From 060331284ee8251b33701078ee6e38124eab029f Mon Sep 17 00:00:00 2001
From: Spotlight
Date: Thu, 20 Jan 2022 19:51:14 -0600
Subject: [PATCH] Remap DBAT7 to cover full IOS range
---
 patch_overwrite.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/patch_overwrite.go b/patch_overwrite.go
index e514598..292860a 100644
--- a/patch_overwrite.go
+++ b/patch_overwrite.go
@@ -119,7 +119,7 @@ var OverwriteIOSPatch = PatchSet{
  //////////////
  // We want to write to IOSC_VerifyPublicKeySign at 0x13a73ad4.
  // For us, this is mapped to 0x92a73ad4.
- 0x92, 0xa7, 0x3a, 0xd4,
+ 0x93, 0xa7, 0x3a, 0xd4,
  // 0x20004770 is equivalent in ARM THUMB to:
  // mov r0, #0x0
  // bx lr
@@ -173,7 +173,7 @@ var OverwriteIOSPatch = PatchSet{
  // This is additionally not a patch!
  // We use this to store our ideal MEM2 mapping.
- 0x90, 0x00, 0x1f, 0xff,
+ 0x93, 0x00, 0x01, 0xff,
  },
  },
  Patch{
@@ -194,6 +194,11 @@ var OverwriteIOSPatch = PatchSet{
  // Apply lower half
  STH(R10, 0x0, R9),
+ // Load a better mapping for upper MEM2.
+ LWZ(R9, 0x30, R8),
+ // mtspr DBAT7U, r9
+ Instruction{0x7d, 0x3e, 0x8b, 0xa6},
+
  // Load address/value pair for IOSC_VerifyPublicKeySign
  LWZ(R9, 0x8, R8),
  LWZ(R10, 0xc, R8),
@@ -226,11 +231,6 @@ var OverwriteIOSPatch = PatchSet{
  // bne (last blr)
  Instruction{0x40, 0x82, 0x00, 0x30},
- // Load a better mapping for upper MEM2.
- LWZ(R9, 0x30, R8),
- // mtspr DBAT7U, r9
- Instruction{0x7d, 0x3e, 0x8b, 0xa6},
-
  // Apply ES_AddTicket
  LWZ(R9, 0x18, R8),
  LWZ(R10, 0x1c, R8),
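Review bot: The context comment `// For us, this is mapped to 0x92a73ad4.` directly above the changed bytes in the first hunk is now stale, because the new bytes encode 0x93a73ad4. It should be updated in the same commit to `// For us, this is mapped to 0x93a73ad4.` so the comment and the table entry agree. The OverwriteIOSPatch literal that holds this entry starts and ends outside the hunk.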
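Review bot: The new word `0x93, 0x00, 0x01, 0xff` in the second hunk is an undocumented magic value; the existing comment only calls it the ideal MEM2 mapping. Read as a PowerPC BAT upper register it appears to describe a 16 MiB block at effective address 0x93000000 with both valid bits set, where the old value described 256 MiB at 0x90000000, so the window has moved and narrowed. A comment such as `// DBAT7U: 16 MiB block at 0x93000000, Vs|Vp set (was 256 MiB at 0x90000000).` would record that. The other address entries in this table are outside the hunk.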
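Review bot: The `mtspr DBAT7U` block relocated in the third hunk has no comment saying why it must now run before the IOSC_VerifyPublicKeySign store. A why-comment such as `// Must run before the stores below: their targets lie in the remapped window.` would record the ordering dependency. The block also moved ahead of the `bne` shown in the fourth hunk, so it presumably now executes on a path where it was previously skipped. If the remap is meant to stay conditional on that check, this needs confirming, because the code between the two hunks is not shown.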