diff --git a/Makefile b/Makefile
index 9aa28d2..e3ca24b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 CC=arm-vita-eabi-gcc
-CFLAGS=-Os -fno-builtin-printf -fPIC -fno-builtin-memset -Wall -Wextra -Wno-unused-variable -DFW_360
+CFLAGS=-Os -fno-builtin-printf -fPIC -fno-builtin-memset -Wall -Wextra -Wno-unused-variable -DFW_365
 OBJCOPY=arm-vita-eabi-objcopy
 LDFLAGS=-nodefaultlibs -nostdlib
diff --git a/fat.tpl b/fat.tpl
index cd82ca6..46513d6 100644
Binary files a/fat.tpl and b/fat.tpl differ
diff --git a/first.c b/first.c
index c30ddb9..332e26f 100644
--- a/first.c
+++ b/first.c
@@ -22,13 +22,13 @@ void go(void) {
 // we need to patch call to read block 1 instead of block 0 as the master block
 // now that we store a copy of real partition table in block 1
- *(uint16_t*)0x510200C6 = 0x2101; // movs r1, #1
+ *(uint16_t*)0x510202CE = 0x2101; // movs r1, #1
- clean_dcache((void *)0x510200C0, 0x20);
+ clean_dcache((void *)0x510202C0, 0x20);
 flush_icache(); // reinit os0_dev
- int (*fat_init_dev)() = (void*)0x5101FD19;
+ int (*fat_init_dev)() = (void*)0x5101FF21;
 char *os0_dev = (void*)0x51167784;
 int ret = fat_init_dev(os0_dev, 0x110000, 0x510010FD, 0x51028010); // os0_dev, flags, read_block, some_storage
@@ -89,7 +89,7 @@ void go(void) {
 "mov r3, #0\n"
 "mov sp, %1\n"
 "mov r4, %2\n"
- "bx r4\n" :: "r" (sp - 0x110), "r" (old_sp), "r" (0x5101F571) : "r0", "r1", "r2", "r3", "r4"
+ "bx r4\n" :: "r" (sp - 0x110), "r" (old_sp), "r" (0x5101F779) : "r0", "r1", "r2", "r3", "r4"
 );
 }
diff --git a/gen.py b/gen.py
index 822c047..6fb6c1d 100755
--- a/gen.py
+++ b/gen.py
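Review bot: `int (*fat_init_dev)()` is re-pointed at the new address but is still declared with an empty parameter list, so the four-argument call below it gets no type checking and leans entirely on the trailing comment `// os0_dev, flags, read_block, some_storage` to explain the arguments; giving the pointer a prototype that names those parameters (`int (*fat_init_dev)(char *dev, int flags, void *read_block, void *storage)`, with the types confirmed against the callee) would make the call self-documenting. The bare literals 0x510202CE and 0x510202C0, and the 0x5101F779 operand in the second hunk, likewise carry no note of which firmware they belong to or what the branch target is, and the clean_dcache range only covers the patched halfword by hand-kept arithmetic. A short comment at each site, e.g. `// 3.65: halfword inside the read-block call; must stay within the clean_dcache range below`, would keep the next port honest. go() begins and ends outside both hunks.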
@@ -33,16 +33,15 @@ def main():
 exit(-1)
 temp_store = 0x511671A0
-
- pivot = 0x51014f10 # e890b672 ldm r0, {r1, r4, r5, r6, r9, sl, ip, sp, pc}
- pop_pc = 0x5100155f
- pop_r0_pc = 0x5100fa31
- pop_r1_r2_r4_r6_pc = 0x51024b87
- blx_r3_pop_r3_pc = 0x51010033
- pop_r3_pc = 0x51010035
- flush_icache = 0x51014521 # ICIALLUIS
- clean_dcache = 0x5101456D
- debug_printf = 0x51012BD5
+ pivot = 0x5101504C # e890b672 ldm r0, {r1, r4, r5, r6, r9, sl, ip, sp, pc}
+ pop_pc = 0x5100155F
+ pop_r0_pc = 0x5100E4D1
+ pop_r1_r2_r4_r6_pc = 0x51024C53
+ blx_r3_pop_r3_pc = 0x510058AF
+ pop_r3_pc = 0x510058B1
+ flush_icache = 0x51014691 # ICIALLUIS
+ clean_dcache = 0x510146DD
+ debug_printf = 0x51012D45
 pivot_args = [0, 0, 0, 0, 0, 0, 0, temp_store + 0x40, pop_pc]
 rop = [
diff --git a/installer/CMakeLists.txt b/installer/CMakeLists.txt
index 4ed0058..c233872 100644
--- a/installer/CMakeLists.txt
+++ b/installer/CMakeLists.txt
@@ -95,10 +95,9 @@ target_link_libraries(emmc_helper
 gcc
 SceThreadmgrForDriver_stub
 SceModulemgrForDriver_stub
- SceModulemgrForKernel_stub
+ SceModulemgrForKernel_367_stub
 SceSblAIMgrForDriver_stub
 SceIofilemgrForDriver_stub
- SceSysmemForKernel_stub
 SceSysmemForDriver_stub
 taihenForKernel_stub
 )
diff --git a/installer/src/kernel.c b/installer/src/kernel.c
index 58e3e54..f3f3664 100644
--- a/installer/src/kernel.c
+++ b/installer/src/kernel.c
@@ -28,7 +28,7 @@ enum {
 FAT_BIN_USEFUL_SIZE = 0x6000 - 0x400,
 OS0_SIZE = 0x3820 * BLOCK_SIZE,
- OS0_CRC32 = 0xb776951d,
+ OS0_CRC32 = 0x69b0c99d,
 };
 typedef struct {
@@ -373,7 +373,7 @@ int check_blocks(void) {
 crc = crc32(crc, buffer, sizeof(buffer));
 }
 printf("crc32[2; 48] = 0x%08x\n", crc);
- uint32_t known_crc[] = { 0xd40a32e8, 0x8cd78813 };
+ uint32_t known_crc[] = { 0xa6b37650, 0x723111d1 };
 int found = 0;
 for (size_t i = 0; i < ARRAYSIZE(known_crc); ++i) {
 if (crc == known_crc[i]) {
diff --git a/nsbl.h b/nsbl.h
index 32ec0f3..8124130 100644
--- a/nsbl.h
+++ b/nsbl.h
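Review bot: `flush_icache = 0x51014691` and `clean_dcache = 0x510146DD` on the added lines are the same values the commit writes into the `flush_icache`/`clean_dcache` function pointers in nsbl.h, so these offsets now live in two files that must be updated in lockstep by hand; a comment beside them such as `# keep in sync with flush_icache/clean_dcache in nsbl.h`, or better a single shared table both read from, would stop the next port from drifting. The literals have also been normalized to upper-case hex (`pop_pc = 0x5100155F` replaces `0x5100155f` with no value change), which is fine but shows up as a changed line; a word in the commit message would save a reviewer checking it digit by digit. main() begins before the hunk and continues past it.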
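Review bot: The stub linked on the added line is `SceModulemgrForKernel_367_stub`, whereas everything else in this commit (the Makefile's `-DFW_365`, nsbl.h's `#ifdef FW_365`) targets 3.65; if the 367 stub is being used because its NIDs also hold on 3.65, that deserves a one-line comment next to it (`# 3.67 stub: NIDs are the same on 3.65`), since otherwise it reads as a version mismatch. `SceSysmemForKernel_stub` is removed with no replacement, so any symbol still taken from it will only surface as a link error; presumably verified, but nothing on the page says so. The target_link_libraries call starts before the hunk.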
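Review bot: `OS0_CRC32 = 0x69b0c99d` and, in the second kernel.c hunk, the two values in `known_crc[]` are swapped in without any record of what they were computed over, so the next firmware port has to rediscover which image or block range each one guards; a comment on each constant such as `// crc32 of <image/block range>, firmware <version> (generated by <step>)`, filled in from wherever these values were produced, would make them auditable. Dropping the old values also means check_blocks() now accepts only the new layouts, which is presumably intended, but the `printf("crc32[2; 48] = 0x%08x\n", crc)` diagnostic still reports a mismatch only as a bare number; printing the expected values alongside would make a wrong-firmware failure self-explanatory. Both the enum and check_blocks() extend outside their hunks.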
@@ -64,7 +64,7 @@ typedef struct SceModuleSelfSectionInfo {
 uint32_t unknown2;
 } __attribute__((packed)) SceModuleSelfSectionInfo;
-#ifdef FW_360
+#ifdef FW_365
 // firmware specific internal structures
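Review bot: `#ifdef FW_365` simply replaces `#ifdef FW_360`, so a build with neither define, or with a stale `-DFW_360` somewhere, silently compiles out the firmware-specific structures and offsets instead of failing. Unless the block already has an `#else` branch beyond this hunk, adding `#else` / `#error "unsupported firmware: define FW_365"` before the matching `#endif` turns that into a build-time error. The comment on the following line could also name the version the structures were taken from (`// firmware specific internal structures (3.65)`), since the guard macro is now the only place that information lives.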
@@ -249,28 +249,28 @@ typedef struct SceModuleDecryptContext {
 // firmware specific function offsets
 #ifdef DEBUG
-static int (*printf)(const char *fmt, ...) = (void*)0x510137A9;
+static int (*printf)(const char *fmt, ...) = (void*)0x51013919;
 #else
 #define printf(...)
 #endif
-static void *(*memset)(void *dst, int ch, int sz) = (void*)0x51013AD1;
-static void *(*memcpy)(void *dst, const void *src, int sz) = (void *)0x51013A51;
-static void *(*memmove)(void *dst, const void *src, int sz) = (void *)0x51021325;
-static void (*clean_dcache)(void *dst, int len) = (void*)0x5101456D;
+static void *(*memset)(void *dst, int ch, int sz) = (void*)0x51013C41;
+static void *(*memcpy)(void *dst, const void *src, int sz) = (void *)0x51013BC1;
+static void *(*memmove)(void *dst, const void *src, int sz) = (void *)0x5102152D;
+static void (*clean_dcache)(void *dst, int len) = (void*)0x510146DD;
 static int (*read_block_os0)() = (void*)0x510010FD;
-static void (*flush_icache)() = (void*)0x51014521;
-static int (*strncmp)(const char *s1, const char *s2, int len) = (void *)0x51013B30;
-static SceObject *(*get_obj_for_uid)(int uid) = (void *)0x51017649;
+static void (*flush_icache)() = (void*)0x51014691;
+static int (*strncmp)(const char *s1, const char *s2, int len) = (void *)0x51013CA0;
+static SceObject *(*get_obj_for_uid)(int uid) = (void *)0x51017785;
 static int (*module_load)(const SceModuleLoadList *list, int *uids, int count, int) = (void *)0x51001551;
-static int (*sceKernelAllocMemBlock)(const char *name, int type, int size, SceKernelAllocMemBlockKernelOpt *opt) = (void *)0x510086C1;
-static int (*sceKernelGetMemBlockBase)(int32_t uid, void **basep) = (void *)0x510040E5;
-static int (*sceKernelRemapBlock)(int32_t uid, int type) = (void *)0x510086D1;
+static int (*sceKernelAllocMemBlock)(const char *name, int type, int size, SceKernelAllocMemBlockKernelOpt *opt) = (void *)0x51007161;
+static int (*sceKernelGetMemBlockBase)(int32_t uid, void **basep) = (void *)0x510057E1;
+static int (*sceKernelRemapBlock)(int32_t uid, int type) = (void *)0x51007171;
 // firmware specific patch offsets
 static SceBootArgs *boot_args = (void *)0x51167528;
 static SceSysrootContext **sysroot_ctx_ptr = (void *)0x51138A3C;
-static void **module_load_func_ptr = (void *)0x51027630;
+static void **module_load_func_ptr = (void *)0x510277A8;
 // sysstate patches
 #define SCEDISPLAY_LOGO_OFFSET (0x8990)
@@ -279,9 +279,9 @@ static void **module_load_func_ptr = (void *)0x51027630;
 #define SYSSTATE_IS_DEV_MODE_OFFSET (0xE28)
 #define SYSSTATE_RET_CHECK_BUG (0xD92)
 static const uint8_t sysstate_ret_patch[] = {0x13, 0x22, 0xc8, 0xf2, 0x01, 0x02};
-#define SYSSTATE_SD0_STRING (0x2460)
+#define SYSSTATE_SD0_STRING (0x2448)
 static const char ur0_path[] = "ur0:";
-#define SYSSTATE_SD0_PSP2CONFIG_STRING (0x23AE)
+#define SYSSTATE_SD0_PSP2CONFIG_STRING (0x2396)
 static const char ur0_psp2config_path[] = "ur0:tai/boot_config.txt";
 #define SYSSTATE_FINAL_CALL (0x130)
 #define SYSSTATE_FINAL (0x18C9)
diff --git a/second.c b/second.c
index e700c8a..9ebb33e 100644
--- a/second.c
+++ b/second.c
@@ -270,7 +270,7 @@ static int module_load_patched(const SceModuleLoadList *list, int *uids, int cou
 obj = get_obj_for_uid(uids[sysmem_idx]);
 if (obj != NULL) {
 mod = (SceModuleObject *)&obj->data;
- FIND_EXPORT(set_crash_flag, 0x88C17370, 0xF857CDD6);
+ FIND_EXPORT(set_crash_flag, 0x13D793B7, 0xA465A31A);
 FIND_EXPORT(printf, 0x88758561, 0x391B74B7);
 } else {
 printf("module data invalid for sysmem.skprx!\n");
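Review bot: The rewritten initializers keep the mixed `(void*)` / `(void *)` cast spelling (printf, memset, clean_dcache and flush_icache use one form, the rest the other); since every one of these lines is being touched anyway, normalizing them to the majority `(void *)` form is free. More usefully, the table still gives no hint which firmware build the 0x51xxxxxx values belong to beyond the `#ifdef FW_365` that presumably encloses it from earlier in the file; replacing the heading with `// firmware specific function offsets (NSBL 3.65)` and doing the same for `// firmware specific patch offsets` and the sysstate `#define` group in the second hunk would keep a future multi-version table readable. `read_block_os0` and `flush_icache` are also still declared with empty parameter lists, which predates this commit but is worth prototyping while the lines are hot.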
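Review bot: Only the `set_crash_flag` NID pair changes while the `FIND_EXPORT(printf, 0x88758561, 0x391B74B7)` lookup right after it keeps its previous values; if that is because the printf NIDs are stable across the two versions, a comment saying so (`// printf NIDs unchanged from the previous firmware`) prevents the next port from second-guessing it. FIND_EXPORT's failure behaviour is defined outside the hunk, so whether a missed lookup leaves `set_crash_flag` null and how that is reported cannot be confirmed here; the `else` branch below logs a missing module, and a matching log on a missed export would make the two failure cases equally diagnosable. module_load_patched() begins and ends outside the hunk.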