A self-hosted PPPwn appliance that runs in a Proxmox LXC container and exposes a browser-based UI for launching the exploit against a PlayStation 4.
The original PPPwn project assumes you have a spare Linux machine, a Raspberry Pi, or one of the Luckfox PPPwn ports. If you already run Proxmox, you don't need any of that — a small LXC with the host's PPP kernel modules works fine, and a tiny Flask app turns the whole thing into a one-click operation.
+----------+ +-------------------+ +----------------+
| PS4 | <----> | switch / vmbr0 | <----> | pwnbox LXC |
| (PPPoE) | L2 | (Proxmox bridge) | L2 | (pppwn binary) |
+----------+ +-------------------+ +----------------+
|
web UI :8080
|
(you)
- The PS4 is configured for a PPPoE internet connection (any username/password).
- The PS4 broadcasts PPPoE discovery frames on its LAN segment.
- The pwnbox LXC, bridged onto the same L2 broadcast domain (vmbr0), answers the discovery and starts a PPP session.
- During PPP negotiation, the
pppwnbinary triggers CVE-2006-4304 in the PS4 kernel and loads a payload that enables homebrew/Goldhen. - The web UI streams
pppwnoutput back to your browser in real time over Server-Sent Events.
Because PPPoE is layer 2, the PS4 must be on the same broadcast domain as the container. With the default bridge=vmbr0 config, that means plugged into your LAN (or anywhere a broadcast frame from the PS4 reaches the Proxmox host).
PPPwn just needs a Linux box with /dev/ppp and the pppoe kernel module. An LXC shares the host kernel and adds maybe 5 MB of RAM overhead — there's no reason to spin up a full VM. The container is privileged because it needs raw sockets and access to /dev/ppp, but it has no other special requirements.
The included pppwn binary supports PS4 firmware versions 7.00 through 11.00 (both inclusive). Stages are bundled in the upstream repo. Select your firmware in the web UI before running.
pwnbox/
├── README.md # this file
├── web/
│ ├── app.py # Flask app, runs in the LXC
│ ├── templates/
│ │ └── index.html # UI: firmware picker + Run button + live log
│ ├── static/
│ │ └── style.css
│ └── requirements.txt
├── scripts/
│ └── install.sh # provisions PPPwn + web app inside the LXC
└── systemd/
└── pwnbox.service # runs the Flask app at boot
The actual Proxmox LXC creation lives in the companion script deployer/deploy_pwnbox.py in the myhome infra repo — this repo is just the runtime artifact that ends up inside the container.
From a checkout of the myhome repo:
python deployer\deploy_pwnbox.pyThe deploy script will:
- Load the
pppoekernel module on the Proxmox host (idempotent). - Create a privileged LXC on smallprox with
/dev/ppppassthrough andNET_RAW/NET_ADMINcaps. - Bridge
eth0tovmbr0so the PS4 can reach it at L2. - Clone PPPwn, compile the fast C version.
- Push this repo's
web/,scripts/, andsystemd/files into the container. - Install Python deps and enable
pwnbox.service. - Print the web UI URL.
After deploy, open the UI, pick your firmware, plug the PS4 into your LAN, set its network to PPPoE, and hit Run PPPwn.
- Browse to
http://<lxc-ip>:8080 - Pick PS4 firmware (e.g.
11.00) - Click Run PPPwn — the page will start streaming the binary's stdout
- On the PS4: Settings → Network → Set Up Internet Connection → Use a LAN Cable → Custom → PPPoE
- PPPoE User ID: anything (
ppp) - PPPoE Password: anything (
ppp) - All other settings: leave defaults
- PPPoE User ID: anything (
- The PS4 will dial; pwnbox answers; the exploit fires; the PS4 reboots into the loaded payload.
If it doesn't land first try, just hit Run PPPwn again — the exploit is famously flaky and 3–5 attempts is normal.
The web UI has no authentication. Anyone on your LAN who can reach port 8080 can trigger PPPoE sessions. This is fine for a home network but don't expose it to Tailscale, the internet, or a guest VLAN without putting something in front of it.
- TheOfficialFloW — original exploit, the actual hard work
- 0x1iii1ii/PPPwn-Luckfox — embedded port that inspired this "but with Proxmox" version