Editing Vulnerabilities


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 139: Line 139:
==== Tested ====
==== Tested ====


Tested and working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.70 and >=5.00.
Tested and working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.50 and >=5.00.


== Game savedata exploits ==
== Game savedata exploits ==
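Review bot: the changed "Untested" range in the Tested line (2.10-2.70 in the latest revision, 2.10-2.50 in the undo text) is the only place on the page that states a firmware list rather than a boundary, and nothing in either column says whether any firmware exists between 2.50 and 3.00, so the upper value cannot be checked from the page itself. Whichever value is kept, it must be the same one used by the "<=2.xx" headings in the later hunks, and the edit should cite where the number comes from (a firmware version list or the Hypervisor page) rather than moving it silently.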
Line 303: Line 303:
=== Patched ===
=== Patched ===


'''Yes''' in PS5 FW 5.00. Invulnerable in PS5 FW 2.70 and below.
'''Yes''' in PS5 FW 5.00. Invulnerable in PS5 FW 2.50 and below.
----
----
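Review bot: "Invulnerable in PS5 FW 2.xx and below" asserts that the bug is absent, not merely untested, so raising the bound from 2.50 to 2.70 needs evidence that the added firmware was actually checked. If only 2.50 and below were verified, keep 2.50 here as the undo text does, and describe anything above it that was not checked as untested rather than invulnerable.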


Line 316: Line 316:
=== Exploit Implementation ===
=== Exploit Implementation ===


Edit: it may now be possible to build a valid PS5 exFAThax payload thanks to PS5 kernel .text segment dumps for System Software versions <= 2.70 thanks to Hypervisor exploits.
Edit: it may now be possible to build a valid PS5 exFAThax payload thanks to PS5 kernel .text segment dumps for System Software versions <= 2.50 thanks to Hypervisor exploits.


Not yet because even though there is ChendoChap's method to execute usermode code in WebKit, there is no PS5 kernel .text segment dump to build a kernel ROP chain. Exploiting this kernel vulnerability blind is almost impossible because once the USB device is inserted it corrupts the kernel heap memory and if the offsets in the kernel ROP chain are bad it creates a kernel panic.
Not yet because even though there is ChendoChap's method to execute usermode code in WebKit, there is no PS5 kernel .text segment dump to build a kernel ROP chain. Exploiting this kernel vulnerability blind is almost impossible because once the USB device is inserted it corrupts the kernel heap memory and if the offsets in the kernel ROP chain are bad it creates a kernel panic.
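Review bot: the changed "Edit:" sentence claims kernel .text dumps exist for System Software <= 2.xx thanks to the hypervisor exploits, so its boundary must equal the "<=2.xx" headings of the Byepervisor bugs that produce those dumps (the hunks at Line 405 and Line 440); pick one value for all of them. Separately, this "Edit:" paragraph sits before the "Not yet because ..." paragraph it supersedes, so the section reads as "now possible" followed by "not yet"; move the note after the original paragraph or reword it as "Update: ..." so the order of events is clear.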
Line 389: Line 389:
* Patched since PS5 FW 5.00.
* Patched since PS5 FW 5.00.


== <=?2.70? - APIC pointers in kernel data segment ==
== <=?2.50? - APIC pointers in kernel data segment ==


=== Credits ===
=== Credits ===
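Review bot: the heading keeps its question marks in both columns ("<=?2.50?" versus "<=?2.70?"), so the affected range for the APIC-pointer issue is marked as unverified either way, and changing the number inside the markers resolves nothing. Either confirm the range, drop the markers and say in the body what was tested, or leave the value as it was and keep the uncertainty visible.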
Line 405: Line 405:
* Maybe on PS5 FW 3.00.
* Maybe on PS5 FW 3.00.


== <=2.70 - System Level debug flag in kernel data segment and not wiped after rest mode (Byepervisor bug #2) ==
== <=2.50 - System Level debug flag in kernel data segment and not wiped after rest mode (Byepervisor bug #2) ==


=== Credits ===
=== Credits ===
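Review bot: this heading ("<=2.xx - System Level debug flag ... Byepervisor bug #2") and the unchanged "'''Yes''' since PS5 FW 3.00" Patched line at Line 431 bracket the vulnerable range, so the two must be edited together. With "<=2.50" they agree only if no firmware lies between 2.50 and 3.00; with "<=2.70" the Patched line still says 3.00 and the heading alone claims the extra version. Use the same value that the bug description at Line 414 uses.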
Line 414: Line 414:
=== Bug description ===
=== Bug description ===


On PS5 System Software version 2.70 and lower, the System Quality Assurance (QA) flags are shared between the Hypervisor and the guest kernel. When the hypervisor initializes, the init code for constructing nested page tables will check QA flags for the System Level (SL) debugging flag. If this flag is set, the nested Page Table Entries (PTEs) will not have the xotext bit set for kernel .text pages, and further the kernel .text pages will also have the write bit set.
On PS5 System Software version 2.50 and lower, the System Quality Assurance (QA) flags are shared between the Hypervisor and the guest kernel. When the hypervisor initializes, the init code for constructing nested page tables will check QA flags for the System Level (SL) debugging flag. If this flag is set, the nested Page Table Entries (PTEs) will not have the xotext bit set for kernel .text pages, and further the kernel .text pages will also have the write bit set.


These flags are not reinitialized by the Secure Loader upon resume from PS5 sleep mode, though the hypervisor is. By setting the SL flag, then putting the system to sleep and resuming, we can edit the guest kernel's page tables to make kernel .text pages readable and writable, allowing kernel dump and patches.
These flags are not reinitialized by the Secure Loader upon resume from PS5 sleep mode, though the hypervisor is. By setting the SL flag, then putting the system to sleep and resuming, we can edit the guest kernel's page tables to make kernel .text pages readable and writable, allowing kernel dump and patches.
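Review bot: the first sentence of the bug description carries the same boundary as the heading in the previous hunk and must move with it; the remainder (QA flags shared with the hypervisor, the SL flag leaving kernel .text PTEs without xotext and with write set, flags not reinitialized by the Secure Loader on resume) is unchanged and is the actual evidence for the range, so if a firmware is added to the affected set the description should say it was tested there. Minor: the heading says "rest mode" and the body says "sleep mode"; use one term.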
Line 431: Line 431:
'''Yes''' since PS5 FW 3.00.
'''Yes''' since PS5 FW 3.00.


== <=2.70 - Hypervisor virtual tables in kernel data segment (Byepervisor bug #1) ==
== <=2.50 - Hypervisor virtual tables in kernel data segment (Byepervisor bug #1) ==


=== Credits ===
=== Credits ===
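Review bot: same boundary issue for the Byepervisor bug #1 heading ("<=2.xx - Hypervisor virtual tables in kernel data segment"); the unchanged "'''Yes''' since PS5 FW 3.00" line two lines above is the other end of the range and is left alone in both columns, so the only disputed value is the upper bound X in "<= X, patched in 3.00". Keep X identical across every Byepervisor heading and across the "Edit:" note at Line 316 that depends on them.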
Line 440: Line 440:
=== Bug description ===
=== Bug description ===


On PS5 System Software version 2.70 and lower, the Hypervisor's [[Hypervisor#Hypercalls]] virtual tables are shared with the guest kernel. It is possible to hijack some entries (for example VMMCALL_HV_SET_CPUID_PS4) in the hypercalls virtual table to jump to a ROP chain. On System Software version 2.70 and lower, this virtual table is stored in the kernel .data segment. By using two ROP chains, one for setting up hypervisor registers and one for executing code in hypervisor. Indeed, the registers used by the Hypervisor are preserved accross Virtual Machine exit boundary. The ROP chain disables Nested Paging (NPT) and Guest Mode Execute Trap (GMET), which allows us to disable eXecute Only Memory (XOM) aka xotext in the kernel Page Table Entries (PTEs) to dump it, as well as enabling write in the PTEs to hook/patch the kernel as well.
On PS5 System Software version 2.50 and lower, the Hypervisor's [[Hypervisor#Hypercalls]] virtual tables are shared with the guest kernel. It is possible to hijack some entries (for example VMMCALL_HV_SET_CPUID_PS4) in the hypercalls virtual table to jump to a ROP chain. On FWs <= 2.50, this virtual table is stored in the kernel .data segment. By using two ROP chains, one for setting up hypervisor registers and one for executing code in hypervisor. Indeed, the registers used by the Hypervisor are preserved accross Virtual Machine exit boundary. The ROP chain disables Nested Paging (NPT) and Guest Mode Execute Trap (GMET), which allows us to disable eXecute Only Memory (XOM) aka xotext in the kernel Page Table Entries (PTEs) to dump it, as well as enabling write in the PTEs to hook/patch the kernel as well.


This method requires a fair number of gadgets and offsets, which is the main reason this exploit is deprecated over the Byepervisor bug #2. This method also currently only breaks the hypervisor on the core the ROP chain runs on. The hypervisor is still active on other cores and would need to be disabled.
This method requires a fair number of gadgets and offsets, which is the main reason this exploit is deprecated over the Byepervisor bug #2. This method also currently only breaks the hypervisor on the core the ROP chain runs on. The hypervisor is still active on other cores and would need to be disabled.
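Review bot: besides the version number, the changed paragraph contains a sentence fragment, "By using two ROP chains, one for setting up hypervisor registers and one for executing code in hypervisor.", which should be joined with the sentence after it, e.g. "Two ROP chains are used, one to set up hypervisor registers and one to execute code in the hypervisor; the registers used by the hypervisor are preserved across the VM-exit boundary." Also "accross" should be "across". The undo text's "On FWs <= 2.50" and the latest revision's "On System Software version 2.70 and lower" state the same range in two styles; the paragraph's first sentence already uses "System Software version ... and lower", so keep that form in the second sentence too.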
Line 456: Line 456:
'''Yes''' since PS5 FW 3.00.
'''Yes''' since PS5 FW 3.00.


== <=2.70 - Hypervisor integrated as part of the kernel binary ==
== <=2.50 - Hypervisor integrated as part of the kernel binary ==


=== Credits ===
=== Credits ===
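Review bot: this heading ("Hypervisor integrated as part of the kernel binary") is the property the other Byepervisor sections rest on, since an in-kernel hypervisor is why the hypercall tables and QA flags sit in kernel .data and why it can be reached from usermode without a kernel exploit. It is the one place where the boundary describes the firmware layout rather than a bug, so settle the value here first and derive the other "<=2.xx" headings from it instead of editing each one independently.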
Line 464: Line 464:
=== Bug description ===
=== Bug description ===


On PS5 System Software version 2.70 and lower, the Hypervisor is integrated as part of the kernel binary. This makes Hypervisor exploitation easier as it can be triggered by usermode directly without the need of a kernel exploit. Later versions have the Hypervisor as a separately loaded component.
On PS5 System Software version 2.50 and lower, the Hypervisor is integrated as part of the kernel binary. This makes Hypervisor exploitation easier as it can be triggered by usermode directly without the need of a kernel exploit. Later versions have the Hypervisor as a separately loaded component.


* See [[Hypervisor#In-Kernel_Hypervisor_.28.3C.3D_2.70.29]] and [https://wololo.net/2023/07/02/ps5-specterdev-shares-details-on-in-kernel-hypervisor-earlier-versions-of-the-ps5-hypervisor-found-in-firmwares/ wololo article (2023-07-02)].
* See [[Hypervisor#In-Kernel_Hypervisor_.28.3C.3D_2.50.29]] and [https://wololo.net/2023/07/02/ps5-specterdev-shares-details-on-in-kernel-hypervisor-earlier-versions-of-the-ps5-hypervisor-found-in-firmwares/ wololo article (2023-07-02)].


=== Patched ===
=== Patched ===
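Review bot: the internal link in the bullet changes from [[Hypervisor#In-Kernel_Hypervisor_.28.3C.3D_2.50.29]] to [[Hypervisor#In-Kernel_Hypervisor_.28.3C.3D_2.70.29]]. That anchor is the URL-encoded heading "In-Kernel Hypervisor (<= 2.50)" on the Hypervisor page; unless that heading was renamed in the same edit, the 2.70 anchor does not resolve and the link lands at the top of the page. Verify the target heading before changing the anchor, and leave the wololo link alone since its text describes the article, not a version.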
Line 485: Line 485:
* usermode system [[Modules|modules]]
* usermode system [[Modules|modules]]


== <=2.70 - Software vulnerability leading to Secure Loader dump from Hypervisor ==
== <=2.50 - Software vulnerability leading to Secure Loader dump from Hypervisor ==


=== Credits ===
=== Credits ===
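Review bot: the heading "Software vulnerability leading to Secure Loader dump from Hypervisor" gets the same 2.50/2.70 swap, but its Patched line at Line 520 says "Maybe since 3.00", so the range is uncertain at both ends. If the upper bound is being raised, the body should state what was tested on the added version; otherwise keep 2.50 and let "Maybe" remain the signal that the patch version is unconfirmed.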
Line 520: Line 520:
=== Patched ===
=== Patched ===


Maybe since 3.00. Vulnerable on PS5 FWs <= 2.70.
Maybe since 3.00. Vulnerable on PS5 FWs <= 2.50.


== Untested - VZEROUPPER Instruction on AMD Zen 2 can Leak Register File State - ZenBleed vulnerability (CVE-2023-20593) ==
== Untested - VZEROUPPER Instruction on AMD Zen 2 can Leak Register File State - ZenBleed vulnerability (CVE-2023-20593) ==
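Review bot: "Maybe since 3.00. Vulnerable on PS5 FWs <= 2.xx." mixes an unconfirmed patch version with a confirmed vulnerable range in one line; whichever value is kept, write it so the reader can tell which part was verified, e.g. "Vulnerable on PS5 FWs <= X (tested); 3.00 and later not tested". The value must match the section heading at Line 485.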