my research and reverse engineering notes/utilities relating to the Xbox 360 (Mirrored from https://github.com/InvoxiPlayGames/x360-research)

more kernel patch stuff

Changed files
+48 -1
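--- a/homebrew/xebuild/freeboot-like_patches.md
+++ b/homebrew/xebuild/freeboot-like_patches.md
@@ -303,6 +303,7 @@
 386000004E800020
 
 ; XeKeysConsoleSignatureVerification
+; shellcode checks if r5 (is current console) is 0, if it isn't, writes 1 to it
 0010BF20
 00000005
 2B05000038600001419A0008906500004E800020
@@ -331,7 +332,53 @@
 ; loads dashlaunch, etc. TODO: study
 0010BF40
 0000002C
-[shellcode]
+
+dashlaunch_load_shellcode:
+; only launch dashlaunch if xam succeeded, else exit Phase1Initialization
+bge cr6, load_dashlaunch
+blr
+
+load_dashlaunch:
+; XexLoadImage("\Device\Flash\launch.xex", 8, 0, 0);
+lis r3, 0x8010
+lis r5, 0
+li r4, 0
+ori r4, r4, 8
+ori r3, r3, 0xbfd0 ; 0x8010BFD0 - path to \Device\Flash\launch.xex
+li r6, 0
+bl XexLoadImage
+
+; sets a flag so we know we at least attempted to load dashlaunch
+; *(uint32_t *)0x8010BFEC = 0
+li r3, 0
+lis r4, 0x8010
+ori r4, r4, 0xbfec
+isync
+stw r3, 0(r4)
+b after_dashlaunch_load_shellcode_hook ; continue Phase1Initialization
+
+; TODO
+addi r5, r1, 0x54
+lis r7, -0x7ff0
+ori r7, r7, 0xbfec
+lwz r8, 0(r7)
+isync
+cmplwi cr6, r8, 0
+beq cr6, 0x8010bfa0
+mr r31, r31
+b 0x8010bf88
+blr
+cmplwi cr6, r3, 0x14
+bne cr6, 0x8010bfcc
+lis r7, -0x7ff0
+ori r7, r7, 0xbfec
+lwz r8, 0(r7)
+isync
+cmplwi cr6, r8, 0
+beq cr6, 0x8010bfcc
+mr r31, r31
+b 0x8010bfb4
+b 0x80108410
 
 ; Phase1Initialisation: replace a check to see if Xam failed with a branch to
 ; the above shellcode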