// Create a code wrapper based on TAP_GetTime. The function allocates a buffer and copies
// TAP_GetTime into it except for the actual call of the getTime() firmware function.
// The address of getTime() is replaced with the provided address.
// The wrapped function call supports up to 4 parameters and returns a short value.
// Parameters:
// functionAddress - address of the FW function to be wrapped
// Returns:
// Address of the new wrapper
dword* CreateAPIWrapper( dword functionAddress )
{
int i;
// TAP_GetTime provides a template for wrapper code. The only thing to be
// changed is the address of the wrapped function.
dword *src = (dword*)TAP_GetTime;
dword *buffer;
int bufferSize = 0;
// find the return statement
while ( src[bufferSize] != JR_CMD )
{
++bufferSize;
}
// the buffer should include the return statement and the command following
// the return statement
bufferSize += 2;
// allocate memory
buffer = malloc( sizeof(dword) * bufferSize );
if ( buffer == NULL )
{
TAP_Print( "malloc failed\n" );
return NULL;
}
for ( i = 0; i < bufferSize; ++i, ++src )
{
if ( (*src & JAL_MASK) == JAL_CMD )
{
// this is the wrapped call to the actual firmware implementation
// replace it with the call to the provided address
buffer[i] = JAL(functionAddress);
}
else
{
buffer[i] = *src;
}
}
return buffer;
}
int sbv_patch_enable_lmb()
{
u8 buf[256];
slib_exp_lib_t *modload_lib = (slib_exp_lib_t *)buf;
smod_mod_info_t *loadfile_info = (smod_mod_info_t *)buf;
void *pStartModule, *pLoadModuleBuffer, *lf_text_start, *patch_addr;
u32 lf_rpc_dispatch, lf_jump_table, result;
int nexps, id, i;
memset(&_slib_cur_exp_lib_list, 0, sizeof(slib_exp_lib_list_t));
/* Locate the modload export library - it must have at least 16 exports. */
if ((nexps = slib_get_exp_lib("modload", modload_lib)) < 16)
return -1;
pStartModule = modload_lib->exports[8];
pLoadModuleBuffer = modload_lib->exports[10];
/* Now we need to find the loadfile module. */
memset(buf, 0, sizeof(smod_mod_info_t));
if (!(id = smod_get_mod_by_name("LoadModuleByEE", loadfile_info)))
return -1;
/* Locate the loadfile RPC dispatch code, where the first 4 instructions look like:
27bdffe8 addiu $sp, -24
2c820006 sltiu $v0, $a0, 6
14400003 bnez $v0, +12
afbf0010 sw $ra, 0x10($sp)
*/
lf_text_start = (void *)(loadfile_info->text_start + 0x400);
smem_read(lf_text_start, buf, sizeof buf);
for (i = 0; i < sizeof buf; i += 4) {
if ((*(u32 *)(buf + i) == 0x27bdffe8) &&
(*(u32 *)(buf + i + 4) == 0x2c820006) &&
(*(u32 *)(buf + i + 8) == 0x14400003) &&
(*(u32 *)(buf + i + 12) == 0xafbf0010))
break;
}
/* This is a special case: if the IOP was reset with an image that contains a
LOADFILE that supports LMB, we won't detect the dispatch routine. If we
even got this far in the code then we can return success. */
if (i >= sizeof buf)
return 0;
/* We need to extract the address of the jump table, it's only 40 bytes in. */
lf_rpc_dispatch = (u32)lf_text_start + i;
smem_read((void *)lf_rpc_dispatch, buf, 40);
lf_jump_table = (*(u16 *)(buf + 0x1c) << 16) + *(s16 *)(buf + 0x24);
/* Now we can patch our subversive LoadModuleBuffer RPC call. */
SifInitIopHeap();
if (!(patch_addr = SifAllocIopHeap(sizeof lmb_patch)))
return -1;
/* result is where the RPC return structure is stored. */
result = (u32)patch_addr + 96;
lmb_patch[5] = JAL((u32)pLoadModuleBuffer);
lmb_patch[7] = HI16(result);
lmb_patch[9] = LO16(result);
lmb_patch[15] = JAL((u32)pStartModule);
SyncDCache(lmb_patch, (void *)(lmb_patch + 24));
smem_write(patch_addr, lmb_patch, sizeof lmb_patch);
/* Finally. The last thing to do is to patch the loadfile RPC dispatch routine
so that it will jump to entry #6 in it's jump table, and to patch the jump
table itself. */
ee_kmode_enter();
*(u32 *)(SUB_VIRT_MEM + lf_rpc_dispatch + 4) = 0x2c820007;
*(u32 *)(SUB_VIRT_MEM + lf_jump_table + 0x18) = (u32)patch_addr;
ee_kmode_exit();
return 0;
}
void MIPSEmitter::JAL(const void *func, std::function<void ()> delaySlot) {
SetJumpTarget(JAL(delaySlot), func);
}
