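/*
 * Write the Hermes payload into LV2 and launch it.
 *
 * The payload is read from @fd at BDEMU_Hermes_OFFSET, decoded one
 * PAYLOAD_MOD-byte word at a time by XOR with BDEMU_DECRYPT, and poked to
 * LV2_Hermes_ADDR + offset.  One fixed 64-bit LV2 patch is written before
 * lv2launch() is called on the payload base.
 *
 * @param fd  descriptor passed through to bdemu_payload()
 * @return 0 on success, -1 if the payload could not be read (the -1 failure
 *         convention of the sibling payload_* functions; previously a NULL
 *         result was dereferenced)
 *
 * NOTE(review): assumes PAYLOAD_MOD <= sizeof value and that
 * BDEMU_Hermes_SIZE is a multiple of PAYLOAD_MOD; otherwise the memcpy
 * below reads past the end of the buffer — confirm against the payload header.
 */
int payload_hermes(s32 fd) {
	u64 payload_size = BDEMU_Hermes_SIZE;
	u8* payload = bdemu_payload(fd, BDEMU_Hermes_OFFSET, payload_size);

	// A failed read must not be decoded and poked into LV2.
	if(!payload) {
		return -1;
	}

	//Payload: decode each word and write it at its LV2 address.
	u64 i;
	for(i = 0; i < payload_size; i += PAYLOAD_MOD) {
		// Zeroed so a PAYLOAD_MOD smaller than the word never leaves stale bytes.
		u64 value = 0;
		memcpy(&value, &payload[i], PAYLOAD_MOD);
		value ^= BDEMU_DECRYPT;

		lv2poke(LV2_Hermes_ADDR + i, value);
	}

	//Patch LV2.
	lv2poke(0x8000000000017CE0ULL, 0x7C6903A64E800420); //Syscall 9

	// Original ordering kept: barrier plus a one-second settle before launch.
	__asm__("sync");
	sleep(1);

	//Launch payload.
	lv2launch(LV2_Hermes_ADDR);

	__asm__("sync");
	sleep(1);

	free(payload);
	return 0;
}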
/*
 * Apply the four 64-bit LV2 pokes of the 3.55 DEX protection patch.
 *
 * The words are written in ascending address order starting at
 * HV_BASE_355DEX + 0x363a78; nothing is read back or verified afterwards.
 */
void patch_lv2_protection_355dex()
{
	static const struct {
		u64 off;
		u64 val;
	} patch[] = {
		{ 0x363a78, 0x0000000000000001ULL },
		{ 0x363a80, 0xe0d251b556c59f05ULL },
		{ 0x363a88, 0xc232fcad552c80d7ULL },
		{ 0x363a90, 0x65140cd200000000ULL },
	};
	unsigned k;

	for(k = 0; k < sizeof patch / sizeof patch[0]; k++) {
		lv2poke(HV_BASE_355DEX + patch[k].off, patch[k].val);
	}
}
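/*
 * Install (opt == 0) or remove (opt == 1) the 32-byte stub at
 * HVSC_SYSCALL_ADDR whose second word carries @hvcall.
 *
 * The pristine 32 bytes at HVSC_SYSCALL_ADDR are captured the first time the
 * stub is installed and kept in function-static storage, so that a later
 * remove restores the real original code.  Previously the "originals" were
 * re-read at the top of every call, which meant opt == 1 read back the stub
 * itself and wrote it again — the redirect was never actually removed.
 *
 * Each write is repeated 25 times followed by a sync, as before; the reason
 * for the repetition is not visible here — TODO confirm.  The static state is
 * not thread-safe; callers are assumed to serialise install/remove.
 *
 * Any other opt value is a no-op.
 */
void hvsc_redirect(uint8_t hvcall, uint8_t opt)
{
    static uint64_t saved_code[4];
    static int saved_valid = 0;
    int x;

    if(opt == 0)
    {
        // Capture the pristine code only once; re-reading on a second install
        // would overwrite the save with the stub.
        if(!saved_valid)
        {
            saved_code[0] = lv2peek(HVSC_SYSCALL_ADDR);
            saved_code[1] = lv2peek(HVSC_SYSCALL_ADDR + 8);
            saved_code[2] = lv2peek(HVSC_SYSCALL_ADDR + 16);
            saved_code[3] = lv2peek(HVSC_SYSCALL_ADDR + 24);
            saved_valid = 1;
        }

        // Install redirect
        for (x = 0; x < 25; x++)
        {
            lv2poke(HVSC_SYSCALL_ADDR, 0x7C0802A6F8010010ULL);
            lv2poke(HVSC_SYSCALL_ADDR + 8, 0x3960000044000022ULL | ((uint64_t)hvcall << 32));
            lv2poke(HVSC_SYSCALL_ADDR + 16, 0xE80100107C0803A6ULL);
            lv2poke(HVSC_SYSCALL_ADDR + 24, 0x4e80002060000000ULL);
            __asm__("sync");
        }
    }
    else if(opt == 1 && saved_valid) // Remove redirections
    {
        for (x = 0; x < 25; x++)
        {
            lv2poke(HVSC_SYSCALL_ADDR, saved_code[0]);
            lv2poke(HVSC_SYSCALL_ADDR + 8, saved_code[1]);
            lv2poke(HVSC_SYSCALL_ADDR + 16, saved_code[2]);
            lv2poke(HVSC_SYSCALL_ADDR + 24, saved_code[3]);
            __asm__("sync");
        }
        // Memory is pristine again; a later install must re-capture it.
        saved_valid = 0;
    }
}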
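/*
 * Write the Dean36 payload into LV2 and apply its syscall 36 patches.
 *
 * Runs only after remove_protection() succeeds.  The payload is read from
 * @fd at BDEMU_Dean36_OFFSET, decoded one PAYLOAD_MOD-byte word at a time by
 * XOR with BDEMU_DECRYPT, and poked to LV2_Dean36_ADDR + offset; words at or
 * past LV2_Dean36_PAD_OFFSET are shifted up by LV2_Dean36_PAD_SIZE.  The
 * fixed LV2 patches below are then written and lv2sc36() is called with
 * "/dev_bdvd".
 *
 * @param fd  descriptor passed through to bdemu_payload()
 * @return 0 on success; -1 if remove_protection() fails or the payload
 *         cannot be read (a NULL payload used to be dereferenced)
 *
 * NOTE(review): assumes PAYLOAD_MOD <= sizeof value and that
 * BDEMU_Dean36_SIZE is a multiple of PAYLOAD_MOD; otherwise the memcpy
 * below reads past the end of the buffer — confirm against the payload header.
 */
int payload_dean(s32 fd) {
	//Remove LV2 protection.
	if(remove_protection() != 0) {
		return -1;
	}

	u64 payload_size = BDEMU_Dean36_SIZE;
	u8* payload = bdemu_payload(fd, BDEMU_Dean36_OFFSET, payload_size);
	if(!payload) {
		return -1;
	}

	//Payload: decode each word and write it at its (padded) LV2 address.
	u64 i;
	for(i = 0; i < payload_size; i += PAYLOAD_MOD) {
		// Zeroed so a PAYLOAD_MOD smaller than the word never leaves stale bytes.
		u64 value = 0;
		memcpy(&value, &payload[i], PAYLOAD_MOD);
		value ^= BDEMU_DECRYPT;

		u64 addr = LV2_Dean36_ADDR + i;
		if(i >= LV2_Dean36_PAD_OFFSET) {
			addr += LV2_Dean36_PAD_SIZE;
		}

		lv2poke(addr, value);
	}

	//Patch LV2.
	lv2poke32(0x8000000000055f14ULL, 0x60000000); //Syscall 36 Patches
	lv2poke32(0x8000000000055f1cULL, 0x48000098); //Syscall 36 Patches
	lv2poke32(0x800000000007af68ULL, 0x60000000); //Syscall 36 Patches
	lv2poke32(0x800000000007af7cULL, 0x60000000); //Syscall 36 Patches

	lv2poke32(0x8000000000055ea4ULL, 0x60000000); //Fix 8001003D error
	lv2poke32(0x8000000000055f68ULL, 0x3be00000); //Fix 8001003E error

	lv2poke(0x80000000002b3274ULL, 0x480251ec2ba30420); //Jump Hook

	lv2poke(0x8000000000346690ULL, 0x80000000002be570); //syscall_map_open_desc - sys36

	lv2sc36("/dev_bdvd");

	free(payload);
	return 0;
}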
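/*
 * Write the Skywalk payload into LV2 and apply its syscall patches.
 *
 * Runs only after remove_protection() succeeds.  The payload is read from
 * @fd at BDEMU_Skywalk_OFFSET, decoded one PAYLOAD_MOD-byte word at a time
 * by XOR with BDEMU_DECRYPT, and poked to LV2_Skywalk_ADDR + offset; words
 * at or past LV2_Skywalk_PAD_OFFSET are shifted up by LV2_Skywalk_PAD_SIZE.
 * The fixed LV2 patches below are then written.
 *
 * @param fd  descriptor passed through to bdemu_payload()
 * @return 0 on success; -1 if remove_protection() fails or the payload
 *         cannot be read (a NULL payload used to be dereferenced)
 *
 * NOTE(review): assumes PAYLOAD_MOD <= sizeof value and that
 * BDEMU_Skywalk_SIZE is a multiple of PAYLOAD_MOD; otherwise the memcpy
 * below reads past the end of the buffer — confirm against the payload header.
 */
int payload_sky(s32 fd) {
	//Remove LV2 protection.
	if(remove_protection() != 0) {
		return -1;
	}

	u64 payload_size = BDEMU_Skywalk_SIZE;
	u8* payload = bdemu_payload(fd, BDEMU_Skywalk_OFFSET, payload_size);
	if(!payload) {
		return -1;
	}

	//Payload: decode each word and write it at its (padded) LV2 address.
	u64 i;
	for(i = 0; i < payload_size; i += PAYLOAD_MOD) {
		// Zeroed so a PAYLOAD_MOD smaller than the word never leaves stale bytes.
		u64 value = 0;
		memcpy(&value, &payload[i], PAYLOAD_MOD);
		value ^= BDEMU_DECRYPT;

		u64 addr = LV2_Skywalk_ADDR + i;
		if(i >= LV2_Skywalk_PAD_OFFSET) {
			addr += LV2_Skywalk_PAD_SIZE;
		}

		lv2poke(addr, value);
	}

	//Patch LV2.
	lv2poke32(0x8000000000055f14ULL, 0x60000000); //Syscall 36 Patches
	lv2poke32(0x8000000000055f1cULL, 0x48000098); //Syscall 36 Patches
	lv2poke32(0x800000000007af68ULL, 0x60000000); //Syscall 36 Patches
	lv2poke32(0x800000000007af7cULL, 0x60000000); //Syscall 36 Patches

	lv2poke32(0x8000000000055ea4ULL, 0x60000000); //Fix 8001003D error
	lv2poke32(0x8000000000055f68ULL, 0x3be00000); //Fix 8001003E error

	lv2poke(0x80000000002b3298ULL, 0x4bd5bda04bd9b411); //Jump Hook

	lv2poke(0x80000000003465b0ULL, 0x800000000000f2e0); //syscall_8_desc - sys8
	lv2poke(0x8000000000346690ULL, 0x800000000000f010); //syscall_map_open_desc - sys36

	free(payload);
	return 0;
}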
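/*
 * Copy the embedded ps3_storage_bin image into LV2 at PAYLOAD_BASE and point
 * seven syscall-table slots at it.
 *
 * If the word at 0x80000000000004E8 is already non-zero (the loop below
 * stores PAYLOAD_BASE there), the load is skipped; send_async_data_table()
 * is called on every path that reaches the end.  Before the copy, slots
 * 1..15 of the staging buffer are fixed up: slot 1 gets syscall_base, even
 * slots get PAYLOAD_BASE added, odd slots receive the current syscall-table
 * entries for the slots that are about to be replaced.
 *
 * Aborts the process with exit(0) on host OOM (pre-existing behaviour).
 * Returns without doing anything when syscall_base is unset; that path now
 * frees the staging buffer, which previously leaked.
 *
 * NOTE(review): the addr[1..15] fix-ups assume ps3_storage_bin_size >= 128
 * bytes — confirm against the embedded binary.  The 200 repetitions with a
 * 10 ms pause are kept as is; their purpose is not visible here.
 */
void load_ps3_discless_payload()
{
    u64 *addr = (u64 *) memalign(8, ps3_storage_bin_size + 31);

    if(!addr) {
        DrawDialogOK("Shit! full memory");
        exit(0);
    }

    if(!syscall_base) {
        DrawDialogOK("syscall_base is empty!");
        free(addr); // was leaked on this path
        return;
    }

    if(lv2peek(0x80000000000004E8ULL)) {
        // Already loaded: skip the copy but still send the table.
        free(addr);
        send_async_data_table();
        return;
    }

    write_htab();

    PAYLOAD_BASE = 0x80000000007FE000ULL;

    memcpy((char *) addr, (char *) ps3_storage_bin, ps3_storage_bin_size);

    addr[1] = syscall_base;
    addr[2] += PAYLOAD_BASE; // sys 40
    addr[3] = lv2peek(syscall_base + (u64) (40 * 8));
    addr[4] += PAYLOAD_BASE;
    addr[5] = lv2peek(syscall_base + (u64) (130 * 8));
    addr[6] += PAYLOAD_BASE;
    addr[7] = lv2peek(syscall_base + (u64) (879 * 8));
    addr[8] += PAYLOAD_BASE;
    addr[9] = lv2peek(syscall_base + (u64) (864 * 8));
    addr[10] += PAYLOAD_BASE;
    addr[11] = lv2peek(syscall_base + (u64) (619 * 8));
    addr[12] += PAYLOAD_BASE;
    addr[13] = lv2peek(syscall_base + (u64) (837 * 8));
    addr[14] += PAYLOAD_BASE;
    addr[15] = lv2peek(syscall_base + (u64) (609 * 8));

    int n;
    for(n = 0; n < 200; n++) {
        lv2poke(0x80000000000004E8ULL, PAYLOAD_BASE);

        // Copy length rounded up to a multiple of 8.
        sys8_memcpyinstr(PAYLOAD_BASE, (u64) addr, (u64) ((ps3_storage_bin_size + 7) & ~7));

        lv2poke(syscall_base + (u64) (40 * 8), PAYLOAD_BASE + 0x10ULL);  // syscall management
        lv2poke(syscall_base + (u64) (130 * 8), PAYLOAD_BASE + 0x20ULL); // sys_event_queue_receive
        lv2poke(syscall_base + (u64) (879 * 8), PAYLOAD_BASE + 0x30ULL); // sys_ss_media_id
        lv2poke(syscall_base + (u64) (864 * 8), PAYLOAD_BASE + 0x40ULL); // storage_manager
        lv2poke(syscall_base + (u64) (619 * 8), PAYLOAD_BASE + 0x50ULL); // sys_storage_async_send_device_command
        lv2poke(syscall_base + (u64) (837 * 8), PAYLOAD_BASE + 0x60ULL); // sys_fs_mount
        lv2poke(syscall_base + (u64) (609 * 8), PAYLOAD_BASE + 0x70ULL); // sys_storage_get_device_info

        usleep(10000);
    }

    sleep(1);

    free(addr);

    send_async_data_table();
}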
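/*
 * Load the firmware-specific MAMBA payload from disk and install it in LV2.
 *
 * Returns true immediately when sys8_mamba() reports 0x666 (already running).
 * Returns false if syscall_base is unset, the payload file cannot be found,
 * LoadFile() returns nothing, or the file is shorter than 20000 bytes.
 * Aborts the process with exit(0) when host or LV2 memory cannot be
 * allocated (pre-existing behaviour, kept).
 *
 * The decompressed image is copied into the LV2 allocation 100 times with a
 * 1 ms pause, and syscall slot 40 is pointed at it on each pass; the reason
 * for the repetition is not visible here.
 *
 * Changes from the previous version: the path is formatted with snprintf()
 * so an over-long self_path cannot overrun payload_file, and a NULL result
 * from LoadFile() is rejected before it reaches zlib_decompress().
 *
 * NOTE(review): zlib_decompress() is given a 0x20000-byte output buffer but
 * no bound is visible here, and out_size is rounded up before sys8_memcpy()
 * reads that many bytes from the buffer — confirm both stay within 0x20000.
 */
bool load_ps3_mamba_payload()
{
    if(sys8_mamba() == 0x666) return true;  // MAMBA is already running

    if(!syscall_base)
    {
        DrawDialogOK("syscall_base is empty!");
        return false;
    }

    char payload_file[MAXPATHLEN];
    snprintf(payload_file, sizeof payload_file, "%s/USRDIR/mamba/mamba_%X.lz.bin", self_path, firmware);

#ifdef LASTPLAY_LOADER
    if(file_exists(payload_file) == false)
        snprintf(payload_file, sizeof payload_file, "/dev_hdd0/game/IRISMAN00/USRDIR/mamba/mamba_%X.lz.bin", firmware);
#endif
    if(file_exists(payload_file) == false) return false;

    write_htab();

    u64 *addr = (u64 *) memalign(128, 0x20000);
    if(!addr)
    {
        DrawDialogOK("Memory is full");
        exit(0);
    }
    memset((char *) addr, 0, 0x20000);

    int file_size = 0;
    char *mamba_payload = LoadFile((char *) payload_file, &file_size);

    // No buffer, or an implausibly small file, means no usable payload.
    if(!mamba_payload || file_size < 20000)
    {
        free(mamba_payload);
        free(addr);
        return false;
    }

    int out_size = 0;
    zlib_decompress(mamba_payload, (char *) addr, file_size, &out_size);
    free(mamba_payload);

    // Round up to a multiple of 128 with 0x4000 bytes of headroom.
    out_size = (out_size + 0x4000) & ~127;
    u64 lv2_mem = sys8_alloc(out_size, 0x27ULL); // alloc LV2 memory
    if(!lv2_mem)
    {
        free(addr);
        DrawDialogOK("LV2 memory is full!");
        exit(0);
    }

    for(int n = 0; n < 100; n++)
    {
        lv2poke(lv2_mem, lv2_mem + 0x8ULL);
        sys8_memcpy(lv2_mem + 8, (u64) addr, out_size);

        lv2poke(syscall_base + (u64) (40 * 8), lv2_mem);  // syscall management
        lv2poke(0x80000000000004E8ULL, 0);

        usleep(1000);
    }

    free(addr);
    return true;
}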
/*
 * Decompress the embedded MAMBA image for the running firmware and install
 * it in LV2.
 *
 * Order of checks is deliberate and unchanged: the staging buffer is
 * allocated first (exit(0) on OOM), then syscall_base is required, then a
 * MAMBA instance already reporting 0x666 makes this a no-op.  Only firmware
 * 0x446C and 0x453C have an embedded image; any other value shows a dialog
 * and returns.  The image is copied into LV2 2000 times with a 1 ms pause
 * and syscall slot 40 is pointed at it on each pass.
 */
void load_ps3_mamba_payload()
{
    u64 *staging = (u64 *) memalign(128, 0x20000);

    if(!staging) {
        DrawDialogOK("Shit! full memory");
        exit(0);
    }

    if(!syscall_base) {
        DrawDialogOK("syscall_base is empty!");
        free(staging);
        return;
    }

    if(sys8_mamba() == 0x666) {  // MAMBA is already running
        free(staging);
        return;
    }

    write_htab();
    memset((char *) staging, 0, 0x20000);

    int out_size;
    switch(firmware) {
    case 0x446C:
        zlib_decompress((char *) mamba_4_46_lz_bin, (char *) staging, mamba_4_46_lz_bin_size, &out_size);
        break;
    case 0x453C:
        zlib_decompress((char *) mamba_4_53_lz_bin, (char *) staging, mamba_4_53_lz_bin_size, &out_size);
        break;
    default:
        DrawDialogOK("MAMBA is not supported for this CFW");
        free(staging);
        return;
    }

    // Round up to a multiple of 128 with 0x4000 bytes of headroom.
    out_size = (out_size + 0x4000) & ~127;
    u64 lv2_mem = sys8_alloc(out_size, 0x27ULL); // alloc LV2 memory

    if(!lv2_mem) {
        DrawDialogOK("Shit! LV2 full memory");
        free(staging);
        exit(0);
    }

    for(int pass = 0; pass < 2000; pass++) {
        lv2poke(lv2_mem, lv2_mem + 0x8ULL);
        sys8_memcpy(lv2_mem + 8, (u64) staging, out_size);

        lv2poke(syscall_base + (u64) (40 * 8), lv2_mem);  // syscall management
        lv2poke(0x80000000000004E8ULL, 0);

        usleep(1000);
    }

    free(staging);
}
/*
 * Rewrite the 64-bit word this code treats as the access rights of the
 * syscall 864 entry for the current firmware.
 *
 * The address is looked up by (deh_mode, dex_mode, c_firmware) in one of the
 * three tables below; a firmware above 4.81 or one without an entry yields
 * -1.  The word at that address is then read: 0x2000000000000000 is rewritten
 * to 0x4000000000000000, 0x4000000000000000 is left untouched, anything
 * else yields -1.  Returns 0 when the word is 0x4000000000000000 on exit.
 */
int patch_syscall_864(void)
{
	struct fw_entry {
		float fw;
		uint64_t addr;
	};
	static const struct fw_entry deh_table[] = {
		{ 4.81f, 0x800000000032C958ULL }, // fw 4.81H
	};
	static const struct fw_entry dex_table[] = {
		{ 3.55f, 0x80000000002EF270ULL }, // fw 3.55D
		{ 4.21f, 0x8000000000302098ULL }, // fw 4.21D
		{ 4.30f, 0x8000000000303940ULL }, // fw 4.30D
		{ 4.41f, 0x8000000000304220ULL }, // fw 4.41D
		{ 4.46f, 0x8000000000304720ULL }, // fw 4.46D
		{ 4.50f, 0x80000000003089C8ULL }, // fw 4.50D
		{ 4.65f, 0x800000000030E480ULL }, // fw 4.65D
		{ 4.80f, 0x800000000030E658ULL }, // fw 4.80D
		{ 4.81f, 0x800000000030E668ULL }, // fw 4.81D
	};
	static const struct fw_entry cex_table[] = {
		{ 3.41f, 0x80000000002CF880ULL }, // fw 3.41
		{ 3.55f, 0x80000000002D7820ULL }, // fw 3.55
		{ 4.21f, 0x80000000002E7920ULL },
		{ 4.30f, 0x80000000002E9218ULL },
		{ 4.31f, 0x80000000002E9228ULL },
		{ 4.40f, 0x80000000002E9798ULL },
		{ 4.41f, 0x80000000002E97A8ULL },
		{ 4.46f, 0x80000000002E9CE8ULL },
		{ 4.50f, 0x80000000002E8F10ULL },
		{ 4.53f, 0x80000000002E90A0ULL },
		{ 4.55f, 0x80000000002EB8B8ULL },
		{ 4.60f, 0x80000000002ECB28ULL },
		{ 4.65f, 0x80000000002ECB38ULL },
		{ 4.70f, 0x80000000002ECA50ULL },
		{ 4.75f, 0x80000000002ECAD0ULL },
		{ 4.80f, 0x80000000002ECAC0ULL },
	};

	if(c_firmware > 4.81f) return -1;

	const struct fw_entry *table;
	int count;
	if(deh_mode) {
		table = deh_table;
		count = (int)(sizeof deh_table / sizeof deh_table[0]);
	}
	else if(dex_mode) {
		table = dex_table;
		count = (int)(sizeof dex_table / sizeof dex_table[0]);
	}
	else {
		table = cex_table;
		count = (int)(sizeof cex_table / sizeof cex_table[0]);
	}

	// Entries are keyed by exact float equality, as the original chain was.
	uint64_t addr = 0;
	int found = 0;
	for(int k = 0; k < count; k++) {
		if(c_firmware == table[k].fw) {
			addr = table[k].addr;
			found = 1;
			break;
		}
	}
	if(!found) return -1;

	uint64_t access_rights = lv2peek(addr);
	if(access_rights == 0x2000000000000000ULL) {
		lv2poke(addr, 0x4000000000000000ULL);
	}
	else if(access_rights != 0x4000000000000000ULL) {
		return -1;
	}
	return 0;
}