✨ 9.03/9.04 Support

[iMrDJAi]

Added offsets for FW 9.03. Gadgets are mostly found by @zecoxao.

I dedicate this one to our friend @903jailbreak 😂

[iMrDJAi]

I need testers btw

[dxcool222]

I’ll test here in a bit I have a PS4 Pro on 9.03

[DJTOMATO]

I wanted to test it in 9.03, PS4 pro too Can anyone share the compiled files? I cannot compile on windows, neither on my rpi/arm

[ablixM]

I need testers btw

I can test

[AkoposiNobi]

I would love to test this out but im on 9.04 xD

[W-i-n-7]

I wanted to test it in 9.03, PS4 pro too Can anyone share the compiled files? I cannot compile on windows, neither on my rpi/arm

i can compile it for you

[hydroxideHO21]

I need testers btw

I have a fat 9.03 I can test now

[W-i-n-7]

PPPwn903.zip precompiled by me

[W-i-n-7]

@DJTOMATO here

I wanted to test it in 9.03, PS4 pro too Can anyone share the compiled files? I cannot compile on windows, neither on my rpi/arm

[ablixM]

PPPwn903.zip precompiled by me

will test it now

[DJTOMATO]

Testing as we speak

[UndeadTigerAU]

Am willing to test as well!

[W-i-n-7]

im on 10.50 nobody talking about that :/

[AmineSimcos]

im on 11.50 :(

[MagmaSKV]

I have 10.00, if you need a tester for that one, I could try to help you.

[W-i-n-7]

im on 11.50 :(

you can leave... not to be rude

[DJTOMATO]

[+] args: interface=eth0 fw=903 stage1=stage1/stage1.bin stage2=stage2/stage2.b         
in

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffec1b077b4800
[+] Target MAC: 2c:cc:44:3d:xx:xx <= Double checked and it's ps4 pro MAC, so it finds it properly
[+] Source MAC: 07:48:7b:07:xx:xx
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR... <= Gets stuck here

CE-33984-7 Cannot obtain an ip adderss within the time limit

[ghost]

Maybe the next one will be 10.71? :)

[se2crid]

how are you getting the offsets? and how are you getting them if you dont have a 9.03 ps4?

[hydroxideHO21]

i got further @iMrDJAi sometimes i get stuck here

[lompaket]

I get to the same place using the 10.01 offsets

[hydroxideHO21]

UPDATE got it to here and froze my PS4 will continue brute forcing lol

[kaz2700]

Also got to the stage1 a couple of times and PS4 froze (9.03 pro) firmware

[hydroxideHO21]

@iMrDJAi Seems to continually get stuck at "Waiting for stage1 to resume..." I've tried probably 50 times and this is as far as it gets

Hope this helps!!

[hydroxideHO21]

what I've seen so far with my console (PS4 Fat)

• 7/10 times fails to find corrupted object
• 2/10 times gets stuck waiting for LCP configure object
• 1/10 times gets stuck waiting for stage 1 to resume after getting to stage 3 (causes ps4 to hard freeze, controllers to disconnect, and must be unplugged to reset)

[hydroxideHO21]

from what I can determine, seems to be an offsets issue. wish I knew how to dump my kernel

[iMrDJAi]

The only thing that I haven't double check is the gadgets. I'm going to search for them again using https://github.com/JonathanSalwan/ROPgadget.

[se2crid]

The only thing that I haven't double check is the gadgets. I'm going to search for them again using https://github.com/JonathanSalwan/ROPgadget.

what are the gadgets?

[JoElH4ck3r2022]

offsets 10.00??

[se2crid]

offsets 10.00??

nobody is working on 10.00 rn but that fw can be jailbroken

[zecoxao]

just a note here that the gadgets from 9.03 are identical to the ones on 9.04

[count0nz]

I have a 9.03 slim ps4 can test later

[Bryan-De]

Doesn't work my console this freeze

[Cracko298]

Just tested, works great

[amraj007]

Please do the 10.70

[HiDeath98]

Just tested, works great

what PS4 version do you have exactly, can you please give the exact steps you did?

[se2crid]

Just tested, works great

HOW?

[hydroxideHO21]

I have B03 FAT PS4

[ablixM]

i got further @iMrDJAi sometimes i get stuck here

same for me fat ps4 9.03

[se2crid]

I have B03 FAT PS4

you mean 9.03 right?

[hydroxideHO21]

I have B03 FAT PS4

you mean 9.03 right?

Yes 😂

[se2crid]

what happens when you run the script

[hydroxideHO21]

what happens when you run the script

what I've seen so far with my console (PS4 Fat)

• 7/10 times fails to find corrupted object
• 2/10 times gets stuck waiting for LCP configure object
• 1/10 times gets stuck waiting for stage 1 to resume after getting to stage 3 (causes ps4 to hard freeze, controllers to disconnect, and must be unplugged to reset)

[UndeadTigerAU]

Hey I want to test it out on my PS4 but I'm unsure how to, any help appreciated.

[Jara1596]

Also got to the stage1 a couple of times and PS4 froze (9.03 pro) firmware

Same for me using ps4 slim (9.03)

[iMrDJAi]

Need testers ^^^^^

[Bryan-De]

Can you send me the decompile files I can't decompile them stage 1 and 2

[Bryan-De]

Need testers ^^^^^

[+] STAGE 0: Initialization [] Waiting for PADI... [+] pppoe_softc: 0xffffb72d07e84a00 [+] Target MAC: 0c:fe:45:45:97:c1 [+] Source MAC: 07:4a:e8:07:2d:b7 [+] AC cookie length: 0x4e0 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [*] Waiting for interface to be ready... [+] Target IPv6: fe80::efe:45ff:fe45:97c1 [+] Heap grooming...done

[+] STAGE 1: Memory corruption [+] Pinning to CPU 0...done [] Sending malicious LCP configure request... [] Waiting for LCP configure reject... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [+] Scanning for corrupted object...found fe80::092f:4141:4141:4141

[+] STAGE 2: KASLR defeat [*] Defeating KASLR... [+] pppoe_softc_list: 0xffffffffcf7f19f8 [+] kaslr_offset: 0x4b408000

[+] STAGE 3: Remote code execution [] Sending LCP terminate request... [] Waiting for PADI... [+] pppoe_softc: 0xffffb72d07e84a00 [+] Target MAC: 0c:fe:45:45:97:c1 [+] Source MAC: 6f:e8:de:cd:ff:ff [+] AC cookie length: 0x514 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Triggering code execution... [*] Waiting for stage1 to resume...

does not work for me it is completely buggy the console menus impossible to turn it off in part by unplugging the console

[kaz2700]

Can confirm this behaviour

[Jara1596]

I've got the same bug, console menu is buggy, no sound and after a while it crash.