Ever since a kernel exploit was released for the PS5 a few months ago, its next layer of security has become the main target for several hackers: the hypervisor. Between hacking rumors and harsh reality, this article tries to shed some light on where things stand.
What is the PS5 Hypervisor?
Typically, a hypervisor is used to run multiple virtual machines on the same physical machine. It is a piece of software that acts as an intermediate layer between the real hardware and the code that runs on it (e.g. an operating system). It allows multiple operating system instances to run on the same machine while keeping them completely separate from each other. If you have used VMware Workstation before, that is an example of a typical hypervisor.
In the case of the PS5, the hypervisor appears to be used as an additional layer of security rather than to run several operating systems: it sits between the hardware and the games and firmware running on it, for virtualization-based security purposes.
It protects the integrity of control registers (CR), which by extension include write protection (WP) and other protections such as supervisor mode access/execution prevention (SMAP/SMEP). It also protects kernel page table entries through the use of nested paging through second-level address translation (SLAT). Looking at the hypercalls documented on the psdevwiki, it looks like Sony also moved the I/O Memory Management Unit (IOMMU) to the hypervisor from the kernel. (The source)
The advantage of such a security layer is its narrow, specific focus: it needs very little code, which in turn limits the number of bugs that could be found and exploited on the PS5. This is unlike older systems, where the kernel was in charge of this security while also handling a lot of other functionality, which gave it a large attack surface. The surface that remains is the interface the guest kernel can reach from inside the VM: the hypercalls documented on the psdevwiki, the intercepted control register writes and whatever guest memory the hypervisor has to parse or emulate.
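To make the mechanism described in the quoted paragraph concrete, here is a small model in C. It was written for this article; it is not code from Sony's hypervisor, from the psdevwiki or from any PS5 exploit. It models the two x86 features the quote names: the hypervisor pinning CR0.WP (and CR4.SMEP/SMAP) through an intercept on control register writes, and two-level address translation, where the guest kernel's own page table is intersected with the hypervisor-owned SLAT (EPT/NPT) table. The control register bit positions are the real x86 ones; the permission encoding, the page layout, the struct and function names and the "exploit" (which just flips bits in a struct) are assumptions made for the illustration. What it shows is why a kernel exploit alone cannot patch kernel code: the guest page table can be rewritten at will, but the write still ends in an EPT violation until the SLAT entry changes, and only the hypervisor can change that.

```c
#include <stdint.h>
#include <stdio.h>

/* Control register bits as defined in the Intel SDM: CR0.WP = bit 16,
 * CR4.SMEP = bit 20, CR4.SMAP = bit 21. Everything else here is a toy model. */
#define CR0_WP   (1ull << 16)
#define CR4_SMEP (1ull << 20)
#define CR4_SMAP (1ull << 21)

/* Toy permission bits used for both levels (real EPT/NPT encodings differ). */
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define PAGE_SHIFT 12
#define NPAGES 4

/* Level 1: guest page table (guest-virtual -> guest-physical page). The guest
 * kernel owns it, so a kernel exploit can rewrite it at will. */
struct gpte { unsigned gppn, perm; };
/* Level 2: SLAT, i.e. EPT/NPT (guest-physical -> host-physical page). Only the
 * hypervisor writes it. */
struct slat_pte { unsigned hppn, perm; };

struct vm {
    uint64_t cr0, cr4;
    struct gpte gpt[NPAGES];
    struct slat_pte slat[NPAGES];
};

enum access_result {
    ACCESS_OK = 0,
    FAULT_GUEST_PTE,  /* #PF handled inside the guest */
    FAULT_SLAT        /* EPT violation / NPT fault: VM exit to the hypervisor */
};

/* Hypervisor intercepts for MOV CR0/CR4 (a real hypervisor uses the CR
 * guest/host masks in the VMCS or VMCB). Whatever the guest asks for,
 * WP, SMEP and SMAP stay set. */
uint64_t hv_intercept_cr0(struct vm *vm, uint64_t requested)
{
    return vm->cr0 = requested | CR0_WP;
}
uint64_t hv_intercept_cr4(struct vm *vm, uint64_t requested)
{
    return vm->cr4 = requested | CR4_SMEP | CR4_SMAP;
}

/* Supervisor-mode access through both levels: the effective permission is
 * the intersection of the guest PTE and the SLAT entry. */
enum access_result guest_access(const struct vm *vm, uint64_t gva, unsigned want)
{
    unsigned gvpn = (unsigned)(gva >> PAGE_SHIFT);
    if (gvpn >= NPAGES) return FAULT_GUEST_PTE;
    const struct gpte *g = &vm->gpt[gvpn];
    /* With CR0.WP clear, supervisor writes ignore the guest PTE's R/W bit.
     * That is what clearing WP would buy an exploit, and why it is pinned. */
    unsigned gperm = g->perm;
    if (!(vm->cr0 & CR0_WP)) gperm |= PERM_W;
    if ((gperm & want) != want) return FAULT_GUEST_PTE;
    if (g->gppn >= NPAGES) return FAULT_GUEST_PTE;
    const struct slat_pte *s = &vm->slat[g->gppn];
    if ((s->perm & want) != want) return FAULT_SLAT;
    return ACCESS_OK;
}

/* Constructed layout: page 0 is kernel text (R|X), page 1 is kernel data
 * (R|W), identity-mapped at both levels. */
void vm_init(struct vm *vm)
{
    vm->cr0 = CR0_WP;
    vm->cr4 = CR4_SMEP | CR4_SMAP;
    for (unsigned i = 0; i < NPAGES; i++) {
        vm->gpt[i].gppn = vm->slat[i].hppn = i;
        vm->gpt[i].perm = vm->slat[i].perm = PERM_R;
    }
    vm->gpt[0].perm = vm->slat[0].perm = PERM_R | PERM_X;
    vm->gpt[1].perm = vm->slat[1].perm = PERM_R | PERM_W;
}

/* All a kernel-level exploit can try: clear WP (intercepted), mark its own
 * PTE for the text page writable (allowed), then write the text page. */
enum access_result kernel_exploit_patch_text(struct vm *vm)
{
    hv_intercept_cr0(vm, vm->cr0 & ~CR0_WP);
    vm->gpt[0].perm = PERM_R | PERM_W | PERM_X;
    return guest_access(vm, 0x0000, PERM_W);  /* FAULT_SLAT: SLAT still says R|X */
}

/* What hypervisor control adds: the SLAT entry itself can be relaxed. */
enum access_result hypervisor_patch_text(struct vm *vm)
{
    vm->slat[0].perm = PERM_R | PERM_W | PERM_X;
    vm->gpt[0].perm = PERM_R | PERM_W | PERM_X;
    return guest_access(vm, 0x0000, PERM_W);  /* ACCESS_OK */
}

int main(void)
{
    struct vm vm;
    vm_init(&vm);
    printf("kernel exploit writing kernel text: %s\n",
           kernel_exploit_patch_text(&vm) == FAULT_SLAT ? "EPT violation" : "ok");
    printf("CR0.WP after the exploit tried to clear it: %d\n", (vm.cr0 & CR0_WP) != 0);
    printf("same write once the hypervisor relaxes the SLAT entry: %s\n",
           hypervisor_patch_text(&vm) == ACCESS_OK ? "ok" : "fault");
    return 0;
}
```

The order of the two checks in `guest_access` matters: a write that the guest PTE forbids is a plain page fault the guest kernel handles itself, while a write the SLAT forbids leaves the VM entirely and lands in the hypervisor, which is where it can log, kill or ignore the attempt. A real IOMMU moved into the hypervisor, as the quote suggests, would close the same gap for DMA from devices, which this CPU-only model does not cover.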
Can the PS5 hypervisor be hacked?
That’s the million dollar question!
Without an exploit in the hypervisor, we have seen that there is little we can do on a hacked PS5 (although, to be fair, it is very likely that we have only scratched the surface of what is possible with the current hacks). Patching the kernel is usually what is needed to enable "jailbreak" features on a console, and it will not be possible to patch the PS5 kernel without controlling the hypervisor.
There is no publicly known exploit for the hypervisor, although there are rumors that some teams have such an exploit.
Zecoxao revived the discussion yesterday, stating that a hypervisor exploit was leaked to Sony some time ago and possibly patched with firmware 4.00.
From what I'm told, the only hypervisor exploit that was found on PS5 was already leaked (and patched) at around 4.00 firmware. Take this information with a grain of salt as I have no idea if it is correct or not (no way to verify so far).
— Control_eXecute (@notzecoxao) November 29, 2022
As he says himself, this is to be taken with a grain of salt; there is no way to verify it for the moment. One thing is for sure: the lower your firmware version, the better your chances of still being affected if such a bug ever surfaces.
While there is nothing public at this time, it is still likely that some teams have access to a lot more than is publicly known. Obviously, if you have such an exploit, it makes sense to keep it secret so you can keep digging into the console with it.
There is no doubt that computers and gaming devices have become harder to hack with each generation. A zero-day exploit for a modern mobile phone can fetch up to $2.5 million in bounties, not to mention its black market value. Of course, a device like the PS5 is not at the same level of risk as your phone, but the security of all these systems is evolving at roughly the same rate.
Generally speaking, hypervisor escapes do exist, but on a closed system such as the PS5 they can be extremely difficult to find and weaponize: the hypervisor's code is not public, and with a guest interface as narrow as the one described above there is little for a kernel-level attacker to poke at.