PS4: TheFlow releases PPPwn, Kernel exploit (Jailbreak) for firmware 11.00

Hacker TheFloW has decided to publish his PS4 Kernel exploit ahead of schedule, and released PPPwn, a kernel exploit for PS4 up to and including Firmware 11.00. The release at this point goes beyond the “proof of concept” level, and technically is a Jailbreak. What’s missing from a user perspective is for “Custom Firmwares” such as Mira and GoldHEN to be adapted to the new Firmwares, which is most likely a matter of days.

In other words, PS4 Jailbreak for firmware 11.00 is here, rejoice!

What is PPPwn for PS4 11.00?

PPPwn is a Jailbreak chain for the PS4 released by TheFloW. It relies on a surprisingly old public vulnerability in one of the FreeBSD Network drivers (sppp). The vulnerability was apparently never patched for PS4, or incorrectly brought back at some point. Details on how the vulnerability impacts the PS4 in particular can be found on hackerone.

Notably, PPPwn is a remote code execution attack, meaning that someone without physical access to the console could technically trigger the exploit by setting up a “malicious” PPPoE endpoint. (They’d still need the target PS4 to actually connect to it, though.)
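Since the vector is a PPPoE endpoint that answers the console’s discovery request, a defender watching the LAN segment can flag PPPoE offers (PADO frames) from any access concentrator that is not the expected one. The following is an added example, not part of PPPwn or this article: the frame layout follows RFC 2516, and the allow-list MAC and sample frames are constructed placeholders.

```python
import struct

ETHERTYPE_PPPOE_DISC = 0x8863   # PPPoE Active Discovery stage (RFC 2516)
PADO = 0x07                     # Active Discovery Offer: only a PPPoE server sends this
TAG_AC_NAME = 0x0102
TAG_END_OF_LIST = 0x0000

# Hypothetical allow-list: the only access concentrator that should answer on this LAN.
KNOWN_CONCENTRATORS = {"02:00:00:00:00:01"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_pppoe_discovery(frame: bytes):
    """Return (src_mac, code, tags) for a PPPoE Discovery frame, or None otherwise."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_DISC:
        return None
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:        # version 1, type 1 is the only defined combination
        return None
    payload, tags, pos = frame[20:20 + length], {}, 0
    while pos + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[pos:pos + 4])
        if ttype == TAG_END_OF_LIST:
            break
        tags[ttype] = payload[pos + 4:pos + 4 + tlen]
        pos += 4 + tlen
    return mac_str(frame[6:12]), code, tags


def rogue_offers(frames, allowed=KNOWN_CONCENTRATORS):
    """Return [(src_mac, ac_name)] for every PADO whose sender is not allow-listed."""
    hits = []
    for frame in frames:
        parsed = parse_pppoe_discovery(frame)
        if parsed and parsed[1] == PADO and parsed[0] not in allowed:
            hits.append((parsed[0], parsed[2].get(TAG_AC_NAME, b"").decode(errors="replace")))
    return hits


def build_pado(src_mac: bytes, ac_name: bytes) -> bytes:
    """Construct a minimal PADO frame for offline testing (sample data, not a capture)."""
    tags = struct.pack("!HH", TAG_AC_NAME, len(ac_name)) + ac_name
    tags += struct.pack("!HH", TAG_END_OF_LIST, 0)
    header = struct.pack("!BBHH", 0x11, PADO, 0, len(tags))
    client = bytes.fromhex("020000000099")  # constructed client (console) MAC
    return client + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_DISC) + header + tags
```

Feed `rogue_offers` raw Ethernet frames from a capture on the console’s segment; any hit means a machine other than the expected concentrator is offering PPPoE sessions there.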

PPPwn is confirmed to work up to Firmware 11.00, with existing implementations for Firmware 9.0 and 11.00 (and probably more to come).

In its current implementation, PPPwn simply displays a confirmation message once the exploit gets root access. More “user friendly” payloads will need to be adapted to the exploit and to Firmware 11.00, in particular Custom Firmwares such as GoldHEN or Mira. I expect such ports will take a few days, possibly a few weeks (but sometimes with these things, the scene can be surprisingly fast).


I am on firmware 11.50/11.02 – What can I do?

The short answer is that if you’re on a firmware above 11.00, then PPPwn isn’t for you, and you’ll most likely have to wait for another Jailbreak (which could be years down the road).

With that being said, if you are on a firmware above 11.00, in particular if you are on firmware 11.02, there might be a chance for you to go back to Firmware 11.00. The PS4 holds one “backup” copy of your previous firmware in case an update goes poorly, and it is possible, with a lot of soldering effort, to “revert” your console to that firmware backup. Modded Warfare has the most comprehensive video tutorial on the topic, and I’ve covered his video here. If you’re up to the task, that is your only solution (please note that in my opinion this is the point where you should seriously consider buying a secondary PS4, one that’s hackable, unless you’re in this for the PS4 downgrade learning experience).

Keep in mind that the technique will only let you go back to the Firmware that was previously installed on your console. If you went directly from 11.00 to 11.50, good for you. But if you went from 11.00 to 11.02, then to 11.50, this will only let you go back to 11.02 and is not useful in the context of PPPwn.

I am on Firmware 9.xx / 10.xx – Should I upgrade?

If you are on a lower firmware than 11.00 (and assuming you’re not on 9.00 or below, since those were already Jailbroken a while ago), my advice for now is to stay on your firmware, at least until something “useful” is released from a user’s perspective. If/when GoldHEN and/or Mira get released for Firmware 11.00, that will be the right time to upgrade. For now, I’d suggest staying put and enjoying the show.

I have Firmware 11.00 – How do I download and run PPPwn on my PS4?

You have to follow the Readme on the project’s official repository at: https://github.com/TheOfficialFloW/PPPwn. I replicate it below for convenience:

Requirements

  • Computer with Ethernet port
    • USB adapter also works
  • Ethernet cable
  • Linux
    • You can use VirtualBox to create a Linux VM with Bridged Adapter as network adapter to use the ethernet port in the VM.
  • Python3 and gcc installed

Usage

On your computer, clone the repository:

git clone --recursive https://github.com/TheOfficialFloW/PPPwn

Install the requirements:

sudo pip install -r requirements.txt

Compile the payloads:

make -C stage1 FW=1100 clean && make -C stage1 FW=1100
make -C stage2 FW=1100 clean && make -C stage2 FW=1100

For other firmwares, e.g. FW 9.00, pass FW=900.

Run the exploit (see ifconfig for the correct interface):

sudo python3 pppwn.py --interface=enp0s3 --fw=1100

For other firmwares, e.g. FW 9.00, pass --fw=900.

On your PS4:

  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter anything for PPPoE User ID and PPPoE Password
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server
  • Click Test Internet Connection to communicate with your computer

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on Test Internet Connection. If the pppwn.py script is stuck waiting for a request/response, abort it and run it again on your computer, and then click on Test Internet Connection on your PS4.

If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4.

As often, Modded Warfare has a great video showing the steps in detail:

https://youtube.com/watch?v=3DyePgij7jk

Troubleshooting PPPwn

Error “Leak is invalid” –> it is likely you’re running the exploit on the wrong firmware

Source: TheFloW
