Skip to content

stooged/PI-Pwn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 

Repository files navigation

PI Pwn

This is a script to setup PPPwn and PPPwn_cpp on the raspberry pi.

GoldHen will run on firmware versions

9.00
9.60
10.00, 10.01
10.50, 10.70, 10.71
11.00


ps4-hen-vtx will run on firmware versions

7.00, 7.01, 7.02
7.50, 7.51, 7.55
8.00, 8.01, 8.03
8.50, 8.52
9.00
9.03, 9.04
9.50, 9.51, 9.60
10.00, 10.01
10.50, 10.70, 10.71
11.00


It also supports internet access after pwn and access to ftp, klog and binloader servers launched by goldhen.
A dns blocker is also installed and used to prevent updates.

The Raspberry Pi 4, Raspberry Pi 400 and Raspberry Pi 5 can pass through a usb drive inserted into the pi to the console if the pi is plugged into the console usb port

There is also a webserver to control the pi, change settings and send payloads by accessing http://pppwn.local from the console or your pc if you have internet access enabled.


Tested PI Models

These are models i have tested with but pi-pwn is not limited to these models.
Raspberry Pi 5
Raspberry Pi 4 Model B
Raspberry Pi 400
Raspberry Pi 3B+
Raspberry Pi 2 Model B
Raspberry Pi Zero 2 W with usb to ethernet adapter
Raspberry Pi Zero W with usb to ethernet adapter
ROCK PI 4C Plus with armbian Image
BIGTREETECH BTT Pi V1.2 with armbian minimal
pcDuino3b with armbian Image

Install


You need to install Raspberry Pi OS Lite or Armbian Cli / Minimal onto a sd card.

Place the sd card into the raspberry pi, boot it and connect it to the internet then run the following commands


sudo apt update
sudo apt install git -y
sudo rm -f -r PI-Pwn
sudo systemctl stop pipwn
git clone https://github.com/stooged/PI-Pwn
sudo mkdir /boot/firmware/
cd PI-Pwn
sudo cp -r PPPwn /boot/firmware/
cd /boot/firmware/PPPwn
sudo chmod 777 *
sudo bash install.sh

During the install process you will be asked to set some options.

If you are using a usb to ethernet adapter for the connection to the console you need to select yes
If your pi has an ethernet port and you are using a usb to ethernet adapter your interface for the usb adapter should be eth1
If you are using something like a pi zero 2 the interface will be eth0

Once the pi reboots pppwn will run automatically.

On your PS4:

  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter ppp for PPPoE User ID and PPPoE Password
  • NOTE if you enable internet access you must match the username and password entered during the install or use the default ppp
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server

For GoldHen you need to place the goldhen.bin file onto the root of a usb drive and plug it into the console.
Once goldhen has been loaded for the first time it will be copied to the consoles internal hdd and the usb is no longer required.
To update goldhen just repeat the above process and the new version will be copied to the internal hdd

Console FTP / Binload

If the pi pwn was setup to allow internet access you can use the ftp, klog, and binloader servers on the console
Your pi must be also connected to your home network via wifi or a second ethernet connection
To connect to the servers from your pc just connect to the raspberry pi ip on your network and all requests will be forwarded to the console

For ftp make sure you set the transfer mode on your ftp client software to Active not passive.

USB pass through drive

You can put a usb flash drive in the pi and that will be mounted to the console, you must put a folder on the root of the drive called "payloads"
To use this feature you must plug the raspberry pi 4 / 400 / 5 into the consoles usb port using the usb-c connection on the pi.
If you have power issues you can use a usb Y cable to inject power from another source but in my tests both pi variants ran using a single cable.

Rest Mode

You can enable the option to detect if goldhen is running in the options which will cause pi-pwn to check if goldhen is active before running pppwn, this is useful for rest mode
If you have the pi powered from the console usb port you must disable "Supply Power to USB Ports" in the rest mode settings of the console.
The console must also use the PPPoe user and pass set for the "console internet connection" of pi-pwn or the defaults if you never changed them which are ppp for both user and password.

PI FTP

If you install FTP to access the pppwn folder for the exploit files you must use your root login user/pass to access the server.
The ftp server uses the standard ports 21 and 20.

PI Samba

If you setup samba to access the pppwn folder for the exploit files you can access the drive on...
\\pppwn.local\pppwn
or
smb:\\pppwn.local\pppwn

The share has no user/password required to access it.

What it does

Once everything is setup and the ethernet cable is plugged in between the pi and the console the pi should automatically try and pwn the console.
The exploit may fail many times but the pi will continue to purge the console to keep trying to pwn itself.
Once pwned the process will stop and the pi will shut down if you are not using internet access.

The idea is you boot the console and the pi together and the pi will keep trying to pwn the console without any input from you, just wait on the home screen until the process completes

Updating

You can edit the exploit scripts by putting the sd card in your computer and going to the PPPwn folder.
The commands above can also be run again to install updates or change the settings.
You can also click the update button on the web ui.

Options

Interface - this is the lan interface on the pi that is connected to the console.

Firmware version - version of firmware running on the console.

Time to restart PPPwn if it hangs - a timeout in minutes to restart pppwn if the exploit hangs mid process.

Led activity - on selected pi models this will have the leds flash based on the exploit progress.

Use Python version - enabling this will force the use of the original python pppwn released by TheOfficialFloW

Use GoldHen if available for selected firmware - if this is not enabled or your firmware has no goldhen available vtx-hen will be used.

Use original source ipv6 - this will force pppwn to use the original ipv6 address that was used in pppwn as on some consoles it increases the speed of pwn.

Use usb ethernet adapter for console connection - only enable this if you are using a usb to ethernet adapter to connect to the console.

Detect if goldhen is running - this will make pi-pwn check if goldhen is loaded on the console and skip running pppwn if it is running.

Detect console shutdown and restart PPPwn - with this enabled if the link is lost between the pi and the console pppwn will be restarted.

Enable verbose PPPwn - enables debug output from pppwn so you can see the exploit progress.

Enable console internet access - enabling this will make pi-pwn setup a connection to the console allowing internet access after pppwn succeeds.

Disable DNS blocker - enabling this will turn off the dns blocker that blocks certain servers that are used for updates and telemetry.

Shutdown PI after PWN - if enabled this will make the pi shutdown after pppwn succeeds.

Enable usb drive to console - on selected pi models this will allow a usb drive in the pi to be passed through to the console.

Ports - this is a list of ports that are forwarded from the pi to the console, single ports or port ranges can be used.

Credits

All credit goes to TheOfficialFloW, xfangfang, SiSTR0, Vortex, EchoStretch and many other people who have made this project possible.