Sony PlayStation 5 Demonstrated as a Linux Gaming PC

Andy Nguyen, a security researcher at Google, announced a Linux port for the Sony PlayStation 5 and demonstrated how the console can be transformed into a fully-fledged gaming PC running Ubuntu 24.04.4, capable of running Steam and modern 3D games. The Linux environment was powerful enough to run GTA 5 with ray tracing enabled (High RT mode) at 1440p resolution and 60 frames per second.

The prepared system, based on Linux kernel 6.19, fully supports 4K audio and video via HDMI, and all USB ports are supported. The working configuration was launched with the CPU frequency set to 3.2 GHz and the GPU to 2.0 GHz. It is noted that the frequency can be further overclocked to 3.5 GHz for the CPU and 2.23 GHz for the GPU, but in this case, the PS5 Slim gaming console quickly overheated.

The Byepervisor exploit is used to bypass bootloader verification and boot a Linux distribution instead of the stock firmware. It works only with firmware versions from two years ago (1.xx-2xx) and exploits two vulnerabilities in the hypervisor. A patch for Mesa has been prepared to support the AMD GPU specific to the PlayStation 5 and has been proposed for inclusion in the main Mesa distribution.

The Sony PlayStation 5 uses an AMD APU with an integrated PSP (Platform Security Processor) coprocessor, which manages keys. In the first boot stage, read-only code from the BootROM runs and uses root keys, hardcoded during chip production, to verify the bootloader's digital signature. If verification succeeds, the bootloader runs in the second stage and is responsible for verifying and launching the OS kernel or hypervisor.

With the Byepervisor exploit, Linux is substituted at the hypervisor stage. In the first stage, either the UMTX exploit, which exploits WebKit when processing web content, or an exploit for a vulnerability in the BD-J handler, triggered by inserting a specially crafted Blu-ray disc, is used to launch custom executable files in ELF format at the core firmware level. In the second stage, the byepervisor.elf exploit is launched via the bootloader, putting the system into a firmware recovery state.



Source: opennet.ru
