3.04 support

PAYLOADS/PAYLOAD 3.04/build.sh

@@ -13,7 +13,9 @@ ENTRY=0x01fff9a8
 echo $ENTRY
 echo "Building crt0"
 
-ee-gcc -Ttext=0x01522944 -DENTRY=$ENTRY crt0.S -o fullpayload.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1
+ee-gcc -Ttext=0x01800180 -DENTRY=$ENTRY crt0.S -o fullpayload.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1
 ee-objcopy -O binary fullpayload.elf fullpayload.bin -Wl,-z,max-page-size=0x1
 
-echo "Done. Insert fullpayload.bin into VIDEO_TS.IFO at offset 0x2ba4"
+# todo make all this hex editing automatic
+#echo "Done. Insert fullpayload.bin into VIDEO_TS.IFO at offset 0x2954"
+echo "Done. fullpayload.bin at 0x2d00, and payload.bin at 0x3000"

PAYLOADS/PAYLOAD 3.04/crt0.S

@@ -2,7 +2,7 @@
 
 .section .text.startup
 
-.equ getBufferInternal, 0x2952f0
+.equ getBufferInternal, 0x261548
 .equ payload, (0x2000000 - 0x800) # End of RAM
 
 .global _start
@@ -53,10 +53,10 @@ boot:
 	j $v0
 	nop
 
-.space (_start + 0x2fe2 - 0x2ba4) - .
+.space (_start + 0x2faa - 0x2d00) - .
 fpIndex:
-	.byte 0x89
+	.byte 0x96
-	.byte 0xc6
+	.byte 0x08
 
-.space (_start + 0x3000 - 0x2ba4) - .
+#.space (_start + 0x3000 - 0x2d00) - .
-.incbin "payload.bin"
+#.incbin "payload.bin"

PAYLOADS/PAYLOAD 3.04/payload.c

@@ -6,15 +6,15 @@
 
 #define min(a, b) (((a) < (b)) ? (a) : (b))
 
-#define pointToIFO ((void (*)(unsigned int index, unsigned int lba, unsigned int offset))0x258a28)
+#define pointToIFO ((void (*)(unsigned int index, unsigned int lba, unsigned int offset))0x23dfc8)
-#define getDiscData ((void (*)(unsigned int s, void *d))0x258b98)
+#define getDiscData ((void (*)(unsigned int s, void *d))0x23e138)
 
-#define SifIopReset ((int (*)(char *, int))0x20e7d8)
+#define SifIopReset ((int (*)(char *, int))0x291358)
-#define SifIopSync ((int (*)(void))0x20e958)
+#define SifIopSync ((int (*)(void))0x2914d8)
-#define SifInitRpc ((void (*)(int))0x208d80)
+#define SifInitRpc ((void (*)(int))0x208260)
-#define SifExitRpc ((void (*)(void))0x208f20)
+#define SifExitRpc ((void (*)(void))0x208400)
 
-#define getBufferInternal ((int (*)(void *filename, int type, int currentSector, void *dest, unsigned int sectorsRemaining, int curReadPos))0x2952f0)
+#define getBufferInternal ((int (*)(void *filename, int type, int currentSector, void *dest, unsigned int sectorsRemaining, int curReadPos))0x261548)
 
 #define ELF_PT_LOAD 1
 

README.md

@@ -11,6 +11,7 @@ Boot your PlayStation 2 without any disc inserted, and press Triangle to identif
 
 **Currently only support:**
 
+- 3.04 (tested only region M in emulator so far, but guess all regions EUMACDGJ will work - with English language set in settings) - please ping me and will update this page when confirmed working on hardware.
 - 3.10 (all regions EUMACDGJ - with English language set in settings) - confirmed working on hardware by CTurt, and others. [Only seems to work with English language](https://www.youtube.com/watch?v=zelVQcD7HCY).
 - 3.11 (all regions EUMACDGJ) - confirmed working on hardware by [MrMario2011](https://twitter.com/MrMario2011/status/1277586569738813440), and others. Language setting doesn't seem to matter ([Japanese language works at least](https://twitter.com/kood_infothief/status/1277600247024238592)).
 

porting notes.txt

@@ -1,5 +1,7 @@
 OK, so turns out porting to different regions/languages is just a matter of finding new jump target, which isn't too difficult.
 
+Prefer using jump targets which aren't part of the language data, so that exploit is compatible with all languages. I might go back and redo 3.10 for this reason.
+
 Porting to different versions, means finding all the function addresses again, which is the time consuming bit.
 
 
@@ -81,3 +83,41 @@ payload needs to be modified to load stage 2 differently, I just moved it from 0
 payload for 3.10 is at 0x2bb4 copy that over
 
 
+
+
+3.04 (M tested only so far, but probably all regions work)
+getDiscData - 0x23e138
+getDiscByte - 0x23e068
+currentDiscBytePointer - 0x16ceee4
+endDiscBytePointer - 0x16ceee8
+
+0x23cb04 is the copy we want, but I actually decided to look at different buffer overflows in case it is useful for hybrid-ing, here they all are:
+
+Location 	Destination 	Max Size 	End
+0x23bd4c 	0x16c6d60 	0xffff * 0xc 	0x1786D54
+0x23c48c 	0x16c79d8 	0xffff * 4 	0x17079D4
+0x23cb04 	0x16c8cd4 	0xffff * 3 * 8 	0x1848CBC 	
+0x23cc74 	0x16c8cd4 	0xffff * 4 	0x1708CD0
+
+writing currentDiscBytePointer, it's value is 0x016ce444
+offset in IFO is 0x2744 - uh on we have collision with 3.10, might not be possible to make hybrid disc with both of those
+will need more crazy tricks to do that... we'll see
+in mean time, doing 3.04 only disc
+
+OOB call is at 0x23faac
+fpIndex at 0x16cf74a
+function pointer array - 0x95ace8
+select 0x95ace8 to 0x95ace8 + 0xffff * 4 = 0x99ACE4
+looking for jump targets, we have some starting with 0x018...
+01800180 at 0x95CF40, so index (0x95CF40-0x95ace8)/4 = 0x0896
+fpIndex offset in IFO is 0x2faa
+payload offset in IFO is 0x2d00
+
+getBufferInternal - 0x261548
+pointToIFO - 0x23dfc8
+getDiscData - 0x23e138
+SifIopReboot - 0x291528
+SifInitRpc - 0x208260
+SifExitRpc - 0x208400
+SifIopReset - 0x291358
+SifIopSync - 0x2914d8