void ExecGame(void) { int i; scr_printf(" Installing Engine...\n"); u32 EngineStore = 0x80080000; u32 EngineRead = (void*)Engine; for (i = 0; i < sizeof(Engine); i += 4) { //scr_printf("A"); ee_kmode_enter(); *(u32*)EngineStore = *(u32*)EngineRead; ee_kmode_exit(); EngineStore += 4; EngineRead += 4; } ee_kmode_enter(); *(u32*)0x80081000 = 0x80081010; //Writes the initial storage of the codes ee_kmode_exit(); waitCdReady(); scr_printf(" Loading...\n"); //for (a = 0; a < 40000000; a++) { } if(strlen(bootFileName = parseSystemCnf()) <= 0) { scr_printf(" == Fatal Error ==\n"); SleepThread(); } scr_printf("\n Loaded Game!\n"); u32 HookValue = (0x00080000 / 4) + 0x0C000000; padPortClose(0, 0); //scr_printf(" Shut down PAD, shutting down RPC\n GOODBYE!!!"); SifExitRpc(); ee_kmode_enter(); *(u32*)0x800002FC = HookValue; ee_kmode_exit(); LoadExecPS2((const char *)bootFileName, 0, NULL); SleepThread(); }
int PS2CamReadPacket(int handle) { int *ret; int *iop_addr; WaitSema(sem); ret = (int *)&data[0]; ret[0] = handle; SifCallRpc(&cdata, PS2CAM_RPC_READPACKET, 0, (void*)(&data[0]),4,(void*)(&data[0]),4*2,0,0); if(ret[0] < 0) return ret[0]; DI(); ee_kmode_enter(); iop_addr = (int *)(0xbc000000+ret[1]); memcpy(&campacket[0],iop_addr, ret[0]); ee_kmode_exit(); EI(); //if i add a printf here, the ps2 will exit to sony's explorer SignalSema(sem); return ret[0]; }
/* * Copy statically linked IRX files to kernel RAM. * They will be loaded by the debugger later... */ void install_modules(const config_t *config) { ramfile_t file_tab[IRX_NUM + 1]; ramfile_t *file_ptr = file_tab; ramfile_t *ktab = NULL; u32 addr = IRX_ADDR; D_PRINTF("%s: addr=%08x\n", __FUNCTION__, addr); /* * build RAM file table */ #ifdef _SMS_MODULES if (config_get_bool(config, SET_DEBUGGER_SMS_MODULES)) { ramfile_set(file_ptr++, "ps2ip", _ps2ip_sms_irx_start, _ps2ip_sms_irx_size); ramfile_set(file_ptr++, "ps2smap", _ps2smap_sms_irx_start, _ps2smap_sms_irx_size); } else { #endif ramfile_set(file_ptr++, "ps2ip", _ps2ip_irx_start, _ps2ip_irx_size); ramfile_set(file_ptr++, "ps2smap", _ps2smap_irx_start, _ps2smap_irx_size); #ifdef _SMS_MODULES } #endif ramfile_set(file_ptr++, "ps2dev9", _ps2dev9_irx_start, _ps2dev9_irx_size); ramfile_set(file_ptr++, "debugger", _debugger_irx_start, _debugger_irx_size); ramfile_set(file_ptr++, "memdisk", _memdisk_irx_start, _memdisk_irx_size); ramfile_set(file_ptr++, "eesync", _eesync_irx_start, _eesync_irx_size); ramfile_set(file_ptr, NULL, NULL, 0); /* terminator */ /* * copy modules to kernel RAM * * memory structure at @addr: * |RAM file table|IRX module #1|IRX module #2|etc. */ DI(); ee_kmode_enter(); ktab = (ramfile_t*)addr; addr += sizeof(file_tab); file_ptr = file_tab; while (file_ptr->hash) { memcpy((u8*)addr, file_ptr->addr, file_ptr->size); file_ptr->addr = (u8*)addr; addr += file_ptr->size; file_ptr++; } memcpy(ktab, file_tab, sizeof(file_tab)); ee_kmode_exit(); EI(); FlushCache(0); }
u32 smem_write(void *addr, void *buf, u32 size) { DI(); ee_kmode_enter(); memcpy(addr + SUB_VIRT_MEM, buf, size); ee_kmode_exit(); EI(); return size; }
u32 smem_read(void *addr, void *buf, u32 size) { DI(); ee_kmode_enter(); memcpy(buf, addr + SUB_VIRT_MEM, size); ee_kmode_exit(); EI(); return size; }
int BinRead(char *filename) { int State = 0; u32 Addr = 0x80081010; u32 Addr2 = 0x80081014; char result[5]; FILE *fd; fd = fopen(filename, "r"); while ( fread(result, sizeof fd, 1, fd) == 1) { //scr_printf(" %s\n", result); if (State == 0) //Alternates between writing the address and writing the value { ee_kmode_enter(); *(u32*)Addr = *(u32*)result; ee_kmode_exit(); State = 1; Addr = Addr + 0x00000010; } else if (State == 1) { ee_kmode_enter(); *(u32*)Addr2 = *(u32*)result; ee_kmode_exit(); State = 0; Addr2 = Addr2 + 0x00000010; } } fclose(fd); return 0; }
int sbv_patch_enable_lmb() { u8 buf[256]; slib_exp_lib_t *modload_lib = (slib_exp_lib_t *)buf; smod_mod_info_t *loadfile_info = (smod_mod_info_t *)buf; void *pStartModule, *pLoadModuleBuffer, *lf_text_start, *patch_addr; u32 lf_rpc_dispatch, lf_jump_table, result; int nexps, id, i; memset(&_slib_cur_exp_lib_list, 0, sizeof(slib_exp_lib_list_t)); /* Locate the modload export library - it must have at least 16 exports. */ if ((nexps = slib_get_exp_lib("modload", modload_lib)) < 16) return -1; pStartModule = modload_lib->exports[8]; pLoadModuleBuffer = modload_lib->exports[10]; /* Now we need to find the loadfile module. */ memset(buf, 0, sizeof(smod_mod_info_t)); if (!(id = smod_get_mod_by_name("LoadModuleByEE", loadfile_info))) return -1; /* Locate the loadfile RPC dispatch code, where the first 4 instructions look like: 27bdffe8 addiu $sp, -24 2c820006 sltiu $v0, $a0, 6 14400003 bnez $v0, +12 afbf0010 sw $ra, 0x10($sp) */ lf_text_start = (void *)(loadfile_info->text_start + 0x400); smem_read(lf_text_start, buf, sizeof buf); for (i = 0; i < sizeof buf; i += 4) { if ((*(u32 *)(buf + i) == 0x27bdffe8) && (*(u32 *)(buf + i + 4) == 0x2c820006) && (*(u32 *)(buf + i + 8) == 0x14400003) && (*(u32 *)(buf + i + 12) == 0xafbf0010)) break; } /* This is a special case: if the IOP was reset with an image that contains a LOADFILE that supports LMB, we won't detect the dispatch routine. If we even got this far in the code then we can return success. */ if (i >= sizeof buf) return 0; /* We need to extract the address of the jump table, it's only 40 bytes in. */ lf_rpc_dispatch = (u32)lf_text_start + i; smem_read((void *)lf_rpc_dispatch, buf, 40); lf_jump_table = (*(u16 *)(buf + 0x1c) << 16) + *(s16 *)(buf + 0x24); /* Now we can patch our subversive LoadModuleBuffer RPC call. */ SifInitIopHeap(); if (!(patch_addr = SifAllocIopHeap(sizeof lmb_patch))) return -1; /* result is where the RPC return structure is stored. */ result = (u32)patch_addr + 96; lmb_patch[5] = JAL((u32)pLoadModuleBuffer); lmb_patch[7] = HI16(result); lmb_patch[9] = LO16(result); lmb_patch[15] = JAL((u32)pStartModule); SyncDCache(lmb_patch, (void *)(lmb_patch + 24)); smem_write(patch_addr, lmb_patch, sizeof lmb_patch); /* Finally. The last thing to do is to patch the loadfile RPC dispatch routine so that it will jump to entry #6 in it's jump table, and to patch the jump table itself. */ ee_kmode_enter(); *(u32 *)(SUB_VIRT_MEM + lf_rpc_dispatch + 4) = 0x2c820007; *(u32 *)(SUB_VIRT_MEM + lf_jump_table + 0x18) = (u32)patch_addr; ee_kmode_exit(); return 0; }
static void * sior_rpc_server(u32 funcno, void * data, int size) { int res = 0, c; size_t s; char * p; struct init_arguments_t * i; switch(funcno) { case SIOR_INIT: i = (struct init_arguments_t *) data; sio_init(i->baudrate, i->lcr_ueps, i->lcr_upen, i->lcr_usbl, i->lcr_umode); break; case SIOR_PUTC: c = *((int *) data); res = sio_putc(c); break; case SIOR_GETC: res = sio_getc(); break; case SIOR_GETCBLOCK: res = sio_getc_block(); break; case SIOR_WRITE: p = *((char **) data) + IOP_MEM; s = *(((size_t *) data) + 1); DI(); ee_kmode_enter(); res = sio_write(p, s); ee_kmode_exit(); EI(); break; case SIOR_READ: p = *((char **) data) + IOP_MEM; s = *(((size_t *) data) + 1); DI(); ee_kmode_enter(); res = sio_read(p, s); ee_kmode_exit(); EI(); break; case SIOR_PUTS: p = *((char **) data) + IOP_MEM; DI(); ee_kmode_enter(); res = sio_puts(p); ee_kmode_exit(); EI(); break; case SIOR_PUTSN: p = *((char **) data) + IOP_MEM; DI(); ee_kmode_enter(); res = sio_putsn(p); ee_kmode_exit(); EI(); break; case SIOR_GETS: p = *((char **) data) + IOP_MEM; DI(); ee_kmode_enter(); (char*)res = sio_gets(p); ee_kmode_exit(); EI(); break; case SIOR_FLUSH: sio_flush(); break; } *((int *) data) = res; return data; }