Hacking the Sony Playstation 5

I just don’t think it’s possible to create a hack-proof computer system, especially when the system is physically in the hands of the hackers. The Sony Playstation 5 is the latest example:

Hackers may have just made some big strides towards possibly jailbreaking the PlayStation 5 over the weekend, with the hacking group Fail0verflow claiming to have managed to obtain PS5 root keys allowing them to decrypt the console’s firmware.


The two exploits are particularly notable due to the level of access they theoretically give to the PS5’s software. Decrypted firmware ­ which is possible through Fail0verflow’s keys ­ would potentially allow for hackers to further reverse engineer the PS5 software and potentially develop the sorts of hacks that allowed for things like installing Linux, emulators, or even pirated games on past Sony consoles.

In 1999, Adam Shostack and I wrote a paper discussing the security challenges of giving people devices that included embedded secrets that needed to be kept from those people. We were writing about smart cards, but our lessons were general. And they’re no less applicable today.

Posted on November 10, 2021 at 6:17 AM14 Comments


Ted November 10, 2021 7:40 AM

It’s interesting that neither Andy Nguyen (Google security engineer aka “theflow0”) or Fail0verflow (hacking group) have published details of their hacks, presumably to give Sony time to patch things.

According to the article “it’s possible none of this will lead to concrete changes in the PS5 hacking scene.”

Ted November 10, 2021 8:00 AM

Also, Wololo.net has an article that talks about how the hack was achieved. Does anyone know how to enable the Debug Settings Menu on a PS5?

Although typically only present on testkits, the Debug Settings Menu is disabled on “retail” consoles. But it can be enabled on retail consoles by patching some flags, located at specific addresses in the firmware at Runtime.


Ted November 10, 2021 8:58 AM

One more thing… from Bruce’s and Adam’s paper:

The underlying assumption may be that the split between card owner and soft- ware owner is unassailable, and relies on the separa- tion being strong. However, attackers have shown a remarkable ability to get the appropriate hardware sent to them, often gratis, to aid in launching an attack.

Do you think Sony wanted them to find the vulnerabilities on behalf of product security? If so, do you think there was any risk of “theflow0” or Fail0verflow disclosing what they did?

Clive Robinson November 10, 2021 10:50 AM

@ Bruce, ALL,

I just don’t think it’s possible to create a hack-proof computer system, especially when the system is physically in the hands of the hackers.

It all turns on one thing,

“The root of Trust”

If you can keep it out of an attackers hands, then if you have done the rest of the job right, the only option open to the attacker is to brut force the system.

So assuming properly applied strong encryption, as physicall prevention will not be possible, the question then becomes one of,

“How do you prevent an attacker of any level from getting to the root of trust?”

Well we should all know the XKCD $5 wrench -v- 4096-bit RSA encryption comic strip[1] shows the “soft option” that Level III attackers might deem appropriate involving a “black bag job” for “end run attacks” or the so call “wet work” for up close and personal with the plumbing aids.

In reality that’s only ever going to happen for propriatory systems, where other attacks such as those via OS or other Apps are not available and the priority is considered high. Though courts are now nodding through “forced / coerced” bio-metric opening of mobile phones etc, and it’s nolonger news-worthy. So the question becomes a little more complicated,

“How do you prevent an attacker of any level from getting to the root of trust, even when they have access to the legitimate user?”

Well the obvious answer is to not give the legitimate user access to the root of trust at any time, yet get the required access when needed.

Supprisingly to some there are ways this can be done. Which have been discussed on this blog before. However they all involve at some point,

1, Valid perception of time.
2, Verifiably secure communications.

Both of which have significant issues.

But one thing else is needed, which is a way for the legitimate user to be able to demonstrate beyond reasonable doubt that they do not have currently, nor have they ever had access to the root of trust.

[1] For those that don’t but are at least PG-13 for “adult content” 😉


John November 10, 2021 1:49 PM

Hmm… We made a product with all its 8K of code in an EEPROM.

Customers loved it. It worked the same way each time you plugged it in [ if it ran at all! ].

It seems to me that memory that can be changed and remembers… flash verses EEPROM is the basic product problem.

This method does not solve the problem we are talking about though!!


echo November 10, 2021 5:28 PM

I think the biggest part of the problem is governance including the lack of fairness. When you look at things economically there’s a lot of the already rich pulling the ladder up, corporates organised like walled gardens, and the so-called gig economy with some people working three jobs to make ends meet. It’s wholly understandable people find ways and means to entertain themselves or materially “level up”.

A large part of the scandals unfolding in the UK (from Brexit onwards to the latest corruption wheeze) is people who already had power, status, and wealth wanted more.

Those who can will attempt to close every loophole at the bottom while exploiting investment vehicles backed by lawyers and accountants who are also part of the behind closed doors lobbying effort. Many suspect this is why the more puritanal and hypocritical “betters” project so much.

Michael Dell is taking Dell back into private hands. This caused a ripple. What missed most people is Jonathan Harmsworth (4th Viscount Rothermere) is using exactly the same scheme to take DMG (owners of the Daily Mail and Metro) back into private hands. The Dell deal has been described as a rip-off or a legalised fraud by some and I’m of the view the DMG deal isn’t dissimilar.

As for the Sony Playstation 5 thing it’s notable that crime patterns have changed over the years. They used to be more material with high value items like televisions and VCR’s and Sony Walkman’s being targets. Now it is mobile phones (less so now) and movies and games, and more inadequacy and corruption and more lately hate crimes.

No hard conclusions. Mostly some musings.

Yann November 11, 2021 4:27 AM

Thanks for the paper. It is available in PDF and postscript, a simple full text version readble by a browser would be nice too, so it can be read on apps such as Pocket / readitlater, etc.

SpaceLifeForm November 11, 2021 11:22 PM

It’s likely a chain after an ASLR leak.


SpaceLifeForm November 12, 2021 1:26 AM

@ Clive

Dons grey hat

But one thing else is needed, which is a way for the legitimate user to be able to demonstrate beyond reasonable doubt that they do not have currently, nor have they ever had access to the root of trust.

I guess my consternation here, is that I am not clear as to the definition of a ‘legitimate user’, and where the ‘root of trust’ is anchored.

Why does the user have to prove a negative?

Clive Robinson November 12, 2021 7:02 AM

@ SpaceLifeForm,

I guess my consternation here, is that I am not clear as to the definition of a ‘legitimate user’

One who has the owner of the devices autherisation to use the device.

Same principle as being the legitimate driver of a vehicle, but not it’s owner.

Which vrings us to,

Why does the user have to prove a negative?

Because the legislation requires them to do so or end up in jail…

The law requires you to “disclose crypto keys upon lawfull request” it’s not optional[1] you can be sent to jail for upto six years in the UK for not doing so.

In theory there is a defence, which is showing you do not know the crypto keys so can not comply.

As you should be aware to many prosecuters and certain judges trying to claim that defence is just the excuse required to asking for harsher conditions on the defendant. Such as no bail, held in Special Administrative Measures”(SAM) or equivalent, increased tariff or indefinate detention as “contempt” which is beyond a writ of Habeas corpus[2].

Thus you need to have some realistic evidence that you never had need to know the crypto keys, nor could have had access to them in any way.

One such is a “Hardware Security Module”(HSM) where encryption / decryption is done entirely inside the HSM to which by definition of being “the user” not “the administrator” you don’t get access to KeyMat to write or read.

You have thereby switched the “burden of proof” “of a negative” which is theoretically impossible with a binary choice, to the prosecution so that their “burden of proof” is to prove a positive, “beyond reasonable doubt” which is the way the law is supposed to operate.

[1] Apparently it overrides the legal protections on “Privileged communications”…

[2] Sometimes known as a “produce the body writ”. The purpose of the writ is to force a person holding another to bring them to court, where the lawfulness of the detention can be established or disposed of. Unfortunatly when you are in contempt it is “the court” that has put you in confinment so it’s assumed to be lawfull irrespective of if it is or not.


I would say have a look at Graig Murray’s web site where he explained how he was being “rights stripped” by a Scottish judge for very political reasons. Unfortunately you can not because of the “establishment” forcing it to be removed.

So essentially from memory a very senior Scottish Politician has been accused of significant and serious sexual misconduct. There were four witnesses standing against them with apparanatly harrowing accounts. The witnesses names had actually been published in other Main Stream Media. As Craig Murray’s position was very much against the futility of establishment attempts to keep it covered up he mentioned that it was futil because the details had been already published in the MSM.

The court however used the near impossible to refute “jigsaw” argument (ie “prove a negative”), that Craig had committed contempt as he had alledgedly –remember zero proof of the assertion– provided sufficient information to put it together and unmask the witnesses identities. Something that was blatently untrue as it was easier to do a Google Search on the politicians name and “sexual”… And the MSM article that named them was on the first page… Now the MSM has had a very paltry fine for actually naming the witnesses thus doing the establishment a favour, but Graig who is 62 and known to be very unwell has been sentanced to eight months. Most of which you can read in,


Of course this hash treatment does have a lot to do with Graig being just about the only journalist reporting on the establishments atrociius behaviour with regards Julian Assange. (you will even see it being used as consideration for the increased severity of the harsh sentancing in the above court judgment…).

Clive Robinson November 12, 2021 7:19 AM

@ SpaceLifeForm,

Some further information on Craig Murray being found guilty of a crime he did not commit,


Note even the judge was not impressed with the “Crown’s” –ie establishment– behaviour as at the time of publication it was not possible for it to be a “contempt”.

Oh and note the quote at the very top of the page, it sums up what is going on in English Politics. What it does not indicate is why the “Crown” would be so interested in keeping the actual sexuall abuse case covered up.

Well the party the Scottish politician is senior in is of less use than a “chocolate fire guard” and if news stories are true as corrupt as they come. As such they are “Usefull Idiots” for those psychos in London.

Tom Rollins November 14, 2021 5:30 PM

Clive- thank you brother. The persecution of Murray is disgusting, and is solely occurring because he exposed the British regime’s torture of actual human beings in black sites.

Clive Robinson November 15, 2021 11:17 AM

@ Tom Rollins,

The persecution of Murray is disgusting

It is and so is that of other people.

I don’t know how many knew but over the weekend it was Aaron Swartz Day, to commemorate the things he believed in,


There are many more, who get bad treatment we do not hear avout, because even the “trusted in the past” MSM now look the other way

One of the things that came out of the Murray trial is that he had applied to be a member of the UK “National Union of Journalists”(NUJ) but they repeatedly turned him down.

I realy do not know what is going on at the NUJ, but “representative” of modern journalism is apparentlt not one of their considerations.

And their behaviour, alowed the Judge to make an artificial distinction so that she could do what she had been told to do.

Justice as people understand it was not in her court that day and she should be ashamed of her self.

For society to accept justice and not string judges up as happens in increasing numbers of countries, as a minimum three things have to be both clear and believable,

1, Independence of the Judiciary.
2, All proceadings must be both public and decided by members of the public (ie a jury).
3, All proceadings are not just humain but they respect humans.

It’s clear in Craig Murray’s trial none of these esentials were there on the day.

eric November 17, 2021 2:17 PM

Some of us look forward to the day when you don’t have to exploit/root your own device in order to do what you want with it.

If you can’t use your device as you see fit, you don’t “own” it. You rent it from your Big Tech overlords, no matter how much you paid for it.

The incidental fact that you don’t want to do anything “interesting” is irrelevant.

The kind of people that are OK with this are of the same mentality that has encouraged and supported the whole rent-based, top-down, surveillance capitalism model that currently has its boot on our necks.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.