This is a script to setup PPPwn and PPPwn_cpp on the raspberry pi.
GoldHen will run on firmware versions
9.00
9.60
10.00, 10.01
10.50, 10.70, 10.71
11.00
ps4-hen-vtx will run on firmware versions
7.00, 7.01, 7.02
7.50, 7.51, 7.55
8.00, 8.01, 8.03
8.50, 8.52
9.00
9.03, 9.04
9.50, 9.51, 9.60
10.00, 10.01
10.50, 10.70, 10.71
11.00
It also supports internet access after pwn and access to ftp, klog and binloader servers launched by goldhen.
A dns blocker is also installed and used to prevent updates.
The Raspberry Pi 4, Raspberry Pi 400 and Raspberry Pi 5 can pass through a usb drive inserted into the pi to the console if the pi is plugged into the console usb port
There is also a webserver to control the pi, change settings and send payloads by accessing http://pppwn.local from the console or your pc if you have internet access enabled.
These are models i have tested with but pi-pwn is not limited to these models.
Raspberry Pi 5
Raspberry Pi 4 Model B
Raspberry Pi 400
Raspberry Pi 3B+
Raspberry Pi 2 Model B
Raspberry Pi Zero 2 W with usb to ethernet adapter
Raspberry Pi Zero W with usb to ethernet adapter
ROCK PI 4C Plus with armbian Image
BIGTREETECH BTT Pi V1.2 with armbian minimal
pcDuino3b with armbian Image
You need to install Raspberry Pi OS Lite or Armbian Cli / Minimal onto a sd card.
Place the sd card into the raspberry pi, boot it and connect it to the internet then run the following commands
sudo apt update
sudo apt install git -y
sudo rm -f -r PI-Pwn
sudo systemctl stop pipwn
git clone https://github.com/stooged/PI-Pwn
sudo mkdir /boot/firmware/
cd PI-Pwn
sudo cp -r PPPwn /boot/firmware/
cd /boot/firmware/PPPwn
sudo chmod 777 *
sudo bash install.sh
During the install process you will be asked to set some options.
If you are using a usb to ethernet adapter for the connection to the console you need to select yes
If your pi has an ethernet port and you are using a usb to ethernet adapter your interface for the usb adapter should be eth1
If you are using something like a pi zero 2 the interface will be eth0
Once the pi reboots pppwn will run automatically.
Settings
and then Network
Set Up Internet connection
and choose Use a LAN Cable
Custom
setup and choose PPPoE
for IP Address Settings
ppp
for PPPoE User ID
and PPPoE Password
ppp
Automatic
for DNS Settings
and MTU Settings
Do Not Use
for Proxy Server
For GoldHen you need to place the goldhen.bin file onto the root of a usb drive and plug it into the console.
Once goldhen has been loaded for the first time it will be copied to the consoles internal hdd and the usb is no longer required.
To update goldhen just repeat the above process and the new version will be copied to the internal hdd
If the pi pwn was setup to allow internet access you can use the ftp, klog, and binloader servers on the console
Your pi must be also connected to your home network via wifi or a second ethernet connection
To connect to the servers from your pc just connect to the raspberry pi ip on your network and all requests will be forwarded to the console
For ftp make sure you set the transfer mode on your ftp client software to Active
not passive.
You can put a usb flash drive in the pi and that will be mounted to the console, you must put a folder on the root of the drive called "payloads"
To use this feature you must plug the raspberry pi 4 / 400 / 5 into the consoles usb port using the usb-c connection on the pi.
If you have power issues you can use a usb Y cable to inject power from another source but in my tests both pi variants ran using a single cable.
You can enable the option to detect if goldhen is running in the options which will cause pi-pwn to check if goldhen is active before running pppwn, this is useful for rest mode
If you have the pi powered from the console usb port you must disable "Supply Power to USB Ports" in the rest mode settings of the console.
The console must also use the PPPoe user and pass set for the "console internet connection" of pi-pwn or the defaults if you never changed them which are ppp for both user and password.
If you install FTP to access the pppwn folder for the exploit files you must use your root login user/pass to access the server.
The ftp server uses the standard ports 21 and 20.
If you setup samba to access the pppwn folder for the exploit files you can access the drive on...
\pppwn.localpppwn
or
smb:\pppwn.localpppwn
The share has no user/password required to access it.
Once everything is setup and the ethernet cable is plugged in between the pi and the console the pi should automatically try and pwn the console.
The exploit may fail many times but the pi will continue to purge the console to keep trying to pwn itself.
Once pwned the process will stop and the pi will shut down if you are not using internet access.
The idea is you boot the console and the pi together and the pi will keep trying to pwn the console without any input from you, just wait on the home screen until the process completes
You can edit the exploit scripts by putting the sd card in your computer and going to the PPPwn folder.
The commands above can also be run again to install updates or change the settings.
You can also click the update button on the web ui.
Interface
- this is the lan interface on the pi that is connected to the console.
Firmware version
- version of firmware running on the console.
Time to restart PPPwn if it hangs
- a timeout in minutes to restart pppwn if the exploit hangs mid process.
Led activity
- on selected pi models this will have the leds flash based on the exploit progress.
Use Python version
- enabling this will force the use of the original python pppwn released by TheOfficialFloW
Use GoldHen if available for selected firmware
- if this is not enabled or your firmware has no goldhen available vtx-hen will be used.
Use original source ipv6
- this will force pppwn to use the original ipv6 address that was used in pppwn as on some consoles it increases the speed of pwn.
Use usb ethernet adapter for console connection
- only enable this if you are using a usb to ethernet adapter to connect to the console.
Detect if goldhen is running
- this will make pi-pwn check if goldhen is loaded on the console and skip running pppwn if it is running.
Detect console shutdown and restart PPPwn
- with this enabled if the link is lost between the pi and the console pppwn will be restarted.
Enable verbose PPPwn
- enables debug output from pppwn so you can see the exploit progress.
Enable console internet access
- enabling this will make pi-pwn setup a connection to the console allowing internet access after pppwn succeeds.
Disable DNS blocker
- enabling this will turn off the dns blocker that blocks certain servers that are used for updates and telemetry.
Shutdown PI after PWN
- if enabled this will make the pi shutdown after pppwn succeeds.
Enable usb drive to console
- on selected pi models this will allow a usb drive in the pi to be passed through to the console.
Ports
- this is a list of ports that are forwarded from the pi to the console, single ports or port ranges can be used.
All credit goes to TheOfficialFloW, xfangfang, SiSTR0, Vortex, EchoStretch and many other people who have made this project possible.