/*
 * load_payload_341 - install the groove/Hermes payload into LV2 on a 3.41 kernel.
 *
 * Copies the payload and the umount routine into kernel memory through the
 * temporary lv2_memcpy helper, writes one 8-byte value at 0x17CE0 and the
 * "SK1E" tag at 0x4F0, removes the helper, clears the BE-emu mount slots and
 * then transfers control to the payload once before applying the
 * sys_load_param version fix (error 0x8001003C).
 *
 * Every address below is hard-coded for the 3.41 LV2 image and nothing here
 * verifies that the running kernel matches; the caller must only reach this
 * function after the firmware version has been identified. lv2_memcpy only
 * supports lengths that are a multiple of 8 (limitation noted by the original
 * author), so both payload blobs must satisfy that.
 *
 * @param mode  unused by this function
 */
void load_payload_341(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;

    (void) mode;

    install_lv2_memcpy();

    /* Main payload and umount routine; both sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_groove_hermes_bin,
               payload_groove_hermes_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_341_bin,
               umount_341_bin_size);

    /* One 8-byte value written at 0x17CE0. */
    u64 quad_at_17ce0 = 0x7C6903A64E800420ULL;
    lv2_memcpy(0x8000000000017CE0ULL, (u64) &quad_at_17ce0, 8);

    /* "SK1E" identification tag (0x53 0x4B 0x31 0x45). */
    u64 sk1e_tag = 0x534B314500000000ULL;
    lv2_memcpy(0x80000000000004f0ULL, (u64) &sk1e_tag, 8);

    remove_lv2_memcpy();

    /* BE emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Settle, order the preceding stores, run the payload once, settle again. */
    usleep(250000);
    __asm__("sync");
    lv2_call_payload(0x80000000007e0000ULL);
    usleep(250000);

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x2821FC, 0x386000007C6307B4);
    _poke32(0x282204, 0x4E800020);
}
/*
 * load_payload_355 - install the sky 3.55 payload at 0xEF48 and apply the
 * SYS36 kernel patches for a 3.55 kernel.
 *
 * Sets the global is_sky flag once the payload has been copied. All patches
 * are applied after the temporary lv2_memcpy helper has been removed. The
 * addresses are specific to the 3.55 LV2 image and are not verified at
 * runtime, so the caller must have identified the firmware first. The payload
 * size must be a multiple of 8 (lv2_memcpy limitation).
 *
 * @param mode  unused by this function
 */
void load_payload_355(int mode)
{
    (void) mode;

    install_lv2_memcpy();

    /* Payload size must be a multiple of 8. */
    lv2_memcpy(0x800000000000ef48ULL,
               (u64) payload_sky_355_bin,
               payload_sky_355_bin_size);

    is_sky = 1;

    remove_lv2_memcpy();

    /* Basic SYS36 patches (by 2 anonymous people). */
    _poke32(0x55f14, 0x60000000);
    _poke32(0x55f1c, 0x48000098);
    _poke32(0x7af68, 0x60000000);
    _poke32(0x7af7c, 0x60000000);
    _poke(0x55EA0, 0x63FF003D60000000);   /* fix 8001003D error */
    _poke(0x55F64, 0x3FE080013BE00000);   /* fix 8001003E error */

    /*
     * openhook jump (- 0xF1D8), original author's dump:
     *   -002b3290  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d9 b4 11  |....|.#x|}.xK...|
     *   +002b3290  f8 01 00 b0 7c 9c 23 78  4b d5 bf 40 4b d9 b4 11  |....|.#xK..@K...|
     */
    _poke(0x2b3298, 0x4bd5bda04bd9b411ULL); /* jump hook */

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x28A404, 0x386000007C6307B4);
    _poke32(0x28A40C, 0x4E800020);

    /*
     * Syscall descriptors, original dump:
     *   00346690  80 00 00 00 00 32 49 68  80 00 00 00 00 32 49 68
     */
    _poke(0x346690, 0x800000000000F010ULL); /* syscall_map_open_desc - sys36 */
    _poke(0x3465b0, 0x800000000000F2E0ULL); /* syscall_8_desc - sys8 */

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x2a8));
#endif
}
/*
 * load_payload_355dex - install the sky 3.55 DEX payload at PAYLOAD_OFFSET and
 * apply the SYS36 kernel patches for a 3.55 DEX kernel.
 *
 * After the payload copy the temporary lv2_memcpy helper is removed and the
 * patches are applied with _poke/_poke32/PATCH_JUMP; the last two writes point
 * the syscall 8 and syscall 36 descriptors into the payload. All addresses are
 * specific to the 3.55 DEX LV2 image and are not verified at runtime, so the
 * caller must have identified the firmware first. The payload size must be a
 * multiple of 8 (lv2_memcpy limitation).
 *
 * @param mode  unused by this function
 */
void load_payload_355dex(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;

    (void) mode;

    install_lv2_memcpy();

    /* Payload size must be a multiple of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_355dex_bin,
               payload_sky_355dex_bin_size);

    remove_lv2_memcpy();

    /* Basic SYS36 patches (by 2 anonymous people). */
    _poke32(0x059800, 0x60000000);
    PATCH_JUMP(0x059808, 0x598A0);
    _poke32(0x7EF60, 0x60000000);
    _poke32(0x7EF74, 0x60000000);
    _poke(0x5978C, 0x63FF003D60000000);   /* fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x59854, 0x3BE00000);         /* fix 8001003E error: "li %r31, 0" (3.55 CEX uses 0x055F64) */
    PATCH_JUMP(0x059858, 0x59764);

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x2909E8, 0x386000007C6307B4);
    _poke32(0x2909F0, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump:
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2C8AB8, (PAYLOAD_OFFSET+0xF0));

    /* Syscall 8 and syscall 36 descriptors redirected into the payload. */
    _poke((u32) (SYSCALL_BASE + 8 * 8),  lv2_base + (u64) (PAYLOAD_OFFSET + 0x398)); /* syscall_8_desc - sys8 */
    _poke((u32) (SYSCALL_BASE + 36 * 8), lv2_base + (u64) (PAYLOAD_OFFSET + 0xC8));  /* syscall_map_open_desc - sys36 */

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x2a8));
#endif
}
/*
 * load_payload_syscall36old - install the old syscall36 3.55 payload at
 * 0x2BE4A0 and apply the matching kernel patches.
 *
 * The payload is copied through the temporary lv2_memcpy helper, the helper is
 * removed, and then the error-code fixes, the payload2_start hook jump and the
 * syscall 36 descriptor are written. Addresses are specific to this 3.55 image
 * and are not verified at runtime; the caller must have identified the firmware
 * first. The payload size must be a multiple of 8 (lv2_memcpy limitation).
 *
 * @param mode  unused by this function
 */
void load_payload_syscall36old(int mode)
{
    (void) mode;

    install_lv2_memcpy();

    /* Payload size must be a multiple of 8. */
    lv2_memcpy(0x80000000002be4a0ULL,
               (u64) payload_syscall36_355_bin,
               payload_syscall36_355_bin_size);

    remove_lv2_memcpy();

    /* Patches by 2 anonymous people. */
    _poke32(0x55f14, 0x60000000);
    _poke32(0x55f1c, 0x48000098);
    _poke32(0x7af68, 0x60000000);
    _poke32(0x7af7c, 0x60000000);

    _poke(0x55EA0, 0x63FF003D60000000);   /* fix 8001003D error */
    _poke(0x55F64, 0x3FE080013BE00000);   /* fix 8001003E error */

    _poke(0x2b3274, 0x4800B32C2BA30420);  /* add a jump to payload2_start - hook */
    _poke(0x346690, 0x80000000002be570);  /* syscall_map_open_desc - sys36 */
}
/*
 * load_payload_421dex - install the sky 4.21 DEX payload into LV2 and apply the
 * SYS36 kernel patches for that firmware.
 *
 * The order of kernel writes is the behaviour: LV2 memory protection is
 * lifted through four lv1 writes, the payload and umount routine are copied
 * with the temporary lv2_memcpy helper, the original syscall 8 descriptor is
 * saved in restore_syscall8[] and replaced by the payload entry, and only then
 * are the BE-emu mount slots cleared and the error-code / openhook patches
 * applied.
 *
 * Addresses are specific to the 4.21 DEX LV2 image and are not verified at
 * runtime; the caller must have identified the firmware first. Every
 * lv2_memcpy length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_421dex(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    const u64 sc8_desc = SYSCALL_BASE + 64ULL; /* syscall 8 descriptor slot (8 * 8) */

    (void) mode;

    /* Remove LV2 protection. */
    lv1poke(0x370A28, 0x0000000000000001ULL);
    lv1poke(0x370A30, 0xe0d251b556c59f05ULL);
    lv1poke(0x370A38, 0xc232fcad552c80d7ULL);
    lv1poke(0x370A40, 0x65140cd200000000ULL);

    install_lv2_memcpy();

    /* Payload and umount routine; sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_421dex_bin,
               payload_sky_421dex_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_421dex_bin,
               umount_421dex_bin_size);

    /* Save the original syscall 8 descriptor so it can be restored later. */
    restore_syscall8[0] = sc8_desc;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* "SK1E" id block: tag | payload offset, followed by the syscall 8 slot address. */
    u64 id_block[2] = {
        0x534B314500000000ULL | (u64) PAYLOAD_OFFSET,
        sc8_desc,
    };
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id_block[0], 16);

    /* Hand the kernel TOC to the payload, then point syscall 8 at the payload descriptor. */
    u64 quad = peekq(0x8000000000003000ULL);
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &quad, 8);
    quad = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20);      /* syscall_8_desc - sys8 */
    lv2_memcpy(sc8_desc, (u64) &quad, 8);

    usleep(1000);

    remove_lv2_memcpy();

    /* BE emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Basic SYS36 patches (by 2 anonymous people); several are already set in ps3ita. */
    _poke32(0x05A9AC, 0x60000000);         /* already set in ps3ita "nop" */
    PATCH_JUMP(0x05A9B4, 0x5AA4C);         /* already set in ps3ita */
    _poke32(0x05E370, 0x60000000);         /* already set in ps3ita "nop" */
    _poke32(0x05E384, 0x60000000);         /* already set in ps3ita "nop" */
    _poke(0x05A938, 0x63FF003D60000000);   /* already set in ps3ita - fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x05AA00, 0x3BE00000);         /* already set in ps3ita - fix 8001003E error: "li %r31, 0" */
    PATCH_JUMP(0x05AA04, 0x5A910);         /* already set in ps3ita */

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x29C8C4, 0x386000007C6307B4);
    _poke32(0x29C8CC, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump:
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2D973C, (PAYLOAD_OFFSET+0x30));

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_431 - install the sky 4.31 payload into LV2 and apply the
 * webMAN and SYS36 kernel patches for a 4.31 kernel.
 *
 * Besides the payload and umount routine this variant also copies the
 * lv1_peek_poke_call_routines blob to 0x171C and points syscall slots 9 and
 * 10 at 0x1790 / 0x1798 (presumably entries in that blob - not verifiable
 * from this file). The original syscall 8 descriptor is saved in
 * restore_syscall8[] before it is replaced by the payload entry, and the
 * global poke_syscall is set to 0 so later pokes go through sys8_pokeinst.
 *
 * Addresses are specific to the 4.31 LV2 image and are not verified at
 * runtime; the caller must have identified the firmware first. Every
 * lv2_memcpy length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_431(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    const u64 sc8_desc = SYSCALL_BASE + 64ULL; /* syscall 8 descriptor slot (8 * 8) */

    (void) mode;

    install_lv2_memcpy();

    /* Install lv1 peek/poke/call routines. */
    lv2_memcpy(0x800000000000171CULL,
               (u64) lv1_peek_poke_call_routines,
               sizeof(lv1_peek_poke_call_routines));

    /* Payload and umount routine; sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_431_bin,
               payload_sky_431_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_431_bin,
               umount_431_bin_size);

    /* Save the original syscall 8 descriptor so it can be restored later. */
    restore_syscall8[0] = sc8_desc;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* "SK1E" id block: tag | payload offset, followed by the syscall 8 slot address. */
    u64 id_block[2] = {
        0x534B314500000000ULL | (u64) PAYLOAD_OFFSET,
        sc8_desc,
    };
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id_block[0], 16);

    /* Hand the kernel TOC to the payload, then point syscall 8 at the payload descriptor. */
    u64 quad = peekq(0x8000000000003000ULL);
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &quad, 8);
    quad = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20);      /* syscall_8_desc - sys8 */
    lv2_memcpy(sc8_desc, (u64) &quad, 8);

    usleep(1000);

    poke_syscall = 0; /* uses sys8_pokeinst from here on */

    remove_lv2_memcpy();

    /* BE emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Patches from webMAN. */
    pokeq(0x80000000002979E0ULL, 0x4E80002038600000ULL);
    pokeq(0x80000000002979E8ULL, 0x7C6307B44E800020ULL); /* fix 8001003C error */
    pokeq(0x8000000000057174ULL, 0x63FF003D60000000ULL); /* fix 8001003D error */
    pokeq(0x800000000005723CULL, 0x3FE080013BE00000ULL); /* fix 8001003E error */

    pokeq(0x80000000000571E8ULL, 0x600000002F840004ULL);
    pokeq(0x80000000000571F0ULL, 0x48000098E8629870ULL);
    pokeq(0x800000000005ABACULL, 0x60000000E8610188ULL);
    pokeq(0x800000000005ABA0ULL, 0x600000005463063EULL);

    /* Syscall slots 9 and 10. */
    _poke((u32) (SYSCALL_BASE + 9 * 8),  0x8000000000001790ULL);
    _poke((u32) (SYSCALL_BASE + 10 * 8), 0x8000000000001798ULL);

    /* Basic SYS36 patches (by 2 anonymous people); several are already set in E3.
     * The two pokeq writes at 0x5ABAC / 0x5ABA0 above cover the same spots with a
     * different patch method. */
    _poke32(0x0571E8, 0x60000000);         /* already set in E3 "nop" */
    PATCH_JUMP(0x0571F0, 0x57288);         /* already set in E3 */
    _poke32(0x05ABAC, 0x60000000);         /* already set in E3 "nop" */
    _poke32(0x05ABC0, 0x60000000);         /* already set in E3 "nop" */

    _poke(0x057174, 0x63FF003D60000000);   /* fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x05723C, 0x3BE00000);         /* fix 8001003E error: "li %r31, 0" (3.55 CEX uses 0x055F64) */
    PATCH_JUMP(0x057240, 0x5714C);         /* fix E3 4.30 added error */

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x2979E4, 0x386000007C6307B4);
    _poke32(0x2979EC, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump (original word 0x7C7D1B78):
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2C3D04, (PAYLOAD_OFFSET+0x30)); /* patch openhook */

    /* The sys36 syscall_map_open_desc write (SYSCALL_BASE + 36 * 8 -> PAYLOAD_OFFSET + 0xC8)
     * used on other firmwares was deliberately removed from this variant. */

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_355dex - install the sky 3.55 DEX payload and umount routine
 * into LV2 and apply the SYS36 kernel patches for that firmware.
 *
 * Unlike the other loaders this one hooks the syscall slot named by
 * SYSCALL_SK1E instead of a hard-coded slot 8: the slot's original
 * descriptor is saved in restore_syscall8[] and replaced by the payload entry.
 * The order of kernel writes is the behaviour and must not be changed.
 *
 * Addresses are specific to the 3.55 DEX LV2 image and are not verified at
 * runtime; the caller must have identified the firmware first. Every
 * lv2_memcpy length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_355dex(int mode)
{
    const u64 lv2_base  = 0x8000000000000000ULL;
    const u64 sk1e_slot = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); /* descriptor slot of syscall SYSCALL_SK1E */

    (void) mode;

    install_lv2_memcpy();

    /* Payload and umount routine; sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_355dex_bin,
               payload_sky_355dex_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_355dex_bin,
               umount_355dex_bin_size);

    /* Save the original descriptor so it can be restored later. */
    restore_syscall8[0] = sk1e_slot;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* "SK1E" id block: tag | payload offset, followed by the hooked slot address. */
    u64 id_block[2] = {
        0x534B314500000000ULL | (u64) PAYLOAD_OFFSET,
        sk1e_slot,
    };
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id_block[0], 16);

    /* Hand the kernel TOC to the payload, then point the hooked slot at the payload descriptor. */
    u64 quad = peekq(0x8000000000003000ULL);
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &quad, 8);
    quad = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20);      /* syscall_8_desc - sys8 */
    lv2_memcpy(sk1e_slot, (u64) &quad, 8);

    usleep(1000);

    remove_lv2_memcpy();

    /* BE emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Basic SYS36 patches (by 2 anonymous people). */
    _poke32(0x059800, 0x60000000);
    PATCH_JUMP(0x059808, 0x598A0);
    _poke32(0x7EF60, 0x60000000);
    _poke32(0x7EF74, 0x60000000);
    _poke(0x5978C, 0x63FF003D60000000);   /* fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x59854, 0x3BE00000);         /* fix 8001003E error: "li %r31, 0" (3.55 CEX uses 0x055F64) */
    PATCH_JUMP(0x059858, 0x59764);

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x2909E8, 0x386000007C6307B4);
    _poke32(0x2909F0, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump:
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2C8AB8, (PAYLOAD_OFFSET+0x30));

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_460 - install the sky 4.60 payload into LV2 and apply the SYS36
 * kernel patches for a 4.60 kernel.
 *
 * The LV2 memory-protection removal used on other firmwares is left disabled
 * in this variant (see the comment below). The payload and umount routine are
 * copied with the temporary lv2_memcpy helper, the original syscall 8
 * descriptor is saved in restore_syscall8[] and replaced by the payload entry,
 * then the BE-emu mount slots are cleared and the patches applied.
 *
 * Addresses are specific to the 4.60 LV2 image and are not verified at
 * runtime; the caller must have identified the firmware first. Every
 * lv2_memcpy length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_460(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    const u64 sc8_desc = SYSCALL_BASE + 64ULL; /* syscall 8 descriptor slot (8 * 8) */

    (void) mode;

    /*
     * LV2 memory protection removal, disabled in the original for 4.60:
     *   lv1poke(0x370F28,      0x0000000000000001ULL);
     *   lv1poke(0x370F28 + 8,  0xE0D251B556C59F05ULL);
     *   lv1poke(0x370F28 + 16, 0xC232FCAD552C80D7ULL);
     *   lv1poke(0x370F28 + 24, 0x65140CD200000000ULL);
     */

    install_lv2_memcpy();

    /* Payload and umount routine; sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_460_bin,
               payload_sky_460_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_460_bin,
               umount_460_bin_size);

    /* Save the original syscall 8 descriptor so it can be restored later. */
    restore_syscall8[0] = sc8_desc;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* "SK1E" id block: tag | payload offset, followed by the syscall 8 slot address. */
    u64 id_block[2] = {
        0x534B314500000000ULL | (u64) PAYLOAD_OFFSET,
        sc8_desc,
    };
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id_block[0], 16);

    /* Hand the kernel TOC to the payload, then point syscall 8 at the payload descriptor. */
    u64 quad = peekq(0x8000000000003000ULL);
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &quad, 8);
    quad = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20);      /* syscall_8_desc - sys8 */
    lv2_memcpy(sc8_desc, (u64) &quad, 8);

    usleep(1000);

    remove_lv2_memcpy();

    /* BE emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Basic SYS36 patches (by 2 anonymous people); all marked "done" by the original author. */
    _poke32(0x565FC, 0x60000000);
    PATCH_JUMP(0x56604, 0x5669C);
    _poke32(0x05A658, 0x60000000);
    _poke32(0x05A66C, 0x60000000);
    _poke(0x056588, 0x63FF003D60000000);  /* fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x056650, 0x3BE00000);        /* fix 8001003E error: "li %r31, 0" (3.55 CEX uses 0x055F64) */

    PATCH_JUMP(0x56654, 0x56560);         /* not present in Rebug, anyway.. */

    /* Same write pair the other firmwares use for the 0x8001003C sys_load_param fix. */
    _poke(0x26FDD8, 0x386000007C6307B4);
    _poke32(0x26FDD8 + 8, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump:
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2A02E0, (PAYLOAD_OFFSET+0x30)); /* patch openhook */
    _poke32(0x2A02BC, 0xF821FF61);               /* free openhook (Rogero 4.30): "stdu %sp, -0xA0(%sp)" instead of "b sub_2E9F98" */

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
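/*
 * load_payload_430dex - install the sky 4.30 DEX payload into LV2 and apply the
 * webMAN and SYS36 kernel patches for that firmware.
 *
 * Sequence (order matters, every step writes kernel memory):
 *  1. Rebug 4.30 only: if the lv1poke routine is present at 0x1748, lift the
 *     LV2 memory protection through four lv1 writes.
 *  2. Redirect the memcpy syscall slot before installing the temporary
 *     lv2_memcpy helper ("fix for memcpy syscall on use").
 *  3. Copy payload + umount routine, save the original syscall 8 descriptor in
 *     restore_syscall8[], write the "SK1E" id block, store the kernel TOC in the
 *     payload and point syscall 8 at the payload descriptor.
 *  4. Remove the helper, clear the BE-emu mount slots, apply the webMAN,
 *     SYS36, 0x8001003C and openhook patches.
 *
 * Fix: the original guard `if(peekq(...) == ...);` carried a stray semicolon,
 * so the lv1poke block ran unconditionally, including on kernels where the
 * lv1poke routine is not installed. The guard is now effective.
 *
 * Addresses are specific to the 4.30 DEX LV2 image and are not verified at
 * runtime beyond that one probe; the caller must have identified the firmware
 * first. Every lv2_memcpy length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_430dex(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    const u64 sc8_desc = SYSCALL_BASE + 64ULL; /* syscall 8 descriptor slot (8 * 8) */

    (void) mode;

    /* Remove LV2 memory protection (only for CFW Rebug 4.30), and only when the
     * lv1poke routine is present. Thanks cyberskunk! :) */
    if (peekq(0x8000000000001748ULL) == 0x4400002238600000ULL) {
        lv1poke(0x370AA8 + 0,  0x0000000000000001ULL);
        lv1poke(0x370AA8 + 8,  0xe0d251b556c59f05ULL);
        lv1poke(0x370AA8 + 16, 0xc232fcad552c80d7ULL);
        lv1poke(0x370AA8 + 24, 0x65140cd200000000ULL);
    }

    /* Fix for the memcpy syscall while it is in use. */
    pokeq(0x800000000037E048ULL, 0x8000000000001500ULL);
    pokeq(0x8000000000001500ULL, 0x8000000000001510ULL);

    install_lv2_memcpy();

    /* Payload and umount routine; sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_430dex_bin,
               payload_sky_430dex_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_430dex_bin,
               umount_430dex_bin_size);

    /* Save the original syscall 8 descriptor so it can be restored later. */
    restore_syscall8[0] = sc8_desc;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* "SK1E" id block: tag | payload offset, followed by the syscall 8 slot address. */
    u64 id_block[2] = {
        0x534B314500000000ULL | (u64) PAYLOAD_OFFSET,
        sc8_desc,
    };
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id_block[0], 16);

    /* Hand the kernel TOC to the payload, then point syscall 8 at the payload descriptor. */
    u64 quad = peekq(0x8000000000003000ULL);
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &quad, 8);
    quad = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20);      /* syscall_8_desc - sys8 */
    lv2_memcpy(sc8_desc, (u64) &quad, 8);

    usleep(1000);

    remove_lv2_memcpy();

    /* BE emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Patches from webMAN. */
    pokeq(0x800000000029E034ULL, 0x4E80002038600000ULL);
    pokeq(0x800000000029E03CULL, 0x7C6307B44E800020ULL); /* fix 8001003C error */
    pokeq(0x800000000005AA88ULL, 0x63FF003D60000000ULL); /* fix 8001003D error */
    pokeq(0x800000000005AB4CULL, 0x3FE080013BE00000ULL); /* fix 8001003E error */

    pokeq(0x800000000005AAF8ULL, 0x419E00D860000000ULL);
    pokeq(0x800000000005AB00ULL, 0x2F84000448000098ULL);
    pokeq(0x800000000005E4BCULL, 0x2F83000060000000ULL);
    pokeq(0x800000000005E4D0ULL, 0x2F83000060000000ULL);

    /* Basic SYS36 patches (by 2 anonymous people); two are already set in E3. */
    _poke32(0x05AAFC, 0x60000000);
    PATCH_JUMP(0x05AB00, 0x5AB9C);
    _poke32(0x05E4C0, 0x60000000);         /* already set in E3 "nop" */
    _poke32(0x05E4D4, 0x60000000);         /* already set in E3 "nop" */
    _poke(0x05AA88, 0x63FF003D60000000);   /* fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x05AB50, 0x3BE00000);         /* fix 8001003E error: "li %r31, 0" (3.55 CEX uses 0x055F64) */

    PATCH_JUMP(0x05AB54, 0x5AA60);         /* fix E3 4.30 added error */

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x29E038, 0x386000007C6307B4);
    _poke32(0x29E038 + 8, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump:
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2DAE70, (PAYLOAD_OFFSET+0x30)); /* patch openhook */
    /* The "free openhook" write used on Rogero 4.30 (_poke32(0x2DAE40, 0xF821FF61)) is disabled here. */

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}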
/*
 * load_payload_470dex - install the sky 4.70 DEX payload into LV2 and apply the
 * kernel patches for a Rebug 4.70 DEX kernel.
 *
 * LV2 memory-protection removal is not needed on Rebug 4.70 and stays
 * disabled (see the comment below). The payload and umount routine are copied
 * with the temporary lv2_memcpy helper, the original syscall 8 descriptor is
 * saved in restore_syscall8[] and replaced by the payload entry, then the
 * BD-emu mount slots are cleared and the patches applied. deank's webMAN
 * pokeq patches are kept only as a comment because the SYS36 patches below do
 * the same thing; the LIC.DAT and 0x8001002B/80010017 writes remain active.
 *
 * Addresses are specific to the 4.70 DEX LV2 image and are not verified at
 * runtime; the caller must have identified the firmware first. Every
 * lv2_memcpy length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_470dex(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    const u64 sc8_desc = SYSCALL_BASE + 64ULL; /* syscall 8 descriptor slot (sc8 * 8) */

    (void) mode;

    /*
     * LV2 memory protection removal, NOT needed for REBUG 4.70 (disabled in the original):
     *   lv1poke(0x370F28 + 0,  0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
     *   lv1poke(0x370F28 + 8,  0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
     *   lv1poke(0x370F28 + 16, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
     *   lv1poke(0x370F28 + 24, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL
     */

    install_lv2_memcpy();

    /* Payload and umount routine; sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_470dex_bin,
               payload_sky_470dex_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_470dex_bin,
               umount_470dex_bin_size);

    /* Save the original syscall 8 descriptor so it can be restored later. */
    restore_syscall8[0] = sc8_desc;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* "SK1E" id block: tag | payload offset, followed by the syscall 8 slot address. */
    u64 id_block[2] = {
        0x534B314500000000ULL | (u64) PAYLOAD_OFFSET,
        sc8_desc,
    };
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id_block[0], 16);

    /* Hand the kernel TOC to the payload, then point syscall 8 at the payload descriptor. */
    u64 quad = peekq(0x8000000000003000ULL);
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &quad, 8);
    quad = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20);      /* syscall_8_desc - sys8 */
    lv2_memcpy(sc8_desc, (u64) &quad, 8);

    usleep(1000);

    remove_lv2_memcpy();

    /* BD emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /*
     * Patches by deank for webMAN, left here in case someone wants to play with
     * them; basically the same thing as the SYS36 patches below (disabled):
     *   pokeq(0x800000000026D7F4ULL, 0x4E80002038600000ULL); // fix 8001003C  Original: 0x4E80002038600000ULL //  0x800000000029E528ULL??
     *   pokeq(0x800000000026D7FCULL, 0x7C6307B44E800020ULL); // fix 8001003C  Original: 0x7C6307B44E800020ULL //  0x800000000029E530ULL??
     *   pokeq(0x8000000000059F58ULL, 0x63FF003D60000000ULL); // fix 8001003D  Original: 0x63FF003D419EFFD4ULL
     *   pokeq(0x800000000005A01CULL, 0x3FE080013BE00000ULL); // fix 8001003E  Original: 0x3FE0800163FF003EULL
     *   pokeq(0x8000000000059FC8ULL, 0x419E00D860000000ULL); // Original: 0x419E00D8419D00C0ULL
     *   pokeq(0x8000000000059FD0ULL, 0x2F84000448000098ULL); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
     *   pokeq(0x800000000005E0ACULL, 0x2F83000060000000ULL); // fix 80010009  Original: 0x2F830000419E00ACULL
     *   pokeq(0x800000000005E0C0ULL, 0x2F83000060000000ULL); // fix 80010009  Original: 0x2F830000419E00ACULL
     */
    pokeq(0x8000000000059BFCULL, 0x386000012F830000ULL); /* Ignore LIC.DAT check <- DO NOT REMOVE */
    pokeq(0x800000000022DAC8ULL, 0x38600000F8690000ULL); /* fix 0x8001002B / 80010017 errors (ported for DEX 4.70 2015-03-03) */

    /* Basic SYS36 patches (by 2 anonymous people). */
    _poke32(0x59FCC, 0x60000000);
    PATCH_JUMP(0x59FD4, 0x5A06C);
    _poke32(0x5E0B0, 0x60000000);
    _poke32(0x5E0C4, 0x60000000);
    _poke(0x59F58, 0x63FF003D60000000);   /* fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x5A020, 0x3BE00000);         /* fix 8001003E error: "li %r31, 0" (3.55 CEX uses 0x055F64) */

    /* Fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates. */
    _poke(0x26D7F8, 0x386000007C6307B4);
    _poke32(0x26D7F8 + 8, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump:
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2B24A4, (PAYLOAD_OFFSET+0x30)); /* patch openhook */
    /* The "free openhook" write used on Rogero 4.30 (_poke32(0x2B2480, 0xF821FF61)) is disabled here. */

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/* SYS36 utils */
/*
 * sys36_memcpy - one-shot kernel copy.
 *
 * Installs the temporary lv2_memcpy helper, copies sz bytes from `from` to
 * `to`, and removes the helper again so it never stays resident longer than
 * the copy. Other call sites in this file note that lv2_memcpy only supports
 * sizes that are a multiple of 8; that presumably applies here too (confirm
 * against the helper).
 *
 * @param to    destination address (kernel side)
 * @param from  source address
 * @param sz    number of bytes to copy
 */
void sys36_memcpy(u64 to, const u64 from, size_t sz)
{
    install_lv2_memcpy();
    lv2_memcpy(to, from, sz);
    remove_lv2_memcpy();
}
/*
 * load_payload_446dex - install the sky 4.46 DEX payload into LV2 and apply the
 * SYS36 kernel patches for that firmware.
 *
 * The order of kernel writes is the behaviour: LV2 memory protection is
 * lifted through four lv1 writes, the payload and umount routine are copied
 * with the temporary lv2_memcpy helper, the original syscall 8 descriptor is
 * saved in restore_syscall8[] and replaced by the payload entry, and only then
 * are the BE-emu mount slots cleared and the error-code / openhook patches
 * applied.
 *
 * Addresses are specific to the 4.46 DEX LV2 image and are not verified at
 * runtime; the caller must have identified the firmware first. Every
 * lv2_memcpy length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_446dex(int mode)
{
    const u64 lv2_base = 0x8000000000000000ULL;
    const u64 sc8_desc = SYSCALL_BASE + 64ULL; /* syscall 8 descriptor slot (8 * 8) */

    (void) mode;

    /* Remove LV2 memory protection. */
    lv1poke(0x370AA8,      0x0000000000000001ULL);
    lv1poke(0x370AA8 + 8,  0xE0D251B556C59F05ULL);
    lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* Payload and umount routine; sizes must be multiples of 8. */
    lv2_memcpy(lv2_base + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_446dex_bin,
               payload_sky_446dex_bin_size);
    lv2_memcpy(lv2_base + (u64) PAYLOAD_UMOUNT_OFFSET,
               (u64) umount_446dex_bin,
               umount_446dex_bin_size);

    /* Save the original syscall 8 descriptor so it can be restored later. */
    restore_syscall8[0] = sc8_desc;
    restore_syscall8[1] = peekq(restore_syscall8[0]);

    /* "SK1E" id block: tag | payload offset, followed by the syscall 8 slot address. */
    u64 id_block[2] = {
        0x534B314500000000ULL | (u64) PAYLOAD_OFFSET,
        sc8_desc,
    };
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id_block[0], 16);

    /* Hand the kernel TOC to the payload, then point syscall 8 at the payload descriptor. */
    u64 quad = peekq(0x8000000000003000ULL);
    lv2_memcpy(lv2_base + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &quad, 8);
    quad = lv2_base + (u64) (PAYLOAD_OFFSET + 0x20);      /* syscall_8_desc - sys8 */
    lv2_memcpy(sc8_desc, (u64) &quad, 8);

    usleep(1000);

    remove_lv2_memcpy();

    /* BE emu mount slots cleared. */
    pokeq(0x80000000007EF000ULL, 0ULL);
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Basic SYS36 patches (by 2 anonymous people); all marked "done" by the original author.
     * A further PATCH_JUMP(?, 0x56098) was left unfinished (commented out) in the original. */
    _poke32(0x59A4C, 0x60000000);
    PATCH_JUMP(0x59A54, 0x59AEC);
    _poke32(0x5D410, 0x60000000);
    _poke32(0x5D424, 0x60000000);
    _poke(0x599D8, 0x63FF003D60000000);   /* fix 8001003D error: "ori %r31, %r31, 0x3D" + "nop" */
    _poke32(0x59AA0, 0x3BE00000);         /* fix 8001003E error: "li %r31, 0" (3.55 CEX uses 0x055F64) */

    /* Rancid-o: fix 0x8001003C (incorrect version in sys_load_param), seen with newer game updates;
     * still patched in Rebug, anyway.. */
    _poke(0x29D970, 0x386000007C6307B4);
    _poke32(0x29D970 + 8, 0x4E800020);

    /*
     * openhook jump (- 0x3E80), original author's dump:
     *   -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
     *   +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...|
     */
    PATCH_JUMP(0x2DBC80, (PAYLOAD_OFFSET+0x30)); /* patch openhook */
    /* The "free openhook" write used on Rogero 4.30 (_poke32(0x2C4290, 0xF821FF61)) is disabled here;
     * the original asks whether it is still present in Rogero 4.41. */

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_465 - install the sky 4.65 payload into LV2 and apply the kernel
 * patches for a 4.65 kernel.
 *
 * Behaviour is selected by three globals, read (and in one case written) in
 * this order:
 *   bEnableLv2_memprot_patch - lift LV2 memory protection through four lv1
 *                              writes before the payload is copied;
 *   bEnableLv2_webman_patch  - apply deank's webMAN pokeq patches; inside that
 *                              block bEnableLv2_habib_patch is forced to 0 when
 *                              the webMAN level is >= 2 or habib == 2, which
 *                              changes what the habib chain below does;
 *   bEnableLv2_habib_patch   - 0 disabled, 1 new patch, 2 new patch except on
 *                              4.65 Habib Cobra, 3 old patch, 4 no boot speedup
 *                              patch; 11 and 10 explicitly enable / disable the
 *                              (now obsolete) new habib patches.
 * The basic SYS36 patches, the 0x8001003C fix and the openhook jump are
 * applied unconditionally at the end.
 *
 * All addresses are specific to the 4.65 LV2 image and are not verified at
 * runtime; the caller must have identified the firmware first. The order of
 * kernel writes is the behaviour and must not be changed. Every lv2_memcpy
 * length must be a multiple of 8.
 *
 * @param mode  unused by this function
 */
void load_payload_465(int mode)
{
    if(bEnableLv2_memprot_patch) // changed offset: 0x377828 -> 0x370F28
    {   //Remove Lv2 memory protection
        lv1poke(0x370F28 + 0x00, 0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
        lv1poke(0x370F28 + 0x08, 0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
        lv1poke(0x370F28 + 0x10, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
        lv1poke(0x370F28 + 0x18, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL
    }

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_465_bin,
                   payload_sky_465_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_465_bin,
                      umount_465_bin_size);

    // Save the original syscall 8 descriptor (slot 8 * 8) so it can be restored later.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id: "SK1E" tag | payload offset, followed by the syscall 8 slot address
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Hand the kernel TOC to the payload, then point syscall 8 at the payload descriptor.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    if(bEnableLv2_webman_patch)
    {
			//patches by deank
			pokeq(0x800000000026FDDCULL, 0x4E80002038600000ULL ); // fix 8001003C error  Original: 0x4E80002038600000ULL
			pokeq(0x800000000026FDE4ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error  Original: 0x7C6307B44E800020ULL
			pokeq(0x800000000005658CULL, 0x63FF003D60000000ULL ); // fix 8001003D error  Original: 0x63FF003D419EFFD4ULL
			pokeq(0x8000000000056650ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error  Original: 0x3FE0800163FF003EULL

			pokeq(0x80000000000565FCULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
			pokeq(0x8000000000056604ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
			pokeq(0x800000000005A658ULL, 0x2F83000060000000ULL ); // fix 80010009 error  Original: 0x2F830000419E00ACULL
			pokeq(0x800000000005A66CULL, 0x2F83000060000000ULL ); // fix 80010009 error  Original: 0x2F830000419E00ACULL

			pokeq(0x8000000000056230ULL, 0x386000012F830000ULL ); // ignore LIC.DAT check
			pokeq(0x80000000002302F0ULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors (2015-01-03)

			pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); // just restore the original
			pokeq(0x8000000000058DB0ULL, 0x419E0038E8610098ULL ); // just restore the original
/*
        if(file_exists("/dev_flash/rebug")==false || bEnableLv2_webman_patch==3)
        {
            //anti-ode patches by deank
            //pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); //replaced by deank's patch (2015-01-03)
            pokeq(0x8000000000055C84ULL, 0x6000000060000000ULL );
            pokeq(0x8000000000055C8CULL, 0x600000003BA00000ULL );
        }
*/
        // webMAN level >= 2 (or habib level 2) turns the habib patches off before the chain below is evaluated.
        if(bEnableLv2_webman_patch>=2 || bEnableLv2_habib_patch == 2) bEnableLv2_habib_patch=0;
    }

    //Patches by Habib ported to 4.65 (habib_patch = 0=disabled, 1=new patch, 2=new patch except 4.65 Habib Cobra, 3=old patch, 4=no boot speedup patch)
    // Intentionally empty first branch: level 2 on a Cobra-based console with /dev_flash/habib present
    // applies no habib patches and skips the else-if chain. (When the webMAN block above ran, a level-2
    // flag was already cleared there, so this probe only matters with webMAN patches disabled.)
    if(bEnableLv2_habib_patch == 2 && is_cobra_based() && file_exists("/dev_flash/habib")) ;
    else if((bEnableLv2_habib_patch == 11) || (bEnableLv2_habib_patch == 2))
    { // enable new habib patches  (now obsolete) //replaced by deank's patch (2015-01-03)
        pokeq(0x8000000000058DB0ULL + 0x00, 0x60000000E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);

        pokeq(0x8000000000055C5CULL + 0x00, 0x386000004E800020ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);

        //patch to prevent blackscreen on usb games in jb format
        pokeq(0x8000000000055C84ULL, 0x386000002F830001ULL); //Original: 0x481DA6692F830001ULL
        pokeq(0x8000000000055C8CULL, 0x419E00303BA00000ULL); //Original: 0x419E00303BA00000ULL
    }
    else if(bEnableLv2_habib_patch == 10)
    { // disable new habib patches: first quad of each group restored to the original, rest rewritten as above
        pokeq(0x8000000000058DB0ULL + 0x00, 0x419E0038E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);

        pokeq(0x8000000000055C5CULL + 0x00, 0xF821FE917C0802A6ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);
    }
    else
    {
        // Levels 1, 3 and 4 (and anything else >= 1 other than 2, 10, 11); level 0 applies nothing.
        if(bEnableLv2_habib_patch >= 1)
        {
            if(bEnableLv2_habib_patch == 3)
                pokeq32(0x8000000000058DB0ULL, 0x60000000);          // old fix 0x80010017 error  Original: 0x7C7F1B78419E0038ULL
            else
                pokeq(0x80000000002A1060ULL, 0x386000014E800020ULL); // fix 0x80010017 error   Original: 0xFBC1FFF0EBC225B0ULL

            // Booting of game discs and backups speed increased (skipped for level 4)
            if(bEnableLv2_habib_patch != 4)
            {
                pokeq32(0x8000000000058DA4ULL, 0x38600001);
                pokeq32(0x800000000005A970ULL, 0x38600000);
            }

            pokeq(0x8000000000055C5CULL, 0x386000004E800020ULL);     // fix 0x8001002B error   Original: 0xF821FE917C0802A6ULL
        }
    }

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56600, 0x60000000);          // Original: 0x419E00D8419D00C0ULL -> 0x419E00D860000000ULL
    PATCH_JUMP(0x56608, 0x566A0);          // Original: 0x2F840004409C0048ULL -> 0x2F84000448000098ULL
    _poke32(0x05A65C, 0x60000000);         // fix 80010009 error
    _poke32(0x05A670, 0x60000000);         // fix 80010019 error
    _poke(  0x05658C, 0x63FF003D60000000); // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056654, 0x3BE00000);         // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"  done

    PATCH_JUMP(0x56658, 0x56564);          // Not present in rebug, anyway..

    _poke(0x26FDE0, 0x386000007C6307B4); //fix 8001003C error (incorrect version in sys_load_param)
    _poke32(0x26FDE0 + 8, 0x4E800020);   //

    /*
        openhook jump (- 0x3E80), original author's dump:
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    PATCH_JUMP(0x2A02EC, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x2A02C8, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu    %sp, -0xA0(%sp)" instead   "b       sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
void load_payload_355(int mode)
{
    /*
     * Install the 3.55 "sky" payload into LV2 and take over syscall 8.
     *
     * Every address below is a fixed LV2 kernel offset for firmware 3.55 and
     * nothing in this function checks which firmware is actually running; the
     * caller is presumably expected to dispatch here only on 3.55 (writing
     * these bytes into any other kernel image patches unrelated code -- confirm
     * the dispatcher verifies the version first). `mode` is not read here; it
     * is kept for signature parity with the other load_payload_* loaders.
     *
     * Order matters: install_lv2_memcpy()/remove_lv2_memcpy() bracket every
     * lv2_memcpy() call, and the syscall slot is only redirected after the
     * payload and its TOC/descriptor words are in place.
     */

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    // NOTE(review): the payload is copied to the literal address 0xef48 while
    // the id record, TOC slot, descriptor and openhook jump below are computed
    // from PAYLOAD_OFFSET; this only lines up if PAYLOAD_OFFSET == 0xef48 for
    // the 3.55 build -- verify (the other loaders copy to PAYLOAD_OFFSET).
    lv2_memcpy(0x800000000000ef48ULL,
                   (u64) payload_sky_355_bin,
                   payload_sky_355_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_355_bin,
                      umount_355_bin_size);

    // Remember the syscall-8 descriptor slot and its current contents
    // (presumably restored on unload -- the consumer is outside this file).
    // The other loaders spell this slot as SYSCALL_SK1E * 8; the literal 64
    // here assumes SYSCALL_SK1E == 8.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    // 16-byte identification record at LV2 offset 0x4f0: the ASCII tag "SK1E"
    // (0x534B3145) in the upper word with the payload offset in the lower
    // word, followed by the address of the syscall slot that was hijacked.
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Copy the kernel TOC pointer (read from LV2 0x3000) into the payload's
    // function descriptor at PAYLOAD_OFFSET+0x28, then point syscall slot 8 at
    // the descriptor at PAYLOAD_OFFSET+0x20. From this write on, syscall 8
    // executes payload code.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();


    // Zero the two words the original comment calls the "BE Emu mount" state;
    // what reads them is not visible in this file.
    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    // Kernel code patches (0x60000000 = nop, 0x48000098 = b +0x98) that skip
    // the checks producing the 8001xxxx error codes named below.
    _poke32(0x55f14, 0x60000000);
    _poke32(0x55f1c, 0x48000098);
    _poke32(0x7af68, 0x60000000);
    _poke32(0x7af7c, 0x60000000);
    _poke(0x55EA0, 0x63FF003D60000000);  // fix 8001003D error
    _poke(0x55F64, 0x3FE080013BE00000);  // fix 8001003E error

    /*
        -002b3290  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d9 b4 11  |....|.#x|}.xK...|
        +002b3290  f8 01 00 b0 7c 9c 23 78  4b d5 bf 40 4b d9 b4 11  |....|.#xK..@K...| (openhook jump - 0xF1D8)
    */
    //_poke(0x2b3298, 0x4bd5bda04bd9b411ULL); //jump hook

    // Redirect the open hook into the payload; replaces the absolute branch
    // word that used to be poked above.
    PATCH_JUMP(0x2b3298, (PAYLOAD_OFFSET+0x30));

    /**  Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // li r3,0 ; extsw r3,r3 ; blr -- the version check in sys_load_param
    // now always succeeds.
    _poke(0x28A404, 0x386000007C6307B4);
    _poke32(0x28A40C, 0x4E800020);


#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
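int payload_main(uint8_t* output_data, uint64_t output_size) {
	/*
	 * Run metldr on a freshly constructed isolated SPU and dump DUMP_SIZE
	 * bytes of its local store: first into a kernel work buffer (an MFC PUT
	 * driven from the PPU side), then into the caller's buffer.
	 *
	 * output_data  user buffer receiving the dump; must be non-NULL.
	 * output_size  size of output_data in bytes; must be >= DUMP_SIZE.
	 *
	 * Returns 0 only when the SPU signalled a completed dump and it was
	 * copied to output_data. EINVAL for a bad buffer, EFAULT when the GameOS
	 * LPAR or the metldr table entry reads as zero, ECANCELED when the SPU
	 * side did not deliver a dump (unexpected mailbox value, MFC PUT refused,
	 * SPU stopped before signalling), otherwise the error of the first
	 * failing lv1 or mm call.
	 *
	 * Two tails of the previous version reported success for failures: the
	 * `error:` path overwrote `result` with the return value of the HV unmap
	 * call, and the `bad:` path overwrote the protocol's ECANCELED with the
	 * SPU destruct / copy-to-user results, so a zero-filled work buffer could
	 * be handed to the caller with result 0. `dump_done` and the `rc`
	 * temporary below close both holes.
	 */
	int result;
	int rc;
	int dump_done;

	uint64_t ticks;

	uint64_t hv_lpar_addr;
	uint64_t hv_mapped_size;
	uint8_t* hv;
	uint8_t* metldr;
	uint8_t* stuff;
	uint8_t* dumper;
	uint8_t* work_data;
	uint64_t metldr_offset, metldr_size;
	uint64_t stuff_lpar_addr;
	uint64_t gameos_lpar_base, gameos_lpar_size;

	uint64_t vas_id, spu_id;
	uint64_t esid, vsid;
	uint64_t priv2_addr, problem_phys, local_store_phys, shadow_addr;
	uint64_t intr_status, unused;

	struct spu_shadow volatile* spu_shadow;
	struct spu_problem volatile* spu_problem;
	struct spu_priv2 volatile* spu_priv2;

	uint8_t volatile* spu_ls;
	uint32_t spu_out_intr_mbox_value, spu_out_mbox_value;
	uint8_t mfc_cmd_tag;

	uint32_t force_exit;

	lv2_extend_kstack(0);

	result = 0;
	dump_done = 0;

	hv = NULL;
	metldr = NULL;
	stuff = NULL;
	dumper = NULL;
	work_data = NULL;

	hv_lpar_addr = 0;
	stuff_lpar_addr = 0;

	if (!output_data || output_size < DUMP_SIZE) {
		result = EINVAL;
		goto error;
	}

	gameos_lpar_base = *(uint64_t*)GAMEOS_LPAR_BASE_PTR;
	gameos_lpar_size = *(uint64_t*)GAMEOS_LPAR_SIZE_PTR;
	if (!gameos_lpar_base || !gameos_lpar_size) {
		result = EFAULT;
		goto error;
	}

	/* Locate metldr inside the hypervisor image via its loader table. */
	metldr_offset = lv1_peek64(LOADERS_TAB_OFFSET + METLDR_TAB_OFFSET);
	metldr_size = lv1_peek64(LOADERS_TAB_OFFSET + METLDR_TAB_SIZE);
	if (!metldr_offset || !metldr_size) {
		result = EFAULT;
		goto error;
	}

	/* Map enough of the HV image to cover metldr, copy it out, then release
	 * the mapping again (lv1_undocumented_function_115 below). */
	hv_mapped_size = align_up(metldr_offset + metldr_size, 1 << HV_PAGE_SIZE);

	result = lv1_undocumented_function_114(0, HV_PAGE_SIZE, hv_mapped_size, &hv_lpar_addr);
	if (result != 0)
		goto error;

	MM_LOAD_BASE(hv, HV_OFFSET);

	result = mm_map_lpar_memory_region(0, MM_EA2VA(hv), hv_lpar_addr, hv_mapped_size, HV_PAGE_SIZE, 0, 0);
	if (result != 0)
		goto error;

	/* Scratch region at the top of the GameOS LPAR: metldr copy, the SPU
	 * dumper program, and the DUMP_SIZE work buffer, each page-aligned. */
	stuff_lpar_addr = gameos_lpar_base + gameos_lpar_size - STUFF_SIZE;

	MM_LOAD_BASE(stuff, STUFF_OFFSET);

	result = mm_map_lpar_memory_region(0, MM_EA2VA(stuff), stuff_lpar_addr, STUFF_SIZE, STUFF_PAGE_SIZE, 0, 0);
	if (result != 0)
		goto error;

	metldr = stuff;
	dumper = ptr_align_up(metldr + metldr_size, 1 << STUFF_PAGE_SIZE);
	work_data = ptr_align_up(dumper + dumper_payload_size, 1 << STUFF_PAGE_SIZE);

	lv2_memcpy(metldr, hv + metldr_offset, metldr_size);
	lv2_memcpy(dumper, dumper_payload, dumper_payload_size);
	lv2_memset(work_data, 0, DUMP_SIZE);

	result = lv1_undocumented_function_115(hv_lpar_addr);
	if (result != 0)
		goto done;

	hv_lpar_addr = 0;

	vas_id = vas_get_id();

	result = lv1_construct_logical_spu(PAGE_SIZE_4KB, PAGE_SIZE_4KB, PAGE_SIZE_4KB, PAGE_SIZE_4KB, PAGE_SIZE_4KB, vas_id, 0, &priv2_addr, &problem_phys, &local_store_phys, &unused, &shadow_addr, &spu_id);
	if (result != 0)
		goto error;

	result = lv1_enable_logical_spu(spu_id, 6);
	if (result != 0)
		goto error;

	/* Unmask the three SPU interrupt classes polled in the loop below. */
	result = lv1_set_spu_interrupt_mask(spu_id, 0, 0x7);
	if (result != 0)
		goto error;

	result = lv1_set_spu_interrupt_mask(spu_id, 1, 0xF);
	if (result != 0)
		goto error;

	result = lv1_set_spu_interrupt_mask(spu_id, 2, 0xF);
	if (result != 0)
		goto error;

	/* Map the SPU's shadow, problem-state, privileged and local-store areas
	 * into our address space. These mappings are not torn down on exit. */
	MM_LOAD_BASE(spu_shadow, SPU_SHADOW_OFFSET);

	result = mm_map_lpar_memory_region(0, MM_EA2VA(spu_shadow), shadow_addr, SPU_SHADOW_SIZE, PAGE_SIZE_4KB, 0, 0x3);
	if (result != 0)
		goto error;

	MM_LOAD_BASE(spu_problem, SPU_PROBLEM_OFFSET);

	result = mm_map_lpar_memory_region(0, MM_EA2VA(spu_problem), problem_phys, SPU_PROBLEM_SIZE, PAGE_SIZE_4KB, 0, 0);
	if (result != 0)
		goto error;

	MM_LOAD_BASE(spu_priv2, SPU_PRIV2_OFFSET);

	result = mm_map_lpar_memory_region(0, MM_EA2VA(spu_priv2), priv2_addr, SPU_PRIV2_SIZE, PAGE_SIZE_4KB, 0, 0);
	if (result != 0)
		goto error;

	MM_LOAD_BASE(spu_ls, SPU_LS_OFFSET);

	result = mm_map_lpar_memory_region(0, MM_EA2VA(spu_ls), local_store_phys, SPU_LS_SIZE, PAGE_SIZE_4KB, 0, 0);
	if (result != 0)
		goto error;

	result = lv1_set_spu_privilege_state_area_1_register(spu_id, MFC_SR1, 0x10);
	if (result != 0)
		goto error;

	/* Single SLB entry for the SPU's view of memory; the esid/vsid pair is
	 * a fixed value inherited from the original dumper -- not derived here. */
	spu_slb_invalidate_all(spu_priv2);

	esid = 0x8000000018000000ULL;
	vsid = 0x0000000000001400ULL;

	spu_slb_set_entry(spu_priv2, 0, esid, vsid);

	spu_priv2->spu_cfg = 0;

	eieio();

	/* Hand the dumper and metldr addresses to the SPU, then request the
	 * isolated load. */
	spu_in_mbox_write_64(spu_problem, (uint64_t)dumper);
	spu_sig_notify_1_2_write_64(spu_problem, (uint64_t)metldr);
	spu_iso_load_req_enable(spu_priv2);
	spu_iso_load_req(spu_problem);

	force_exit = 0;

	/* Poll the SPU's interrupt status until it either reports the dump
	 * (interrupt mailbox 1 + outbound mailbox 1), reports an abort
	 * (interrupt mailbox 2 -- presumably an SPU-side error), or stops. */
	while (1) {
		if (force_exit) {
			result = ECANCELED;
			goto bad;
		}

		result = lv1_get_spu_interrupt_status(spu_id, 0, &intr_status);
		if (result != 0)
			goto error;

		if (intr_status) {
			result = lv1_clear_spu_interrupt_status(spu_id, 0, intr_status, 0);
			if (result != 0)
				goto error;
		}

		result = lv1_get_spu_interrupt_status(spu_id, 1, &intr_status);
		if (result != 0)
			goto error;

		if (intr_status) {
			result = lv1_clear_spu_interrupt_status(spu_id, 1, intr_status, 0);
			if (result != 0)
				goto error;
		}

		result = lv1_get_spu_interrupt_status(spu_id, 2, &intr_status);
		if (result != 0)
			goto error;

		if (intr_status) {
			result = lv1_clear_spu_interrupt_status(spu_id, 2, intr_status, 0);
			if (result != 0)
				goto error;

			if (intr_status & 0x1) {
				if (spu_mbox_stat_intr_out_mbox_count(spu_problem) != 0) {
					spu_out_intr_mbox_value = spu_priv2->spu_out_intr_mbox;

					if (spu_out_intr_mbox_value == 1) {
						if (spu_mbox_stat_out_mbox_count(spu_problem) == 0) {
							result = ECANCELED;
							goto bad;
						}

						spu_out_mbox_value = spu_problem->spu_out_mbox;
						if (spu_out_mbox_value != 1) {
							result = ECANCELED;
							break;
						}

						/* Presumably gives the SPU time to settle before its
						 * local store is pulled. */
						ticks = 3 * TB_TICKS_PER_SEC;
						sleep(ticks);

						/* DMA DUMP_SIZE bytes out of the SPU local store into
						 * the kernel work buffer. */
						mfc_cmd_tag = 1;

						if (spu_mfc_cmd_exec(spu_problem, DUMP_LS_ADDR, (uint64_t)work_data, DUMP_SIZE, mfc_cmd_tag, 0, MFC_CMD_PUT)) {
							result = ECANCELED;
							goto bad;
						}

						/* NOTE(review): force_exit is still 0 here, so this
						 * spin has no exit other than tag completion -- there
						 * is no timeout if the MFC transfer never finishes. */
						while (spu_mfc_cmd_tag_status(spu_problem, mfc_cmd_tag) == 0) {
							if (force_exit) {
								result = ECANCELED;
								goto bad;
							}
						}

						/* The work buffer now holds a complete dump; only this
						 * path may let the function return 0. */
						dump_done = 1;
						force_exit = 1;
					} else if (spu_out_intr_mbox_value == 2) {
						/* Drain the outbound mailbox; the value is not used. */
						spu_out_mbox_value = spu_problem->spu_out_mbox;

						force_exit = 1;
					}
				}
			}
		}

		if ((spu_problem->spu_status & 0x1) == 0)
			break;

		ticks = 1 * TB_TICKS_PER_SEC;
		sleep(ticks);
	}

bad:
	if (spu_problem) {
		spu_iso_exit_req(spu_problem);
		spu_stop_req(spu_problem);
	}

	result = lv1_destruct_logical_spu(spu_id);
	if (result != 0)
		goto error;

	/* Hand the work buffer back regardless (it was zeroed before the run),
	 * but never report 0 unless the SPU side actually delivered the dump. */
	if (work_data)
		result = lv2_copy_to_user(work_data, output_data, DUMP_SIZE);

	if (result == 0 && !dump_done)
		result = ECANCELED;

	ticks = 5 * TB_TICKS_PER_SEC;
	sleep(ticks);

error:
	/* Release the HV mapping without letting the unmap call's own return
	 * value mask the error that brought us here. */
	if (hv_lpar_addr != 0) {
		rc = lv1_undocumented_function_115(hv_lpar_addr);
		if (result == 0)
			result = rc;
	}

done:
	return result;
}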
void load_payload_453dex(int mode)
{
/*
 * Install the 4.53 DEX "sky" payload into LV2 and take over syscall
 * SYSCALL_SK1E.
 *
 * Every address here is a fixed LV2 kernel offset for 4.53 DEX and nothing in
 * this function checks the running firmware; the caller is presumably the one
 * that dispatches by version (poking these bytes into a different kernel
 * image patches unrelated code). `mode` is not read. The lv2_memcpy calls
 * must stay between install_lv2_memcpy() and remove_lv2_memcpy(), and the
 * syscall slot is redirected only after the payload's TOC/descriptor words
 * are written.
 */
//Remove Lv2 memory protection //No needed on REBUG 4.53.1
// Kept for reference: these are the same four quadwords the 4.21/4.46/4.50/
// 4.80 loaders write into LV1 (each at its own firmware-specific offset) to
// lift the LV2 write protection. Disabled here because REBUG 4.53.1 ships
// without the protection; re-enable only after confirming the LV1 offset.
/*     {

	lv1poke(0x385130, 0x0000000000000001ULL);
	lv1poke(0x385130 + 8, 0xE0D251B556C59F05ULL);
	lv1poke(0x385130 + 16, 0xC232FCAD552C80D7ULL);
	lv1poke(0x385130 + 24, 0x65140CD200000000ULL);

     }
*/

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_453dex_bin,
                   payload_sky_453dex_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_453dex_bin,
                      umount_453dex_bin_size);

    // Remember the hijacked syscall slot and its current descriptor pointer
    // (presumably restored on unload -- the consumer is outside this file).
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    // 16-byte identification record at LV2 offset 0x4f0: the ASCII tag "SK1E"
    // (0x534B3145) in the upper word with the payload offset in the lower
    // word, followed by the address of the hijacked syscall slot.
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Copy the kernel TOC pointer (LV2 0x3000) into the payload's function
    // descriptor at PAYLOAD_OFFSET+0x28, then point the syscall slot at the
    // descriptor at PAYLOAD_OFFSET+0x20. From this write on the syscall
    // executes payload code.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    // Zero the two words the original comment calls the "BE Emu mount" state;
    // what reads them is not visible in this file.
    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

     /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    // Kernel code patches (0x60000000 = nop) that skip the checks producing
    // the 8001xxxx error codes named below.
    _poke32(0x59B04, 0x60000000); // done
    PATCH_JUMP(0x59B0C, 0x59BA4); // done
    _poke32(0x5D4C8, 0x60000000); // done
    _poke32(0x5D4DC, 0x60000000); // done
    _poke(  0x59A90, 0x63FF003D60000000);  // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x59B58, 0x3BE00000);  // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0" done


    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // li r3,0 ; extsw r3,r3 ; blr -- the version check always succeeds.
    _poke(0x275F10, 0x386000007C6307B4); // is still patched in rebug, anyway..
    _poke32(0x275F10 + 8, 0x4E800020);

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    // Redirect the open hook into the payload.
    PATCH_JUMP(0x2B83E4, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
void load_payload_450dex(int mode)
{
/*
 * Install the 4.50 DEX "sky" payload into LV2 and take over syscall 8.
 *
 * Every address here is a fixed LV2/LV1 offset for 4.50 DEX and nothing in
 * this function checks the running firmware; the caller is presumably the one
 * that dispatches by version (writing these bytes into a different kernel or
 * hypervisor image corrupts unrelated code). `mode` is not read.
 */
//Remove Lv2 memory protection
    // The lv1poke writes go straight into hypervisor memory at a fixed offset,
    // so they are skipped on PS3ITA (its comment says that CFW ships without
    // the LV2 protection). This assumes file_exists() returns 0 when the
    // marker is absent -- confirm the helper's convention.
    if( file_exists("/dev_flash/ps3ita") == 0 ) // is not necessary on cfw ps3ita it don't has lv2 memory protection
    {
        lv1poke(0x370AA8, 0x0000000000000001ULL);
        lv1poke(0x370AA8 + 8, 0xE0D251B556C59F05ULL);
        lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
        lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);
    }

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_450dex_bin,
                   payload_sky_450dex_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_450dex_bin,
                      umount_450dex_bin_size);

    // Remember the syscall-8 slot and its current descriptor pointer
    // (presumably restored on unload). The literal 64 assumes slot 8; the
    // 4.21/4.46/4.53/4.80 loaders use SYSCALL_SK1E * 8 instead.
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    // 16-byte identification record at LV2 offset 0x4f0: the ASCII tag "SK1E"
    // (0x534B3145) in the upper word with the payload offset in the lower
    // word, followed by the address of the hijacked syscall slot.
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Copy the kernel TOC pointer (LV2 0x3000) into the payload's function
    // descriptor at PAYLOAD_OFFSET+0x28, then point syscall slot 8 at the
    // descriptor at PAYLOAD_OFFSET+0x20.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    // Zero the two words the original comment calls the "BE Emu mount" state;
    // what reads them is not visible in this file.
    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    // Quadword form of the same error-check patches; the 32-bit "SYS36" set
    // below rewrites exactly these words again (same values, same offsets
    // +4), so the two blocks are redundant with each other, not conflicting.
    pokeq(0x8000000000275D38ULL, 0x4E80002038600000ULL ); // fix 8001003C error
    pokeq(0x8000000000275D40ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x8000000000059A8CULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x8000000000059B50ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error

    pokeq(0x8000000000059AFCULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000059B04ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005D4C0ULL, 0x2F83000060000000ULL );
    pokeq(0x800000000005D4D4ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x59B00, 0x60000000); // done
    PATCH_JUMP(0x59B08, 0x59BA0); // done
    _poke32(0x5D4C4, 0x60000000); // done
    _poke32(0x5D4D8, 0x60000000); // done
    _poke(  0x59A8C, 0x63FF003D60000000);  // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x59B54, 0x3BE00000);  // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0" done

  // PATCH_JUMP(0x, 0x56098);  // leftover from another firmware; no 4.50 DEX address was ever filled in

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // li r3,0 ; extsw r3,r3 ; blr -- same bytes the pokeq pair above wrote.
    _poke(0x275D3C, 0x386000007C6307B4); // is still patched in rebug, anyway..
    _poke32(0x275D3C + 8, 0x4E800020);

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    // Redirect the open hook into the payload.
    PATCH_JUMP(0x2B820C, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
void load_payload_446(int mode)
{
/*
 * Install the 4.46 "sky" payload into LV2 and take over syscall SYSCALL_SK1E.
 *
 * Every address here is a fixed LV2/LV1 offset for 4.46 and nothing in this
 * function checks the running firmware; the caller is presumably the one that
 * dispatches by version (writing these bytes into a different kernel or
 * hypervisor image corrupts unrelated code). `mode` is not read.
 */
//Remove Lv2 memory protection
	// Unconditional writes into hypervisor memory at a fixed 4.46 offset
	// (the 4.50 DEX loader gates the same four words on a CFW marker file).
	lv1poke(0x370AA8     , 0x0000000000000001ULL);
	lv1poke(0x370AA8 + 8 , 0xE0D251B556C59F05ULL);
	lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
	lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_446_bin,
                   payload_sky_446_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_446_bin,
                      umount_446_bin_size);

    // Remember the hijacked syscall slot and its current descriptor pointer
    // (presumably restored on unload -- the consumer is outside this file).
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    // 16-byte identification record at LV2 offset 0x4f0: the ASCII tag "SK1E"
    // (0x534B3145) in the upper word with the payload offset in the lower
    // word, followed by the address of the hijacked syscall slot.
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Copy the kernel TOC pointer (LV2 0x3000) into the payload's function
    // descriptor at PAYLOAD_OFFSET+0x28, then point the syscall slot at the
    // descriptor at PAYLOAD_OFFSET+0x20.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    // Zero the two words the original comment calls the "BE Emu mount" state;
    // what reads them is not visible in this file.
    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    // Quadword form of the error-check patches; the 32-bit "SYS36" set below
    // rewrites the same words again (same values, offsets +4), so the two
    // blocks are redundant with each other rather than conflicting.
    pokeq(0x8000000000297310ULL, 0x4E80002038600000ULL ); // fix 8001003C error
    pokeq(0x8000000000297318ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x80000000000560C0ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x8000000000056184ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error

    pokeq(0x8000000000056130ULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000056138ULL, 0x2F84000448000098ULL );
    pokeq(0x8000000000059AF4ULL, 0x2F83000060000000ULL );
    pokeq(0x8000000000059B08ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56134, 0x60000000); // done
    PATCH_JUMP(0x5613C, 0x561D4); // done
    _poke32(0x059AF8, 0x60000000); // done
    _poke32(0x059B0C, 0x60000000); // done
    _poke(  0x0560C0, 0x63FF003D60000000);  // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056188, 0x3BE00000);  // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"  done

    PATCH_JUMP(0x5618C, 0x56098);          // Not present in rebug, anyway..

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // li r3,0 ; extsw r3,r3 ; blr -- same bytes the pokeq pair above wrote.
    _poke(0x297314, 0x386000007C6307B4); //done
    _poke32(0x297314 + 8, 0x4E800020); //done

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    // Redirect the open hook into the payload, and restore the two
    // instructions Rogero's firmware replaced at the hook site so the
    // function prologue is intact again before the jump.
    PATCH_JUMP(0x2C47D4, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
	_poke32(0x2C47B0, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu    %sp, -0xA0(%sp)" instead   "b       sub_2E9F98")

    _poke(0x2C47B8, 0xFB810080FBA10088ULL); // undo the newer Rogero ToolBox patch at this site (std r28/r29 restored); may need the full set of LV2 patches restored to take effect -- unverified

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
void load_payload_480(int mode)
{
/*
 * Install the 4.80 "sky" payload into LV2 and take over syscall SYSCALL_SK1E.
 *
 * Every address here is a fixed LV2/LV1 offset for 4.80 (the "Original:"
 * values record the bytes being replaced) and nothing in this function checks
 * the running firmware; the caller is presumably the one that dispatches by
 * version. `mode` is not read.
 */

//Remove Lv2 memory protection, NOT needed for REBUG 4.7x
    // NOTE(review): despite the comment these hypervisor writes run
    // unconditionally -- unlike 4.53 DEX (left disabled) and 4.50 DEX (gated on
    // a CFW marker). Whether re-writing an already-lifted protection block is
    // harmless on REBUG is not established here; confirm before relying on it.
    lv1poke(0x370F28 + 0x00, 0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
    lv1poke(0x370F28 + 0x08, 0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
    lv1poke(0x370F28 + 0x10, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
    lv1poke(0x370F28 + 0x18, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_480_bin,
                   payload_sky_480_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_480_bin,
                      umount_480_bin_size);

    // Remember the hijacked syscall slot and its current descriptor pointer
    // (presumably restored on unload -- the consumer is outside this file).
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    // 16-byte identification record at LV2 offset 0x4f0: the ASCII tag "SK1E"
    // (0x534B3145) in the upper word with the payload offset in the lower
    // word, followed by the address of the hijacked syscall slot.
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Copy the kernel TOC pointer (LV2 0x3000) into the payload's function
    // descriptor at PAYLOAD_OFFSET+0x28, then point the syscall slot at the
    // descriptor at PAYLOAD_OFFSET+0x20.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    // Zero the two words the original comment calls the "BD Emu mount" state;
    // what reads them is not visible in this file.
    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //patches by deank for webMAN, I left them here just in case someone wants to play with, but basically the same thing with SYS36 patches below

			// blr ; li r3,0 ; extsw r3,r3 ; blr -- this pair covers the
			// "Rancid-o" 8001003C fix, which is therefore commented out below.
			pokeq(0x8000000000267144ULL, 0x4E80002038600000ULL ); // fix 8001003C error  Original: 0x4E8000208003026CULL
			pokeq(0x800000000026714CULL, 0x7C6307B44E800020ULL ); // fix 8001003C error  Original: 0x3D201B433C608001ULL

    /*
			pokeq(0x800000000005688CULL, 0x63FF003D60000000ULL ); // fix 8001003D error  Original: 0x63FF003D419EFFD4ULL
			pokeq(0x800000000005664CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error  Original: 0x3FE0800163FF003EULL

			pokeq(0x80000000000565F8ULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
			pokeq(0x8000000000056600ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
			pokeq(0x800000000005A6DCULL, 0x2F83000060000000ULL ); // fix 80010009 error  Original: 0x2F830000419E00ACULL
			pokeq(0x800000000005A6F0ULL, 0x2F83000060000000ULL ); // fix 80010009 error  Original: 0x2F830000419E00ACULL
    */
			// li r3,1 ; cmpwi cr7,r3,0 -- the LIC.DAT check is forced to pass.
			pokeq(0x800000000005622CULL, 0x386000012F830000ULL ); // ignore LIC.DAT check
			// li r3,0 ; std r3,0(r9)
			pokeq(0x80000000002275ECULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors

			//pokeq(0x8000000000055C58ULL, 0xF821FE917C0802A6ULL ); // just restore the original
			//pokeq(0x8000000000058E18ULL, 0x419E0038E8610098ULL ); // just restore the original

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    // 32-bit form of the quadword patches commented out above (same words,
    // offsets +4).
    _poke32(0x565FC, 0x60000000);             //
    PATCH_JUMP(0x56604, 0x5669C);             //
    _poke32(0x5A6E0,  0x60000000);            // fix 80010009 error
    _poke32(0x5A6F4,  0x60000000);            // fix 80010019 error
    _poke(  0x56588,  0x63FF003D60000000); // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x56650,  0x3BE00000);            // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"  done

    //Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // Already covered by the pokeq pair at 0x267144/0x26714C above.
    //_poke(0x267148, 0x386000007C6307B4); //
    //_poke32(0x267148 + 0x8, 0x4E800020);  //

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    // Redirect the open hook into the payload.
    PATCH_JUMP(0x297650, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    //_poke32(0x29762C, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu    %sp, -0xA0(%sp)" instead   "b       sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
void load_payload_421(int mode)
{
    /*
     * Install the 4.21 "sky" payload into LV2 and take over syscall
     * SYSCALL_SK1E.
     *
     * Every address here is a fixed LV2/LV1 offset for 4.21 and nothing in
     * this function checks the running firmware; the caller is presumably the
     * one that dispatches by version (writing these bytes into a different
     * kernel or hypervisor image corrupts unrelated code). `mode` is not read.
     */
    // Remove LV2 memory protection using LV1_POKE (syscall 9). Maybe unnecessary
    // Same four quadwords the other loaders write, at the 4.21 LV1 offset;
    // note this file spells the helper lv1_pokeq here and lv1poke elsewhere.

    lv1_pokeq(0x370A28, 0x0000000000000001ULL);
    lv1_pokeq(0x370A30, 0xe0d251b556c59f05ULL);
    lv1_pokeq(0x370A38, 0xc232fcad552c80d7ULL);
    lv1_pokeq(0x370A40, 0x65140cd200000000ULL);

    install_lv2_memcpy();
    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_421_bin,
                   payload_sky_421_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
                      (u64) umount_421_bin,
                      umount_421_bin_size);

    // Remember the hijacked syscall slot and its current descriptor pointer
    // (presumably restored on unload -- the consumer is outside this file).
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    // 16-byte identification record at LV2 offset 0x4f0: the ASCII tag "SK1E"
    // (0x534B3145) in the upper word with the payload offset in the lower
    // word, followed by the address of the hijacked syscall slot.
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    // Copy the kernel TOC pointer (LV2 0x3000) into the payload's function
    // descriptor at PAYLOAD_OFFSET+0x28, then point the syscall slot at the
    // descriptor at PAYLOAD_OFFSET+0x20.
    u64 inst8 =  peekq(0x8000000000003000ULL);                     // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);
    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    // Zero the two words the original comment calls the "BE Emu mount" state;
    // what reads them is not visible in this file.
    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    // Quadword form of the error-check patches; the 32-bit "SYS36" set below
    // rewrites the same words again (same values, offsets +4), so the two
    // blocks are redundant with each other rather than conflicting.
    pokeq(0x8000000000296264ULL, 0x4E80002038600000ULL );
    pokeq(0x800000000029626CULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x8000000000057020ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x80000000000570E4ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error

    pokeq(0x8000000000057090ULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000057098ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005AA54ULL, 0x2F83000060000000ULL ); // fix 80010009 error
    pokeq(0x800000000005AA68ULL, 0x2F83000060000000ULL ); // fix 80010019 error

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x057094, 0x60000000); // already set in E3 "nop"
    PATCH_JUMP(0x05709C, 0x57134); // already set in E3
    _poke32(0x05AA58, 0x60000000); // already set in E3 "nop"
    _poke32(0x05AA6C, 0x60000000); // already set in E3 "nop"
    _poke(  0x057020, 0x63FF003D60000000);  // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n"
    _poke32(0x0570E8, 0x3BE00000);  // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"

    PATCH_JUMP(0x0570EC, 0x56FF8);          // fix 4.21 added error

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // li r3,0 ; extsw r3,r3 ; blr -- same bytes the pokeq pair above wrote.
    _poke(0x296268, 0x386000007C6307B4);
    _poke32(0x296270, 0x4E800020);

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */

    // Redirect the open hook into the payload.
    PATCH_JUMP(0x2C257C, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif

}
void load_payload_431(int mode)
{
    /*
     * Install the 4.31 "sky" payload into LV2, plus LV1 peek/poke/call
     * routines behind syscalls 9 and 10, and hook syscalls 8 and 36.
     *
     * This loader differs from the others in this file: it writes no "SK1E"
     * id record at 0x4f0, does not save restore_syscall8[], does not poke the
     * BE-emu words, and uses a different payload layout (descriptors at
     * +0x398 / +0xC8, openhook at +0xF0, perms hook at +0x2a8). Every address
     * is a fixed 4.31 LV2 offset and nothing here checks the running
     * firmware; dispatching by version is presumably the caller's job.
     * `mode` is not read.
     */

//    _poke((u32) (SYSCALL_BASE + 8 * 8) ,      0x8000000000001788ULL);
    // NOTE(review): syscall slots 9 and 10 are pointed at 0x1790/0x1798 here,
    // before the routines are copied to 0x171C below; anything invoking
    // syscall 9/10 in that window would run whatever is at those addresses.
    // The (u32) cast keeps only the LV2 offset, matching how _poke is used
    // with plain offsets elsewhere in this loader.
    _poke((u32) (SYSCALL_BASE + 9 * 8) ,      0x8000000000001790ULL);
    _poke((u32) (SYSCALL_BASE + 10 * 8),       0x8000000000001798ULL);
    
    install_lv2_memcpy();
    /* install lv1 peek/poke/call */
    lv2_memcpy(0x800000000000171C,
                   (u64) lv1_peek_poke_call_routines, 
                   sizeof(lv1_peek_poke_call_routines));

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
                   (u64) payload_sky_431_bin, 
                   payload_sky_431_bin_size);

    remove_lv2_memcpy();

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    // Kernel code patches (0x60000000 = nop) that skip the checks producing
    // the 8001xxxx error codes named below.
    _poke32(0x0571E8, 0x60000000); // already set in E3 "nop"
    PATCH_JUMP(0x0571F0, 0x57288); // already set in E3
    _poke32(0x05ABAC, 0x60000000); // already set in E3 "nop"
    _poke32(0x05ABC0, 0x60000000); // already set in E3 "nop"
//    lv2poke(0x800000000005ABACULL,0x60000000E8610188ULL); different patch method 
//    lv2poke(0x800000000005ABA0ULL,0x600000005463063EULL);

    _poke(  0x057174, 0x63FF003D60000000);  // fix 8001003D error  "ori     %r31, %r31, 0x3D\n nop\n"
    _poke32(0x05723C, 0x3BE00000);  // fix 8001003E error -- 3.55 ok in 0x055F64 "li      %r31, 0"
    PATCH_JUMP(0x057240, 0x5714C);          // fix E3 4.30 added error
    
    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    // li r3,0 ; extsw r3,r3 ; blr -- the version check always succeeds.
    _poke(0x2979E4, 0x386000007C6307B4);
    _poke32(0x2979EC, 0x4E800020);

    /*
        -002c3cf0  f8 01 00 b0 7c 9c 23 78  7c 7d 1b 78 4b d8 aa 1d  |....|.#x|}.xK...|
        +002c3cf0  f8 01 00 b0 7c 9c 23 78  4b d4 01 88 4b d8 aa 1d  |....|.#xK...K...| (openhook jump - 0x3E80)
    */
    
    // Redirect the open hook into the payload.
    PATCH_JUMP(0x2C3D04, (PAYLOAD_OFFSET+0xF0)); // patch openhook
   

    /*
        -0035dc20  80 00 00 00 00 33 bf 88  80 00 00 00 00 33 bf 88  |.....3.......3..|
        +0035dc20  80 00 00 00 00 00 41 28  80 00 00 00 00 33 bf 88  |......A(.....3..|

        -0035dd00  80 00 00 00 00 33 bf 88  80 00 00 00 00 33 bf 88  |.....3.......3..|
        +0035dd00  80 00 00 00 00 00 3e 58  80 00 00 00 00 33 bf 88  |......>X.....3..|
    */
    // Point syscalls 8 and 36 at function descriptors inside the payload.
    // Done last, after the payload is in place. The previous syscall 8 value
    // is not saved here (unlike the other loaders' restore_syscall8[]).
    _poke((u32) (SYSCALL_BASE + 8 * 8), 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x398)); // syscall_8_desc - sys8
    _poke((u32) (SYSCALL_BASE + 36 * 8), 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0xC8)); // syscall_map_open_desc - sys36


#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x2a8));
#endif

}