Since the PS5 Kernel hack was released a few months ago, the next layer of security has become one of the main research targets for many hackers: the Hypervisor. Between hack rumors and hard reality, this article tries to make the current situation clear.
What is PS5 Hypervisor?
Typically, a hypervisor is used to run multiple instances of virtual machines on the same physical machine. It is a piece of software that acts as an intermediate layer between the actual hardware and the code running on it (such as an operating system). It allows multiple instances of operating systems to run on the same hardware, while completely separating them from each other. If you have ever used VMWare Workstation, this is an example of a typical hypervisor.
In the case of the PS5, it appears that the hypervisor is used as an extra layer of security, separating the games and firmware from the hardware they run on, for virtualization-based security purposes.
It protects the integrity of Control Records (CRs), which includes write protection (WP) and other types of protection such as Supervisor Mode/Access Prevention/Execution (SMAP/SMEP). It also protects kernel page table entries through the use of nested paging over Second Level Address Translation (SLAT). Looking at the super calls documented on psdevwiki, it appears that Sony has also moved the IOMMU to the hypervisor from the kernel. (source)
The benefit of this security layer is that it is very narrowly targeted: there is a very limited amount of code, which in turn limits the number of potential bugs that can be found and exploited on the PS5. This is unlike older systems, where the kernel was responsible for such security while also having to manage many other features, which gave it a very large attack surface.
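To make the mechanism described above concrete, here is a small Python model, added for this article and not Sony's code or anything documented on psdevwiki, of the two protections the quoted description mentions: nested paging, where the hypervisor's second-level page table has the final say over the guest kernel's own page-table permissions, and hypervisor-owned control register bits that the kernel cannot clear. The addresses, page layout and two-level table are constructed for the example; the CR0.WP, CR4.SMEP and CR4.SMAP bit positions are the standard x86 ones.

```python
"""Toy model of hypervisor-enforced protection via nested paging and CR pinning.

Constructed example, not PS5 code. Two-stage translation: the guest kernel owns
its own page tables (guest virtual -> guest physical), but the hypervisor owns
the nested page table (guest physical -> host physical) and its permissions win.
"""
from dataclasses import dataclass

PAGE = 0x1000
R, W, X = 1, 2, 4  # permission bits used by both page-table levels

# Architectural x86 control-register bits (not PS5-specific values).
CR0_WP = 1 << 16    # kernel honours read-only pages even in supervisor mode
CR4_SMEP = 1 << 20  # supervisor may not execute user pages
CR4_SMAP = 1 << 21  # supervisor may not access user pages


class Fault(Exception):
    """Raised for a page fault or a refused control-register write."""


@dataclass
class Entry:
    frame: int  # page-frame number of the next level (or host memory)
    perms: int  # bitmask of R/W/X


class Guest:
    """Guest kernel: free to edit its own page table, including making text RWX."""

    def __init__(self):
        self.pt = {}  # guest virtual page -> Entry(frame = guest physical page)

    def map(self, gva, gpa, perms):
        self.pt[gva // PAGE] = Entry(gpa // PAGE, perms)


class Hypervisor:
    """Owns the nested (SLAT) page table and the pinned control-register bits."""

    PINNED_CR0 = CR0_WP
    PINNED_CR4 = CR4_SMEP | CR4_SMAP

    def __init__(self):
        self.npt = {}  # guest physical page -> Entry(frame = host physical page)
        self.cr0 = self.PINNED_CR0
        self.cr4 = self.PINNED_CR4

    def map(self, gpa, hpa, perms):
        self.npt[gpa // PAGE] = Entry(hpa // PAGE, perms)

    def write_cr0(self, value):
        # CR writes are intercepted; any write that clears a pinned bit is refused.
        if value & self.PINNED_CR0 != self.PINNED_CR0:
            raise Fault("CR0.WP clear refused by hypervisor")
        self.cr0 = value

    def write_cr4(self, value):
        if value & self.PINNED_CR4 != self.PINNED_CR4:
            raise Fault("CR4 SMEP/SMAP clear refused by hypervisor")
        self.cr4 = value

    def translate(self, guest, gva, access):
        """Walk both levels; the access must be allowed at each level."""
        e1 = guest.pt.get(gva // PAGE)
        if e1 is None or not e1.perms & access:
            raise Fault("guest page fault")
        e2 = self.npt.get(e1.frame)
        if e2 is None or not e2.perms & access:
            raise Fault("nested page fault (hypervisor)")
        return e2.frame * PAGE + gva % PAGE


def demo():
    """Constructed scenario: a compromised guest kernel maps its own text RWX,
    then tries to write to it and to clear CR0.WP. Returns the outcomes."""
    hv, guest = Hypervisor(), Guest()
    gva_text, gpa_text, hpa_text = 0xFFFF_8000_0000_0000, 0x0010_0000, 0x4000_0000
    guest.map(gva_text, gpa_text, R | W | X)  # guest-level permissions: anything goes
    hv.map(gpa_text, hpa_text, R | X)         # nested level: read+execute only
    out = {"read": hv.translate(guest, gva_text + 0x10, R)}
    try:
        hv.translate(guest, gva_text + 0x10, W)
        out["write"] = "allowed"
    except Fault as f:
        out["write"] = str(f)
    try:
        hv.write_cr0(hv.cr0 & ~CR0_WP)
        out["wp_clear"] = "allowed"
    except Fault as f:
        out["wp_clear"] = str(f)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v if isinstance(v, str) else hex(v)}")
```

The point of the model is the second `translate` check: even though the guest kernel marked the page writable in its own table, the write still faults at the nested level, which is why kernel patching on a hacked PS5 stays out of reach without control of the hypervisor.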
Can PS5 Hypervisor Be Hacked?
This is the million dollar question!
Without an exploit in the hypervisor, we’ve seen there are limited things we can do on a hacked PS5 (although, frankly, it’s very likely we’ve only scratched the surface of what’s possible with existing hacks). Kernel patching is usually what is required to enable “Jailbreak” features on a console. And it will not be possible to debug the PS5 kernel without controlling the hypervisor.
There is no publicly known exploit for the hypervisor, although some teams are rumored to have such an exploit.
Zecoxao reignited the discussion yesterday by saying that the hypervisor exploit was exposed to Sony some time ago, and may have been patched with firmware 4.00.
From what I’ve been told, the only hypervisor exploit found on ps5 was actually detected (and patched) in about 4.00 firmware. Take this information with a grain of salt because I have no clue if it is correct or not (no way to verify yet)
– Control_eXecute (notzecoxao) November 29, 2022
As he says himself, this should be taken with a grain of salt; there is no way to check it at the moment. One thing is for sure: the lower the firmware, the higher the chances.
While nothing is public at the moment, it’s still possible that some teams will have access to a lot more than we know publicly. Obviously, if you have access to such an exploit, it makes sense to keep it under wraps, so you can further hack the console.
There is no doubt that computers and gaming consoles are becoming more and more difficult to hack with each generation. A zero-day vulnerability on a modern mobile phone can earn up to $2.5 million in rewards, not to mention its value on the black market. Of course a compromised PS5 is not nearly as dangerous as a compromised phone, but the security of all these systems is evolving at roughly the same pace.
In general, hypervisor hacks do exist, but of course in a closed system like PS5 it can be very difficult to find and weaponize them.