PPPwn is a groundbreaking kernel remote code execution exploit for PlayStation 4, compatible with multiple firmware versions up to 11.00. This proof-of-concept allows advanced users to explore the inner workings of their consoles safely. With simple setup instructions and community support, PPPwn makes it easy to expand your PS4's capabilities.
PPPwn - PlayStation 4 PPPoE Remote Code Execution
PPPwn is an innovative kernel remote code execution exploit specifically designed for the PlayStation 4, compatible with system firmware (FW) versions up to 11.00. This repository serves as a proof-of-concept for CVE-2006-4304, which was reported responsibly to PlayStation.
Supported Firmware Versions
PPPwn currently supports multiple firmware versions, including:
- FW 7.00 / 7.01 / 7.02
- FW 7.50 / 7.51 / 7.55
- FW 8.00 / 8.01 / 8.03
- FW 8.50 / 8.52
- FW 9.00
- FW 9.03 / 9.04
- FW 9.50 / 9.51 / 9.60
- FW 10.00 / 10.01
- FW 10.50 / 10.70 / 10.71
- FW 11.00
- Additional firmware versions can be added through pull requests (PRs are welcome!).
Proof-of-Concept Functionality
This exploit merely displays the message PPPwned on your PS4 as a demonstration of its functionality. To utilize homebrew enablers like Mira, you'll need to adapt the stage2.bin payload accordingly.
Requirements
To successfully execute the exploit, you will need:
- A computer with an Ethernet port (USB adapters are also supported)
- An Ethernet cable
- Linux operating system (you can use VirtualBox with a Bridged Adapter for a Linux VM)
- Python3 and gcc installed
Usage Instructions
Begin by cloning the PPPwn repository to your computer:
git clone --recursive https://github.com/TheOfficialFloW/PPPwn
Navigate to the cloned directory:
cd PPPwn
Next, install the requirements:
sudo pip install -r requirements.txt
Compile the payloads as follows:
make -C stage1 FW=1100 clean && make -C stage1 FW=1100
make -C stage2 FW=1100 clean && make -C stage2 FW=1100
For other firmware versions, such as FW 9.00, adjust the command accordingly.
Prepare the following command on your prompt (check the correct interface using ifconfig):
sudo python3 pppwn.py --interface=enp0s3 --fw=1100
PS4 Configuration
On your PS4, follow these steps:
- Navigate to Settings, then Network.
- Select Set Up Internet Connection and choose Use a LAN Cable.
- Opt for a Custom setup and select PPPoE for IP Address Settings.
- Enter any details for PPPoE User ID and PPPoE Password.
- Choose Automatic for both DNS Settings and MTU Settings.
- Select Do Not Use for Proxy Server.
Once the Python command is prepared, simultaneously press the 'X' button on your PS4 controller on Test Internet Connection and 'Enter' on your computer. Be sure to wait for the console to display the message "Cannot connect to network: (NW-31274-7)" before retrying the PPPoE injection. If the exploit fails, kill the pppwn.py script and then simply click Test Internet Connection again.
Example Execution
An output similar to the following indicates successful execution:
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin
[+] STAGE 0: Initialization
...
[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!
Apple Silicon Users
For Mac Apple Silicon (arm64 / aarch64) users, be aware that code compilation requires AMD64 architecture. A workaround is available using Docker to build the necessary binaries. For detailed instructions, clone the repository on your Mac and use ./build-macarm.sh to generate binaries for PS4 FW 1100, or run ./build-macarm.sh 900 for other versions.
This has been tested successfully using VMware Fusion with Ubuntu 24.04.