PlayStation hacker TheFloW has shared the slides (in pdf format, link below) for his presentation on the PS4/PS5 Blu-ray attacks. The slides add color and details to the report he published last week on HackerOne.
PS4/PS5 Blu-Ray exploit
The chain of exploits revealed by TheFloW late last week is a new kind of exploit entry point, using vulnerabilities in the Java layer of the BD-J interface, on both the PS4 and the PS5 (the PS3 is most likely impacted too).
Details on the vulnerabilities can already be found in the report the security researcher filed with PlayStation through the HackerOne bounty program (link below), but these slides bring a new angle to the explanations.
First of all, they show some of the thinking process of a hacker looking for vulnerabilities on a console, and in that sense, the first third of the slides is the most interesting to me: what possible entry points are there (Webkit, USB, DVD, Blu-ray file systems…)? Which ones are worth investigating (Webkit too hard on PS5, some functionality removed, PS5 remains a black box…)? The hacker explains how BD-J makes sense given that tools are publicly available and there is no need to understand the internal PS4/PS5 structure initially. He then proceeds to talk about the possible attack vectors in BD-J (the JVM, JNI classes, and the Java classes themselves), and how to approach each one of them.
After detailing this investigation phase, the slides proceed to describe the multiple vulnerabilities TheFloW has found and chained together. These add color to the descriptions he already gave in his HackerOne report, and will undoubtedly be useful to other hackers trying to replicate his work.
Last but not least, the hacker explains how, combined with a kernel exploit, this can lead to full control of the PS5. He doesn’t share details on the kernel exploit he’s using, although it’s pretty clear now that this is how he ended up claiming victory on the PS5 late last year, with a screenshot of the PS5 Debug settings.
The PS5 scene theoretically has access to a kernel exploit as well (the PS4 Poobs4 exploit, which also impacts the PS5, not to mention more recent disclosures), although no progress has been made publicly on that front.
PS5/PS4 Blu-ray vulnerabilities – Files
There are no proof-of-concept files yet. Other hackers are digging into the disclosure, but it might take some time. We give additional details on this here.