sbv_patches.h File Reference

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
int	sbv_patch_enable_lmb (void)
int	sbv_patch_disable_prefix_check (void)
int	sbv_patch_user_mem_clear (void *start)
int	sbv_patch_fileio (void)

Detailed Description

SBV patches.

Definition in file sbv_patches.h.

Function Documentation

sbv_patch_disable_prefix_check()

int sbv_patch_disable_prefix_check

(

void

)

Returns

0: success, none-zero: error

The MODLOAD module has a black/white (depends on version) list that determines what devices can have unprotected EE/IOP executables loaded from. Typically, only protected executables can be loaded from user-writable media like the memory card or HDD unit. This patch will disable the black/white list, allowing executables to be freely loaded from any device.

Definition at line 24 of file patch_disable_prefix_check.c.

{
        union {
                u8 buf[256];
                slib_exp_lib_t exp_lib;
        } buf;
        static u32 patch[2] ALIGNED(16)={
                0x03e00008,     /* jr $ra */
                0x00001021      /* addiu $v0, $0, 0 */
        };
        SifDmaTransfer_t dmat;
        slib_exp_lib_t *modload_lib = &buf.exp_lib;
 
        memset(&_slib_cur_exp_lib_list, 0, sizeof(slib_exp_lib_list_t));
 
        if (!slib_get_exp_lib("modload", modload_lib))
                return -1;
 
        dmat.src=patch;
        dmat.size=sizeof(patch);        //16-bytes will be written to IOP RAM, but the function on the IOP side is longer than 16 bytes in length.
        dmat.dest=modload_lib->exports[15];
        dmat.attr=0;
 
        SifSetDma(&dmat, 1);
 
        return 0;
}

References _slib_cur_exp_lib_list, ALIGNED, SifDmaTransfer_t::attr, SifDmaTransfer_t::dest, slib_exp_lib_t::exports, SifSetDma(), SifDmaTransfer_t::size, slib_get_exp_lib(), and SifDmaTransfer_t::src.

sbv_patch_enable_lmb()

int sbv_patch_enable_lmb

(

void

)

Returns

0: success, none-zero: error

The rom0:LOADFILE RPC service is missing support for LoadModuleBuffer, making it impossible (by default) to IOP load modules from EE RAM. Newer LOADFILE modules do not have this limitation. Unlike the official patch, this version is not dependent on 0x01e00000-0x01e80000.

Definition at line 38 of file patch_enable_lmb.c.

{
        /* This is the routine called by the loadfile RPC dispatcher for LoadModuleBuffer
           over RPC (call #6).  The bracketed operands are the ones patched by the real
           locations in IOP memory before being installed onto the IOP.  */
        static u32 lmb_patch[32] ALIGNED(64) = {
                0x27bdffd8,     /*      addiu   $sp, -40        */
                0xafb00018,     /*      sw      $s0, 0x18($sp)  */
                0xafbf0020,     /*      sw      $ra, 0x20($sp)  */
                0x00808021,     /*      move    $s0, $a0        */
                0x8c840000,     /*      lw      $a0, 0($a0)     */
                0x0c000000,     /*      jal     [LoadModuleBuffer] */
                0xafb1001c,     /*       sw     $s1, 0x1c($sp)  */
                0x3c110000,     /*      lui     $s1, [HI16(result)] */
                0x04400008,     /*      bltz    $v0, 1f         */
                0x36310000,     /*       ori    $s1, [LO16(result)] */
                0x00402021,     /*      move    $a0, $v0        */
                0x26250008,     /*      addiu   $a1, $s1, 8     */
                0x8e060004,     /*      lw      $a2, 4($s0)     */
                0x26070104,     /*      addiu   $a3, $s0, 0x104 */
                0x26280004,     /*      addiu   $t0, $s1, 4     */
                0x0c000000,     /*      jal     [StartModule]   */
                0xafa80010,     /*       sw     $t0, 0x10($sp)  */
                0xae220000,     /* 1:   sw      $v0, 0($s1)     */
                0x02201021,     /*      move    $v0, $s1        */
                0x8fbf0020,     /*      lw      $ra, 0x20($sp)  */
                0x8fb1001c,     /*      lw      $s1, 0x1c($sp)  */
                0x8fb00018,     /*      lw      $s0, 0x18($sp)  */
                0x03e00008,     /*      jr      $ra             */
                0x27bd0028,     /*       addiu  $sp, 40         */
                0x00000000, 0x00000000,
                0x7962424c, 0x00004545, /* "LBbyEE" */
                0x00000000, 0x00000000, 0x00000000, 0x00000000
        };
        u8 buf[256];
        SifRpcReceiveData_t RData;
        slib_exp_lib_t *modload_lib = (slib_exp_lib_t *)buf;
        smod_mod_info_t loadfile_info;
        void *pStartModule, *pLoadModuleBuffer, *patch_addr, *lf_rpc_dispatch, *lf_jump_table_end, *lf_fno_check;
        unsigned short int JumpTableOffset_hi, JumpTableOffset_lo;
        u32 result, *data;
        int id;
        SifDmaTransfer_t dmat;
 
        memset(&_slib_cur_exp_lib_list, 0, sizeof(slib_exp_lib_list_t));
 
        /* Locate the modload export library - it must have at least 16 exports.  */
        if (slib_get_exp_lib("modload", modload_lib) < 16)
                return -1;
 
        pStartModule = modload_lib->exports[8];
        pLoadModuleBuffer = modload_lib->exports[10];
 
        /* Now we need to find the loadfile module.  */
        if (!(id = smod_get_mod_by_name("LoadModuleByEE", &loadfile_info)))
                return -1;
 
        /*      In the Sony original, the whole text section of LOADFILE is scanned for the pattern.
 
                But that required a larger portion of EE RAM, which means that memory
                will have to be allocated. It will also mean that this library will become dependent on additional memory (i.e. 0x01e00000-0x01e80000).
                I think that it's fine to hardcode the address because the affected LOADFILE module is the same in all boot ROMs.
                If someday, somebody finds an unusual (perhaps even prototype) PlayStation 2 console that has an older LOADFILE module that needs this patch too,
                this patch can be revised.
 
                The original sbv library's LMB patch starts scanning at offset 0x400, in a mere 256-byte radius.
                        Locate the loadfile RPC dispatch code, where the first 4 instructions look like:
 
                        27bdffe8        addiu   $sp, -24
                        2c820006        sltiu   $v0, $a0, 6
                        14400003        bnez    $v0, +12
                        afbf0010        sw      $ra, 0x10($sp)  */
 
        if(loadfile_info.text_size < 0x4c4 + 128)
                return -1;
 
        lf_rpc_dispatch = (void *)(loadfile_info.text_start + 0x4c4);
        SyncDCache(&smem_buf, smem_buf.bytes+128);
        if(SifRpcGetOtherData(&RData, (void*)lf_rpc_dispatch, &smem_buf, 128, 0)>=0){
                data=smem_buf.words;
                if(data[0]==0x27bdffe8 && data[1]==0x2c820006 && data[2]==0x14400003 && data[3]==0xafbf0010 && data[5]==0x00001021 && data[6]==0x00041080){
                        lf_fno_check = (void*)(lf_rpc_dispatch+4);
 
                        /* We need to extract the address of the jump table. */
                        JumpTableOffset_hi=*(unsigned short int*)&data[7];
                        JumpTableOffset_lo=*(unsigned short int*)&data[9];
 
                        lf_jump_table_end = (void*)((JumpTableOffset_hi<<16) + (short int)JumpTableOffset_lo + 0x18);
 
                        /* Now we can patch our subversive LoadModuleBuffer RPC call.  */
                        SifInitIopHeap();
                        if ((patch_addr = SifAllocIopHeap(sizeof lmb_patch)) == NULL)
                                return -1;
 
                        /* result is where the RPC return structure is stored.  */
                        result = (u32)patch_addr + 96;
                        lmb_patch[5] = JAL((u32)pLoadModuleBuffer);
                        lmb_patch[7] = HI16(result);
                        lmb_patch[9] = LO16(result);
                        lmb_patch[15] = JAL((u32)pStartModule);
 
                        SyncDCache(lmb_patch, (void *)(lmb_patch + 24));
 
                        dmat.src=lmb_patch;
                        dmat.size=sizeof(lmb_patch);
                        dmat.dest=patch_addr;
                        dmat.attr=0;
 
                        SifSetDma(&dmat, 1);
 
                        /* Finally.  The last thing to do is to patch the loadfile RPC dispatch routine
                           so that it will jump to entry #6 in it's jump table, and to patch the jump
                           table itself.  */
                        smem_write_word(lf_jump_table_end, (u32)patch_addr);
                        smem_write_word(lf_fno_check, 0x2C820007);      //sltiu v0, a0, $0007
 
                        return 0;
                }
        }
 
        return 1;
}

References _slib_cur_exp_lib_list, ALIGNED, SifDmaTransfer_t::attr, smem_buf::bytes, data, SifDmaTransfer_t::dest, slib_exp_lib_t::exports, HI16, JAL, LO16, NULL, result, SifAllocIopHeap(), SifInitIopHeap(), SifRpcGetOtherData(), SifSetDma(), SifDmaTransfer_t::size, slib_get_exp_lib(), smem_write_word(), smod_get_mod_by_name(), SifDmaTransfer_t::src, SyncDCache(), smod_mod_info_t::text_size, smod_mod_info_t::text_start, and smem_buf::words.

Referenced by main().

sbv_patch_fileio()

int sbv_patch_fileio

(

void

)

Returns

0: success, none-zero: error

The rom0:FILEIO RPC service has several glitches, which either result in stability issues or faulty behaviour:

1. Interrupts are not disabled when sceSifSetDma is invoked for getstat() and dread(), which could allow simultaneous access into sceSifSetDma (a critical region).
2. The RPC dispatcher code for remove() has a missing break, resulting in mkdir() being called after remove() returns.

Definition at line 15 of file patch_fileio.c.

{
        /* This patch is a fix for FILEIO on the IOP:
                The handler of rpc_fioremove doesn't exit right after file is
                removed due to the break being missing, which ends up
                calling the mkdir RPC handler in succession.
                A folder with the same name as the deleted file will be created.
                We'll search for FILEIO text section start and patch the rpc
                handler to jump to a subroutine to correct this.
 
                The RPC handlers for getstat() and dread() do not suspend interrupts
                before invoking sceSifSetDma(), which may result in a race condition
                that destroys the internal SIF data structure within SIFMAN.    */
 
        smod_mod_info_t mod_info;
        SifDmaTransfer_t dmat;
        static u32 new_fileio[20] ALIGNED(16)={
                //sceFioRemove fix
                0x0c0001ce,     // jal          +0x738 <- jal fio_remove
                0x00000000,     // nop
                0x0800033a,     // j            +0xce8 <- j rpc_handler_exit
                0x00000000,     // nop
                //sceFioGetstat()/sceFioDread() fix
                0x27bdfff0,     // addiu        sp,sp,-16
                0xafbf0000,     // sw           ra,0(sp)
                0xafa40004,     // sw           a0,4(sp)
                0xafa50008,     // sw           a1,8(sp)
                0x0c000423,     // jal          +0x108c <- jal CpuSuspendIntr
                0x27a4000c,     // addiu        a0,sp,12
                0x8fa40004,     // lw           a0,4(sp)
                0x0c000430,     // jal          +0x10c0 <- jal sceSifSetDma
                0x8fa50008,     // lw           a1,8(sp)
                0x8fa4000c,     // lw           a0,12(sp)
                0x0c000425,     // jal          +0x1094 <- jal CpuResumeIntr
                0xafa20004,     // sw           v0,4(sp)
                0x8fbf0000,     // lw           ra,0(sp)
                0x8fa20004,     // lw           v0,4(sp)
                0x03e00008,     // jr           ra
                0x27bd0010,     // addiu        sp,sp,16
        };
        u32 *p_new_fileio;
        u32 new_jump_op;
        void *patch_addr;
 
        memset(&mod_info, 0, sizeof(mod_info));
        int ret = smod_get_mod_by_name("FILEIO_service", &mod_info);
        if ((!ret) || (mod_info.version != 0x101))
                return -1;
 
        SifInitIopHeap();
        if((patch_addr = SifAllocIopHeap(sizeof(new_fileio))) == NULL)
                return -1;
 
        /* setup our jump opcodes */
        p_new_fileio = UNCACHED_SEG(new_fileio);
 
        //For the sceFioRemove() patch
        p_new_fileio[0] += ((u32)mod_info.text_start >> 2);
        p_new_fileio[2] += ((u32)mod_info.text_start >> 2);
 
        //For the sceFioGetstat() and sceFioDread() patch
        p_new_fileio[8] += ((u32)mod_info.text_start >> 2);
        p_new_fileio[11] += ((u32)mod_info.text_start >> 2);
        p_new_fileio[14] += ((u32)mod_info.text_start >> 2);
 
        /* apply it */
        dmat.src=new_fileio;
        dmat.dest=patch_addr;
        dmat.size=sizeof(new_fileio);
        dmat.attr=0;
        SifSetDma(&dmat, 1);
 
        //For the dump to sceRemove()
        new_jump_op =  JMP((u32)patch_addr);
        smem_write_word((void *)mod_info.text_start + 0x0bb8, new_jump_op);
        new_jump_op =  JAL((u32)patch_addr + 16);
        //For the jumps to sceSifSetDma within sceGetstat() and sceDread():
        smem_write_word((void *)mod_info.text_start + 0x09cc, new_jump_op);
        smem_write_word((void *)mod_info.text_start + 0x0a58, new_jump_op);
 
        return 0;
}

References ALIGNED, SifDmaTransfer_t::attr, SifDmaTransfer_t::dest, JAL, JMP, NULL, SifAllocIopHeap(), SifInitIopHeap(), SifSetDma(), SifDmaTransfer_t::size, smem_write_word(), smod_get_mod_by_name(), SifDmaTransfer_t::src, smod_mod_info_t::text_start, UNCACHED_SEG, and smod_mod_info_t::version.

sbv_patch_user_mem_clear()

int sbv_patch_user_mem_clear

(

void *

start

)

@start address above which all user memory is cleared

Returns

0: success, -1: error

LoadExecPS2() wipes all user-space memory above 0x82000. With this patch, you can define a different start address to prevent your data from being overwritten. In order to completely disable the memory clear, simply pass 0x02000000 to it.

Definition at line 9 of file patch_user_mem_clear.c.

{
        int ret = -1;
        u32 *p;
 
        DI();
        ee_kmode_enter();
 
        for (p = (unsigned int*)0x80001000; p < (unsigned int*)0x80080000; p++) {
                /*
                 * Search for function call and patch $a0
                 *  lui  $a0, 0x0008
                 *  jal  InitializeUserMemory
                 *  ori  $a0, $a0, 0x2000
                 */
                if (p[0] == 0x3c040008 && (p[1] & 0xfc000000) == 0x0c000000 && p[2] == 0x34842000) {
                        p[0] = 0x3c040000 | ((unsigned int)start >> 16);
                        p[2] = 0x34840000 | ((unsigned int)start & 0xffff);
                        ret = 0;
                        break;
                }
        }
 
        ee_kmode_exit();
        EI();
 
        return ret;
}

References DI, ee_kmode_enter(), ee_kmode_exit(), and EI.