PS4 PPPwn Exploit: DroidPPPwn port to Android phones (version 1.1)

Developer Deviato has released DroidPPPwn, a port of the PPPwn PS4 exploit to Android phones. It relies on the C++ port of the PPPwn exploit (and therefore is reasonably fast to run). As one might expect, you will need a rooted phone to run the exploit, and, of course, a USB to Ethernet adapter (your phone’s usb interface also needs to support OTG).

Version 1.1, released yesterday, brings support for more android devices, some bugfixes, and makes the tool more flexible to use, generally speaking.

What is PPPwn for the PS4?

PPPwn is a Jailbreak chain for the PS4 released by TheFloW. It relies on a surprisingly old public vulnerability in one of the FreeBSD Network drivers (sppp). The vulnerability was apparently never patched for PS4, or incorrectly brought back at some point. Details on how the vulnerability impacts the PS4 in particular can be found on hackerone.

PPPwn is confirmed to work up to Firmware 11.00, with existing implementations now available for Firmwares 7.00 up to 11.00 included. (People on 9.00 or below can still enjoy the previous Jailbreak, pOOBs4).

In its current implementation, PPPwn is a full Jailbreak for PS4 11.00 and below, and with Custom Firmware GoldHEN having been ported recently, people on Firmware 11.00 can now enjoy all the benefits of a Jailbroken PS4. For People running on Firmware 11.02 or 11.50, here’s the current status.

PPPwn has seen various improvements following its release, in particular a port to C++ which has dramatically improved the exploit’s speed, and made it viable to run the exploit from a variety of “attacking” devices, including Raspberry Pi, or even your own TV or router.

PS4 PPPwn Jailbreak from your Android Phone

It was therefore just a matter of time before we saw PPPwn being ported to one of the most popular platforms out there, Android. (when will we be able to hack the PS4 from a ham and cheese sandwich just like we did on the PS3, though?).

Of course this comes with limitations, or rather, constraints: you’ll need a rooted phone, and in order to use an ethernet cable, your USB interface will need to support OTG (using USB as a host. Bottom line, if you can already plug external devices such as mouse or keyboard on your phone via USB, you’re most likely good to go).

DroidPPPwn, what’s new in 1.1

Version 1.1 was released yesterday with the following changelog

• Added support for 32bit arm-v7a with separated binary of pppwn
• Refactored the whole project lowering minSdk to version 19, so now it can run on Android KitKat 4.4+
• Replaced stage2.bin for supported firmwares with those ones from Sistr0 repo to allow loading payloads
• Added the possibility to use your own stage2.bin
• Other small fixes

The developer showcases the effectiveness of the exploit in the video below:

Download and use DroidPPPwn

You can download the files from the github page at https://github.com/deviato/DroidPPPwn/releases

From the readme :

• Download the latest release from this repository and install to your android phone.
• On your PS4: follow the instructions from the original PPPwn to configure the ethernet connection.
• Start DroidPPPwn application and select your PS4 firmware.
• Press Start button on the app and simultaneously X on your controller when you’re on the Test Internet Connection screen.
• Wait until the exploit reaches the stage4 and the message is printed on your monitor
• If exploit fails click Start button again to stop it, and repeat again the last step

Thanks to Marco for the tip!