// 0x000003D8 int myKernelStartThread(SceUID thid, SceSize arglen, void *argp) { if(g_SceNpUmdMount_thid == thid) { SceModule2 *pMod; pMod = (SceModule2*) sceKernelFindModuleByName("sceNp9660_driver"); g_sceNp9660_driver_text_addr = pMod->text_addr; // 6.30: 0x00003C34 // 6.20: move to 0x00003BD8: jal InitForKernel_29DAA63F _sw(0x3C028000, g_sceNp9660_driver_text_addr + g_offs->InitForKernelCall); // jal InitForKernel_23458221 to lui $v0, 0x00008000 // 6.30: 0x00003C4C // 6.20: move to 0x00003BF0: jal sub_00000000 _sw(MAKE_CALL(sub_00000588), g_sceNp9660_driver_text_addr + g_offs->Func1); // 6.30: 0x000043B4 // 6.20: move to 0x00004358: jal sub_00004388 _sw(MAKE_CALL(sub_00000054), g_sceNp9660_driver_text_addr + g_offs->Func2); // jal sub_3948 to jal sub_00000054 // 6.30: 0x0000590C // 6.20: move to 0x0000582C: jal sub_00004388 _sw(MAKE_CALL(sub_00000054), g_sceNp9660_driver_text_addr + g_offs->Func3); // jal sub_3948 to jal sub_00000054 // 6.30: 0x00007D08 // 6.20: move to 0x00007C28 _sw(MAKE_JUMP(sub_00000514), g_sceNp9660_driver_text_addr + g_offs->sceIoClose); // hook sceIoClose import // 6.30: 0x00003680 // 6.20: move to 0x00003624 g_func_1200 = pMod->text_addr + g_offs->Func4; printk("g_func_1200 0x%08X\n", (uint)g_func_1200); // sub_2f30 // 6.30: 0x00004F8C // 6.20: move to 0x00004EAC g_func_1208 = pMod->text_addr + g_offs->Func5; printk("g_func_1208 0x%08X\n", (uint)g_func_1208); // sub_4494 // 6.30: 0x00004FFC // 6.20: move to 0x00004F1C g_func_121C = pMod->text_addr + g_offs->Func6; printk("g_func_121C 0x%08X\n", (uint)g_func_121C); // sub_44ec clear_cache(); } return sceKernelStartThread(thid, arglen, argp); }
static void patch_scePops_Manager(void) { SceModule2 *mod; u32 text_addr; size_t i; mod = (SceModule2*) sceKernelFindModuleByName("scePops_Manager"); text_addr = mod->text_addr; for(i=0; i<NELEMS(g_io_hooks); ++i) { hook_import_bynid((SceModule*)mod, "IoFileMgrForKernel", g_io_hooks[i].nid, g_io_hooks[i].fp, 0); } if(g_offs->popsman_patch.get_rif_path != 0xDEADBEEF) { _get_rif_path = (void*)(text_addr + g_offs->popsman_patch.get_rif_path); _sw(MAKE_CALL(&get_rif_path), text_addr + g_offs->popsman_patch.get_rif_path_call1); _sw(MAKE_CALL(&get_rif_path), text_addr + g_offs->popsman_patch.get_rif_path_call2); } sceNpDrmGetVersionKey = (void*)sctrlHENFindFunction("scePspNpDrm_Driver", "scePspNpDrm_driver", 0x0F9547E6); scePspNpDrm_driver_9A34AC9F = (void*)sctrlHENFindFunction("scePspNpDrm_Driver", "scePspNpDrm_driver", 0x9A34AC9F); if(g_offs->popsman_patch.sceNpDrmGetVersionKeyCall != 0xDEADBEEF) { _sw(MAKE_CALL(_sceNpDrmGetVersionKey), text_addr + g_offs->popsman_patch.sceNpDrmGetVersionKeyCall); } if(g_offs->popsman_patch.scePspNpDrm_driver_9A34AC9F_Call != 0xDEADBEEF) { _sw(MAKE_CALL(_scePspNpDrm_driver_9A34AC9F), text_addr + g_offs->popsman_patch.scePspNpDrm_driver_9A34AC9F_Call); } // remove the check in scePopsManLoadModule that only allows loading module below the FW 3.XX if(g_offs->popsman_patch.scePopsManLoadModuleCheck != 0xDEADBEEF) { _sw(NOP, text_addr + g_offs->popsman_patch.scePopsManLoadModuleCheck); } if (g_is_custom_ps1) { for(i=0; i<NELEMS(g_amctrl_hooks); ++i) { hook_import_bynid((SceModule*)mod, "sceAmctrl_driver", g_amctrl_hooks[i].nid, g_amctrl_hooks[i].fp, 0); } } }
int hook_global_module_jal(SceModule2 * mod, uint32_t oldcall, uint32_t newcall) { // Invalid Arguments if(mod == NULL) return -1; // Hook Counter int counter = 0; // Machine Code of Module uint32_t * asmtext = (uint32_t *)mod->text_addr; // Machine Code Segment Size uint32_t asmsize = mod->text_size; // ASM Iterator uint32_t i = 0; // Iterate Machine Code for(; i < asmsize / 4; i ++) { // Get Instruction uint32_t inst = asmtext[i]; // JAL Instruction if((inst & 0xFC000000) == 0x0C000000) { // Matching JAL found if(GET_CALL_ADDR(inst) == oldcall) { // Overwrite JAL asmtext[i] = MAKE_CALL(newcall); // Log Overwrite counter++; } } } // Hooked Calls if(counter > 0) { // Synchronize Cache sceKernelDcacheWritebackAll(); sceKernelIcacheInvalidateAll(); } // Return Hook Counter return counter; }
// mode: 0 - OFW 1 - CFW void patch_sceLoadExec(int mode) { SceModule2 * loadexec = (SceModule2*)sctrlKernelFindModuleByName("sceLoadExec"); u32 text_addr; struct sceLoadExecPatch *patch; if (loadexec == NULL) { return; } text_addr = loadexec->text_addr; if(psp_model == PSP_GO) { // PSP-N1000 patch = &g_offs->loadexec_patch_05g; } else { patch = &g_offs->loadexec_patch_other; } //save LoadReboot function LoadReboot = (void*)loadexec->text_addr; if(mode == 0) { //restore LoadReboot _sw(MAKE_CALL(LoadReboot), loadexec->text_addr + patch->LoadRebootCall); //restore jmp to 0x88600000 _sw(0x3C018860, loadexec->text_addr + patch->RebootJump); } else if(mode == 1) { //replace LoadReboot function _sw(MAKE_CALL(load_reboot), loadexec->text_addr + patch->LoadRebootCall); //patch Rebootex position to 0x88FC0000 _sw(0x3C0188FC, loadexec->text_addr + patch->RebootJump); // lui $at, 0x88FC } sync_cache(); }
static obj_t *expand(obj_t *expr, env_t *env) { PUSH_ROOT(expr); PUSH_ROOT(env); AUTO_ROOT(proc, expander()); AUTO_ROOT(args, make_pair(env, NIL)); args = make_pair(expr, args); //printf_unchecked("proc = %O\n", proc); //printf_unchecked("args = %O\n", args); FRAME = NIL; FRAME = MAKE_CALL(b_eval, make_boolean(false), env); apply_procedure(proc, args); POP_FUNCTION_ROOTS(); return eval_frame(FRAME); }
static int patch_decompress_data(u32 text_addr) { int ret; void *stub_addr, *patch_addr; stub_addr = (void*)(text_addr + g_offs->pops_patch.decomp[psp_model].stub_offset); patch_addr = (void*)(text_addr + g_offs->pops_patch.decomp[psp_model].patch_offset); ret = place_syscall_stub(decompress_data, stub_addr); if (ret != 0) { printk("%s: place_syscall_stub -> 0x%08X\n", __func__, ret); return -1; } _sw(MAKE_CALL(stub_addr), (u32)patch_addr); return 0; }
obj_t *eval_expanded(obj_t *expr, env_t *env) { FRAME = NIL; FRAME = MAKE_CALL(b_eval, expr, env); return eval_frame(FRAME); }
//our 6.35 kernel permission call int kernel_permission_call(void) { struct sceLoadExecPatch *patch; //cache invalidation functions void (* _sceKernelIcacheInvalidateAll)(void) = (void *)(SYSMEM_TEXT_ADDR + g_offs->sysmem_patch.sceKernelIcacheInvalidateAll); void (* _sceKernelDcacheWritebackInvalidateAll)(void) = (void *)(SYSMEM_TEXT_ADDR + g_offs->sysmem_patch.sceKernelDcacheWritebackInvalidateAll); #ifdef CONFIG_639 if(psp_fw_version == FW_639) { recovery_sysmem_639(); } #endif #ifdef CONFIG_635 if(psp_fw_version == FW_635) { recovery_sysmem_635(); } #endif #ifdef CONFIG_620 if(psp_fw_version == FW_620) { recovery_sysmem_620(); } #endif //sync cache _sceKernelIcacheInvalidateAll(); _sceKernelDcacheWritebackInvalidateAll(); //LoadCoreForKernel_EF8A0BEA SceModule2 * (* _sceKernelFindModuleByName)(const char * libname) = (void *)g_offs->sceKernelFindModuleByName; //find LoadExec module SceModule2 * loadexec = _sceKernelFindModuleByName("sceLoadExec"); //SysMemForKernel_458A70B5 int (* _sceKernelGetModel)(void) = (void *)(SYSMEM_TEXT_ADDR + g_offs->sysmem_patch.sceKernelGetModel); psp_model = _sceKernelGetModel(); if(psp_model == PSP_GO) { patch = &g_offs->loadexec_patch_05g; } else { patch = &g_offs->loadexec_patch_other; } //replace LoadReboot function _sw(MAKE_CALL(_LoadReboot), loadexec->text_addr + patch->LoadRebootCall); //patch Rebootex position to 0x88FC0000 _sw(0x3C0188FC, loadexec->text_addr + patch->RebootJump); // lui $at, 0x88FC //save LoadReboot function LoadReboot = (void*)loadexec->text_addr + patch->LoadReboot; _sceKernelIcacheInvalidateAll(); _sceKernelDcacheWritebackInvalidateAll(); //return success return 0xC01DB15D; }
void patch_sceLoaderCore(void) { //find module SceModule2 * loadcore = (SceModule2 *)sctrlKernelFindModuleByName("sceLoaderCore"); //patch sceKernelCheckExecFile (sub_0C10) _sw((unsigned int)_sceKernelCheckExecFile, loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFilePtr); _sw(MAKE_CALL(_sceKernelCheckExecFile), loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFileCall1); _sw(MAKE_CALL(_sceKernelCheckExecFile), loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFileCall2); _sw(MAKE_CALL(_sceKernelCheckExecFile), loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFileCall3); //6.35 relocation fix for rt7 //fake relocation type 7 to be treated like 0 //patches handler table so jr $t5 returns properly on type 7 ;) u32 faketype = 0; u32 origtype = 7; _sw(*(u32 *)(loadcore->text_addr + g_offs->loadercore_patch.ReloactionTable + faketype * 4), loadcore->text_addr + g_offs->loadercore_patch.ReloactionTable + origtype * 4); //patch ProbeExec1 (sub_001AC) ProbeExec1 = (void*)loadcore->text_addr + g_offs->loadercore_patch.ProbeExec1; //dword_6248 _sw(MAKE_CALL(_ProbeExec1), loadcore->text_addr + g_offs->loadercore_patch.ProbeExec1Call); //patch ProbeExec2 (sub_004E8) ProbeExec2 = (void*)loadcore->text_addr + g_offs->loadercore_patch.ProbeExec2; //dword_6364 _sw(MAKE_CALL(_ProbeExec2), loadcore->text_addr + g_offs->loadercore_patch.ProbeExec2Call1); _sw(MAKE_CALL(_ProbeExec2), loadcore->text_addr + g_offs->loadercore_patch.ProbeExec2Call2); //enable syscall exports (?) _sw(0x3C090000, loadcore->text_addr + g_offs->loadercore_patch.EnableSyscallExport); //undo check #1 _sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck1); //bnez //undo check #2 _sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck2); //beqzl _sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck2 + 4); //lui (likely branch instruction) //undo check #3 _sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck3); //beqzl _sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck3 + 4); //lui (likely branch instruction) // pops version check _sw(0x1000FFCB, loadcore->text_addr + g_offs->loadercore_patch.pops_version_check); // b loc_000075B4 //undo rebootex patches void * memlmd_323366CA = (void*)sctrlHENFindFunction("sceMemlmd", "memlmd", g_offs->loadercore_patch.memlmd_323366CA_NID); _sw(MAKE_CALL(memlmd_323366CA), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo1Call1); _sw(MAKE_CALL(memlmd_323366CA), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo1Call2); _sw(MAKE_CALL(memlmd_323366CA), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo1Call3); void * memlmd_7CF1CD3E = (void*)sctrlHENFindFunction("sceMemlmd", "memlmd", g_offs->loadercore_patch.memlmd_7CF1CD3E_NID); _sw(MAKE_CALL(memlmd_7CF1CD3E), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo2Call1); _sw(MAKE_CALL(memlmd_7CF1CD3E), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo2Call2); /* undo my own patches */ _sw(0x1040002C, loadcore->text_addr + 0x58E0); _sw(0x0040F809, loadcore->text_addr + 0x58E8); void * sub_3E80 = (void*)loadcore->text_addr + 0x3E80; _sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x3E00); _sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x3F58); _sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x58F8); _sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x5908); _sw(0x10400009, loadcore->text_addr + 0x5944); _sw(0x0040F809, loadcore->text_addr + 0x5950); setup_nid_resolver(); #ifdef DEBUG hook_import_bynid((SceModule*)loadcore, "KDebugForKernel", 0x84F370BC, printk, 0); #endif patch_sceKernelStartModule(loadcore->text_addr); }