
Release MultiMAN 04.20.03 UPD Released

Discussion in 'multiMAN' started by storm shadow, Mar 4, 2013.


  1. storm shadow




    multiMAN 04.20.03 update is available online and in the WEB column.

    multiMAN ver 04.20.03 UPD (20130303).zip (7.97MB)
    http://www.sendspace.com/file/at0tkc











    PS3SX [BETA].pkg (5.95MB)
    http://www.sendspace.com/file/h0dsht


    Code (C):
    /* (c) 2010-2013 multiMAN, Dynarec Enabler
      (c) 2013 Ing Pereira
    */

    /* Base used by the HTAB read loop in dynarec_payload(). Its low 24 bits are
       zero, so OR-ing in (i << 7) and adding 8 give the same address either way. */
    #define HTAB_BASE                0x800000000f000000ULL

    /* Per-firmware lv2 start candidates. None of the three is referenced
       anywhere in this listing; dynarec_payload() assigns HTAB_LV2_START = 0
       instead. TODO(review): confirm where these are meant to be applied. */
    #define HTAB_LV2_START_421            (0x01000000ULL)
    #define HTAB_LV2_START_421D            (0x08000000ULL)
    #define HTAB_LV2_START_430            (0x01000000ULL)
     
    // base_addr = address of mM's payload
    // base_addr + 0x100 = address of htab payload
     
    /*
     * dynarec_payload - write the "htab" helper payload into lv2 memory and
     * rewrite the HTAB entries that map lv2.
     *
     * Everything this function touches is declared elsewhere in multiMAN:
     * u64, c_firmware and dex_mode (set by the peekq detection snippet further
     * down the page), HTAB_LV2_START, Lv2Syscall1/Lv2Syscall2 and
     * lv1_write_htab_entry. From the call sites, syscall 6 reads an 8-byte
     * word and syscall 7 writes one. No return value is ever checked, so a
     * failed read or write goes unnoticed.
     *
     * Flow: choose per-firmware offsets (unknown firmware/mode -> return
     * having written nothing), OR in the 0x8000... address prefix, then -
     * only if the guard below holds - poke 21 8-byte words at
     * base_addr+0x100..0x1A0, walk 128 HTAB entries, and finally overwrite
     * three lv2 words (patch_htab1..3) with a branch towards base_addr+0x100.
     *
     * NOTE(review): HTAB_LV2_START is set to 0 a few lines down and never
     * assigned again in this function, so the guard `patch_htab1 &&
     * HTAB_LV2_START` is always false as posted and the whole patch block is
     * unreachable (unless the global is changed concurrently, which nothing
     * here indicates). The HTAB_LV2_START_* macros above are not referenced
     * anywhere in this listing - confirm where the variable is meant to be set.
     */
    void dynarec_payload()
    {
        u64 base_addr=0;     /* start of mM's payload region; helper code goes at +0x100 */
        u64 patch_htab1=0;   /* three lv2 addresses rewritten at the very end */
        u64 patch_htab2=0;
        u64 patch_htab3=0;
        HTAB_LV2_START=0;    /* global, not declared here; stays 0 for the rest of this function */

        /* Exact float compares. They only work because c_firmware is assigned
           from these same literals (3.55f, 4.21f, 4.30f, 4.31f) by the
           detection code; any arithmetic on c_firmware elsewhere would break
           the match. Table is CEX (dex_mode == 0) / DEX per firmware. */
        if(c_firmware==3.55f && !dex_mode)
        {
            base_addr=0x2BE0D0;
            patch_htab1=0x59944;
            patch_htab2=0x5A37C;
            patch_htab3=0x5A844;
        }
        else if(c_firmware==3.55f && dex_mode)
        {
            base_addr=0x2D5B20;
            patch_htab1=0x5D230;
            patch_htab2=0x5DC68;
            patch_htab3=0x5E130;
        }
        else if(c_firmware==4.21f && !dex_mode)
        {
            base_addr=0x2D0C98;
            patch_htab1=0x5CCA4;
            patch_htab2=0x5D6DC; //+A38
            patch_htab3=0x5DBA4; //+4C8

        }
        else if(c_firmware==4.21f && dex_mode)
        {
            base_addr=0x2EB418;
            patch_htab1=0x605BC;
            patch_htab2=0x60FF4;
            patch_htab3=0x614BC;
        }
        else if(c_firmware==4.30f && !dex_mode)
        {
            base_addr=0x2D2418; //0x6ff000; to test htab
            patch_htab1=0x5CDF4;
            patch_htab2=0x5D82C;
            patch_htab3=0x5DCF4;
        }
        else if(c_firmware==4.30f && dex_mode)
        {
            base_addr=0x2ECB48;
            patch_htab1=0x6070C;
            patch_htab2=0x61144;
            patch_htab3=0x6160C;
        }
        else if(c_firmware==4.31f && !dex_mode)
        {
            base_addr=0x2D2428;
            patch_htab1=0x5CDF8;
            patch_htab2=0x5D830;
            patch_htab3=0x5DCF8;
        }
        else return;    /* unknown firmware/mode: nothing has been written yet */

        /* Same 0x80000000_xxxxxxxx form as the peekq addresses used in the
           firmware detection. All offsets above are < 2^24, so the OR simply
           prefixes them. */
        base_addr|=0x8000000000000000ULL;
        patch_htab1|=0x8000000000000000ULL;
        patch_htab2|=0x8000000000000000ULL;
        patch_htab3|=0x8000000000000000ULL;

        /* patch_htab1 is non-zero for every firmware that reaches this line, so
           the condition reduces to HTAB_LV2_START != 0 - never true on this
           path (see the header comment). */
        if(patch_htab1 && HTAB_LV2_START)
        {

            /* Helper code, written 8 bytes per syscall. The resulting bytes for
               4.30 CEX (0x2D2518 onwards) are shown in the hex dump at the end
               of the page. */
            Lv2Syscall2(7, base_addr + 0x100, 0x7C0802A6F8010010ULL);
            Lv2Syscall2(7, base_addr + 0x108, 0xF821FF81F8410070ULL);
            Lv2Syscall2(7, base_addr + 0x110, 0x3C40800060420000ULL);

            /* Embed the descriptor address base_addr+0x198: bits 16..31 go into
               the low half of this word, bits 0..15 into the high half of the
               next one. Neither mask carries the 0x8000... top bit; the fixed
               word at +0x110 appears to supply it (cf. lis/sldi in the
               disassembly below). */
            Lv2Syscall2(7, base_addr + 0x118, 0x784207C664420000ULL | ( ((base_addr+0x198)>>16)&0xFFFF) );
            Lv2Syscall2(7, base_addr + 0x120, 0x60420000E8020000ULL | ( ((base_addr+0x198))&0xFFFF)<<32 );

            Lv2Syscall2(7, base_addr + 0x128, 0xE84200087C0903A6ULL);
            Lv2Syscall2(7, base_addr + 0x130, 0x4E800421E8410070ULL);

            Lv2Syscall2(7, base_addr + 0x138, 0x38210080E8010010ULL);// BCTR <htab_write_caller> desc
            Lv2Syscall2(7, base_addr + 0x140, 0x7C0803A64E800020ULL);
            Lv2Syscall2(7, base_addr + 0x148, 0x78C607647C0802A6ULL);// <htab_write_caller>
            Lv2Syscall2(7, base_addr + 0x150, 0xF801001060C60002ULL);
            Lv2Syscall2(7, base_addr + 0x158, 0xF821FF914800001DULL);// -> BL <lv1_write_htab>
            Lv2Syscall2(7, base_addr + 0x160, 0x6000000038210070ULL);
            Lv2Syscall2(7, base_addr + 0x168, 0x7C6307B4E8010010ULL);
            Lv2Syscall2(7, base_addr + 0x170, 0x7C0803A64E800020ULL);
            Lv2Syscall2(7, base_addr + 0x178, 0x7C0802A6F8010010ULL);// <lv1_write_htab>
            Lv2Syscall2(7, base_addr + 0x180, 0x3960000144000022ULL);
            Lv2Syscall2(7, base_addr + 0x188, 0x7C6307B4E8010010ULL);
            Lv2Syscall2(7, base_addr + 0x190, 0x7C0803A64E800020ULL);
            /* Two-word descriptor at +0x198: pointer to <htab_write_caller>
               (+0x148, prefix already OR-ed in) followed by a fixed second
               word - matches the .long pairs at the end of the disassembly. */
            Lv2Syscall2(7, base_addr + 0x198, (base_addr + 0x148));    // htab _Custom call desc
            Lv2Syscall2(7, base_addr + 0x1A0, 0x8000000000700000ULL);

            /* enable full r/w/x access */
            uint64_t pte0, pte1;   /* note: uint64_t here vs. the u64 typedef above */

            /* process entire lv2 */
            /* 128 entries, 0x80 bytes apart (i << 7), each read as two 8-byte words. */
            for (int i = 0; i < 128; i++)
            {
                /* read the old value */
                pte0 = Lv2Syscall1(6, HTAB_BASE | (i << 7));
                /* Parses as HTAB_BASE | ((i << 7) + 8) because '+' binds tighter
                   than '|'; same result here since HTAB_BASE's low 24 bits are zero. */
                pte1 = Lv2Syscall1(6, HTAB_BASE | (i << 7) + 8);

                /* verify entry is lv2 */
                /* 8 MiB window starting at HTAB_LV2_START (0 on this path). */
                if ((pte1 >= HTAB_LV2_START) && (pte1 < (HTAB_LV2_START+0x800000ULL)))
                {
                    /* patch proper htab settings */
                    /* Keeps bits 16..23 of pte1 and replaces everything else with
                       0x190; the individual bit meanings are not documented here. */
                    lv1_write_htab_entry(0, i << 3, pte0, (pte1 & 0xff0000) | 0x190);
                }
            }

            /* Redirect the three call sites. High word = 0x48000001 | 24-bit
               displacement to base_addr+0x100 (the same 0x48...1 form the
               comment at +0x158 labels "BL"), low word = 0x2C230000. The mask
               does not check that the displacement fits in 24 bits or is
               4-byte aligned. For 4.30 CEX the disassembly's CODE XREFs
               (sub_5C9D4+0x420 = 0x5CDF4, sub_5D590+0x29C = 0x5D82C) line up
               with patch_htab1 and patch_htab2. */
            Lv2Syscall2(7, patch_htab1, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab1)&0xFFFFFF)<<32) );
            Lv2Syscall2(7, patch_htab2, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab2)&0xFFFFFF)<<32) );
            Lv2Syscall2(7, patch_htab3, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab3)&0xFFFFFF)<<32) );
        }
    }


    Code (C):
    ...
        u64 CEX=0x4345580000000000ULL;
        u64 DEX=0x4445580000000000ULL;
     
        if(peekq(0x80000000002E79C8ULL)==DEX) {dex_mode=2; c_firmware=3.41f;}
        else
        if(peekq(0x80000000002CFF98ULL)==CEX) {dex_mode=0; c_firmware=3.41f;}
        else
        if(peekq(0x80000000002EFE20ULL)==DEX) {dex_mode=2; c_firmware=3.55f;}
        else
        if(peekq(0x80000000002D83D0ULL)==CEX) {dex_mode=0; c_firmware=3.55f;}
        else
        if(peekq(0x8000000000302D88ULL)==DEX) {dex_mode=2; c_firmware=4.21f;}
        else
        if(peekq(0x80000000002E8610ULL)==CEX) {dex_mode=0; c_firmware=4.21f;}
        else
        if(peekq(0x80000000002E9F08ULL)==CEX) {dex_mode=0; c_firmware=4.30f;}
        else
        if(peekq(0x8000000000304630ULL)==DEX) {dex_mode=2; c_firmware=4.30f;}
        else
        if(peekq(0x80000000002E9F18ULL)==CEX) {dex_mode=0; c_firmware=4.31f;}
        else
    // unknown fw...

    In IDA, for 4.30 CEX, where:

    base_addr=0x2D2418, which puts the payload at base_addr+0x100 -> 0x2D2518:

    Code (PowerPC disassembly, IDA):
    ROM:002D2518 # =============== S U B R O U T I N E =======================================
    ROM:002D2518
    ROM:002D2518
    ROM:002D2518 # review: 0x2D2518 = base_addr 0x2D2418 + 0x100 for 4.30 CEX, the first word
    ROM:002D2518 # dynarec_payload() pokes. The two CODE XREFs below are the patch_htab1 and
    ROM:002D2518 # patch_htab2 sites: 0x5C9D4+0x420 = 0x5CDF4, 0x5D590+0x29C = 0x5D82C.
    ROM:002D2518 sub_2D2518:                            # CODE XREF: sub_5C9D4+420p
    ROM:002D2518                                        # sub_5D590+29Cp
    ROM:002D2518
    ROM:002D2518 .set var_10, -0x10
    ROM:002D2518 .set arg_10,  0x10
    ROM:002D2518
    ROM:002D2518                mflr      r0
    ROM:002D251C                std      r0, arg_10(r1)
    ROM:002D2520                stdu      r1, -0x80(r1)
    ROM:002D2524                std      r2, 0x80+var_10(r1)
    ROM:002D2528                lis      r2, -0x8000
    ROM:002D252C                mr        r2, r2
    ROM:002D2530                sldi      r2, r2, 32
    ROM:002D2534                oris      r2, r2, 0x2D
    ROM:002D2538                ori      r2, r2, 0x25B0      # r2 = 0x80000000002D25B0 = base_addr+0x198, the descriptor the payload writes
    ROM:002D253C                ld        r0, 0(r2)         # r0/r2 = the two words at 0x2D25B0/0x2D25B8 (see .long pairs below)
    ROM:002D2540                ld        r2, 8(r2)
    ROM:002D2544                mtctr    r0
    ROM:002D2548                bctrl
    ROM:002D254C                ld        r2, 0x80+var_10(r1)
    ROM:002D2550                addi      r1, r1, 0x80
    ROM:002D2554                ld        r0, arg_10(r1)
    ROM:002D2558                mtlr      r0
    ROM:002D255C                blr
    ROM:002D255C # End of function sub_2D2518
    ROM:002D255C
    ROM:002D2560 # ---------------------------------------------------------------------------
    ROM:002D2560
    ROM:002D2560 # review: 0x2D2560 = base_addr+0x148, labelled <htab_write_caller> in the C listing
    ROM:002D2560 loc_2D2560:                            # DATA XREF: ROM:002D25B4o
    ROM:002D2560                clrrdi    r6, r6, 2
    ROM:002D2564                mflr      r0
    ROM:002D2568                std      r0, 0x10(r1)
    ROM:002D256C                ori      r6, r6, 2
    ROM:002D2570                stdu      r1, -0x70(r1)
    ROM:002D2574                bl        sub_2D2590
    ROM:002D2578                nop
    ROM:002D257C                addi      r1, r1, 0x70
    ROM:002D2580                extsw    r3, r3
    ROM:002D2584                ld        r0, 0x10(r1)
    ROM:002D2588                mtlr      r0
    ROM:002D258C                blr
    ROM:002D2590
    ROM:002D2590 # =============== S U B R O U T I N E =======================================
    ROM:002D2590
    ROM:002D2590
    ROM:002D2590 # review: 0x2D2590 = base_addr+0x178, labelled <lv1_write_htab> in the C listing
    ROM:002D2590 sub_2D2590:                            # CODE XREF: ROM:002D2574p
    ROM:002D2590
    ROM:002D2590 .set arg_10,  0x10
    ROM:002D2590
    ROM:002D2590                mflr      r0
    ROM:002D2594                std      r0, arg_10(r1)
    ROM:002D2598                li        r11, 1
    ROM:002D259C                hvsc                    # hvsc(1): lv1_write_htab_entry
    ROM:002D25A0                extsw    r3, r3
    ROM:002D25A4                ld        r0, arg_10(r1)
    ROM:002D25A8                mtlr      r0
    ROM:002D25AC                blr
    ROM:002D25AC # End of function sub_2D2590
    ROM:002D25AC
    ROM:002D25AC # ---------------------------------------------------------------------------
    ROM:002D25B0 # review: descriptor at base_addr+0x198: {0x80000000002D2560, 0x8000000000700000},
    ROM:002D25B0 # i.e. the last two words dynarec_payload() pokes (+0x198 and +0x1A0)
    ROM:002D25B0                .long 0x80000000
    ROM:002D25B4                .long loc_2D2560
    ROM:002D25B8                .long 0x80000000
    ROM:002D25BC                .long unk_700000

    Code (hex dump of the payload bytes at 0x2D2518, 4.30 CEX):
    002D2518  7C 08 02 A6 F8 01 00 10  F8 21 FF 81 F8 41 00 70
    002D2528  3C 40 80 00 60 42 00 00  78 42 07 C6 64 42 00 2D
    002D2538  60 42 25 B0 E8 02 00 00  E8 42 00 08 7C 09 03 A6
    002D2548  4E 80 04 21 E8 41 00 70  38 21 00 80 E8 01 00 10
    002D2558  7C 08 03 A6 4E 80 00 20  78 C6 07 64 7C 08 02 A6
    002D2568  F8 01 00 10 60 C6 00 02  F8 21 FF 91 48 00 00 1D
    002D2578  60 00 00 00 38 21 00 70  7C 63 07 B4 E8 01 00 10
    002D2588  7C 08 03 A6 4E 80 00 20  7C 08 02 A6 F8 01 00 10
    002D2598  39 60 00 01 44 00 00 22  7C 63 07 B4 E8 01 00 10
    002D25A8  7C 08 03 A6 4E 80 00 20  80 00 00 00 00 2D 25 60
    002D25B8  80 00 00 00 00 70 00 00
     