ESP Host PS4 Payloads Guide, and today mallrats let us know of a recent project of his (aka Treyjazz) dubbed ESPS4ExploitServer - a PS4 Exploit Server for ESP8266 Arduino boards.
Download: PS4Exploit.zip / GIT / ESPS4ExploitServer fork by 5u770n
To quote from the README.md:
ESPS4ExploitServer
This is a project for ESP8266 Arduino boards. It has been tested on a (cloned?) Wemos D1 board with 4MByte flash. It uses SPIFFS to load files from the flash chip but can easily be ported to use an SD addon board.
Setting up the board:
If you need to add/remove SPIFFS files then always use the Sketch Data Uploader before you upload the sketch. There seems to be a bug that will trash the data in the program area of flash when you upload to the SPIFFS area in flash and the board won't run without the sketch being uploaded again.
- Install the Arduino IDE if you don't already have it
- Start the Arduino IDE
- Install the ESP8266 library
- Install the ESP8266 Filesystem Uploader - http://www.instructables.com/id/Using-ESP8266-SPIFFS/
- Restart the Arduino IDE
- Plug in the board and install the drivers for it
- Under Tools: Select the board that is appropriate
- Select the COM port the board is attached to (can be found in the Device Manager in Windows)
- Select the Flash Size - The code is pretty small so you can use the option that has the most memory saved for SPIFFS Ex: 4M (1M/3M SPIFFS)
- Load the .ino from the downloaded directory
- In the /data directory place the payloads that
- Unplug the board and hold down the Flash button while you plug it back in
- Under Tools, select ESP8266 Sketch Data Uploader
- If there is an error in transferring then unplug the board and hold the Flash button while plugging it back in again
- If there is an error in creating the SPIFFS then you have files adding up to too much memory for your board, so remove some
- Unplug the board and plug it back in
- Under Sketch, select Upload
It defaults to creating an access point 'ps4exploit' with password 'hackmyps4'. Set your PS4 gateway and DNS to 10.13.37.1 when the board is in AP mode. To change the configuration open a web browser to http://10.13.37.1/settings.
Note that it is an unsecured webpage, so the password for a wifi network that is entered will be saved in plain text, but will only be accessible to those who can already log onto the network.
In station mode, the board will attempt to use the default static IP containing '235'. Ex: 192.168.1.1 with subnet mask 255.255.255.0 will try the static IP of 192.168.1.235.
- Selection of wifi mode - AP/Station
- AP - Network name, password
- Station - Available networks, password, static IP
- Payload - Selection of available payloads loaded in flash
It creates a web server and fake DNS server that resolves everything back to itself. It defaults back to sending the index.html on any request that doesn't match a file loaded into flash. SPIFFS doesn't allow for directories so the names of the different exploit pages and scripts (and references in their htmls) had to be renamed. Keep this in mind when adding new exploit pages.
If other payload exploit pages are released you must add some code to set JS_MAX to the number of .js files loaded by the page to trigger the automatic payload setting. After the IDC or Specter exploit pages are loaded through a web browser (or user manual on PS4), the payload transfer will automatically start after a 1s wait. If it fails with a not enough memory error then it is best to restart the PS4 because it typically causes a soft-lock on the XMB after repeated attempts.
Failsafes (useful for when you can't reprogram the board):
- Programmatically
  - If the board can connect to a wifi station then it will revert back to AP mode
  - If the static IP you select conflicts with the network you connect to then the network will assign one
- Physically
  - Bridging D6 to GND while plugging the board into a power source will force it to load up the default AP settings so you can change the network settings (http://10.13.37.1/settings)
Known bugs:
- The LED doesn't turn on steady after files are transferred (I think the problem is somewhere in the ESP8266 library)
- Sometimes after a failed payload transfer the board will be stuck in a loop and need to be reset if you can't connect.
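The station-mode static IP rule and the static-IP failsafe from the README above can be checked against a given network before flashing. This is an added example, not code from the project: the function names are hypothetical, "containing '235'" is assumed to mean the gateway address with its last octet set to 235, and an empty result stands for the case where the network assigns an address instead.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Parse a dotted-quad IPv4 string into a host-order 32-bit value; false on bad input.
bool parseIPv4(const std::string& s, uint32_t& out) {
    unsigned a, b, c, d;
    char tail;  // catches trailing junk such as "1.2.3.4x"
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

std::string formatIPv4(uint32_t ip) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u", (unsigned)(ip >> 24),
                  (unsigned)((ip >> 16) & 255), (unsigned)((ip >> 8) & 255), (unsigned)(ip & 255));
    return buf;
}

// Assumption: the default static IP is the gateway address with last octet 235.
uint32_t candidateStaticIP(uint32_t gateway) { return (gateway & 0xFFFFFF00u) | 235u; }

// True when the candidate is a usable host address on the gateway's subnet.
bool isUsable(uint32_t candidate, uint32_t gateway, uint32_t mask) {
    uint32_t network = gateway & mask;
    uint32_t broadcast = network | ~mask;
    return (candidate & mask) == network                    // inside the subnet
        && candidate != network && candidate != broadcast   // not a reserved address
        && candidate != gateway;                            // not the router itself
}

// Returns the static IP to request, or "" when the network would assign one instead.
std::string chooseStationIP(const std::string& gw, const std::string& mask) {
    uint32_t g, m;
    if (!parseIPv4(gw, g) || !parseIPv4(mask, m)) return "";
    uint32_t c = candidateStaticIP(g);
    return isUsable(c, g, m) ? formatIPv4(c) : "";
}

int main() {
    // Constructed sample networks: the README's /24 case, a /25, and a gateway already at .235
    const char* cases[][2] = {{"192.168.1.1", "255.255.255.0"},
                              {"192.168.1.1", "255.255.255.128"},
                              {"10.0.0.235", "255.255.255.0"}};
    for (auto& c : cases) {
        std::string ip = chooseStationIP(c[0], c[1]);
        std::printf("%s / %s -> %s\n", c[0], c[1], ip.empty() ? "assigned by network" : ip.c_str());
    }
}
```

On subnets narrower than /24 the .235 address can fall outside the gateway's range or land on the broadcast address, which is where the README's "the network will assign one" failsafe applies.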
Download: ESP8266 ESP32 HTTP OTA server / GIT
Download: Ps4Exploit-455-By-Draqen-v1.2 for esp8266EX.bin (4.0 MB) / nodemcu-pyflasher-v3.0 / Ps4Exploit-455-By-Draqen-v1.3 for esp8266EX.bin (4.0 MB) / Draqen-Esp8266-405.bin (4.0 MB) / Draqen-Esp8266.bin (4.0 MB) / Draqen-Esp8266-405.bin (4.0 MB) / ESP8266_Simple_455.bin (4.0 MB) / ESP8266_Simple_405.bin (4.0 MB) / Draqen-Esp8266-405.bin (4.0 MB) / Draqen-Esp8266.bin (4.0 MB)
Download: ESP8266XploitHost_fixed2.zip (14.2 MB) / c0d3m4st4_ESP8266XploitHost_nodemcu_1.0b4.zip (967 KB) / c0d3m4st4_ESP8266XploitHost_v1_final.zip (865 KB) / c0d3m4st4_ESP8266XploitHost_v2.0b.zip (1.7 MB) / c0d3m4st4_ESP8266XploitHost_v2.0b2.zip (1.7 MB)