From ba7fa5bbda2ccd19c0a1c37ab99115183a2a1b27 Mon Sep 17 00:00:00 2001
From: CTurt
Date: Sun, 6 Sep 2020 19:10:55 +0100
Subject: [PATCH] 2.13 still not working :/
---
 PAYLOADS/1.00-2.13/Mainrules.mk | 8 +++--
 PAYLOADS/1.00-2.13/eecrt0.ee.S | 5 ++--
 PAYLOADS/1.00-2.13/eepayload.ee.c | 39 +++++++++++++++++++++----
 PAYLOADS/1.00-2.13/emulator.mk | 4 +++
 PAYLOADS/1.00-2.13/hardware.mk | 3 ++
 PAYLOADS/1.00-2.13/ioppayload.iop.c | 39 +++++++++++++++++++++++--
 PAYLOADS/1.00-2.13/stage1_210_212.iop.S | 14 +++++++-
 PAYLOADS/1.00-2.13/syscalls.ee.S | 38 +++++++++++++++++++++++-
 8 files changed, 136 insertions(+), 14 deletions(-)
diff --git a/PAYLOADS/1.00-2.13/Mainrules.mk b/PAYLOADS/1.00-2.13/Mainrules.mk
index 220cd8b..687a3e7 100644
--- a/PAYLOADS/1.00-2.13/Mainrules.mk
+++ b/PAYLOADS/1.00-2.13/Mainrules.mk
@@ -11,7 +11,8 @@ IOP_OBJDUMP = iop-objdump
 IOP_SYMBOLS = -DREAD_SECTORS_210=$(IOP_READ_SECTORS_210) -DORIGINAL_RETURN_ADDRESS_210=$(IOP_ORIGINAL_RETURN_ADDRESS_210) -DRETURN_ADDRESS_LOCATION_210=$(IOP_RETURN_ADDRESS_LOCATION_210) \
 -DREAD_SECTORS_212=$(IOP_READ_SECTORS_212) -DORIGINAL_RETURN_ADDRESS_212=$(IOP_ORIGINAL_RETURN_ADDRESS_212) -DRETURN_ADDRESS_LOCATION_212=$(IOP_RETURN_ADDRESS_LOCATION_212) \
- -DREAD_SECTORS_213=$(IOP_READ_SECTORS_213) -DORIGINAL_RETURN_ADDRESS_213=$(IOP_ORIGINAL_RETURN_ADDRESS_213) -DRETURN_ADDRESS_LOCATION_213=$(IOP_RETURN_ADDRESS_LOCATION_213)
+ -DREAD_SECTORS_213=$(IOP_READ_SECTORS_213) -DORIGINAL_RETURN_ADDRESS_213=$(IOP_ORIGINAL_RETURN_ADDRESS_213) -DRETURN_ADDRESS_LOCATION_213=$(IOP_RETURN_ADDRESS_LOCATION_213) \
+ -DREAD_SECTORS_110=$(IOP_READ_SECTORS_110) -DORIGINAL_RETURN_ADDRESS_110=$(IOP_ORIGINAL_RETURN_ADDRESS_110) -DRETURN_ADDRESS_LOCATION_110=$(IOP_RETURN_ADDRESS_LOCATION_110)
 IOP_CFLAGS = -O2 -G 0 -nostartfiles -nostdlib -ffreestanding -g $(IOP_SYMBOLS)
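Review bot: The new `-D…_110` line passes `$(IOP_ORIGINAL_RETURN_ADDRESS_110)` and `$(IOP_RETURN_ADDRESS_LOCATION_110)`, but neither config hunk in this patch defines them (emulator.mk adds only `IOP_READ_SECTORS_110`, hardware.mk adds blank lines), so unless they are set somewhere outside the shown hunks the compiler receives `-DORIGINAL_RETURN_ADDRESS_110=` and `-DRETURN_ADDRESS_LOCATION_110=`, macros that expand to nothing and only fail later with an unrelated-looking syntax error at the point of use. A make-time check would report the real cause, e.g. `$(foreach v,IOP_READ_SECTORS_110 IOP_ORIGINAL_RETURN_ADDRESS_110 IOP_RETURN_ADDRESS_LOCATION_110,$(if $($(v)),,$(warning $(v) is not set)))` placed before `IOP_SYMBOLS`. If 1.10 support is intentionally incomplete, a comment on the new line saying so would also stop the next reader from hunting for the missing definitions.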
@@ -30,9 +31,12 @@ dvd.iso: dvd.base.iso stage1_210_212.iop.bin stage1_213.iop.bin ioppayload.iop.b
 # For now it's easier to just use a base dvd rather than attempting to generate an image and patch it
 cp dvd.base.iso dvd.iso
- # Return address 0x00818f4 = 530676
+ # Return address (2.10 - 2.13) 0x00818f4 = 530676
 printf $(STAGE1_LOAD_ADDRESS_STRING_210_212) | dd of=dvd.iso bs=1 seek=530676 count=4 conv=notrunc
+ # Return address 1.10 (0x000818bc = 530620)
+ printf $(STAGE1_LOAD_ADDRESS_STRING_110) | dd of=dvd.iso bs=1 seek=530620 count=4 conv=notrunc
+
 # Old toolchains don't support this option, so just copy byte-by-byte...
 # bs=4096 iflag=skip_bytes,count_bytes
diff --git a/PAYLOADS/1.00-2.13/eecrt0.ee.S b/PAYLOADS/1.00-2.13/eecrt0.ee.S
index 0b00949..9e4d82f 100644
--- a/PAYLOADS/1.00-2.13/eecrt0.ee.S
+++ b/PAYLOADS/1.00-2.13/eecrt0.ee.S
@@ -19,6 +19,7 @@ _start:
 jr $a0
+# Don't use on phat PS2... completely broken syscall
 #ExecPS2:
- #la $v1, 0x07
- #syscall 0x07 # ExecPS2
+# la $v1, 0x07
+# syscall 0x07 # ExecPS2
diff --git a/PAYLOADS/1.00-2.13/eepayload.ee.c b/PAYLOADS/1.00-2.13/eepayload.ee.c
index 7a1246c..26f227a 100644
--- a/PAYLOADS/1.00-2.13/eepayload.ee.c
+++ b/PAYLOADS/1.00-2.13/eepayload.ee.c
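Review bot: The new `printf $(STAGE1_LOAD_ADDRESS_STRING_110) | dd … seek=530620` line runs with a variable that, as far as this patch shows, is never set: emulator.mk adds `STAGE1_LOAD_ADDRESS_STRING_110` only as a commented-out line and hardware.mk adds nothing but blank lines, so `printf` feeds zero bytes to `dd`, the 1.10 return address is silently left unpatched, and the recipe still exits 0. Until that address is known, either leave the line out or fail loudly, e.g. `test -n "$(STAGE1_LOAD_ADDRESS_STRING_110)" || { echo "STAGE1_LOAD_ADDRESS_STRING_110 is not set" >&2; exit 1; }` on the line before it. The byte offsets 530676 and 530620 are also written twice, once in the comment and once in the `dd` argument, so defining them beside the `STAGE1_ISO_*` values in the config files would keep the two copies from drifting apart.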
@@ -8,18 +8,44 @@ extern void SifWriteBackDCache(void *ptr, int size);
 extern int SifSetReg(unsigned int register_num, unsigned int register_value);
 extern int SifGetReg(unsigned int register_num);
-//static int SifIopSync(void) {
-// #define SIF_REG_SMFLAG 4
-// #define SIF_STAT_BOOTEND 0x40000
-// return((SifGetReg(SIF_REG_SMFLAG) & SIF_STAT_BOOTEND) != 0);
-//}
+static int SifIopSync(void) {
+ #define SIF_REG_SMFLAG 4
+ #define SIF_STAT_BOOTEND 0x40000
+ return((SifGetReg(SIF_REG_SMFLAG) & SIF_STAT_BOOTEND) != 0);
+}
 static void flush(void) {
 asm volatile("la $v1, 0x64; la $a0, 0; syscall 0x64"); // FlushCache data writeback
 asm volatile("la $v1, 0x64; la $a0, 2; syscall 0x64"); // FlushCache instruction invalidate
 }
+
 int GetThreadId(void);
+void ChangeThreadPriority(int thread_id, int priority);
+int CancelWakeupThread(int thread_id);
+void TerminateThread(int thread_id);
+void DeleteThread(int thread_id);
+
+static void TerminateAllThreads(void) {
+ int i, ThreadID;
+
+ ThreadID=GetThreadId();
+ ChangeThreadPriority(ThreadID, 0);
+ CancelWakeupThread(ThreadID);
+ for(i=1; i<256; i++){ //Skip idle thread.
+ if(i!=ThreadID){
+ TerminateThread(i);
+ DeleteThread(i);
+ }
+ }
+}
+
 int main(void) {
+ // ExecPS2 is broken on Phat PS2... manually kill other threads instead
+ TerminateAllThreads();
+
+ // Signal IOP that EE is Ready, willing, and fully enabled!
+ SifSetReg(3, 1);
+
 volatile int *waitAddress = (void *)0x21FFF7F0;
 while(!*waitAddress);
@@ -33,6 +59,9 @@ int main(void) {
 flush();
+ //SifIopReset("rom0:UDNL rom0:EELOADCNF", 0);
+ //while(!SifIopSync());
+ //ExecPS2(*entry_point_address, 0, 0, 0);
 ExecPS2(*entry_point_address, 0, 1, argument); // kHn: arg == cdrom0:
 }
diff --git a/PAYLOADS/1.00-2.13/emulator.mk b/PAYLOADS/1.00-2.13/emulator.mk
index f388cd2..8252377 100644
--- a/PAYLOADS/1.00-2.13/emulator.mk
+++ b/PAYLOADS/1.00-2.13/emulator.mk
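Review bot: `SifIopSync` is un-commented in this hunk but is never called on the new side — its only reference, `//while(!SifIopSync());` in the second hunk of this file, is itself a comment — so the file gains an unused static function (a `-Wunused-function` warning at best), and the two `#define`s inside its body are file-scope macros regardless of where they sit. Either keep the function commented until the `SifIopReset` path is live, or hoist the defines next to the other constants and mark the function `__attribute__((unused))`. In `main`, `SifSetReg(3, 1)` appears to be the EE half of the handshake that ioppayload.iop.c polls with `SifGetMSFlag() & 1`, yet both the register number and the bit are bare numbers; a constant beside `SIF_REG_SMFLAG`, e.g. `#define SIF_REG_MSFLAG 3`, plus a one-line comment naming the IOP counterpart would keep the two files in step. `TerminateAllThreads` also discards the `int` returned by `CancelWakeupThread`; if failure is expected there, a comment saying so would help the next reader.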
@@ -1,3 +1,6 @@
+#STAGE1_LOAD_ADDRESS_110 = 0xa00b66a8
+#STAGE1_LOAD_ADDRESS_STRING_110 = '\xa8\x66\x0b\xa0'
+
 STAGE1_LOAD_ADDRESS_210_212 = 0xa00b7548
 STAGE1_LOAD_ADDRESS_STRING_210_212 = '\x48\x75\x0b\xa0'
@@ -7,6 +10,7 @@ STAGE1_LOAD_ADDRESS_STRING_213 = '\xc8\x6f\x0b\xa0'
 STAGE1_ISO_210_212 = 532728 # 0x820f8
 STAGE1_ISO_213 = 534136 # 0x82678
+IOP_READ_SECTORS_110 = 0xb19e4
 IOP_READ_SECTORS_210 = 0xb260c
 IOP_READ_SECTORS_212 = 0xb25f8
 IOP_READ_SECTORS_213 = 0xb21f8
diff --git a/PAYLOADS/1.00-2.13/hardware.mk b/PAYLOADS/1.00-2.13/hardware.mk
index f75360e..9d46db8 100644
--- a/PAYLOADS/1.00-2.13/hardware.mk
+++ b/PAYLOADS/1.00-2.13/hardware.mk
@@ -1,3 +1,6 @@
+
+
+
 STAGE1_LOAD_ADDRESS_210_212 = 0xa0062C48
 STAGE1_LOAD_ADDRESS_STRING_210_212 = '\x48\x2c\x06\xa0'
diff --git a/PAYLOADS/1.00-2.13/ioppayload.iop.c b/PAYLOADS/1.00-2.13/ioppayload.iop.c
index 9c13f50..7a7d8f5 100644
--- a/PAYLOADS/1.00-2.13/ioppayload.iop.c
+++ b/PAYLOADS/1.00-2.13/ioppayload.iop.c
@@ -72,6 +72,8 @@ static void memset_ee(void *s, int c, unsigned int n);
 //#include "iopresolve.h"
+#define BD2 (*(volatile int *)0xBD000020) //msflag
+
 static void readData(void *dest, unsigned int offset, size_t n) {
 //unsigned char buffer[SECTOR_SIZE];
 //unsigned char *buffer = (void *)0xfd000;
@@ -121,7 +123,8 @@ void _start(void) {
 sceSifDmaStat = (void *)0x17170;
 unsigned int addiu_magic = 0x27bdffc8; // addiu $sp, $sp, -0x38
- if(*(unsigned int *)READ_SECTORS_210 == addiu_magic) readSectors = (void *)READ_SECTORS_210;
+ //if(*(unsigned int *)READ_SECTORS_110 == addiu_magic) readSectors = (void *)READ_SECTORS_110;
+ if(*(unsigned int *)READ_SECTORS_210 == addiu_magic) readSectors = (void *)READ_SECTORS_210;
 else if(*(unsigned int *)READ_SECTORS_212 == addiu_magic) readSectors = (void *)READ_SECTORS_212;
 else if(*(unsigned int *)READ_SECTORS_213 == addiu_magic) readSectors = (void *)READ_SECTORS_213;
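Review bot: `SifGetMSFlag` and `SifSetMSFlag` are called from `_start` in the `@@ -139` hunk of this file but are only defined, as `static` functions, in the later `@@ -246` hunk, and the diffstat shows no prototype being added; unless a declaration already exists elsewhere in the file, the first call is an implicit declaration of an external function and GCC then rejects the later `static` definition as following a non-static one. This hunk, next to the existing `memset_ee` prototype, is the natural place for `static int SifGetMSFlag(void);` and `static int SifSetMSFlag(unsigned int value);`. The new `BD2` macro is also an opaque name for what its trailing `//msflag` already says; `#define SIF_MSFLAG_REG (*(volatile int *)0xBD000020) // SIF MSFLAG register, polled for the EE-ready handshake` would be self-describing at every use site.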
@@ -139,9 +142,13 @@ void _start(void) {
 transfer_to_ee((void *)0x01477B80, &return_address, sizeof(return_address)); // 2.13E/A
 // Clear bit 0 of 0x208bb710 to make EE exit loop waiting for IOP, and return to our above payload
- //unsigned int loopValue = 0x010004;
+ unsigned int loopValue = 0x010004;
 //transfer_to_ee((void *)0x208bb710, &loopValue, sizeof(loopValue)); // 2.10E
+ transfer_to_ee((void *)0x2087d110, &loopValue, sizeof(loopValue)); // 2.13E
+ // We wait for EE side to be ready before sending ELF.
+ while(!(SifGetMSFlag() & 1));
+ SifSetMSFlag(3);
 //unsigned char *buffer = (void *)0xfe000;
 unsigned char *buffer = (void *)0xBB800;
@@ -246,6 +253,34 @@ static void *memset(void *s, int c, unsigned int n)
 return s;
 }
+static int SifGetMSFlag()
+{
+ int a, b;
+
+ b = BD2;
+ do {
+ a=b;
+ b=BD2;
+ } while(a != b);
+
+ return a;
+}
+
+static int SifSetMSFlag(unsigned int value)
+{
+ int a, b;
+
+ BD2 = value;
+
+ b = BD2;
+ do {
+ a=b;
+ b=BD2;
+ } while(a != b);
+
+ return a;
+}
+
 asm("\n\
 .global ee_crt0\n\
 ee_crt0:\n\
diff --git a/PAYLOADS/1.00-2.13/stage1_210_212.iop.S b/PAYLOADS/1.00-2.13/stage1_210_212.iop.S
index b0c2c99..f1c51a1 100644
--- a/PAYLOADS/1.00-2.13/stage1_210_212.iop.S
+++ b/PAYLOADS/1.00-2.13/stage1_210_212.iop.S
@@ -13,8 +13,14 @@ iop_payload_address = 0xa00fd000
 _start:
 move $fp, $sp # We need to reset $fp as it gets trashed by memcpy
-check_210:
 la $v1, 0x27bdffc8 # addiu $sp, $sp, -0x38
+
+check_110:
+ #la $v0, READ_SECTORS_110
+ #lw $t0, 0($v0)
+ #beq $t0, $v1, read_iop_payload
+
+check_210:
 la $v0, READ_SECTORS_210
 lw $t0, 0($v0)
 beq $t0, $v1, read_iop_payload
@@ -35,8 +41,12 @@ read_iop_payload:
 la $v0, ENTRY
 jalr $v0
-check_210_again:
 la $v1, 0x27bdffc8 # addiu $sp, $sp, -0x38
+
+check_110_again:
+
+
+check_210_again:
 la $v0, READ_SECTORS_210
 lw $v0, 0($v0)
 la $a0, RETURN_ADDRESS_LOCATION_210
diff --git a/PAYLOADS/1.00-2.13/syscalls.ee.S b/PAYLOADS/1.00-2.13/syscalls.ee.S
index 0da0655..6dedaec 100644
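Review bot: `while(!(SifGetMSFlag() & 1));` in the first hunk spins with no bound, so on a firmware where the EE payload never reaches `SifSetReg(3, 1)` the IOP hangs here and nothing distinguishes "EE never started" from "wrong flag register"; the commit title says 2.13 is still not working, and a silent stall is the hardest failure to diagnose. A bounded loop, or at minimum a comment naming the protocol on both sides, would help: `// EE sets MSFLAG bit 0 (SifSetReg(3, 1) in eepayload.ee.c) once its other threads are gone; we answer with bits 0|1.` The values `1` and `3` are bare numbers in both files, so a shared per-bit `#define` would keep the two halves consistent. The enclosing `_start` both starts and ends outside this hunk.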
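Review bot: `static int SifGetMSFlag()` in the second hunk is an old-style non-prototype declarator; `static int SifGetMSFlag(void)` states that it takes no arguments and lets the compiler check callers, and the same applies to the pattern that `SifSetMSFlag` follows. The read-until-two-consecutive-reads-agree loop is the non-obvious part of both functions and carries no comment; a line such as `// re-read until two consecutive reads agree — presumably the register can change under us while the other side writes it (confirm against hardware docs)` above `do { a=b; b=BD2; } while(a != b);` would save the next reader from guessing. `SifSetMSFlag` also takes `unsigned int value` but stores it through an `int` register and returns `int`, so aligning the three types would avoid sign-mixing at the call sites later.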
--- a/PAYLOADS/1.00-2.13/syscalls.ee.S
+++ b/PAYLOADS/1.00-2.13/syscalls.ee.S
@@ -1,10 +1,46 @@
-# ElReino 2020
+# ElReino and CTurt 2020
 # Since GCC does something strange, we can't write syscall thunks directly in C
 # as GCC adds move $v1, $v0 directly after jr $ra, effectively trashing $v0.
 # I don't know why this happens, but I do know enough about GCC that this
 # approach will most probably be easier. But feel free to try fixing it.
+.global GetThreadId
+GetThreadId:
+ la $v1, 0x2f
+ syscall 0x2f
+ jr $ra
+
+.global ChangeThreadPriority
+ChangeThreadPriority:
+ la $v1, 0x29
+ syscall 0x29
+ jr $ra
+
+.global CancelWakeupThread
+CancelWakeupThread:
+ la $v1, 0x35
+ syscall 0x35
+ jr $ra
+
+.global TerminateThread
+TerminateThread:
+ la $v1, 0x25
+ syscall 0x25
+ jr $ra
+
+.global DeleteThread
+DeleteThread:
+ la $v1, 0x21
+ syscall 0x21
+ jr $ra
+
+.global SifSetReg
+SifSetReg:
+ la $v1, 0x79
+ syscall 0x79
+ jr $ra
+
 .global SifGetReg
 SifGetReg:
 la $v1, 0x7a
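Review bot: Each of the six new thunks types its syscall number twice (`la $v1, 0x2f` then `syscall 0x2f`), so a typo in one copy would load one number and trap with another, and nothing in the file would catch it; a GAS macro keeps the pair in a single place and makes the thunk list read as a table. The existing `SifGetReg` could move to the same macro when convenient, which is a style choice rather than a defect. None of the new stubs says what the number is or which kernel the numbering belongs to; a short header comment above the table, e.g. `# EE kernel syscall numbers; mirror the numbering used by the existing SifGetReg thunk`, would give the reader that context without asserting anything the file does not.
```asm
# One thunk per EE syscall: load the number into $v1 and trap with it.
.macro SYSCALL_THUNK name, num
.global \name
\name:
	la $v1, \num
	syscall \num
	jr $ra
.endm

SYSCALL_THUNK GetThreadId, 0x2f
SYSCALL_THUNK ChangeThreadPriority, 0x29
# … unchanged: CancelWakeupThread, TerminateThread, DeleteThread, SifSetReg follow the same pattern …
```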