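/*
 * Install a temporary copy routine inside LV2 and point syscall slot 9 at it,
 * so that lv2_memcpy() can be used until remove_lv2_memcpy() is called.
 *
 * The previous content of the slot is saved in the file-scope variable
 * restore_syscall for remove_lv2_memcpy().  It is overwritten unconditionally,
 * so a second install without an intervening remove saves the hooked value and
 * the original slot content is lost; pairing the two calls is the caller's
 * responsibility.
 *
 * Twelve qwords at 0x8000000000001820..0x1878 are written: the first two hold
 * 0x...1830 and the qword read from 0x...3000 (commented "get TOC" elsewhere
 * in this file; presumably the pair forms a function descriptor - TODO
 * confirm), the remaining ten are opaque constants whose meaning is not
 * derivable from this file.  The whole sequence is repeated 50 times with a
 * 5 ms pause; the reason for the repetition is not documented here.  Nothing
 * verifies that any of the writes landed.
 *
 * No parameters, no return value.  Side effects: LV2 memory writes through
 * pokeq()/_poke(); requires peekq()/pokeq() to be operational.
 */
static inline void install_lv2_memcpy(void)
{
    /* Routine body: body[i] is written to body_addr + 8 * i on every pass. */
    static const u64 body[] = {
        0x282500004D820020ULL, 0x38A5FFFF7CC428AEULL,
        0x7CC329AE7C0006ACULL, 0x7CE32A1470E80003ULL,
        0x282500004082000CULL, 0x7CE838504800000CULL,
        0x282800004082FFCCULL, 0x7C0038AC7C0004ACULL,
        0x7C003FAC4C00012CULL, 0x4BFFFFB800000000ULL,
    };
    const u64 body_addr = 0x8000000000001830ULL;
    const u64 desc_addr = 0x8000000000001820ULL;

    /* Remember the current slot 9 entry so remove_lv2_memcpy() can put it back. */
    restore_syscall = peekq(SYSCALL_BASE + (u64) (9 * 8));

    for (int pass = 0; pass < 50; pass++) {
        pokeq(desc_addr, body_addr);
        pokeq(desc_addr + 8, peekq(0x8000000000003000ULL));
        for (size_t i = 0; i < sizeof body / sizeof body[0]; i++) {
            pokeq(body_addr + 8 * (u64) i, body[i]);
        }
        /* The (u32) cast keeps the low 32 bits of the slot address;
         * _poke() re-adds the 0x8000000000000000 base. */
        _poke((u32) (SYSCALL_BASE + 9 * 8), desc_addr);
        usleep(5000);
    }
}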
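/*
 * Undo install_lv2_memcpy(): zero the twelve qwords at
 * 0x8000000000001820..0x1878 and write restore_syscall back into syscall
 * slot 9.  Like the install, the sequence is repeated 50 times with a 5 ms
 * pause between passes.
 *
 * Relies on restore_syscall having been set by a preceding
 * install_lv2_memcpy(); called on its own it writes whatever that variable
 * currently holds into the slot.  Nothing verifies that the writes landed.
 *
 * No parameters, no return value.  Side effects: LV2 memory writes through
 * pokeq()/_poke().
 */
static inline void remove_lv2_memcpy(void)
{
    enum { STUB_QWORDS = 12 };
    const u64 stub_addr = 0x8000000000001820ULL;

    for (int pass = 0; pass < 50; pass++) {
        for (int i = 0; i < STUB_QWORDS; i++) {
            pokeq(stub_addr + 8 * (u64) i, 0x0ULL);
        }
        /* The (u32) cast keeps the low 32 bits of the slot address;
         * _poke() re-adds the 0x8000000000000000 base. */
        _poke((u32) (SYSCALL_BASE + 9 * 8), restore_syscall);
        usleep(5000);
    }
}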
/*
 * Write the qword val at LV2 offset addr, i.e. at 0x8000000000000000 + addr.
 * Thin wrapper over pokeq(); no checks, no return value.
 * (Note: a file-scope name starting with an underscore is reserved by the
 * C standard; kept as is because callers use it.)
 */
static inline void _poke(u64 addr, u64 val)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    const u64 target = lv2_base + addr;

    pokeq(target, val);
}
/*
 * Replace the upper 32 bits of the qword at addr with val, keeping the lower
 * 32 bits as currently stored there.
 *
 * Implemented as a read-modify-write through peekq()/pokeq(), so it is not
 * atomic with respect to anything else touching that qword.  No return value.
 */
static void pokeq32(u64 addr, uint32_t val)
{
    const u64 low_mask = 0xffffffffULL;
    u64 current = peekq(addr);
    u64 merged = ((u64) val << 32) | (current & low_mask);

    pokeq(addr, merged);
}
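/*
 * Return non-zero when the mount-table entry whose name starts at mem[n]
 * carries both marker bytes (mem[n - 9] == 1 and mem[n - 13] == 1), the test
 * the table walk applies to every candidate entry.
 *
 * The n >= 13 guard keeps both lookups inside the copied table: the copy
 * starts at LV2MOUNTADDR_446 itself, so for a name matching at n == 0 those
 * two bytes would lie before the buffer (the original code read them anyway).
 */
static int lv2_mount_entry_flagged(const char *mem, int n)
{
    return n >= 13 && mem[n - 9] == 1 && mem[n - 13] == 1;
}

/*
 * Revert the BD-emulation changes in the LV2 mount table (4.46 layout).
 *
 * The table (0x10 * 0x118 bytes at LV2MOUNTADDR_446) is copied into
 * temp_buffer and walked in steps of LV2MOUNTADDR_446_ESIZE.  For every
 * flagged entry (see lv2_mount_entry_flagged) the mount point at +0x69 is
 * rewritten in LV2 through sys8_memcpy()/sys8_memset():
 *   - HDD1 / PATA0_BDVD_DRIVE with "temp_bdvd"         -> "dev_bdvd"   (+1)
 *   - USB_MASS_STORAGE0 with "dev_bdvd" or "temp_usb"  -> the name kept at
 *     +0x79 is moved to +0x69 and +0x79 is cleared                      (+10)
 *   - HDD0 with "dev_bdvd" at +0x69, "esp_bdvd" at +0x79 and a non-zero
 *     qword at 0x80000000007EF000 -> the LV2MOUNTADDR_446_CSIZE bytes saved
 *     at 0x80000000007EF020 (staged at temp_buffer + 0x1200, byte 0xF taken
 *     from mem[n - 1]) are written back starting 0x10 bytes before the name
 *                                                                       (+10)
 * Afterwards the umount syscall is re-poked 100 times ("UMOUNT RESTORE") and
 * the qword at 0x80000000007EF000 is cleared.
 *
 * Returns -1 when the copied table starts with a zero byte and nothing
 * matched; otherwise the accumulated count.
 *
 * NOTE(review): the walk reads up to mem[n + 0x79 + 11] while only the first
 * 0x1180 bytes of temp_buffer are initialised here; whether the last
 * iteration can reach stale bytes depends on LV2MOUNTADDR_446_ESIZE, which is
 * not visible in this file.
 */
static int lv2_unpatch_bdvdemu_446(void)
{
    int flag = 0;
    char *mem = temp_buffer;

    memset(mem, 0, 0x10 * 0x118);
    sys8_memcpy((u64) mem, LV2MOUNTADDR_446, 0x10 * 0x118);
    /* Saved copy of one table entry, kept at 0x...7EF020 (presumably by the
     * payload - TODO confirm); staged here for the HDD0 case below. */
    sys8_memcpy((u64) (mem + 0x1200), 0x80000000007EF020ULL, LV2MOUNTADDR_446_CSIZE);

    for (int n = 0; n < 0x116c; n += LV2MOUNTADDR_446_ESIZE) {
        if (!lv2_mount_entry_flagged(mem, n)) {
            continue;
        }

        const char *name = mem + n;
        const char *mount = mem + n + 0x69;
        const u64 lv2_mount = LV2MOUNTADDR_446 + n + 0x69;

        /* The name strings are mutually exclusive, so the cases below
         * cannot overlap for one entry. */
        if ((!memcmp(name, "CELL_FS_UTILITY:HDD1", 21) ||
             !memcmp(name, "CELL_FS_IOS:PATA0_BDVD_DRIVE", 29)) &&
            !memcmp(mount, "temp_bdvd", 10)) {
            sys8_memcpy(lv2_mount, (u64) "dev_bdvd\0", 10);
            flag++;
        }

        if (!memcmp(name, "CELL_FS_IOS:USB_MASS_STORAGE0", 29) &&
            (!memcmp(mount, "dev_bdvd", 9) || !memcmp(mount, "temp_usb", 9))) {
            /* Move the name stored at +0x79 down to +0x69, then clear +0x79. */
            sys8_memcpy(lv2_mount, (u64) (mem + n + 0x79), 11);
            sys8_memset(LV2MOUNTADDR_446 + n + 0x79, 0ULL, 12);
            flag += 10;
        }

        if (!memcmp(name, "CELL_FS_UTILITY:HDD0", 21) &&
            !memcmp(mount, "dev_bdvd", 9) &&
            !memcmp(mem + n + 0x79, "esp_bdvd", 9) &&
            peekq(0x80000000007EF000ULL) != 0) {
            /* Byte 0xF of the staged copy is taken from the live entry. */
            mem[0x1200 + 0x10 - 1] = mem[n - 1];
            sys8_memcpy(LV2MOUNTADDR_446 + (u64) (n - 0x10), (u64) (mem + 0x1200), (u64) LV2MOUNTADDR_446_CSIZE);
            flag += 10;
        }
    }

    for (int i = 0; i < 100; i++) {
        _poke32(UMOUNT_SYSCALL_OFFSET, 0xFBA100E8); // UMOUNT RESTORE
        usleep(1000);
    }

    pokeq(0x80000000007EF000ULL, 0ULL);

    if (mem[0] == 0 && flag == 0) {
        return -1;
    }
    return flag;
}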
/*
 * Install the 4.46 "sky" payload into LV2 and apply the accompanying
 * firmware patches.  Every step is an unchecked raw memory write: nothing
 * verifies the running firmware version (the addresses are hard-coded for
 * the version in the function name), that a write took effect, or that the
 * patched locations hold what this function expects.
 *
 * mode: not read by this function (presumably kept for a uniform signature
 *       with the other load_payload_* variants - TODO confirm against callers).
 *
 * Order of operations:
 *  1. four lv1poke() writes at 0x370AA8.. (original comment: "remove Lv2
 *     memory protection"; the constants are not explained in this file),
 *  2. install_lv2_memcpy(), copy the payload and umount blobs to
 *     PAYLOAD_OFFSET / PAYLOAD_UMOUNT_OFFSET, save syscall slot 8 in
 *     restore_syscall8[] and repoint it at PAYLOAD_OFFSET + 0x20, then
 *     remove_lv2_memcpy(),
 *  3. clear the two "BE Emu" qwords, then the instruction patches listed
 *     below with their original per-line comments.
 *
 * Side effects only; no return value.
 */
void load_payload_446(int mode)
{
// Remove Lv2 memory protection (original comment; constants unexplained here)

	lv1poke(0x370AA8, 0x0000000000000001ULL);
	lv1poke(0x370AA8 + 8, 0xE0D251B556C59F05ULL);
	lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
	lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_446_bin, 
                   payload_sky_446_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_446_bin, 
                      umount_446_bin_size);

    // Save syscall slot 8 (address, current value) so it can be restored later.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id: 0x534B3145 are the ASCII bytes "SK1E", OR'd with the payload offset,
    // followed by the slot 8 address; written as 16 bytes at 0x...4f0
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Store the TOC at PAYLOAD_OFFSET + 0x28, then point slot 8 at PAYLOAD_OFFSET + 0x20.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56134, 0x60000000); // done
    PATCH_JUMP(0x5613C, 0x561D4); // done
    _poke32(0x059AF8, 0x60000000); // done
    _poke32(0x059B0C, 0x60000000); // done
    _poke(  0x0560C0, 0x63FF003D60000000);  // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056188, 0x3BE00000);  // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"  done
    
    PATCH_JUMP(0x5618C, 0x56098);          // Not present in rebug, anyway.. 
    
    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x297314, 0x386000007C6307B4); //done
    _poke32(0x297314 + 8, 0x4E800020); //done

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */
    
    PATCH_JUMP(0x2C47D4, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
	_poke32(0x2C47B0, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu    %sp, -0xA0(%sp)" instead   "b       sub_2E9F98") 

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
/*
 * Install the 4.21 DEX "sky" payload into LV2 and apply the accompanying
 * firmware patches.  Same structure as load_payload_446(): every step is an
 * unchecked raw memory write; nothing verifies the running firmware version
 * (addresses are hard-coded for the version in the function name), that a
 * write took effect, or that the patched locations hold what is expected.
 *
 * mode: not read by this function (presumably kept for a uniform signature
 *       with the other load_payload_* variants - TODO confirm against callers).
 *
 * Order of operations:
 *  1. four lv1poke() writes at 0x370A28..0x370A40 (original comment:
 *     "remove lv2 protection"; the constants are not explained here),
 *  2. install_lv2_memcpy(), copy the payload and umount blobs to
 *     PAYLOAD_OFFSET / PAYLOAD_UMOUNT_OFFSET, save syscall slot 8 in
 *     restore_syscall8[] and repoint it at PAYLOAD_OFFSET + 0x20, then
 *     remove_lv2_memcpy(),
 *  3. clear the two "BE Emu" qwords, then the instruction patches below.
 *     Several of the "BASIC PATCHES" re-write bytes already written by the
 *     preceding webMAN pokeq() block (e.g. the qword at 0x...5A938 and the
 *     0x29C8C0..0x29C8CC range carry the same values twice); the original
 *     comments mark them "already set in ps3ita".
 *
 * Side effects only; no return value.
 */
void load_payload_421dex(int mode)
{
 // Remove lv2 protection (original comment; constants unexplained here)

    lv1poke(0x370A28, 0x0000000000000001ULL);
    lv1poke(0x370A30, 0xe0d251b556c59f05ULL);
    lv1poke(0x370A38, 0xc232fcad552c80d7ULL);
    lv1poke(0x370A40, 0x65140cd200000000ULL);

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_421dex_bin,
                   payload_sky_421dex_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_421dex_bin,
                      umount_421dex_bin_size);

    // Save syscall slot 8 (address, current value) so it can be restored later.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id: 0x534B3145 are the ASCII bytes "SK1E", OR'd with the payload offset,
    // followed by the slot 8 address; written as 16 bytes at 0x...4f0
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Store the TOC at PAYLOAD_OFFSET + 0x28, then point slot 8 at PAYLOAD_OFFSET + 0x20.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    // Patches from webMAN (absolute LV2 addresses, written as whole qwords)
    pokeq(0x800000000029C8C0ULL, 0x4E80002038600000ULL );
    pokeq(0x800000000029C8C8ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x800000000005A938ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x800000000005A9FCULL, 0x3FE080013BE00000ULL ); // fix 8001003E error

    pokeq(0x800000000005A9A8ULL, 0x419E00D860000000ULL );
    pokeq(0x800000000005A9B0ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005E36CULL, 0x2F83000060000000ULL );
    pokeq(0x800000000005E380ULL, 0x2F83000060000000ULL );


     /* BASIC PATCHES SYS36 (offset-relative; several repeat the webMAN pokes above) */
    // by 2 anonymous people
    _poke32(0x05A9AC, 0x60000000); // already set in ps3ita "nop"
    PATCH_JUMP(0x05A9B4, 0x5AA4C); // already set in ps3ita "nop"
    _poke32(0x05E370, 0x60000000); // already set in ps3ita "nop"
    _poke32(0x05E384, 0x60000000); // already set in ps3ita "nop"
    _poke(  0x05A938, 0x63FF003D60000000);  // already set in ps3ita - fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" (same qword as the webMAN poke above)
    _poke32(0x05AA00, 0x3BE00000);  // already set in ps3ita - fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"

    PATCH_JUMP(0x05AA04, 0x5A910);          // already set in ps3ita

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x29C8C4, 0x386000007C6307B4);
    _poke32(0x29C8CC, 0x4E800020);

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    PATCH_JUMP(0x2D973C, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}