From 3338ff8f02db2302d35d37bc538727bb337b7898 Mon Sep 17 00:00:00 2001
From: Spotlight
Date: Sat, 15 Jan 2022 03:30:08 -0600
Subject: [PATCH] Properly apply BAT changes for vWii

It was determined that Opera mapped out things within the 0xe0000000 range. We remap 0x93xxxxxx to be as wide as possible, in order to write over ES. Nintendo, by default, appears only maps 8 megabytes(?) (mask 0xff) - too little for us. We then change our IOS patch address to write at 0x92a73ad4 instead of 0xd3a73ad4, as some unknown shenanigans appear to be in play. Writes fully commit via 0x92. Lastly, we switch to utilize ipl::Exception::__ct in order to have exceptions displayed should any errors occur.
---
 patch_overwrite.go | 40 +++++++++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/patch_overwrite.go b/patch_overwrite.go
index 5487352..e514598 100644
--- a/patch_overwrite.go
+++ b/patch_overwrite.go
@@ -103,7 +103,7 @@ var OverwriteIOSPatch = PatchSet{
 Name: "Insert patch table",
 AtOffset: 3205088,
- Before: emptyBytes(48),
+ Before: emptyBytes(52),
 After: []byte{
 //////////////
 // PATCH #1 //
@@ -118,8 +118,8 @@ var OverwriteIOSPatch = PatchSet{
 // PATCH #2 //
 //////////////
 // We want to write to IOSC_VerifyPublicKeySign at 0x13a73ad4.
- // For us, this is mapped to 0xd3a73ad4.
- 0xd3, 0xa7, 0x3a, 0xd4,
+ // For us, this is mapped to 0x92a73ad4.
+ 0x92, 0xa7, 0x3a, 0xd4,
 // 0x20004770 is equivalent in ARM THUMB to:
 // mov r0, #0x0
 // bx lr
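Review bot: `Before: emptyBytes(52)` and the now 52-byte `After` table are silently coupled to the PowerPC patcher's `LWZ(R9, 0x30, R8)` in a later hunk, and nothing at this site records that the table must extend to the highest load offset plus four. A comment such as `// Table length must cover the highest LWZ offset read by overwriteIOSMemory + 4 (currently 0x30 + 4 = 52).` would keep the two in step when the next entry is added. The `Before` check only verifies that the extra four bytes are zero in the target binary, not that the loader offsets agree with the table. The `After` literal continues past this hunk.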
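Review bot: The new comment `// For us, this is mapped to 0x92a73ad4.` states the alias as settled, while the commit message calls the reason unknown, and it does not agree with the translation the ES entries in the later hunks imply: 0x939f2100 for ES_AddTicket suggests a linear 0x90000000 + (physical - 0x10000000) mapping, under which 0x13a73ad4 would alias to 0x93a73ad4, not 0x92a73ad4. So either the 0x13a73ad4 on the line above is not the physical address, or the two patches rely on different BAT translations, and the comment should say which, e.g. `// Empirically writes land via 0x92a73ad4, one MiB below the linear 0x93a73ad4 alias; cause not yet understood, see the DBAT7 setup in overwriteIOSMemory.` Without that record the next reader is likely to "correct" one prefix to match the other and silently break the patch.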
@@ -136,22 +136,22 @@ var OverwriteIOSPatch = PatchSet{
 //////////////////////////
 // Patch location:
 // We want to write at 0x20102100, aka "ES_AddTicket".
- // (0x20102100 | 0xc0000000) -> 0xe0102100
- 0xe0, 0x10, 0x21, 0x00,
+ // We use the address mapped to PowerPC.
+ 0x93, 0x9f, 0x21, 0x00,
 // The original code has a few conditionals preventing system title usage.
 // We simply branch off past these.
- // 0x681a2a01 is equivalent in ARM THUMB to:
+ // 0x681ae008 is equivalent in ARM THUMB to:
 // ldr r2,[r3,#0x0] ; original code we wish to preserve
 // ; so we can write 32 bits
 // b +0x14 ; branch past conditionals
- 0x68, 0x1a, 0x2a, 0x01,
+ 0x68, 0x1a, 0xe0, 0x08,
 //////////////////////////
 // PATCH #4 - vWii only //
 //////////////////////////
 // We want to write to 0x20103240, aka "ES_AddTitleStart".
- // (0x20103240 | 0xc0000000) -> 0xe0103240
- 0xe0, 0x10, 0x32, 0x40,
+ // We use the address mapped to PowerPC.
+ 0x93, 0x9f, 0x32, 0x40,
 // The original code has a few conditionals preventing system title usage.
 // 0xe00846c0 is equivalent in ARM THUMB to:
 // b +0x8 ; branch past conditionals
@@ -162,14 +162,18 @@ var OverwriteIOSPatch = PatchSet{
 // PATCH #5 - vWii only //
 //////////////////////////
 // Lastly, we want to write to 0x20103564, aka "ES_AddContentStart".
- // (0x20103564 | 0xc0000000) -> 0xe0103564
- 0xe0, 0x10, 0x35, 0x64,
+ // We use the address mapped to PowerPC.
+ 0x93, 0x9f, 0x35, 0x64,
 // The original code has a few conditionals preventing system title usage.
 // We simply branch off past these.
 // 0xe00c46c0 is equivalent in ARM THUMB to:
 // b +0xc ; branch past conditionals
 // add sp,#0x0 ; recommended THUMB nop
 0xe0, 0x0c, 0xb0, 0x00,
+
+ // This is additionally not a patch!
+ // We use this to store our ideal MEM2 mapping.
+ 0x90, 0x00, 0x1f, 0xff,
 },
 },
 Patch{
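Review bot: The new disassembly line for `0x681ae008` sits above the context comment `// b +0x14`, yet the identical halfword `0xe008` in PATCH #4 a few lines down is annotated `// b +0x8` and `0xe00c` in PATCH #5 as `// b +0xc`, so the three comments cannot share one notation. For a Thumb unconditional B, `0xe008` carries imm11 = 8, a 16-byte displacement measured from the instruction address + 4, which puts the target at +0x14 from the instruction and makes `0xe00c` +0x1c; the +0x8/+0xc figures read as the raw imm11 field rather than byte targets. Suggest fixing the convention once, e.g. `// b +0x14 ; imm11=8 -> target = insn + 4 + 16`, and aligning PATCH #4/#5 to it. Those two comment lines are context here, so that part of the fix lies outside this hunk.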
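Review bot: The trailing word `0x90, 0x00, 0x1f, 0xff` is described only as "our ideal MEM2 mapping", but it is loaded by `LWZ(R9, 0x30, R8)` and written to DBAT7U in a later hunk, so the comment should decode it: `// DBAT7 upper half: BEPI 0x90000000, BL 0x7ff (256 MiB), Vs|Vp set.` Because only the upper half is replaced, the physical base, WIMG and protection bits remain whatever DBAT7L holds at the hook point; that dependency belongs next to this value, since it is what decides whether the 0x92/0x93 aliases above actually reach IOS memory. The enclosing `After` literal and `Patch{` start outside this hunk.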
@@ -222,6 +226,11 @@ var OverwriteIOSPatch = PatchSet{
 // bne (last blr)
 Instruction{0x40, 0x82, 0x00, 0x30},
+ // Load a better mapping for upper MEM2.
+ LWZ(R9, 0x30, R8),
+ // mtspr DBAT7U, r9
+ Instruction{0x7d, 0x3e, 0x8b, 0xa6},
+
 // Apply ES_AddTicket
 LWZ(R9, 0x18, R8),
 LWZ(R10, 0x1c, R8),
@@ -237,9 +246,6 @@ var OverwriteIOSPatch = PatchSet{
 LWZ(R10, 0x2c, R8),
 STW(R10, 0x0, R9),
- EIEIO(),
- BLR(),
-
 // We're finished patching!
 BLR(),
 }.toBytes(),
@@ -255,15 +261,15 @@ var OverwriteIOSPatch = PatchSet{
 }.toBytes(),
 },
 Patch{
- Name: "Modify ipl::scene::Setting::prepare",
- AtOffset: 127640,
+ Name: "Modify ipl::Exception::__ct",
+ AtOffset: 31904,
 Before: Instructions{
 BLR(),
 }.toBytes(),
 After: Instructions{
 // b overwriteIOSMemory
- Instruction{0x4b, 0xfe, 0x5c, 0x9c},
+ Instruction{0x42, 0x80, 0xd2, 0x94},
 }.toBytes(),
 },
 }
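Review bot: The new `mtspr DBAT7U, r9` is immediately followed by the loads and stores that depend on the widened mapping, with no context-synchronizing instruction between them; the PowerPC OEA expects an `isync` after a BAT register write before the new translation is relied upon, so adding `Instruction{0x4c, 0x00, 0x01, 0x2c}, // isync` after the mtspr is advisable. Writing only the upper half also leaves the 256 MiB block with whatever physical base and WIMG bits DBAT7L already holds, and if the block now overlaps a range another BAT still maps, the architecture leaves the result undefined — both assumptions should be stated, e.g. `// Widens DBAT7 to 256 MiB at 0x90000000; DBAT7L (base/WIMG) is left as found.` The raw `Instruction{...}` form is also inconsistent with the `LWZ`/`STW`/`EIEIO` helpers used around it; an `MTSPR` helper, or at least the encoding noted in the comment, would help the next reader. `overwriteIOSMemory` begins and ends outside this hunk.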
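Review bot: Dropping `EIEIO()` removes the only ordering barrier between the stores into IOS memory and the return, so nothing in the sequence now forces the patch writes to complete before the caller continues; the commit message's "writes fully commit via 0x92" is an observation, not a guarantee of ordering. If the translation DBAT7L provides is cacheable, the stores may additionally sit in the data cache until evicted. Keeping `EIEIO()` (or a `sync`, `Instruction{0x7c, 0x00, 0x04, 0xac}`) ahead of the final `BLR()` costs one instruction and documents the intent: `EIEIO(), // order the IOS patch stores before returning`. Removing the stray second `BLR()` is correct, as it was unreachable.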
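Review bot: The unchanged comment `// b overwriteIOSMemory` now describes `0x42, 0x80, 0xd2, 0x94`, which decodes as opcode 16 (`bc` with BO=20, branch-always) and a 16-bit displacement of -0x2d6c rather than a `b`; from the new offset 31904 (0x7ca0) that lands at 0x4f34, the same target the old `b` reached from 127640 (0x1f298 - 0x1a364), so the encoding is consistent but the comment should say which form was chosen and why, e.g. `// bc 20,0,overwriteIOSMemory (branch-always; 16-bit reach from 0x7ca0 -> 0x4f34)`. The ±32 KiB range of this form is the first constraint a future move of the hook site will hit. Since `Before: BLR()` shows the hook replaces the function's return, `overwriteIOSMemory`'s own `BLR()` returns to the constructor's caller; the visible patch code touches only r8–r10, but the function starts outside this hunk, so whether r3 (the constructor's return value) survives is worth confirming and noting here.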