// 0x000003D8
int myKernelStartThread(SceUID thid, SceSize arglen, void *argp)
{
if(g_SceNpUmdMount_thid == thid) {
SceModule2 *pMod;
pMod = (SceModule2*) sceKernelFindModuleByName("sceNp9660_driver");
g_sceNp9660_driver_text_addr = pMod->text_addr;
// 6.30: 0x00003C34
// 6.20: move to 0x00003BD8: jal InitForKernel_29DAA63F
_sw(0x3C028000, g_sceNp9660_driver_text_addr + g_offs->InitForKernelCall); // jal InitForKernel_23458221 to lui $v0, 0x00008000
// 6.30: 0x00003C4C
// 6.20: move to 0x00003BF0: jal sub_00000000
_sw(MAKE_CALL(sub_00000588), g_sceNp9660_driver_text_addr + g_offs->Func1);
// 6.30: 0x000043B4
// 6.20: move to 0x00004358: jal sub_00004388
_sw(MAKE_CALL(sub_00000054), g_sceNp9660_driver_text_addr + g_offs->Func2); // jal sub_3948 to jal sub_00000054
// 6.30: 0x0000590C
// 6.20: move to 0x0000582C: jal sub_00004388
_sw(MAKE_CALL(sub_00000054), g_sceNp9660_driver_text_addr + g_offs->Func3); // jal sub_3948 to jal sub_00000054
// 6.30: 0x00007D08
// 6.20: move to 0x00007C28
_sw(MAKE_JUMP(sub_00000514), g_sceNp9660_driver_text_addr + g_offs->sceIoClose); // hook sceIoClose import
// 6.30: 0x00003680
// 6.20: move to 0x00003624
g_func_1200 = pMod->text_addr + g_offs->Func4;
printk("g_func_1200 0x%08X\n", (uint)g_func_1200); // sub_2f30
// 6.30: 0x00004F8C
// 6.20: move to 0x00004EAC
g_func_1208 = pMod->text_addr + g_offs->Func5;
printk("g_func_1208 0x%08X\n", (uint)g_func_1208); // sub_4494
// 6.30: 0x00004FFC
// 6.20: move to 0x00004F1C
g_func_121C = pMod->text_addr + g_offs->Func6;
printk("g_func_121C 0x%08X\n", (uint)g_func_121C); // sub_44ec
clear_cache();
}
return sceKernelStartThread(thid, arglen, argp);
}
static void patch_scePops_Manager(void)
{
SceModule2 *mod;
u32 text_addr;
size_t i;
mod = (SceModule2*) sceKernelFindModuleByName("scePops_Manager");
text_addr = mod->text_addr;
for(i=0; i<NELEMS(g_io_hooks); ++i) {
hook_import_bynid((SceModule*)mod, "IoFileMgrForKernel", g_io_hooks[i].nid, g_io_hooks[i].fp, 0);
}
if(g_offs->popsman_patch.get_rif_path != 0xDEADBEEF) {
_get_rif_path = (void*)(text_addr + g_offs->popsman_patch.get_rif_path);
_sw(MAKE_CALL(&get_rif_path), text_addr + g_offs->popsman_patch.get_rif_path_call1);
_sw(MAKE_CALL(&get_rif_path), text_addr + g_offs->popsman_patch.get_rif_path_call2);
}
sceNpDrmGetVersionKey = (void*)sctrlHENFindFunction("scePspNpDrm_Driver", "scePspNpDrm_driver", 0x0F9547E6);
scePspNpDrm_driver_9A34AC9F = (void*)sctrlHENFindFunction("scePspNpDrm_Driver", "scePspNpDrm_driver", 0x9A34AC9F);
if(g_offs->popsman_patch.sceNpDrmGetVersionKeyCall != 0xDEADBEEF) {
_sw(MAKE_CALL(_sceNpDrmGetVersionKey), text_addr + g_offs->popsman_patch.sceNpDrmGetVersionKeyCall);
}
if(g_offs->popsman_patch.scePspNpDrm_driver_9A34AC9F_Call != 0xDEADBEEF) {
_sw(MAKE_CALL(_scePspNpDrm_driver_9A34AC9F), text_addr + g_offs->popsman_patch.scePspNpDrm_driver_9A34AC9F_Call);
}
// remove the check in scePopsManLoadModule that only allows loading module below the FW 3.XX
if(g_offs->popsman_patch.scePopsManLoadModuleCheck != 0xDEADBEEF) {
_sw(NOP, text_addr + g_offs->popsman_patch.scePopsManLoadModuleCheck);
}
if (g_is_custom_ps1) {
for(i=0; i<NELEMS(g_amctrl_hooks); ++i) {
hook_import_bynid((SceModule*)mod, "sceAmctrl_driver", g_amctrl_hooks[i].nid, g_amctrl_hooks[i].fp, 0);
}
}
}
int hook_global_module_jal(SceModule2 * mod, uint32_t oldcall, uint32_t newcall)
{
// Invalid Arguments
if(mod == NULL)
return -1;
// Hook Counter
int counter = 0;
// Machine Code of Module
uint32_t * asmtext = (uint32_t *)mod->text_addr;
// Machine Code Segment Size
uint32_t asmsize = mod->text_size;
// ASM Iterator
uint32_t i = 0;
// Iterate Machine Code
for(; i < asmsize / 4; i ++)
{
// Get Instruction
uint32_t inst = asmtext[i];
// JAL Instruction
if((inst & 0xFC000000) == 0x0C000000)
{
// Matching JAL found
if(GET_CALL_ADDR(inst) == oldcall)
{
// Overwrite JAL
asmtext[i] = MAKE_CALL(newcall);
// Log Overwrite
counter++;
}
}
}
// Hooked Calls
if(counter > 0)
{
// Synchronize Cache
sceKernelDcacheWritebackAll();
sceKernelIcacheInvalidateAll();
}
// Return Hook Counter
return counter;
}
// mode: 0 - OFW 1 - CFW
void patch_sceLoadExec(int mode)
{
SceModule2 * loadexec = (SceModule2*)sctrlKernelFindModuleByName("sceLoadExec");
u32 text_addr;
struct sceLoadExecPatch *patch;
if (loadexec == NULL) {
return;
}
text_addr = loadexec->text_addr;
if(psp_model == PSP_GO) { // PSP-N1000
patch = &g_offs->loadexec_patch_05g;
} else {
patch = &g_offs->loadexec_patch_other;
}
//save LoadReboot function
LoadReboot = (void*)loadexec->text_addr;
if(mode == 0) {
//restore LoadReboot
_sw(MAKE_CALL(LoadReboot), loadexec->text_addr + patch->LoadRebootCall);
//restore jmp to 0x88600000
_sw(0x3C018860, loadexec->text_addr + patch->RebootJump);
} else if(mode == 1) {
//replace LoadReboot function
_sw(MAKE_CALL(load_reboot), loadexec->text_addr + patch->LoadRebootCall);
//patch Rebootex position to 0x88FC0000
_sw(0x3C0188FC, loadexec->text_addr + patch->RebootJump); // lui $at, 0x88FC
}
sync_cache();
}
static obj_t *expand(obj_t *expr, env_t *env)
{
PUSH_ROOT(expr);
PUSH_ROOT(env);
AUTO_ROOT(proc, expander());
AUTO_ROOT(args, make_pair(env, NIL));
args = make_pair(expr, args);
//printf_unchecked("proc = %O\n", proc);
//printf_unchecked("args = %O\n", args);
FRAME = NIL;
FRAME = MAKE_CALL(b_eval, make_boolean(false), env);
apply_procedure(proc, args);
POP_FUNCTION_ROOTS();
return eval_frame(FRAME);
}
static int patch_decompress_data(u32 text_addr)
{
int ret;
void *stub_addr, *patch_addr;
stub_addr = (void*)(text_addr + g_offs->pops_patch.decomp[psp_model].stub_offset);
patch_addr = (void*)(text_addr + g_offs->pops_patch.decomp[psp_model].patch_offset);
ret = place_syscall_stub(decompress_data, stub_addr);
if (ret != 0) {
printk("%s: place_syscall_stub -> 0x%08X\n", __func__, ret);
return -1;
}
_sw(MAKE_CALL(stub_addr), (u32)patch_addr);
return 0;
}
obj_t *eval_expanded(obj_t *expr, env_t *env)
{
FRAME = NIL;
FRAME = MAKE_CALL(b_eval, expr, env);
return eval_frame(FRAME);
}
//our 6.35 kernel permission call
int kernel_permission_call(void)
{
struct sceLoadExecPatch *patch;
//cache invalidation functions
void (* _sceKernelIcacheInvalidateAll)(void) = (void *)(SYSMEM_TEXT_ADDR + g_offs->sysmem_patch.sceKernelIcacheInvalidateAll);
void (* _sceKernelDcacheWritebackInvalidateAll)(void) = (void *)(SYSMEM_TEXT_ADDR + g_offs->sysmem_patch.sceKernelDcacheWritebackInvalidateAll);
#ifdef CONFIG_639
if(psp_fw_version == FW_639) {
recovery_sysmem_639();
}
#endif
#ifdef CONFIG_635
if(psp_fw_version == FW_635) {
recovery_sysmem_635();
}
#endif
#ifdef CONFIG_620
if(psp_fw_version == FW_620) {
recovery_sysmem_620();
}
#endif
//sync cache
_sceKernelIcacheInvalidateAll();
_sceKernelDcacheWritebackInvalidateAll();
//LoadCoreForKernel_EF8A0BEA
SceModule2 * (* _sceKernelFindModuleByName)(const char * libname) = (void *)g_offs->sceKernelFindModuleByName;
//find LoadExec module
SceModule2 * loadexec = _sceKernelFindModuleByName("sceLoadExec");
//SysMemForKernel_458A70B5
int (* _sceKernelGetModel)(void) = (void *)(SYSMEM_TEXT_ADDR + g_offs->sysmem_patch.sceKernelGetModel);
psp_model = _sceKernelGetModel();
if(psp_model == PSP_GO) {
patch = &g_offs->loadexec_patch_05g;
} else {
patch = &g_offs->loadexec_patch_other;
}
//replace LoadReboot function
_sw(MAKE_CALL(_LoadReboot), loadexec->text_addr + patch->LoadRebootCall);
//patch Rebootex position to 0x88FC0000
_sw(0x3C0188FC, loadexec->text_addr + patch->RebootJump); // lui $at, 0x88FC
//save LoadReboot function
LoadReboot = (void*)loadexec->text_addr + patch->LoadReboot;
_sceKernelIcacheInvalidateAll();
_sceKernelDcacheWritebackInvalidateAll();
//return success
return 0xC01DB15D;
}
void patch_sceLoaderCore(void)
{
//find module
SceModule2 * loadcore = (SceModule2 *)sctrlKernelFindModuleByName("sceLoaderCore");
//patch sceKernelCheckExecFile (sub_0C10)
_sw((unsigned int)_sceKernelCheckExecFile, loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFilePtr);
_sw(MAKE_CALL(_sceKernelCheckExecFile), loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFileCall1);
_sw(MAKE_CALL(_sceKernelCheckExecFile), loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFileCall2);
_sw(MAKE_CALL(_sceKernelCheckExecFile), loadcore->text_addr + g_offs->loadercore_patch.sceKernelCheckExecFileCall3);
//6.35 relocation fix for rt7
//fake relocation type 7 to be treated like 0
//patches handler table so jr $t5 returns properly on type 7 ;)
u32 faketype = 0;
u32 origtype = 7;
_sw(*(u32 *)(loadcore->text_addr + g_offs->loadercore_patch.ReloactionTable + faketype * 4), loadcore->text_addr + g_offs->loadercore_patch.ReloactionTable + origtype * 4);
//patch ProbeExec1 (sub_001AC)
ProbeExec1 = (void*)loadcore->text_addr + g_offs->loadercore_patch.ProbeExec1; //dword_6248
_sw(MAKE_CALL(_ProbeExec1), loadcore->text_addr + g_offs->loadercore_patch.ProbeExec1Call);
//patch ProbeExec2 (sub_004E8)
ProbeExec2 = (void*)loadcore->text_addr + g_offs->loadercore_patch.ProbeExec2; //dword_6364
_sw(MAKE_CALL(_ProbeExec2), loadcore->text_addr + g_offs->loadercore_patch.ProbeExec2Call1);
_sw(MAKE_CALL(_ProbeExec2), loadcore->text_addr + g_offs->loadercore_patch.ProbeExec2Call2);
//enable syscall exports (?)
_sw(0x3C090000, loadcore->text_addr + g_offs->loadercore_patch.EnableSyscallExport);
//undo check #1
_sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck1); //bnez
//undo check #2
_sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck2); //beqzl
_sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck2 + 4); //lui (likely branch instruction)
//undo check #3
_sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck3); //beqzl
_sw(0, loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreCheck3 + 4); //lui (likely branch instruction)
// pops version check
_sw(0x1000FFCB, loadcore->text_addr + g_offs->loadercore_patch.pops_version_check); // b loc_000075B4
//undo rebootex patches
void * memlmd_323366CA = (void*)sctrlHENFindFunction("sceMemlmd", "memlmd", g_offs->loadercore_patch.memlmd_323366CA_NID);
_sw(MAKE_CALL(memlmd_323366CA), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo1Call1);
_sw(MAKE_CALL(memlmd_323366CA), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo1Call2);
_sw(MAKE_CALL(memlmd_323366CA), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo1Call3);
void * memlmd_7CF1CD3E = (void*)sctrlHENFindFunction("sceMemlmd", "memlmd", g_offs->loadercore_patch.memlmd_7CF1CD3E_NID);
_sw(MAKE_CALL(memlmd_7CF1CD3E), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo2Call1);
_sw(MAKE_CALL(memlmd_7CF1CD3E), loadcore->text_addr + g_offs->loadercore_patch.LoaderCoreUndo2Call2);
/* undo my own patches */
_sw(0x1040002C, loadcore->text_addr + 0x58E0);
_sw(0x0040F809, loadcore->text_addr + 0x58E8);
void * sub_3E80 = (void*)loadcore->text_addr + 0x3E80;
_sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x3E00);
_sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x3F58);
_sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x58F8);
_sw(MAKE_CALL(sub_3E80), loadcore->text_addr + 0x5908);
_sw(0x10400009, loadcore->text_addr + 0x5944);
_sw(0x0040F809, loadcore->text_addr + 0x5950);
setup_nid_resolver();
#ifdef DEBUG
hook_import_bynid((SceModule*)loadcore, "KDebugForKernel", 0x84F370BC, printk, 0);
#endif
patch_sceKernelStartModule(loadcore->text_addr);
}
