diff --git a/Filesystems/3.04/VIDEO_TS/VIDEO_TS.IFO b/Filesystems/3.04/VIDEO_TS/VIDEO_TS.IFO
new file mode 100644
index 0000000..4c65026
Binary files /dev/null and b/Filesystems/3.04/VIDEO_TS/VIDEO_TS.IFO differ
diff --git a/Filesystems/3.04/VIDEO_TS/VTS_01_0.IFO b/Filesystems/3.04/VIDEO_TS/VTS_01_0.IFO
new file mode 100644
index 0000000..0b6bed8
Binary files /dev/null and b/Filesystems/3.04/VIDEO_TS/VTS_01_0.IFO differ
diff --git a/Filesystems/3.04/VIDEO_TS/VTS_02_0.IFO b/Filesystems/3.04/VIDEO_TS/VTS_02_0.IFO
new file mode 100644
index 0000000..d9f7983
Binary files /dev/null and b/Filesystems/3.04/VIDEO_TS/VTS_02_0.IFO differ
diff --git a/PAYLOADS/PAYLOAD_3.11J/build.sh b/PAYLOADS/PAYLOAD 3.04/build.sh
similarity index 71%
rename from PAYLOADS/PAYLOAD_3.11J/build.sh
rename to PAYLOADS/PAYLOAD 3.04/build.sh
index 3850d2a..a0c0843 100644
--- a/PAYLOADS/PAYLOAD_3.11J/build.sh
+++ b/PAYLOADS/PAYLOAD 3.04/build.sh
@@ -13,7 +13,9 @@ ENTRY=0x01fff9a8
 echo $ENTRY
 echo "Building crt0"
-ee-gcc -Ttext=0x01522944 -DENTRY=$ENTRY crt0.S -o fullpayload.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1
+ee-gcc -Ttext=0x01800180 -DENTRY=$ENTRY crt0.S -o fullpayload.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1
 ee-objcopy -O binary fullpayload.elf fullpayload.bin -Wl,-z,max-page-size=0x1
-echo "Done. Insert fullpayload.bin into VIDEO_TS.IFO at offset 0x2ba4"
+# todo make all this hex editing automatic
+#echo "Done. Insert fullpayload.bin into VIDEO_TS.IFO at offset 0x2954"
+echo "Done. fullpayload.bin at 0x2d00, and payload.bin at 0x3000"
diff --git a/PAYLOADS/PAYLOAD_3.11J/crt0.S b/PAYLOADS/PAYLOAD 3.04/crt0.S
similarity index 86%
rename from PAYLOADS/PAYLOAD_3.11J/crt0.S
rename to PAYLOADS/PAYLOAD 3.04/crt0.S
index 2f23cd1..5fc0964 100644
--- a/PAYLOADS/PAYLOAD_3.11J/crt0.S
+++ b/PAYLOADS/PAYLOAD 3.04/crt0.S
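Review bot: The new `-Ttext=0x01800180` and the offsets in the new echo line (`0x2d00`, `0x3000`) are hand-synchronised with constants in other files of this commit — `0x2d00`/`0x2faa` recur in crt0.S's `.space` expressions, and the fpIndex bytes `0x96 0x08` there select jump target 0x01800180 according to the porting notes — but build.sh records none of that, so the next port will change one number and miss another. Since crt0.S is already preprocessed (`-DENTRY=$ENTRY`), the IFO offsets belong here as shell variables passed the same way, e.g. `IFO_PAYLOAD_OFF=0x2d00` and `IFO_FPINDEX_OFF=0x2faa` appended to the `ee-gcc` line as `-DIFO_PAYLOAD_OFF=$IFO_PAYLOAD_OFF -DIFO_FPINDEX_OFF=$IFO_FPINDEX_OFF`, with the echo printing those variables. Failing that, a comment such as `# -Ttext must equal the jump target selected by fpIndex (0x0896 -> 0x01800180) in crt0.S` keeps the dependency visible. The `# todo make all this hex editing automatic` leaves the IFO patching manual; something like `dd if=fullpayload.bin of=../../Filesystems/3.04/VIDEO_TS/VIDEO_TS.IFO bs=1 seek=$((0x2d00)) conv=notrunc` would remove the hand step, assuming the 3.04 IFO added in this commit is the intended target. Incidentally, the unchanged `ee-objcopy` line still carries `-Wl,-z,max-page-size=0x1`, which is a linker flag and not meaningful to objcopy (GNU objcopy reads `-W` as `--weaken-symbol`); it looks like a copy-paste leftover worth dropping.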
@@ -2,7 +2,7 @@
 .section .text.startup
-.equ getBufferInternal, 0x2952f0
+.equ getBufferInternal, 0x261548
 .equ payload, (0x2000000 - 0x800) # End of RAM
 .global _start
@@ -53,10 +53,10 @@ boot:
 j $v0
 nop
-.space (_start + 0x2fe2 - 0x2ba4) - .
+.space (_start + 0x2faa - 0x2d00) - .
 fpIndex:
- .byte 0x89
- .byte 0xc6
+ .byte 0x96
+ .byte 0x08
-.space (_start + 0x3000 - 0x2ba4) - .
-.incbin "payload.bin"
+#.space (_start + 0x3000 - 0x2d00) - .
+#.incbin "payload.bin"
diff --git a/PAYLOADS/PAYLOAD 3.04/fullpayload.bin b/PAYLOADS/PAYLOAD 3.04/fullpayload.bin
new file mode 100644
index 0000000..3d5aba1
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.04/fullpayload.bin differ
diff --git a/PAYLOADS/PAYLOAD 3.04/fullpayload.elf b/PAYLOADS/PAYLOAD 3.04/fullpayload.elf
new file mode 100644
index 0000000..345fc1b
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.04/fullpayload.elf differ
diff --git a/PAYLOADS/PAYLOAD_3.11J/payload.bin b/PAYLOADS/PAYLOAD 3.04/payload.bin
similarity index 50%
rename from PAYLOADS/PAYLOAD_3.11J/payload.bin
rename to PAYLOADS/PAYLOAD 3.04/payload.bin
index 7930815..9e57d24 100644
Binary files a/PAYLOADS/PAYLOAD_3.11J/payload.bin and b/PAYLOADS/PAYLOAD 3.04/payload.bin differ
diff --git a/PAYLOADS/PAYLOAD_3.11J/payload.c b/PAYLOADS/PAYLOAD 3.04/payload.c
similarity index 91%
rename from PAYLOADS/PAYLOAD_3.11J/payload.c
rename to PAYLOADS/PAYLOAD 3.04/payload.c
index 9088faf..3a88fb9 100644
--- a/PAYLOADS/PAYLOAD_3.11J/payload.c
+++ b/PAYLOADS/PAYLOAD 3.04/payload.c
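Review bot: The new fpIndex value is written as two bare bytes, `.byte 0x96` / `.byte 0x08`, with nothing saying what 0x0896 is; per the porting notes in this commit it is the index into the function-pointer array that resolves to 0x01800180, the same value passed as `-Ttext` in build.sh, so at minimum add `# 0x0896: fp-array index -> 0x01800180, must equal -Ttext in build.sh`, and since the bytes are little-endian (the notes compute the index as 0x0896) a single `.hword 0x0896` would make the value readable, provided the assembler is not allowed to insert alignment padding there. The padding `.space (_start + 0x2faa - 0x2d00) - .` hard-codes the IFO offsets 0x2d00 (payload) and 0x2faa (fpIndex) that build.sh's echo also states, and the same numbers in two files will drift on the next port; as crt0.S is preprocessed (`-DENTRY`), they could arrive as `-D` macros from build.sh. The `#.space` / `#.incbin "payload.bin"` lines are commented out rather than removed and nothing explains that stage 2 is no longer embedded — either delete them or replace them with `# stage 2 (payload.bin) is inserted into the IFO at 0x3000 separately, not embedded here`. `.equ getBufferInternal, 0x261548` also duplicates the `#define getBufferInternal … 0x261548` in payload.c in this same commit; a shared per-version address header included by both files would keep them in step. The enclosing `boot:` block starts outside the hunk.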
@@ -6,15 +6,15 @@
 #define min(a, b) (((a) < (b)) ? (a) : (b))
-#define pointToIFO ((void (*)(unsigned int index, unsigned int lba, unsigned int offset))0x258a28)
-#define getDiscData ((void (*)(unsigned int s, void *d))0x258b98)
+#define pointToIFO ((void (*)(unsigned int index, unsigned int lba, unsigned int offset))0x23dfc8)
+#define getDiscData ((void (*)(unsigned int s, void *d))0x23e138)
-#define SifIopReset ((int (*)(char *, int))0x20e7d8)
-#define SifIopSync ((int (*)(void))0x20e958)
-#define SifInitRpc ((void (*)(int))0x208d80)
-#define SifExitRpc ((void (*)(void))0x208f20)
+#define SifIopReset ((int (*)(char *, int))0x291358)
+#define SifIopSync ((int (*)(void))0x2914d8)
+#define SifInitRpc ((void (*)(int))0x208260)
+#define SifExitRpc ((void (*)(void))0x208400)
-#define getBufferInternal ((int (*)(void *filename, int type, int currentSector, void *dest, unsigned int sectorsRemaining, int curReadPos))0x2952f0)
+#define getBufferInternal ((int (*)(void *filename, int type, int currentSector, void *dest, unsigned int sectorsRemaining, int curReadPos))0x261548)
 #define ELF_PT_LOAD 1
diff --git a/PAYLOADS/PAYLOAD_3.11J/payload.elf b/PAYLOADS/PAYLOAD 3.04/payload.elf
similarity index 90%
rename from PAYLOADS/PAYLOAD_3.11J/payload.elf
rename to PAYLOADS/PAYLOAD 3.04/payload.elf
index 2461cb6..fab2abb 100644
Binary files a/PAYLOADS/PAYLOAD_3.11J/payload.elf and b/PAYLOADS/PAYLOAD 3.04/payload.elf differ
diff --git a/PAYLOADS/PAYLOAD_3.10EU/build.sh b/PAYLOADS/PAYLOAD 3.10/build.sh
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.10EU/build.sh
rename to PAYLOADS/PAYLOAD 3.10/build.sh
diff --git a/PAYLOADS/PAYLOAD_3.10EU/crt0.S b/PAYLOADS/PAYLOAD 3.10/crt0.S
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.10EU/crt0.S
rename to PAYLOADS/PAYLOAD 3.10/crt0.S
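Review bot: Every address in the new `#define`s (`pointToIFO` 0x23dfc8, `getBufferInternal` 0x261548, the four `Sif*` entries) is cast straight to a function pointer and, presumably, called with no check, so if this payload ever runs on firmware other than 3.04 — and the README in this commit says 3.04 has so far only been tested on region M in an emulator — the first call jumps into arbitrary code with no diagnostic. A cheap guard is to read one known instruction word at one of these addresses (taken from the 3.04 disassembly the addresses came from) before calling anything and bail out if it does not match, turning a silent misjump into a clean failure. `0x261548` is also hard-coded in crt0.S's `.equ getBufferInternal` in this same commit; since crt0.S is preprocessed (`-DENTRY` in build.sh), both files could `#include` one per-version address header so the next port edits a single file. A comment above the block naming the firmware these numbers belong to, e.g. `/* 3.04 (region M) function addresses - see "porting notes.txt" */`, would also help, as the file appears to differ from the 3.11J copy only in these constants.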
diff --git a/PAYLOADS/PAYLOAD_3.10EU/fullpayload.bin b/PAYLOADS/PAYLOAD 3.10/fullpayload.bin
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.10EU/fullpayload.bin
rename to PAYLOADS/PAYLOAD 3.10/fullpayload.bin
diff --git a/PAYLOADS/PAYLOAD_3.10EU/fullpayload.elf b/PAYLOADS/PAYLOAD 3.10/fullpayload.elf
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.10EU/fullpayload.elf
rename to PAYLOADS/PAYLOAD 3.10/fullpayload.elf
diff --git a/PAYLOADS/PAYLOAD_3.10EU/payload.bin b/PAYLOADS/PAYLOAD 3.10/payload.bin
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.10EU/payload.bin
rename to PAYLOADS/PAYLOAD 3.10/payload.bin
diff --git a/PAYLOADS/PAYLOAD_3.10EU/payload.c b/PAYLOADS/PAYLOAD 3.10/payload.c
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.10EU/payload.c
rename to PAYLOADS/PAYLOAD 3.10/payload.c
diff --git a/PAYLOADS/PAYLOAD_3.10EU/payload.elf b/PAYLOADS/PAYLOAD 3.10/payload.elf
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.10EU/payload.elf
rename to PAYLOADS/PAYLOAD 3.10/payload.elf
diff --git a/PAYLOADS/PAYLOAD_3.11E/build.sh b/PAYLOADS/PAYLOAD 3.11/build.sh
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.11E/build.sh
rename to PAYLOADS/PAYLOAD 3.11/build.sh
diff --git a/PAYLOADS/PAYLOAD_3.11E/crt0.S b/PAYLOADS/PAYLOAD 3.11/crt0.S
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.11E/crt0.S
rename to PAYLOADS/PAYLOAD 3.11/crt0.S
diff --git a/PAYLOADS/PAYLOAD_3.11E/fullpayload.bin b/PAYLOADS/PAYLOAD 3.11/fullpayload.bin
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.11E/fullpayload.bin
rename to PAYLOADS/PAYLOAD 3.11/fullpayload.bin
diff --git a/PAYLOADS/PAYLOAD_3.11E/fullpayload.elf b/PAYLOADS/PAYLOAD 3.11/fullpayload.elf
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.11E/fullpayload.elf
rename to PAYLOADS/PAYLOAD 3.11/fullpayload.elf
diff --git a/PAYLOADS/PAYLOAD_3.11E/payload.bin b/PAYLOADS/PAYLOAD 3.11/payload.bin
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.11E/payload.bin
rename to PAYLOADS/PAYLOAD 3.11/payload.bin
diff --git a/PAYLOADS/PAYLOAD_3.11E/payload.c b/PAYLOADS/PAYLOAD 3.11/payload.c
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.11E/payload.c
rename to PAYLOADS/PAYLOAD 3.11/payload.c
diff --git a/PAYLOADS/PAYLOAD_3.11E/payload.elf b/PAYLOADS/PAYLOAD 3.11/payload.elf
similarity index 100%
rename from PAYLOADS/PAYLOAD_3.11E/payload.elf
rename to PAYLOADS/PAYLOAD 3.11/payload.elf
diff --git a/PAYLOADS/PAYLOAD_3.11J/fullpayload.bin b/PAYLOADS/PAYLOAD_3.11J/fullpayload.bin
deleted file mode 100644
index ffefae3..0000000
Binary files a/PAYLOADS/PAYLOAD_3.11J/fullpayload.bin and /dev/null differ
diff --git a/PAYLOADS/PAYLOAD_3.11J/fullpayload.elf b/PAYLOADS/PAYLOAD_3.11J/fullpayload.elf
deleted file mode 100644
index 1a600c0..0000000
Binary files a/PAYLOADS/PAYLOAD_3.11J/fullpayload.elf and /dev/null differ
diff --git a/PREBUILT ISOs/3.04 only - all regions - English lang.iso b/PREBUILT ISOs/3.04 only - all regions - English lang.iso
new file mode 100644
index 0000000..48afcb9
Binary files /dev/null and b/PREBUILT ISOs/3.04 only - all regions - English lang.iso differ
diff --git a/README.md b/README.md
index 78383cd..cc364cd 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@ Boot your PlayStation 2 without any disc inserted, and press Triangle to identif
 **Currently only support:**
+- 3.04 (tested only region M in emulator so far, but guess all regions EUMACDGJ will work - with English language set in settings) - please ping me and will update this page when confirmed working on hardware.
 - 3.10 (all regions EUMACDGJ - with English language set in settings) - confirmed working on hardware by CTurt, and others. [Only seems to work with English language](https://www.youtube.com/watch?v=zelVQcD7HCY).
 - 3.11 (all regions EUMACDGJ) - confirmed working on hardware by [MrMario2011](https://twitter.com/MrMario2011/status/1277586569738813440), and others. Language setting doesn't seem to matter ([Japanese language works at least](https://twitter.com/kood_infothief/status/1277600247024238592)).
diff --git a/porting notes.txt b/porting notes.txt
index 3d46690..69ca012 100644
--- a/porting notes.txt
+++ b/porting notes.txt
@@ -1,5 +1,7 @@
 OK, so turns out porting to different regions/languages is just a matter of finding new jump target, which isn't too difficult.
+Prefer using jump targets which aren't part of the language data, so that exploit is compatible with all languages. I might go back and redo 3.10 for this reason.
+
 Porting to different versions, means finding all the function addresses again, which is the time consuming bit.
@@ -81,3 +83,41 @@ payload needs to be modified to load stage 2 differently, I just moved it from 0 payload for 3.10 is at 0x2bb4 copy that over + + +3.04 (M tested only so far, but probably all regions work) +getDiscData - 0x23e138 +getDiscByte - 0x23e068 +currentDiscBytePointer - 0x16ceee4 +endDiscBytePointer - 0x16ceee8 + +0x23cb04 is the copy we want, but I actually decided to look at different buffer overflows in case it is useful for hybrid-ing, here they all are: + +Location Destination Max Size End +0x23bd4c 0x16c6d60 0xffff * 0xc 0x1786D54 +0x23c48c 0x16c79d8 0xffff * 4 0x17079D4 +0x23cb04 0x16c8cd4 0xffff * 3 * 8 0x1848CBC +0x23cc74 0x16c8cd4 0xffff * 4 0x1708CD0 + +writing currentDiscBytePointer, it's value is 0x016ce444 +offset in IFO is 0x2744 - uh on we have collision with 3.10, might not be possible to make hybrid disc with both of those +will need more crazy tricks to do that... we'll see +in mean time, doing 3.04 only disc + +OOB call is at 0x23faac +fpIndex at 0x16cf74a +function pointer array - 0x95ace8 +select 0x95ace8 to 0x95ace8 + 0xffff * 4 = 0x99ACE4 +looking for jump targets, we have some starting with 0x018... +01800180 at 0x95CF40, so index (0x95CF40-0x95ace8)/4 = 0x0896 +fpIndex offset in IFO is 0x2faa +payload offset in IFO is 0x2d00 + +getBufferInternal - 0x261548 +pointToIFO - 0x23dfc8 +getDiscData - 0x23e138 +SifIopReboot - 0x291528 +SifInitRpc - 0x208260 +SifExitRpc - 0x208400 +SifIopReset - 0x291358 +SifIopSync - 0x2914d8