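void patch_sceLoadExec(void) {
    /*
     * Patches sceLoadExec so that sceKernelExitVSHVSH can be called from any
     * user level (the installer relies on this to reboot).
     *
     * NOTE(review): a second patch_sceLoadExec(int mode) is defined further
     * down this listing with a different signature; only one of the two can
     * be linked — confirm which build configuration selects this one.
     */
    SceModule2 *loadexec = (SceModule2 *)sctrlKernelFindModuleByName("sceLoadExec");

    // Module lookup can fail; patching relative to a NULL base would write
    // into low kernel addresses. The (int mode) variant guards this as well.
    if (loadexec == NULL) {
        return;
    }

    // 0x10000008 decodes as `beq $zero, $zero, +8`, i.e. an unconditional
    // branch over the level check.
    // NOTE(review): both stores below target the same offset
    // (sceKernelExitVSHVSHCheck1), so the NOP overwrites the branch and only
    // the NOP takes effect. Confirm whether the second store was meant for a
    // different table entry; left unchanged here because the intended target
    // is not visible in this file.
    _sw(0x10000008, loadexec->text_addr + g_offs->loadexec_patch_other.sceKernelExitVSHVSHCheck1);
    _sw(NOP, loadexec->text_addr + g_offs->loadexec_patch_other.sceKernelExitVSHVSHCheck1);
}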
// mode: 0 - OFW 1 - CFW void patch_sceLoadExec(int mode) { SceModule2 * loadexec = (SceModule2*)sctrlKernelFindModuleByName("sceLoadExec"); u32 text_addr; struct sceLoadExecPatch *patch; if (loadexec == NULL) { return; } text_addr = loadexec->text_addr; if(psp_model == PSP_GO) { // PSP-N1000 patch = &g_offs->loadexec_patch_05g; } else { patch = &g_offs->loadexec_patch_other; } //save LoadReboot function LoadReboot = (void*)loadexec->text_addr; if(mode == 0) { //restore LoadReboot _sw(MAKE_CALL(LoadReboot), loadexec->text_addr + patch->LoadRebootCall); //restore jmp to 0x88600000 _sw(0x3C018860, loadexec->text_addr + patch->RebootJump); } else if(mode == 1) { //replace LoadReboot function _sw(MAKE_CALL(load_reboot), loadexec->text_addr + patch->LoadRebootCall); //patch Rebootex position to 0x88FC0000 _sw(0x3C0188FC, loadexec->text_addr + patch->RebootJump); // lui $at, 0x88FC } sync_cache(); }
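void patch_sceLoaderCore(void) {
    /*
     * Patches sceLoaderCore: redirects sceKernelCheckExecFile and the two
     * ProbeExec helpers to the CFW replacements, neutralises three loader
     * checks and the pops version check, remaps relocation type 7 onto the
     * type-0 handler, restores the memlmd calls that rebootex hooked, reverts
     * earlier patches at fixed offsets, installs the NID resolver and finally
     * patches sceKernelStartModule.
     *
     * Side effects: sets the file-level ProbeExec1/ProbeExec2 pointers.
     * Returns early, patching nothing, when sceLoaderCore is not resident.
     */
    SceModule2 *loadcore = (SceModule2 *)sctrlKernelFindModuleByName("sceLoaderCore");
    if (loadcore == NULL) {
        return; // never compute patch addresses from a NULL base
    }
    // Every patch address below is relative to the module's text base.
    u32 text = loadcore->text_addr;

    // sceKernelCheckExecFile (sub_0C10): function-pointer slot plus three call sites
    _sw((unsigned int)_sceKernelCheckExecFile, text + g_offs->loadercore_patch.sceKernelCheckExecFilePtr);
    _sw(MAKE_CALL(_sceKernelCheckExecFile), text + g_offs->loadercore_patch.sceKernelCheckExecFileCall1);
    _sw(MAKE_CALL(_sceKernelCheckExecFile), text + g_offs->loadercore_patch.sceKernelCheckExecFileCall2);
    _sw(MAKE_CALL(_sceKernelCheckExecFile), text + g_offs->loadercore_patch.sceKernelCheckExecFileCall3);

    // 6.35 relocation fix for rt7: copy the type-0 handler entry over the
    // type-7 entry so the `jr $t5` dispatch treats type 7 like type 0.
    u32 faketype = 0;
    u32 origtype = 7;
    u32 reloc_table = text + g_offs->loadercore_patch.ReloactionTable; // field spelling is the project's
    _sw(*(u32 *)(reloc_table + faketype * 4), reloc_table + origtype * 4);

    // ProbeExec1 (sub_001AC) / ProbeExec2 (sub_004E8): keep the originals
    // reachable for the replacements, then redirect their call sites.
    // Addresses are formed as integers to avoid GNU void* arithmetic.
    ProbeExec1 = (void *)(text + g_offs->loadercore_patch.ProbeExec1); // dword_6248
    _sw(MAKE_CALL(_ProbeExec1), text + g_offs->loadercore_patch.ProbeExec1Call);
    ProbeExec2 = (void *)(text + g_offs->loadercore_patch.ProbeExec2); // dword_6364
    _sw(MAKE_CALL(_ProbeExec2), text + g_offs->loadercore_patch.ProbeExec2Call1);
    _sw(MAKE_CALL(_ProbeExec2), text + g_offs->loadercore_patch.ProbeExec2Call2);

    // enable syscall exports (?) — 0x3C090000 decodes as `lui $t1, 0`
    _sw(0x3C090000, text + g_offs->loadercore_patch.EnableSyscallExport);

    // Undo checks #1..#3 by overwriting the branch with 0 (a nop); for the
    // likely branches the following instruction goes too.
    _sw(0, text + g_offs->loadercore_patch.LoaderCoreCheck1);     // bnez
    _sw(0, text + g_offs->loadercore_patch.LoaderCoreCheck2);     // beqzl
    _sw(0, text + g_offs->loadercore_patch.LoaderCoreCheck2 + 4); // lui (likely branch instruction)
    _sw(0, text + g_offs->loadercore_patch.LoaderCoreCheck3);     // beqzl
    _sw(0, text + g_offs->loadercore_patch.LoaderCoreCheck3 + 4); // lui (likely branch instruction)

    // pops version check: 0x1000FFCB is an unconditional backward branch
    _sw(0x1000FFCB, text + g_offs->loadercore_patch.pops_version_check); // b loc_000075B4

    // Undo rebootex patches: re-point the call sites at the real memlmd
    // exports. A failed lookup would turn MAKE_CALL into a call to address 0,
    // so the existing call sites are left untouched in that case.
    void *memlmd_323366CA = (void *)sctrlHENFindFunction("sceMemlmd", "memlmd", g_offs->loadercore_patch.memlmd_323366CA_NID);
    if (memlmd_323366CA != NULL) {
        _sw(MAKE_CALL(memlmd_323366CA), text + g_offs->loadercore_patch.LoaderCoreUndo1Call1);
        _sw(MAKE_CALL(memlmd_323366CA), text + g_offs->loadercore_patch.LoaderCoreUndo1Call2);
        _sw(MAKE_CALL(memlmd_323366CA), text + g_offs->loadercore_patch.LoaderCoreUndo1Call3);
    }
    void *memlmd_7CF1CD3E = (void *)sctrlHENFindFunction("sceMemlmd", "memlmd", g_offs->loadercore_patch.memlmd_7CF1CD3E_NID);
    if (memlmd_7CF1CD3E != NULL) {
        _sw(MAKE_CALL(memlmd_7CF1CD3E), text + g_offs->loadercore_patch.LoaderCoreUndo2Call1);
        _sw(MAKE_CALL(memlmd_7CF1CD3E), text + g_offs->loadercore_patch.LoaderCoreUndo2Call2);
    }

    /* undo my own patches */
    // NOTE(review): these offsets are hard-coded rather than read from
    // g_offs, so unlike the writes above they are not selected per
    // firmware/model — confirm they hold for every supported firmware.
    _sw(0x1040002C, text + 0x58E0); // beqz $v0
    _sw(0x0040F809, text + 0x58E8); // jalr $v0
    void *sub_3E80 = (void *)(text + 0x3E80);
    _sw(MAKE_CALL(sub_3E80), text + 0x3E00);
    _sw(MAKE_CALL(sub_3E80), text + 0x3F58);
    _sw(MAKE_CALL(sub_3E80), text + 0x58F8);
    _sw(MAKE_CALL(sub_3E80), text + 0x5908);
    _sw(0x10400009, text + 0x5944); // beqz $v0
    _sw(0x0040F809, text + 0x5950); // jalr $v0

    setup_nid_resolver();
#ifdef DEBUG
    hook_import_bynid((SceModule *)loadcore, "KDebugForKernel", 0x84F370BC, printk, 0);
#endif
    patch_sceKernelStartModule(text);
}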