This repository contains buildroot external tree for building a minimal Linux image to host pOOBs4 web server and emulate its exfathax USB.
Clone the repository and download/clone buildroot 2022.02:
git clone --recurse-submodules https://github.com/Shivelight/pOOBs4-buildroot
git clone -b 2022.02 --depth 1 https://github.com/buildroot/buildroot
Alternatively, you can shallow clone:
git clone --depth 1 --recurse-submodules --shallow-submodules https://github.com/Shivelight/pOOBs4-buildroot.git
git clone -b 2022.02 --depth 1 https://github.com/buildroot/buildroot
Configure buildroot to use BR2_EXTERNAL tree and start building. Replace <your_board_defconfig>
with your board defconfig available in configs/ directory or from the Supported Board section:
cd buildroot
make BR2_EXTERNAL=../pOOBs4-buildroot/ <your_board_defconfig>
make
The final image is saved here output/images/sdcard.img
.
Below is the currently supported board with defconfig ready to use.
- Banana Pi M2 Zero [
bananapi_m2_zero_poobs4_defconfig
] - Orange Pi Zero / Orange Pi Zero LTS [
orangepi_zero_poobs4_defconfig
] - Orange Pi Zero Plus2 [
orangepi_zero_plus2_poobs4_defconfig
] - Raspberry Pi 4 Model B [
raspberrypi4_poobs4_defconfig
] - Raspberry Pi Zero W [
raspberrypi0w_poobs4_defconfig
] - Raspberry Pi Zero 2 W [
raspberrypizero2w_poobs4_defconfig
] - your board?
Note: You need a board with a USB OTG port for exfathax emulation. All boards listed should have a built-in USB OTG port unless stated otherwise.
Download the image for your board from the release page or build it yourself. Then write the image to your SD card using dd
:
sudo dd if=output/images/sdcard.img of=/dev/sdX bs=4M
Alternatively, you can use:
- USBImager on Windows/Mac/Linux
- balenaEtcher on Windows/Mac/Linux
- Rufus on Windows
This section is here to warn you to backup any customization you made or, better yet, fork this repo and do your customization there. Writing image to SD card destroy its existing content.
To update see Installing.
Insert SD card and plug the board into PS4 using the USB OTG port. You don't need another power cable; your board will draw power from PS4. It may take 30 seconds to boot up for the first time. Afterward, it should only take ≤5 seconds.
Note: SuperSpeed USB (USB 3.1 Gen 1), which PS4 uses, has a maximum power output of 5V/0.9A. Consider this.
Follow these steps to connect your PS4 to the board:
- On your PS4 go to
Settings
->Network
->Set Up Internet Connection
->Use Wi-Fi
->Custom
- Select pOOBs4 on the list
- When asked for the password, input: 12345678
- Now, for each step, select:
- IP Address Settings: Automatic
- DHCP Host Name: Do Not Specify
- DNS Settings: Automatic
- MTU Settings: Automatic
- Proxy Server: Do Not Use
- You are set!
You can run the actual pOOBs4 exploit either by visiting http://10.0.0.1/ from the PS4 browser or from Settings
-> User's Guide/Helpful Info
-> User's Guide
. The host is based on Leeful's 9v4 (w/ GoldHEN v2.0b2), slightly modified to use the USB emulation.
Use Payload Guest.
You can SSH/SFTP to the board using the root
user; the board IP is set to 10.0.0.1
(wlan) by default.
The root
user does not have a password. You can set a new password if you want using passwd
.
If the default host is not your taste, you are free to use your favorite host. All you need to do is to include this snippet and call the right script at the right time, usually before alert();
and after the exploit is done.
function CallCgi(script) {
var xmlHttpRequest = new XMLHttpRequest();
// GET request is not working on PS4?
xmlHttpRequest.open("POST", "/cgi-bin/" + script, true);
xmlHttpRequest.send();
}
Example:
...
chain.run();
// Load exfathax emulation
CallCgi("load_mass_storage");
alert("\n\n⚠⚠⚠ Emulating exfathax USB ⚠⚠⚠\nClick OK when you see the 'USB unsupported' popup notification.");
{
for (var i = 1; i < NUM_KQUEUES; i += 2) {
chain.fcall(window.syscalls[6], kqueues[i]);
}
}
chain.run();
// Unload exfathax emulation
CallCgi("unload_mass_storage");
if (chain.syscall(23, 0).low == 0) {
return;
}
alert("Exploit Failed! You can try again but it is advisable to reboot instead.");
p.write8(0, 0);
return;
...
Delete everything inside the httpd
root directory (default: /var/www/html
) but keep:
cgi-bin
directoryexfathax.img
/exfathax_pico.img
404.html
redirect.manifest
then copy your custom host. That's it.
Alternatively, you can keep the default host intact by changing httpd
root directory in /etc/httpd.conf
. Copy the files and directory listed above to your new httpd
root. You may need to update the scripts for it to be working on the new root directory.
load_mass_storage
unload_mass_storage
You can add your own, the scripts are located at /var/www/html/cgi-bin
Inspired by semver major.minor.patch
, I decided to use core.board.patch
.
core
: core functionality, increase when a new function is introduced.board
: total supported board, does not reset whencore
is incremented.patch
: incremented when core function or board specific bug fix/change is introduced.
- PS4RaspberryPi: Similar project with more features, only Raspberry Pi boards are supported.
- ESP32-Server-900u: pOOBs4 on ESP32-S2 / ESP32-S3.
This project is licensed under the GPL-2.0 license.
See LICENSE for more information.