/*
 * Apply the 3.55 LV2/LV1 storage patches through the mapped-LV1 path.
 *
 * Installs the poke helper, maps LV1, records the original words at the
 * five patched locations (one LV2 word, four LV1 words) into the save_*
 * variables declared outside this block, then rewrites those locations 20
 * times with a 5 ms pause between rounds.  The poke helper is removed and
 * LV1 unmapped before returning.
 *
 * Returns 0 on success, -1 if map_lv1() fails (the poke helper is removed
 * before returning in that case).  Sets is_patched = 1 on the success path.
 *
 * NOTE(review): none of the writes are read back, so is_patched records that
 * the attempt ran, not that it took effect.  The reason the same five writes
 * are repeated 20 times is not visible here — confirm before changing.
 */
static int lv2_patch_storage_355(void)
{
    install_new_poke();
    if (!map_lv1()) {
        remove_new_poke();  /* undo the helper install before failing */
        return -1;
    }

    //search bin "5F 6F 66 5F 70 72 6F 64  75 63 74 5F 6D 6F 64 65" to find
    // LV2 enable syscall storage
    /* Save the originals first so a later restore path can undo the patch. */
    save_lv2_storage_patch= peekq(0x80000000002D7820ULL);
    save_lv1_storage_patches[0] = peekq(HV_BASE + 0x16f3b8);
    save_lv1_storage_patches[1] = peekq(HV_BASE + 0x16f3dc);
    save_lv1_storage_patches[2] = peekq(HV_BASE + 0x16f454);
    save_lv1_storage_patches[3] = peekq(HV_BASE + 0x16f45c);

    int n;
    /* Same five writes every round; the offsets match the peekq() calls above. */
    for(n = 0; n < 20; n++) {
        pokeq32(0x80000000002D7820ULL, 0x40000000);
        pokeq7(HV_BASE + 0x16f3b8, 0x7f83e37860000000ULL);
        pokeq7(HV_BASE + 0x16f3dc, 0x7f85e37838600001ULL);
        pokeq7(HV_BASE + 0x16f454, 0x7f84e3783be00001ULL);
        pokeq7(HV_BASE + 0x16f45c, 0x9be1007038600000ULL);
        usleep(5000);  /* 5 ms between rounds */
    }
    
    remove_new_poke(); /* restore pokes */
        
    unmap_lv1();
    is_patched = 1;  /* records only that the sequence completed */

    return 0;
}
/*
 * Apply the 4.21 LV2/LV1 storage patches through the sys8 LV1 syscall
 * interface rather than the mapped-LV1 path used by the 3.55 variant.
 *
 * First issues a reg11 = 0xB6 call ("LV1 peek", per the original comment)
 * with all other inputs zeroed and bails out with -1 if the returned reg3 is
 * negative.  Then saves the original LV2 word, writes the LV2 patch, and for
 * each of the four LV1 locations issues a 0xB6 call (its reg4 result is
 * stored into save_lv1_storage_patches[]) followed by a 0xB7 call with the
 * same reg3/reg4 inputs.  0xB7 is presumably the write counterpart of 0xB6;
 * that is not visible in this block.
 *
 * Returns 0 on success, -1 if the capability probe fails.  Sets is_patched = 1
 * on the success path.
 *
 * NOTE(review): only the probe's result is checked; the eight patching calls
 * that follow never look at regs_o.reg3.  The probe also inspects
 * (int) regs_o.reg3, i.e. only the low 32 bits of the register — confirm that
 * matches the syscall's return convention.
 */
static int lv2_patch_storage_421(void)
{
    lv1_reg regs_i, regs_o;

    // test if LV1 Peek is supported

    memset(&regs_i, 0, sizeof(regs_i));

    regs_i.reg11 = 0xB6;  /* reg3/reg4 are still zero here: pure capability probe */
    sys8_lv1_syscall(&regs_i, &regs_o);

    if(((int) regs_o.reg3) <0) {
        return -1;
    }

    //search bin "5F 6F 66 5F 70 72 6F 64  75 63 74 5F 6D 6F 64 65" to find
    // LV2 enable syscall storage
    save_lv2_storage_patch= peekq(0x80000000002E7920ULL);
    pokeq32(0x80000000002E7920ULL, 0x40000000);


    /* Location 0: reg3 = offset, reg4 = replacement word; 0xB6 returns the
     * current word in regs_o.reg4, which is saved, then 0xB7 is issued with
     * the same inputs.  The same pattern repeats for locations 1-3. */
    regs_i.reg3 = 0x16f758; regs_i.reg4 = 0x7f83e37860000000ULL;
    regs_i.reg11 = 0xB6;
    sys8_lv1_syscall(&regs_i, &regs_o); save_lv1_storage_patches[0]= regs_o.reg4;
    regs_i.reg11 = 0xB7; sys8_lv1_syscall(&regs_i, &regs_o);

    regs_i.reg3 = 0x16f77c; regs_i.reg4 = 0x7f85e37838600001ULL;
    regs_i.reg11 = 0xB6;
    sys8_lv1_syscall(&regs_i, &regs_o); save_lv1_storage_patches[1]= regs_o.reg4;
    regs_i.reg11 = 0xB7; sys8_lv1_syscall(&regs_i, &regs_o);

    regs_i.reg3 = 0x16f7f4; regs_i.reg4 = 0x7f84e3783be00001ULL;
    regs_i.reg11 = 0xB6;
    sys8_lv1_syscall(&regs_i, &regs_o); save_lv1_storage_patches[2]= regs_o.reg4;
    regs_i.reg11 = 0xB7; sys8_lv1_syscall(&regs_i, &regs_o);

    regs_i.reg3 = 0x16f7fc; regs_i.reg4 = 0x9be1007038600000ULL;
    regs_i.reg11 = 0xB6;
    sys8_lv1_syscall(&regs_i, &regs_o); save_lv1_storage_patches[3]= regs_o.reg4;
    regs_i.reg11 = 0xB7; sys8_lv1_syscall(&regs_i, &regs_o);


    is_patched = 1;  /* set without any read-back of the patched words */

    return 0;
}
/* Write one 32-bit word at `addr` offset from the 0x8000000000000000 base
 * that the other pokes in this file use, delegating to pokeq32(). */
static inline void _poke32(u64 addr, uint32_t val)
{
    const u64 base = 0x8000000000000000ULL;
    const u64 target = base + addr;

    pokeq32(target, val);
}
/*
 * Copy the linked-in payload into memory and then apply the text patch list
 * that is linked in alongside it.
 *
 * Stage 1 (payload copy) has two compile-time variants:
 *   - USE_MEMCPY_SYSCALL: writes a 32-byte stub at NEW_POKE_SYSCALL_ADDR,
 *     invokes it once via system_call_3() with the payload start/size, then
 *     removes the poke syscall and restores the two overwritten words.
 *   - otherwise: copies the blob 8 bytes at a time with pokeq(), plus one
 *     trailing write when the size is not a multiple of 8.
 * Stage 2 parses the patch text one line at a time.  A line has the form
 * "<addr>:<value>" in hex; '#' starts a comment.  An 8-hex-digit value is
 * written with _poke32(), a 16-digit value with _poke(), any other width is
 * skipped.
 *
 * No arguments, no return value.  `patches` counts applied lines but is never
 * reported, so callers cannot tell how many lines took effect.
 *
 * NOTE(review): strtok() splits the linked-in patch text in place (each '\n'
 * becomes '\0'), so a second call would only see the first line — confirm
 * this is only ever called once per image.
 * NOTE(review): in the non-PL3 byte-copy branch the remainder is written with
 * pokeq() (a full 8-byte word, value zero-extended from uint32_t), whereas the
 * PL3 branch uses pokeq32().  Looks like an oversight; confirm which is meant.
 * NOTE(review): the PL3 memcpy branch uses `&&_binary_..._start` (GCC's
 * label-address operator) where every other reference uses `&` — looks like a
 * typo; confirm.
 * NOTE(review): strtoull() results are not checked for ERANGE, so an
 * out-of-range token silently becomes ULLONG_MAX.
 */
void load_payload(void)
{
    char *ptr, *ptr2;
    unsigned long long addr, value;
    int patches = 0;

#ifdef USE_MEMCPY_SYSCALL
    /* This does not work on some PS3s */
    /* Four 8-byte words make up the temporary memcpy stub. */
    pokeq(NEW_POKE_SYSCALL_ADDR, 0x4800000428250000ULL);
    pokeq(NEW_POKE_SYSCALL_ADDR + 8, 0x4182001438a5ffffULL);
    pokeq(NEW_POKE_SYSCALL_ADDR + 16, 0x7cc428ae7cc329aeULL);
    pokeq(NEW_POKE_SYSCALL_ADDR + 24, 0x4bffffec4e800020ULL);

#ifdef WITH_PL3
    /* NOTE(review): `&&` here vs `&` in the #else branch — see header note. */
    system_call_3(NEW_POKE_SYSCALL, 0x800000000000ef48ULL, (unsigned long long) &&_binary_payload_pl3_payload_bin_start,
                  (uint64_t) & _binary_payload_pl3_payload_bin_size);
#else
    system_call_3(new_poke_syscall, 0x80000000002be4a0ULL,
                  (unsigned long long) &_binary_payload_syscall36_payload_bin_start,
                  (uint64_t) & _binary_payload_syscall36_payload_bin_size);
#endif

    /* restore syscall */
    /* Only words +16 and +24 are put back here; +0 and +8 are presumably
     * handled by remove_new_poke() — not visible in this block. */
    remove_new_poke();
    pokeq(NEW_POKE_SYSCALL_ADDR + 16, 0xebc2fe287c7f1b78);
    pokeq(NEW_POKE_SYSCALL_ADDR + 24, 0x3860032dfba100e8);
#else
    /* WARNING!! It supports only payload with a size multiple of 4 */
    uint32_t i;

#ifdef WITH_PL3
    uint64_t *pl64 = (uint64_t *) (uint64_t) & _binary_payload_pl3_payload_bin_start;
    /* Whole 8-byte words first; `i` is left at the first unwritten word. */
    for (i = 0; i < (uint64_t) & _binary_payload_pl3_payload_bin_size / sizeof(uint64_t); i++) {
        pokeq(0x800000000000ef48ULL + i * sizeof(uint64_t), *pl64++);
    }
    /* Trailing partial word: only its low 32 bits are written. */
    if ((uint64_t) & _binary_payload_pl3_payload_bin_size % sizeof(uint64_t)) {
        pokeq32(0x800000000000ef48ULL + i * sizeof(uint64_t), (uint32_t) * pl64);
    }
#else
    uint64_t *pl64 = (uint64_t *) (uint64_t) & _binary_payload_syscall36_payload_bin_start;

    for (i = 0; i < (uint64_t) & _binary_payload_syscall36_payload_bin_size / sizeof(uint64_t); i++) {
        pokeq(0x80000000002be4a0ULL + i * sizeof(uint64_t), *pl64++);
    }
    /* NOTE(review): pokeq() here, pokeq32() in the PL3 branch above — this
     * writes 8 bytes (upper half zero) for a remainder shorter than 8. */
    if ((uint64_t) & _binary_payload_syscall36_payload_bin_size % sizeof(uint64_t)) {
        pokeq(0x80000000002be4a0ULL + i * sizeof(uint64_t), (uint32_t) * pl64);
    }
#endif
#endif

    /* strtok() writes '\0' over the newlines of the linked-in text. */
#ifdef WITH_PL3
    char *tmp = strtok((char *) &_binary_payload_pl3_patch_txt_start, "\n");
#else
    char *tmp = strtok((char *) &_binary_payload_syscall36_patch_txt_start, "\n");
#endif

    /* Each `continue` below jumps to the while condition, which fetches the
     * next line, so a malformed line is simply skipped. */
    do {
        /* '#' to end of line is a comment: cut it off. */
        ptr = strchr(tmp, '#');
        if (ptr)
            *ptr = 0;
        ptr = tmp;

        /* Skip leading blanks.  strchr() also matches the terminating '\0',
         * so an empty line passes the digit check and is rejected by the
         * ':' test instead. */
        while (*ptr == ' ' || *ptr == '\t')
            ptr++;
        if (!strchr("0123456789abcdefABCDEF", *ptr))
            continue;
        addr = strtoull(ptr, &ptr, 16);
        if (*ptr != ':')
            continue;
        else
            ptr++;
        while (*ptr == ' ' || *ptr == '\t')
            ptr++;
        if (!strchr("0123456789abcdefABCDEF", *ptr))
            continue;
        ptr2 = ptr;  /* remember the start so the digit count can be measured */
        value = strtoull(ptr, &ptr, 16);

        patches++;

        /* Width of the hex token selects the write size; `value` is
         * truncated to 32 bits by the _poke32() parameter in the first case. */
        if (ptr - ptr2 == 8) {
            _poke32(addr, value);
        } else if (ptr - ptr2 == 16) {
            _poke(addr, value);
        } else
            patches--;  /* unsupported width: undo the count, nothing written */
    }
    while ((tmp = strtok(NULL, "\n")));
}
/*
 * Install the 4.65 payload and apply the patch groups selected by the
 * bEnableLv2_* configuration flags.
 *
 * Sequence: optional LV1 memory-protection patch (four lv1poke writes), copy
 * of payload_sky_465_bin and umount_465_bin via lv2_memcpy(), save of the
 * original word at SYSCALL_BASE + 8*8 into restore_syscall8[], write of the
 * id block and of the TOC / descriptor words (per the existing comments, the
 * syscall-8 slot), then the webMAN, Habib and "basic" patch groups.
 *
 * @param mode  Accepted for interface compatibility; not referenced in this
 *              body.
 *
 * Reads bEnableLv2_memprot_patch, bEnableLv2_webman_patch and
 * bEnableLv2_habib_patch; may overwrite bEnableLv2_habib_patch (see below).
 * Writes restore_syscall8[0..1].
 *
 * NOTE(review): nothing is read back after writing and there is no failure
 * path — every poke is assumed to succeed.  The usleep(1000) before
 * remove_lv2_memcpy() has no stated reason.
 */
void load_payload_465(int mode)
{
    if(bEnableLv2_memprot_patch) // changed offset: 0x377828 -> 0x370F28
    {   //Remove Lv2 memory protection
        lv1poke(0x370F28 + 0x00, 0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
        lv1poke(0x370F28 + 0x08, 0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
        lv1poke(0x370F28 + 0x10, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
        lv1poke(0x370F28 + 0x18, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL
    }

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_465_bin,
                   payload_sky_465_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_465_bin,
                      umount_465_bin_size);

    /* Keep address and original value of the slot so it can be restored later. */
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    /* inst8 is reused: first carries the TOC into the payload, then the
     * descriptor address into the syscall slot.  Order matters: the payload
     * must hold the TOC before the slot points at it. */
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);  /* 1 ms; purpose not stated */

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    if(bEnableLv2_webman_patch)
    {
			//patches by deank
			pokeq(0x800000000026FDDCULL, 0x4E80002038600000ULL ); // fix 8001003C error  Original: 0x4E80002038600000ULL
			pokeq(0x800000000026FDE4ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error  Original: 0x7C6307B44E800020ULL
			pokeq(0x800000000005658CULL, 0x63FF003D60000000ULL ); // fix 8001003D error  Original: 0x63FF003D419EFFD4ULL
			pokeq(0x8000000000056650ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error  Original: 0x3FE0800163FF003EULL

			pokeq(0x80000000000565FCULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
			pokeq(0x8000000000056604ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
			pokeq(0x800000000005A658ULL, 0x2F83000060000000ULL ); // fix 80010009 error  Original: 0x2F830000419E00ACULL
			pokeq(0x800000000005A66CULL, 0x2F83000060000000ULL ); // fix 80010009 error  Original: 0x2F830000419E00ACULL

			pokeq(0x8000000000056230ULL, 0x386000012F830000ULL ); // ignore LIC.DAT check
			pokeq(0x80000000002302F0ULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors (2015-01-03)

			pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); // just restore the original
			pokeq(0x8000000000058DB0ULL, 0x419E0038E8610098ULL ); // just restore the original
/*
        if(file_exists("/dev_flash/rebug")==false || bEnableLv2_webman_patch==3)
        {
            //anti-ode patches by deank
            //pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); //replaced by deank's patch (2015-01-03)
            pokeq(0x8000000000055C84ULL, 0x6000000060000000ULL );
            pokeq(0x8000000000055C8CULL, 0x600000003BA00000ULL );
        }
*/
        /* Side effect on global config: the webMAN group can switch the
         * Habib group off for the selection below. */
        if(bEnableLv2_webman_patch>=2 || bEnableLv2_habib_patch == 2) bEnableLv2_habib_patch=0;
    }

    //Patches by Habib ported to 4.65 (habib_patch = 0=disabled, 1=new patch, 2=new patch except 4.65 Habib Cobra, 3=old patch, 4=no boot speedup patch)
    /* First branch is a deliberate empty statement: mode 2 on a Cobra-based
     * system with /dev_flash/habib present applies nothing and skips the
     * else-chain below. */
    if(bEnableLv2_habib_patch == 2 && is_cobra_based() && file_exists("/dev_flash/habib")) ;
    else if((bEnableLv2_habib_patch == 11) || (bEnableLv2_habib_patch == 2))
    { // enable new habib patches  (now obsolete) //replaced by deank's patch (2015-01-03)
        pokeq(0x8000000000058DB0ULL + 0x00, 0x60000000E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);

        pokeq(0x8000000000055C5CULL + 0x00, 0x386000004E800020ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);

        //patch to prevent blackscreen on usb games in jb format
        pokeq(0x8000000000055C84ULL, 0x386000002F830001ULL); //Original: 0x481DA6692F830001ULL
        pokeq(0x8000000000055C8CULL, 0x419E00303BA00000ULL); //Original: 0x419E00303BA00000ULL
    }
    else if(bEnableLv2_habib_patch == 10)
    { // disable new habib patches
        /* Same eight locations as the "enable" branch; only the first word of
         * each group differs, the remaining six are written with identical
         * values in both branches. */
        pokeq(0x8000000000058DB0ULL + 0x00, 0x419E0038E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);

        pokeq(0x8000000000055C5CULL + 0x00, 0xF821FE917C0802A6ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);
    }
    else
    {
        /* Modes 1, 3, 4 (and any other value >= 1 not matched above). */
        if(bEnableLv2_habib_patch >= 1)
        {
            if(bEnableLv2_habib_patch == 3)
                pokeq32(0x8000000000058DB0ULL, 0x60000000);          // old fix 0x80010017 error  Original: 0x7C7F1B78419E0038ULL
            else
                pokeq(0x80000000002A1060ULL, 0x386000014E800020ULL); // fix 0x80010017 error   Original: 0xFBC1FFF0EBC225B0ULL

            // Booting of game discs and backups speed increased
            if(bEnableLv2_habib_patch != 4)
            {
                pokeq32(0x8000000000058DA4ULL, 0x38600001);
                pokeq32(0x800000000005A970ULL, 0x38600000);
            }

            pokeq(0x8000000000055C5CULL, 0x386000004E800020ULL);     // fix 0x8001002B error   Original: 0xF821FE917C0802A6ULL
        }
    }

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    /* Unconditional: applied regardless of the flag-selected groups above,
     * and some of these overlap addresses already written there (e.g. the
     * 0x5658C / 0x56604 region), so the last write wins. */
    _poke32(0x56600, 0x60000000);          // Original: 0x419E00D8419D00C0ULL -> 0x419E00D860000000ULL
    PATCH_JUMP(0x56608, 0x566A0);          // Original: 0x2F840004409C0048ULL -> 0x2F84000448000098ULL
    _poke32(0x05A65C, 0x60000000);         // fix 80010009 error
    _poke32(0x05A670, 0x60000000);         // fix 80010019 error
    _poke(  0x05658C, 0x63FF003D60000000); // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056654, 0x3BE00000);         // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"  done

    PATCH_JUMP(0x56658, 0x56564);          // Not present in rebug, anyway..

    _poke(0x26FDE0, 0x386000007C6307B4); //fix 8001003C error
    _poke32(0x26FDE0 + 8, 0x4E800020);   //

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    PATCH_JUMP(0x2A02EC, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x2A02C8, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu    %sp, -0xA0(%sp)" instead   "b       sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}