A method of running PPPwn on a rooted LG TV (potentially any jailbroken webOS system). This method uses the C++ version of PPPwn, made by xfangfang; the repository is here: https://github.com/xfangfang/PPPwn_cpp
It provides a new way to jailbreak your PS4 using a rooted LG TV. For more information on which firmware versions are supported, check the link above.
Special thanks to @TheOfficialFloW @SiSTR0 @xfangfang @zauceee @FabulosoDev @EchoStretch @LightningMods and all contributors.
To run PPLGPwn you'll need to root your LG TV. The root itself is supported by only a couple of models, so check both exploits to see if your TV is capable of it; the steps for rooting it and enabling SSH are available there:
After jailbreaking your own TV (ironically, we are using a jailbroken TV to jailbreak another device 😁), connect to your TV via SSH, then download and run install.sh using this command:
curl -fsSLO https://github.com/llbranco/PPLGPwn/raw/main/install.sh && chmod +x ./install.sh && ./install.sh
Choose between GoldHEN and HEN-VTX; you can't install both. I intend to merge the installers in the next updates. For HEN-VTX, run this instead:
curl -fsSLO https://github.com/llbranco/PPLGPwn/raw/main/install_vtx.sh && chmod +x ./install_vtx.sh && ./install_vtx.sh
1. Connect your PS4 to your TV using the Ethernet port.
2. Go to Settings, then Network.
3. Select Set Up Internet Connection and choose Use a LAN Cable.
4. Choose Custom setup and choose PPPoE for IP Address Settings.
5. Enter anything for PPPoE User ID and PPPoE Password.
6. Choose Automatic for DNS Settings and MTU Settings.
7. Choose Do Not Use for Proxy Server.
8. Press the X button on your controller on Test Internet Connection.
ALWAYS wait for your console to display the message Cannot connect to network: (NW-31274-7) before attempting this PPPoE injection again.
If the exploit fails or the PS4 crashes, you can skip the internet setup and just click on Test Internet Connection.
If the exploit works, you should see output via SSH similar to the following. In addition, you should see Cannot connect to network followed by PPPwned displayed as a notification on your PS4, or vice versa.
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=eth0 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin
[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 07:ba:be:34:d6:ab
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::2d9:d1ff:febc:83e4
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141
[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff884de578
[+] kaslr_offset: 0x3ffc000
[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 97:df:ea:86:ff:ff
[+] AC cookie length: 0x511
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634be9200
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] AC cookie length: 0x0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!
1. Open the startup script: vi /var/lib/webosbrew/startup.sh
2. Insert these lines at the end of the file, save, and reboot the TV (the VTX version uses a different path):
cd /media/internal/downloads/PPLGPwn
./run.sh
If you updated from my previous version, I noticed that you must update the start path.
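Editing startup.sh by hand risks appending the two lines twice if you re-run the installer or update the start path later. The helper below is an added example (not part of PPLGPwn) that appends the autostart lines only once, behind a marker comment, so repeated runs are idempotent; the script path and install directory are passed as arguments, so the same function covers the VTX path.

```shell
# Idempotently append the PPLGPwn autostart lines to a webOS startup script.
# $1 = startup script (on the TV: /var/lib/webosbrew/startup.sh)
# $2 = PPLGPwn install directory (default taken from the README; VTX users
#      pass their own path). Marker comment is an assumption of this example.
add_pplgpwn_autostart() {
    script="$1"
    dir="${2:-/media/internal/downloads/PPLGPwn}"
    marker="# PPLGPwn autostart"
    # Already present: leave the file untouched so the lines never duplicate.
    if [ -f "$script" ] && grep -qF "$marker" "$script"; then
        return 0
    fi
    # Append marker plus the two lines the README asks you to add.
    printf '\n%s\ncd %s\n./run.sh\n' "$marker" "$dir" >> "$script"
}

# Returns how many PPLGPwn autostart entries a script contains (expect 1).
count_pplgpwn_entries() {
    grep -cF "# PPLGPwn autostart" "$1"
}
```

Run it as root on the TV over SSH, for example: add_pplgpwn_autostart /var/lib/webosbrew/startup.sh /media/internal/downloads/PPLGPwn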
1. Head to the Homebrew Store app and download LG Input Hook.
2. Open LG Input Hook and go to the link the app gives you on a device that has a web browser (you can also do this on your TV, but it will take longer). For the VTX version, just change the location.
3. Set this custom Execute action on any button you'd like:
cd /media/internal/downloads/PPLGPwn && chmod +x ./run.sh && ./run.sh
And done! The button you set up with the custom action will now execute the exploit every time you press it!
With --web, open http://YOUR_TV_IP:7796 in a browser and press START.
Download goldhen.bin from the goldhen directory.
1. Copy it to the root of a USB stick (formatted as FAT32 or exFAT). Do NOT rename it: the name must be exactly goldhen.bin.
2. Plug the USB stick into your PS4.
3. Run the PPPwn exploit. At this point it should automatically:
   - run PPPwn stage1.bin;
   - trigger stage2.bin from SiSTR0, which looks for goldhen.bin on the inserted USB stick;
   - copy goldhen.bin from the USB stick to /data/GoldHEN/payloads/goldhen.bin on your console's hard drive (again: this is automatic, you don't need to do it manually).
Note: From this point on, you shouldn't need the USB stick the next time you want to run the exploit, as you now have a local copy of goldhen on your hard drive. (If you use the USB stick in the future, it will overwrite the local copy again. Probably useful for updates of goldhen etc.)
GoldHEN should start at this point.
1. Copy the payload file ps4-hen-xxxx-PPPwn-vtx-1.0xxx.bin (from the PS4hen-vtx directory) corresponding to your PS4 firmware to the root directory of an exFAT-formatted USB drive, and rename the payload file to payload.bin.
2. Plug the USB stick into your PS4.
3. Run PPPwn stage1.bin.
4. This triggers the vtx stage2.bin, which looks for payload.bin on the inserted USB stick.
I'm not sure if the vtx stage2.bin copies anything to your console's hard drive.
Wololo, Tom’s Hardware, Hackaday, Adrenaline, Tudo Celular, Guru3d, Hackster, Kotaku
!! This exploit is made for LG TVs or Fox TVs with the armv7/aarch64 architecture; I'm not sure if it works on other architectures or brands !!
To find out your TV's chip architecture, connect to your TV via SSH and run uname -m
Thanks to the OpenLGTV and RootMyTV communities for giving us this LG TV jailbreak.
Thanks also to everyone in the PS4 jailbreaking community who gave us the exploits!
And also thanks to all the contributors!