Patches: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
 
(64 intermediate revisions by 11 users not shown)
Line 31: Line 31:


===nas_plugin.sprx===
===nas_plugin.sprx===
==== geohot patch ====
==== geohot patch ====
:<b>Allow</b>: pseudo-retail pkg installation
:<b>Allow</b>: pseudo-retail pkg installation
Line 38: Line 39:
> 00003250  7c 06 03 78 48 04 b7 21  e8 41 00 28 38 00 00 00
> 00003250  7c 06 03 78 48 04 b7 21  e8 41 00 28 38 00 00 00
</pre>
</pre>
 
*Note : Official COBRA7 includes this patch as well, old homebrew from 3.55 era need this patch.
====waninkoko patch - PL3 ====
*ex) modulespatch in COBRA7 -> { geohot_pkg_offset, LI(R0, 0), &condition_true }
:<b>Allow</b>: debug pkg installs
:: --allow-debug-pkg (ps3mfw command-line option)
<pre>
< 00037350  41 9e 00 4c 38 00 00 00  81 22 8b 10 81 62 8b 14
---
> 00037350  41 9e 00 04 38 00 00 00  81 22 8b 10 81 62 8b 14
</pre>


====kakaroto patch====
====kakaroto patch====
Line 56: Line 50:
> 2f 89 00 00 60 00 00 00 38 00 00 00 81 22 8b 10 81 62 8b 14
> 2f 89 00 00 60 00 00 00 38 00 00 00 81 22 8b 10 81 62 8b 14
</pre>
</pre>
*Note : Most CEX MFWs include this kakaroto's patch, also used in COBRA7.
*ex) modulespatch in COBRA7 -> { elf2_func1 + elf2_func1_offset, NOP, &condition_true }
==== rebug patch ====
:<b>Allow</b>: pseudo-retail pkg installation
<pre>
< 41 9E 01 B0 3B A1 00 80 3D 00 2E 7B 7B BD 00 20 3D
---
> 60 00 00 00 3B A1 00 80 3D 00 2E 7B 7B BD 00 20 3D
</pre>
*Note : Also can be used for DEX CFW as well.
*ex) PS3iTA, REBUG REX/D-REX


====ecdsa check patch for fw 4.50 cex====
====ecdsa check patch for fw 4.50 cex====
Line 63: Line 68:
---
---
> 00003260  E8 41 00 28 7C 60 1B 78  F8 1F 01 80 38 60 00 00
> 00003260  E8 41 00 28 7C 60 1B 78  F8 1F 01 80 38 60 00 00
</pre>
====waninkoko patch - PL3 ====
:<b>Allow</b>: debug pkg installs
:: --allow-debug-pkg (ps3mfw command-line option)
<pre>
< 00037350  41 9e 00 4c 38 00 00 00  81 22 8b 10 81 62 8b 14
---
> 00037350  41 9e 00 04 38 00 00 00  81 22 8b 10 81 62 8b 14
</pre>
</pre>


===vsh.self===
===vsh.self===
====PL3 patch====
====PL3 patch====
:<b>Allow</b>: unsigned apps
:<b>Allow</b>: allow unsigned apps on CEX MFW


<pre>
<pre>
Line 85: Line 99:
   31a7e0: 88 09 00 00 lbz    r0,0(r9)
   31a7e0: 88 09 00 00 lbz    r0,0(r9)
</pre>
</pre>
modulespatch in COBRA7
{ elf1_func2 + elf1_func2_offset, '''NOP''', &condition_true },


<pre>
<pre>
Line 104: Line 121:
   60fef8: 4b ff ff e1 bl      0x60fed8
   60fef8: 4b ff ff e1 bl      0x60fed8
</pre>
</pre>
modulespatch in COBRA7
{ elf1_func1 + elf1_func1_offset, '''LI(R3, 1)''', &condition_true },
{ elf1_func1 + elf1_func1_offset + 4, '''BLR''', &condition_true },
*Note : Commonly used in almost all 4.xx MFWs, Do '''NOT''' use this patch for '''DEX MFW''', it breaks the ability to run NPDRM fself.


====reActPSN====
====reActPSN====
Line 125: Line 150:


</pre>(Source : http://pastebin.com/26RHud5Q)
</pre>(Source : http://pastebin.com/26RHud5Q)


====XMB InGame ScreenShot Feature====
====XMB InGame ScreenShot Feature====
Line 204: Line 228:


=== Make Remote Play SFO Flag obsolete ===
=== Make Remote Play SFO Flag obsolete ===
(for disc games)
==== game_ext_plugin.prx ====
==== game_ext_plugin.prx ====


Line 216: Line 243:


<pre>
<pre>
Part1
< 2F 80 00 00 41 9E 00 28 38 60 00 00 38 80 00 00
---
> 60 00 00 00 48 00 00 28 38 60 00 00 38 80 00 00
Part2
< 000f5a40  39 08 05 48 39 20 00 00  38 60 00 00 4b ff fc 45
< 000f5a40  39 08 05 48 39 20 00 00  38 60 00 00 4b ff fc 45
---
---
Line 231: Line 264:
   2d5a50: 38 00 00 00 li      r0,0
   2d5a50: 38 00 00 00 li      r0,0
</pre>
</pre>
*Note : Allow mapping of protected memory, needed for lv2 peek/poke
====LV1 peek/poke (Unused LV1 calls 182 & 183)====
'''Allow''' : LV1 peek/poke
<pre>
< 64 00 FF FF 60 00 FF EC F8 03 00 C0 4E 80 00 20 38 00 00 00 64 00 FF FF 60 00 FF EC F8 03 00 C0
---
> E8 83 00 18 E8 84 00 00 F8 83 00 C8 4E 80 00 20 38 00 00 00 E8 A3 00 20 E8 83 00 18 F8 A4 00 00
</pre>
====Disable System Integrity Check====
<pre>
< 48 00 E0 35 2F 83 00 00 38 60 00 01 41 9E 00 20
---
> 38 60 00 00 2F 83 00 00 38 60 00 01 41 9E 00 20
</pre>
*Note : Safe to use with mismatched COREOS/SYSCON versions or if PS3 is not QA enabled
====Skip all ACL Checks====
<pre>
< 54 63 06 3E 2F 83 00 00 41 9E 00 14 E8 01 00 70 54 00 07 FE 2F 80 00 00 40 9E 00 18
---
> 38 60 00 01 2F 83 00 00 41 9E 00 14 38 00 00 01 54 00 07 FE 2F 80 00 00 40 9E 00 18
</pre>
*Note : Needed for OtherOS++/Downgrader


====wutangrza patch====
====wutangrza patch====
Line 246: Line 310:
> 00136be0  3a 20 63 6f 72 65 20 63  6f 6e 74 65 78 74 2e 63  |: core context.c|
> 00136be0  3a 20 63 6f 72 65 20 63  6f 6e 74 65 78 74 2e 63  |: core context.c|
</pre>
</pre>


===lv2_kernel.self===
===lv2_kernel.self===
Line 311: Line 374:
==== kakaroto's sigcheck patch ====
==== kakaroto's sigcheck patch ====
In memory 0x800000000005A2A8 (which corresponds to offset 0x6a2a8 in lv2_kernel.elf) replace : "e9 22 99 90 7c 08 02 a6"
In memory 0x800000000005A2A8 (which corresponds to offset 0x6a2a8 in lv2_kernel.elf) replace : "e9 22 99 90 7c 08 02 a6"
with : "38 60 00 00 4e 80 00 20".<br />(Source: https://twitter.com/KaKaRoToKS/status/260742786972798977)
with : "38 60 00 00 4e 80 00 20".<br />(Source: https://twitter.com/KaKaRoToKS/status/260742786972798977
<br>Pastie webarchive backup: http://web.archive.org/web/20141024180714/http://pastie.org/private/3np6uj6md1occbctdeir6a)
 
== disable epilepsy message ==
<!--// thanks mysis //-->
patch to ''disable'' ([[Languages#Photosensitive_epilepsy_text_removal.2Freplacement|not just replace]]), the warning screen that is show on boot since FW 4.00 and when patched, no longer delays the VSH bootprocess
 
[[PS3MFW_Builder#disable_epilepsy_warning|PS3 MFW builder - disable_epilepsy_warning task]] (using the same search/replace as below)
 
seg024:00000000006E75F9 byte_6E75F9:    .byte 1                # DATA XREF: sub_CAC70+314�o
seg024:00000000006E75F9                                        # sub_CAC70+324�w ...
                                                                # 1 = show health care msg, 0 = dont show
=== VSH.self ===
the message and all about it are done in [[Sysconf_plugin]], but it is loaded with special parameter from [[VSH]]
==== Retail/CEX + Shop/SEX ====
  set search  "\x00\x00\x00\x02\x00\x00\x00\x01\x02\x01\x01\x01\xFF\xFF\xFF\xFF"
  set replace "\x00\x00\x00\x02\x00\x00\x00\x01\x02\x00\x01\x01\xFF\xFF\xFF\xFF"
==== Debug/DEX ====
  set search  "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x01\x00\xFF\xFF\xFF\xFF"
  set replace "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x00\xFF\xFF\xFF\xFF"
 
==== Tool/DECR + Arcade/GEX ====
nothing to patch, not set by default
  seg025:000000000070F8B9 unk_70F8B9:    .space 1
 
=== Offsets ===
{|class="wikitable" style="font-size:small; text-align: center;border:2px ridge #999999;"
|-
! vsh.elf !! 4.00 !! 4.01 !! 4.10 !! 4.11 !! 4.20 !! 4.21 !! 4.23 !! 4.25 !! 4.26 !! 4.30 !! 4.31 !! 4.40 !! 4.41 !! 4.45 !! 4.46 !! 4.50 !! 4.55 !! 4.60 !! 4.65 !! 4.66 !! 4.70 !! 4.75
|-
| {{CEX}} || 0x6D7100 || - || 0x6D7230 || 0x6D7230 || 0x6E7758 || 0x6E7758 || - || 0x6E7760 || - || 0x6E7860 || 0x6E7860 || 0x6E79C0 || 0x6E79C0 || 0x6E7C88 || 0x6E7C88 || - || - || 0x6E8958 || 0x6E8960 || 0x6E8978 || 0x6E89E8 || 0x6E8370
|-
| {{SEX}} || 0x6D6F90 || - || 0x6D70C0 || 0x6D70C0 || 0x6D75F0 || 0x6D75F0 || 0x6D75F0 || - || 0x6D75F8 || - || 0x6E7878 || 0x6E79D8 || 0x6E79D8 || 0x6E7CA0 || 0x6E7CA0 || - || 0x6E88C8 || 0x6E8970 || - || 0x6E8990 || 0x6E8A00 || 0x6E8388
|-
| {{DEX}} || 0x6E7A68 || 0x6E7A68 || 0x6E7B98 || 0x6E7B98 || 0x6E80C0 || 0x6E80C0 || - || 0x6E80C8 || - || 0x6E81C8 || - || - || - || - || 0x6F85F0 || 0x6F9200 || 0x6F9218 || 0x6F92B8 || - || 0x6F92E0 || 0x6F9350 ||
|-
|}
 
== disable wait for coldboot view sleep ==
<!--// thanks mysis //-->
==== CEX + SHOP + DEX + DECR ====
  set search  "\x88\x1D\x00\x06\x3C\x60\x00"
  set replace "\x38\x00\x00\x01\x3C\x60\x00"
==== GEX/Arcade ====
N/A
 
=== Offsets ===
{|class="wikitable" style="font-size:small; text-align: center;border:2px ridge #999999;"
|-
! vsh.elf !! 4.00 !! 4.01 !! 4.10 !! 4.11 !! 4.20 !! 4.21 !! 4.23 !! 4.25 !! 4.26 !! 4.30 !! 4.31 !! 4.40 !! 4.41 !! 4.45 !! 4.46 !! 4.50 !! 4.55 !! 4.60 !! 4.65 !! 4.66 !! 4.70 !! 4.75
|-
| {{CEX}} || 0xBEA98 || - || 0xBEA88 || 0xBEABC || 0xBF1DC || 0xBF1DC || - || 0xBF1E4 || - || 0xBF4E4 || 0xBF4E4 || 0xBF4E4 || 0xBF4E4 || 0xBF4E4 || 0xBF4E4 || - || - || 0xBF3B0 || 0xBF3B0 || 0xBF3B0 || 0xBF30C || 0xBF30C
|-
| {{SEX}} || 0xBED04 || - || 0xBECF4 || 0xBED28 || 0xBF44C || 0xBF44C || 0xBF44C || - || 0xBF454 || - || 0xBF754 || 0xBF6E8 || 0xBF6E8 || 0xBF6E8 || 0xBF6E8 || - || 0xBF5F4 || 0xBF5A4 || - || 0xBF5A4 || 0xBF500 || 0xBF500
|-
| {{DEX}} || 0xC3AA8 || 40xC3AA8 || 0xC3A98 || 0xC3ACC || 0xC41D4 || 0xC41D4 || - || 0xC41EC || - || 0xC44EC || - || - || - || - || - || 0xC43D4 || 0xC43F0 || 0xC43B0 || - || 0xC43B0 || - ||
|-
| {{DECR}} || 0xC3F58 || - || - || - || - || - || - || - || - || - || - || - || - || - || - || 0xC5110 || - || - || - || - || - ||
|-
|}
 
==Enforce gameboot animation==
on higher Firmwares
game_ext_plugin.sprx :
38 80 00 00 7B E3 00 20 -> 38 80 00 00 38 60 00 02 + add gameboot_multi + gameboot_stereo
 
if not found on newer fw try:
2F 89 00 00 7B C3 00 20 -> 2F 89 00 00 38 60 00 02 + add gameboot_multi + gameboot_stereo
 
==XMB icons removal==
Samples: https://www.sendspace.com/file/e822dp


== 4.46 patches ==
*[[Rcomage]] usage notes:
=== vsh.self CEX ===
**dump resources raw, without conversion (unmark all the checkboxes)
==== no epilepsy message ====
**compile using zlib header compression (mark the zlib checkbox)
 
===Main XMB icons removal===
Extract the contents of: '''[[xmb_plugin_normal]].rco'''
 
*In the .xml file that represents the .rco structure (aka [[RCOXML Coding | RCOXML]])
**Locate the tag '''XMenu''', is composed by a long list of attributes, locate the attribute '''menus="0xa"''', it defines the number of columns in main XMB (there are 10 main icons for 10 columns in [[XMB]])
***Replace the value of '''menus="0xa"''' by the number of main icons you want in XMB (this number depends of how many you are going to remove)
**Under '''XMenu''' there are several '''XMList''' elements that works as the descriptors of the 10 icons in main XMB
***Delete the '''XMList''' line/s that defines the icon/s you want to remove
 
Sample for 4.70 firmware ---> https://www.sendspace.com/file/0libpe
 
===XMB In-game icons removal===
The process is the same with the file '''[[xmb_ingame]].rco''' but this .rco contains the icon images, so for every icon removed at code is good to remove the icon image, is not needed to remove the images but this will make the final size of the .rco smaller
 
*Under '''ImageTree''' there are several '''Image''' elements that works as the 10 icons in main XMB
**Delete the '''Image''' line/s that defines the icon/s you want to remove
 
== 4.60+ patches ==
 
LIC.DAT patch


<pre>
<pre>
< 0x6E7C90 02 01 01 01 FF FF FF FF
ROM:00056218 loc_56218:                              # CODE XREF: sub_560A8+160j
---
ROM:00056218                li        r0, 1
> 0x6E7C90 02 00 01 01 FF FF FF FF
ROM:0005621C                ld        r3, off_349198 # aDev_bdvdPs3__0 (PARAM.SFO)
ROM:00056220                addi      r4, r1, 0x4F0+var_468
ROM:00056224                lbz      r30, 0x4F0+var_480+1(r1)
ROM:00056228                stw      r0, 0x6C(r28)
ROM:0005622C                lbz      r29, 0x4F0+var_480(r1)
ROM:00056230                bl        sub_29FDAC # ----> replaced with li r3, 1 to disable the sub call for /dev_bdvd/...../LIC.DAT
</pre>
</pre>


=== vsh.self DEX ===
*Note : A patch to ignore LIC.DAT to prevent random freezing from launching homebrew
==== no epilepsy message ====
*Found by dean many thanks to him :)
 
===RIF R and S must not be 0 (4.84/4.85)===
:<b>Allow</b>: RIF's with R and S 0 filled(reactpsn patches allow invalid signature like 1 but it must be filled). Useful for HEN because its previous revisions skipped them
 
seg001:00252020                li        r3, 0
 
seg001:00252024                blr
 
=== Make VSH Attachable (Debug LV2)  ===
 
== 4.75+ patches ==
 
===PSP DRM fix (4.75/4.76)===
:<b>Allow</b>: unsigned PSP packages(aka type free without license) , a.k.a. '''80029537''' error fix
 
< 7FE307B4 EB8101E0EBA101E8 7C0803A6
> 38600000 EB8101E0EBA101E8 7C0803A6
 
seg001:0000000000255260 loc_255260:                            # CODE XREF: seg001:0000000000255244j
seg001:0000000000255260                                        # seg001:0000000000255250j
seg001:0000000000255260                lis      r31, -0x7FFE # '''0x80029537'''
seg001:0000000000255264                ori      r31, r31, 0x9537 # '''0x80029537'''
seg001:0000000000255268
 
*Note : SONY added new drm for PSP, unsigned pkgs are impossible to run without this patch.
*Thanks to habib who did awesome job on reversing :)
 
=== Make EVERYTHING Attachable (Debug LV2)  ===
 
< 40 9E FF C8 4B FF FF C8 E9 22 80 08 7C 08 02 A6
> 40 9E FF C8 4B FF FF C8 38 60 00 01 4E 80 00 20


<pre>
<pre>
< 0x6F85F0 00 00 00 00 00 00 00 00  01 01 01 00 FF FF FF FF
patches lv2::access_control_engine::is_debuggable to always return true.
---
> 0x6F85F0 00 00 00 00 00 00 00 00  00 01 01 00 FF FF FF FF
</pre>
</pre>


== 4.50 patches ==
== 4.82 lv2ldr.elf Disable ECDSA Checks ==
=== vsh.self CEX ===
==== no epilepsy message ====


;Part 1:
Offset | Original Hex Value:
<pre>
<pre>
< 0x6E88A0 02 01 01 01 FF FF FF FF
000022B0 | 3F E1 12 85 18 01 42 06 33 04 99 00 21 00 0F 83
---
> 0x6E88A0 02 00 01 01 FF FF FF FF
</pre>
</pre>


=== vsh.self DEX ===
Offset | Replace Hex Value:
==== no epilepsy message ====
 
<pre>
<pre>
< 0x6F9200 00 00 00 00 00 00 00 00  01 01 01 00 FF FF FF FF
000022B0 | 3F E1 12 85 18 01 42 06 40 80 00 03 21 00 0F 83
---
> 0x6F9200 00 00 00 00 00 00 00 00  00 01 01 00 FF FF FF FF
</pre>
</pre>


== 4.66 patches ==
;Part 2:
=== vsh.self CEX ===
 
==== no epilepsy message ====
Offset | Original Hex Value:
<pre>
<pre>
< 006E8980  02 01 01 01 FF FF FF FF
00002AA0 | 33 03 9C 00 21 00 33 03 04 00 28 84 3F E0 2D 05
---
</pre>
> 006E8980  02 00 01 01 FF FF FF FF


== 4.70 patches ==
Offset | Replace Hex Value:
=== no epilepsy message ===
==== vsh.self CEX ====
<pre>
<pre>
< 0x6E89F0 02 01 01 01 FF FF FF FF
00002AA0 | 40 80 00 03 21 00 33 03 04 00 28 84 3F E0 2D 05
---
> 0x6E89F0 02 00 01 01 FF FF FF FF
</pre>
</pre>


{{System Firmware}}<noinclude>[[Category:Main]]</noinclude>
{{Custom Firmware}}
<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 00:35, 23 July 2020

3.41/3.55 patches[edit | edit source]

Summary[edit | edit source]

Ego lv1 mmap lv2 p&p debug pkg pseudo-retail pkg unsigned app install pkgs app_home Notes
geohot NO NO NO YES NO YES NO installs via ps3swu patcher
w00tangrza YES YES NO NO NO NO NO
waninkoko v1 YES YES YES YES YES YES YES bricks all 256MB NAND SKU's
kmeaw YES YES YES YES NO YES YES
waninkoko v2 YES YES YES YES YES YES YES extensive lv2 patching
f0xtr()n YES YES YES YES NO YES YES repackage of kmeaw?
  • lv1_function_114 mmap (lv1.self)
  • lv2 peek (lv2_kernel.self)
  • lv2 poke (lv2_kernel.self)
  • debug pkg (nas_plugin.sprx)
  • pseudo-retail pkg (nas_plugin.sprx)
  • unsigned app (vsh.self)
  • install pkgs (category_game.xml)
  • app_home (category_game.xml)

nas_plugin.sprx[edit | edit source]

geohot patch[edit | edit source]

Allow: pseudo-retail pkg installation
< 00003250  7c 06 03 78 48 04 b7 21  e8 41 00 28 7c 60 1b 78
---
> 00003250  7c 06 03 78 48 04 b7 21  e8 41 00 28 38 00 00 00
  • Note : Official COBRA7 includes this patch as well, old homebrew from 3.55 era need this patch.
  • ex) modulespatch in COBRA7 -> { geohot_pkg_offset, LI(R0, 0), &condition_true }

kakaroto patch[edit | edit source]

Allow: debug pkg installation
--allow-debug-pkg (ps3mfw command-line option)
< 2f 89 00 00 41 9e 00 4c 38 00 00 00 81 22 8b 10 81 62 8b 14
---
> 2f 89 00 00 60 00 00 00 38 00 00 00 81 22 8b 10 81 62 8b 14
  • Note : Most CEX MFWs include this kakaroto's patch, also used in COBRA7.
  • ex) modulespatch in COBRA7 -> { elf2_func1 + elf2_func1_offset, NOP, &condition_true }

rebug patch[edit | edit source]

Allow: pseudo-retail pkg installation
< 41 9E 01 B0 3B A1 00 80 3D 00 2E 7B 7B BD 00 20 3D
--- 
> 60 00 00 00 3B A1 00 80 3D 00 2E 7B 7B BD 00 20 3D
  • Note : Also can be used for DEX CFW as well.
  • ex) PS3iTA, REBUG REX/D-REX

ecdsa check patch for fw 4.50 cex[edit | edit source]

Allow: pseudo-retail pkg installation
< 00003260  E8 41 00 28 7C 60 1B 78  F8 1F 01 80 E8 7F 01 80
---
> 00003260  E8 41 00 28 7C 60 1B 78  F8 1F 01 80 38 60 00 00

waninkoko patch - PL3[edit | edit source]

Allow: debug pkg installs
--allow-debug-pkg (ps3mfw command-line option)
< 00037350  41 9e 00 4c 38 00 00 00  81 22 8b 10 81 62 8b 14
---
> 00037350  41 9e 00 04 38 00 00 00  81 22 8b 10 81 62 8b 14

vsh.self[edit | edit source]

PL3 patch[edit | edit source]

Allow: allow unsigned apps on CEX MFW
< 030a7d0: 409d 0008 3960 0000 8122 ea60 9969 0000
---
> 030a7d0: 409d 0008 6000 0000 8122 ea60 9969 0000
   31a7c8:	38 03 ff 7f 	addi    r0,r3,-129
   31a7cc:	2b a0 00 01 	cmpldi  cr7,r0,1
   31a7d0:	40 9d 00 08 	ble-    cr7,0x31a7d8
-  31a7d4:	39 60 00 00 	li      r11,0
+  31a7d4:	60 00 00 00 	nop
   31a7d8:	81 22 ea 60 	lwz     r9,-5536(r2)
   31a7dc:	99 69 00 00 	stb     r11,0(r9)
   31a7e0:	88 09 00 00 	lbz     r0,0(r9)
modulespatch in COBRA7 
{ elf1_func2 + elf1_func2_offset, NOP, &condition_true }, 
< 05ffee0: 6063 8c06 4bff fe80 f821 ff81 7c08 02a6
---
> 05ffee0: 6063 8c06 4bff fe80 3860 0001 4e80 0020
   60fedc:	3c 60 00 04 	lis     r3,4
   60fee0:	60 63 8c 06 	ori     r3,r3,35846
   60fee4:	4b ff fe 80 	b       0x60fd64
-  60fee8:	f8 21 ff 81 	stdu    r1,-128(r1)
-  60feec:	7c 08 02 a6 	mflr    r0
+  60fee8:	38 60 00 01 	li      r3,1
+  60feec:	4e 80 00 20 	blr
   60fef0:	38 61 00 70 	addi    r3,r1,112
   60fef4:	f8 01 00 90 	std     r0,144(r1)
   60fef8:	4b ff ff e1 	bl      0x60fed8
modulespatch in COBRA7 
	
{ elf1_func1 + elf1_func1_offset, LI(R3, 1), &condition_true },
{ elf1_func1 + elf1_func1_offset + 4, BLR, &condition_true },
  • Note : Commonly used in almost all 4.xx MFWs, Do NOT use this patch for DEX MFW, it breaks the ability to run NPDRM fself.


reActPSN[edit | edit source]

Allow: unsigned act.dat and *.rif files
version       addr       old data          new data                   function
3.55retail   0x30b230  4b cf 5b 45  ->   38 60 00 00     // fixed  allow unsigned act.dat *.rif
3.55retail   0x30ac90  48 31 b4 65  ->   38 60 00 00     // fixed  act.dat missing after reboot
      
3.55debug    0x312308  4b ce ea 6d  ->   38 60 00 00     // fixed  allow unsigned act.dat *.rif
3.55debug    0x311d68  48 31 b7 d5  ->   38 60 00 00     // fixed  act.dat missing after reboot
      
3.41retail   0x305dc4  4b cf af b1  ->   38 60 00 00     // fixed  allow unsigned act.dat *.rif
3.41retail   0x305824  48 31 43 ad  ->   38 60 00 00     // fixed  act.dat missing after reboot
      
3.41debug    0x30cedc  4b cf 3e 99  ->   38 60 00 00     // fixed  allow unsigned act.dat *.rif
3.41debug    0x30c93c  48 31 47 1d  ->   38 60 00 00     // fixed  act.dat missing after reboot

4.30debug    0x2481e4  4b db 8b 91  ->   38 60 00 00     // fixed  allow unsigned act.dat *.rif
4.30debug    0x247c44  48 3d 59 61  ->   38 60 00 00     // fixed  act.dat missing after reboot

(Source : http://pastebin.com/26RHud5Q)

XMB InGame ScreenShot Feature[edit | edit source]

Allow: taking screenshots in every game (ps3,psp,minis,... - except ps2)

4.21 retail:

  • Export: vshmain_981D7E9F is retrieving enabled(1)/disabled(0) Screenshot feature-flag from dword_720A4C+4
seg001:0000000000193498
seg001:0000000000193498 _Export_vshmain_981D7E9F:               # DATA XREF: OPD:_Export_vshmain_981D7E9F_opd�o
seg001:0000000000193498                 lis       r9, dword_720A4C@h
seg001:000000000019349C                 lwz       r9, dword_720A4C@l(r9)
seg001:00000000001934A0                 addi      r9, r9, 4
seg001:00000000001934A4                 lwarx     r0, r0, r9                                ->  li    r0, 1
seg001:00000000001934A8                 srawi     r9, r0, 0x1F
seg001:00000000001934AC                 xor       r3, r9, r0
seg001:00000000001934B0                 subf      r3, r3, r9
seg001:00000000001934B4                 srwi      r3, r3, 31
seg001:00000000001934B8                 extsw     r3, r3
seg001:00000000001934BC                 blr
seg001:00000000001934BC # End of function _Export_vshmain_981D7E9F

This fix will make xmb enabling screenshot save button, but it will error out when trying. it requires another patch inside vsh.self:

sub_195084:  (4.21 retail as well)
...
seg001:00000000001950A0                 lwz       r9, dword_720A4C@l(r9)
seg001:00000000001950A4                 stfd      f31, 0x190+var_8(r1)
seg001:00000000001950A8                 std       r22, 0x190+var_68(r1)
seg001:00000000001950AC                 std       r23, 0x190+var_60(r1)
seg001:00000000001950B0                 std       r24, 0x190+var_58(r1)
seg001:00000000001950B4                 std       r25, 0x190+var_50(r1)
seg001:00000000001950B8                 std       r26, 0x190+var_48(r1)
seg001:00000000001950BC                 std       r27, 0x190+var_40(r1)
seg001:00000000001950C0                 std       r28, 0x190+var_38(r1)
seg001:00000000001950C4                 std       r29, 0x190+var_30(r1)
seg001:00000000001950C8                 std       r31, 0x190+var_20(r1)
seg001:00000000001950CC                 addi      r9, r9, 4
seg001:00000000001950D0                 lwarx     r0, r0, r9                                ->  li    r0, 1
seg001:00000000001950D4                 cmpwi     cr7, r0, 0
seg001:00000000001950D8                 li        r3, -0x270D
seg001:00000000001950DC                 beq       cr7, return
vsh.elf (CEX, 4.50)[edit | edit source]
< 00184278  7C 00 48 28
---
> 00184278  38 00 00 01

< 00185EB0  7C 00 48 28
---
> 00185EB0  38 00 00 01

Thats it! Enables Screenshot-Feature working fine. Have fun, i do !

Remote Play with PlayStation 3 (Windows Software)[edit | edit source]

premo_plugin.prx[edit | edit source]

for 4.50
< 0xB7E4 38 60 00 00  li r3, 0
---
> 0xB7E4  38 60 00 01 li r3, 1

premo_game_plugin.prx[edit | edit source]

for 4.50
< 0xC9E4 38 60 00 00  li r3, 0
---
> 0xC9E4 38 60 00 01  li r3, 1

Enables playing Remote Play enabled games (via SFO) to be played via sonys official remote play pc software.

Make Remote Play SFO Flag obsolete[edit | edit source]

(for disc games)

game_ext_plugin.prx[edit | edit source]

original bytes:

41 9e 00 1c 2f 83 00 03

patched bytes:

41 9e 00 28 2f 83 00 03

lv1.self[edit | edit source]

graf chokolo patch[edit | edit source]

lv1_undocumented_function_114 (mmap)
Part1
< 2F 80 00 00 41 9E 00 28 38 60 00 00 38 80 00 00
---
> 60 00 00 00 48 00 00 28 38 60 00 00 38 80 00 00

Part2
< 000f5a40  39 08 05 48 39 20 00 00  38 60 00 00 4b ff fc 45
---
> 000f5a40  39 08 05 48 39 20 00 01  38 60 00 00 4b ff fc 45
   2d5a38:	7f 87 e3 78 	mr      r7,r28
   2d5a3c:	e8 89 00 00 	ld      r4,0(r9)
   2d5a40:	39 08 05 48 	addi    r8,r8,1352
-  2d5a44:	39 20 00 00 	li      r9,0
+  2d5a44:	39 20 00 01 	li      r9,1
   2d5a48:	38 60 00 00 	li      r3,0
   2d5a4c:	4b ff fc 45 	bl      0x2d5690
   2d5a50:	38 00 00 00 	li      r0,0
  • Note : Allow mapping of protected memory, needed for lv2 peek/poke

LV1 peek/poke (Unused LV1 calls 182 & 183)[edit | edit source]

Allow : LV1 peek/poke

< 64 00 FF FF 60 00 FF EC F8 03 00 C0 4E 80 00 20 38 00 00 00 64 00 FF FF 60 00 FF EC F8 03 00 C0
---
> E8 83 00 18 E8 84 00 00 F8 83 00 C8 4E 80 00 20 38 00 00 00 E8 A3 00 20 E8 83 00 18 F8 A4 00 00

Disable System Integrity Check[edit | edit source]

 < 48 00 E0 35 2F 83 00 00 38 60 00 01 41 9E 00 20
 ---
 > 38 60 00 00 2F 83 00 00 38 60 00 01 41 9E 00 20
  • Note : Safe to use with mismatched COREOS/SYSCON versions or if PS3 is not QA enabled

Skip all ACL Checks[edit | edit source]

 < 54 63 06 3E 2F 83 00 00 41 9E 00 14 E8 01 00 70 54 00 07 FE 2F 80 00 00 40 9E 00 18
 ---
 > 38 60 00 01 2F 83 00 00 41 9E 00 14 38 00 00 01 54 00 07 FE 2F 80 00 00 40 9E 00 18
  • Note : Needed for OtherOS++/Downgrader

wutangrza patch[edit | edit source]

hash fixing
< 00136bc0  00 00 00 00 00 00 00 00  72 73 78 20 64 72 69 76  |........rsx driv|
---
> 00136bc0  00 00 00 00 00 00 00 00  72 73 73 20 64 72 69 76  |........rss driv|
< 00136be0  3a 20 63 6f 72 65 2f 63  6f 6e 74 65 78 74 2e 63  |: core/context.c|
---
> 00136be0  3a 20 63 6f 72 65 20 63  6f 6e 74 65 78 74 2e 63  |: core context.c|

lv2_kernel.self[edit | edit source]

PL3 patch[edit | edit source]

lv2 peek / poke
< 00029330  7c 63 07 b4 38 21 00 a0  4e 80 00 20 3c 60 80 01
---
> 00029330  7c 63 07 b4 38 21 00 a0  4e 80 00 20 e8 63 00 00
< 00029340  60 63 00 03 4e 80 00 20  3c 60 80 01 60 63 00 03
---
> 00029340  60 00 00 00 4e 80 00 20  f8 83 00 00 60 00 00 00
 8000000000019330:	7c 63 07 b4 	extsw   r3,r3
 8000000000019334:	38 21 00 a0 	addi    r1,r1,160
 8000000000019338:	4e 80 00 20 	blr
-800000000001933c:	3c 60 80 01 	lis     r3,-32767
-8000000000019340:	60 63 00 03 	ori     r3,r3,3
+800000000001933c:	e8 63 00 00 	ld      r3,0(r3)
+8000000000019340:	60 00 00 00 	nop
 8000000000019344:	4e 80 00 20 	blr
-8000000000019348:	3c 60 80 01 	lis     r3,-32767
-800000000001934c:	60 63 00 03 	ori     r3,r3,3
+8000000000019348:	f8 83 00 00 	std     r4,0(r3)
+800000000001934c:	60 00 00 00 	nop
 8000000000019350:	4e 80 00 20 	blr
 8000000000019354:	3c 60 80 01 	lis     r3,-32767
 8000000000019358:	60 63 00 03 	ori     r3,r3,3

wutangrza patch[edit | edit source]

hash fixing
< 002d6e00  6f 75 6c 64 20 6e 6f 74  20 67 65 74 20 50 50 50  |ould not get PPP|
---
> 002d6e00  6f 75 6c 64 20 6e 6f 74  20 6e 6f 74 20 6e 6f 74  |ould not not not|
---
< 002d6e10  6f 45 20 68 65 61 64 65  72 0a 00 00 00 00 00 00  |oE header.......|
---
> 002d6e10  20 6e 6f 74 20 6e 6f 74  20 6e 6f 74 20 6e 00 00  | not not not n..|
< 00359380  a0 40 36 6b 2d 8a 50 99  1e b3 0c 53 e5 9b 5d 6e
---
> 00359380  5e b8 a5 00 8c f3 bc 24  08 91 19 61 e6 db 19 cb
---
< 00359390  61 2c ac b8 00 00 00 00  00 00 00 00 00 00 00 00
---
> 00359390  0d ca fd 2f 00 00 00 00  00 00 00 00 00 00 00 00

4.21 patches[edit | edit source]

Summary[edit | edit source]

lv2_kernel.self[edit | edit source]

kakaroto's sigcheck patch[edit | edit source]

In memory 0x800000000005A2A8 (which corresponds to offset 0x6a2a8 in lv2_kernel.elf) replace : "e9 22 99 90 7c 08 02 a6" with : "38 60 00 00 4e 80 00 20".
(Source: https://twitter.com/KaKaRoToKS/status/260742786972798977
Pastie webarchive backup: http://web.archive.org/web/20141024180714/http://pastie.org/private/3np6uj6md1occbctdeir6a)

disable epilepsy message[edit | edit source]

patch to disable (not just replace), the warning screen that is show on boot since FW 4.00 and when patched, no longer delays the VSH bootprocess

PS3 MFW builder - disable_epilepsy_warning task (using the same search/replace as below)

seg024:00000000006E75F9 byte_6E75F9:    .byte 1                 # DATA XREF: sub_CAC70+314�o
seg024:00000000006E75F9                                         # sub_CAC70+324�w ...
                                                                # 1 = show health care msg, 0 = dont show

VSH.self[edit | edit source]

the message and all about it are done in Sysconf_plugin, but it is loaded with special parameter from VSH

Retail/CEX + Shop/SEX[edit | edit source]

 set search  "\x00\x00\x00\x02\x00\x00\x00\x01\x02\x01\x01\x01\xFF\xFF\xFF\xFF"
 set replace "\x00\x00\x00\x02\x00\x00\x00\x01\x02\x00\x01\x01\xFF\xFF\xFF\xFF"

Debug/DEX[edit | edit source]

 set search  "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x01\x00\xFF\xFF\xFF\xFF"
 set replace "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x00\xFF\xFF\xFF\xFF"

Tool/DECR + Arcade/GEX[edit | edit source]

nothing to patch, not set by default

 seg025:000000000070F8B9 unk_70F8B9:     .space 1

Offsets[edit | edit source]

vsh.elf 4.00 4.01 4.10 4.11 4.20 4.21 4.23 4.25 4.26 4.30 4.31 4.40 4.41 4.45 4.46 4.50 4.55 4.60 4.65 4.66 4.70 4.75
 CEX  0x6D7100 - 0x6D7230 0x6D7230 0x6E7758 0x6E7758 - 0x6E7760 - 0x6E7860 0x6E7860 0x6E79C0 0x6E79C0 0x6E7C88 0x6E7C88 - - 0x6E8958 0x6E8960 0x6E8978 0x6E89E8 0x6E8370
 SEX  0x6D6F90 - 0x6D70C0 0x6D70C0 0x6D75F0 0x6D75F0 0x6D75F0 - 0x6D75F8 - 0x6E7878 0x6E79D8 0x6E79D8 0x6E7CA0 0x6E7CA0 - 0x6E88C8 0x6E8970 - 0x6E8990 0x6E8A00 0x6E8388
 DEX  0x6E7A68 0x6E7A68 0x6E7B98 0x6E7B98 0x6E80C0 0x6E80C0 - 0x6E80C8 - 0x6E81C8 - - - - 0x6F85F0 0x6F9200 0x6F9218 0x6F92B8 - 0x6F92E0 0x6F9350

disable wait for coldboot view sleep[edit | edit source]

CEX + SHOP + DEX + DECR[edit | edit source]

 set search  "\x88\x1D\x00\x06\x3C\x60\x00"
 set replace "\x38\x00\x00\x01\x3C\x60\x00"

GEX/Arcade[edit | edit source]

N/A

Offsets[edit | edit source]

vsh.elf 4.00 4.01 4.10 4.11 4.20 4.21 4.23 4.25 4.26 4.30 4.31 4.40 4.41 4.45 4.46 4.50 4.55 4.60 4.65 4.66 4.70 4.75
 CEX  0xBEA98 - 0xBEA88 0xBEABC 0xBF1DC 0xBF1DC - 0xBF1E4 - 0xBF4E4 0xBF4E4 0xBF4E4 0xBF4E4 0xBF4E4 0xBF4E4 - - 0xBF3B0 0xBF3B0 0xBF3B0 0xBF30C 0xBF30C
 SEX  0xBED04 - 0xBECF4 0xBED28 0xBF44C 0xBF44C 0xBF44C - 0xBF454 - 0xBF754 0xBF6E8 0xBF6E8 0xBF6E8 0xBF6E8 - 0xBF5F4 0xBF5A4 - 0xBF5A4 0xBF500 0xBF500
 DEX  0xC3AA8 40xC3AA8 0xC3A98 0xC3ACC 0xC41D4 0xC41D4 - 0xC41EC - 0xC44EC - - - - - 0xC43D4 0xC43F0 0xC43B0 - 0xC43B0 -
 DECR  0xC3F58 - - - - - - - - - - - - - - 0xC5110 - - - - -

Enforce gameboot animation[edit | edit source]

on higher Firmwares

game_ext_plugin.sprx : 
38 80 00 00 7B E3 00 20 -> 38 80 00 00 38 60 00 02 + add gameboot_multi + gameboot_stereo
if not found on newer fw try:
2F 89 00 00 7B C3 00 20 -> 2F 89 00 00 38 60 00 02 + add gameboot_multi + gameboot_stereo

XMB icons removal[edit | edit source]

Samples: https://www.sendspace.com/file/e822dp

  • Rcomage usage notes:
    • dump resources raw, without conversion (unmark all the checkboxes)
    • compile using zlib header compression (mark the zlib checkbox)

Main XMB icons removal[edit | edit source]

Extract the contents of: xmb_plugin_normal.rco

  • In the .xml file that represents the .rco structure (aka RCOXML)
    • Locate the tag XMenu, is composed by a long list of attributes, locate the attribute menus="0xa", it defines the number of columns in main XMB (there are 10 main icons for 10 columns in XMB)
      • Replace the value of menus="0xa" by the number of main icons you want in XMB (this number depends of how many you are going to remove)
    • Under XMenu there are several XMList elements that works as the descriptors of the 10 icons in main XMB
      • Delete the XMList line/s that defines the icon/s you want to remove

Sample for 4.70 firmware ---> https://www.sendspace.com/file/0libpe

XMB In-game icons removal[edit | edit source]

The process is the same with the file xmb_ingame.rco but this .rco contains the icon images, so for every icon removed at code is good to remove the icon image, is not needed to remove the images but this will make the final size of the .rco smaller

  • Under ImageTree there are several Image elements that works as the 10 icons in main XMB
    • Delete the Image line/s that defines the icon/s you want to remove

4.60+ patches[edit | edit source]

LIC.DAT patch

ROM:00056218 loc_56218:                              # CODE XREF: sub_560A8+160j
ROM:00056218                 li        r0, 1
ROM:0005621C                 ld        r3, off_349198 # aDev_bdvdPs3__0 (PARAM.SFO)
ROM:00056220                 addi      r4, r1, 0x4F0+var_468
ROM:00056224                 lbz       r30, 0x4F0+var_480+1(r1)
ROM:00056228                 stw       r0, 0x6C(r28)
ROM:0005622C                 lbz       r29, 0x4F0+var_480(r1)
ROM:00056230                 bl        sub_29FDAC # ----> replaced with li r3, 1 to disable the sub call for /dev_bdvd/...../LIC.DAT
  • Note : A patch to ignore LIC.DAT to prevent random freezing from launching homebrew
  • Found by dean many thanks to him :)

RIF R and S must not be 0 (4.84/4.85)[edit | edit source]

Allow: RIF's with R and S 0 filled(reactpsn patches allow invalid signature like 1 but it must be filled). Useful for HEN because its previous revisions skipped them

seg001:00252020 li r3, 0

seg001:00252024 blr

Make VSH Attachable (Debug LV2)[edit | edit source]

4.75+ patches[edit | edit source]

PSP DRM fix (4.75/4.76)[edit | edit source]

Allow: unsigned PSP packages(aka type free without license) , a.k.a. 80029537 error fix
< 7FE307B4 EB8101E0EBA101E8 7C0803A6
> 38600000 EB8101E0EBA101E8 7C0803A6
seg001:0000000000255260 loc_255260:                             # CODE XREF: seg001:0000000000255244j
seg001:0000000000255260                                         # seg001:0000000000255250j
seg001:0000000000255260                 lis       r31, -0x7FFE # 0x80029537
seg001:0000000000255264                 ori       r31, r31, 0x9537 # 0x80029537
seg001:0000000000255268
  • Note : SONY added new drm for PSP, unsigned pkgs are impossible to run without this patch.
  • Thanks to habib who did awesome job on reversing :)

Make EVERYTHING Attachable (Debug LV2)[edit | edit source]

< 40 9E FF C8 4B FF FF C8 E9 22 80 08 7C 08 02 A6
> 40 9E FF C8 4B FF FF C8 38 60 00 01 4E 80 00 20
patches lv2::access_control_engine::is_debuggable to always return true.

4.82 lv2ldr.elf Disable ECDSA Checks[edit | edit source]

Part 1

Offset | Original Hex Value:

000022B0 | 3F E1 12 85 18 01 42 06 33 04 99 00 21 00 0F 83

Offset | Replace Hex Value:

000022B0 | 3F E1 12 85 18 01 42 06 40 80 00 03 21 00 0F 83
Part 2

Offset | Original Hex Value:

00002AA0 | 33 03 9C 00 21 00 33 03 04 00 28 84 3F E0 2D 05

Offset | Replace Hex Value:

00002AA0 | 40 80 00 03 21 00 33 03 04 00 28 84 3F E0 2D 05