Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Apr 30, 2024 at 2:26 PM | Replies: 488
Status
Not open for further replies.
Today TheOfficialFloW aka theflow0 decided to publish PPPwn ahead of his Remote Vulnerabilities in SPP talk on CVE-2006-4304 (FreeBSD.org) at TyphoonCon 2024 next month, which is the first PlayStation 4 PPPoE (Point-to-Point Protocol over Ethernet) RCE (Remote Code Execution) Kernel Exploit supporting PS4 Firmware versions up to 11.00 OFW with @KIWIDOGGIE aka kd_tech_ passing along some 11.00 Offsets (Orbis110.hpp) that can help in reverse-engineering payloads crediting developer @Al Azif (fw_defines.h / payloads_1100_and_below.zip - 46.3 KB - includes ps4-app-dumper.bin, ps4-disable-updates.bin, ps4-fan-threshold.bin, ps4-ftp.bin, ps4-module-dumper.bin, ps4-permanent-uart.bin and ps4-todex.bin via @zecoxao aka notnotzecoxao) stage2.bin (11.2 KB) and additional payloads (module_dumper.bin - 10.7 KB, permanent_uart.bin - 6.84 KB, pup_decrypter.bin - 16.8 KB, update_blocker.bin - 5.48 KB - rename to payload.bin and put on USB) and Enable Debug Menu Settings and FPKG patches (stage2_10.00.bin - 10.9 KB, stage2_10.01.bin - 10.9 KB, stage2_11.00.bin - 10.9 KB - rename file to stage2.bin and put in the stage2 folder) via @LightningMods aka LightningMods_ with Pull Requests for Ports spanning 7.00, 7.01, 7.02, 7.50, 7.51, 7.55, 8.00, 8.01, 8.03, 8.50, 8.52, 9.00, 9.03, 9.04, 9.50, 9.51, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71 and 11.00. :love:

While PS5 Firmware versions up to 8.20 OFW were confirmed as vulnerable to CVE-2006-4304 by theflow0 previously, according to @CrazyVoid on Twitter, "what flow released is for PS4. the PS5 is different than PS4, it might not be able to be exploited the same way" with @SpecterDev elaborating on Twitter, "Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do."

He went on to state via Twitter, "XOM also plays a role, even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon."

Download PPPwn PS4 Payloads and Variants:
Spoiler: Deprecated

:arrow: Additional PlayStation 4 Homebrew / Payload Updates for 11.00 PS4 Firmware:
Here's further details from the PPPwn README.md: PPPwn - PlayStation 4 PPPoE RCE

PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for CVE-2006-4304 that was reported responsibly to PlayStation.

Supported versions are:
  • FW 7.00 / 7.01 / 7.02
  • FW 7.50 / 7.51 / 7.55
  • FW 8.00 / 8.01 / 8.03
  • FW 8.50 / 8.52
  • FW 9.00
  • FW 9.03 / 9.04
  • FW 9.50 / 9.51 / 9.60
  • FW 10.00 / 10.01
  • FW 10.50 / 10.70 / 10.71
  • FW 11.00
  • more can be added (PRs are welcome)
The exploit only prints PPPwned on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the stage2.bin payload needs to be adapted.

Requirements
  • Computer with Ethernet port
    • USB adapter also works
  • Ethernet cable
  • Linux
    • You can use VirtualBox to create a Linux VM with Bridged Adapter as network adapter to use the ethernet port in the VM.
  • Python3 and gcc installed
Usage

On your computer, clone the repository:
Code:
git clone --recursive https://github.com/TheOfficialFloW/PPPwn
Change the directory to the cloned repository:
Code:
cd PPPwn
Install the requirements:
Code:
sudo pip install -r requirements.txt
Compile the payloads:
Code:
make -C stage1 FW=1100 clean && make -C stage1 FW=1100
make -C stage2 FW=1100 clean && make -C stage2 FW=1100
For other firmwares, e.g. FW 9.00, pass FW=900.

DO NOT RUN the exploit just yet (don't press Enter yet) but prepare this command on your prompt (see ifconfig for the correct interface):
Code:
sudo python3 pppwn.py --interface=enp0s3 --fw=1100
For other firmwares, e.g. FW 9.00, pass --fw=900.

On your PS4:
  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter anything for PPPoE User ID and PPPoE Password
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server
  • Now, simultaneously press the 'X' button on your controller on Test Internet Connection and 'Enter' on your keyboard (on the computer you have your Python script ready to run).
ALWAYS wait for the console to show the message "Cannot connect to network: (NW-31274-7)" before trying this PPPoE injection again.

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on Test Internet Connection. Kill the pppwn.py script and run it again on your computer, and then click on Test Internet Connection on your PS4: always simultaneously.

If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4, or the other way around.

Example run
Code:
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 07:ba:be:34:d6:ab
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::2d9:d1ff:febc:83e4
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141

[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff884de578
[+] kaslr_offset: 0x3ffc000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 97:df:ea:86:ff:ff
[+] AC cookie length: 0x511
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634be9200
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] AC cookie length: 0x0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...

[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!
Notes for Mac Apple Silicon Users (arm64 / aarch64)

The code will not compile on Apple Silicon and requires amd64 architecture. There is a workaround using docker which will build the bin files required. Clone this repository to your mac system, then from the repo folder run ./build-macarm.sh. This will build the binaries for PS4 FW 1100 and place the necessary files into the correct folders.

To build the binaries for a different version, i.e. 900, run the command as such: ./build-macarm.sh 900. Once built, copy this folder structure into the Linux VM and execute as instructed above. This has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.04, and the host machine is macOS 14.4.1.

Notes for GoldHEN version

This loader only supports payloads with a kernel entrypoint. The custom version of stage2 first looks for the payload in the root directory of the USB drive, and if found, it is copied to the internal HDD at this path: /data/GoldHEN/payloads/goldhen.bin. The internal payload is then loaded and is no longer needed on the external USB drive. At the moment, only firmware versions 9.00, 10.00, 10.01 and 11.00 are supported. Other versions like 9.60 will also be supported.

Reminder: All GoldHEN related issues, updates, etc go in the ongoing discussion topic for it:
Spoiler: Related Tweets, Videos, Opcode Offsets & ROPGadget Gadgets
PPPwn PlayStation 4 PPPoE RCE PS4 Kernel Exploit to 11.00 by TheOfficialFloW.jpg
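The example run above walks through the PPPoE discovery exchange (PADI, PADO, PADR, PADS) and reports the AC cookie length it observes at each round. As an added illustration for this thread (not code from the PPPwn repository or from theflow), here is a Python parser that decodes PPPoE discovery frames, checks that every tag's declared length actually fits inside the frame, and flags an AC-Cookie far larger than an access concentrator would normally send. The 64-byte cookie threshold, the three sample frames and the MAC addresses are constructed assumptions.

```python
"""PPPoE discovery frame parser with length sanity checks.

Added example for this thread; it is not code from the PPPwn repository.
The 64-byte AC-Cookie threshold and the sample frames are constructed
assumptions, not values taken from any real access concentrator."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_PPPOE_DISCOVERY = 0x8863  # RFC 2516 discovery stage

# PPPoE discovery CODE values (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

# TAG_TYPE values (RFC 2516)
TAG_NAMES = {
    0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
    0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0105: "Vendor-Specific",
    0x0110: "Relay-Session-Id", 0x0201: "Service-Name-Error",
    0x0202: "AC-System-Error", 0x0203: "Generic-Error",
}
TAG_AC_COOKIE = 0x0104
MAX_SANE_COOKIE_LEN = 64  # assumed heuristic: genuine cookies are a few dozen bytes


@dataclass
class Discovery:
    code: str
    session_id: int
    tags: list = field(default_factory=list)      # (tag name, raw value)
    warnings: list = field(default_factory=list)  # human-readable findings


def parse_pppoe_discovery(frame: bytes) -> Discovery:
    """Decode Ethernet + PPPoE header + TLV tags, recording anything that does not add up."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet and PPPoE headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError(f"not a PPPoE discovery frame (ethertype 0x{ethertype:04x})")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError(f"unexpected PPPoE VER/TYPE 0x{ver_type:02x}")

    result = Discovery(code=CODES.get(code, f"0x{code:02x}"), session_id=session_id)
    payload = frame[20:]
    if length > len(payload):
        # The header claims more payload than the frame actually carries
        result.warnings.append(
            f"PPPoE LENGTH {length} exceeds {len(payload)} payload bytes present")
        length = len(payload)
    payload = payload[:length]

    off = 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + tag_len > len(payload):
            # A tag that runs past the payload is the classic TLV parser pitfall
            result.warnings.append(
                f"tag 0x{tag_type:04x} declares {tag_len} bytes but only {len(payload) - off} remain")
            return result
        value = payload[off:off + tag_len]
        off += tag_len
        result.tags.append((TAG_NAMES.get(tag_type, f"0x{tag_type:04x}"), value))
        if tag_type == TAG_AC_COOKIE and tag_len > MAX_SANE_COOKIE_LEN:
            result.warnings.append(
                f"AC-Cookie is {tag_len} (0x{tag_len:x}) bytes, above the {MAX_SANE_COOKIE_LEN}-byte heuristic")
        if tag_type == 0x0000:
            break
    if off != len(payload):
        result.warnings.append(f"{len(payload) - off} stray bytes after the last tag")
    return result


def build_discovery_frame(dst: bytes, src: bytes, code: int, session_id: int, tags) -> bytes:
    """Serialise a discovery frame; used only to construct the sample input below."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + header + payload


# Constructed sample frames; the MAC addresses are placeholders
DST_MAC = bytes.fromhex("aabbccddeeff")
SRC_MAC = bytes.fromhex("07babe34d6ab")
NORMAL_PADO = build_discovery_frame(DST_MAC, SRC_MAC, 0x07, 0, [
    (0x0102, b"lab-ac"), (0x0101, b""), (0x0104, b"\x10" * 16)])
BIG_COOKIE_PADO = build_discovery_frame(DST_MAC, SRC_MAC, 0x07, 0, [
    (0x0102, b"lab-ac"), (0x0101, b""), (0x0104, b"\x41" * 0x4E0)])
TRUNCATED_PADO = NORMAL_PADO[:-8]  # cut mid-tag so the declared lengths no longer fit

if __name__ == "__main__":
    for name, frame in [("normal", NORMAL_PADO), ("big cookie", BIG_COOKIE_PADO),
                        ("truncated", TRUNCATED_PADO)]:
        d = parse_pppoe_discovery(frame)
        print(f"{name}: {d.code} tags={[t for t, _ in d.tags]} warnings={d.warnings}")
```

Run it directly to see the three constructed frames decoded. Fed with frames from a capture on the Ethernet segment between the PS4 and the host, parse_pppoe_discovery gives a quick way to spot discovery traffic whose tag lengths do not match the frame, which is the kind of inconsistency a robust PPPoE implementation must reject before touching the tag contents.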
 

Comments

Well, if you don't have a Raspberry or a Luckfox to automatically run the jailbreak then don't update, it's not convenient.

Moreover from my experience jailbreaking on 11.00 takes more time than 9.00 and a usb stick is far cheaper than a raspberry :LOL:
 
Thanks to TheOfficialFloW, xfangfang, SiSTR0, Vortex, EchoStrech and stooged for making this even possible!

Here is my small contribution to the PPPwn gang. It’s just a couple shell scripts I use on my rPi to:

1) download files from the one file place (I threw them a couple euros so I can use an account to directly download links you will need to provide)
Code:
#!/bin/bash
MOUNT_POINT="/mnt/data"
WLOG=$MOUNT_POINT"/wget-log"
# Function to print usage and exit
usage() {
    echo "Usage: $0 <https-url>"
    exit 1
}

# Check if an argument has been passed
if [ -z "$1" ]; then
    usage
fi

# Validate that the argument is an HTTPS URL
if [[ ! "$1" =~ ^https:// ]]; then
    echo "Error: The argument must be an HTTPS URL."
    usage
fi

# Check if the thumb drive is mounted
if ! mount | grep -q "$MOUNT_POINT"; then
    echo "Error: The thumb drive is not mounted at $MOUNT_POINT."
    exit 1
fi

# Execute the wget command with the provided URL, saving the file to the root of the thumb drive
wget -c "$1" --method POST --no-check-certificate --auth-no-challenge --content-disposition -P "$MOUNT_POINT" -o "$WLOG"

echo "Download completed."

2) “upload” the resulting .pkg file to Remote Package Installer by triggering the RPI program running on your PS4 to pull the .pkg file from your Apache web server installed on your Raspberry Pi. It will also allow you to query stats and progress and whatever else the API allows.

See here for API details from the original author of the API, flatz himself.
Code:
#!/bin/bash

# Default IP addresses and ports
DEFAULT_PS4_IP="192.168.2.2"
DEFAULT_LOCAL_IP="192.168.2.1"
DEFAULT_PS4_PORT="12800"  # Default port for Remote Package Installer
DEFAULT_LOCAL_PORT="8081"
DEFAULT_DIRECTORY="/data"  # Default directory

# Default values for task type and action
DEFAULT_TASK_TYPE="direct"
DEFAULT_ACTION="install"

# Initialize variables with default values
PS4_IP="$DEFAULT_PS4_IP"
LOCAL_IP="$DEFAULT_LOCAL_IP"
PS4_PORT="$DEFAULT_PS4_PORT"
LOCAL_PORT="$DEFAULT_LOCAL_PORT"
DIRECTORY="$DEFAULT_DIRECTORY"
TASK_TYPE="$DEFAULT_TASK_TYPE"
ACTION="$DEFAULT_ACTION"
FILE_URL=""
# Optional values only set by their flags
TITLE_ID=""
CONTENT_ID=""
TASK_ID=""
MANIFEST_URL=""

# Function to display usage
usage() {
    echo "Usage: $0 [options] [file]"
    echo
    echo "Options:"
    echo "  -h <PS4 IP>               IP address of the PS4 (default: $DEFAULT_PS4_IP)"
    echo "  -p <PS4 Port>             Port of the PS4 Remote Package Installer (default: $DEFAULT_PS4_PORT)"
    echo "  -l <Local IP>             Local IP address (default: $DEFAULT_LOCAL_IP)"
    echo "  -d <Local Port>           Local web server port (default: $DEFAULT_LOCAL_PORT)"
    echo "  -r <Directory>            Directory to serve files from (default: $DEFAULT_DIRECTORY)"
    echo "  -f <File URL>             URL of the file to install"
    echo "  -t <Task Type>            Task type for installation (direct|cdn, default: $DEFAULT_TASK_TYPE)"
    echo "  -i <Title ID>             Title ID for checking or uninstalling"
    echo "  -c <Content ID>           Content ID for uninstalling"
    echo "  -a <Action>               Action to perform (install|uninstall|check|task, default: $DEFAULT_ACTION)"
    echo "  -k <Task ID>              Task ID for task-related actions"
    echo "  -u <Manifest URL>         URL of the manifest for CDN installations"
    echo
    echo "Actions and Required Options:"
    echo "  Check if app exists: -a check -i <Title ID>"
    echo "  Install package:     -a install [-t <Task Type>] [-f <File URL> | -u <Manifest URL>] [file]"
    echo "  Uninstall game:      -a uninstall -t game -i <Title ID>"
    echo "  Uninstall patch:     -a uninstall -t patch -i <Title ID>"
    echo "  Uninstall content:   -a uninstall -t ac -c <Content ID>"
    echo "  Uninstall theme:     -a uninstall -t theme -c <Content ID>"
    echo "  Manage tasks:        -a task -t <start|stop|pause|resume|unregister|progress|find> -k <Task ID>"
    exit 1
}

# Parse command line arguments
while getopts "h:p:l:d:r:f:t:i:c:a:k:u:" opt; do
    case $opt in
        h) PS4_IP="$OPTARG" ;;
        p) PS4_PORT="$OPTARG" ;;
        l) LOCAL_IP="$OPTARG" ;;
        d) LOCAL_PORT="$OPTARG" ;;
        r) DIRECTORY="$OPTARG" ;;
        f) FILE_URL="$OPTARG" ;;
        t) TASK_TYPE="$OPTARG" ;;
        i) TITLE_ID="$OPTARG" ;;
        c) CONTENT_ID="$OPTARG" ;;
        a) ACTION="$OPTARG" ;;
        k) TASK_ID="$OPTARG" ;;
        u) MANIFEST_URL="$OPTARG" ;;
        *) usage ;;
    esac
done

# Shift off the options and optional --.
shift $((OPTIND - 1))

# Handle positional argument for file URL
if [[ -z "$FILE_URL" && -n "$1" ]]; then
    FILE_URL="$1"
fi

# Validate required arguments
if [[ -z "$FILE_URL" && "$ACTION" == "install" && "$TASK_TYPE" == "direct" ]]; then
    echo "File URL is required for direct install."
    usage
fi

# Remove trailing slash from DIRECTORY if present
DIRECTORY="${DIRECTORY%/}"

# Define API URL
API_URL="http://$PS4_IP:$PS4_PORT/api"

# Perform action based on the specified flag
case $ACTION in
    check)
        curl --data "{\"title_id\":\"$TITLE_ID\"}" "$API_URL/is_exists"
        ;;
    install)
        if [[ "$TASK_TYPE" == "direct" ]]; then
            curl -v "$API_URL/install" --data "{\"type\":\"direct\",\"packages\":[\"http://$LOCAL_IP:$LOCAL_PORT$DIRECTORY/$FILE_URL\"]}"
        elif [[ "$TASK_TYPE" == "cdn" ]]; then
            curl -v "$API_URL/install" --data "{\"type\":\"ref_pkg_url\",\"url\":\"$MANIFEST_URL\"}"
        fi
        ;;
    uninstall)
        if [[ "$TASK_TYPE" == "game" ]]; then
            curl -v "$API_URL/uninstall_game" --data "{\"title_id\":\"$TITLE_ID\"}"
        elif [[ "$TASK_TYPE" == "patch" ]]; then
            curl -v "$API_URL/uninstall_patch" --data "{\"title_id\":\"$TITLE_ID\"}"
        elif [[ "$TASK_TYPE" == "ac" ]]; then
            curl -v "$API_URL/uninstall_ac" --data "{\"content_id\":\"$CONTENT_ID\"}"
        elif [[ "$TASK_TYPE" == "theme" ]]; then
            curl -v "$API_URL/uninstall_theme" --data "{\"content_id\":\"$CONTENT_ID\"}"
        fi
        ;;
    task)
        case $TASK_TYPE in
            start)
                curl -v "$API_URL/start_task" --data "{\"task_id\":$TASK_ID}"
                ;;
            stop)
                curl -v "$API_URL/stop_task" --data "{\"task_id\":$TASK_ID}"
                ;;
            pause)
                curl -v "$API_URL/pause_task" --data "{\"task_id\":$TASK_ID}"
                ;;
            resume)
                curl -v "$API_URL/resume_task" --data "{\"task_id\":$TASK_ID}"
                ;;
            unregister)
                curl -v "$API_URL/unregister_task" --data "{\"task_id\":$TASK_ID}"
                ;;
            progress)
                curl -v "$API_URL/get_task_progress" --data "{\"task_id\":$TASK_ID}"
                ;;
            find)
                curl -v "$API_URL/find_task" --data "{\"content_id\":\"$CONTENT_ID\",\"sub_type\":$TASK_TYPE}"
                ;;
        esac
        ;;
    *)
        usage
        ;;
esac

Are these the best, most intuitive, code complete, error free, master hacker products? Not at all, but they work for me on my headless raspberry pi attached to my PS4 and they get the job done from a simple terminal on my phone. If you want a polished product use one of the Windows GUIs! They are much better.

Here they are in action:
Code:
wwiii@pppwn:/mnt/data $ fiecher https://1fichier.com/?idojREDACTEDaqj
^C
wwiii@pppwn:/mnt/data $ fiecher https://1fichier.com/?idojREDACTEDaqj
Download completed.
wwiii@pppwn:/mnt/data $

I did a CTRL-C to show that you can restart the process and it will start downloading where it left off. Great for unstable network/VPN/whathaveyou!

You will need an Apache server running on your Pi! I put mine on port 8081.

Here's a great place to start. I will not help you set up your web server... plenty of resources on the web for that.
Code:
wwiii@pppwn:/mnt/data $ rpi mmou_base.pkg
*   Trying 192.168.2.2:12800...
* Connected to 192.168.2.2 (192.168.2.2) port 12800 (#0)
> POST /api/install HTTP/1.1
> Host: 192.168.2.2:12800
> User-Agent: curl/7.88.1
> Accept: */*
> Content-Length: 75
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Connection: close
<
{ "status": "success", "task_id": 167, "title": "My Memory of Us" }
* Closing connection 0
wwiii@pppwn:/mnt/data $ rpi -a task -t progress -k 167
*   Trying 192.168.2.2:12800...
* Connected to 192.168.2.2 (192.168.2.2) port 12800 (#0)
> POST /api/get_task_progress HTTP/1.1
> Host: 192.168.2.2:12800
> User-Agent: curl/7.88.1
> Accept: */*
> Content-Length: 15
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Connection: close
<
{ "status": "success", "bits": 0x4234358A, "error": 0, "length": 0xF64E0000, "transferred": 0x11620000, "length_total": 0xF64E0000, "transferred_total": 0x11620000, "num_index": 1, "num_total": 1, "rest_sec": 1517, "rest_sec_total": 1517, "preparing_percent": 100, "local_copy_percent": 100 }
* Closing connection 0
wwiii@pppwn:/mnt/data $ rpi
File URL is required for direct install.
Usage: /usr/bin/rpi [options] [file]

Options:
  -h <PS4 IP>               IP address of the PS4 (default: 192.168.2.2)
  -p <PS4 Port>             Port of the PS4 Remote Package Installer (default: 12800)
  -l <Local IP>             Local IP address (default: 192.168.2.1)
  -d <Local Port>           Local web server port (default: 8081)
  -r <Directory>            Directory to serve files from (default: /data)
  -f <File URL>             URL of the file to install
  -t <Task Type>            Task type for installation (direct|cdn, default: direct)
  -i <Title ID>             Title ID for checking or uninstalling
  -c <Content ID>           Content ID for uninstalling
  -a <Action>               Action to perform (install|uninstall|check|task, default: install)
  -k <Task ID>              Task ID for task-related actions
  -u <Manifest URL>         URL of the manifest for CDN installations

Actions and Required Options:
  Check if app exists: -a check -i <Title ID>
  Install package:     -a install [-t <Task Type>] [-f <File URL> | -u <Manifest URL>] [file]
  Uninstall game:      -a uninstall -t game -i <Title ID>
  Uninstall patch:     -a uninstall -t patch -i <Title ID>
  Uninstall content:   -a uninstall -t ac -c <Content ID>
  Uninstall theme:     -a uninstall -t theme -c <Content ID>
  Manage tasks:        -a task -t <start|stop|pause|resume|unregister|progress|find> -k <Task ID>

You can queue up as many installs as the API will allow and then check on them individually via the same API. If you lose network connectivity your PS4 will retry automatically. Very helpful if your WiFi isn’t so great in your gaming area.
 
Well done! Waited for this for a long time. A few tips for those who get the payload not found error: check if your USB has an EFI partition and delete it with diskpart, which should fix it.
 
@PSXHAX much appreciated. I didn't want to break any forum rules so it’s just an example. In practice one simply replaces it with any real 1F link they’d like. At end of day it’s just a quick little script so I don’t have to remember command line flags.
 
Looks like I chose a good time to jump in, haha. Booted up my semi-dusty PS4 last night and found that half the games I had on it were locked out because of some account switching stuff and I didn't have a quick way to undo it all.

Figured I was never gonna go online again anyways so I took a peek at the state of Jailbreaks and, wouldn't you know it, all of a sudden my 10.01 console was in the clear. I'll have to look into the automatic RPi setup because keeping a laptop handy in case my kid disconnects the PS4 isn't ideal.
 
Thank you for all your hard work on this. We hadn't used our PS4 for some time, and seem to have found that it was on FW11 at just the right time to jailbreak it!

Turns out it was trivial to do so using Pi-Pwn and an old Raspberry Pi 3B. Coming from a jailbroken PS3 (where the jailbreak is persistent), I thought that the temporary nature of the patch might be inconvenient; however, it's actually quite useful to be able to go between CFW and OFW.
 