PlayStation hacker TheFloW has shared the slides (in pdf format, link below) for his presentation on Blu-ray PS4/PS5 attacks. The slides add color and detail to the report he published last week on HackerOne.
Blu-Ray PS4/PS5 exploit
The exploit chain revealed by TheFloW late last week is a new type of exploit entry point, using vulnerabilities in the Java layer of the BD-J interface, both on the PS4 and the PS5 (the PS3 is probably also impacted).
Details of the vulnerabilities can already be found in a report the security researcher filed on PlayStation via the HackerOne bounty program (link below), but these slides bring a new angle to the explanations.
First of all, they show part of the thought process of a hacker looking for vulnerabilities on a console, and in that sense the first third of the slides is the most interesting to me: which entry points are possible (WebKit, USB, DVD, Blu-ray file systems…)? Which of them deserve to be investigated (WebKit is too hard on the PS5, some features have been removed, the PS5 remains a black box…)? The hacker explains why BD-J makes sense as a target, given that the tools are publicly available and there is initially no need to understand the internal PS4/PS5 structure. He then goes on to discuss the possible attack vectors within BD-J (the JVM, JNI, and the Java classes themselves) and how to tackle each of them.
After detailing this phase of investigation, the slides describe the multiple vulnerabilities that TheFloW found and chained together. These add color to the descriptions he has already given in his HackerOne report, and will no doubt be useful to other hackers trying to replicate his work.
Finally, the hacker explains how, combined with a kernel exploit, this can lead to full control of the PS5. He doesn’t share any details about the kernel exploit he’s using, though it’s pretty clear now that this is how he ended up pwning the PS5 late last year, along with a screenshot of the PS5 debug settings.
The PS5 scene also theoretically has access to a kernel exploit (the PS4 pOObs4 exploit, which also impacts the PS5, not to mention more recent reveals), although no progress has been made publicly on this front.
PS5/PS4 Blu-ray Vulnerabilities – Files
There are no proof of concept files yet. Other hackers are digging into the disclosure, but it can take a while. We gave more details about that here.
Source: TheFloW