[PS4] PPPwn – PPPoE kernel RCE from TheFlow available for PS4 up to firmware 11.00 – News and current affairs posted on LS

The well-known developer TheFloW has just published PPPwn, his kernel exploit for PS4 consoles running firmware up to 11.00. The exploit is effectively a jailbreak and relies on a fairly old, publicly documented vulnerability in one of the FreeBSD network drivers (sppp, the PPP/PPPoE implementation the PS4 inherits from FreeBSD), which was apparently never patched on the PS4 or was reintroduced by mistake at some point.

PPPwn is a remote code execution attack, meaning that someone without physical access to the console can trigger the exploit by setting up a "malicious" PPPoE endpoint. The remote part needs qualifying, though: PPPoE runs directly over Ethernet frames rather than over IP, so the attacker's endpoint has to sit on the same link as the console's wired connection (or in the path to its ISP), and the target PS4 has to be configured for PPPoE and actually connect to that endpoint for the exploit to fire. In practice this is a LAN-adjacent attack, not something reachable from across the internet.
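The discovery stage that the paragraph above refers to (the console broadcasting for an endpoint, and the "malicious" endpoint answering) is easy to see in code. What follows is an added example, not code from PPPwn, TheFlow or the PS4: a minimal RFC 2516 PPPoE discovery frame builder plus a bounds-checked parser, with the access-concentrator side answering a client's PADI with a PADO. The MAC addresses, the AC name "lab-ac", the Host-Uniq value "ps4" and the AC-Cookie are made-up values for the example. It stops at discovery and does not touch the PPP session stage handled by sppp; the point it illustrates is that nothing in discovery authenticates the endpoint, so any host on the segment can claim the role.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PPPoE discovery constants from RFC 2516 */
#define ETH_P_PPPOE_DISC 0x8863
#define PPPOE_VERTYPE    0x11   /* version 1, type 1 packed in one byte */
#define PADI 0x09               /* client -> broadcast: "is there an AC?" */
#define PADO 0x07               /* AC -> client: "yes, here I am" */
#define PADR 0x19
#define PADS 0x65
#define TAG_EOL          0x0000
#define TAG_SERVICE_NAME 0x0101
#define TAG_AC_NAME      0x0102
#define TAG_HOST_UNIQ    0x0103
#define TAG_AC_COOKIE    0x0104

#define HDR_LEN  20             /* 14-byte Ethernet header + 6-byte PPPoE header */
#define MAX_TAGS 8

struct tag  { uint16_t type, len; const uint8_t *val; };
struct disc {
    uint8_t  dst[6], src[6], code;
    uint16_t session;
    int      ntags;
    struct tag tags[MAX_TAGS];
};

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)((p[0] << 8) | p[1]); }

/* Write the Ethernet and PPPoE headers; returns the offset where tags start. */
static int begin_disc(uint8_t *buf, size_t cap, const uint8_t *dst, const uint8_t *src,
                      uint8_t code, uint16_t session) {
    if (cap < HDR_LEN) return -1;
    memcpy(buf, dst, 6); memcpy(buf + 6, src, 6);
    put16(buf + 12, ETH_P_PPPOE_DISC);
    buf[14] = PPPOE_VERTYPE; buf[15] = code;
    put16(buf + 16, session); put16(buf + 18, 0);
    return HDR_LEN;
}

/* Append one TLV tag; returns the new write offset, or -1 if it does not fit. */
static int add_tag(uint8_t *buf, size_t cap, int off, uint16_t type, const void *val, uint16_t len) {
    if (off < 0 || (size_t)off + 4 + len > cap) return -1;
    put16(buf + off, type); put16(buf + off + 2, len);
    if (len) memcpy(buf + off + 4, val, len);
    return off + 4 + len;
}

/* Fill in the PPPoE payload length; returns the total frame length. */
static int finish_disc(uint8_t *buf, int off) {
    if (off < HDR_LEN) return -1;
    put16(buf + 18, (uint16_t)(off - HDR_LEN));
    return off;
}

/* Parse a discovery frame. Every tag is checked against the claimed payload
   length, and the claimed length against the bytes actually received. */
int parse_disc(const uint8_t *f, size_t n, struct disc *d) {
    if (n < HDR_LEN || get16(f + 12) != ETH_P_PPPOE_DISC || f[14] != PPPOE_VERTYPE) return -1;
    size_t plen = get16(f + 18);
    if (plen > n - HDR_LEN) return -1;                 /* payload longer than the frame */
    memcpy(d->dst, f, 6); memcpy(d->src, f + 6, 6);
    d->code = f[15]; d->session = get16(f + 16); d->ntags = 0;
    size_t off = HDR_LEN, end = HDR_LEN + plen;
    while (off + 4 <= end) {
        uint16_t type = get16(f + off), len = get16(f + off + 2);
        if (type == TAG_EOL) break;
        if (off + 4 + len > end || d->ntags == MAX_TAGS) return -1;   /* tag overruns payload */
        d->tags[d->ntags++] = (struct tag){ type, len, f + off + 4 };
        off += 4 + len;
    }
    return 0;
}

const struct tag *find_tag(const struct disc *d, uint16_t type) {
    for (int i = 0; i < d->ntags; i++) if (d->tags[i].type == type) return &d->tags[i];
    return NULL;
}

/* Client side: broadcast a PADI with an empty Service-Name ("any service")
   and a Host-Uniq value the client uses to match the reply. */
int build_padi(uint8_t *buf, size_t cap, const uint8_t *src, const void *uniq, uint16_t ulen) {
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    int off = begin_disc(buf, cap, bcast, src, PADI, 0);
    off = add_tag(buf, cap, off, TAG_SERVICE_NAME, NULL, 0);
    off = add_tag(buf, cap, off, TAG_HOST_UNIQ, uniq, ulen);
    return finish_disc(buf, off);
}

/* Access-concentrator side: answer a parsed PADI with a unicast PADO that echoes
   Service-Name and Host-Uniq and adds AC-Name and AC-Cookie. No credential or
   signature is involved: whoever answers first on the segment becomes the endpoint. */
int respond_pado(const struct disc *padi, uint8_t *buf, size_t cap, const uint8_t *ac_mac,
                 const char *ac_name) {
    if (padi->code != PADI || padi->session != 0) return -1;
    const struct tag *svc = find_tag(padi, TAG_SERVICE_NAME), *uniq = find_tag(padi, TAG_HOST_UNIQ);
    if (!svc) return -1;                               /* a PADI must carry Service-Name */
    int off = begin_disc(buf, cap, padi->src, ac_mac, PADO, 0);
    off = add_tag(buf, cap, off, TAG_AC_NAME, ac_name, (uint16_t)strlen(ac_name));
    off = add_tag(buf, cap, off, TAG_SERVICE_NAME, svc->val, svc->len);
    off = add_tag(buf, cap, off, TAG_AC_COOKIE, "c0okie!!", 8);   /* fixed demo cookie, not random */
    if (uniq) off = add_tag(buf, cap, off, TAG_HOST_UNIQ, uniq->val, uniq->len);
    return finish_disc(buf, off);
}
```

A real access concentrator would derive the AC-Cookie from the client MAC and a secret so that PADR can be validated statelessly; the fixed string here only shows where the tag goes. The parser's two length checks are the part worth copying: a tag length that runs past the frame is exactly the kind of input a hostile endpoint controls.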


Currently, PPPwn simply displays a confirmation message once it has gained kernel (root) privileges. Payloads will need to be adapted to this exploit and to firmware 11.00, including the usual homebrew enablers such as GoldHEN or Mira. Such ports are expected to take a few days.

For those on firmware higher than 11.00, PPPwn is of no use, and they will probably have to wait for another jailbreak. However, if the console was updated past 11.00 from a vulnerable firmware (the exploit has also been tested on 9.00, not only on 11.00), there might be a chance of reverting, because the PS4 keeps a backup copy of the previous firmware in case of a problematic update. This is not a software downgrade: it would require considerable soldering effort, but in theory it could work.

As TheFlow himself says, he decided to release PPPwn early: the first kernel RCE for PlayStation 4 supporting firmwares up to 11.00.

Can this be adapted to the PS5? SpecterDev replied on X:


As I've seen a lot of people asking about this, TheFlow's latest RCE won't be easily adapted to the PS5. The PS4 is much weaker in terms of mitigations and security, which played a role in allowing a remote exploit without code execution in user space. The PS5 is different: SMAP+CFI makes this much more difficult to achieve.

XOM also plays a role: even if CFI wasn't an issue, you can't easily bring gadgets into ROP either. It might not be impossible, but a new strategy would be needed and you would have to go for R/W. You would probably also need user-mode code execution. I wouldn't expect anything anytime soon…
