olo · October 26, 2024
Screenshot by @Andrew2007__
Following his presentation of an exploit for the PS5 Hypervisor at the Hardwear.io infosec conference yesterday (or, specifically, 2 exploits), PlayStation hacker SpecterDev has now published the files for the hypervisor exploit, as well as the slides for the presentation.
For all compatible firmwares (2.xx/1.xx), the exploit includes kernel dumping code and code to decrypt SELF (encrypted ELF) files. Furthermore, those of you lucky enough to be on Firmware 2.50 exactly should be able to enjoy the included HEN (Homebrew Enabler).
What is Byepervisor
The PS5 Hypervisor is a piece of middleware designed to protect the console’s firmware, notably its kernel, from malicious attacks. The Hypervisor in particular enforces eXecute Only Memory (XOM) rules on the kernel, to prevent attackers from reading or writing critical parts of the system. It is a key component of the PS5’s security, and bypassing or hacking it has long been considered an essential step towards getting full control over the PS5 system.

Byepervisor is one such exploit, targeting earlier versions of the PS5 Hypervisor: it works on Firmwares 2.xx and 1.xx. The exploit is by SpecterDev, who disclosed it in October 2024.

From the readme:
PS5 hypervisor exploit for <= 2.xx firmware. Two vulnerabilities and exploit chains are contained in the repo, they are independent of each other and either can be used. One exploit is provided mainly just for preservation (/_old_jump_table_exploit), only the primary exploit chain needs to be used (QA flags exploit).
Download and use Byepervisor
You can download the Byepervisor exploit source code at https://github.com/PS5Dev/Byepervisor
You should really build it yourself from the sources (if you can’t/won’t do that, I’ll be bold and say that this kind of tool, in its current state, is probably not for you), but Zecoxao has provided a compiled version here: https://qiwi.gg/file/5j5w6925-byepervisornologger (source)
The slides for SpecterDev’s presentation can also be found at https://github.com/PS5Dev/Byepervisor/blob/main/Byepervisor_%20Breaking%20PS5%20Hypervisor%20Security.pdf
Important notes (from the readme)
- Currently only 2.50 FW is supported for Homebrew Enabler (HEN), support for other firmware versions will be added at a later time.
- The exploit payload (byepervisor.elf) will need to be sent twice, once before suspending the system and again after resuming.
- You will have to put the system into rest mode manually yourself
- Kernel dump from QA flags exploit will not contain hypervisor’s .data region at the moment, if this is important for you, dump using the jump table exploit after porting or disable nested paging first (this is a TODO)
How to use (From the readme)
- Run the UMTX exploit chain in webkit or BD-J and run an ELF loader
- Send byepervisor.elf
- Put the system into rest mode
- Power system back on
- Send byepervisor.elf again (if you use John Tornblom’s ELF loader, the ELF loader should continue to accept payloads after resume, if not the UMTX exploit will need to be run again)
PS5 Byepervisor exploit – What’s next?
Although only 2.50 is supported right now for HEN, it is very likely that all 2.xx/1.xx firmwares will get HEN support in the days or weeks to come (work is already ongoing on that). Those firmwares are obviously still run by a minority of users, even among those of us interested in PS5 hacking, but there is also hope that this will help discover more vulnerabilities down the line, including on higher firmwares. Because kernel dumping and decryption is now relatively easy on those firmwares, PS5 firmware decompilation will be happening more broadly, and this should lead to interesting discoveries for the scene.
Source: SpecterDev