
PS4: Reverse engineering progress on SMU (System Management Unit), might assist with hacks

by Ethan Marley

Zecoxao reports some progress in hacking the SMU (AMD System Management Unit) of PS4s, achieved by reusing a crypto key that was until now believed to only work on debug firmwares. It turns out the key can be used to hash retail firmwares as well. The scene's "jack of all trades" believes this could be leveraged to dump per-console crypto keys and fuses on PS4.

What is the SMU on PS4 and PS5?

There is surprisingly little information on the SMU in the PS4 Dev wiki, apart from the HMAC key in question. The PS4 Dev wiki states:

AMD System Management Unit (SMU) is a thermal and electrical management unit found in modern AMD x86 processors.

In a presentation where he demonstrated a hack of the AMD SMU, infosec researcher Rudolf Marek defined it as follows:

The system management unit (SMU) is a subcomponent of the northbridge that is responsible for a variety of system and power management tasks during boot and runtime. The SMU contains a microcontroller to assist.

The PS5 Dev wiki has more details on what the SMU does on the PS5, and I believe the responsibility of the chip is similar in both consoles (although, according to Zecoxao, there are some big differences in privileges, which could be very important. See below).

MP1 (System Management Unit or "SMU") is an Xtensa CPU responsible for power management, clock management, sampling sensor data, and other power/thermal-related tasks. The /dev/mp1 device can be used to issue commands to it. Below are known commands.

Code         Name                           Description
0x4068AE01   MP1_IOCTL_GET_CLK              Get clock frequency
0x8004AE17   MP1_IOCTL_SET_GFXCLK           Set graphics clock frequency
0xC004AE18   MP1_IOCTL_REQUEST_MODE_SWITCH
0x8008AE1D   MP1_IOCTL_SET_COREPSTATE       Set core power state?
0xC00CAE1E   MP1_IOCTL_GET_COREPSTATE       Get core power state?
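The ioctl numbers in the wiki's table are not opaque: the PS4/PS5 OS is FreeBSD-derived, and if (as assumed here) the MP1 driver uses FreeBSD's standard sys/ioccom.h encoding, each code packs a transfer direction, the size of the argument struct, a group byte and a command number. The decoder below is an added example written for this article, not code from the PS5 Dev wiki or from any PS4/PS5 tool; only the five codes and names come from the table above, everything else (the FreeBSD layout, the field names) is the stated assumption.

```python
# Added example: decode /dev/mp1 ioctl numbers under the assumption that the
# PS4/PS5 kernel uses FreeBSD's sys/ioccom.h layout:
#   bits 29-31 direction, bits 16-28 argument size, bits 8-15 group, bits 0-7 number
from dataclasses import dataclass

IOCPARM_MASK = 0x1FFF
IOC_VOID = 0x20000000          # _IO:   no argument struct
IOC_OUT = 0x40000000           # _IOR:  kernel copies the struct out to userland
IOC_IN = 0x80000000            # _IOW:  userland passes the struct in
IOC_INOUT = IOC_IN | IOC_OUT   # _IOWR: both directions
IOC_DIRMASK = IOC_VOID | IOC_OUT | IOC_IN

DIR_NAMES = {IOC_VOID: "_IO", IOC_OUT: "_IOR", IOC_IN: "_IOW", IOC_INOUT: "_IOWR"}


@dataclass(frozen=True)
class Ioctl:
    direction: str   # "_IO", "_IOR", "_IOW" or "_IOWR"
    length: int      # bytes copied between userland and the kernel
    group: int       # ioctl group byte; 0xAE for every MP1 command on the page
    number: int      # command number within the group


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit FreeBSD-style ioctl code into its fields."""
    direction = DIR_NAMES.get(code & IOC_DIRMASK)
    if direction is None:
        raise ValueError(f"0x{code:08X}: direction bits are not a valid FreeBSD ioctl")
    return Ioctl(direction, (code >> 16) & IOCPARM_MASK, (code >> 8) & 0xFF, code & 0xFF)


def encode_ioctl(direction: str, group: int, number: int, length: int = 0) -> int:
    """Inverse of decode_ioctl, i.e. what the _IOR/_IOW/_IOWR macros compute."""
    inout = {name: bits for bits, name in DIR_NAMES.items()}[direction]
    return inout | ((length & IOCPARM_MASK) << 16) | ((group & 0xFF) << 8) | (number & 0xFF)


# The MP1 commands exactly as listed on the PS5 Dev wiki table above.
MP1_IOCTLS = {
    0x4068AE01: "MP1_IOCTL_GET_CLK",
    0x8004AE17: "MP1_IOCTL_SET_GFXCLK",
    0xC004AE18: "MP1_IOCTL_REQUEST_MODE_SWITCH",
    0x8008AE1D: "MP1_IOCTL_SET_COREPSTATE",
    0xC00CAE1E: "MP1_IOCTL_GET_COREPSTATE",
}


def describe_mp1_table() -> list:
    """One decoded line per known MP1 command, sorted by code."""
    lines = []
    for code, name in sorted(MP1_IOCTLS.items()):
        f = decode_ioctl(code)
        lines.append(f"{name:<30} 0x{code:08X}  {f.direction:<5} group=0x{f.group:02X} "
                     f"num=0x{f.number:02X} arg={f.length} bytes")
    return lines


if __name__ == "__main__":
    print("\n".join(describe_mp1_table()))
```

Under this decoding, MP1_IOCTL_GET_CLK is a read-only command returning a 104-byte struct, SET_GFXCLK takes a 4-byte argument, and SET_COREPSTATE takes 8 bytes, which is what a practitioner would use to guess the argument layouts before fuzzing or tracing the driver; note the argument sizes are derived from the codes, not documented on the page.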

Another description, based mostly on the AMD Zen structure, states:

The system management unit (SMU) is tasked with the job of continuously sampling sensory data and making rapid corrections to various circuits on the chip. One such example is the control of the boost circuit we detailed earlier. Additional tasks include voltage level control which is provided as targets to the power supply monitors (PSMs), C-state boosts, thermal management ensuring the chip doesn't exceed the spec temperatures, and electrical design current management which ensures the current draw doesn't exceed the specs of the external voltage rails.

It is safe to assume the SMU on PS4 mostly performs tasks similar to those described in the "generic" AMD definitions above. In particular, the PS4 SMU should not be confused with SAMU (Secure Asset/Access Management Unit), a separate processor that handles many of the encryption/decryption tasks on the PS4.

Could SMU be leveraged to hack the PS4?

Today Zecoxao mentioned that progress has been made on SMU hacks, specifically that the crypto key used for debug firmwares has been found to work on retail firmwares as well. My assumption here is that some hackers have virtually full control of the SMU processor.
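Both the opening paragraph and the one above hinge on a single fact: an HMAC key thought to be debug-only also validates retail firmwares. The example below, added for this article and not code from Zecoxao, Sony or any PS4 tool, shows why that matters for a MAC-protected image: with a symmetric MAC, whoever holds the verification key can also produce valid tags for a modified image. The image layout (body followed by a 32-byte HMAC-SHA256 tag), the key and the "debug" and "retail" images are all constructed for the demo; the real PS4 SMU firmware format, its hash algorithm, and whether this HMAC is the only check the loader applies are not described on the page.

```python
# Added example: a MAC key that verifies is a MAC key that signs.
# Layout, key and images are constructed stand-ins, not PS4 artifacts.
import hmac
import hashlib
import os

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes

# Constructed stand-in for the key that was believed to be debug-only.
SMU_HMAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def compute_tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def build_image(key: bytes, body: bytes) -> bytes:
    """What a packer holding the key emits: body || tag."""
    return body + compute_tag(key, body)


def verify_image(key: bytes, image: bytes) -> bool:
    """What a loader does: recompute the MAC over the body, compare in constant time."""
    if len(image) <= TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(compute_tag(key, body), tag)


def patch_and_resign(key: bytes, image: bytes, old: bytes, new: bytes) -> bytes:
    """Edit the body and emit a fresh, valid tag. This is the step a leaked
    verification key enables: verify == sign for a symmetric MAC."""
    body = image[:-TAG_LEN]
    if old not in body or len(old) != len(new):
        raise ValueError("patch must replace an existing, same-length byte string")
    return build_image(key, body.replace(old, new, 1))


# Constructed images; the debug/retail distinction is only in the contents.
DEBUG_IMAGE = build_image(SMU_HMAC_KEY, b"SMU-FW debug build: fan=auto  ")
RETAIL_IMAGE = build_image(SMU_HMAC_KEY, b"SMU-FW retail build: fan=auto ")


def demo() -> dict:
    tampered = RETAIL_IMAGE[:-1] + bytes([RETAIL_IMAGE[-1] ^ 0x01])   # flip one tag bit
    forged = patch_and_resign(SMU_HMAC_KEY, RETAIL_IMAGE, b"fan=auto", b"fan=evil")
    return {
        "debug_ok": verify_image(SMU_HMAC_KEY, DEBUG_IMAGE),
        "retail_ok": verify_image(SMU_HMAC_KEY, RETAIL_IMAGE),   # same key passes retail
        "tampered_ok": verify_image(SMU_HMAC_KEY, tampered),     # blind edit is rejected
        "forged_ok": verify_image(SMU_HMAC_KEY, forged),         # re-MACed edit is accepted
        "wrong_key_ok": verify_image(os.urandom(32), RETAIL_IMAGE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:<12} {ok}")
```

The interesting row is forged_ok: an image whose body was changed and then re-tagged with the shared key passes the same check the genuine retail image passes. That is the mechanism by which "the key can also hash retail firmwares" turns into "the key is potentially useful to run code", provided no further asymmetric signature sits on top of the MAC, which the page does not say either way.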

Now, the question that immediately comes to mind is how a processor in charge of power and fans can really do much damage to the rest of the console. But Zecoxao's answer to my question has been: SMU is very privileged in PS4, not so privileged in PS5. The scene veteran also said "now it's confirmed that the SMU key is potentially useful to run nasty code".

Looking at Rudolf Marek's slideshow again, I think some PS4-specific confusion could come from his presentation. In particular, the following slide has led people to believe that SMU control could directly lead to PS4 Custom Firmware. I don't believe this interpretation makes sense. As a matter of fact, the whole presentation talks about the SMU firmware, not the firmware of any other processor on the computer. What the presentation is about, as far as I understand, is the possibility to load a custom SMU firmware, and then use that to communicate with the rest of the system in order to extract/leak information.

Therefore I believe the interesting part (for the PS4 scene) comes next, when Zecoxao says "SMU is very privileged in PS4". There's also, in Marek's presentation, a Q&A section in which it's confirmed (around the 45 minute mark) that the SMU, having privileged access, could be used to read/leak other parts of the system's memory. Something that was partially confirmed by Zecoxao:

you can probably dump your own keys/fuses with SMU code execution
