/*
 * unpatch_lv1_ss_services - write the LV1 "ss services" qwords for the running
 * firmware, selected on c_firmware (and deh_mode). Branch order matters: the
 * (>= 4.75 && deh_mode) case is tested before the 4.21 and >= 4.30 cases.
 *
 * 3.55 path: install_new_poke()/map_lv1() bracket four lv1poke writes; unlike
 *   the other paths there is no read-back check before writing.
 * Other paths: lv1peek2 the first qword and write only if it still holds
 *   0x7f83e37860000000, so a repeated call, or an image that does not match,
 *   leaves LV1 untouched.
 *
 * Returns 0 (also for the no-op cases), or -1 when map_lv1() fails on 3.55
 * (after remove_new_poke()).
 * NOTE(review): c_firmware is compared with float ==; that only matches when
 * the value was stored from the same literal - confirm where c_firmware is set.
 */
int unpatch_lv1_ss_services(void)
{
    if(c_firmware==3.55f)
    {
        install_new_poke();
        // Try to map lv1
        if (!map_lv1())
        {
            remove_new_poke();
            return -1;
        }
        // No lv1peek before these writes: they are issued unconditionally.
        lv1poke(0x0016f3b8, 0x7f83e378f8010098ULL);
        lv1poke(0x0016f3dc, 0x7f85e3784bfff0e5ULL);
        lv1poke(0x0016f454, 0x7f84e37838a10070ULL);
        lv1poke(0x0016f45c, 0x9be1007048005fa5ULL);
        remove_new_poke();
        // unmap lv1
        unmap_lv1();
    }
    else if((c_firmware>=4.75f) && (deh_mode))
    {
        // Only the first qword is checked; the other three are written blind.
        if(lv1peek2( 0x177A60) == 0x7f83e37860000000ULL)
        {
            lv1poke2( 0x177A60, 0x7f83e378f8010098ULL);
            lv1poke2( 0x177A84, 0x7f85e3784bfff0e5ULL);
            lv1poke2( 0x177AFC, 0x7f84e37838a10070ULL);
            lv1poke2( 0x177B04, 0x9be1007048006065ULL);
        }
    }
    else if(c_firmware==4.21f)
    {
        if(lv1peek2( 0x16f758) == 0x7f83e37860000000ULL)
        {
            lv1poke2( 0x16f758, 0x7f83e378f8010098ULL);
            lv1poke2( 0x16F77C, 0x7f85e3784bfff0e5ULL);
            lv1poke2( 0x16F7F4, 0x7f84e37838a10070ULL);
            lv1poke2( 0x16F7FC, 0x9be1007048006065ULL);
        }
    }
    else if(c_firmware>=4.30f)
    {
        if(lv1peek2( 0x16FA60) == 0x7f83e37860000000ULL)
        {
            lv1poke2( 0x16FA60, 0x7f83e378f8010098ULL);
            lv1poke2( 0x16FA84, 0x7f85e3784bfff0e5ULL);
            lv1poke2( 0x16FAFC, 0x7f84e37838a10070ULL);
            lv1poke2( 0x16FB04, 0x9be1007048006065ULL);
        }
    }
    return 0;
}
/*
 * load_payload_446 - copy the 4.46 "sky" payload into LV2 and apply the LV2
 * patches for that firmware. `mode` is not read.
 *
 * The statement order is significant and is kept as written:
 *   1. four lv1poke writes from 0x370AA8 (comment: remove LV2 memory
 *      protection) come before anything is copied into LV2;
 *   2. install_lv2_memcpy(), then lv2_memcpy of payload_sky_446_bin to
 *      PAYLOAD_OFFSET and umount_446_bin to PAYLOAD_UMOUNT_OFFSET (sizes must
 *      be multiples of 8 - see the WARNING below);
 *   3. the syscall slot at SYSCALL_BASE + SYSCALL_SK1E*8 and its current value
 *      are saved in restore_syscall8[] (presumably for a later restore, not
 *      done here), the id pair is written at 0x4f0, the qword at 0x3000
 *      (comment: TOC) is copied into the payload, and only then is the slot
 *      pointed at PAYLOAD_OFFSET+0x20;
 *   4. usleep(), remove_lv2_memcpy(), then the pokeq/_poke/PATCH_JUMP writes.
 *
 * Nothing is read back or error-checked and there is no return value.
 * NOTE(review): _poke/_poke32/PATCH_JUMP take LV2 offsets while pokeq takes
 * the 0x80000000... absolute address - presumably the macros add the base;
 * confirm against their definitions.
 */
void load_payload_446(int mode)
{
    //Remove Lv2 memory protection
    lv1poke(0x370AA8 , 0x0000000000000001ULL);
    lv1poke(0x370AA8 + 8 , 0xE0D251B556C59F05ULL);
    lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_446_bin, payload_sky_446_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_446_bin, umount_446_bin_size);

    // Record the syscall slot being taken over and what it currently holds
    // (restore_syscall8 is file-level state, not restored in this function).
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x8000000000297310ULL, 0x4E80002038600000ULL ); // fix 8001003C error
    pokeq(0x8000000000297318ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x80000000000560C0ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x8000000000056184ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x8000000000056130ULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000056138ULL, 0x2F84000448000098ULL );
    pokeq(0x8000000000059AF4ULL, 0x2F83000060000000ULL );
    pokeq(0x8000000000059B08ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56134, 0x60000000); // done
    PATCH_JUMP(0x5613C, 0x561D4); // done
    _poke32(0x059AF8, 0x60000000); // done
    _poke32(0x059B0C, 0x60000000); // done
    // Presumably the same write as the webMAN pokeq at ...0560C0 above, if
    // _poke adds the 0x8000000000000000 base (harmless repeat either way).
    _poke( 0x0560C0, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056188, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    PATCH_JUMP(0x5618C, 0x56098); // Not present in rebug, anyway..

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x297314, 0x386000007C6307B4); //done
    _poke32(0x297314 + 8, 0x4E800020); //done

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2C47D4, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x2C47B0, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")
    _poke(0x2C47B8, 0xFB810080FBA10088ULL); // skip stupid new Rogero patch for ToolBox }:/ (must I restore all LV2 patches to skip this shit?)

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_421dex - copy the 4.21 DEX "sky" payload into LV2 and apply the
 * LV2 patches for that firmware. `mode` is not read.
 *
 * Same sequence as the other load_payload_* functions in this file, kept in
 * this order: four lv1poke writes (0x370A28..0x370A40, comment: remove lv2
 * protection); install_lv2_memcpy() and the two lv2_memcpy copies (sizes must
 * be multiples of 8); save the syscall slot in restore_syscall8[], write the
 * id pair at 0x4f0 and the TOC qword into the payload, then point the slot at
 * PAYLOAD_OFFSET+0x20; usleep(), remove_lv2_memcpy(), then the LV2 pokes.
 *
 * Nothing is read back or error-checked and there is no return value.
 * NOTE(review): the syscall slot is SYSCALL_BASE + 64 here, while
 * load_payload_446/480/441dex use SYSCALL_BASE + SYSCALL_SK1E*8; these agree
 * only if SYSCALL_SK1E == 8 - confirm.
 */
void load_payload_421dex(int mode)
{
    // Remove lv2 protection
    lv1poke(0x370A28, 0x0000000000000001ULL);
    lv1poke(0x370A30, 0xe0d251b556c59f05ULL);
    lv1poke(0x370A38, 0xc232fcad552c80d7ULL);
    lv1poke(0x370A40, 0x65140cd200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_421dex_bin, payload_sky_421dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_421dex_bin, umount_421dex_bin_size);

    // Record the syscall slot being taken over and its current value
    // (restore_syscall8 is file-level state, not restored here).
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x05A9AC, 0x60000000); // already set in ps3ita "nop"
    PATCH_JUMP(0x05A9B4, 0x5AA4C); // already set in ps3ita "nop"
    _poke32(0x05E370, 0x60000000); // already set in ps3ita "nop"
    _poke32(0x05E384, 0x60000000); // already set in ps3ita "nop"
    _poke( 0x05A938, 0x63FF003D60000000); // already set in ps3ita - fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x05AA00, 0x3BE00000); // already set in ps3ita - fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x05AA04, 0x5A910); // already set in ps3ita

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x29C8C4, 0x386000007C6307B4);
    _poke32(0x29C8CC, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2D973C, (PAYLOAD_OFFSET+0x30));

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_480 - copy the 4.80 "sky" payload into LV2 and apply the LV2
 * patches for that firmware. `mode` is not read.
 *
 * Same sequence as the other load_payload_* functions, kept in this order:
 * four lv1poke writes from 0x370F28 (comment: remove LV2 memory protection;
 * the "Original:" comments give the values being overwritten);
 * install_lv2_memcpy() and the two lv2_memcpy copies (sizes must be multiples
 * of 8); save the syscall slot in restore_syscall8[], write the id pair at
 * 0x4f0 and the TOC qword into the payload, then point the slot at
 * PAYLOAD_OFFSET+0x20; usleep(), remove_lv2_memcpy(), then the LV2 pokes.
 * Several pokes from older versions are kept commented out below.
 *
 * Nothing is read back or error-checked and there is no return value.
 * NOTE(review): the comment says the lv1 writes are NOT needed on Rebug 4.7x,
 * yet they are unconditional here; load_payload_465 gates the same four
 * writes on bEnableLv2_memprot_patch. Confirm whether this was intended.
 */
void load_payload_480(int mode)
{
    //Remove Lv2 memory protection, NOT needed for REBUG 4.7x
    lv1poke(0x370F28 + 0x00, 0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
    lv1poke(0x370F28 + 0x08, 0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
    lv1poke(0x370F28 + 0x10, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
    lv1poke(0x370F28 + 0x18, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_480_bin, payload_sky_480_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_480_bin, umount_480_bin_size);

    // Record the syscall slot being taken over and its current value
    // (restore_syscall8 is file-level state, not restored here).
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //patches by deank for webMAN, I left them here just in case someone wants to play with, but basically the same thing with SYS36 patches below
    pokeq(0x8000000000267144ULL, 0x4E80002038600000ULL ); // fix 8001003C error Original: 0x4E8000208003026CULL
    pokeq(0x800000000026714CULL, 0x7C6307B44E800020ULL ); // fix 8001003C error Original: 0x3D201B433C608001ULL
    /*
    pokeq(0x800000000005688CULL, 0x63FF003D60000000ULL ); // fix 8001003D error Original: 0x63FF003D419EFFD4ULL
    pokeq(0x800000000005664CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error Original: 0x3FE0800163FF003EULL
    pokeq(0x80000000000565F8ULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
    pokeq(0x8000000000056600ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
    pokeq(0x800000000005A6DCULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
    pokeq(0x800000000005A6F0ULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
    */
    pokeq(0x800000000005622CULL, 0x386000012F830000ULL ); // ignore LIC.DAT check
    pokeq(0x80000000002275ECULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors
    //pokeq(0x8000000000055C58ULL, 0xF821FE917C0802A6ULL ); // just restore the original
    //pokeq(0x8000000000058E18ULL, 0x419E0038E8610098ULL ); // just restore the original

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x565FC, 0x60000000); //
    PATCH_JUMP(0x56604, 0x5669C); //
    _poke32(0x5A6E0, 0x60000000); // fix 80010009 error
    _poke32(0x5A6F4, 0x60000000); // fix 80010019 error
    _poke( 0x56588, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x56650, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done

    //Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // (the deank pokeq pair at ...267144/...26714C above covers this on 4.80)
    //_poke(0x267148, 0x386000007C6307B4); //
    //_poke32(0x267148 + 0x8, 0x4E800020); //

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x297650, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    //_poke32(0x29762C, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_450dex - copy the 4.50 DEX "sky" payload into LV2 and apply the
 * LV2 patches for that firmware. `mode` is not read.
 *
 * Same sequence as the other load_payload_* functions, kept in this order:
 * four lv1poke writes from 0x370AA8, skipped when /dev_flash/ps3ita exists
 * (comment: that CFW has no LV2 memory protection); install_lv2_memcpy() and
 * the two lv2_memcpy copies (sizes must be multiples of 8); save the syscall
 * slot in restore_syscall8[], write the id pair at 0x4f0 and the TOC qword
 * into the payload, then point the slot at PAYLOAD_OFFSET+0x20; usleep(),
 * remove_lv2_memcpy(), then the LV2 pokes.
 *
 * Nothing is read back or error-checked and there is no return value.
 * NOTE(review): file_exists() is assumed to return 0 when the path is absent
 * (the commented-out code in load_payload_465 compares it with false).
 */
void load_payload_450dex(int mode)
{
    //Remove Lv2 memory protection
    if( file_exists("/dev_flash/ps3ita") == 0 ) // is not necessary on cfw ps3ita it don't has lv2 memory protection
    {
        lv1poke(0x370AA8, 0x0000000000000001ULL);
        lv1poke(0x370AA8 + 8, 0xE0D251B556C59F05ULL);
        lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
        lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);
    }

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_450dex_bin, payload_sky_450dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_450dex_bin, umount_450dex_bin_size);

    // Record the syscall slot being taken over and its current value
    // (restore_syscall8 is file-level state, not restored here). Literal 64
    // here; other loaders use SYSCALL_SK1E * 8ULL - equal only if SK1E == 8.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x8000000000275D38ULL, 0x4E80002038600000ULL ); // fix 8001003C error
    pokeq(0x8000000000275D40ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x8000000000059A8CULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x8000000000059B50ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x8000000000059AFCULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000059B04ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005D4C0ULL, 0x2F83000060000000ULL );
    pokeq(0x800000000005D4D4ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x59B00, 0x60000000); // done
    PATCH_JUMP(0x59B08, 0x59BA0); // done
    _poke32(0x5D4C4, 0x60000000); // done
    _poke32(0x5D4D8, 0x60000000); // done
    // Presumably repeats the webMAN pokeq at ...059A8C above (same value).
    _poke( 0x59A8C, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x59B54, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    // PATCH_JUMP(0x, 0x56098);

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x275D3C, 0x386000007C6307B4); // is still patched in rebug, anyway..
    _poke32(0x275D3C + 8, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2B820C, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_450 - copy the 4.50 "sky" payload into LV2 and apply the LV2
 * patches for that firmware. `mode` is not read.
 *
 * Same sequence as the other load_payload_* functions, kept in this order:
 * four lv1poke writes from 0x370AA8 (comment: remove LV2 memory protection);
 * install_lv2_memcpy() and the two lv2_memcpy copies (sizes must be multiples
 * of 8); save the syscall slot in restore_syscall8[], write the id pair at
 * 0x4f0 and the TOC qword into the payload, then point the slot at
 * PAYLOAD_OFFSET+0x20; usleep(), remove_lv2_memcpy(), then the LV2 pokes.
 * Unlike load_payload_446/450dex there is no "Patches from webMAN" pokeq set
 * here; only the SYS36 _poke/PATCH_JUMP writes follow.
 *
 * Nothing is read back or error-checked and there is no return value.
 */
void load_payload_450(int mode)
{
    //Remove Lv2 memory protection
    lv1poke(0x370AA8, 0x0000000000000001ULL);
    lv1poke(0x370AA8 + 8, 0xE0D251B556C59F05ULL);
    lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_450_bin, payload_sky_450_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_450_bin, umount_450_bin_size);

    // Record the syscall slot being taken over and its current value
    // (restore_syscall8 is file-level state, not restored here). Literal 64
    // here; other loaders use SYSCALL_SK1E * 8ULL - equal only if SK1E == 8.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56130, 0x60000000); // done
    PATCH_JUMP(0x56138, 0x561D0); // done
    _poke32(0x059AF4, 0x60000000); // done
    _poke32(0x059B08, 0x60000000); // done
    _poke( 0x0560BC, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056184, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    PATCH_JUMP(0x56188, 0x56094); // Not present in rebug, anyway..

    // Fix 0x8001003C error (incorrect version in sys_load_param), as in the
    // other loaders' "Rancid-o" block.
    _poke(0x26F620, 0x386000007C6307B4); //done
    _poke32(0x26F620 + 8, 0x4E800020); //done

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x29DD44, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x29DD20, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_465 - copy the 4.65 "sky" payload into LV2 and apply the LV2
 * patches for that firmware. `mode` is not read.
 *
 * Same core sequence as the other load_payload_* functions, kept in this
 * order: four lv1poke writes from 0x370F28 (only if bEnableLv2_memprot_patch);
 * install_lv2_memcpy() and the two lv2_memcpy copies (sizes must be multiples
 * of 8); save the syscall slot in restore_syscall8[], write the id pair at
 * 0x4f0 and the TOC qword into the payload, then point the slot at
 * PAYLOAD_OFFSET+0x20; usleep(), remove_lv2_memcpy(), then the LV2 pokes.
 *
 * The pokes after that are driven by three file-level flags:
 *   bEnableLv2_webman_patch - deank's pokeq set; this branch may also reset
 *       bEnableLv2_habib_patch to 0 (a side effect on file-level state that
 *       changes what the next section does);
 *   bEnableLv2_habib_patch  - selects one of several pokeq sets, see the
 *       legend in the comment below. Values 10 and 11 are handled by the code
 *       but are not in that legend. Some of these writes go to the same
 *       addresses (...055C5C, ...058DB0) the webMAN branch "restores", so the
 *       later write wins;
 * then the unconditional SYS36 _poke/PATCH_JUMP writes.
 *
 * Nothing is read back or error-checked and there is no return value.
 */
void load_payload_465(int mode)
{
    if(bEnableLv2_memprot_patch) // changed offset: 0x377828 -> 0x370F28
    {
        //Remove Lv2 memory protection
        lv1poke(0x370F28 + 0x00, 0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
        lv1poke(0x370F28 + 0x08, 0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
        lv1poke(0x370F28 + 0x10, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
        lv1poke(0x370F28 + 0x18, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL
    }

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_465_bin, payload_sky_465_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_465_bin, umount_465_bin_size);

    // Record the syscall slot being taken over and its current value
    // (restore_syscall8 is file-level state, not restored here). Literal 64
    // here; other loaders use SYSCALL_SK1E * 8ULL - equal only if SK1E == 8.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    if(bEnableLv2_webman_patch)
    {
        //patches by deank
        pokeq(0x800000000026FDDCULL, 0x4E80002038600000ULL ); // fix 8001003C error Original: 0x4E80002038600000ULL
        pokeq(0x800000000026FDE4ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error Original: 0x7C6307B44E800020ULL
        pokeq(0x800000000005658CULL, 0x63FF003D60000000ULL ); // fix 8001003D error Original: 0x63FF003D419EFFD4ULL
        pokeq(0x8000000000056650ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error Original: 0x3FE0800163FF003EULL
        pokeq(0x80000000000565FCULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
        pokeq(0x8000000000056604ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL
        //PATCH_JUMP
        pokeq(0x800000000005A658ULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
        pokeq(0x800000000005A66CULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
        pokeq(0x8000000000056230ULL, 0x386000012F830000ULL ); // ignore LIC.DAT check
        pokeq(0x80000000002302F0ULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors (2015-01-03)
        // These two may be overwritten again by the habib section below.
        pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); // just restore the original
        pokeq(0x8000000000058DB0ULL, 0x419E0038E8610098ULL ); // just restore the original

        /*
        if(file_exists("/dev_flash/rebug")==false || bEnableLv2_webman_patch==3)
        {
            //anti-ode patches by deank
            //pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); //replaced by deank's patch (2015-01-03)
            pokeq(0x8000000000055C84ULL, 0x6000000060000000ULL );
            pokeq(0x8000000000055C8CULL, 0x600000003BA00000ULL );
        }
        */

        // Side effect on file-level state: turns the habib patches off for
        // the section below when webman >= 2 or habib == 2.
        if(bEnableLv2_webman_patch>=2 || bEnableLv2_habib_patch == 2) bEnableLv2_habib_patch=0;
    }

    //Patches by Habib ported to 4.65 (habib_patch = 0=disabled, 1=new patch, 2=new patch except 4.65 Habib Cobra, 3=old patch, 4=no boot speedup patch)
    // The first branch is a deliberate no-op (empty statement): habib == 2 on a
    // Cobra-based CFW with /dev_flash/habib present applies nothing.
    if(bEnableLv2_habib_patch == 2 && is_cobra_based() && file_exists("/dev_flash/habib")) ;
    else if((bEnableLv2_habib_patch == 11) || (bEnableLv2_habib_patch == 2))
    {
        // enable new habib patches (now obsolete) //replaced by deank's patch (2015-01-03)
        pokeq(0x8000000000058DB0ULL + 0x00, 0x60000000E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);

        pokeq(0x8000000000055C5CULL + 0x00, 0x386000004E800020ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);

        //patch to prevent blackscreen on usb games in jb format
        pokeq(0x8000000000055C84ULL, 0x386000002F830001ULL); //Original: 0x481DA6692F830001ULL
        pokeq(0x8000000000055C8CULL, 0x419E00303BA00000ULL); //Original: 0x419E00303BA00000ULL
    }
    else if(bEnableLv2_habib_patch == 10)
    {
        // disable new habib patches
        pokeq(0x8000000000058DB0ULL + 0x00, 0x419E0038E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);

        pokeq(0x8000000000055C5CULL + 0x00, 0xF821FE917C0802A6ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);
    }
    else
    {
        if(bEnableLv2_habib_patch >= 1)
        {
            if(bEnableLv2_habib_patch == 3)
                pokeq32(0x8000000000058DB0ULL, 0x60000000); // old fix 0x80010017 error Original: 0x7C7F1B78419E0038ULL
            else
                pokeq(0x80000000002A1060ULL, 0x386000014E800020ULL); // fix 0x80010017 error Original: 0xFBC1FFF0EBC225B0ULL

            // Booting of game discs and backups speed increased
            if(bEnableLv2_habib_patch != 4)
            {
                pokeq32(0x8000000000058DA4ULL, 0x38600001);
                pokeq32(0x800000000005A970ULL, 0x38600000);
            }

            pokeq(0x8000000000055C5CULL, 0x386000004E800020ULL); // fix 0x8001002B error Original: 0xF821FE917C0802A6ULL
        }
    }

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56600, 0x60000000); // Original: 0x419E00D8419D00C0ULL -> 0x419E00D860000000ULL
    PATCH_JUMP(0x56608, 0x566A0); // Original: 0x2F840004409C0048ULL -> 0x2F84000448000098ULL
    _poke32(0x05A65C, 0x60000000); // fix 80010009 error
    _poke32(0x05A670, 0x60000000); // fix 80010019 error
    _poke( 0x05658C, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056654, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    PATCH_JUMP(0x56658, 0x56564); // Not present in rebug, anyway..

    _poke(0x26FDE0, 0x386000007C6307B4); //fix 8001003C error
    _poke32(0x26FDE0 + 8, 0x4E800020); //

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2A02EC, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x2A02C8, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_441dex - copy the 4.41 DEX "sky" payload into LV2 and apply the
 * LV2 patches for that firmware. `mode` is not read.
 *
 * Same sequence as the other load_payload_* functions, kept in this order:
 * four lv1poke writes from 0x370AA8 (comment: remove LV2 memory protection);
 * install_lv2_memcpy() and the two lv2_memcpy copies (sizes must be multiples
 * of 8); save the syscall slot in restore_syscall8[], write the id pair at
 * 0x4f0 and the TOC qword into the payload, then point the slot at
 * PAYLOAD_OFFSET+0x20; usleep(), remove_lv2_memcpy(), then the LV2 pokes.
 *
 * Nothing is read back or error-checked and there is no return value.
 */
void load_payload_441dex(int mode)
{
    //Remove Lv2 memory protection
    lv1poke(0x370AA8, 0x0000000000000001ULL);
    lv1poke(0x370AA8 + 8, 0xE0D251B556C59F05ULL);
    lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_441dex_bin, payload_sky_441dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_441dex_bin, umount_441dex_bin_size);

    // Record the syscall slot being taken over and its current value
    // (restore_syscall8 is file-level state, not restored here).
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x800000000029D44CULL, 0x4E80002038600000ULL );
    pokeq(0x800000000029D454ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x80000000000599D8ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x8000000000059A9CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x8000000000059A48ULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000059A50ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005D40CULL, 0x2F83000060000000ULL );
    pokeq(0x800000000005D420ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x59A4C, 0x60000000); // done
    PATCH_JUMP(0x59A54, 0x59AEC); // done
    _poke32(0x5D410, 0x60000000); // done
    _poke32(0x5D424, 0x60000000); // done
    // Presumably repeats the webMAN pokeq at ...0599D8 above (same value).
    _poke( 0x599D8, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x59AA0, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    // PATCH_JUMP(0x, 0x56098);

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x29D450, 0x386000007C6307B4);
    _poke32(0x29D450 + 8, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2DB760, (PAYLOAD_OFFSET+0x30)); // patch openhook
    // _poke32(0x2C4290, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98") - is still present in Rogero 4.41?

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
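/*
 * load_payload_430dex - copy the 4.30 DEX "sky" payload into LV2 and apply the
 * LV2 patches for that firmware. `mode` is not read.
 *
 * Fix: the guard `if(peekq(0x...1748) == 0x4400002238600000ULL)` had a
 * trailing `;`, i.e. an empty statement, so the lv1poke block that follows it
 * always ran whatever the check said. The semicolon is removed; the four lv1
 * writes now happen only when the qword at 0x1748 holds the expected value
 * (comment: "if lv1poke is present"), which is what the guard was written for.
 *
 * Otherwise the same sequence as the other load_payload_* functions, kept in
 * this order: the (now conditional) lv1poke writes from 0x370AA8; two pokeq
 * writes (comment: fix for memcpy syscall); install_lv2_memcpy() and the two
 * lv2_memcpy copies (sizes must be multiples of 8); save the syscall slot in
 * restore_syscall8[], write the id pair at 0x4f0 and the TOC qword into the
 * payload, then point the slot at PAYLOAD_OFFSET+0x20; usleep(),
 * remove_lv2_memcpy(), then the LV2 pokes.
 *
 * Nothing else is read back or error-checked and there is no return value.
 */
void load_payload_430dex(int mode)
{
    //Remove lv2 memory protection ( only for cfw Rebug 4.30)
    // Only issue the lv1 writes when the expected instruction pair is at 0x1748.
    // A stray ';' used to follow this condition, making the block unconditional.
    if(peekq(0x8000000000001748ULL) == 0x4400002238600000ULL) // if lv1poke is present...
    { // Thanks cyberskunk! :)
        lv1poke(0x370AA8 + 0, 0x0000000000000001ULL);
        lv1poke(0x370AA8 + 8, 0xe0d251b556c59f05ULL);
        lv1poke(0x370AA8 + 16, 0xc232fcad552c80d7ULL);
        lv1poke(0x370AA8 + 24, 0x65140cd200000000ULL);
    }

    //fix for memcpy syscall on use
    pokeq(0x800000000037E048ULL,0x8000000000001500ULL);
    pokeq(0x8000000000001500ULL,0x8000000000001510ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_430dex_bin, payload_sky_430dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_430dex_bin, umount_430dex_bin_size);

    // Record the syscall slot being taken over and its current value
    // (restore_syscall8 is file-level state, not restored here). Literal 64
    // here; other loaders use SYSCALL_SK1E * 8ULL - equal only if SK1E == 8.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    // The syscall slot is written last, after code, TOC and id are in place.
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x800000000029E034ULL, 0x4E80002038600000ULL );
    pokeq(0x800000000029E03CULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x800000000005AA88ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x800000000005AB4CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x800000000005AAF8ULL, 0x419E00D860000000ULL );
    pokeq(0x800000000005AB00ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005E4BCULL, 0x2F83000060000000ULL );
    pokeq(0x800000000005E4D0ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x05AAFC, 0x60000000);
    PATCH_JUMP(0x05AB00, 0x5AB9C);
    _poke32(0x05E4C0, 0x60000000); // already set in E3 "nop"
    _poke32(0x05E4D4, 0x60000000); // already set in E3 "nop"
    // Presumably repeats the webMAN pokeq at ...05AA88 above (same value).
    _poke( 0x05AA88, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x05AB50, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x05AB54, 0x5AA60); // fix E3 4.30 added error

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x29E038, 0x386000007C6307B4);
    _poke32(0x29E038 + 8, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2DAE70, (PAYLOAD_OFFSET+0x30)); // patch openhook
    // _poke32(0x2DAE40, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}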