Patches
3.41/3.55 patches
Summary
Ego | lv1 mmap | lv2 p&p | debug pkg | pseudo-retail pkg | unsigned app | install pkgs | app_home | Notes |
---|---|---|---|---|---|---|---|---|
geohot | NO | NO | NO | YES | NO | YES | NO | installs via ps3swu patcher |
w00tangrza | YES | YES | NO | NO | NO | NO | NO | |
waninkoko v1 | YES | YES | YES | YES | YES | YES | YES | bricks all 256MB NAND SKUs |
kmeaw | YES | YES | YES | YES | NO | YES | YES | |
waninkoko v2 | YES | YES | YES | YES | YES | YES | YES | extensive lv2 patching |
f0xtr()n | YES | YES | YES | YES | NO | YES | YES | repackage of kmeaw? |
Column legend (file each patch lives in):
- lv1 mmap: lv1_function_114 mmap (lv1.self)
- lv2 p&p: lv2 peek and lv2 poke (lv2_kernel.self)
- debug pkg: debug pkg installation (nas_plugin.sprx)
- pseudo-retail pkg: pseudo-retail pkg installation (nas_plugin.sprx)
- unsigned app: unsigned app (vsh.self)
- install pkgs: install pkgs (category_game.xml)
- app_home: app_home (category_game.xml)
nas_plugin.sprx
geohot patch
- Allow: pseudo-retail pkg installation
< 00003250 7c 06 03 78 48 04 b7 21 e8 41 00 28 7c 60 1b 78 --- > 00003250 7c 06 03 78 48 04 b7 21 e8 41 00 28 38 00 00 00
- Note: official COBRA7 includes this patch as well; old homebrew from the 3.55 era needs it.
- ex) modulespatch entry in COBRA7: { geohot_pkg_offset, LI(R0, 0), &condition_true }
kakaroto patch
- Allow: debug pkg installation
- --allow-debug-pkg (ps3mfw command-line option)
< 2f 89 00 00 41 9e 00 4c 38 00 00 00 81 22 8b 10 81 62 8b 14 --- > 2f 89 00 00 60 00 00 00 38 00 00 00 81 22 8b 10 81 62 8b 14
- Note: most CEX MFWs include this patch by kakaroto; it is also used in COBRA7.
- ex) modulespatch entry in COBRA7: { elf2_func1 + elf2_func1_offset, NOP, &condition_true }
rebug patch
- Allow: pseudo-retail pkg installation
< 41 9E 01 B0 3B A1 00 80 3D 00 2E 7B 7B BD 00 20 3D --- > 60 00 00 00 3B A1 00 80 3D 00 2E 7B 7B BD 00 20 3D
- Note: can also be used for DEX CFW, e.g. PS3iTA, REBUG REX/D-REX.
ecdsa check patch for fw 4.50 cex
- Allow: pseudo-retail pkg installation
< 00003260 E8 41 00 28 7C 60 1B 78 F8 1F 01 80 E8 7F 01 80 --- > 00003260 E8 41 00 28 7C 60 1B 78 F8 1F 01 80 38 60 00 00
waninkoko patch - PL3
- Allow: debug pkg installs
- --allow-debug-pkg (ps3mfw command-line option)
< 00037350 41 9e 00 4c 38 00 00 00 81 22 8b 10 81 62 8b 14 --- > 00037350 41 9e 00 04 38 00 00 00 81 22 8b 10 81 62 8b 14
vsh.self
PL3 patch
- Allow: unsigned apps on CEX MFW
< 030a7d0: 409d 0008 3960 0000 8122 ea60 9969 0000 --- > 030a7d0: 409d 0008 6000 0000 8122 ea60 9969 0000
31a7c8: 38 03 ff 7f   addi r0,r3,-129
31a7cc: 2b a0 00 01   cmpldi cr7,r0,1
31a7d0: 40 9d 00 08   ble- cr7,0x31a7d8
- 31a7d4: 39 60 00 00   li r11,0
+ 31a7d4: 60 00 00 00   nop
31a7d8: 81 22 ea 60   lwz r9,-5536(r2)
31a7dc: 99 69 00 00   stb r11,0(r9)
31a7e0: 88 09 00 00   lbz r0,0(r9)
- ex) modulespatch entry in COBRA7: { elf1_func2 + elf1_func2_offset, NOP, &condition_true }
< 05ffee0: 6063 8c06 4bff fe80 f821 ff81 7c08 02a6 --- > 05ffee0: 6063 8c06 4bff fe80 3860 0001 4e80 0020
60fedc: 3c 60 00 04   lis r3,4
60fee0: 60 63 8c 06   ori r3,r3,35846
60fee4: 4b ff fe 80   b 0x60fd64
- 60fee8: f8 21 ff 81   stdu r1,-128(r1)
- 60feec: 7c 08 02 a6   mflr r0
+ 60fee8: 38 60 00 01   li r3,1
+ 60feec: 4e 80 00 20   blr
60fef0: 38 61 00 70   addi r3,r1,112
60fef4: f8 01 00 90   std r0,144(r1)
60fef8: 4b ff ff e1   bl 0x60fed8
- ex) modulespatch entries in COBRA7: { elf1_func1 + elf1_func1_offset, LI(R3, 1), &condition_true }, { elf1_func1 + elf1_func1_offset + 4, BLR, &condition_true }
- Note: commonly used in almost all 4.xx MFWs. Do NOT use this patch for DEX MFW: it breaks the ability to run NPDRM fself.
reActPSN
- Allow: unsigned act.dat and *.rif files
version | addr | old data | new data | function
---|---|---|---|---
3.55 retail | 0x30b230 | 4b cf 5b 45 | 38 60 00 00 | allow unsigned act.dat / *.rif
3.55 retail | 0x30ac90 | 48 31 b4 65 | 38 60 00 00 | fix act.dat missing after reboot
3.55 debug | 0x312308 | 4b ce ea 6d | 38 60 00 00 | allow unsigned act.dat / *.rif
3.55 debug | 0x311d68 | 48 31 b7 d5 | 38 60 00 00 | fix act.dat missing after reboot
3.41 retail | 0x305dc4 | 4b cf af b1 | 38 60 00 00 | allow unsigned act.dat / *.rif
3.41 retail | 0x305824 | 48 31 43 ad | 38 60 00 00 | fix act.dat missing after reboot
3.41 debug | 0x30cedc | 4b cf 3e 99 | 38 60 00 00 | allow unsigned act.dat / *.rif
3.41 debug | 0x30c93c | 48 31 47 1d | 38 60 00 00 | fix act.dat missing after reboot
4.30 debug | 0x2481e4 | 4b db 8b 91 | 38 60 00 00 | allow unsigned act.dat / *.rif
4.30 debug | 0x247c44 | 48 3d 59 61 | 38 60 00 00 | fix act.dat missing after reboot
Every entry replaces a `bl` (the verification call) with `li r3,0`, so the call is skipped and its caller sees a success result.
(Source : http://pastebin.com/26RHud5Q)
XMB InGame ScreenShot Feature
- Allow: taking screenshots in every game (PS3, PSP, minis, ... except PS2)
4.21 retail:
- Export: vshmain_981D7E9F retrieves the screenshot feature flag, enabled (1) / disabled (0), from dword_720A4C+4
seg001:0000000000193498 _Export_vshmain_981D7E9F:        # DATA XREF: OPD:_Export_vshmain_981D7E9F_opd
seg001:0000000000193498     lis     r9, dword_720A4C@h
seg001:000000000019349C     lwz     r9, dword_720A4C@l(r9)
seg001:00000000001934A0     addi    r9, r9, 4
seg001:00000000001934A4     lwarx   r0, r0, r9        -> li r0, 1
seg001:00000000001934A8     srawi   r9, r0, 0x1F
seg001:00000000001934AC     xor     r3, r9, r0
seg001:00000000001934B0     subf    r3, r3, r9
seg001:00000000001934B4     srwi    r3, r3, 31
seg001:00000000001934B8     extsw   r3, r3
seg001:00000000001934BC     blr
seg001:00000000001934BC # End of function _Export_vshmain_981D7E9F
Patching this alone makes the XMB show the screenshot save button, but saving then errors out; a second patch inside vsh.self is required:
sub_195084 (4.21 retail as well):
...
seg001:00000000001950A0     lwz     r9, dword_720A4C@l(r9)
seg001:00000000001950A4     stfd    f31, 0x190+var_8(r1)
seg001:00000000001950A8     std     r22, 0x190+var_68(r1)
seg001:00000000001950AC     std     r23, 0x190+var_60(r1)
seg001:00000000001950B0     std     r24, 0x190+var_58(r1)
seg001:00000000001950B4     std     r25, 0x190+var_50(r1)
seg001:00000000001950B8     std     r26, 0x190+var_48(r1)
seg001:00000000001950BC     std     r27, 0x190+var_40(r1)
seg001:00000000001950C0     std     r28, 0x190+var_38(r1)
seg001:00000000001950C4     std     r29, 0x190+var_30(r1)
seg001:00000000001950C8     std     r31, 0x190+var_20(r1)
seg001:00000000001950CC     addi    r9, r9, 4
seg001:00000000001950D0     lwarx   r0, r0, r9        -> li r0, 1
seg001:00000000001950D4     cmpwi   cr7, r0, 0
seg001:00000000001950D8     li      r3, -0x270D
seg001:00000000001950DC     beq     cr7, return
vsh.elf (CEX, 4.50)
< 00184278 7C 00 48 28 --- > 00184278 38 00 00 01
< 00185EB0 7C 00 48 28 --- > 00185EB0 38 00 00 01
(both sites: lwarx r0,r0,r9 -> li r0,1)
That's it! The screenshot feature now works fine. Have fun, I do!
Remote Play with PlayStation 3 (Windows Software)
premo_plugin.prx
for 4.50
< 0xB7E4 38 60 00 00 li r3, 0 --- > 0xB7E4 38 60 00 01 li r3, 1
premo_game_plugin.prx
for 4.50
< 0xC9E4 38 60 00 00 li r3, 0 --- > 0xC9E4 38 60 00 01 li r3, 1
Allows games flagged as Remote Play enabled (via their SFO) to be played through Sony's official Remote Play PC software.
Make Remote Play SFO flag obsolete (for disc games)
game_ext_plugin.prx
original bytes:
41 9e 00 1c 2f 83 00 03
patched bytes:
41 9e 00 28 2f 83 00 03
lv1.self
graf chokolo patch
- lv1_undocumented_function_114 (mmap)
Part 1 (cmpwi/beq -> nop/b: the conditional branch becomes unconditional, so the check is skipped):
< 2F 80 00 00 41 9E 00 28 38 60 00 00 38 80 00 00 --- > 60 00 00 00 48 00 00 28 38 60 00 00 38 80 00 00
Part 2 (li r9,0 -> li r9,1):
< 000f5a40 39 08 05 48 39 20 00 00 38 60 00 00 4b ff fc 45 --- > 000f5a40 39 08 05 48 39 20 00 01 38 60 00 00 4b ff fc 45
2d5a38: 7f 87 e3 78   mr r7,r28
2d5a3c: e8 89 00 00   ld r4,0(r9)
2d5a40: 39 08 05 48   addi r8,r8,1352
- 2d5a44: 39 20 00 00   li r9,0
+ 2d5a44: 39 20 00 01   li r9,1
2d5a48: 38 60 00 00   li r3,0
2d5a4c: 4b ff fc 45   bl 0x2d5690
2d5a50: 38 00 00 00   li r0,0
- Note: allows mapping of protected memory; needed for lv2 peek/poke.
LV1 peek/poke (Unused LV1 calls 182 & 183)
Allow : LV1 peek/poke
< 64 00 FF FF 60 00 FF EC F8 03 00 C0 4E 80 00 20 38 00 00 00 64 00 FF FF 60 00 FF EC F8 03 00 C0 --- > E8 83 00 18 E8 84 00 00 F8 83 00 C8 4E 80 00 20 38 00 00 00 E8 A3 00 20 E8 83 00 18 F8 A4 00 00
Disable System Integrity Check
< 48 00 E0 35 2F 83 00 00 38 60 00 01 41 9E 00 20 --- > 38 60 00 00 2F 83 00 00 38 60 00 01 41 9E 00 20
- Note: allows booting with mismatched COREOS/SYSCON versions or on a PS3 that is not QA-enabled.
Skip all ACL Checks
< 54 63 06 3E 2F 83 00 00 41 9E 00 14 E8 01 00 70 54 00 07 FE 2F 80 00 00 40 9E 00 18 --- > 38 60 00 01 2F 83 00 00 41 9E 00 14 38 00 00 01 54 00 07 FE 2F 80 00 00 40 9E 00 18
- Note: needed for OtherOS++ / downgrader.
wutangrza patch
- hash fixing
< 00136bc0 00 00 00 00 00 00 00 00 72 73 78 20 64 72 69 76 |........rsx driv| --- > 00136bc0 00 00 00 00 00 00 00 00 72 73 73 20 64 72 69 76 |........rss driv|
< 00136be0 3a 20 63 6f 72 65 2f 63 6f 6e 74 65 78 74 2e 63 |: core/context.c| --- > 00136be0 3a 20 63 6f 72 65 20 63 6f 6e 74 65 78 74 2e 63 |: core context.c|
lv2_kernel.self
PL3 patch
- lv2 peek / poke
< 00029330 7c 63 07 b4 38 21 00 a0 4e 80 00 20 3c 60 80 01 --- > 00029330 7c 63 07 b4 38 21 00 a0 4e 80 00 20 e8 63 00 00
< 00029340 60 63 00 03 4e 80 00 20 3c 60 80 01 60 63 00 03 --- > 00029340 60 00 00 00 4e 80 00 20 f8 83 00 00 60 00 00 00
8000000000019330: 7c 63 07 b4   extsw r3,r3
8000000000019334: 38 21 00 a0   addi r1,r1,160
8000000000019338: 4e 80 00 20   blr
-800000000001933c: 3c 60 80 01   lis r3,-32767
-8000000000019340: 60 63 00 03   ori r3,r3,3
+800000000001933c: e8 63 00 00   ld r3,0(r3)
+8000000000019340: 60 00 00 00   nop
8000000000019344: 4e 80 00 20   blr
-8000000000019348: 3c 60 80 01   lis r3,-32767
-800000000001934c: 60 63 00 03   ori r3,r3,3
+8000000000019348: f8 83 00 00   std r4,0(r3)
+800000000001934c: 60 00 00 00   nop
8000000000019350: 4e 80 00 20   blr
8000000000019354: 3c 60 80 01   lis r3,-32767
8000000000019358: 60 63 00 03   ori r3,r3,3
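All of the `<` / `>` byte listings above (nas_plugin.sprx, vsh.self, lv1.self, lv2_kernel.self) are raw big-endian PowerPC words, and nearly every patch is one of a handful of idioms: `li rX,imm`, `nop`, `blr`, or a conditional branch turned unconditional. The decoder below is an added example written for this page (not code from the page, PS3MFW or COBRA); it covers only the instruction subset that appears here, which is an assumption, and prints anything else as `.long`. Its worked input is the lv2_kernel.self PL3 peek/poke patch just above.

```python
"""Decoder for the PowerPC (64-bit, big-endian) instruction subset used by the byte
patches in this section. Added example, not code from the page, PS3MFW or COBRA.
Formatting follows objdump (decimal immediates, absolute branch targets); the
subset is an assumption: anything outside it is printed as .long."""
import struct

CR_COND = ("lt", "gt", "eq", "so")
CR_NOT = {"lt": "ge", "gt": "le", "eq": "ne", "so": "ns"}


def _signed(value, bits):
    """Sign-extend the low `bits` bits of `value`."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(word, addr=0):
    """Return objdump-style text for one 32-bit instruction located at `addr`."""
    op = word >> 26
    rd = (word >> 21) & 31          # rD / rS (BO for conditional branches)
    ra = (word >> 16) & 31          # rA (BI for conditional branches)
    rb = (word >> 11) & 31
    simm = _signed(word & 0xFFFF, 16)
    uimm = word & 0xFFFF
    if word == 0x60000000:                         # ori r0,r0,0 is the canonical nop
        return "nop"
    if op == 14:
        return f"li r{rd},{simm}" if ra == 0 else f"addi r{rd},r{ra},{simm}"
    if op == 15:
        return f"lis r{rd},{simm}" if ra == 0 else f"addis r{rd},r{ra},{simm}"
    if op == 24:
        return f"ori r{ra},r{rd},{uimm}"
    if op in (10, 11):                             # cmpldi / cmpwi
        mnem, imm = ("cmpldi", uimm) if op == 10 else ("cmpwi", simm)
        return f"{mnem} cr{(word >> 23) & 7},r{ra},{imm}"
    if op == 18:                                   # b / bl, 26-bit relative target
        target = addr + _signed(word & 0x03FFFFFC, 26)
        return f"{'bl' if word & 1 else 'b'} {hex(target)}"
    if op == 16:                                   # bc: rd is BO, ra is BI
        target = addr + _signed(word & 0xFFFC, 16)
        cond = CR_COND[ra & 3]
        if rd in (12, 4):                          # branch if CR bit set / clear
            return f"b{cond if rd == 12 else CR_NOT[cond]} cr{ra >> 2},{hex(target)}"
        return f"bc {rd},{ra},{hex(target)}"
    if op == 19 and (word >> 1) & 0x3FF == 16:     # bclr
        return "blr" if rd == 20 else f"bclr {rd},{ra}"
    if op in (32, 34, 36, 38):
        mnem = {32: "lwz", 34: "lbz", 36: "stw", 38: "stb"}[op]
        return f"{mnem} r{rd},{simm}(r{ra})"
    if op in (58, 62):                             # DS-form: ld/ldu, std/stdu
        mnem = ("ld" if op == 58 else "std") + ("u" if word & 3 else "")
        return f"{mnem} r{rd},{_signed(word & 0xFFFC, 16)}(r{ra})"
    if op == 31:
        xo = (word >> 1) & 0x3FF
        if xo == 444:
            return f"mr r{ra},r{rd}" if rd == rb else f"or r{ra},r{rd},r{rb}"
        if xo == 20:
            return f"lwarx r{rd},r{ra},r{rb}"
        if xo == 339 and (ra | (rb << 5)) == 8:    # mfspr with SPR 8 (LR)
            return f"mflr r{rd}"
        if xo == 986:
            return f"extsw r{ra},r{rd}"
    return f".long 0x{word:08x}"


def disasm(hex_bytes, base=0):
    """Disassemble a hex byte string (spaces ignored) that starts at address `base`."""
    data = bytes.fromhex(hex_bytes.replace(" ", ""))
    out = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (word,) = struct.unpack(">I", data[off:off + 4])
        out.append((base + off, decode(word, base + off)))
    return out


def patch_diff(before_hex, after_hex, base=0):
    """Pair up a '<' / '>' byte patch word by word and return
    [(addr, old_text, new_text), ...] for only the words that differ."""
    old, new = disasm(before_hex, base), disasm(after_hex, base)
    return [(a, o, n) for (a, o), (_, n) in zip(old, new) if o != n]


# The lv2_kernel.self PL3 peek/poke patch from this page: two syscall stubs that
# returned 0x80010003 become `ld r3,0(r3)` (peek) and `std r4,0(r3)` (poke).
LV2_BEFORE = "3c 60 80 01 60 63 00 03 4e 80 00 20 3c 60 80 01 60 63 00 03 4e 80 00 20"
LV2_AFTER = "e8 63 00 00 60 00 00 00 4e 80 00 20 f8 83 00 00 60 00 00 00 4e 80 00 20"

if __name__ == "__main__":
    for addr, old, new in patch_diff(LV2_BEFORE, LV2_AFTER, base=0x800000000001933C):
        print(f"{addr:016x}: {old:<16} -> {new}")
```

Running it reproduces the `-`/`+` lines of the listing above. A detail worth noticing when comparing patches: the waninkoko PL3 nas_plugin patch turns `41 9e 00 4c` (`beq cr7,+0x4c`) into `41 9e 00 04`, a branch to the very next instruction, which behaves like `nop` while leaving the branch opcode in place, whereas kakaroto's version of the same patch writes a literal `60 00 00 00`.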
wutangrza patch
- hash fixing
< 002d6e00 6f 75 6c 64 20 6e 6f 74 20 67 65 74 20 50 50 50 |ould not get PPP| --- > 002d6e00 6f 75 6c 64 20 6e 6f 74 20 6e 6f 74 20 6e 6f 74 |ould not not not|
< 002d6e10 6f 45 20 68 65 61 64 65 72 0a 00 00 00 00 00 00 |oE header.......| --- > 002d6e10 20 6e 6f 74 20 6e 6f 74 20 6e 6f 74 20 6e 00 00 | not not not n..|
< 00359380 a0 40 36 6b 2d 8a 50 99 1e b3 0c 53 e5 9b 5d 6e --- > 00359380 5e b8 a5 00 8c f3 bc 24 08 91 19 61 e6 db 19 cb
< 00359390 61 2c ac b8 00 00 00 00 00 00 00 00 00 00 00 00 --- > 00359390 0d ca fd 2f 00 00 00 00 00 00 00 00 00 00 00 00
4.21 patches
Summary
lv2_kernel.self
kakaroto's sigcheck patch
In memory at 0x800000000005A2A8 (offset 0x6a2a8 in lv2_kernel.elf) replace "e9 22 99 90 7c 08 02 a6" with "38 60 00 00 4e 80 00 20" (li r3,0 ; blr), so the check function returns 0 immediately.
(Source: https://twitter.com/KaKaRoToKS/status/260742786972798977)
disable epilepsy message
Patch to disable (not just replace) the warning screen shown on boot since FW 4.00; once patched, it no longer delays the VSH boot process.
PS3 MFW builder: disable_epilepsy_warning task (uses the same search/replace as below)
seg024:00000000006E75F9 byte_6E75F9: .byte 1    # DATA XREF: sub_CAC70+314, sub_CAC70+324
...
# 1 = show health care msg, 0 = don't show
VSH.self
The message and everything around it is handled in Sysconf_plugin, but that plugin is loaded with a special parameter from VSH, so the flag is patched in VSH.
Retail/CEX + Shop/SEX
set search "\x00\x00\x00\x02\x00\x00\x00\x01\x02\x01\x01\x01\xFF\xFF\xFF\xFF"
set replace "\x00\x00\x00\x02\x00\x00\x00\x01\x02\x00\x01\x01\xFF\xFF\xFF\xFF"
Debug/DEX
set search "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x01\x00\xFF\xFF\xFF\xFF"
set replace "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x00\xFF\xFF\xFF\xFF"
Tool/DECR + Arcade/GEX
Nothing to patch: the flag is not set by default.
seg025:000000000070F8B9 unk_70F8B9: .space 1
Offsets
vsh.elf | 4.00 | 4.01 | 4.10 | 4.11 | 4.20 | 4.21 | 4.23 | 4.25 | 4.26 | 4.30 | 4.31 | 4.40 | 4.41 | 4.45 | 4.46 | 4.50 | 4.55 | 4.60 | 4.65 | 4.66 | 4.70 | 4.75 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CEX | 0x6D7100 | - | 0x6D7230 | 0x6D7230 | 0x6E7758 | 0x6E7758 | - | 0x6E7760 | - | 0x6E7860 | 0x6E7860 | 0x6E79C0 | 0x6E79C0 | 0x6E7C88 | 0x6E7C88 | - | - | 0x6E8958 | 0x6E8960 | 0x6E8978 | 0x6E89E8 | 0x6E8370 |
SEX | 0x6D6F90 | - | 0x6D70C0 | 0x6D70C0 | 0x6D75F0 | 0x6D75F0 | 0x6D75F0 | - | 0x6D75F8 | - | 0x6E7878 | 0x6E79D8 | 0x6E79D8 | 0x6E7CA0 | 0x6E7CA0 | - | 0x6E88C8 | 0x6E8970 | - | 0x6E8990 | 0x6E8A00 | 0x6E8388 |
DEX | 0x6E7A68 | 0x6E7A68 | 0x6E7B98 | 0x6E7B98 | 0x6E80C0 | 0x6E80C0 | - | 0x6E80C8 | - | 0x6E81C8 | - | - | - | - | 0x6F85F0 | 0x6F9200 | 0x6F9218 | 0x6F92B8 | - | 0x6F92E0 | 0x6F9350 |
disable wait for coldboot view sleep
CEX + SHOP + DEX + DECR
set search "\x88\x1D\x00\x06\x3C\x60\x00"
set replace "\x38\x00\x00\x01\x3C\x60\x00"
GEX/Arcade
N/A
Offsets
vsh.elf | 4.00 | 4.01 | 4.10 | 4.11 | 4.20 | 4.21 | 4.23 | 4.25 | 4.26 | 4.30 | 4.31 | 4.40 | 4.41 | 4.45 | 4.46 | 4.50 | 4.55 | 4.60 | 4.65 | 4.66 | 4.70 | 4.75 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CEX | 0xBEA98 | - | 0xBEA88 | 0xBEABC | 0xBF1DC | 0xBF1DC | - | 0xBF1E4 | - | 0xBF4E4 | 0xBF4E4 | 0xBF4E4 | 0xBF4E4 | 0xBF4E4 | 0xBF4E4 | - | - | 0xBF3B0 | 0xBF3B0 | 0xBF3B0 | 0xBF30C | 0xBF30C |
SEX | 0xBED04 | - | 0xBECF4 | 0xBED28 | 0xBF44C | 0xBF44C | 0xBF44C | - | 0xBF454 | - | 0xBF754 | 0xBF6E8 | 0xBF6E8 | 0xBF6E8 | 0xBF6E8 | - | 0xBF5F4 | 0xBF5A4 | - | 0xBF5A4 | 0xBF500 | 0xBF500 |
DEX | 0xC3AA8 | 0xC3AA8 | 0xC3A98 | 0xC3ACC | 0xC41D4 | 0xC41D4 | - | 0xC41EC | - | 0xC44EC | - | - | - | - | - | 0xC43D4 | 0xC43F0 | 0xC43B0 | - | 0xC43B0 | - | |
DECR | 0xC3F58 | - | - | - | - | - | - | - | - | - | - | - | - | - | - | 0xC5110 | - | - | - | - | - |
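The `set search` / `set replace` pairs above are PS3MFW builder patterns, and the offset tables are what lets you confirm a match landed where it should for a given firmware. The script below is an added example, not code from PS3MFW builder or from this page: it applies such a pattern only when it matches exactly once (a pattern with too little context can match several places, and a pattern that does not match at all usually means the wrong firmware or file), checks the match against the table offset, and reports the changed bytes in the `<` / `>` style this page uses. The "image" it patches is a constructed stand-in for a decrypted vsh.elf, not a real one; the offsets are the CEX values from the coldboot table.

```python
"""PS3MFW-style search/replace patcher with the checks the offset tables imply.
Added example; not code from PS3MFW builder. The sample image is constructed here,
not a real vsh.elf, and the offsets are the CEX values from the coldboot table."""

# Search/replace pair from "disable wait for coldboot view sleep": lbz r0,6(r29)
# becomes li r0,1; the trailing 3 bytes are context that keep the match unique.
COLDBOOT_SEARCH = b"\x88\x1D\x00\x06\x3C\x60\x00"
COLDBOOT_REPLACE = b"\x38\x00\x00\x01\x3C\x60\x00"
COLDBOOT_OFFSET_CEX = {"4.21": 0xBF1DC, "4.30": 0xBF4E4, "4.46": 0xBF4E4, "4.65": 0xBF3B0}


class PatchError(Exception):
    """Raised when a patch cannot be applied safely."""


def find_all(image, pattern):
    """Offsets of every occurrence of `pattern` in `image` (overlaps included)."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits


def apply_patch(image, search, replace, expect_offset=None):
    """Replace exactly one occurrence of `search` with `replace`; return the new image.
    Refuses to patch when the pattern is absent (wrong firmware/file), ambiguous
    (needs more context bytes), of a different length, or not at `expect_offset`."""
    if len(search) != len(replace):
        raise PatchError("search and replace patterns differ in length")
    hits = find_all(image, search)
    if not hits:
        raise PatchError("pattern not found: wrong firmware version or file?")
    if len(hits) > 1:
        raise PatchError("pattern is ambiguous at " + ", ".join(hex(h) for h in hits))
    if expect_offset is not None and hits[0] != expect_offset:
        raise PatchError(f"pattern at {hits[0]:#x}, expected {expect_offset:#x}")
    off = hits[0]
    return image[:off] + replace + image[off + len(replace):]


def diff_offsets(before, after):
    """Offsets of every byte that differs between two equally sized images,
    i.e. what the '<' / '>' listings on this page show."""
    if len(before) != len(after):
        raise PatchError("images differ in size")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def build_sample_image(size, pattern, offsets):
    """Constructed stand-in for a decrypted vsh.elf: nops with `pattern` at `offsets`."""
    image = bytearray(b"\x60\x00\x00\x00" * (size // 4))
    for off in offsets:
        image[off:off + len(pattern)] = pattern
    return bytes(image)


if __name__ == "__main__":
    fw = "4.30"
    original = build_sample_image(0xC0000, COLDBOOT_SEARCH, [COLDBOOT_OFFSET_CEX[fw]])
    patched = apply_patch(original, COLDBOOT_SEARCH, COLDBOOT_REPLACE,
                          expect_offset=COLDBOOT_OFFSET_CEX[fw])
    print("changed bytes at", [hex(o) for o in diff_offsets(original, patched)])
    try:  # the same pattern twice must be refused rather than patched blindly
        apply_patch(build_sample_image(0xC0000, COLDBOOT_SEARCH, [0x1000, 0xBF4E4]),
                    COLDBOOT_SEARCH, COLDBOOT_REPLACE)
    except PatchError as err:
        print("refused:", err)
```

Because the patcher compares the match against the table, feeding it a 4.21 image with the 4.30 offset fails loudly instead of producing a file that looks patched but was not; the same check catches a dump of the wrong SKU (CEX vs DEX), since the offsets differ per column in the table.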
Enforce gameboot animation on higher firmwares
game_ext_plugin.sprx: 38 80 00 00 7B E3 00 20 -> 38 80 00 00 38 60 00 02, then add gameboot_multi and gameboot_stereo
If that pattern is not found on newer firmwares, try: 2F 89 00 00 7B C3 00 20 -> 2F 89 00 00 38 60 00 02, then add gameboot_multi and gameboot_stereo
XMB icons removal
Samples: https://www.sendspace.com/file/e822dp
- Rcomage usage notes:
- dump resources raw, without conversion (unmark all the checkboxes)
- compile using zlib header compression (mark the zlib checkbox)
Main XMB icons removal
Extract the contents of: xmb_plugin_normal.rco
- In the .xml file that represents the .rco structure (aka RCOXML)
- Locate the XMenu tag. Among its long list of attributes find menus="0xa": it defines the number of columns in the main XMB (10 main icons for 10 columns).
- Replace the value of menus="0xa" with the number of main icons you want in the XMB (this depends on how many you are going to remove).
- Under XMenu there are several XMList elements; they describe the 10 icons of the main XMB.
- Delete the XMList line(s) that define the icon(s) you want to remove.
Sample for 4.70 firmware ---> https://www.sendspace.com/file/0libpe
XMB In-game icons removal
The process is the same with the file xmb_ingame.rco, but this .rco also contains the icon images, so for every icon removed from the structure it is good to remove its image as well. Removing the images is not required, but it makes the final .rco smaller.
- Under ImageTree there are several Image elements; they are the 10 icons of the main XMB.
- Delete the Image line/s that defines the icon/s you want to remove
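The two procedures above (XMList removal under XMenu with the menus count kept in step, and Image removal under ImageTree) are plain XML edits on the RCOXML dumped by Rcomage. The script below is an added example, not a tool from this page or from Rcomage: the tag names XMenu, XMList, ImageTree and Image are the ones named above, while the sample document, its `name` attribute values and the assumption that XMList/Image entries are identified by a `name` attribute are constructed for the example. It refuses to edit a dump whose menus count already disagrees with the number of XMList elements, and rejects unknown names so a typo cannot silently leave an icon in place.

```python
"""Editing the RCOXML dumped by Rcomage: drop XMList entries from XMenu, keep the menus
attribute in sync, and drop the matching Image entries from ImageTree. Added example,
not a tool from the page or from Rcomage. Tag names come from the page; the sample
document and its name attribute values are constructed assumptions."""
import xml.etree.ElementTree as ET

# Constructed RCOXML fragment: ten columns, as in xmb_plugin_normal.rco, plus a few of
# the icon images that xmb_ingame.rco carries. Real dumps have many more attributes.
SAMPLE_RCOXML = """<?xml version="1.0"?>
<RcoFile>
  <XMenu name="xmenu" menus="0xa" style="0x0">
    <XMList name="xmlist_users"/>
    <XMList name="xmlist_settings"/>
    <XMList name="xmlist_photo"/>
    <XMList name="xmlist_music"/>
    <XMList name="xmlist_video"/>
    <XMList name="xmlist_tv"/>
    <XMList name="xmlist_game"/>
    <XMList name="xmlist_network"/>
    <XMList name="xmlist_psn"/>
    <XMList name="xmlist_friends"/>
  </XMenu>
  <ImageTree>
    <Image name="tex_icon_users"/>
    <Image name="tex_icon_settings"/>
    <Image name="tex_icon_psn"/>
    <Image name="tex_icon_friends"/>
  </ImageTree>
</RcoFile>
"""


def remove_icons(rcoxml, lists_to_remove, images_to_remove=()):
    """Remove the named XMList (and Image) elements and fix up menus="0x..".
    Returns the new XML text plus the surviving names so the result can be checked."""
    root = ET.fromstring(rcoxml)
    xmenu = root.find(".//XMenu")
    if xmenu is None:
        raise ValueError("no XMenu element: is this the xmb_plugin_normal.rco dump?")
    lists = xmenu.findall("XMList")
    declared = int(xmenu.get("menus"), 16)
    if declared != len(lists):        # dump already inconsistent; do not make it worse
        raise ValueError(f"menus={declared:#x} but {len(lists)} XMList elements")
    names = {e.get("name") for e in lists}
    missing = set(lists_to_remove) - names
    if missing:                        # a typo here would silently leave the icon in place
        raise ValueError("unknown XMList names: " + ", ".join(sorted(missing)))
    for element in lists:
        if element.get("name") in lists_to_remove:
            xmenu.remove(element)
    remaining = [e.get("name") for e in xmenu.findall("XMList")]
    xmenu.set("menus", f"0x{len(remaining):x}")   # column count must match XMList count
    images = []
    tree = root.find(".//ImageTree")
    if tree is not None:
        for image in list(tree.findall("Image")):
            if image.get("name") in images_to_remove:
                tree.remove(image)
        images = [e.get("name") for e in tree.findall("Image")]
    return {"xml": ET.tostring(root, encoding="unicode"),
            "menus": len(remaining), "lists": remaining, "images": images}


if __name__ == "__main__":
    result = remove_icons(SAMPLE_RCOXML, {"xmlist_psn", "xmlist_friends"},
                          {"tex_icon_psn", "tex_icon_friends"})
    print(result["menus"], result["lists"], result["images"])
```

The edited text is then what you feed back to Rcomage for recompilation with the zlib option noted above; the returned `menus` value is the number to expect in the recompiled file.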
4.60+ patches
LIC.DAT patch
ROM:00056218 loc_56218: # CODE XREF: sub_560A8+160j ROM:00056218 li r0, 1 ROM:0005621C ld r3, off_349198 # aDev_bdvdPs3__0 (PARAM.SFO) ROM:00056220 addi r4, r1, 0x4F0+var_468 ROM:00056224 lbz r30, 0x4F0+var_480+1(r1) ROM:00056228 stw r0, 0x6C(r28) ROM:0005622C lbz r29, 0x4F0+var_480(r1) ROM:00056230 bl sub_29FDAC # ----> replaced with li r3, 1 to disable the sub call for /dev_bdvd/...../LIC.DAT
- Note: a patch that ignores LIC.DAT, to prevent random freezing when launching homebrew.
- Found by dean many thanks to him :)
RIF R and S must not be 0 (4.84/4.85)
- Allow: RIFs whose R and S values are zero-filled (the reActPSN patches allow an invalid signature such as 1, but the fields must be non-zero). Useful for HEN, because its previous revisions skipped them.
seg001:00252020 li r3, 0
seg001:00252024 blr
4.75+ patches
PSP DRM fix (4.75/4.76)
- Allow: unsigned PSP packages (a.k.a. type free, without license); also known as the 80029537 error fix
< 7F E3 07 B4 EB 81 01 E0 EB A1 01 E8 7C 08 03 A6 --- > 38 60 00 00 EB 81 01 E0 EB A1 01 E8 7C 08 03 A6
(extsw r3,r31 -> li r3,0: the function returns 0 instead of the error code in r31)
seg001:0000000000255260 loc_255260:        # CODE XREF: seg001:0000000000255244j
seg001:0000000000255260                    # seg001:0000000000255250j
seg001:0000000000255260     lis     r31, -0x7FFE       # 0x80029537
seg001:0000000000255264     ori     r31, r31, 0x9537   # 0x80029537
seg001:0000000000255268
- Note: Sony added new DRM for PSP content; unsigned pkgs cannot run without this patch.
- Thanks to habib who did awesome job on reversing :)
Make VSH Attachable (Debug LV2)
< 40 9E FF C8 4B FF FF C8 E9 22 80 08 7C 08 02 A6 --- > 40 9E FF C8 4B FF FF C8 38 60 00 01 4E 80 00 20
(the function prologue is replaced by li r3,1 ; blr, so it returns 1 immediately)