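/*
 * Decrypt the Hermes payload from the BDEMU image and launch it in LV2.
 *
 * fd: open descriptor handed to bdemu_payload() (the image source).
 * Returns 0 on success, -1 if bdemu_payload() did not return a buffer.
 *
 * Each PAYLOAD_MOD-byte chunk is XORed with BDEMU_DECRYPT and poked into
 * LV2 at LV2_Hermes_ADDR + offset. The syscall-9 patch address and the
 * launch address are hard-coded, so this only matches the firmware those
 * constants were taken from; no runtime firmware check is done here.
 *
 * Fix: the original dereferenced the bdemu_payload() result without a
 * NULL check. The loop index is now unsigned to match payload_size.
 * Assumes PAYLOAD_MOD == sizeof(u64) and that payload_size is a multiple
 * of it — otherwise the last memcpy() reads past the buffer (unchanged
 * from the original) — TODO confirm against the BDEMU constants.
 */
int payload_hermes(s32 fd)
{
    u64 payload_size = BDEMU_Hermes_SIZE;
    u8 *payload = bdemu_payload(fd, BDEMU_Hermes_OFFSET, payload_size);
    u64 off;
    u64 value;

    /* A NULL buffer would otherwise be dereferenced in memcpy() below. */
    if (!payload) {
        return -1;
    }

    /* Decrypt and copy the payload into LV2 one PAYLOAD_MOD-byte word at a time. */
    for (off = 0; off < payload_size; off += PAYLOAD_MOD) {
        value = 0;
        memcpy(&value, &payload[off], PAYLOAD_MOD);
        value ^= BDEMU_DECRYPT;
        lv2poke(LV2_Hermes_ADDR + off, value);
    }

    /* Patch LV2: syscall 9 becomes "mtctr r3 ; bctr" (jump to r3). */
    lv2poke(0x8000000000017CE0ULL, 0x7C6903A64E800420ULL);
    __asm__("sync");
    sleep(1);

    /* Launch the payload. */
    lv2launch(LV2_Hermes_ADDR);
    __asm__("sync");
    sleep(1);

    free(payload);
    return 0;
}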
/*
 * Relax the LV2 protection on 3.55 DEX by rewriting four consecutive
 * 64-bit words starting at HV_BASE_355DEX + 0x363a78.
 *
 * The values are opaque constants taken from that firmware; they are
 * written in ascending address order, one lv2poke() per word.
 */
void patch_lv2_protection_355dex()
{
    static const unsigned long long words[4] = {
        0x0000000000000001ULL,
        0xe0d251b556c59f05ULL,
        0xc232fcad552c80d7ULL,
        0x65140cd200000000ULL,
    };
    int n;

    for (n = 0; n < 4; n++) {
        lv2poke(HV_BASE_355DEX + 0x363a78 + (unsigned long long)(n * 8), words[n]);
    }
}
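/*
 * Install (opt == 0) or remove (opt == 1) a redirect of the LV2 syscall
 * at HVSC_SYSCALL_ADDR to hypervisor call number `hvcall`.
 *
 * The installed stub is four 64-bit words of PowerPC code:
 *   mflr r0 ; std r0,16(r1)       0x7C0802A6 0xF8010010
 *   li r11,hvcall ; sc 1          0x39600000|hvcall 0x44000022
 *   ld r0,16(r1) ; mtlr r0        0xE8010010 0x7C0803A6
 *   blr ; nop                     0x4E800020 0x60000000
 *
 * Bug fixed: the original re-read the "original" words at the top of
 * every call, so a remove request made after an install saved and wrote
 * back the redirect stub itself and never restored the real code. The
 * pristine words are now captured once, on first install, in file-scope
 * state and written back on remove; a remove without a prior install is
 * a no-op. Any other opt value does nothing.
 *
 * The 25 repeated writes with a `sync` between them are kept from the
 * original; presumably they work around the write not taking effect on
 * the first attempt — TODO confirm.
 */
static uint64_t hvsc_saved_words[4];
static int hvsc_saved_valid = 0;

void hvsc_redirect(uint8_t hvcall, uint8_t opt)
{
    uint64_t words[4];
    int k;
    int x;

    if (opt == 0) {
        /* Capture the pristine syscall code only once, before overwriting it. */
        if (!hvsc_saved_valid) {
            for (k = 0; k < 4; k++) {
                hvsc_saved_words[k] = lv2peek(HVSC_SYSCALL_ADDR + (uint64_t)(k * 8));
            }
            hvsc_saved_valid = 1;
        }
        words[0] = 0x7C0802A6F8010010ULL;
        words[1] = 0x3960000044000022ULL | ((uint64_t)hvcall << 32);
        words[2] = 0xE80100107C0803A6ULL;
        words[3] = 0x4e80002060000000ULL;
    } else if (opt == 1) {
        /* Nothing was installed through this function: nothing to restore. */
        if (!hvsc_saved_valid) {
            return;
        }
        for (k = 0; k < 4; k++) {
            words[k] = hvsc_saved_words[k];
        }
        hvsc_saved_valid = 0;
    } else {
        return;
    }

    for (x = 0; x < 25; x++) {
        lv2poke(HVSC_SYSCALL_ADDR, words[0]);
        lv2poke(HVSC_SYSCALL_ADDR + 8, words[1]);
        lv2poke(HVSC_SYSCALL_ADDR + 16, words[2]);
        lv2poke(HVSC_SYSCALL_ADDR + 24, words[3]);
        __asm__("sync");
    }
}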
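/*
 * Decrypt the Dean (3.6x) payload from the BDEMU image, install it in
 * LV2 and apply the syscall-36 patches, then map /dev_bdvd via sys36.
 *
 * fd: open descriptor handed to bdemu_payload().
 * Returns 0 on success, -1 if LV2 protection could not be removed or
 * bdemu_payload() did not return a buffer.
 *
 * The LV2 patch addresses are hard-coded for the firmware the Dean36
 * constants were taken from; no runtime firmware check is done here.
 *
 * Fix: the original dereferenced the bdemu_payload() result without a
 * NULL check. The loop index is now unsigned to match payload_size.
 * Assumes PAYLOAD_MOD == sizeof(u64) and that payload_size is a multiple
 * of it — TODO confirm against the BDEMU constants.
 */
int payload_dean(s32 fd)
{
    u64 payload_size;
    u8 *payload;
    u64 off;
    u64 value;
    u64 addr;

    /* Remove LV2 protection first; nothing below is safe to poke until it is. */
    if (remove_protection() != 0) {
        return -1;
    }

    payload_size = BDEMU_Dean36_SIZE;
    payload = bdemu_payload(fd, BDEMU_Dean36_OFFSET, payload_size);
    /* A NULL buffer would otherwise be dereferenced in memcpy() below. */
    if (!payload) {
        return -1;
    }

    /* Decrypt and copy the payload into LV2. Chunks at or beyond
     * LV2_Dean36_PAD_OFFSET are shifted up by LV2_Dean36_PAD_SIZE,
     * presumably to skip a region that must stay intact — confirm. */
    for (off = 0; off < payload_size; off += PAYLOAD_MOD) {
        value = 0;
        memcpy(&value, &payload[off], PAYLOAD_MOD);
        value ^= BDEMU_DECRYPT;
        addr = LV2_Dean36_ADDR + off;
        if (off >= LV2_Dean36_PAD_OFFSET) {
            addr += LV2_Dean36_PAD_SIZE;
        }
        lv2poke(addr, value);
    }

    /* Patch LV2 (0x60000000 is a nop). */
    lv2poke32(0x8000000000055f14ULL, 0x60000000); //Syscall 36 Patches
    lv2poke32(0x8000000000055f1cULL, 0x48000098); //Syscall 36 Patches
    lv2poke32(0x800000000007af68ULL, 0x60000000); //Syscall 36 Patches
    lv2poke32(0x800000000007af7cULL, 0x60000000); //Syscall 36 Patches
    lv2poke32(0x8000000000055ea4ULL, 0x60000000); //Fix 8001003D error
    lv2poke32(0x8000000000055f68ULL, 0x3be00000); //Fix 8001003E error
    lv2poke(0x80000000002b3274ULL, 0x480251ec2ba30420ULL); //Jump Hook
    lv2poke(0x8000000000346690ULL, 0x80000000002be570ULL); //syscall_map_open_desc - sys36

    lv2sc36("/dev_bdvd");

    free(payload);
    return 0;
}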
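/*
 * Decrypt the Skywalk payload from the BDEMU image, install it in LV2
 * and apply the syscall-36 patches plus the sys8 / sys36 descriptor hooks.
 *
 * fd: open descriptor handed to bdemu_payload().
 * Returns 0 on success, -1 if LV2 protection could not be removed or
 * bdemu_payload() did not return a buffer.
 *
 * The LV2 patch addresses are hard-coded for the firmware the Skywalk
 * constants were taken from; no runtime firmware check is done here.
 *
 * Fix: the original dereferenced the bdemu_payload() result without a
 * NULL check. The loop index is now unsigned to match payload_size.
 * Assumes PAYLOAD_MOD == sizeof(u64) and that payload_size is a multiple
 * of it — TODO confirm against the BDEMU constants.
 */
int payload_sky(s32 fd)
{
    u64 payload_size;
    u8 *payload;
    u64 off;
    u64 value;
    u64 addr;

    /* Remove LV2 protection first; nothing below is safe to poke until it is. */
    if (remove_protection() != 0) {
        return -1;
    }

    payload_size = BDEMU_Skywalk_SIZE;
    payload = bdemu_payload(fd, BDEMU_Skywalk_OFFSET, payload_size);
    /* A NULL buffer would otherwise be dereferenced in memcpy() below. */
    if (!payload) {
        return -1;
    }

    /* Decrypt and copy the payload into LV2. Chunks at or beyond
     * LV2_Skywalk_PAD_OFFSET are shifted up by LV2_Skywalk_PAD_SIZE,
     * presumably to skip a region that must stay intact — confirm. */
    for (off = 0; off < payload_size; off += PAYLOAD_MOD) {
        value = 0;
        memcpy(&value, &payload[off], PAYLOAD_MOD);
        value ^= BDEMU_DECRYPT;
        addr = LV2_Skywalk_ADDR + off;
        if (off >= LV2_Skywalk_PAD_OFFSET) {
            addr += LV2_Skywalk_PAD_SIZE;
        }
        lv2poke(addr, value);
    }

    /* Patch LV2 (0x60000000 is a nop). */
    lv2poke32(0x8000000000055f14ULL, 0x60000000); //Syscall 36 Patches
    lv2poke32(0x8000000000055f1cULL, 0x48000098); //Syscall 36 Patches
    lv2poke32(0x800000000007af68ULL, 0x60000000); //Syscall 36 Patches
    lv2poke32(0x800000000007af7cULL, 0x60000000); //Syscall 36 Patches
    lv2poke32(0x8000000000055ea4ULL, 0x60000000); //Fix 8001003D error
    lv2poke32(0x8000000000055f68ULL, 0x3be00000); //Fix 8001003E error
    lv2poke(0x80000000002b3298ULL, 0x4bd5bda04bd9b411ULL); //Jump Hook
    lv2poke(0x80000000003465b0ULL, 0x800000000000f2e0ULL); //syscall_8_desc - sys8
    lv2poke(0x8000000000346690ULL, 0x800000000000f010ULL); //syscall_map_open_desc - sys36

    free(payload);
    return 0;
}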
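/*
 * Install the disc-less storage payload (ps3_storage_bin) into LV2 at
 * PAYLOAD_BASE and point seven syscall-table slots into it.
 *
 * The install is skipped when LV2 word 0x4E8 is already non-zero (taken
 * as "already installed"); send_async_data_table() runs either way.
 * Requires syscall_base to be set; shows a dialog and returns otherwise.
 * Calls exit(0) when the staging buffer cannot be allocated (unchanged).
 *
 * Staging-buffer layout written here: word 1 = syscall_base; even words
 * 2..14 are relocated by PAYLOAD_BASE; odd words 3..15 receive the
 * current (pre-hook) table entries of syscalls 40, 130, 879, 864, 619,
 * 837 and 609, in that order. Those slots are then re-pointed into the
 * payload at 0x10-byte steps. The 200 repeated writes with a 10 ms pause
 * are kept from the original; presumably they ensure the pokes take
 * effect — TODO confirm.
 *
 * Bug fixed: the early return on an empty syscall_base leaked the
 * staging buffer (the sibling mamba loader frees it on that path).
 *
 * NOTE(review): the relocation table reads addr[0..15] (128 bytes) but
 * the buffer is only ps3_storage_bin_size + 31 bytes; the blob must be
 * at least that large — confirm.
 */
void load_ps3_discless_payload()
{
    u64 *addr = (u64 *)memalign(8, ps3_storage_bin_size + 31);
    int n;

    if (!addr) {
        DrawDialogOK("Shit! full memory");
        exit(0);
    }
    if (!syscall_base) {
        DrawDialogOK("syscall_base is empty!");
        free(addr); /* was leaked on this path */
        return;
    }

    if (!lv2peek(0x80000000000004E8ULL)) {
        write_htab();
        PAYLOAD_BASE = 0x80000000007FE000ULL;

        memcpy((char *)addr, (char *)ps3_storage_bin, ps3_storage_bin_size);

        addr[1] = syscall_base;
        addr[2] += PAYLOAD_BASE; // sys 40
        addr[3] = lv2peek(syscall_base + (u64)(40 * 8));
        addr[4] += PAYLOAD_BASE;
        addr[5] = lv2peek(syscall_base + (u64)(130 * 8));
        addr[6] += PAYLOAD_BASE;
        addr[7] = lv2peek(syscall_base + (u64)(879 * 8));
        addr[8] += PAYLOAD_BASE;
        addr[9] = lv2peek(syscall_base + (u64)(864 * 8));
        addr[10] += PAYLOAD_BASE;
        addr[11] = lv2peek(syscall_base + (u64)(619 * 8));
        addr[12] += PAYLOAD_BASE;
        addr[13] = lv2peek(syscall_base + (u64)(837 * 8));
        addr[14] += PAYLOAD_BASE;
        addr[15] = lv2peek(syscall_base + (u64)(609 * 8));

        for (n = 0; n < 200; n++) {
            lv2poke(0x80000000000004E8ULL, PAYLOAD_BASE);
            /* Copy length rounded up to a multiple of 8. */
            sys8_memcpyinstr(PAYLOAD_BASE, (u64)addr, (u64)((ps3_storage_bin_size + 7) & ~7));
            lv2poke(syscall_base + (u64)(40 * 8), PAYLOAD_BASE + 0x10ULL);  // syscall management
            lv2poke(syscall_base + (u64)(130 * 8), PAYLOAD_BASE + 0x20ULL); // sys_event_queue_receive
            lv2poke(syscall_base + (u64)(879 * 8), PAYLOAD_BASE + 0x30ULL); // sys_ss_media_id
            lv2poke(syscall_base + (u64)(864 * 8), PAYLOAD_BASE + 0x40ULL); // storage_manager
            lv2poke(syscall_base + (u64)(619 * 8), PAYLOAD_BASE + 0x50ULL); // sys_storage_async_send_device_command
            lv2poke(syscall_base + (u64)(837 * 8), PAYLOAD_BASE + 0x60ULL); // sys_fs_mount
            lv2poke(syscall_base + (u64)(609 * 8), PAYLOAD_BASE + 0x70ULL); // sys_storage_get_device_info
            usleep(10000);
        }
        sleep(1);
    }

    free(addr);
    send_async_data_table();
}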
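/*
 * Load the MAMBA payload for the running firmware from disk, decompress
 * it, copy it into freshly allocated LV2 memory and point syscall-table
 * slot 40 at it.
 *
 * Returns true if MAMBA is running afterwards (or was already running,
 * sys8_mamba() == 0x666), false if syscall_base is unset, the payload
 * file is missing or smaller than 20000 bytes, or the decompressed size
 * does not fit the staging buffer. Calls exit(0) when host or LV2 memory
 * cannot be allocated (kept from the original).
 *
 * Fixes over the original:
 *  - the payload path was built with sprintf() into a MAXPATHLEN buffer
 *    from self_path with no bound; it is now built with snprintf() and a
 *    truncated path is treated the same as a missing file;
 *  - a NULL LoadFile() result is rejected before decompression;
 *  - out_size is initialised, and after rounding up to the LV2 allocation
 *    size it is checked against the 0x20000-byte staging buffer, since
 *    that many bytes are copied out of it.
 * NOTE(review): zlib_decompress() is given no output bound here; whether
 * it can overrun the 0x20000 buffer depends on its implementation —
 * confirm.
 */
bool load_ps3_mamba_payload()
{
    char payload_file[MAXPATHLEN];
    u64 *addr;
    u64 lv2_mem;
    char *mamba_payload;
    int file_size = 0;
    int out_size = 0;
    int len;
    int n;

    if (sys8_mamba() == 0x666) {
        return true; /* MAMBA is already running */
    }
    if (!syscall_base) {
        DrawDialogOK("syscall_base is empty!");
        return false;
    }

    len = snprintf(payload_file, sizeof payload_file, "%s/USRDIR/mamba/mamba_%X.lz.bin", self_path, firmware);
    if (len < 0 || (size_t)len >= sizeof payload_file) {
        payload_file[0] = '\0'; /* truncated: treat as not found */
    }
#ifdef LASTPLAY_LOADER
    if (payload_file[0] == '\0' || file_exists(payload_file) == false) {
        snprintf(payload_file, sizeof payload_file, "/dev_hdd0/game/IRISMAN00/USRDIR/mamba/mamba_%X.lz.bin", firmware);
    }
#endif
    if (payload_file[0] == '\0' || file_exists(payload_file) == false) {
        return false;
    }

    write_htab();

    addr = (u64 *)memalign(128, 0x20000);
    if (!addr) {
        DrawDialogOK("Memory is full");
        exit(0);
    }
    memset((char *)addr, 0, 0x20000);

    mamba_payload = LoadFile((char *)payload_file, &file_size);
    if (!mamba_payload || file_size < 20000) {
        free(mamba_payload);
        free(addr);
        return false;
    }

    zlib_decompress((char *)mamba_payload, (char *)addr, file_size, &out_size);
    free(mamba_payload);

    /* Round up to the LV2 allocation size; the same count is copied out
     * of the 0x20000-byte staging buffer, so it must not exceed it. */
    out_size = (out_size + 0x4000) & ~127;
    if (out_size <= 0 || out_size > 0x20000) {
        free(addr);
        return false;
    }

    lv2_mem = sys8_alloc(out_size, 0x27ULL); // alloc LV2 memory
    if (!lv2_mem) {
        free(addr);
        DrawDialogOK("LV2 memory is full!");
        exit(0);
    }

    /* Repeated writes kept from the original; presumably to make sure the
     * copy and the slot-40 hook take effect — TODO confirm. */
    for (n = 0; n < 100; n++) {
        lv2poke(lv2_mem, lv2_mem + 0x8ULL);
        sys8_memcpy(lv2_mem + 8, (u64)addr, out_size);
        lv2poke(syscall_base + (u64)(40 * 8), lv2_mem); // syscall management
        lv2poke(0x80000000000004E8ULL, 0);
        usleep(1000);
    }

    free(addr);
    return true;
}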
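/*
 * Install the embedded MAMBA payload for the running firmware (4.46 or
 * 4.53 only) into freshly allocated LV2 memory and point syscall-table
 * slot 40 at it.
 *
 * Does nothing if MAMBA already reports running (sys8_mamba() == 0x666)
 * or syscall_base is unset; shows a dialog and returns for any other
 * firmware. Calls exit(0) when host or LV2 memory cannot be allocated
 * (kept from the original).
 *
 * Changes over the original: the commented-out uncompressed-payload
 * branch is removed; out_size is initialised, and after rounding up to
 * the LV2 allocation size it is checked against the 0x20000-byte staging
 * buffer, since that many bytes are copied out of it.
 * NOTE(review): zlib_decompress() is given no output bound here; whether
 * it can overrun the 0x20000 buffer depends on its implementation —
 * confirm.
 */
void load_ps3_mamba_payload()
{
    u64 *addr = (u64 *)memalign(128, 0x20000);
    u64 lv2_mem;
    int out_size = 0;
    int n;

    if (!addr) {
        DrawDialogOK("Shit! full memory");
        exit(0);
    }
    if (!syscall_base) {
        DrawDialogOK("syscall_base is empty!");
        free(addr);
        return;
    }

    if (sys8_mamba() != 0x666) { /* otherwise MAMBA is already running */
        write_htab();
        memset((char *)addr, 0, 0x20000);

        if (firmware == 0x446C) {
            zlib_decompress((char *)mamba_4_46_lz_bin, (char *)addr, mamba_4_46_lz_bin_size, &out_size);
        } else if (firmware == 0x453C) {
            zlib_decompress((char *)mamba_4_53_lz_bin, (char *)addr, mamba_4_53_lz_bin_size, &out_size);
        } else {
            DrawDialogOK("MAMBA is not supported for this CFW");
            free(addr);
            return;
        }

        /* Round up to the LV2 allocation size; the same count is copied out
         * of the 0x20000-byte staging buffer, so it must not exceed it. */
        out_size = (out_size + 0x4000) & ~127;
        if (out_size <= 0 || out_size > 0x20000) {
            free(addr);
            return;
        }

        lv2_mem = sys8_alloc(out_size, 0x27ULL); // alloc LV2 memory
        if (!lv2_mem) {
            DrawDialogOK("Shit! LV2 full memory");
            free(addr);
            exit(0);
        }

        /* Repeated writes kept from the original; presumably to make sure
         * the copy and the slot-40 hook take effect — TODO confirm. */
        for (n = 0; n < 2000; n++) {
            lv2poke(lv2_mem, lv2_mem + 0x8ULL);
            sys8_memcpy(lv2_mem + 8, (u64)addr, out_size);
            lv2poke(syscall_base + (u64)(40 * 8), lv2_mem); // syscall management
            lv2poke(0x80000000000004E8ULL, 0);
            usleep(1000);
        }
    }

    free(addr);
}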
/*
 * Flip the access-rights word that gates syscall 864 (presumably the
 * storage-manager syscall — confirm) from 0x2000... to 0x4000... in LV2.
 *
 * The word's address depends on the firmware version and on the mode
 * (DEH, then DEX, then CEX), looked up in the tables below by exact
 * float comparison on c_firmware, as the original did.
 *
 * Returns 0 when the word is 0x4000... afterwards (already set, or set
 * here), -1 when c_firmware is above 4.81, has no entry for the current
 * mode, or the word holds an unexpected value (left untouched).
 */
int patch_syscall_864(void)
{
    struct fw_entry { float fw; uint64_t addr; };
    static const struct fw_entry deh[] = {
        { 4.81f, 0x800000000032C958ULL }, // fw 4.81H
    };
    static const struct fw_entry dex[] = {
        { 3.55f, 0x80000000002EF270ULL }, // fw 3.55D
        { 4.21f, 0x8000000000302098ULL }, // fw 4.21D
        { 4.30f, 0x8000000000303940ULL }, // fw 4.30D
        { 4.41f, 0x8000000000304220ULL }, // fw 4.41D
        { 4.46f, 0x8000000000304720ULL }, // fw 4.46D
        { 4.50f, 0x80000000003089C8ULL }, // fw 4.50D
        { 4.65f, 0x800000000030E480ULL }, // fw 4.65D
        { 4.80f, 0x800000000030E658ULL }, // fw 4.80D
        { 4.81f, 0x800000000030E668ULL }, // fw 4.81D
    };
    static const struct fw_entry cex[] = {
        { 3.41f, 0x80000000002CF880ULL }, // fw 3.41
        { 3.55f, 0x80000000002D7820ULL }, // fw 3.55
        { 4.21f, 0x80000000002E7920ULL },
        { 4.30f, 0x80000000002E9218ULL },
        { 4.31f, 0x80000000002E9228ULL },
        { 4.40f, 0x80000000002E9798ULL },
        { 4.41f, 0x80000000002E97A8ULL },
        { 4.46f, 0x80000000002E9CE8ULL },
        { 4.50f, 0x80000000002E8F10ULL },
        { 4.53f, 0x80000000002E90A0ULL },
        { 4.55f, 0x80000000002EB8B8ULL },
        { 4.60f, 0x80000000002ECB28ULL },
        { 4.65f, 0x80000000002ECB38ULL },
        { 4.70f, 0x80000000002ECA50ULL },
        { 4.75f, 0x80000000002ECAD0ULL },
        { 4.80f, 0x80000000002ECAC0ULL },
    };
    const struct fw_entry *table;
    int count;
    int k;
    uint64_t addr = 0;
    uint64_t rights;

    if (c_firmware > 4.81f) {
        return -1;
    }

    if (deh_mode) {
        table = deh;
        count = (int)(sizeof deh / sizeof deh[0]);
    } else if (dex_mode) {
        table = dex;
        count = (int)(sizeof dex / sizeof dex[0]);
    } else {
        table = cex;
        count = (int)(sizeof cex / sizeof cex[0]);
    }

    for (k = 0; k < count; k++) {
        if (c_firmware == table[k].fw) {
            addr = table[k].addr;
            break;
        }
    }
    if (k == count) {
        return -1; /* no known address for this firmware/mode */
    }

    rights = lv2peek(addr);
    if (rights == 0x4000000000000000ULL) {
        return 0; /* already patched */
    }
    if (rights != 0x2000000000000000ULL) {
        return -1; /* unexpected value: leave it alone */
    }
    lv2poke(addr, 0x4000000000000000ULL);
    return 0;
}