Latest updates on Flat_z’s PS5 Exploit chain

PlayStation hacker Flat_z ignited the PS5 hacking scene earlier this week by sharing he has access to the PS5’s PSP (Platform Secure Processor), meaning he has acquired the PS5’s decryption keys. Now that the dust has settled, it has been confirmed that Flat_z does not intend to release this work (or anything copyrighted, obviously), but he has been talking about leveraging the acquired knowledge to provide an equivalent of PS4s fpkgs (unsigned packages that could be installed and run on hackable PS5s), through a writeup.

Secure Processor Access, Hypervisor exploit

Flat_z has access to the PS5’s PSP (Platform Security Processor). This means he has read access among other things to decryption keys on the PS5. Theoretically, the hacker could now in particular decrypt PS5 packages such as games or firmware update. Decrypted Firmwares can be used in particular for reverse engineering, or, in the (long term) future, writing custom firmwares for the console.

Flat_z also confirmed he has a Hypervisor exploit. The hacker is on a lower firmware console, so it’s safe to assume the exploit he got is in earlier versions of the Hypervisor. His exploit chain might still be valid on more recent firmwares, but it is believed Sony have reinforced Hypervisor access in firmwares above 2.50. This might not be as “bad” as it sounds since he has access to decryption keys via the Secure Processor.

In order to chain his exploits, Flat_z started with a gamesave exploit on a disc-based PS4 Game. But this might not be the only entry point that could work for such an exploit chain. The usermode exploit is only the first step, and other entry points such as a webkit hack could work. What the hacker confirmed however is that no hardware hack was involved.

FPKG Work in progress

The hacker has confirmed he will not release his Hypervisor exploit, or any Sony proprietary information. He also stated that the method he found to access the Secure Processor is probably the same that was used by Fail0verflow (and not disclosed) years ago. As such, he declared it’s their choice to release or not (don’t hold your breath).

He implied however that he will use the knowledge to work on Homebrew Enabler solutions (specifically, FPKG support) for the PS5, or provide a detailed writeup on that topic. There is no guarantee any of that will pan out (the hacker has other priorities) but it sounds like an other avenue to get Homebrew support on the PS5, in parallel to Astrelsky’s ongoing effort.

In the context of the PS4, FPKG (Fake Package) are used to trick the PS4’s DRM system into installing and running Homebrew and/or pirated games. It is our understanding that Flat_Z now has acquired sufficient knowledge to build something similar for the PS5, and that he intends to detail the process in a writeup. A big caveat though would be if keys have changed in recent firmwares, which could mean his fake package process wouldn’t work on more recent firmwares (he is on 2.50). The hacker however believes a key change is unlikely.

Statement from Flat_z regarding the PS5 Secure Processor exploit

Although Flat_z himself hasn’t posted any “official” statement (he did however answer a lot of questions on discord), fellow hacker CrazyVoid has given a pretty good summary of the current situation:

The developer known as Flat_z has successfully obtained read access to the PS5 PSP (Platform Security Processor), which contains crucial components such as bootrom and key seeds. Additionally, he has verified he also developed an hypervisor exploit.

As of right now Flat_z has decided not to disclose his exploits or bugs at this time. However, leveraging the knowledge gained from this achievement, he aims to undertake the reverse engineering of secure modules and other relevant information. The ultimate goal is to enable the use of FPKG’s (Fake PKGs) on the PS5 in the future.

If circumstances permit, Flat_z intends to provide a comprehensive write-up detailing the implementation of FPKG’s for the PS5 console. However, it’s important to note that there is currently no specified release date for this write-up, as he must prioritize other commitments before embarking on this endeavor.

For the time being, it is kindly requested that Flat_z not be approached with inquiries about release dates or repeated questions regarding the availability of his work. Your understanding and patience are greatly appreciated.

Last but not least, Modded Warfare has an excellent video that summarizes a lot of the past few days in the PS5 scene and Flat_z’s work in particular, I strongly recommend it: