Specter
@SpecterDev
Interested in Security and Exploit Development. Nano is the one true text editor.
My @dayzerosec co-host zi and I are giving our 1st training @ hardwear.io with a focus on attacking security hypervisors! Trainings are something we've wanted to do for a while. Take a look and share to those who would be interested :) hardwear.io/usa-2025/train…
I've published a webkit implementation of UMTX exploit for PS5 on 2.xx firmwares. Hoping to add support for 1.xx firmwares soon, higher firmwares will take some changes to make it work. See README for details as always. github.com/PS5Dev/PS5-UMT…
Some people already know this, but thought I'd mention here too... unfortunately basically all of my low fw PS5s got stolen recently, so I'm not sure what my future in console research will look like. Replacing this stuff might be too difficult & expensive to be worth it :(
We have a special episode this week, where we interview @JohnCarse of @getsquarex. We talk about John's industry experience, history of browser security, and the work SquareX is doing on detecting and mitigating browser-based attacks. Check it out: youtube.com/watch?v=GtFpxB…
We have a training by @SpecterDev & Zi on Attacking Hypervisors From KVM to Mobile Security Platforms hardwear.io/usa-2025/train…
I've published a write-up on reversing and analyzing Samsung's H-Arx hypervisor architecture for Exynos devices, which has had a lot of changes in recent years and a pretty interesting design. Hope you all enjoy :) dayzerosec.com/blog/2025/03/0…
Recon Training 23-26 June 2025: KVM to Mobile Security Platforms - Attacking Hypervisors with @SpecterDev and zi from @dayzerosec (4 days) For more details recon.cx/2025/trainingF…
github.com/google/securit… Our newest research project is finally public! We can load malicious microcode on Zen1-Zen4 CPUs!
RE: byepervisor do people care enough about not wanting to use rest mode and resume to switch the primary exploit for byepervisor to the jump table one? it's higher maintenance and possibly slightly less stable but would be slightly more convenient to run I guess
Inside console security: How innovations shape future hardware protection - helpnetsecurity.com/2024/10/29/gam… - @PlayStation @hardwear_io #HardwareSecurity #hw_ioNL2024 #PlayStation #gaming #CyberSecurity #netsec #security #InfoSecurity #ITsecurity #CyberSecurityNews #SecurityNews
Slides github.com/PS5Dev/Byeperv…
I've published the repo for Byepervisor (we love named vulns out here). Contains exploit implementation for two PS5 hypervisor bugs for 2.xx and lower. Slides from the talk + vod should hopefully be published soon. github.com/PS5Dev/Byeperv…
The PS5's hypervisor has kept the system secure for years—now, vulnerabilities are being revealed. What does this mean for gamers? 🕵️♂️🚨 Join @SpecterDev at #hw_ioNL2024 Know More: hardwear.io/netherlands-20… #ps5 #exploit #hardware
There are a few ways on PS5 to defeat HV. One of the methods that I've found was related to APIC: struct apic_ops is located in the RW segment of kernel data. With KRW you can overwrite a function pointer inside it like xapic_mode and get into ROP, for example (just need to bypass CFI).
Feels great when an idea can finally be tested and works out after like a year :) Shouts to ChendoChap for working out the ROP chain. Protip: staying < 3.00 is a good idea.

Pushed v1.2, exploit's been updated with an implementation that works on 3.xx-5.xx (heap spray go brrr), also some support for other misc low fw. ELF loader and payloads will not work on 5.00+ for a while due to dlsym changes. Payload SDK needs changes. github.com/PS5Dev/PS5-UMT…
Added 1.xx firmware support to UMTX exploit chain. github.com/PS5Dev/PS5-UMT…
Well, this is PS5's umtx exploit for BD-J (a part related to the exploit actually): gist.github.com/flatz/89dfe9ed…