Why “eggsploit” is random.
July 9th, 2009 silverspringSo, a lot of people have been complaining about the unstability of the TIFF “eggsploit” (and thus the successful booting of HEN). The exploit relies on hardcoded memory addresses to succeed however a piece of code in the firmware ensures that memory addresses can randomly change.
As the vshbridge.prx is loaded and starts, two fixed memory pools are created and used for nothing else but random padding. The size of these mem pools are randomly assigned based on the system time. This can therefore affect the memory addresses of where modules are loaded into ram and therefore affect the hardcoded addresses the TIFF exploit relies on.
The code for the random memory padding (executed on vshbridge module_start):
-
int _vshVshBridgeStart()
-
{
-
_vshPowerCallbackInit();
-
sceImposeSetStatus(4);
-
sceUmdSetSuspendResumeMode(1);
-
-
int size;
-
int time = sceKernelGetSystemTimeLow(); // time since system start
-
-
if (time & 3 == 0)
-
{
-
size = 0×400; // 1 KByte
-
}
-
else if (time & 3 == 1)
-
{
-
size = 0×300; // 768 Bytes
-
}
-
else if (time & 3 == 2)
-
{
-
size = 0×200; // 512 Bytes
-
}
-
else if (time & 3 == 3)
-
{
-
size = 0×100; // 256 Bytes
-
}
-
-
sceKernelCreateFpl("SceVshRandomTopPadding", 2, 0, size, 1, NULL);
-
-
-
if ((time & 0xF)>> 2 == 0)
-
{
-
size = 0×400; // 1 KByte
-
}
-
else if ((time & 0xF)>> 2 == 1)
-
{
-
size = 0×300; // 768 Bytes
-
}
-
else if ((time & 0xF)>> 2 == 2)
-
{
-
size = 0×200; // 512 Bytes
-
}
-
else if ((time & 0xF)>> 2 == 3)
-
{
-
size = 0×100; // 256 Bytes
-
}
-
-
sceKernelCreateFpl("SceVshRandomBottomPadding", 2, 0×4000, size, 1, NULL);
-
-
return 0;
-
}
This bit of random padding code was added in 2.50 firmware and still exists in the latest firmwares.
Because HEN uses the TIFF exploit to run there is nothing the HEN could do to improve it’s chances of booting successfully. It may be that it’s simply random luck.
Note: there is no doubt there are also many other factors which could affect the stability of the TIFF “eggsploit”.
