Specter (@specterdev) 's Twitter Profile
Specter

@specterdev

Interested in Security and Exploit Development. Nano is the one true text editor.

ID: 3434795128

http://dayzerosec.com

21-08-2015 21:57:24

1,1K Tweet

37,37K Followers

272 Following

Specter (@specterdev) 's Twitter Profile Photo

I've published a webkit implementation of UMTX exploit for PS5 on 2.xx firmwares. Hoping to add support for 1.xx firmwares soon, higher firmwares will take some changes to make it work. See README for details as always. github.com/PS5Dev/PS5-UMT…

Specter (@specterdev) 's Twitter Profile Photo

Pushed v1.2, exploit's been updated with an implementation that works on 3.xx-5.xx (heap spray go brrr), also some support for other misc low fw. ELF loader and payloads will not work on 5.00+ for a while due to dlsym changes. Payload SDK needs changes. github.com/PS5Dev/PS5-UMT…

Specter (@specterdev) 's Twitter Profile Photo

Feels great when an idea can finally be tested and works out after like a year :) Shouts to ChendoChap for working out the ROP chain. Protip: staying < 3.00 is a good idea.

Aleksei Kulaev (@flat_z) 's Twitter Profile Photo

There are a few ways on PS5 to defeat HV. One of the methods that I've found was related to APIC: struct apic_ops is located in RW segment of kernel data. With KRW you can overwrite a function pointer inside it like xapic_mode and get into ROP, for example (just need to bypass CFI).

hardwear.io (@hardwear_io) 's Twitter Profile Photo

The PS5's hypervisor has kept the system secure for years—now, vulnerabilities are being revealed. What does this mean for gamers? 🕵️‍♂️🚨 Join Specter at #hw_ioNL2024 Know More: hardwear.io/netherlands-20… #ps5 #exploit #hardware

Specter (@specterdev) 's Twitter Profile Photo

I've published the repo for Byepervisor (we love named vulns out here). Contains exploit implementation for two PS5 hypervisor bugs for 2.xx and lower. Slides from the talk + vod should hopefully be published soon. github.com/PS5Dev/Byeperv…

Help Net Security (@helpnetsecurity) 's Twitter Profile Photo

Inside console security: How innovations shape future hardware protection - helpnetsecurity.com/2024/10/29/gam… - PlayStation hardwear.io #HardwareSecurity #hw_ioNL2024 #PlayStation #gaming #CyberSecurity #netsec #security #InfoSecurity #ITsecurity #CyberSecurityNews #SecurityNews

Specter (@specterdev) 's Twitter Profile Photo

RE: byepervisor do people care enough about not wanting to use rest mode and resume to switch the primary exploit for byepervisor to the jump table one? it's higher maintenance and possibly slightly less stable but would be slightly more convenient to run I guess

Matteo Rizzo (@_matteorizzo) 's Twitter Profile Photo

github.com/google/securit… Our newest research project is finally public! We can load malicious microcode on Zen1-Zen4 CPUs!

Specter (@specterdev) 's Twitter Profile Photo

My DAY[0] co-host zi and I are giving our 1st training @ hardwear.io with a focus on attacking security hypervisors! Trainings are something we've wanted to do for a while. Take a look and share to those who would be interested :) hardwear.io/usa-2025/train…

REcon (@reconmtl) 's Twitter Profile Photo

Recon Training 23-26 June 2025: KVM to Mobile Security Platforms - Attacking Hypervisors with Specter and zi from DAY[0] (4 days) For more details recon.cx/2025/trainingF…

Specter (@specterdev) 's Twitter Profile Photo

I've published a write-up on reversing and analyzing Samsung's H-Arx hypervisor architecture for Exynos devices, which has had a lot of changes in recent years and pretty interesting design. Hope you all enjoy :) dayzerosec.com/blog/2025/03/0…

DAY[0] (@dayzerosec) 's Twitter Profile Photo

We have a special episode this week, where we interview John Carse of SquareX. We talk about John's industry experience, history of browser security, and the work SquareX is doing on detecting and mitigating browser-based attacks. Check it out: youtube.com/watch?v=GtFpxB…

Specter (@specterdev) 's Twitter Profile Photo

Some people already know this, but thought I'd mention here too... unfortunately basically all of my low fw PS5s got stolen recently, so I'm not sure what my future in console research will look like. Replacing this stuff might be too difficult & expensive to be worth it :(