PPPwn: new day, new firmware ports and payloads for the PS4 11.00 exploit. GoldHEN right around the corner?
Following the 8.50 compatibility added a couple of days ago, PPPwn is now compatible with more firmwares: FW 7.50 / 7.51 / 7.55 / 8.00 / 8.01 / 8.03 / 8.50 / 8.52 have been added thanks to Al-Azif, kameleon, and EchoStretch. Older firmwares are being added in particular for people who are stuck on specific older firmwares due to the infamous NoBD problem, so that they can eventually upgrade out of their misery.
I also haven’t credited other devs who have been committing changes to the PPPwn github. In particular maatthc submitted a change that could improve reliability of the exploit, and rafaelflromao who added 10.50 / 10.70 / 10.71 and 9.50 / 9.60 support a few days ago. I apologize for any other people I might have missed during this crazy, crazy week for the PS4 scene.
The scene is still of course eagerly waiting for a “HEN” solution (the closest we have to a Custom Firmware on the PS4). GoldHEN has been making some progress and is being tested by a few trusted folks. Earlier today Michael Crump shared a video showcasing GoldHEN running on 11.00 (video below). Again, this is not released yet at the time of publishing this article, but it seems release is right around the corner.
What is PPPwn for the PS4 and why does multiple firmware support matter?
PPPwn is a Jailbreak chain for the PS4 released by TheFloW. It relies on a surprisingly old public vulnerability in one of the FreeBSD Network drivers (sppp). The vulnerability was apparently never patched for PS4, or incorrectly brought back at some point. Details on how the vulnerability impacts the PS4 in particular can be found on hackerone.
PPPwn is confirmed to work up to Firmware 11.00, with existing implementations now available for Firmwares 7.50 through 11.00 inclusive. (People on 9.00 or below can still enjoy the previous Jailbreak, pOOBs4.)
Some folks are stuck on a given firmware, and cannot upgrade their consoles due to the “NoBD” issue:
Your PS4 is said to be “NoBD” if its BluRay drive is missing or has been damaged. If you have such a “NoBD” console, you probably already know (or will soon discover) that you cannot update your PS4 Firmware anymore. This is annoying for multiple reasons, if only for the fact that there is no legit technical reason for this limitation on the PS4 firmware. You could still technically use the PS4 for a lot of other things, including digital game downloads, but the PlayStation gods have decided otherwise.
It’s up to the community to fix this mess, and make it technically possible to update your firmware to the latest and greatest, by bypassing a few checks during installation of the firmware. These techniques are typically referred to as “NoBD updaters”.
Adding a kernel exploit for lower firmwares, including 8.50, gives users additional ways to eventually upgrade their console if they need to. This is just one of the benefits of porting a given exploit to multiple firmwares.
In its current implementation, PPPwn is a full Jailbreak for PS4 11.00 and below, but a lot of existing tools from the scene still need to be adapted to run on Firmware 11.00. In particular, the scene is eagerly waiting for Custom Firmwares such as GoldHEN or Mira. Progress on this front is still ongoing.
Payloads for PPPwn
In parallel to the Firmware ports, LightningMods has been publishing a growing list of payloads compatible with Firmware 11.00 on the PPPwn exploit:
Stage2 has been updated for support for Debug settings on FW 10.00. Some patches have also been disabled by default but can be re-enabled via the EXTRA_PATCHES flag.

Payloads
- ps4-module-dumper: needs stage2 compiled with the MODULE_DUMPER flag set to 1; decrypts and dumps all the system files to the connected USB
- Update blocker: blocks updates by manually creating the required files in /update, then forcefully unmounts it
- Pup_decrypter: decrypts the outer layer of the PUP at /mnt/usb0/safe.PS4UPDATE.PUP; the decrypted PUPs will be saved to the USB root with the suffix .dec

To use them, simply rename them to payload.bin and put them on your USB.
These use a fork of the PPPwn project, where LightningMods has replaced stage2.bin with a payload loader. To install and run those, you basically:
- Install PPPwn following the instructions at https://github.com/TheOfficialFloW/PPPwn?tab=readme-ov-file#usage
- Replace stage2.bin with the payload loader from LightningMods: https://github.com/LightningMods/PPPwn/releases/download/payloads/stage2.bin
- Download any of the payloads you want to run ( https://github.com/LightningMods/PPPwn/releases/tag/payloads ), rename it to payload.bin, and put it on the root of your USB key.
- You’ll want to have the USB key inserted into your PS4 when you run the exploit, obviously.
GoldHEN on PPPwn
Sistr0’s Custom Firmware for the PS4 has been making progress towards being ported to Firmware 11.00. Michael Crump is among the few lucky and trusted folks who could test an early build, and has a video showcasing what we’re all waiting for:
Troubleshooting PPPwn
If you’re having issues running PPPwn in general, you might want to try one of the numerous GUI tools that have been released. I mentioned Modded Warfare’s PPPwn GUI here.