xfangfang / PPPwn_cpp

C++ rewrite of PPPwn (PlayStation 4 PPPoE RCE)
GNU General Public License v3.0

Automated Payload Injection Post-Jailbreak for Linux Boot #82

Open seuros opened 3 months ago

seuros commented 3 months ago

I've got an idea that could really improve the experience for those of us who use the PS4 mostly for its Linux capabilities. Here's what I'm thinking:

Right now, after we jailbreak the PS4, we have to manually inject additional payloads to get into Linux. It would be awesome if we could modify this app process so that it automatically injects these payloads once the jailbreak is complete.

My idea is to have a folder named payloads where we can store all the necessary payloads. The system would then automatically send these payloads in alphabetical order right after the jailbreak finishes. This way, I could just leave my console on PPP all the time, and it would autoboot into Linux without any extra steps.

This would make the whole process much smoother and more convenient, especially for those of us who use Linux on the PS4 regularly. No more fiddling around with payloads every time we reboot – just jailbreak and go straight into Linux.

What do you think? Would anyone else find this useful?

I could try to give it a stab if there is demand. Right now I just have a script that automates the payload after this application exits.

Gouster4 commented 2 months ago

I think that's kinda impossible, because the PPPoE vulnerability is limited in payload size, and even GoldHEN can't be loaded through PPPwn itself. That's why GoldHEN is loaded the first time from a USB stick, then from a copy on the HDD. It's done by the PPPwn 2nd stage shipped by GoldHEN. It is possible to load all payloads to a USB stick, and make your own 2nd stage that loads them from USB or even copies them to the HDD and then loads from there like GoldHEN does. But it's not related to PPPwn itself, as PPPwn is just a tool to load that 2nd stage.

Requires a new project that aims to do this. Take a look at the GoldHEN source code; maybe you can modify their 2nd stage for your needs.

seuros commented 2 months ago

After injecting stage2, GoldHEN is started and the binloader server starts listening on the fake IP 42.42.42.42 for about 40 seconds before shutting down.

If we could push valid payloads in this time period, we could boot Linux without user intervention.

Gouster4 commented 2 months ago

> After injecting stage2, GoldHEN is started and the binloader server starts listening on the fake IP 42.42.42.42 for about 40 seconds before shutting down.
>
> If we could push valid payloads in this time period, we could boot Linux without user intervention.

To get internet access on my PS4, after a successful PPPwn, I'm starting a regular PPPoE server, where the PS4 gets an IP I set before, so that is also an option for binloader.

seuros commented 2 months ago

Is it an automated process or do you have to do it manually?

Gouster4 commented 2 months ago

> Is it an automated process or do you have to do it manually?

Manually, using mpd5, or automatically with your own script like I did. I can share it with you, but I went with mpd5 because I'm running PPPwn on FreeBSD (OPNsense), and I'm using a different interface for the jailbreak and for providing the internet connection using PPPoE.

But you can use the gateway branch of PPPwn to get an internet connection on the PS4 after the jailbreak.

If you mean binloader, then you can make your own script that sends the payload to binloader after a successful jailbreak. But I think you need to enable binloader once on GoldHEN, and then it stays on after the next jailbreak.

But I think using binloader with a PPPoE server is a better option than with PPPwn's fake IP, because you would not be time limited.