PS5 BootROM key leaked, Sony unable to patch

It has been reported that the ROM key for the 'BootROM' code, which is the first code that runs when the PlayStation 5 boots up, before the startup process runs, has been leaked. If this is genuine, it would completely undermine the security of the PS5. However, since the code is written directly into the APU, which is the heart of the PS5, and cannot be changed later, it has become a hot topic.

PS5 ROM Keys Leaked: Sony's Unpatchable Security Nightmare (2026) | The CyberSec Guru

PlayStation 5 ROM keys leaked — jailbreaking could be made easier with BootROM codes | Tom's Hardware

According to The CyberSec Guru, a news site specializing in cybersecurity information, a large data dump appeared on multiple private Discord servers and developer wikis on Wednesday, December 31, 2025. This included the PS5 BootROM key.

'BootROM' is the first code that runs when you turn on your PS5, and its role is to verify that the following boot process is legitimate and signed by Sony.

The PS5's bootloader is unlocked when the BootROM is executed, which then starts the kernel and finally launches the game. PS5s have been hacked in the past, but these attacks exploited software vulnerabilities in the kernel and Webkit browser, so Sony was able to deal with them with firmware updates and other measures.

However, the leak of the BootROM key means hackers can decrypt the bootloader and determine exactly how the PS5's security works. The CyberSec Guru describes it as 'not just knowing how to pick your front door, but like losing the master key to your bank vault.'

While this does not mean that it will have any immediate impact on the average user, in theory it will be a huge benefit to jailbroken users, as developers will be able to create custom boot loaders that will allow them to directly boot modified operating systems and make the jailbroken state permanent.

Even if Sony were to take countermeasures, the BootROM key is engraved into the ROM of the APU installed in the device, so it is impossible to 'change it by applying a patch with an update.' Taking the bold step of changing the APU to one with a new ROM key would make it possible to address the issue for future devices, but devices already on the market would be permanently vulnerable to any vulnerabilities caused by the key leak.

So does that mean Sony can't do anything? It's not like that. It's possible to detect an abnormality when someone connects to the PlayStation Network (PSN) using custom firmware or modified files, and it's possible to permanently suspend the account or console.

The news site Tom's Hardware also suggests a recall to collect all the machines and replace the motherboards, but concludes that this is unlikely to happen due to cost issues.