✨ Debug menu support for FW 10.00/10.01
iMrDJAi authored May 5, 2024
1 parent e4ec351 commit 82db695
Showing 8 changed files with 890 additions and 28 deletions.
15 changes: 11 additions & 4 deletions README.md
@@ -1,15 +1,20 @@
# PPPwn - PlayStation 4 PPPoE RCE
PPPwn is a kernel remote code execution exploit for PlayStation 4 upto FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation.
PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation.

Supported versions are:
- FW 8.50
- FW 9.00
- FW 9.03 / 9.04
- FW 9.50 / 9.60
- FW 10.00 / 10.01
- FW 10.50 / 10.70 / 10.71
- FW 11.00
- more can be added (PRs are welcome)

The exploit only prints `PPPwned` on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the `stage2.bin` payload needs to be adapted.

## Requirements
- Computer with Ethernet port
- A computer with an Ethernet port
- USB adapter also works
- Ethernet cable
- Linux
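Review bot: the sentence "The exploit only prints `PPPwned` on your PS4 as a proof-of-concept" is kept unchanged although the commit title announces debug menu support for FW 10.00/10.01, so after this change the README describes a payload that the commit is replacing; reword it to say what the shipped `stage2.bin` does on the firmwares it covers, and mark in the Supported versions list which entries the debug menu payload covers, since the list currently presents all of them alike (for example "FW 10.00 / 10.01 (debug menu payload)").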
@@ -22,6 +27,8 @@ The exploit only prints `PPPwned` on your PS4 as a proof-of-concept. In order to
- has code for loading payloads from a USB (WIP)
- Big thanks to ps4debug for the utils

**Note:** Before you compile, copy `payload/payload.bin` to `stage2/` folder.

## Usage

On your computer, clone the repository:
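Review bot: the new note "Before you compile, copy `payload/payload.bin` to `stage2/` folder" introduces a manual prerequisite without saying where `payload/payload.bin` comes from (checked in, or produced by a separate build step) or what happens when it is missing, and it sits under the feature list rather than beside the compile command under `## Usage`, where a reader following the steps will look. Either have the build script (and `./build-macarm.sh`, which is documented further down) copy or reference the file itself so the step cannot be skipped, or move the note next to the compile instructions and state the file's origin; a build-time check that fails with a clear message when `stage2/payload.bin` is absent would be more robust than a README note alone.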
@@ -64,7 +71,7 @@ On your PS4:
- Go to `Settings` and then `Network`
- Select `Set Up Internet connection` and choose `Use a LAN Cable`
- Choose `Custom` setup and choose `PPPoE` for `IP Address Settings`
- Enter anything for `PPPoE User ID` and `PPPoE Pasword`
- Enter anything for `PPPoE User ID` and `PPPoE Password`
- Choose `Automatic` for `DNS Settings` and `MTU Settings`
- Choose `Do Not Use` for `Proxy Server`
- Click `Test Internet Connection` to communicate with your computer
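Review bot: only the `Pasword` typo changes in this hunk, which is correct; while touching these steps, "Click `Test Internet Connection`" could become "Select `Test Internet Connection`" to match the "Select" and "Choose" wording used for the controller-driven console UI in the lines above.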
@@ -159,7 +166,7 @@ If the exploit works, you should see an output similar to below, and you should
```

## Notes for Mac Apple Silicon Users (arm64 / aarch64)
The code will not compile on Apple Silicon and requires amd64 architecture.
The code will not compile on Apple Silicon and requires AMD64 architecture.
There is a workaround using docker which will build the bin files required.
Clone this repository to your mac system, then from the repo folder run `./build-macarm.sh`.This will build the binaries for PS4 FW 1100 and place the necessary files into the correct folders. To build the binaries for a different version, i.e. 900, run the command as such: `./build-macarm.sh 900`. Once built, copy this folder structure into the Linux VM and execute as instructed above.
This has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.04, and the host machine is MacOS 14.4.1
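Review bot: "The code will not compile on Apple Silicon and requires AMD64 architecture" says what fails but not why (which tool or dependency needs an amd64 host), so a reader cannot tell whether a native arm64 toolchain would be enough; state the reason, and whether `./build-macarm.sh` runs an amd64 Docker image under emulation, since that affects build time. Two formatting issues also remain in the changed lines: the missing space in "`./build-macarm.sh`.This will build", and "MacOS" should be "macOS". Finally, the script argument is written as "1100" and "900" while the Supported versions list writes "FW 11.00" and "FW 9.00"; one sentence mapping the argument format to the firmware number (and listing the accepted values) would avoid guesswork.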

0 comments on commit 82db695