This is the C++ rewrite of PPPwn by xfangfang modified to compile for Android
- The same as xfanfang one
- Can compile from NDK or Termux app
- Supported target Android versions from KitKat 4.4 up
Download your desired NDK version through Android Studio or directly from official github. If you want to compile for Android 4.4.x targets you must download version r25c here, otherwise you can use a more recent one.
Extract the files in your /Android/Sdk/ndk or other preferred folder.
Clone this repository with
git clone --recursive https://github.com/deviato/PPPwn_cpp_android.git
cd PPPwn_cpp_android
Edit CMakeLists.txt
file and change the options to reflect your system and desired target (info inside the file).
Run these commands to build the binary:
cmake -B build
cmake --build build -t pppwn
# Optionally strip debug symbols with:
llvm-strip build/pppwn
The resulting binary will be in build/pppwn
Download Termux app (not GooglePlay but F-Droid version here) and install on your phone. Open the app and run these commands:
apt -y update && apt -y upgrade && apt -y update
# (respond y to every question)
apt install -y git build-essential binutils file ndk-multilib-native-static termux-elf-cleaner tsu
# Clone this repository
git clone --recursive https://github.com/deviato/PPPwn_cpp_android.git
cd PPPwn_cpp_android
# Build for your device
cmake -B build -DTERMUX=1
cmake --build build -t pppwn
# If no errors, your target is in build/pppwn, but you need to realign TLS before running:
termux-elf-cleaner build/pppwn
# Optionally strip debug symbols with:
strip build/pppwn
# You can now try to run the build with root:
tsu
build/pppwn
pppwn
pppwn list
pppwn --interface en0 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --timeout 10 --auto-retry
-i
--interface
: the network interface which connected to ps4--fw
: the firmware version of the target ps4 (default:1100
)-s1
--stage1
: the path to the stage1 payload (default:stage1/stage1.bin
)-s2
--stage2
: the path to the stage2 payload (default:stage2/stage2.bin
)-t
--timeout
: the timeout in seconds for ps4 response, 0 means always wait (default:0
)-wap
--wait-after-pin
: the waiting time in seconds after first round CPU pinning (default:1
)-gd
--groom-delay
: wait for 1ms everygroom-delay
rounds during Heap grooming (default:4
)-bs
--buffer-size
: PCAP buffer size in bytes, less than 100 indicates default value (usually 2MB) (default:0
)-a
--auto-retry
: automatically retry when fails or timeout-nw
--no-wait-padi
: don't wait one more PADI before starting the exploit-rs
--real-sleep
: use CPU for more precise sleep time (Only used when execution speed is too slow)-old
--old-ipv6
: use previous IPv6 address to exploit (Only used when the exploit fails)--web
: use the web interface--url
: the url of the web interface (default:0.0.0.0:7796
)
Supplement:
- For
--timeout
, waiting forPADI
is not included, which allows you to startpppwn_cpp
before the ps4 is launched. - For
--no-wait-padi
, by default,pppwn_cpp
will wait for twoPADI
request, according to TheOfficialFloW/PPPwn/pull/48 this helps to improve stability. You can turn off this feature with this parameter if you don't need it. - For
--wait-after-pin
, according to SiSTR0/PPPwn/pull/1 set this parameter to20
helps to improve stability (not work for me), this option not used in web interface. - For
--groom-delay
, This is an empirical value. The Python version of pppwn does not set any wait at Heap grooming, but if the C++ version does not add some wait, there is a probability of kernel panic on my ps4. You can set any value within 1-4097 (4097 is equivalent to not doing any wait). - For
--buffer-size
, When running on low-end devices, this value can be set to reduce memory usage. I tested that setting it to 10240 can run normally, and the memory usage is about 3MB. (Note: A value that is too small may cause some packets to not be captured properly)
Big thanks to xfangfang's magical work, you are my hero. And to FloW's magical work, which is xfangfang's hero (and consequently mine too).