
New PS4 homebrew exploit points to similar PS5 hacks to come

WebKit bug allows kernel-level code execution through PS4 firmware 9.00.

Sony's PlayStation 4.
Andrew Cunningham

Hackers have released details of a new exploit that allows homebrew and custom firmware to be installed on PS4 consoles running relatively recent firmware. What's more, the specifics of the exploit suggest similar homebrew capabilities may soon be available on some versions of the PlayStation 5.

The new exploit builds on a known bug in the way the PS4's WebKit implementation handles font-faces. A proof of concept for that bug on the PS4 was publicized in October, after a similar flaw was found in Apple's Safari WebKit implementation in September.

On the PS4, the full exploit chain can now be triggered by visiting a website carrying specially crafted JavaScript in the PS4 web browser. The WebKit bug gives initial code execution inside the browser, which is then used to run kernel-level code that bypasses the console's usual security protections. From there, the exploit can read files from an inserted USB stick and install homebrew software, including existing custom PS4 firmware.

Specter, a well-known member of the console hacking scene, released a video of the exploit working on Sunday. By Monday, the files required for the exploit had been posted on GitHub alongside detailed instructions.

Not the first, not the last?

This isn't the first time homebrew code has been executable on the PS4. A previous console exploit released publicly in March worked on consoles running firmware up to version 7.55, which was released by Sony roughly seven months prior in August 2020. This week's exploit release, by contrast, works up to firmware version 9.00, which was released less than three months ago in late September.

Users with a fully updated PS4 won't be able to use the exploit; it was already patched in PS4 firmware version 9.03, released on December 1. In fact, the hackers note on GitHub that diffing those two most recent firmware versions helped them work out how to get the full exploit working.

Because that patch is so recent, PS4 consoles bought fresh from retail today may still ship with the older version 9.00 firmware. That matters to homebrew fans because there is currently no known way to downgrade a PS4 to an earlier firmware version in order to use a patched exploit.
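Since the exploit is delivered by a web page and only works on firmware 9.00 and below, an exploit-host page needs to know the console's firmware before it serves anything. The following is an added example written for this page, not code from the exploit's GitHub repository or from Ars; it assumes (this is an assumption, not something the article states) that the PS4 browser's user-agent string carries the firmware as "PlayStation 4 X.XX", and every sample user-agent in it is constructed rather than captured. The article gives only an upper bound (9.00 works, 9.03 is patched), so only that bound is enforced.

```javascript
// Added example (not from the exploit repository or the article): gate an
// exploit-host page on the firmware version the PS4 browser reports.
// ASSUMPTION: the PS4 browser's user-agent contains "PlayStation 4 X.XX";
// the regex below encodes that assumption and the sample strings are constructed.
const PS4_UA_RE = /PlayStation 4 (\d+)\.(\d+)\b/;

// Highest firmware the article says the exploit works on (9.00).
// The article reports the bug as patched in 9.03 and gives no lower bound,
// so only the upper bound is checked here.
const MAX_SUPPORTED_FW = { major: 9, minor: 0 };

// Extract the firmware version from a user-agent string, or return null if
// the string does not look like a PS4 browser at all.
function parsePs4Firmware(userAgent) {
  const m = PS4_UA_RE.exec(userAgent || "");
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]) };
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
// Comparing as numbers avoids the string trap where "10.00" sorts below "9.00".
function compareFirmware(a, b) {
  return a.major !== b.major ? a.major - b.major : a.minor - b.minor;
}

// Render {major: 9, minor: 0} back as "9.00", the way Sony labels releases.
function formatFirmware(v) {
  return `${v.major}.${String(v.minor).padStart(2, "0")}`;
}

// Decide whether to serve the payload. Anything that is not recognisably a
// PS4, and anything newer than 9.00, is refused: on a patched console the
// chain would at best fail and at worst crash the browser.
function exploitStatus(userAgent) {
  const fw = parsePs4Firmware(userAgent);
  if (fw === null) {
    return { supported: false, firmware: null, reason: "not a PS4 browser" };
  }
  const label = formatFirmware(fw);
  if (compareFirmware(fw, MAX_SUPPORTED_FW) > 0) {
    return {
      supported: false,
      firmware: label,
      reason: `firmware ${label} is newer than ${formatFirmware(MAX_SUPPORTED_FW)}; the bug is patched`,
    };
  }
  return { supported: true, firmware: label, reason: `firmware ${label} is within the supported range` };
}

// Constructed sample user-agents (not captured from real consoles).
const SAMPLE_USER_AGENTS = [
  "Mozilla/5.0 (PlayStation 4 9.00) AppleWebKit/605.1.15 (KHTML, like Gecko)",
  "Mozilla/5.0 (PlayStation 4 9.03) AppleWebKit/605.1.15 (KHTML, like Gecko)",
  "Mozilla/5.0 (PlayStation 4 7.55) AppleWebKit/605.1.15 (KHTML, like Gecko)",
  "Mozilla/5.0 (PlayStation 4 10.00) AppleWebKit/605.1.15 (KHTML, like Gecko)",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)",
];

// Classify every sample; returns the decisions so they can be inspected or tested.
function classifySamples() {
  return SAMPLE_USER_AGENTS.map((ua) => ({ ua, ...exploitStatus(ua) }));
}

for (const r of classifySamples()) {
  console.log(`${r.supported ? "SERVE " : "REFUSE"} ${r.firmware ?? "-"} : ${r.reason}`);
}
```

The version is compared numerically rather than as a string so that a hypothetical 10.00 is correctly treated as newer than 9.00, and an unrecognised client is refused rather than served by default, which is the safer failure mode for a page whose whole purpose is memory corruption.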

On GitHub, the hackers note that the same underlying error "works on certain PS5 firmwares; however, there's no known strategy for exploiting it at the moment." On Twitter, hacker Znullptr (who also contributed to this latest exploit) adds that "the kernel exploit affects Playstation5 as well" but that a full exploit is not ready for that console because "the lead developer does not currently have a PS5 console."

The exploit release follows last week's awarding of two bug bounties on PlayStation's HackerOne account, including a massive $10,000 bounty paid to Andy "TheFlow0" Nguyen (who was recently involved in uncovering the decryption keys for the PS5). While the specifics of that bounty have not been disclosed, the size of the payout suggests the disclosure of a big security hole that could affect recent PlayStation consoles.
