PS5: Flat_z dumps PS5 Secure Processor, confirms he has a PS5 Hypervisor exploit (via a PS4 Game Save exploit)
PlayStation hacker flat_z claims he has gained access to the PS5’s Platform Secure Processor (PSP). This means he has access to most decryption keys on the console. The hacker also confirmed he has a Hypervisor exploit, and added the whole chain was triggered via software (no hardware hack) through a Disc-based PS4 game. No details have been given on what Firmware this was achieved on, and there wasn’t any plan announced to release the exploit chain.
Flat_z claims PS5 Hypervisor hack through software means
Hacker Flat_z, known for his past work on the PS4 and his recent involvement with PS5 security, stated he has hacked the PS5 Hypervisor via an exploit chain triggered through a disc-based PS4 savegame exploit.
The security researcher posted a minimal screenshot of what is believed to be PS5’s PSP (Secure Processor) code, as proof that he has gained (read) access to one of the most protected locations on the PS5 System.
PS5 Hypervisor exploit – what’s next
Zecoxao states that flat_z now has access to all PS5 decryption keys. Having access to the keys would at the very least make it possible to decrypt Firmware files and game files. This is useful for hackers looking to reverse engineer the latest and greatest Firmware updates to look for more vulnerabilities.
Generally speaking, there’s no guarantee that flat_z will release anything. Some people believe he has found and leveraged the same exploit that Fail0verflow used almost 2 years ago. They haven’t released anything, and flat_z hasn’t stated he plans to release either.
Unless the hacker plans to release his findings, this doesn’t mean much for the end user at the moment, although it appears you’re in better shape than most if you own a (low firmware) Disc Edition PS5.
On a side note however, a growing number of PS5 hackers believe that fpkgs (or an equivalent) could be achievable without a hypervisor exploit on the PS5. This means (PS4 games for sure, PS5 less likely) piracy could theoretically be a thing with the existing PS5 kernel exploit, although nobody has released anything in that direction so far.
What does it mean for Digital Edition PS5 Owners?
Once again, it appears a disc was involved in the exploit. However, when asked about it, Flat_z stated that probably any usermode exploit could be used as an entry point. This means a WebKit exploit, for example, might be on the table, but this remains to be confirmed.
As a reminder, such hacks on modern systems require multiple exploits to be triggered (hence the name “exploit chain”) in order to achieve code execution, privilege escalation, and more. The very first entry point, at the “usermode” level, requires some input from the user, either through a modified save game (which is what was done here in a PS4 game) or a malicious HTML/JavaScript page loaded in the console’s browser, for example.
It could be possible to then trigger privilege escalation independently of the initial entry point, which is why WebKit might be a viable attack vector even though a PS4 game was used in this first iteration of the hack. Of course, it seems that hackers tend to prefer disc-based hacks over the rest, meaning Digital consoles might end up being second-class citizens of the PS5 hacking scene in the future. Only time will tell.
source: flat_z