Hackgroup Fail0verflow announced Sunday evening that it had obtained the encrypted “root keys” for the PlayStation 5, an important first step in any attempt to unlock the system and allow users to run homebrew software.
The tweeted announcement includes a picture of what appears to be the PS5’s decrypted firmware files, with an emphasis on code that references the system’s “safe charger.” By analyzing that decoded firmware, Fail0verflow (or other hackers) can reverse engineer the code and create custom firmware with the ability to load homemade PS5 software (signed by those same symmetric keys to make the PS5 recognize them as authentic†).
[Update (Nov. 9): Aside from the symmetric encryption/decryption keys that have apparently been discovered, separate asymmetric keys are needed to validate any homebrew software to be seen as authentic by the system. The private portion of those authentication keys does not seem to have been uncovered yet, and probably won’t be found on the system itself. Still, the symmetric keys in question should prove useful for enabling further analysis of the PS5 system software and discovering other exploits that could lead to the execution of unsigned code. Ars regrets the error.]
Extracting the PS5’s system software and installing a replacement both require some sort of exploit that provides read and/or write access to the PS5’s usually secure kernel. The message from Fail0verflow doesn’t detail the exploit the group used, but the tweet says the keys were “obtained from software”, suggesting the group didn’t have to make any changes to the hardware itself.
Also this weekend, well-known PlayStation hacker theFlow0 tweeted a screenshot with a “Debug Settings” option amid the usual list of PS5 settings. As console hacking news site Wololo explains, this debug setting was previously only seen on development hardware, where the GUI looks significantly different. But TheFlow0’s tweet appears to be coming from a retail PS5’s built-in sharing feature, suggesting he also used an exploit to enable the internal flags that unlock the mode on basic consumer hardware.
TheFlow0 adds that he currently “has no plans to make public” his PS5 exploit. In recent years, TheFlow0 has participated in Sony bug bounty programs that reward responsible disclosure of security flaws in PlayStation hardware.
A History of Hacking
Fail0verflow’s weekend announcement comes about 11 years after the group announced it had discovered the private keys for the PlayStation 3 by taking advantage of Sony’s faulty cryptography implementation. Sony later sued members of the collective for bypassing the system’s security; hacker George “GeoHot” Hotz independently discovered the same information and published the actual key on his website (the matter was later settled). In 2013, Fail0verflow wrote a blog post suggesting that “we may have reached the point where homebrew on closed game consoles is no longer attractive,” thanks in part to “a very real threat of lawsuits” and the fact that “game pirates aren’t just becoming big users of the result of those efforts, but by far the vast majority (not because there are more pirates, but because there are fewer homebrewers).” But in 2018, Fail0verflow was one of a number of hacking groups that discovered the “unpatchable” exploit that allowed unsigned code to run on the Nintendo Switch.
It remains to be seen if and when similar exploits for the PS5 will become public and whether Sony will be able to temporarily shut them down with firmware updates like in the past.