From 47f34183b2bb04e9dcc39389a3f09aad996781c0 Mon Sep 17 00:00:00 2001
From: xfangfang <2553041586@qq.com>
Date: Wed, 22 May 2024 13:52:38 +0800
Subject: [PATCH] Add wait-after-pin option
---
 README.md | 4 +++-
 include/exploit.h | 3 +++
 src/exploit.cpp | 6 +++++-
 src/main.cpp | 7 ++++++-
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 10315f5..f22687e 100644
--- a/README.md
+++ b/README.md
@@ -45,13 +45,15 @@ pppwn --interface en0 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --ti - `-s1` `--stage1`: the path to the stage1 payload (default: `stage1/stage1.bin`) - `-s2` `--stage2`: the path to the stage2 payload (default: `stage2/stage2.bin`) - `-t` `--timeout`: the timeout in seconds for ps4 response, 0 means always wait (default: `0`) +- `-wap` `--wait-after-pin`: the waiting time in seconds after first round CPU pinning (default: `1`) - `-a` `--auto-retry`: automatically retry when fails or timeout - `-nw` `--no-wait-padi`: don't wait one more [PADI](https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet#Client_to_server:_Initiation_(PADI)) before starting the exploit Supplement: 1. For `--timeout`, `PADI` is not included, which allows you to start `pppwn_cpp` before the ps4 is launched. -2. For `--no-wait-padi`, by default, `pppwn_cpp` will wait for two `PADI` request, according to [PPPwn/pull/48](https://github.com/TheOfficialFloW/PPPwn/pull/48) this helps to improve stability. You can turn off this feature with this parameter if you don't need it. +2. For `--no-wait-padi`, by default, `pppwn_cpp` will wait for two `PADI` request, according to [TheOfficialFloW/PPPwn/pull/48](https://github.com/TheOfficialFloW/PPPwn/pull/48) this helps to improve stability. You can turn off this feature with this parameter if you don't need it. +3. For `--wait-after-pin`, according to [SiSTR0/PPPwn/pull/1](https://github.com/SiSTR0/PPPwn/pull/1) set this parameter to `20` helps to improve stability (not work for me). # Development
diff --git a/include/exploit.h b/include/exploit.h
index c70615b..6b2749f 100644
--- a/include/exploit.h
+++ b/include/exploit.h
@@ -94,6 +94,8 @@ class Exploit {
 void setWaitPADI(bool wait);
+ void setWaitAfterPin(int wait);
+
 void closeInterface();
 void updateSourceMac(uint64_t value);
@@ -145,4 +147,5 @@ class Exploit {
 bool auto_retry{};
 bool wait_padi{};
 int timeout{};
+ int wait_after_pin{1};
 };
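Review bot: The new `setWaitAfterPin` declaration and the `wait_after_pin{1}` member in the exploit.h hunks carry no comment, so a reader of the header cannot tell what unit the value is in or where it is consumed, and the unit matters because stage1() multiplies it by 1000 before sleeping. I would add `/// Seconds to sleep after the first CPU-pinning round in stage1() (default 1); set from --wait-after-pin.` above the declaration and a matching `// seconds; see setWaitAfterPin()` on the member. A smaller style point: the declaration names the parameter `wait` while the definition in exploit.cpp names it `value`, the same mismatch `setWaitPADI` already has; picking one name would keep the header and source in step. The `class Exploit` body starts and ends outside both hunks.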
diff --git a/src/exploit.cpp b/src/exploit.cpp
index aaf3b7a..e22f240 100644
--- a/src/exploit.cpp
+++ b/src/exploit.cpp
@@ -201,6 +201,10 @@ void Exploit::setWaitPADI(bool value) {
 this->wait_padi = value;
 }
+void Exploit::setWaitAfterPin(int value) {
+ this->wait_after_pin = value;
+}
+
 void Exploit::closeInterface() {
 if (this->dev != nullptr) this->dev->close();
 this->dev = nullptr;
@@ -790,7 +794,7 @@ int Exploit::stage1() {
 std::cout << "\r[+] Pinning to CPU 0...done" << std::endl;
 // LCP fails sometimes without the wait
- pcpp::multiPlatformMSleep(1000);
+ pcpp::multiPlatformMSleep(wait_after_pin * 1000);
 // Corrupt in6_llentry object
 {
diff --git a/src/main.cpp b/src/main.cpp
index 9209c98..73e686d 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -114,6 +114,7 @@ int main(int argc, char *argv[]) {
 std::string interface, stage1 = "stage1/stage1.bin", stage2 = "stage2/stage2.bin";
 int fw = 1100;
 int timeout = 0;
+ int wait_after_pin = 1;
 bool retry = false;
 bool no_wait_padi = false;
@@ -124,6 +125,8 @@ int main(int argc, char *argv[]) {
 "stage2 binary (default: stage2/stage2.bin)" % option("-s2", "--stage2") & value("STAGE2", stage2), \
 "timeout in seconds for ps4 response, 0 means always wait (default: 0)" % option("-t", "--timeout") & integer("seconds", timeout), \
+ "Waiting time in seconds after the first round CPU pinning (default: 1)" %
+ option("-wap", "--wait-after-pin") & integer("seconds", wait_after_pin), \
 "automatically retry when fails or timeout" % option("-a", "--auto-retry").set(retry), \
 "don't wait one more PADI before starting" % option("-nw", "--no-wait-padi").set(no_wait_padi) ) | \
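Review bot: `pcpp::multiPlatformMSleep(wait_after_pin * 1000)` in the stage1() hunk is computed from an `int` that arrives straight from the `--wait-after-pin` option with no range check anywhere: not here, not in the new `setWaitAfterPin`, and not where the main.cpp hunk at -124 parses it with `integer("seconds", wait_after_pin)`. A negative value becomes a very long sleep if `multiPlatformMSleep` takes an unsigned millisecond count, as I recall PcapPlusPlus's does, and any value above 2147483 overflows the `int` multiplication, which is undefined behaviour rather than a merely odd delay. The cheapest fix is to clamp in the setter, `this->wait_after_pin = value < 0 ? 0 : value;`, and to bound the upper end at the parser or state the accepted range in the option's help text. stage1() begins and ends outside this hunk.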
@@ -144,7 +147,7 @@ int main(int argc, char *argv[]) {
 }
 std::cout << "[+] args: interface=" << interface << " fw=" << fw << " stage1=" << stage1 << " stage2=" << stage2
- << " timeout=" << timeout
+ << " timeout=" << timeout << " wait-after-pin=" << wait_after_pin
 << " auto-retry=" << (retry ? "on" : "off") << " no-wait-padi=" << (no_wait_padi ? "on" : "off") << std::endl;
@@ -167,9 +170,11 @@ int main(int argc, char *argv[]) {
 exploit.setTimeout(timeout);
 exploit.setWaitPADI(!no_wait_padi);
+ exploit.setWaitAfterPin(wait_after_pin);
 if (!retry) return exploit.run();
 while (exploit.run() != 0) {
+ exploit.setWaitAfterPin(1);
 exploit.ppp_byebye();
 std::cerr << "[*] Retry after 5s..." << std::endl;
 std::this_thread::sleep_for(std::chrono::seconds(5));
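Review bot: `exploit.setWaitAfterPin(1);` at the top of the retry loop in the -167 hunk silently discards the value the user passed with `--wait-after-pin` on every retry, while the `[+] args:` line from the -144 hunk still reports the original value, so the log is misleading from the second attempt onward. If falling back to one second on retry is intentional it deserves a comment, e.g. `// retries use the default 1s post-pin wait regardless of --wait-after-pin`, plus a log line stating the value actually in effect; if it is not intentional the line should simply go. main()'s body continues outside the hunk.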