xfangfang / PPPwn_cpp

C++ rewrite of PPPwn (PlayStation 4 PPPoE RCE)

MacOS Guide to hopefully help others

Doyle4 opened this issue · comments

Mac user here, took me a little bit to figure out what was needed etc, and also changing a few things got it working.

https://github.com/xfangfang/PPPwn_cpp?tab=readme-ov-file

Scroll down until you see ‘Nightly Builds’ and press on the Nightly Link

Download the required version for your machine, I used x86_64-macos-none as I use an Intel MacBook Pro.

Create a folder named PPPwn, place downloaded pppwn folder inside.

You also need Stage1.bin and Stage2.bin, I used the files from the RaspberryPi PPPwn.
Link: https://github.com/stooged/PI-Pwn

There are two sets of Stage Files, one for 9.00 (Stage1_900 & Stage2_900)
and a set for 11.00 (Stage1_1100 & Stage2_11.00)
Use the set for your firmware. Rename them Stage1.bin and Stage2.bin and put them in the PPPwn folder with pppwn, You should now have 3 files in PPPwn - pppwn/Stage1.bin/Stage2.bin

Make sure you have goldhen.bin on the root of a USB stick and is inserted into the PS4, goldhen.bin is included in the RaspberryPi PPPwn download. USB Stick should be formatted to either Fat32 or Exfat, make sure if formatting the USB stick, change the partition to Windows and not GUID which is default on a Mac or the PS4 won't detect the USB stick.

On the PS4, go to Settings - Network - Setup Internet Connection - Use a LAN Cable - Custom - PPPoE, create any user name and password, all other settings set to Automatic.

Run sudo xattr -rd com.apple.quarantine <drag pppwn here, DO NOT DRAG PPPwn folder> press enter, enter password, press enter again. This sort of worked for me, to get around it I had to use Sudo in the Terminal code, so I'm making the guide based on my experience and what’s working for me. Try without Sudo, if you get permission denied, Sudo is needed at start of Terminal Code to give permission.

You also must have **SIP enabled**, if unsure, google how to check, make sure it's enabled, if not, follow a guide how to re-enable it, if unsure how to disable it, you most likely have it enabled.
If using Little Snitch or any other network monitoring service, either Allow all connections or disable the program blocking network connection or the exploit will not work.

Install Wireshark and then follow the prompts to install ChmodBPF: Link: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallOSXInstall.html
This will give bpf root access.

To run the exploit for 11.00, copy the following to Terminal:
sudo <Drag pppwn here - NOT THE FOLDER> --interface en0 --fw 1100 --stage1 “Drag Stage1.bin here” --stage2 “Drag Stage2.bin here” --auto-retry
Press enter, enter password, press Enter, Select ‘Test Connection’ on PS4.
Make sure you are using Stage1 and Stage2 for 11.00

Example:
sudo /Volumes/1TB/PS4/PPPwn/pppwn --interface en0 --fw 1100 --stage1 "/Volumes/1TB/PS4/PPPwn/stage1.bin" --stage2 "/Volumes/1TB/PS4/PPPwn/stage2.bin" --auto-retry

To run the exploit for 9.00, copy the following to Terminal:
sudo <Drag pppwn here - NOT THE FOLDER> --interface en0 --fw 900 --stage1 “Drag Stage1.bin here” --stage2 “Drag Stage2.bin here” --auto-retry
Press enter, enter password, press Enter, Select ‘Test Connection’ on PS4.
Make sure you are using Stage1 and Stage2 for 9.00

Example:
sudo /Volumes/1TB/PS4/PPPwn/pppwn --interface en0 --fw 900 --stage1 "/Volumes/1TB/PS4/PPPwn/stage1.bin" --stage2 "/Volumes/1TB/PS4/PPPwn/stage2.bin" --auto-retry

Other Notes:
If using an Ethernet Adapter you will need to change interface en0 to interface enX - Replace X with number Ethernet Adapter is using, to check use WireShark.

Update 14/5/24: Removed Alternative for ChmodBPF, ChmodBPF is much easier.

Update 28/5/24: "bin not found" issue? @serista "Works great on Mac Mini M1 and my PS4 12xx fat model. Tried it 3 times and it worked after 2nd attempt each time judging by the Terminal output.

You actually don't need to "Test internet connection". You just run the command on Mac, and then start your PS4 and wait.

Also the quotes around the bin files in the instruction aren't needed. They will only lead to the "...bin not found" message and the command won't work."

I followed all the steps of yours. I have Macbook M1.
I downloaded my pppwn accordingly (aarch64-macos-none.zip) from nightly builds.
I downloaded stage1 and stage2 files from https://github.com/stooged/PI-Pwn.
I am getting error

@-MacBook-Air ~ % sudo /Users/kiaara/Desktop/PPPwn/pppwn --interface en0 --fw 1100 --stage1 “/Users/kiaara/Desktop/PPPwn/stage1.bin” --stage2 “/Users/kiaara/Desktop/PPPwn/stage2.bin” --auto-retry
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=en0 fw=1100 stage1=“/Users/kiaara/Desktop/PPPwn/stage1.bin” stage2=“/Users/*****/Desktop/PPPwn/stage2.bin” auto-retry=on
[-] Cannot open: “/Users/kiaara/Desktop/PPPwn/stage1.bin”

Here is file permission:
-rwxr-xr-x@ 1 kiaara staff 898456 May 12 18:20 pppwn
-rw-rw-rw- 1 kiaara staff 500 May 12 03:08 stage1.bin
-rw-rw-rw- 1 kiaara staff 2603 May 12 03:08 stage2.bin

I tried running sudo xattr -rd com.apple.quarantine for stage1 and stage2 but still same issue.
Any idea?

"[-] Cannot open: “/Users/kiaara/Desktop/PPPwn/stage1.bin”"

It can not find the path to the stage1.bin, make sure the path to the file is correct.

I just realised you are also using an M Series Mac, I'm guessing you are using an adapter for ethernet.
It could be --interface en0 needs changing, I'm not 100%, I'll see what I can find.

It's exactly in the same folder as pppwn file. you can see the path of pppwn file.
I guess it is something related to permissions. I tried doing chmod 755 also but same issue.

@Doyle4
Just find a new intel mac and test from beginning. By default, it indeed lacks bpf permissions. Good catch !

The relevant step should change to: Install ChmodBPF. More information can be found at: https://formulae.brew.sh/cask/wireshark-chmodbpf

Alternatively, you could directly install Wireshark and then follow the prompts to install ChmodBPF: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallOSXInstall.html

System Preferences > Security and Privacy > Full disk access > drag pppwn into there.

See if giving pppwn full disk access helps, your error is the stage file can't be located.

@Dakshpro maybe you need to remove the around stage.bin path ?

I think what you use is , is not a "

I never spotted that, also good catch!

@xfangfang Thanks for the WireShark tip! this has made the process much better, if it failed before ChmodBPF was installed, the retry would loop and the Mac would need resetting.
I made the process fail and on 2nd retry it worked fine, thank you.

I think WireShark/ChmodBPF is worth installing, will add to the guide I'm making for MacOS.

Great.. this solution. worked.
But it's stuck at
sudo /Users/kiaara/Desktop/PPPwn/pppwn --interface en0 --fw 1100 --stage1 "/Users/kiaara/Desktop/PPPwn/stage1.bin" --stage2 "/Users/kiaara/Desktop/PPPwn/stage2.bin" --auto-retry
Password:
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=en0 fw=1100 stage1=/Users/kiaara/Desktop/PPPwn/stage1.bin stage2=/Users/kiaara/Desktop/PPPwn/stage2.bin auto-retry=on

[+] STAGE 0: Initialization
[*] Waiting for PADI...

I am using ethernet adapter to USB-C with ethernet cable to PS4. Tried sharing internet but not working

Reboot your Mac, Reboot PS4
Once rebooted, On the PS4 go to Settings, Network, Create LAN, Custom - PPPoE, Enter any username and password, use Automatic for the rest.
Don't press "Test Network" yet.

On mac, Run the pppwn, enter password, once pressed enter after password, on the PS4 press "Test Connection".

If you haven't already, Install WireShark and also install ChmodBPF.pkg, where it says Ethernet, it should say en0, if it doesn't, take note of what it says and change en0 from the command line needed to run pppwn and replace with the name WireShark shows next to Ethernet.

Not working. Ps4 fails to obtain IP.

Screenshot 2024-05-13 at 07 14 55

This is what WireShark shows for me and shows Ethernet as en0.

I have to get sleep as it's now almost 7:30am here, any issues I'll get back to you asap.
I don't own an M Series Mac, but my Macbook Pro 2017 also needs an adapter for Ethernet, when I'm awake I'll have a test using an adapter and see how it is for myself.

@Dakshpro if you are using USB adapter, then it cannot be en0, check wireshark and find something like: “USB 10/100 LAN: en*”

if you are using a mac mini, then en0 would be the one in the mac mini back, no idea for macbook.

or just simply try from en1 to en20

Screenshot 2024-05-13 at 7 00 15 PM This is what I have. Which one should I use? I have Macbook Air M1 which has 2 usb C port. I have used one port out of it.

@Dakshpro You can turn on the PS4 and see which curve suddenly shows up (meaning data has been received) that's the one you want. Otherwise something wrong must happened.

It's great and all, thanks for the instructions, but it would be very nice if someone could make a more streamlined solution for macOS, I mean GUI like PPPwnGo etc for Win, without needing to download and install supplementing utils.

It finally showed en5. Thanks for the hint.
It's working now. But it always fails at "scanning for corrupted object".
I took stage1.bin and stage2.bin from mentioned sources (https://github.com/stooged/PI-Pwn). Also tried changing these with https://github.com/PSGO/PPPwnGo and https://github.com/PSGO/PPPwn-Lite but still same issue.
I have PS4 Pro.

Make sure you are using the set for your Firmware, so if you are on 11.00 you need the 11.00 Stage files and renamed to exactly the same as what the Terminal code is looking for.

EDIT: Spotted you said it was en5... Looking at your screen grab, it's either en3 or en4 as that's your Ethernet adapter.
Try with en3, if fails, try with en4.

It's great and all, thanks for the instructions, but it would be very nice if someone could make a more streamlined solution for macOS, I mean GUI like PPPwnGo etc for Win, without needing to download and install supplementing utils.

It will happen, no point just yet as there a few issues and harder to resolve with not many users using Mac.
Once all bugs etc have been cleared one will most likely be made.

Using exactly the right stage1 and stage2 files for v11.0
but still the issue.
Screenshot is old. It properly shows en5 now and PS4 also obtains IP.

It's difficult as I have no access to an M Series Mac, I only own Intel.
Hopefully someone can help who has an M series.

for finding correct port you can do this

1. Press and hold Option
2. Select the Apple menu
3. Select System Information
4. Select Network
5. Select Network Interface (Ethernet or Wi-Fi)
6. Find BSD Device Name under the details section (for e.g. ethernet en5, wifi en0)

for finding correct port you can do one thing hold option on keyboard while holding option click on the apple logo on top left select system information , scroll down to network it will show your device name and the BSD Device Name is your active post

I found the correct port but the issue is, process fails exactly at "scanning for corrupted object".

I am also an M1 Mac user. I am running it through VMware Fusion Ubuntu. I have got a pre-compiled file which you have run through Docker, I got it from someone, now I just open the terminal and run it. It is working for me, max it took is 2 attempts.

@Akshayraiker11
Just update the code, the command pppwn list will list the interface information.

$ pppwn list
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] interfaces: 
	en0 Ethernet
	en6 USB 10/100 LAN
	en4 Ethernet Adapter (en4)
	en5 Ethernet Adapter (en5)
	en10 USB 10/100/1000 LAN
	bridge0 Thunderbolt Bridge
	en1 Wi-Fi
	en2 Thunderbolt 1
	en3 Thunderbolt 2

@Dakshpro
If your system version is at or below 11.0, I can only recommend repeated attempts (reboot the ps4). Just bad luck : )

Can someone over here make a complete guide for M series Mac users to run it properly? Even YouTube doesn't have a single video on it @xfangfang @Doyle4

I would if I had access to an M series Mac, without one I can't give advice, my guide is basic Mac and for mainly Intel Macs as that's all I have at hand.

@Dakshpro try with latest PPPwnPi files, https://github.com/stooged/PI-Pwn Its been worked on in the last few hours.

Mac user here, took me a little bit to figure out what was needed etc, and also changing a few things got it working.

https://github.com/xfangfang/PPPwn_cpp?tab=readme-ov-file

Scroll down until you see ‘Nightly Builds’ and press on the Nightly Link

Download the required version for your machine, I used x86_64-macos-none as I use a Intel MacBook Pro.

Create a folder named PPPwn, place pppwn inside.

You also need Stage1.bin and Stage2.bin, I used the files from the RaspberryPi PPPwn, there are two sets, one for 9.00 Stage1_900 & Stage2_900) and a set for 11.00 (Stage1_1100 & Stage2_100) use the set for your firmware. Rename them Stage1.bin and Stage2.bin and put them in the PPPwn folder with pppwn. Link: https://github.com/stooged/PI-Pwn

Make sure you have golden.bin on the root of a USB stick and is inserted into the PS4, I used the golden.bin which is included in the RaspberryPi PPPwn download.

On the PS4, goto Settings - Network - Setup Internet Connection - Use a LAN Cable - Custom - PPPoE, create any user name and password, all other settings set to Automatic.

For macOS users, you need to run sudo xattr -rd com.apple.quarantine <drag pppwn here, DO NOT DRAG PPPwn folder> press enter, enter password, press enter again. This sort of worked for me, to get around it I had to use Sudo in the Terminal code, so Im making the guide based on my experience and what’s working for me.

You also must have SIP enabled, if unsure, google how to check and make sure its enabled, if not, follow a guide how to re-enable it, if unsure how to disable it, you most likely have it enabled. If using Little Snitch, either Allow all connections or disable Little Snitch or the exploit will not work.

Install Wireshark and then follow the prompts to install ChmodBPF: Link: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallOSXInstall.html This will give bpf root access.

Alternative WireShark recommended Make sure /dev/bpf0 is set to ‘staff’ and NOT ‘Wheel’, to check enter ls -l /dev/bpf* in terminal, below is an example if its set to ‘Wheel’.

crw-rw---- 1 root wheel 0x17000000 Sep 9 14:24 /dev/bpf0 crw-rw---- 1 root wheel 0x17000001 Sep 9 14:25 /dev/bpf1

If it is set to ‘Wheel’ to change it to ‘Staff’ enter: sudo chgrp staff /dev/bpf* press enter, enter password and press enter again. Check to see if it has changed by entering ls -l /dev/bpf* again, below is an example of bpf0 changed to ‘Staff’.

crw-rw---- 1 root staff 0x17000000 Sep 9 14:24 /dev/bpf0 crw-rw---- 1 root staff 0x17000001 Sep 9 14:25 /dev/bpf1

To run the exploit for 11.00, copy the following to Terminal: sudo <Drag pppwn here - NOT THE FOLDER> --interface en0 --fw 1100 --stage1 “Drag Stage1.bin here” --stage2 “Drag Stage2.bin here” --auto-retry Press enter, enter password, press Enter, Select ‘Test Connection’ on PS4. Make sure you are using Stage1 and Stage2 for 11.00

Example: sudo /Volumes/1TB/PS4/PPPwn/pppwn --interface en0 --fw 1100 --stage1 "/Volumes/1TB/PS4/PPPwn/stage1.bin" --stage2 "/Volumes/1TB/PS4/PPPwn/stage2.bin" --auto-retry

To run the exploit for 9.00, copy the following to Terminal: sudo <Drag pppwn here - NOT THE FOLDER> --interface en0 --fw 900 --stage1 “Drag Stage1.bin here” --stage2 “Drag Stage2.bin here” --auto-retry Press enter, enter password, press Enter, Select ‘Test Connection’ on PS4. Make sure you are using Stage1 and Stage2 for 9.00

Example: sudo /Volumes/1TB/PS4/PPPwn/pppwn --interface en0 --fw 900 --stage1 "/Volumes/1TB/PS4/PPPwn/stage1.bin" --stage2 "/Volumes/1TB/PS4/PPPwn/stage2.bin" --auto-retry

I Stuck loop at
[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Retry after 5s...
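
The `ls -l /dev/bpf*` check from the quoted guide, turned into an audit of who can open the packet-capture devices after a change such as `chgrp staff` or installing ChmodBPF. This is an added example, not part of the thread or of PPPwn_cpp: the first two sample lines are the ones quoted above, the other two are constructed, and the verdict labels and the assumption that `staff` contains every local macOS account are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report who may open each BPF device.
# Usage on macOS:  ls -l /dev/bpf* | audit_bpf

# classify_bpf_line LINE  ->  prints "<device> <verdict>"
# Verdict names are this example's own labels.
classify_bpf_line() {
    set -f                  # keep the shell from globbing while splitting
    set -- $1               # fields: mode links owner group ... path
    set +f
    [ $# -ge 5 ] || { echo "unparsed"; return 1; }
    mode=$1 group=$4
    for dev in "$@"; do :; done          # last field is the device path
    case $mode in
        c?????????*) ;;
        *) echo "$dev not-a-char-device"; return 1 ;;
    esac
    grp=${mode#????};    grp=${grp%"${grp#??}"}   # group r/w bits
    oth=${mode#???????}; oth=${oth%"${oth#??}"}   # other r/w bits
    if [ "$oth" != "--" ]; then
        verdict=world                 # any process can capture and inject
    elif [ "$grp" = "--" ]; then
        verdict=owner-only
    else
        case $group in
            # Assumption: every local macOS account is a member of staff.
            staff) verdict=all-local-users ;;
            wheel) verdict=wheel-only ;;
            *)     verdict="group:$group" ;;
        esac
    fi
    echo "$dev $verdict"
}

# audit_bpf: read `ls -l` lines on stdin, print one verdict per device,
# return 1 if any device is open to every local user.
audit_bpf() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        v=$(classify_bpf_line "$line") || :
        echo "$v"
        case $v in
            *" world"|*" all-local-users") rc=1 ;;
        esac
    done
    return $rc
}

# Sample input: the first two lines appear in the thread's example output,
# the last two are constructed for this example.
audit_bpf <<'EOF' || echo "finding: packet capture is not limited to a dedicated group"
crw-rw---- 1 root wheel 0x17000000 Sep 9 14:24 /dev/bpf0
crw-rw---- 1 root staff 0x17000001 Sep 9 14:25 /dev/bpf1
crw-rw---- 1 root access_bpf 0x17000002 Sep 9 14:25 /dev/bpf2
crw-rw-rw- 1 root wheel 0x17000003 Sep 9 14:25 /dev/bpf3
EOF
```

A device reported as `all-local-users` or `world` lets any logged-in account sniff and inject frames on every interface, which is the difference between the `chgrp staff` route and a dedicated capture group.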

@ThAn0uSin Give Terminal full Disk Access, make sure you have no Firewall/VPN/Little Snitch on, make sure Terminal and pppwn have network access.
Reboot Mac, Reboot PS4, once rebooted both, wait for PS4 to be fully booted, go to settings, network, Then run PPPwn, press Test Internet Connection on PS4.

did anyone got it working on m series macbook

akshay@Akshays-MacBook-Air ~ % sudo /Users/akshay/Downloads/PPPwn/pppwn --interface en5 --fw 1100 --stage1 "/Users/akshay/Downloads/PPPwn/stage1.bin" --stage2"/Users/akshay/Downloads/PPPwn/stage2.bin" --auto-retry
Password:
sudo: /Users/akshay/Downloads/PPPwn/pppwn: command not found

any solution i have given it full disk access also

It's not finding the path to pppwn, remove /Users/akshay/Downloads/PPPwn/pppwn and try dragging pppwn again.
Also try without sudo at the start, I had to for me but it's not always needed.

did anyone got it working on m series macbook

Hopefully borrowing a friends soon to test.

tried but still the same

Try in terminal: cd < Drag PPPWN folder here > press enter,
Sudo < Drag pppwn file here > followed by the rest of the command after pppwn location

Example:
cd /Users/akshay/Downloads/PPPwn/pppwn
then
sudo /Users/akshay/Downloads/PPPwn/pppwn --interface en5 --fw 1100 --stage1 "/Users/akshay/Downloads/PPPwn/stage1.bin" --stage2"/Users/akshay/Downloads/PPPwn/stage2.bin" --auto-retry

i have tried that already , do i have to use " " for pppwn folder location also

can u please make a video about it on YouTube

i have tried that already , do i have to use " " for pppwn folder location also

I didn't have to, worth a try.

I managed to get it working on MacBook Pro m3 with tplink adapter by following the guide. I initially got stuck on "Scan damaged object". After restarting both Mac and PS4 and after several attempts I finally got it working. Ps4 was already jailbroken with a pc but after a shut down due to a crash I tried to managed the exploit with the MacBook. I hope for an update in order to reduce the tries. THANK YOU

Hello, thanks a lot for that guide !!
I have an Intel Macbook Pro and everything seems to work normally but the goldhen.bin on my USB stick is not installed on the PS4.
On my Terminal I see the stage 4 of the PPPwn is "done" and on the PS4 I see a notification "PPPwned" but I don't see the notification for the installation of Goldhen.
I tried several times with my USB stick putting it on the front port or the rear port of the PS4. The USB stick is formatted on ExFat and the goldhen.bin is on the root of the stick.
Do you have an idea for solving that issue ?
Thanks a lot for your time and your work !

#10 (comment)

I finally succeeded by:
1- formatted the USB stick in ExFat but with the scheme "Master Boot Record" in the Disk Utility application (before I formatted with the scheme GUID)
2- inserted in the USB stick a file named "golden.bin" and not "goldhen.bin" (I let the two files on the stick so I don't know which one has been used)

Thank you very much for your help and sorry for my english which is not very good.

Added to guide, I over looked this part, GUID is default when formatting on Mac.

Can I just use $ brew install --cask wireshark-chmodbpf in Terminal as instructed at https://formulae.brew.sh/cask/wireshark-chmodbpf without installing the whole Wireshark?

We need some sort of GUI for macOS on x64/ARM ... definitely

You can use SwiftBar to write a status bar application in a few minutes

Can I just use $ brew install --cask wireshark-chmodbpf in Terminal as instructed at https://formulae.brew.sh/cask/wireshark-chmodbpf without installing the whole Wireshark?

Yeah, I installed Wireshark full so I can use its interface for searching ethernet connections.

@ThAn0uSin Give Terminal full Disk Access, make sure you have no Firewall/VPN/Little Snitch on, make sure Terminal and pppwn have network access.

Reboot Mac, Reboot PS4, once rebooted both, wait for PS4 to be fully booted, go to settings, network, Then run PPPwn, press Test Internet Connection on PS4.

The same it stuck on the loop. I use PC with PPPwn lite and it works.

I am testing this on both MacBook Air 2019 (Intel) and MacBook Air M1, so I will let everyone know how it went.
Also planning to make a detailed video about it.

Edited: I ran it on both of the devices but one common problem I faced was that the Macs weren't detecting any Ethernet I/O from the PS4 and this was reflected in Wireshark. It happened because the drivers for the Ethernet adapter were not installed. I tried to install them but the current Mac OS version is not supported (Reference: https://www.technouz.com/p/how-to-use-a-generic-usb-ethernet-adapter-on-mac-os-x | https://github.com/bzapal/usb-2-10-100m-ethernet-adapter-rd9700)

I tried that same thing with multiple adapters but the result was the same. At this point I am thinking of getting a new adapter and trying it.

For me the problem is, it shows that it is not able to find pppwn on the location even though it is the correct path and it also has full disk access, but it works on a Linux VM with the Python flow original version, got the compiled from someone else using Docker, now I just execute it, and for me the adapter is not a problem.

Is it really needed to click Test internet connection on PS4? Because some loaders don't require that at all , like https://github.com/PSGO/PPPwn-Lite or Raspberry Pi's.

Try and see, the Raspberry Pi's code has been tweaked to search for a connection. I haven't tested not testing.

Works great on Mac Mini M1 and my PS4 12xx fat model. Tried it 3 times and it worked after 2nd attempt each time judging by the Terminal output.

You actually don't need to "Test internet connection". You just run the command on Mac, and then start your PS4 and wait.

Also the quotes around the bin files in the instruction aren't needed. They will only lead to the "...bin not found" message and the command won't work.

Doyle, you are an incredible human being. Thank you for existing.

Update: I got it working, it works fine on M1 MacBook Air as per the instructions and the handy thing is the auto retry. For me on Linux in VMware it was having a higher success rate, max attempts I have got on Linux is 3, but it's a hassle: load the VM, check for ethernet if it is showing active, run the command and if it fails run it again. On Mac C++ version now just copy paste the command, just wait until it gets pppwned 😃

2- inserted in the USB stick a file named "golden.bin" and not "goldhen.bin" (I let the two files on the stick so I don't know which one has been used)

The name should be goldhen.bin, not golden ! Should be corrected in the instruction too.

I am getting this error on my M1 macbook air , any ideas ?

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff874b19f8
[+] kaslr_offset: 0x30c4000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffa1a62caf3600
[+] Target MAC: 00:d9:d1:e7:de:e9
[+] Source MAC: 03:a6:a5:85:ff:ff
[+] AC cookie length: 41029
[*] Sending PADO...
[ERROR: /build/_deps/pcapplusplus-src/Pcap++/src/PcapLiveDevice.cpp: doMtuCheck:580] Payload length [4159] is larger than device MTU [1280]
[*] Waiting for PADR...

@s3vo wrong stage1.bin

I have used the precompiled bin from Pi repo, as I had problems compiling my own, I am on 9,00 FW, just testing

UPDATE:

tried stage1 from here :
https://github.com/PSGO/PPPwn-Lite/tree/main/PPPwn%20Loader/PPPwn/stage1/900

and the result is the same:

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff9d2f99f8
[+] kaslr_offset: 0x18f0c000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xfffff503061e3400
[+] Target MAC: 00:d9:d1:e7:de:e9
[+] Source MAC: 03:26:8a:9b:ff:ff
[+] AC cookie length: 418cc
[*] Sending PADO...
[ERROR: /build/_deps/pcapplusplus-src/Pcap++/src/PcapLiveDevice.cpp: doMtuCheck:580] Payload length [6370] is larger than device MTU [1280]
[*] Waiting for PADR...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...

Hi everyone,

I'm on an intel macbook pro and this is what I get

Chris@ChristophersMBP ~ % sudo /Users/Chris/Desktop/PPPwn/pppwn/pppwn —interface en5 --fw 1100 --stage1 “/Users/Chris/Desktop/PPPwn/pppwn/Stage1.bin” --stage2 “/Users/Chris/Desktop/PPPwn/pppwn/Stage2.bin”
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
SYNOPSIS
pppwn -i [--fw ] [-s1 ] [-s2 ] [-t ] [-wap
] [-gd <1-4097>] [-bs ] [-a] [-nw] [-rs] [--web] [--url ]

    pppwn list

OPTIONS
-i, --interface
network interface

    --fw        {700,701,702,750,751,755,800,801,803,850,852,900,903,904,950,951,960,1000,1001,1050,1070,1071,1100}
                (default: 1100)

    -s1, --stage1
                stage1 binary (default: stage1/stage1.bin)

    -s2, --stage2
                stage2 binary (default: stage2/stage2.bin)

    -t, --timeout
                timeout in seconds for ps4 response, 0 means always wait (default: 0)

    -wap, --wait-after-pin
                Waiting time in seconds after the first round CPU pinning (default: 1)

    -gd, --groom-delay
                wait for 1ms every `n` rounds during Heap grooming (default: 4)

    -bs, --buffer-size
                PCAP buffer size in bytes, less than 100 indicates default value (usually 2MB) 
                (default: 0)

    -a, --auto-retry
                automatically retry when fails or timeout

    -nw, --no-wait-padi
                don't wait one more PADI before starting

    -rs, --real-sleep
                Use CPU for more precise sleep time (Only used when execution speed is too slow)

    --web       start a web page
    --url       url
    list        list interfaces

akshay@Akshays-MacBook-Air ~ % sudo /Users/akshay/Downloads/PPPwn/pppwn --interface en5 --fw 1100 --stage1 "/Users/akshay/Downloads/PPPwn/stage1.bin" --stage2"/Users/akshay/Downloads/PPPwn/stage2.bin" --auto-retry
Password:
sudo: /Users/akshay/Downloads/PPPwn/pppwn: command not found

Any solution? I have given it full disk access also.

It's not finding the path to pppwn, remove /Users/akshay/Downloads/PPPwn/pppwn and try dragging pppwn again. Also try without sudo at the start, I had to for me but it's not always needed.

tried but still the same

I think you need a space between stage2"/Users

@bajinmuu2 maybe you need to remove the ” around stage.bin path ?

I think what you use is ”, is not a "

> @bajinmuu2 maybe you need to remove the ” around stage.bin path ?
>
> I think what you use is ”, is not a "

Hi thank you for replying. I've tried " (copy and pasted from this thread) as well as removing it completely. I still get the same result
Screen Shot 2024-05-27 at 16 43 55

@bajinmuu2 the interface option is wrong, there should be two ”-”
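
The three command-line faults diagnosed in this thread (curly quotes pasted around the .bin paths, an em dash in place of `--`, and a missing space between an option and its quoted value) can be caught before running anything. This is an added example, not part of the thread or of PPPwn_cpp; the function name `lint_args`, the interface name and the sample paths are made up for illustration.

```shell
#!/usr/bin/env bash
# lint_args (hypothetical helper): inspect arguments exactly as the shell
# hands them to a program and report the paste/typing faults seen above.
# Prints one line per finding; the exit status is the number of findings.
lint_args() {
    local arg n=0
    for arg in "$@"; do
        # Curly quotes are ordinary characters to the shell, so they end up
        # inside the file name and the path is reported as not found.
        case "$arg" in
            *“*|*”*|*‘*|*’*)
                echo "curly quote inside argument: $arg"
                n=$((n + 1)) ;;
        esac
        # An em or en dash (often produced by autocorrect) is not "--",
        # so the option is not recognised and the usage text is printed.
        case "$arg" in
            —*|–*)
                echo "em/en dash instead of '--': $arg"
                n=$((n + 1)) ;;
        esac
        # --stage2"/path" with no space is glued into ONE argument.
        case "$arg" in
            -*=*) ;;  # --opt=value is a legitimate single argument
            -*/*)
                echo "option fused with its path (missing space): $arg"
                n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Constructed sample: one fault of each kind, placeholder paths.
lint_args —interface en0 --stage1 “/path/to/stage1.bin” \
    --stage2"/path/to/stage2.bin" || echo "$? problem(s) found"
```

Pass the same words you intend to type after the program name; a clean command line prints nothing and returns 0.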

> 2- inserted in the USB stick a file named "golden.bin" and not "goldhen.bin" (I let the two files on the stick so I don't know which one has been used)
>
> The name should be goldhen.bin, not golden! Should be corrected in the instruction too.

Updated, thanks.

Also added your reply about quotations not needed. I needed them in my command so I left it in, but let others know to remove them if getting the error. Thanks.

> akshay@Akshays-MacBook-Air ~ % sudo /Users/akshay/Downloads/PPPwn/pppwn --interface en5 --fw 1100 --stage1 "/Users/akshay/Downloads/PPPwn/stage1.bin" --stage2"/Users/akshay/Downloads/PPPwn/stage2.bin" --auto-retry
> Password:
> sudo: /Users/akshay/Downloads/PPPwn/pppwn: command not found
>
> Any solution? I have given it full disk access also.
>
> It's not finding the path to pppwn, remove /Users/akshay/Downloads/PPPwn/pppwn and try dragging pppwn again. Also try without sudo at the start, I had to for me but it's not always needed.
>
> tried but still the same
>
> I think you need a space between stage2"/Users

He does indeed.

> sudo /Users/Chris/Desktop/PPPwn/pppwn/pppwn —interface en5 --fw 1100 --stage1 “/Users/Chris/Desktop/PPPwn/pppwn/Stage1.bin” --stage2 “/Users/Chris/Desktop/PPPwn/pppwn/Stage2.bin”

Looking at your path, it shows PPPwn/pppwn/pppwn

Folder layout I used was a folder named PPPwn that had the pppwn exec inside along with Stage1 and Stage2 bin files.

> @bajinmuu2 the interface option is wrong, there should be two ”-”

This worked! Thank you so much. I have a new issue though. At some point during the process, my USB lan adapter became unrecognized. When I check my network settings, it says Connected but no IP address assigned. I've tried renewing the DHCP and assigning an IP manually.

When I started this whole process, I used Wireshark and was able to identify the adapter as en05, but now when I go into Wireshark the adapter is gone. Is it somehow related to SIP?

EDIT: I totally forgot I had a second MBP in the house which worked flawlessly. It turns out when I updated my MBP to the latest OS, it stopped recognizing the usb lan adapter which is really stupid on MAC. Thank you everyone for the help!

Is there a way to pass the internet connection from the Mac to the PS4 like the way it can be done on the Raspberry Pi? The network speed on the Pi 3 is garbage and was hoping going through my Mac would be much faster.

> Is there a way to pass the internet connection from the Mac to the PS4 like the way it can be done on the Raspberry Pi? The network speed on the Pi 3 is garbage and was hoping going through my Mac would be much faster.

System Settings > General > Sharing > Internet Sharing > (i) You click on "i" and set which connection you share (Wi-Fi f.e.) with which devices (PS4 connected to Ethernet f.e.)

> Is there a way to pass the internet connection from the Mac to the PS4 like the way it can be done on the Raspberry Pi? The network speed on the Pi 3 is garbage and was hoping going through my Mac would be much faster.
>
> System Settings > General > Sharing > Internet Sharing > (i) You click on "i" and set which connection you share (Wi-Fi f.e.) with which devices (PS4 connected to Ethernet f.e.)

I tried that before posting as it didn't work. The PS4 wasn't getting an IP address.

> I tried that before posting as it didn't work. The PS4 wasn't getting an IP address.

It works fine for me. You choose internet connection > LAN > Easy on PS4 (after it's jailbroken).

> I tried that before posting as it didn't work. The PS4 wasn't getting an IP address.
>
> It works fine for me. You choose internet connection > LAN > Easy on PS4 (after it's jailbroken).

No, I left it on PPPoE like you do on the Raspberry Pi.

If I have to keep switching between PPPoE and regular, I guess I'll have to put up with the Raspberry Pi's slow network speed since you don't have to keep messing with the PS4's Network settings.

> If I have to keep switching between PPPoE and regular, I guess I'll have to put up with the Raspberry Pi's slow network speed since you don't have to keep messing with the PS4's Network settings.

It takes about 10 seconds to switch settings from manual/pppoe to auto/easy or back.

> If I have to keep switching between PPPoE and regular, I guess I'll have to put up with the Raspberry Pi's slow network speed since you don't have to keep messing with the PS4's Network settings.
>
> It takes about 10 seconds to switch settings from manual/pppoe to auto/easy or back.

It takes several minutes for me to change the settings as I use a DNS to block connections to Sony and the PS4 makes me have to re-enter the DNS address when I change settings. It's not easy.

> It takes several minutes for me to change the settings as I use a DNS to block connections to Sony

In the "PPPoE mode" (ready for JB or JBroken) the console connected to Mac won't be able to get any update anyway. When JBroken with enabled internet connection (switched from PPPoE to Easy setup) it won't be able to update firmware too (GoldHEN block) and if you won't run games it won't try to update them. I don't use any DNS blocks.

@ccfman2004

I have implemented a simple network access function, which has only been tested on the macOS/Windows. Since someone needs it, I will send it out first and welcome anyone to improve the code.

https://github.com/xfangfang/PPPwn_cpp/tree/gateway

At present, the function is very simple. I am not sure if it can be used stably for a long time.

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9335327384

Usage:
en0 connects to ps4, en1 connects to the Internet

pppwn network --interface en0 --interface-net en1

> It takes several minutes for me to change the settings as I use a DNS to block connections to Sony
>
> In the "PPPoE mode" (ready for JB or JBroken) the console connected to Mac won't be able to get any update anyway. When JBroken with enabled internet connection (switched from PPPoE to Easy setup) it won't be able to update firmware too (GoldHEN block) and if you won't run games it won't try to update them. I don't use any DNS blocks.

I don't want the console to be able to connect to Sony's servers period. The console will try to update games when I go to play them and I don't want that. Plus I don't want the console to send any information such as errors and such to Sony. It is more than not wanting the console to download a firmware update. The PS4 sends all sorts of data back to Sony.

> have implemented a simple network access function, which has only been tested on the macOS/Windows. Since someone needs it, I will send it out first and welcome anyone to improve the code.
>
> https://github.com/xfangfang/PPPwn_cpp/tree/gateway
>
> At present, the function is very simple. I am not sure if it can be used stably for a long time.
>
> https://github.com/xfangfang/PPPwn_cpp/actions/runs/9335327384
>
> Usage: en0 connects to ps4, en1 connects to the Internet

Sorry, don't quite get it. So if I exchange --interface with --interface-net when I jailbreak, the console will have internet access after jailbreak without any additional actions? Currently, after JB I just change LAN (PPPoE) internet connection to LAN (Easy) in the PS4 internet settings to get internet access (Wi-Fi on Mac shared for Ethernet port), and change it back to PPPoE before I turn off the console so that it would be ready for JB next time.

You run the normal command to JB the console.

sudo pppwn --interface enX --fw XXXX --stage1 stage1.bin --stage2 stage2.bin --auto-retry

Then after it's done and you are back at the command prompt you run:

sudo pppwn network --interface enX --interface-net enX

--interface is the connection to the PS4 and --interface-net is Mac's connection to the internet. No need to go to Sharing in System Settings to share internet connection.

EDIT: While this now does get my PS4 online without having to switch between PPPoE and Custom Ethernet, it seems, at least for now, FTP doesn't work which was the only reason I wanted to use something other than the rPI for JB and Internet.

> EDIT: While this now does get my PS4 online without having to switch between PPPoE and Custom Ethernet, it seems, at least for now, FTP doesn't work which was the only reason I wanted to use something other than the rPI for JB and Internet.

I can confirm that, it doesn't seem to work for FTP.

I have a PS4 firmware 11.00 model CUH-1001A, trying to jailbreak on a Hackintosh; basically a MacOS that crashes my PS4 on every attempt to jailbreak at Stage 1.

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Sending PADT...
[*] Retry after 5s...