I rewrote the script to use a small device to pwn a PS4 in offline mode; most of the idea and the script come from stooged.
Tested on a PS4 Slim, FW 10.50.
It can be used with a Raspberry Pi, Armbian devices, TV boxes and some Linux systems.
For the normal version: no need to install additional software, no root required.
For the web server version: needs pppoe, nginx, php-fpm 8.1 or later (8.2 recommended) and nmap. It requires an internet connection to install the packages; using my pre-built image makes it easier.
The image should have no graphical interface: CLI, current, default, minimal (at least bookworm or jammy).
What is the benefit of the normal versus the web server version? (my opinion)
| Pi-Pwn-Offline | Normal | Web Server |
|---|---|---|
| Installation | easy | requires internet |
| Speed | faster | slower, around 15-20 seconds |
| PPPwn success rate | better | lower |
| Kernel panic | lower | higher |
| Change config | PC | PS4 browser or PC |
| Payload loader | Payload Guest | BinLoader or Payload Guest |
| GoldHEN detection | no | yes |
Current PPPwn support (FW): 7.00 - 11.00. The exploit only prints PPPwned on your PS4 as a proof-of-concept.
Current GoldHEN support (FW): 9.00, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71, 11.00. You need to place the goldhen.bin file onto the root of a USB drive and plug it into the console. Once GoldHEN has been loaded for the first time it is copied to the console's internal HDD and the USB drive is no longer required.
Current HEN support (FW): 7.00 - 11.00. You need to place the payload.bin file onto the root of a USB drive and plug it into the console. Once HEN has been loaded for the first time it is copied to the console's internal HDD and the USB drive is no longer required.
Current HEN by BestPig support (FW): 10.50. No need to place any file onto the root of a USB drive.
On your PC, insert the SD card, create the /firmware/PPPwn/ folder (on new Raspbian distros: /PPPwn/), then copy all the files from /PPPwn/ into the /PPPwn/ folder on your SD card.
When the device has booted, SSH in and run the installer in the terminal with this command:

```sh
# web server version
sudo bash /boot/firmware/PPPwn/install_web.sh
# normal version
sudo bash /boot/firmware/PPPwn/install.sh
```

During the install process you will be asked to set some options. It creates config.sh, pconfig.sh and the auto-run script that pwns the PS4.
Shut down, connect the device to the PS4 and test your PPPwn.
On your PS4: Settings, then Network, then Set Up Internet Connection; choose Use a LAN Cable, then Custom setup, and choose:

- PPPoE for IP Address Settings
- PPPoE User ID and PPPoE Password
- Automatic for DNS Settings and MTU Settings
- Do Not Use for Proxy Server

Open 192.168.2.1 in your PS4 browser when the device is not in the pwn process. Normally the pwn process succeeds on the first or second attempt.
Very easy to set up: write the image, change config.sh and pconfig.sh, then test your PPPwn.
Latest update: 30/08/2024

| Normal offline image | distro | SD card | Download |
|---|---|---|---|
| Raspberry Pi | buster (php7.3), up to Pi 4 | 4GB or above | download |
| Armbian amlogic | bookworm, s912 may not work | 4GB or above | download |
| Armbian amlogic | jammy, s905x3 may not work | 2GB or above | download |

Latest update: 30/10/2024

| Web server offline image | distro | SD card | Download |
|---|---|---|---|
| Raspberry Pi | bookworm (php8.2), up to Pi 5 | 4GB or above | download |
| Armbian amlogic | bookworm (php8.2), s912 may not work | 4GB or above | download |
| Armbian amlogic | jammy (php8.1), s905x3 may not work | 2GB or above | download |
If you see "Ready for console connection" it means your device is ready for PPPwn. Please update to the latest script following the section How to update.
On your PC, insert the SD card.
Web server version: copy and replace the files /update/run_web.sh and /PPPwn/PPPwn.tar into your /PPPwn/ folder.
Normal version: copy and replace the files /update/run.sh and /PPPwn/PPPwn.tar into your /PPPwn/ folder.
Keep in mind that pwning your PS4 with the old IPv6 address is faster than with the new one; it is better to use it if your PS4 supports it.
You can manually update GoldHEN if a new firmware is available. Copy stage2_xxxx.bin to the folder /boot/firmware/PPPwn/stage2/goldhen/ (if fw=9.03 then xxxx=903, i.e. stage2_903.bin; the stage2 folder lives under /boot/firmware/PPPwn/) and put the goldhen.bin file onto the root of a USB drive.
Config file location: SDCARD/firmware/PPPwn/ (new Raspbian distro: SDCARD/PPPwn/)
| config.sh | Description |
|---|---|
| CPPMETHOD="3" | 1 = v1 Old IPv6 only (fastest), 2 = stooged binary, 3 = latest xfangfang binary, 4 = nn9dev binary |
| INTERFACE="eth0" | eth0, eth1, end0, etc. |
| FIRMWAREVERSION="10.71" | your current firmware |
| USBETHERNET=false | set to true if using an external USB Ethernet adapter |
| STAGE2METHOD="goldhen" | goldhen, hen, bestpig (10.50 only) and flow |
| SOURCEIPV6="2" | 1 = Old IPv6, 2 = New IPv6, 3 = Custom IPv6 |
| CUSTOMIPV6="" | Custom IPv6 in xxxx:xxxx:xxxx:xxxx format, used with SOURCEIPV6="3" |
| DETECTMODE="2" | 1 = Disable, 2 = PS4 power on, 3 = GoldHEN, 4 = Both detections |
| For web server version | - |
| PPPOECONN=true | the only way to re-enable it if you accidentally disabled it in the PS4 browser; setting it to false enables auto shutdown and auto pwn |
| PWNAUTORUN=true | set to false if you want to pwn manually from the PS4 web browser |
| TIMEOUT="5m" | timeout in minutes to restart PPPwn if the exploit hangs mid-process |
| PPDBG=false | enables debug output from PPPwn so you can see the result after the exploit |
PPDBG should be set to false; enabling it slows down the PPPwn process.
DETECTMODE: 2 = wait until the PS4 is ready for pwn, useful when the device uses a separate power supply; 3 = GoldHEN detection (web server version only), useful for rest mode but it requires additional time (15-20 seconds) to check.
STAGE2METHOD: if no stage2 is available it will use TheOfficialFloW's.
| STAGE2METHOD | Description |
|---|---|
| goldhen | use GoldHEN, put goldhen.bin onto the root of a USB drive |
| hen | use vtx-hen, put payload.bin onto the root of a USB drive |
| bestpig | use HEN by BestPig, FW 10.50 only |
| flow | anything not in the above list will use TheOfficialFloW |
CUSTOMIPV6: the new IPv6 address is used if no value is set. An incorrect format may cause the PS4 to shut down. A custom IPv6 address may add to the PS4 shutdown and start problem or cure it; change to the old or new IPv6 if you encounter the problem.
| SOURCEIPV6 | Description |
|---|---|
| 1 | Old IPv6 = fe80::4141:4141:4141:4141 |
| 2 | New IPv6 = fe80::9f9f:41ff:9f9f:41ff |
| 3 | Custom IPv6 = fe80::xxxx:xxxx:xxxx:xxxx |
CPPMETHOD: if the cpp setup is incorrect it will use the latest xfangfang binary.
The stooged binary (CPPMETHOD="2") has stage1, stage2 and hen-vtx integrated into the binary; for hen-vtx there is no need to place payload.bin onto the root of a USB drive.
The nn9dev binary (CPPMETHOD="4") adds new features: spray number, corrupt number and pin number.
| CPPMETHOD | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Binary | v1.0.0 xfangfang | stooged | latest xfangfang | nn9dev |
| Old IPv6 | o | o | o | o |
| New IPv6 | x | o | o | o |
| Custom IPv6 | x | o | x | o |
| wait-after-pin | x | o | o | o |
| groom-delay | x | o | o | o |
| buffer-size | x | o | o | o |
| no-wait-padi | x | o | o | o |
| spray number | x | x | x | o |
| corrupt number | x | x | x | o |
| pin number | x | x | x | o |
If the pconfig setup is incorrect it will use the default value.

| pconfig.sh | Description |
|---|---|
| XFWAP="1" | wait-after-pin, set a value between 1-20 seconds |
| XFGD="4" | groom-delay, set a value between 1-4097 ms |
| XFBS="0" | buffer-size, set a value between 0-20480 |
| XFNWB=true | no-wait-padi, set to false if you encounter a problem |
| For CPPMETHOD="4" | - |
| SPRAY_NUM="1000" | set a hex value between 400-1500 (1000, 1050, 1100, 1150, ...) |
| CORRUPT_NUM="10" | set a hex value: 1, 2, 4, 6, 8, 10, 14, 20, 30, 40 |
| PIN_NUM="1000" | it's fine to leave this at the default |
See xfangfang, nn9dev for further details.
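As an added example that is not part of the Pi-Pwn-Offline scripts, the POSIX sh check below reads a config.sh and pconfig.sh pair without executing them and reports values outside the ranges documented in the tables above, including the CPPMETHOD/SOURCEIPV6 combinations the feature matrix marks as unsupported and a malformed CUSTOMIPV6 (which the notes say can shut the PS4 down). It assumes the files use the KEY="VALUE" layout shown in the tables; the key names and limits come from this page.

```sh
#!/bin/sh
# Added example (not part of the Pi-Pwn-Offline scripts): check a config.sh / pconfig.sh pair
# against the ranges documented above.  Usage: check_config config.sh pconfig.sh  (exit 0 = all ok)

cfg_get() {  # $1 file, $2 KEY -> value of the last KEY="VALUE" or KEY=VALUE line; file is not executed
  sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

check_config() {
  cfg=$1; pcfg=$2; bad=0
  err() { echo "config error: $*" >&2; bad=1; }
  in_set() {   # $1 key, $2 value, $3 space-separated allowed values
    case " $3 " in *" $2 "*) ;; *) err "$1='$2' not one of: $3" ;; esac
  }
  in_range() { # $1 key, $2 value, $3 min, $4 max (decimal)
    case $2 in ''|*[!0-9]*) err "$1='$2' is not a number"; return ;; esac
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ] || err "$1=$2 not in $3-$4"
  }
  cpp=$(cfg_get "$cfg" CPPMETHOD); s2=$(cfg_get "$cfg" STAGE2METHOD)
  fw=$(cfg_get "$cfg" FIRMWAREVERSION); src=$(cfg_get "$cfg" SOURCEIPV6)
  v6=$(cfg_get "$cfg" CUSTOMIPV6); det=$(cfg_get "$cfg" DETECTMODE)
  in_set CPPMETHOD "$cpp" "1 2 3 4"
  in_set STAGE2METHOD "$s2" "goldhen hen bestpig flow"
  in_set SOURCEIPV6 "$src" "1 2 3"
  in_set DETECTMODE "$det" "1 2 3 4"
  echo "$fw" | grep -Eq '^[0-9]+\.[0-9]{2}$' || err "FIRMWAREVERSION must look like 10.50"
  [ "$s2" = bestpig ] && [ "$fw" != 10.50 ] && err "bestpig is FW 10.50 only"
  # A malformed custom address can shut the PS4 down: require four hex groups.
  if [ "$src" = 3 ]; then
    echo "$v6" | grep -Eq '^([0-9a-fA-F]{1,4}:){3}[0-9a-fA-F]{1,4}$' || err "CUSTOMIPV6 must be xxxx:xxxx:xxxx:xxxx"
  fi
  # Feature matrix from the CPPMETHOD table: method 1 is Old IPv6 only, method 3 has no Custom IPv6.
  [ "$cpp" = 1 ] && [ "$src" != 1 ] && err "CPPMETHOD=1 supports Old IPv6 only"
  [ "$cpp" = 3 ] && [ "$src" = 3 ] && err "CPPMETHOD=3 has no Custom IPv6"
  in_range XFWAP "$(cfg_get "$pcfg" XFWAP)" 1 20
  in_range XFGD "$(cfg_get "$pcfg" XFGD)" 1 4097
  in_range XFBS "$(cfg_get "$pcfg" XFBS)" 0 20480
  in_set XFNWB "$(cfg_get "$pcfg" XFNWB)" "true false"
  if [ "$cpp" = 4 ]; then   # nn9dev-only settings; SPRAY_NUM is documented as hex 400-1500
    spray=$(cfg_get "$pcfg" SPRAY_NUM)
    case $spray in ''|*[!0-9a-fA-F]*) err "SPRAY_NUM='$spray' is not hex" ;;
      *) [ "$((0x$spray))" -ge 1024 ] && [ "$((0x$spray))" -le 5376 ] || err "SPRAY_NUM must be hex 400-1500" ;;
    esac
    in_set CORRUPT_NUM "$(cfg_get "$pcfg" CORRUPT_NUM)" "1 2 4 6 8 10 14 20 30 40"
  fi
  return $bad
}
```

Run it against the two files on the SD card before booting the device; each problem is printed to stderr and the exit status is non-zero if any value is out of range.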
There are 2 methods to load payloads: the Payload Guest app, or GoldHEN BinLoader via the offline PS4 browser (or an online host if connected to the internet). Enable BinLoader in GoldHEN settings.

| PS4 FW | GoldHEN | HEN-VTX | TheOfficialFloW |
|---|---|---|---|
| 11.00 | o | o | o |
| 10.71 | o | o | o |
| 10.70 | o | o | o |
| 10.50 | o | o | o |
| 10.01 | o | o | o |
| 10.00 | o | o | o |
| 9.60 | o | o | o |
| 9.51 | x | o | o |
| 9.50 | x | o | o |
| 9.04 | x | o | o |
| 9.03 | x | o | o |
| 9.00 | o | o | o |
| 8.52 | x | o | o |
| 8.50 | x | o | o |
| 8.03 | x | o | o |
| 8.01 | x | o | o |
| 8.00 | x | o | o |
| 7.55 | x | o | o |
| 7.51 | x | o | o |
| 7.50 | x | o | o |
| 7.02 | x | o | o |
| 7.01 | x | o | o |
| 7.00 | x | o | o |
Set CPPMETHOD to "1".
Set STAGE2METHOD to GoldHEN or HEN depending on your firmware version.
"Cannot connect to network: (NW-31274-7)." means the program is attempting the injection; sometimes the exploit fails or the PS4 crashes.
"LAN cable not connected." means the program will try the next attempt; if the pwn succeeds it turns off the Ethernet interface and shuts down the device (if not using the web server).
CPPMETHOD="4": my PS4 (not cursed) worked great with Corrupt Number="10" (decimal 16).
"LAN cable not connected." should be printed on the PS4 screen, or else the next detection may fail.