PS4 release: DroidPPPwn updated to 1.4, adds exploit auto-start
Developer Deviato has updated DroidPPPwn, a port of the PPPwn PS4 exploit to Android phones. It relies on the C++ port of the PPPwn exploit (and is therefore reasonably fast to run). The tool requires a rooted phone to run the exploit and, of course, a USB to Ethernet adapter (your phone's USB interface also needs to support OTG, i.e. USB host mode).
Version 1.4, released yesterday, has added the ability to auto-run the exploit at start-up via a background service.
What is PPPwn for the PS4?
PPPwn is a Jailbreak chain for the PS4 released by TheFloW. It relies on a surprisingly old public vulnerability in one of the FreeBSD network drivers (sppp). The vulnerability was apparently never patched on the PS4, or the fix was lost at some point. Details on how the vulnerability impacts the PS4 in particular can be found on HackerOne.
PPPwn is confirmed to work up to firmware 11.00, with implementations now available for firmwares 7.00 through 11.00 inclusive. (People on 9.00 or below can still use the previous Jailbreak, pOOBs4.)
In its current implementation, PPPwn is a full Jailbreak for PS4 11.00 and below, and with the GoldHEN Custom Firmware having been ported recently, people on firmware 11.00 can now enjoy all the benefits of a Jailbroken PS4. For people running firmware 11.02 or 11.50, here's the current status.
PPPwn has seen various improvements since its release, in particular a port to C++ which has dramatically improved the exploit's speed and made it viable to run the exploit from a variety of "attacking" devices, including a Raspberry Pi, your own TV or router, or the incredibly tiny LuckFox Pico boards, including a way to modchip the PS4 and run the exploit at startup.
PS4 PPPwn Jailbreak from your Android Phone
PPPwn has also, of course, quickly been ported to one of the most popular platforms out there, Android. (when will we be able to hack the PS4 from a ham and cheese sandwich just like we did on the PS3, though?).
Of course this comes with limitations, or rather constraints: you'll need a rooted phone, and in order to plug in an Ethernet adapter your USB interface will need to support OTG (using the phone's USB port as a host). Bottom line: if you can already plug external devices such as a mouse or keyboard into your phone via USB, you're most likely good to go.
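To check that the adapter actually shows up as a USB-attached network interface on the phone (the interface DroidPPPwn will need to be pointed at), the following added example lists interfaces whose backing device sits on the USB bus. It is not part of DroidPPPwn or PPPwn; it only relies on the standard Linux sysfs layout (/sys/class/net/<iface>/device is a symlink into the device tree, and USB devices resolve to a path containing "usb"). It takes the sysfs net directory as an argument so it can be pointed at a constructed tree for testing; on the phone, run it from adb shell or a terminal app with no argument.

```shell
# Added example, not DroidPPPwn's own code.
# Prints the names of network interfaces backed by a USB device
# (candidates for the OTG Ethernet adapter). Loopback and virtual
# interfaces have no "device" entry and are skipped.
usb_eth_ifaces() {
  netdir="${1:-/sys/class/net}"   # default: the real sysfs tree
  for iface in "$netdir"/*; do
    [ -e "$iface" ] || continue
    name=$(basename "$iface")
    # No backing device: lo, tun, dummy, etc.
    [ -e "$iface/device" ] || continue
    # Resolve the symlink; USB-attached adapters resolve to a path
    # such as .../usb1/1-1/1-1:1.0, platform/PCI devices do not.
    devpath=$(readlink -f "$iface/device")
    case "$devpath" in
      *usb*) echo "$name" ;;
    esac
  done
}

# Usage on the phone (rooted, adapter plugged in):
#   usb_eth_ifaces
# Prints e.g. "eth0" if the adapter enumerated as a USB NIC.
```

If nothing is printed while the adapter is plugged in, either the phone is not acting as USB host (no OTG support) or the kernel has no driver for that adapter's chipset, and no amount of app-side tweaking will help.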
DroidPPPwn, what’s new in 1.4
Version 1.4 was released yesterday with the following changelog:
- Added an option to automatically run the exploit at start-up as a background service. You can also decide whether the device should be switched off automatically after the exploit has succeeded. NOTE: you may need to grant permission for the app to start automatically, depending on your Android system/device (e.g. on Xiaomi, go to Settings->Apps->Permissions->Autostart and check DroidPPPwn).
- Cleaned up the code and fixed some minor bugs
A lot of additional features have also been added since version 1.1. Specifically:
1.3.1
- Updated all stage2.bin files for ps4-hen-vtx payload to the latest version of EchoStretch (PPPwn-1.0310).
- HEN support has now been added for 7.0x firmwares too.
1.3
- Added a new pppwn binary build for Android x86_64 architectures.
- Added PS4HEN support for all the remaining firmwares. Now only the 7.0x versions remain without payload support, with only the basic PoC.
- Added two options to GUI to set optional parameters -nw (don’t wait one more PADI before starting) and -rs (use CPU for more precise sleep time) for pppwn.
- Fixed wrong build for x86 32bit.
- Unified the installer with a single apk package for both standard and 64-bit-only systems.
1.2.3
- Recompiled all binaries, updating them to the latest version of pppwn_cpp, which enables some previously non-working PS4 Slim units.
- Added support for the Linux payload on the 11.00 firmware, through a checkbox that allows you to switch between the standard GoldHEN stage2 and the LightningMods version. I preferred to keep the standard payload loader and not incorporate the ps4-linux payload into stage2.bin, to leave the choice of the 2GB, 3GB or 4GB version to you. If you want to replace the payload with your own, with your preferred hardcoded ps4-linux loader, overwrite the /data/data/it.deviato.droidpppwn/lib/linux.1100 file with your own stage2.
1.2.2
- Updated stage2.bin files to the latest version; you now have GoldHEN for 9.60 as well.
- For the other systems, as of now, these are the included stage2.bin files for each firmware:
- From 7.00 to 8.52 -> PoC by EchoStretch
- 9.00 -> GoldHen by Sistr0
- 9.03 / 9.04 -> LightningMods + ps4-hen-vtx payload by Sistr0 (NEEDS TESTING)
- 9.50 / 9.51 / 9.60 -> GoldHen by Sistr0 (maybe only 9.60 working?)
- 10.00 / 10.01 -> GoldHen by Sistr0
- 10.50 / 10.70 / 10.71 -> LightningMods + ps4-hen-vtx payload by Sistr0 (NEEDS TESTING)
- 11.00 -> GoldHen by Sistr0
- As usual, you can always put your own stage1.bin and stage2.bin into the root folder of your internal or external storage (/storage/emulated/0 or whatever the symlink /sdcard refers to)
1.2.1
- Changed the method for recognizing the device architecture, which was giving wrong results on some older systems
- Added one more binary for 32-bit armv7: you now have one for Android 4.4 built with shared libc, and one for armv7l/armv8l for Android 5.0+, statically linked
- Recompiled all the other binaries with real static linking (there was an error in the previous version)
- Some minor enhancements
1.2
- Added support for Android x86 and fixed the 32-bit arm-v7a and 64-bit arm-v8a builds (no more bus_error)
- Recompiled all binaries using the Android NDK instead of the Termux environment (cleaner result)
- Added the option to search for and select the preferred network interface
- Fixed the issue of binaries not being installed on devices with older Android versions
The developer showcases the effectiveness of the exploit in the video below (this video is running version 1.1):
Download and use DroidPPPwn
You can download the files from the github page at https://github.com/deviato/DroidPPPwn/releases
From the readme:
- Download the latest release from this repository and install it on your Android phone.
- On your PS4: follow the instructions from the original PPPwn to configure the Ethernet connection.
- Start the DroidPPPwn application and select your PS4 firmware.
- Press the Start button in the app and simultaneously X on your controller when you're on the Test Internet Connection screen.
- Wait until the exploit reaches stage4 and the message is printed on your monitor.
- If the exploit fails, click the Start button again to stop it, and repeat the last step.
Thanks to Marco for the tip!