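/*
 * Install the lv2 copy stub that lv2_memcpy() relies on and point syscall
 * slot 9 at it.
 *
 * Side effects, all through the peek/poke helpers (they are used purely for
 * their side effect here; whether they can report failure is not visible in
 * this file):
 *   - the current contents of syscall slot 9 (SYSCALL_BASE + 9*8) are saved
 *     in the file-scope restore_syscall so remove_lv2_memcpy() can put them
 *     back;
 *   - 12 quadwords are written at 0x8000000000001820..0x1878 (the stub
 *     image).  The word at 0x1828 is refreshed from 0x8000000000003000 on
 *     every pass — the same address load_payload_*() reads as the TOC — so
 *     0x1820/0x1828 presumably form a function descriptor for the code at
 *     0x1830; not verified here;
 *   - 0x8000000000001820 is written into syscall slot 9.
 *
 * The whole sequence is repeated STUB_PASSES times with a 5 ms pause, exactly
 * as the original did; the repetition is preserved, not explained.
 *
 * The old `()` declarator was replaced by `(void)` so the compiler checks
 * that no arguments are passed.
 */
static inline void install_lv2_memcpy(void)
{
    enum { STUB_PASSES = 50, STUB_WORDS = 10 };
    /* Image written at 0x8000000000001830 onwards, one quadword per entry. */
    static const u64 stub_body[STUB_WORDS] = {
        0x282500004D820020ULL, /* 0x1830 */
        0x38A5FFFF7CC428AEULL, /* 0x1838 */
        0x7CC329AE7C0006ACULL, /* 0x1840 */
        0x7CE32A1470E80003ULL, /* 0x1848 */
        0x282500004082000CULL, /* 0x1850 */
        0x7CE838504800000CULL, /* 0x1858 */
        0x282800004082FFCCULL, /* 0x1860 */
        0x7C0038AC7C0004ACULL, /* 0x1868 */
        0x7C003FAC4C00012CULL, /* 0x1870 */
        0x4BFFFFB800000000ULL, /* 0x1878 */
    };
    const u64 stub_base = 0x8000000000001820ULL;
    const u64 slot9 = SYSCALL_BASE + (u64) (9 * 8);

    /* Remember what slot 9 held so remove_lv2_memcpy() can undo this. */
    restore_syscall = peekq(slot9);

    for (int pass = 0; pass < STUB_PASSES; pass++) {
        pokeq(stub_base, 0x8000000000001830ULL);
        pokeq(stub_base + 8, peekq(0x8000000000003000ULL));
        for (int i = 0; i < STUB_WORDS; i++) {
            pokeq(stub_base + 0x10 + (u64) (8 * i), stub_body[i]);
        }
        /*
         * The u32 cast drops the upper half of the slot address; _poke()
         * adds the 0x8000000000000000 base back before writing.
         */
        _poke((u32) slot9, 0x8000000000001820ULL);
        usleep(5000);
    }
}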
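/*
 * Undo install_lv2_memcpy(): zero the 12-quadword stub image at
 * 0x8000000000001820..0x1878 and write the saved restore_syscall value back
 * into syscall slot 9.
 *
 * Must only run after install_lv2_memcpy() has set restore_syscall;
 * otherwise slot 9 is overwritten with whatever the global happens to hold.
 * The sequence is repeated REMOVE_PASSES times with a 5 ms pause, mirroring
 * the install.  Note that nothing here (or elsewhere visible in this file)
 * restores the lv1 words that load_payload_*() change before installing.
 *
 * The old `()` declarator was replaced by `(void)` so the compiler checks
 * that no arguments are passed.
 */
static inline void remove_lv2_memcpy(void)
{
    enum { REMOVE_PASSES = 50 };
    const u64 stub_first = 0x8000000000001820ULL;
    const u64 stub_last = 0x8000000000001878ULL;

    for (int pass = 0; pass < REMOVE_PASSES; pass++) {
        /* 12 quadwords, lowest address first, the order the install wrote them. */
        for (u64 addr = stub_first; addr <= stub_last; addr += 8) {
            pokeq(addr, 0x0ULL);
        }
        /* As in install_lv2_memcpy(): _poke() re-adds the high half cut by the cast. */
        _poke((u32) (SYSCALL_BASE + 9 * 8), restore_syscall);
        usleep(5000);
    }
}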
/*
 * Write one quadword at lv2 offset addr.  The 0x8000000000000000 kernel base
 * is added here, so callers pass either a bare offset or, as
 * install_lv2_memcpy() does, an absolute address truncated to u32.
 *
 * NOTE(review): this definition follows its first use in
 * install_lv2_memcpy(); unless a prototype appears earlier in the file, that
 * call relies on an implicit declaration — confirm.
 */
static inline void _poke(u64 addr, u64 val)
{
    const u64 kernel_base = 0x8000000000000000ULL;
    u64 absolute = kernel_base + addr;
    pokeq(absolute, val);
}
/*
 * Replace the upper 32 bits of the quadword at addr with val and keep the
 * lower 32 bits as they were.  This is a read-modify-write of the whole
 * 8-byte word through peekq()/pokeq(), so addr must be a valid quadword
 * address for those helpers.  On a big-endian target the upper half is the
 * 4 bytes at addr itself — presumably why this counts as a 32-bit poke; not
 * verified here.
 */
static void pokeq32(u64 addr, uint32_t val)
{
    u64 current = peekq(addr);
    u64 low_half = current & 0xffffffffULL;
    u64 high_half = ((u64) val) << 32;
    pokeq(addr, high_half | low_half);
}
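/*
 * True when the mount-table entry whose name starts at mem[n] is flagged
 * active: the bytes at n-9 and n-13 are both 1.  Entries closer than 13
 * bytes to the start of the buffer are rejected instead of reading in front
 * of it (the original indexed mem[n-13] unconditionally, an out-of-bounds
 * read for n == 0).
 */
static int bdvdemu_446_entry_active(const char *mem, int n)
{
    return n >= 13 && mem[n - 9] == 1 && mem[n - 13] == 1;
}

/*
 * Revert the bdvd-emulation renames in the lv2 mount table (4.46 layout).
 *
 * Takes a SNAPSHOT_SIZE-byte copy of the table at LV2MOUNTADDR_446 into
 * temp_buffer, plus LV2MOUNTADDR_446_CSIZE bytes from 0x80000000007EF020 at
 * buffer offset 0x1200, scans the snapshot in LV2MOUNTADDR_446_ESIZE steps
 * and writes the following back into lv2 with sys8_memcpy()/sys8_memset():
 *   - HDD1 / PATA0_BDVD_DRIVE entries named "temp_bdvd" get "dev_bdvd"
 *     (flag += 1 each);
 *   - USB_MASS_STORAGE0 entries named "dev_bdvd" or "temp_usb" get the name
 *     stored at entry offset 0x79, which is then cleared (flag += 10);
 *   - an HDD0 entry named "dev_bdvd" with "esp_bdvd" at 0x79, while the word
 *     at 0x80000000007EF000 is non-zero, is overwritten wholesale from the
 *     0x1200 snapshot (flag += 10).
 * Afterwards the word at UMOUNT_SYSCALL_OFFSET is rewritten 100 times and
 * the 0x80000000007EF000 word is cleared.
 *
 * Returns -1 when the snapshot starts with a zero byte and nothing matched,
 * otherwise the accumulated flag count.
 *
 * NOTE(review): temp_buffer's size is not visible here; it must hold at
 * least 0x1200 + LV2MOUNTADDR_446_CSIZE bytes.  The scan bound 0x116c lies
 * within 0x14 bytes of the SNAPSHOT_SIZE copy while a match reads up to
 * n + 0x84, so the last probed entry may read bytes the memset/copy never
 * touched — confirm against LV2MOUNTADDR_446_ESIZE.
 */
static int lv2_unpatch_bdvdemu_446(void)
{
    enum {
        SNAPSHOT_SIZE = 0x10 * 0x118,
        SCAN_LIMIT = 0x116c,
        SPARE_OFFSET = 0x1200,
        NAME_OFFSET = 0x69,
        ALT_NAME_OFFSET = 0x79,
        UMOUNT_RESTORE_PASSES = 100
    };
    char *mem = temp_buffer;
    int flag = 0;
    int n;

    memset(mem, 0, SNAPSHOT_SIZE);
    sys8_memcpy((u64) mem, LV2MOUNTADDR_446, SNAPSHOT_SIZE);
    sys8_memcpy((u64) (mem + SPARE_OFFSET), 0x80000000007EF020ULL, LV2MOUNTADDR_446_CSIZE);

    for (n = 0; n < SCAN_LIMIT; n += LV2MOUNTADDR_446_ESIZE) {
        /* All four branches below require the same active flags. */
        if (!bdvdemu_446_entry_active(mem, n)) {
            continue;
        }
        const char *name = mem + n + NAME_OFFSET;
        const char *alt_name = mem + n + ALT_NAME_OFFSET;

        if (!memcmp(mem + n, "CELL_FS_UTILITY:HDD1", 21)) {
            if (!memcmp(name, "temp_bdvd", 10)) {
                sys8_memcpy(LV2MOUNTADDR_446 + n + 0x69, (u64) "dev_bdvd\0", 10);
                flag++;
            }
        }
        if (!memcmp(mem + n, "CELL_FS_IOS:PATA0_BDVD_DRIVE", 29)) {
            if (!memcmp(name, "temp_bdvd", 10)) {
                sys8_memcpy(LV2MOUNTADDR_446 + n + 0x69, (u64) "dev_bdvd\0", 10);
                flag++;
            }
        }
        if (!memcmp(mem + n, "CELL_FS_IOS:USB_MASS_STORAGE0", 29)) {
            if (!memcmp(name, "dev_bdvd", 9) || !memcmp(name, "temp_usb", 9)) {
                /* Move the saved name at +0x79 back over the emulated one, then clear it. */
                sys8_memcpy(LV2MOUNTADDR_446 + n + 0x69, (u64) (mem + n + 0x79), 11);
                sys8_memset(LV2MOUNTADDR_446 + n + 0x79, 0ULL, 12);
                flag += 10;
            }
        }
        if (!memcmp(mem + n, "CELL_FS_UTILITY:HDD0", 21)) {
            /*
             * n >= 0x10 keeps the destination LV2MOUNTADDR_446 + (n - 0x10)
             * from being computed from a negative offset.
             */
            if (n >= 0x10 && !memcmp(name, "dev_bdvd", 9) && !memcmp(alt_name, "esp_bdvd", 9)
                && peekq(0x80000000007EF000ULL) != 0) {
                /* Carry the byte just before this entry into the spare copy. */
                mem[SPARE_OFFSET + 0x10 - 1] = mem[n - 1];
                sys8_memcpy(LV2MOUNTADDR_446 + (u64) (n - 0x10), (u64) (mem + SPARE_OFFSET),
                            (u64) LV2MOUNTADDR_446_CSIZE);
                flag += 10;
            }
        }
    }

    /* UMOUNT RESTORE: repeated, as in the original. */
    for (n = 0; n < UMOUNT_RESTORE_PASSES; n++) {
        _poke32(UMOUNT_SYSCALL_OFFSET, 0xFBA100E8);
        usleep(1000);
    }
    pokeq(0x80000000007EF000ULL, 0ULL);

    if (mem[0] == 0 && flag == 0) {
        return -1;
    }
    return flag;
}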
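/*
 * Load the 4.46 payload into lv2 and apply the 4.46-specific kernel patches.
 *
 * mode is accepted but not consulted; both load_payload_*() variants visible
 * in this file take it, so the signature is kept.
 *
 * Sequence (none of the helpers used here hand a status back to this
 * function, so nothing is checked; whether they can fail is not visible in
 * this file):
 *  1. four lv1poke() writes at 0x370AA8.. that the original labels "remove
 *     Lv2 memory protection" — nothing visible in this file restores them;
 *  2. install_lv2_memcpy(), then lv2_memcpy() of payload_sky_446_bin to
 *     PAYLOAD_OFFSET and umount_446_bin to PAYLOAD_UMOUNT_OFFSET; per the
 *     original warning both images must be a multiple of 8 bytes long;
 *  3. the current syscall-8 slot is saved in restore_syscall8[], the payload
 *     id/slot pair is stored at 0x80000000000004f0, the TOC read from
 *     0x8000000000003000 is placed at PAYLOAD_OFFSET+0x28 and syscall slot 8
 *     is pointed at PAYLOAD_OFFSET+0x20;
 *  4. remove_lv2_memcpy(), the words at 0x80000000007EF000/0x...7EF220 are
 *     cleared, and the remaining _poke/_poke32/PATCH_JUMP lines apply the
 *     firmware patches, kept verbatim with the original annotations.
 */
void load_payload_446(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    u64 id[2];
    u64 inst8;

    (void) mode; /* unused; kept for a common load_payload_*() signature */

    /* Remove Lv2 memory protection */
    lv1poke(0x370AA8, 0x0000000000000001ULL);
    lv1poke(0x370AA8 + 8, 0xE0D251B556C59F05ULL);
    lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET, (u64) payload_sky_446_bin, payload_sky_446_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET, /* copy umount routine */
               (u64) umount_446_bin, umount_446_bin_size);

    /* Save the syscall-8 slot (SYSCALL_BASE + 8*8) and its current contents. */
    restore_syscall8[0] = SYSCALL_BASE + 64ULL;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* Payload id: 0x534B3145 tag in the upper word ORed with PAYLOAD_OFFSET, then the slot address. */
    id[0] = 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL;
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    inst8 = peekq(0x8000000000003000ULL); /* get TOC */
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20); /* syscall_8_desc - sys8 */
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); /* BE Emu mount */
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 (by 2 anonymous people) */
    _poke32(0x56134, 0x60000000);
    PATCH_JUMP(0x5613C, 0x561D4);
    _poke32(0x059AF8, 0x60000000);
    _poke32(0x059B0C, 0x60000000);
    _poke(0x0560C0, 0x63FF003D60000000ULL); /* fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" */
    _poke32(0x056188, 0x3BE00000);           /* fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" */
    PATCH_JUMP(0x5618C, 0x56098);            /* Not present in rebug, anyway.. */

    /* Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates */
    _poke(0x297314, 0x386000007C6307B4ULL);
    _poke32(0x297314 + 8, 0x4E800020);

    /* -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80) */
    PATCH_JUMP(0x2C47D4, (PAYLOAD_OFFSET + 0x30)); /* patch openhook */
    _poke32(0x2C47B0, 0xF821FF61); /* free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98") */
#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET + 0x18));
#endif
}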
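/*
 * Load the 4.21 DEX payload into lv2 and apply the 4.21 DEX kernel patches.
 *
 * mode is accepted but not consulted; both load_payload_*() variants visible
 * in this file take it, so the signature is kept.
 *
 * Same shape as load_payload_446(): four lv1poke() writes at 0x370A28..
 * (labelled "remove lv2 protection" by the original; nothing visible in this
 * file restores them), install_lv2_memcpy(), lv2_memcpy() of the payload and
 * umount images (both must be a multiple of 8 bytes long per the original
 * warning), the syscall-8 slot saved in restore_syscall8[], payload id at
 * 0x80000000000004f0, TOC at PAYLOAD_OFFSET+0x28, slot 8 pointed at
 * PAYLOAD_OFFSET+0x20, remove_lv2_memcpy(), then the firmware patches.
 * None of the helpers hand a status back, so nothing is checked; whether
 * they can fail is not visible here.
 *
 * The "BASIC PATCHES SYS36" _poke32/_poke lines below write addresses the
 * webMAN pokeq block above already covers (the original notes them as
 * "already set in ps3ita"); they are kept so the write sequence is unchanged.
 */
void load_payload_421dex(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    u64 id[2];
    u64 inst8;

    (void) mode; /* unused; kept for a common load_payload_*() signature */

    /* Remove lv2 protection */
    lv1poke(0x370A28, 0x0000000000000001ULL);
    lv1poke(0x370A30, 0xe0d251b556c59f05ULL);
    lv1poke(0x370A38, 0xc232fcad552c80d7ULL);
    lv1poke(0x370A40, 0x65140cd200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET, (u64) payload_sky_421dex_bin, payload_sky_421dex_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET, /* copy umount routine */
               (u64) umount_421dex_bin, umount_421dex_bin_size);

    /* Save the syscall-8 slot (SYSCALL_BASE + 8*8) and its current contents. */
    restore_syscall8[0] = SYSCALL_BASE + 64ULL;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* Payload id: 0x534B3145 tag in the upper word ORed with PAYLOAD_OFFSET, then the slot address. */
    id[0] = 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL;
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    inst8 = peekq(0x8000000000003000ULL); /* get TOC */
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20); /* syscall_8_desc - sys8 */
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);
    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); /* BE Emu mount */
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Patches from webMAN */
    pokeq(0x800000000029C8C0ULL, 0x4E80002038600000ULL);
    pokeq(0x800000000029C8C8ULL, 0x7C6307B44E800020ULL); /* fix 8001003C error */
    pokeq(0x800000000005A938ULL, 0x63FF003D60000000ULL); /* fix 8001003D error */
    pokeq(0x800000000005A9FCULL, 0x3FE080013BE00000ULL); /* fix 8001003E error */
    pokeq(0x800000000005A9A8ULL, 0x419E00D860000000ULL);
    pokeq(0x800000000005A9B0ULL, 0x2F84000448000098ULL);
    pokeq(0x800000000005E36CULL, 0x2F83000060000000ULL);
    pokeq(0x800000000005E380ULL, 0x2F83000060000000ULL);

    /* BASIC PATCHES SYS36 (by 2 anonymous people) - already set in ps3ita */
    _poke32(0x05A9AC, 0x60000000); /* "nop" */
    PATCH_JUMP(0x05A9B4, 0x5AA4C);
    _poke32(0x05E370, 0x60000000); /* "nop" */
    _poke32(0x05E384, 0x60000000); /* "nop" */
    _poke(0x05A938, 0x63FF003D60000000ULL); /* fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" */
    _poke32(0x05AA00, 0x3BE00000);           /* fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" */
    PATCH_JUMP(0x05AA04, 0x5A910);

    /* Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates */
    _poke(0x29C8C4, 0x386000007C6307B4ULL);
    _poke32(0x29C8CC, 0x4E800020);

    /* -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80) */
    PATCH_JUMP(0x2D973C, (PAYLOAD_OFFSET + 0x30));
#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET + 0x18));
#endif
}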