how I (McCaulay Hudson) developed the mast1c0re exploit on both the PlayStation 4 and PlayStation 5. The initial research on the vulnerabilities used within this blog series were conducted by CTurtE with assistance from flatz, balika011, theflow0, chicken(s). The blog “mast1c0re: Hacking the PS4 / PS5 through the PS2 Emulator – Part 1 – Escape” posted by CTurtE on September 14th, 2022, covers the necessary vulnerabilities to gain userland code execution on the PlayStation 4 and PlayStation 5 and contains the fundamental knowledge required for me to produce this blog series.
For this research, I used Windows 11 for running a PlayStation 2 emulator, a Debian Linux distribution for tooling development in Python, C and C++, a PlayStation 4 (firmware v5.05) for importing save files, testing and debugging purposes, and a PlayStation 5 for testing the vulnerability.
Part 1 – Modifying PS2 game save files
The initial step in developing the mast1c0re exploit is to create a PlayStation 2 game save file for the Okage: Shadow King game and extract the data file containing the profile name. This blog post covers creating the save file, extracting the
.psu file from the
.ps2 file, then developing a tool to extract files from the
Jump directly to part 1 here.
Part 2 – Arbitrary PS2 code execution
The next step is to edit the game save name to exploit a traditional stack-based buffer overflow within the Okage: Shadow King game. This requires constructing two stager shellcode payloads to execute a memory card file that contains a compiled PlayStation 2 ELF executable file
Jump directly to part 2 here.
Part 3 – Escaping the emulator
The final step in gaining userland code execution on the PlayStation 4 and PlayStation 5 involves exploiting an out-of-bounds write vulnerability within the emulator. This allows us to overwrite a read function pointer and leak
.text and stack addresses. Next, we can then overwrite a write function pointer to execute existing
.text instructions with an argument passed to the
Jump directly to part 3 here.
By executing PlayStation 4 and PlayStation 5 code we can download a PS2 .ISO file from the remote network, mount it in the filesystem using the existing
eboot.bin functionality, then load the game using the PS2 function
LoadExecPS2 as shown on Twitter:
We are not limited to loading PlayStation 2 games however, as we can execute anything in userland.
Continue to mast1c0re: Part 1 – Modifying PS2 game save files…