Softmod


A softmod is a method of using software to modify the intended behavior of hardware, such as computer hardware, or video game consoles in a way that can overcome restrictions of the firmware, or install custom firmware.

Function

Many softmods are exploits combined, known as exploit chains. The first requirement is being able to run unsigned code, known as userland exploits. Web browsers are very common vectors for this, most of which use the WebKit browser engine, which is notably open source and as a result, vulnerabilities are widely known. Another common vector of userland exploit are savegame exploits, which are specially crafted savegame files that exploit vulnerabilities in a game's code allowing for unsigned code. The second requirement is privilege escalation, typically compromising the kernel, unlocking secure parts of the system. Depending on the security architecture, additional privilege escalation may be required, such as defeating a hypervisor.
Other examples of softmods are maliciously signed firmware, such as custom firmware on the PlayStation 3, which was made possible due to the master key being released, or gaining control of a process that is very early in the boot cycle, such as the Fusée Gelée Boot ROM vulnerability for the Nintendo Switch.
Softmods may be permanent or temporary that persist until powering off. Softmods are especially popular among video game consoles, in which they usually enable a homebrew environment that allow execution of unsigned code. Compared to installing a modchip, a softmod is generally preferred due to not requiring having to open up the device and perform soldering, which could damage the device hardware. However, attempting to softmod can still damage a device, especially if instructions are not followed correctly. In some cases, it can lead to bricking.
Softmods may be used to install or load an alternative operating system on a device, as well as reinstate functionality that was removed from the official firmware, such as "OtherOS" on the PlayStation 3.
If a softmodded console connects to its online service, the console may be banned from the service permanently. Softmods void warranty due to tampering with device function and as a result, vendors will not honour any existing warranty policy if sent in for repair.

Legality

Due to commonly being used to circumvent digital rights management, softmodding is seen as a tool to enable piracy, although the act of softmodding in itself may not be illegal.
In January 2011, security researcher Geohot and associates of the hacking group known as fail0verflow were sued by Sony for jailbreaking the PlayStation 3. Sony and Geohot later settled the case out of court, with Geohot agreeing not to reverse engineer any Sony product in the future.
In Japan, softmods were outlawed as part of new legislation in 2018 which made savegame editing and console modding illegal.

Softmods for video game consoles

PlayStation/PSOne

The original PlayStation can be softmodded with the TonyHax exploit. The exploit is compatible with all North American and European consoles except the launch model, but is not compatible with Japanese consoles. It is also compatible with early versions of the PlayStation 2, although only for booting PS1 discs. TonyHax can be booted either with a gamesave exploit, or except on the PS2, directly from a specially-flashed memory card. The exploit allows the console to boot homebrew, foreign-region games, and CD-R copies. Some PlayStation models are partially incompatible with phthalocyanine CD-Rs, preferring the older standard cyanine discs. TonyHax is not a permanent exploit; the drive is re-locked when the console is powered off or rebooted, requiring the user to re-load the exploit every time a CD-R or foreign game is booted.
An older method was to boot an original legitimate disc with the lid close sense button held down, quickly swap the disc with a CD-R copy or foreign disc, remove that disc and reinsert the original, and then swap for the CD-R or foreign disc again. This had to be carefully timed, and if done incorrectly could damage the drive or disc.

PlayStation 2

The PlayStation 2 has various methods of achieving a softmod.
Disc swapping was used early on to bypass the PlayStation 2 copy protection, by taking advantage of certain trigger discs such as 007: Agent Under Fire or Swap Magic, homebrew could be loaded. This was done by inserting the trigger disc, blocking the lid open sensor then hotswapping with a homebrew disc. Although difficult to execute correctly, the universality of the method was often used in order to softmod.
One of the earliest softmods developed — the Independence Exploit — allows the PlayStation 2 to run homebrew by exploiting a buffer overflow in the BIOS code responsible for loading original PlayStation games. This method, however, only works on models V10 and lower, excluding the PlayStation 2 slim, while still requiring a disc to be burned.
FreeMcBoot is an exploit that works on all models except the SCPH-9000x series with BIOS v2.30 and up. It requires no trigger disc and is able to directly load ELFs from the memory card.
Fortuna, Funtuna, and Opentuna are another form of memory card exploit. Unlike FreeMcBoot, they will work on the SCPH-9000x model, and they are compatible with third-party memory cards that do not support MagicGate.
HD Loader is an exploit for PS2 models with the hard drive peripheral.
FreeDVDBoot is an exploit discovered in 2020 that requires burning a disc image loaded with a payload onto a DVD-R. It is compatible with a range of PlayStation 2 models and works by exploiting a buffer overflow in the PS2's DVD video functionality.
MechaPwn is an exploit that permanently unlocks the DVD drive of the slim PS2, allowing PS1 and PS2 discs from any region to be booted. PS1 CD-R copies can be booted directly from the PS2's built-in menu; PS2 CD-R/DVD-R copies require additional software to bypass the PlayStation 2 logo check.
In August 2024, a savegame exploit affecting multiple consoles and generations called TonyHawksProStrcpy was released, which is present in multiple Tony Hawk's titles for the PlayStation 2. It can be used to execute unsigned code.

PlayStation 3

The PlayStation 3 has a couple of methods to achieve a softmod. All models of PS3 can be softmodded.
Consoles that have factory installed version 3.55 or lower can install CFW which is unofficial firmware. This includes: all fat models, slim 20xx and 21xx models, and earlier 25xx models - the latter only if the console was manufactured before December 2010. Later slim 25xx, slim 30xx, and all super slim models cannot install CFW.
Installing CFW was made possible with code signing after the PS3's master key was leaked. Sony changed the key with firmware 3.56. If a vulnerable console has official firmware above 3.55 installed, the flash can be patched via a WebKit exploit which allows for a CFW install. Should the patching process be interrupted, it can brick the console.
CFW allows the running of homebrew, load game backups, bypass region checks, enter Factory Service Mode, change fan speed, RSX speed, grant access to root keys, as well as run PS2 ISOs on unsupported backwards compatible models. Some CFW implementations reinstate features Sony removed such as "OtherOS".
The most supported PS3 CFW is Evilnat Cobra.
The other softmod is PS3HEN. HEN is supported by all PS3 models. In order to use HEN, it is required to install HFW, another kind of unofficial firmware. This is a tether softmod, meaning HEN has to be enabled every time the console is powered on.
HEN allows the running of homebrew, load game backups, bypass region checks, change fan speeds, and play installed PS2 Classics PKGs. The hypervisor is still active and periodically checks if the current code being executed is unsigned; there is a small chance it can lead to the console becoming unresponsive or shutting down, making HEN less stable than CFW.

PlayStation 4

The PlayStation 4 has ways to achieve a softmod. Most require a userland exploit as the entry point, which can be either WebKit vulnerabilities in the PS4 Web Browser, a specially crafted Blu-ray disk, a modified media app, or a savegame exploit. All models of PS4 can be softmodded. They are all tether exploits meaning they have to be performed every time the console is powered on, although some exploits may be persisted using rest mode.
Softmodding a PS4 allows for running homebrew, loading game backups, bypass region checks, and change fan and CPU/GPU speeds. Some payloads can boot the PS4 into a Linux distribution, although this is not permanent and the console will revert to Orbis OS on reboot.
Known firmware versions that allow for a softmod are: 1.76, 4.05,, 4.55, 4.74, 5.05/5.07, 6.72, 7.02, 7.55, 9.00, 11.00, 12.02, 12.52, 13.00.

PlayStation 5

The PlayStation 5 has ways to achieve a softmod. They rely on a userland exploit as the entry point, which can be either WebKit vulnerabilities in the PS5 Web Browser, a specially crafted Blu-ray disc, a modified media app, or a savegame exploit. They are all tether exploits meaning they have to be performed every time the console is powered on, although some exploits may be persisted using rest mode.
Softmodding a PS5 allows for running homebrew, load game backups, modify the PS4 backwards compatibility blacklist, install and run PS4 "FPKGs", and change fan speeds. A softmodded PS5 is also capable of playing patched PS4 titles above the PS4 frame rate cap of 60 FPS, such as Bloodborne, at higher frame rates such as 120 FPS.
Known firmware versions that allow for a softmod are: 2.70, 4.51, 5.50, 7.61, 10.01.
It is worth noting the 2.70 exploit compromises the kernel and hypervisor, while the higher firmware exploits only compromise the kernel; the 2.70 exploit is more stable than higher firmware exploits. Besides stability, there are currently no major differences in functionality of either softmod.
The kernel exploit that led to the 6.72 PS4 jailbreak was patched a few months prior to the release of the PS5, which was reintroduced on the PS5 with 3.00 firmware, affecting up to 4.51 firmware. The kernel exploit that led to the 12.02 PS4 jailbreak could also be used to jailbreak the PS5, and affected up to 10.01 firmware.
In June 2023, a payload called libhijacker was disclosed, which allows running homebrew without the need of a HV exploit, which works by creating a new, separate process by interacting with the PS5's Daemon, effectively acting as a background ELF loader. This is notable over previous ELF loaders such as the WebKit or Blu-ray methods since those ELF loaders were terminated when the corresponding process was stopped. Another advantage of this new method is that the newly separate process is not confined to the fixed maximum resource allocation of the WebKit or BD-J processes.
In July 2023, security researcher Flat_z disclosed that they had read access to the PS5's Platform Secure Processor which is one of the most protected parts of the system and contains crucial keys for decryption. In addition, they also confirmed they had successfully exploited the HV via a save game exploit chain. Flat_z said he does not intend to disclose his findings publicly, however he is using these exploits to further reverse engineer the PS5 now that he is able to decrypt more parts of the system.
In October 2024, scene developer SpecterDev disclosed two exploit chains that compromise the hypervisor, which affect all firmware versions up to 2.70.