The development of a tool that allows custom kernel modules to be loaded and executed on the PS5 is undoubtedly intriguing. This is the project of developer buzzer-re, who recently unveiled PS5_kldload, a kernel module loader for the PS5, originally created to understand how the console's security works. The tool is interesting in several ways. First, it provides an alternative way of launching code on the PS5: it gives access to a kernel without having to go through the hypervisor, which can therefore remain active and entirely unmodified.
And for good reason: unlike previous approaches, where attacks try to insert an object into the kernel with read, write and execute primitives, on the PS5 the hypervisor and XOM (execute-only memory) protection prevent any modification of, or insertion into, .text code. The idea behind PS5_kldload is to work around these limitations by relying on an alternative kernel, without modifying the console's own kernel. Built on sleirsgoevy's kstuff framework, it provides read and write primitives without direct patching. There are two steps required for PS5_kldload to work properly:
Kekcalls, an interface between userland and the kernel
The concept of kekcalls was introduced by kstuff: the calls are encoded in the RAX register during a syscall from userland. buzzer-re added two new kekcalls, one named kmalloc, to allocate memory in the kernel, and another named kproc_create, to create kernel threads (kthreads).
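As an added illustration of the mechanism just described (not code from PS5_kldload or kstuff), the following C model shows how extra kernel calls can be multiplexed onto the normal syscall entry by tagging the number placed in RAX; the tag value, the kekcall numbers and the handler behaviour are all assumptions made for the model.

```c
/* Constructed model (not buzzer-re's or kstuff's code) of tagged-RAX
 * "kekcalls": the caller tags the syscall number in RAX, and a hook on
 * syscall entry decodes the tag and dispatches before the ordinary
 * syscall table is consulted. Tag, numbers and handlers are assumed. */
#include <stdint.h>
#include <stdlib.h>

#define KEKCALL_TAG   0x4B454B00000000ULL   /* assumed marker in the high bits */
#define KEKCALL_MASK  0xFFFFFFFF00000000ULL
#define KEK_KMALLOC       1U                /* assumed kekcall numbers */
#define KEK_KPROC_CREATE  2U

/* Simulated kernel state: how many kthreads were "created" and the last entry point. */
static int       kthreads_created;
static uintptr_t last_kthread_entry;

/* Simulated kmalloc handler: in this model it just hands back heap memory. */
static uintptr_t kek_kmalloc(uintptr_t size) {
    return (uintptr_t)calloc(1, size ? size : 1);
}

/* Simulated kproc_create handler: records the entry point instead of starting a thread. */
static uintptr_t kek_kproc_create(uintptr_t entry) {
    last_kthread_entry = entry;
    kthreads_created++;
    return 0;
}

/* Ordinary syscall path in this model: echoes the number so pass-through is observable. */
static uintptr_t normal_syscall(uint64_t nr, uintptr_t arg0) {
    (void)arg0;
    return (uintptr_t)nr;
}

/* Entry hook: tagged numbers go to kekcall handlers, untagged ones fall
 * through to the regular dispatcher untouched. */
uintptr_t syscall_entry_hook(uint64_t rax, uintptr_t arg0) {
    if ((rax & KEKCALL_MASK) != KEKCALL_TAG)
        return normal_syscall(rax, arg0);
    switch ((uint32_t)rax) {
    case KEK_KMALLOC:      return kek_kmalloc(arg0);
    case KEK_KPROC_CREATE: return kek_kproc_create(arg0);
    default:               return (uintptr_t)-1;   /* unknown kekcall */
    }
}

int       kthread_count(void)      { return kthreads_created; }
uintptr_t last_kthread_entry_get(void) { return last_kthread_entry; }
```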
Kernel memory management
To obtain executable memory allocations in the PS5 kernel, the kmem_alloc function has to be modified and manipulated, and PS5-specific breakpoints have to be used; on the PS4, by contrast, a direct RWX memory patch is sufficient. On the PS5, kmem_alloc must be used together with a second patch that overrides the default permissions. PS5_kldload is required to run Linux on the PS5. Currently the loader only supports firmware version 4.03; it will likely be ported to other supported versions in the coming days/weeks. A tutorial should also be available soon, as the tool is still very new.