PS4: PPPwn officially ported to Firmwares 9.03, 9.04, 9.50, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71. Payload Loader & GoldHEN work in progress

goldHEN running via PPPwn (Firmware 9.00) – screenshot by Dravszoo

A lot of scene members have contributed to digging out and implementing the kernel offsets PPPwn needs on each firmware. As of today, every compatible firmware from 9.00 up to and including 11.00 is supported by the latest PS4 jailbreak. Specifically, PPPwn now works on 9.00, 9.03, 9.04, 9.50, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71, and 11.00.

Perhaps more importantly, developer LightningMods has released a payload loader for PPPwn, with confirmed GoldHEN compatibility. The catch: this loader currently only works on 9.00, and its own set of offsets still needs to be ported to the other firmwares.

What is PPPwn for PS4

PPPwn is a jailbreak chain for the PS4 released by TheFloW. It exploits a surprisingly old public vulnerability in the FreeBSD sppp network driver (the kernel's PPPoE implementation, CVE-2006-4304), which the PS4 kernel inherits from FreeBSD. The bug was apparently never patched on the PS4, or was reintroduced at some point. Details on how the vulnerability impacts the PS4 in particular can be found in TheFloW's report on HackerOne.

PPPwn is confirmed to work up to Firmware 11.00, with implementations now available for Firmwares 9.00, 9.03, 9.04, 9.50, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71, and 11.00. (People on 9.00 or below can still use the previous jailbreak, pOOBs4.)

In its current implementation, PPPwn simply displays a confirmation message once the exploit gains kernel code execution. More "user friendly" payloads, in particular custom firmwares such as GoldHEN or Mira, still need to be adapted to the exploit and to Firmwares 9.03-11.00. Progress on this front is ongoing.

PPPwn Payload Loader and GoldHEN

Developer LightningMods has released a payload loader for PPPwn. It has been confirmed that this payload loader runs GoldHEN as expected. The loader is currently only compatible with Firmware 9.00, but LightningMods has published the list of offsets required to port it to other firmwares. This list can be found here.

LightningMods' fork of PPPwn with the payload loader can be found here. Again, at the time of writing, this loader only works on 9.00. This is because 9.00 is already hacked via a previous jailbreak, so it is easier to work with (kernel offsets and debugging facilities are already available). From there, the scene will progressively add the missing pieces to support newer firmwares.

In parallel, Kameleon has confirmed on Twitter that GoldHEN support for PPPwn is ongoing and looks promising.


Download and run PPPwn (Firmwares 9.00 to 11.00)

You have to follow the Readme on the project’s official repository at: https://github.com/TheOfficialFloW/PPPwn. I replicate it below for convenience:

Requirements

  • Computer with Ethernet port
    • USB adapter also works
  • Ethernet cable
  • Linux (note from Wololo: Windows should work now)
  • Python3 and gcc installed

Usage

On your computer, clone the repository:

git clone --recursive https://github.com/TheOfficialFloW/PPPwn

Install the requirements:

sudo pip install -r requirements.txt

Compile the payloads:

make -C stage1 FW=1100 clean && make -C stage1 FW=1100
make -C stage2 FW=1100 clean && make -C stage2 FW=1100

For other firmwares, e.g. FW 9.00, pass FW=900.

Run the exploit (see ifconfig for the correct interface):

sudo python3 pppwn.py --interface=enp0s3 --fw=1100

For other firmwares, e.g. FW 9.00, pass --fw=900.

On your PS4:

  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter anything for PPPoE User ID and PPPoE Password
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server
  • Click Test Internet Connection to communicate with your computer

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click Test Internet Connection again. If the pppwn.py script gets stuck waiting for a request or response, abort it, run it again on your computer, and then click Test Internet Connection on your PS4.

If the exploit works, you should see the script's success output on your computer (the README shows a sample), and your PS4 should display Cannot connect to network. followed by PPPwned.
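The reason the procedure ends with "Test Internet Connection" is that it is the only way to make the PS4 initiate the PPPoE handshake that pppwn.py is waiting for: the console broadcasts a PADI, the computer must answer with a PADO, the console sends a PADR, and the computer assigns a session with a PADS, after which the session stage (LCP/IPCP, where the exploit lives) begins. The script below is an added illustration of that discovery exchange with both sides' frames, written in plain Python with no external dependencies; it is not code from PPPwn (which builds its frames with scapy) and the MAC addresses and Host-Uniq value are constructed sample data.

```python
"""PPPoE discovery stage (RFC 2516) between a PS4 and the PPPwn host, illustrated.

Added example for this article; NOT PPPwn's own code. MAC addresses and the
Host-Uniq value below are constructed sample data.
"""
import struct

ETH_P_PPPOE_DISC = 0x8863                       # EtherType: PPPoE Discovery stage
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65  # discovery CODE values
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104

PS4_MAC = "00:d9:d1:aa:bb:cc"     # constructed sample address
HOST_MAC = "08:00:27:11:22:33"    # constructed sample address
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_tags(tags):
    """Encode a list of (type, value) tags as 2-byte type, 2-byte length, value."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def parse_tags(payload):
    """Decode the TLV list, refusing a tag whose length runs past the payload."""
    tags, off = [], 0
    while off + 4 <= len(payload):
        t, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated tag")
        tags.append((t, payload[off:off + length]))
        off += length
        if t == TAG_END:
            break
    return tags


def build_discovery(dst, src, code, session_id, tags):
    payload = build_tags(tags)
    eth = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETH_P_PPPOE_DISC)
    # VER=1 and TYPE=1 share one byte (0x11), then CODE, SESSION_ID, LENGTH
    return eth + struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def parse_discovery(frame):
    if len(frame) < 20:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("LENGTH field exceeds frame")
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "code": code, "session_id": session_id, "tags": parse_tags(payload)}


class AccessConcentrator:
    """Minimal PPPoE access concentrator: the role the PC plays toward the PS4."""

    def __init__(self, mac, ac_name=b"PPPwn-host"):
        self.mac, self.ac_name, self.next_session = mac, ac_name, 1

    def handle(self, frame):
        """Reply to a PADI with PADO and to a PADR with PADS; ignore anything else."""
        p = parse_discovery(frame)
        tags = dict(p["tags"])
        echo = [(TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b""))]
        if TAG_HOST_UNIQ in tags:          # RFC 2516: Host-Uniq is returned unmodified
            echo.append((TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ]))
        if p["code"] == PADI:              # PADI is broadcast; PADO goes back unicast
            return build_discovery(p["src"], self.mac, PADO, 0,
                                   [(TAG_AC_NAME, self.ac_name)] + echo)
        if p["code"] == PADR and p["dst"] == self.mac:
            sid, self.next_session = self.next_session, self.next_session + 1
            return build_discovery(p["src"], self.mac, PADS, sid, echo)  # PADS carries the session id
        return None


def discovery_exchange(ps4_mac=PS4_MAC, host_mac=HOST_MAC, host_uniq=b"\x00\x00\x13\x37"):
    """Replay the four-frame discovery stage; return the session id and all frames."""
    ac = AccessConcentrator(host_mac)
    padi = build_discovery(BROADCAST, ps4_mac, PADI, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    pado = ac.handle(padi)
    padr = build_discovery(parse_discovery(pado)["src"], ps4_mac, PADR, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    pads = ac.handle(padr)
    return parse_discovery(pads)["session_id"], [padi, pado, padr, pads]


if __name__ == "__main__":
    session_id, frames = discovery_exchange()
    for name, f in zip(("PADI", "PADO", "PADR", "PADS"), frames):
        print(name, parse_discovery(f))
    print("session id:", session_id)
```

Two details matter for troubleshooting the procedure above: the PADO must be sent to the console's unicast address and must echo the Host-Uniq tag byte for byte, or the PS4 ignores it and the test ends in "Cannot connect to network" without the script ever seeing a PADR; and the PADS is what carries the non-zero session id that every subsequent session-stage frame must use, which is why a stale pppwn.py that has already consumed one handshake has to be restarted before you press Test Internet Connection again.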

As often, Modded Warfare has a great video showing the steps in detail:
