PS4 PPPwn - PlayStation 4 PPPoE RCE - (The First PS4 Kernel RCE - Supporting up to FW 11.00) by TheFlow

Scene developer and hacker TheFlow, who has been a legend in various PlayStation scenes, has done it yet again!! This time the developer has released "The first PlayStation 4 Kernel RCE, Supporting FWs upto 11.00".

With the newly released proof-of-concept (PoC) jailbreak, the community will be able to update the popular Homebrew Enablers (Mira and GoldHEN) to support firmware 11.00. TheFlow disclosed the underlying bug (CVE-2006-4304) through the bounty program, and it has been patched in the latest PS4 firmware available.


via @theflow0
Decided to publish PPPwn early. The first PlayStation 4 Kernel RCE. Supporting FWs upto 11.00.
https://github.com/TheOfficialFloW/PPPwn

(note: video is re-publish of original)

  • PPPwn - PlayStation 4 PPPoE RCE
    PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for CVE-2006-4304 that was reported responsibly to PlayStation.
    Supported versions are:
    • FW 9.00
    • FW 11.00
    • more can be added (PRs are welcome)
    The exploit only prints PPPwned on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the stage2.bin payload needs to be adapted.


    Requirements

    • Computer with Ethernet port
      • USB adapter also works
    • Ethernet cable
    • Linux
      • You can use VirtualBox to create a Linux VM with Bridged Adapter as network adapter to use the ethernet port in the VM.
    • Python3 and gcc installed


  • See Readme @:

  • Modded Warfare has put together a video of the process:




The question has been asked by various users: can this be adapted to the PS5? SpecterDev answered this question on X:
Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do. 1/2

OM also plays a role, even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon.. 2/2
 
I know how to do the exploit with Linux and with Windows, but this is the real question.
Let's say I've got a rooted Android phone. I have NetHunter Kali Linux installed, I've got Termux and the NetHunter terminal, all as root.
If I used my phone with an OTG cable and a USB-to-Ethernet adapter plugged into that OTG cable, and plugged that directly into the PS4, would I be able to do the exploit like this? It's just a question.
 
If someone already has a 9.0 PS4, is there any advantage (once it's fully stable and supported etc.) to updating to 11.0 for this exploit? Or just stay on 9 with p00bs?
 
I know how to do the exploit with Linux and with Windows, but this is the real question.
Let's say I've got a rooted Android phone. I have NetHunter Kali Linux installed, I've got Termux and the NetHunter terminal, all as root.
If I used my phone with an OTG cable and a USB-to-Ethernet adapter plugged into that OTG cable, and plugged that directly into the PS4, would I be able to do the exploit like this? It's just a question.
I don't own a PS4, and I don't know what all is involved with this exploit, but Termux is very limited, even with the Ubuntu package.
 
So if I understand correctly, currently any firmware between 9.00 and 11.00 is vulnerable to this exploit?
And can it run GoldHEN also?
 
I tried on a couple of PS4 Phat and Slim consoles on FW 11.0 and it did work, but I don't have a Pro so I have not tried it there.
 
Hi, is there a way to downgrade a PS4 from 11.50 in case I do not have FW 11.00 on the second memory slot?
Or is there any chance of a working RCE for 11.50?
 
Hi, is there a way to downgrade a PS4 from 11.50 in case I do not have FW 11.00 on the second memory slot?
Or is there any chance of a working RCE for 11.50?
There is no way to downgrade in your case.
There is no chance for 11.50 jailbreak.
 
