multiMAN -- Crunching Support & Releases

**rednekcowboy** · 03-02-2013, 08:46 AM

Originally Posted by deank

Let me upload it again - it is easier than to search for it:

DUMMY_BDEMU.rar (1.35MB)
http://www.sendspace.com/file/48vs1g

Dean

Thanks man, awesome as always!!!

**bobross** · 03-02-2013, 12:31 PM

Rogero 4.30 v2.06?

**deank** · 03-02-2013, 01:01 PM

Right... It is a test/developer build/rsod bypass firmware... like 2.07 which is rsod/bsod bypass/downgrade fw..., so nothing to get excited.

I guess you don't believe that Rogero just wakes up one morning and releases new version without proper tests.

**gDrive** · 03-02-2013, 07:43 PM

Originally Posted by deank

You can use the stealth versions on other firmwares, too, but then it is not really 'stealth'.

The idea with Rogero FWs is that you have the toolbox preinstalled (in /dev_flash and not with the games where it could be suspicious). And via the toolbox you load/update stealthMAN - this allows you to keep your XMB clean and have no other apps installed (that can be detected).

Anyway - there is no real safe way to go online. I don't have PSN and don't play online.

Hence me referring to it now as proxyMAN, simply because you use the installPKG app to start up mM!

**dogmc** · 03-03-2013, 05:29 AM

can you make me a stealthMAN-[Greed Corp].pkg 04.20.00 base or something better Mr D

oh how 2 update from stealthMAN-[Greed Corp].pkg 2 4.20.base and fodder up ned some help

**dogmc** · 03-03-2013, 08:13 AM

Originally Posted by gDrive

Hence me referring to it now as proxyMAN, simply because you use the installPKG app to start up mM!

whats that bad whit it explain 2 us (proxyMAN) give a link 4 it

**deank** · 03-03-2013, 10:45 AM

multiMAN 04.20.03 update is available online and in the WEB column.

multiMAN ver 04.20.03 UPD (20130303).zip (7.97MB)
http://www.sendspace.com/file/at0tkc

* Added support for 4.30DEX CFW (REBUG) (TBA)
* Added support for PS1 BIN+CUE (using ps1_emu/netemu) for 3.55DEX, 4.21DEX and 4.30DEX

* Added DynaRec support: New option in Settings "Enable DYNAREC"
* DYNAREC support for 3.55CEX/DEX, 4.21CEX/DEX, 4.30CEX/DEX, 4.31CEX
* Fixed few minor issues in 4x2 and 8x4 modes (refreshing the game title when insert/ejecting a PS3 game disc)
* Fixed a very rare bug in mmOS when icon names/texts are getting corrupted

DYNAREC support tested on 4.21REX and 4.30ROGERO with ps3sx_Beta.pkg which is enough to assume that the implementation is proper. Thanks to Ing. Pereira for the htab info and PeteUK for the testing. All offsets can be found in my source below so Ing. Pereira can port his app for other firmwares, too. Also there is an easier way to detect all CFW firmwares and I posted about it at the end of this post.

=============================================

Here is a slightly modified PS3SX:

* You can install it on any mM supported firmware (3.55CEX/DEX, 4.21CEX/DEX, 4.30CEX/DEX, 4.31CEX)
* The configuration file is USRDIR/CF.ini
* Comes with bios and all paths set properly where the default ROM path is /dev_hdd0/PSXISO
* EBOOT.BIN calls RELOAD.SELF so you can boot PS3SX directly from multiMAN
* It has VERY POOR compatibility but shows that dynarec is working on all firmwares.

PS3SX [BETA].pkg (5.95MB)
http://www.sendspace.com/file/h0dsht

You can enable DynaRec in mM's settings and directly load PS3SX from mM's GAME column. Thanks to aldostools for the cover. Developers can use this dynarec option in mM if they wish to test their apps in this environment.

=============================================

The implementation in mM is different than IngPereira's approach, because it doesn't use the 0x700000 area for the payload and the patches, there are no issues with PKG files and works on all firmwares. Still the kammy data for the hvsc redirections is used, but dynarec's usage is greatly simplified by an "On/Off" option in mM.

I'm just saying this because some morons will go again with their idiotic comments about copy/pasting. Parts of the mM code is here, along with info how to make it work on all firmwares.

Dean

It is as simple as that:

Code:

/* (c) 2010-2013 multiMAN, Dynarec Enabler
   (c) 2013 Ing Pereira
*/
#define HTAB_BASE                0x800000000f000000ULL

#define HTAB_LV2_START_421            (0x01000000ULL)
#define HTAB_LV2_START_421D            (0x08000000ULL)
#define HTAB_LV2_START_430            (0x01000000ULL)

// base_addr = address of mM's payload
// base_addr + 0x100 = address of htab payload

void dynarec_payload()
{
    u64 base_addr=0;
    u64 patch_htab1=0;
    u64 patch_htab2=0;
    u64 patch_htab3=0;
    HTAB_LV2_START=0;

    if(c_firmware==3.55f && !dex_mode)
    {
        base_addr=0x2BE0D0;
        patch_htab1=0x59944;
        patch_htab2=0x5A37C;
        patch_htab3=0x5A844;
    }
    else if(c_firmware==3.55f && dex_mode)
    {
        base_addr=0x2D5B20;
        patch_htab1=0x5D230;
        patch_htab2=0x5DC68;
        patch_htab3=0x5E130;
    }
    else if(c_firmware==4.21f && !dex_mode)
    {
        base_addr=0x2D0C98;
        patch_htab1=0x5CCA4;
        patch_htab2=0x5D6DC; //+A38
        patch_htab3=0x5DBA4; //+4C8

    }
    else if(c_firmware==4.21f && dex_mode)
    {
        base_addr=0x2EB418;
        patch_htab1=0x605BC;
        patch_htab2=0x60FF4;
        patch_htab3=0x614BC;
    }
    else if(c_firmware==4.30f && !dex_mode)
    {
        base_addr=0x2D2418; //0x6ff000; to test htab
        patch_htab1=0x5CDF4;
        patch_htab2=0x5D82C;
        patch_htab3=0x5DCF4;
    }
    else if(c_firmware==4.30f && dex_mode)
    {
        base_addr=0x2ECB48;
        patch_htab1=0x6070C;
        patch_htab2=0x61144;
        patch_htab3=0x6160C;
    }
    else if(c_firmware==4.31f && !dex_mode)
    {
        base_addr=0x2D2428;
        patch_htab1=0x5CDF8;
        patch_htab2=0x5D830;
        patch_htab3=0x5DCF8;
    }
    else return;

    base_addr|=0x8000000000000000ULL;
    patch_htab1|=0x8000000000000000ULL;
    patch_htab2|=0x8000000000000000ULL;
    patch_htab3|=0x8000000000000000ULL;

    if(patch_htab1 && HTAB_LV2_START)
    {

        Lv2Syscall2(7, base_addr + 0x100, 0x7C0802A6F8010010ULL);
        Lv2Syscall2(7, base_addr + 0x108, 0xF821FF81F8410070ULL);
        Lv2Syscall2(7, base_addr + 0x110, 0x3C40800060420000ULL);

        Lv2Syscall2(7, base_addr + 0x118, 0x784207C664420000ULL | ( ((base_addr+0x198)>>16)&0xFFFF) );
        Lv2Syscall2(7, base_addr + 0x120, 0x60420000E8020000ULL | ( ((base_addr+0x198))&0xFFFF)<<32 );

        Lv2Syscall2(7, base_addr + 0x128, 0xE84200087C0903A6ULL);
        Lv2Syscall2(7, base_addr + 0x130, 0x4E800421E8410070ULL);

        Lv2Syscall2(7, base_addr + 0x138, 0x38210080E8010010ULL);// BCTR <htab_write_caller> desc
        Lv2Syscall2(7, base_addr + 0x140, 0x7C0803A64E800020ULL);
        Lv2Syscall2(7, base_addr + 0x148, 0x78C607647C0802A6ULL);// <htab_write_caller>
        Lv2Syscall2(7, base_addr + 0x150, 0xF801001060C60002ULL);
        Lv2Syscall2(7, base_addr + 0x158, 0xF821FF914800001DULL);// -> BL <lv1_write_htab>
        Lv2Syscall2(7, base_addr + 0x160, 0x6000000038210070ULL);
        Lv2Syscall2(7, base_addr + 0x168, 0x7C6307B4E8010010ULL);
        Lv2Syscall2(7, base_addr + 0x170, 0x7C0803A64E800020ULL);
        Lv2Syscall2(7, base_addr + 0x178, 0x7C0802A6F8010010ULL);// <lv1_write_htab>
        Lv2Syscall2(7, base_addr + 0x180, 0x3960000144000022ULL);
        Lv2Syscall2(7, base_addr + 0x188, 0x7C6307B4E8010010ULL);
        Lv2Syscall2(7, base_addr + 0x190, 0x7C0803A64E800020ULL);
        Lv2Syscall2(7, base_addr + 0x198, (base_addr + 0x148));     // htab _Custom call desc
        Lv2Syscall2(7, base_addr + 0x1A0, 0x8000000000700000ULL);

        /* enable full r/w/x access */
        uint64_t pte0, pte1;

        /* process entire lv2 */
        for (int i = 0; i < 128; i++)
        {
            /* read the old value */
            pte0 = Lv2Syscall1(6, HTAB_BASE | (i << 7));
            pte1 = Lv2Syscall1(6, HTAB_BASE | (i << 7) + 8);

            /* verify entry is lv2 */
            if ((pte1 >= HTAB_LV2_START) && (pte1 < (HTAB_LV2_START+0x800000ULL)))
            {
                /* patch proper htab settings */
                lv1_write_htab_entry(0, i << 3, pte0, (pte1 & 0xff0000) | 0x190);
            }
        }

        Lv2Syscall2(7, patch_htab1, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab1)&0xFFFFFF)<<32) );
        Lv2Syscall2(7, patch_htab2, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab2)&0xFFFFFF)<<32) );
        Lv2Syscall2(7, patch_htab3, (0x480000012C230000ULL) | ( ((base_addr+0x100-patch_htab3)&0xFFFFFF)<<32) );
    }
}

Code:

...
    u64 CEX=0x4345580000000000ULL;
    u64 DEX=0x4445580000000000ULL;

    if(peekq(0x80000000002E79C8ULL)==DEX) {dex_mode=2; c_firmware=3.41f;}
    else
    if(peekq(0x80000000002CFF98ULL)==CEX) {dex_mode=0; c_firmware=3.41f;}
    else
    if(peekq(0x80000000002EFE20ULL)==DEX) {dex_mode=2; c_firmware=3.55f;}
    else
    if(peekq(0x80000000002D83D0ULL)==CEX) {dex_mode=0; c_firmware=3.55f;}
    else
    if(peekq(0x8000000000302D88ULL)==DEX) {dex_mode=2; c_firmware=4.21f;}
    else
    if(peekq(0x80000000002E8610ULL)==CEX) {dex_mode=0; c_firmware=4.21f;}
    else
    if(peekq(0x80000000002E9F08ULL)==CEX) {dex_mode=0; c_firmware=4.30f;}
    else
    if(peekq(0x8000000000304630ULL)==DEX) {dex_mode=2; c_firmware=4.30f;}
    else
    if(peekq(0x80000000002E9F18ULL)==CEX) {dex_mode=0; c_firmware=4.31f;}
    else
// unknown fw...

In IDA for 4.30CEX where:

base_addr=0x2D2418 which makes the payload go at base_addr+0x100 -> 0x2D2518:

Code:

ROM:002D2518 # =============== S U B R O U T I N E =======================================
ROM:002D2518
ROM:002D2518
ROM:002D2518 sub_2D2518:                             # CODE XREF: sub_5C9D4+420p
ROM:002D2518                                         # sub_5D590+29Cp
ROM:002D2518
ROM:002D2518 .set var_10, -0x10
ROM:002D2518 .set arg_10,  0x10
ROM:002D2518
ROM:002D2518                 mflr      r0
ROM:002D251C                 std       r0, arg_10(r1)
ROM:002D2520                 stdu      r1, -0x80(r1)
ROM:002D2524                 std       r2, 0x80+var_10(r1)
ROM:002D2528                 lis       r2, -0x8000
ROM:002D252C                 mr        r2, r2
ROM:002D2530                 sldi      r2, r2, 32
ROM:002D2534                 oris      r2, r2, 0x2D
ROM:002D2538                 ori       r2, r2, 0x25B0
ROM:002D253C                 ld        r0, 0(r2)
ROM:002D2540                 ld        r2, 8(r2)
ROM:002D2544                 mtctr     r0
ROM:002D2548                 bctrl
ROM:002D254C                 ld        r2, 0x80+var_10(r1)
ROM:002D2550                 addi      r1, r1, 0x80
ROM:002D2554                 ld        r0, arg_10(r1)
ROM:002D2558                 mtlr      r0
ROM:002D255C                 blr
ROM:002D255C # End of function sub_2D2518
ROM:002D255C
ROM:002D2560 # ---------------------------------------------------------------------------
ROM:002D2560
ROM:002D2560 loc_2D2560:                             # DATA XREF: ROM:002D25B4o
ROM:002D2560                 clrrdi    r6, r6, 2
ROM:002D2564                 mflr      r0
ROM:002D2568                 std       r0, 0x10(r1)
ROM:002D256C                 ori       r6, r6, 2
ROM:002D2570                 stdu      r1, -0x70(r1)
ROM:002D2574                 bl        sub_2D2590
ROM:002D2578                 nop
ROM:002D257C                 addi      r1, r1, 0x70
ROM:002D2580                 extsw     r3, r3
ROM:002D2584                 ld        r0, 0x10(r1)
ROM:002D2588                 mtlr      r0
ROM:002D258C                 blr
ROM:002D2590
ROM:002D2590 # =============== S U B R O U T I N E =======================================
ROM:002D2590
ROM:002D2590
ROM:002D2590 sub_2D2590:                             # CODE XREF: ROM:002D2574p
ROM:002D2590
ROM:002D2590 .set arg_10,  0x10
ROM:002D2590
ROM:002D2590                 mflr      r0
ROM:002D2594                 std       r0, arg_10(r1)
ROM:002D2598                 li        r11, 1
ROM:002D259C                 hvsc                    # hvsc(1): lv1_write_htab_entry
ROM:002D25A0                 extsw     r3, r3
ROM:002D25A4                 ld        r0, arg_10(r1)
ROM:002D25A8                 mtlr      r0
ROM:002D25AC                 blr
ROM:002D25AC # End of function sub_2D2590
ROM:002D25AC
ROM:002D25AC # ---------------------------------------------------------------------------
ROM:002D25B0                 .long 0x80000000
ROM:002D25B4                 .long loc_2D2560
ROM:002D25B8                 .long 0x80000000
ROM:002D25BC                 .long unk_700000

Code:

002D2518  7C 08 02 A6 F8 01 00 10  F8 21 FF 81 F8 41 00 70
002D2528  3C 40 80 00 60 42 00 00  78 42 07 C6 64 42 00 2D
002D2538  60 42 25 B0 E8 02 00 00  E8 42 00 08 7C 09 03 A6
002D2548  4E 80 04 21 E8 41 00 70  38 21 00 80 E8 01 00 10
002D2558  7C 08 03 A6 4E 80 00 20  78 C6 07 64 7C 08 02 A6
002D2568  F8 01 00 10 60 C6 00 02  F8 21 FF 91 48 00 00 1D
002D2578  60 00 00 00 38 21 00 70  7C 63 07 B4 E8 01 00 10
002D2588  7C 08 03 A6 4E 80 00 20  7C 08 02 A6 F8 01 00 10
002D2598  39 60 00 01 44 00 00 22  7C 63 07 B4 E8 01 00 10
002D25A8  7C 08 03 A6 4E 80 00 20  80 00 00 00 00 2D 25 60
002D25B8  80 00 00 00 00 70 00 00

**pete_uk** · 03-03-2013, 10:47 AM

Great update

Thanks again Dean

& thanks to Ing Pereira

**TomatOsaUce** · 03-03-2013, 10:48 AM

Beyond awesome!!!
Thanks Dean, Thanks Ing Pereira and thanks to people who ever so nicely suggest things to you

**Dino05** · 03-03-2013, 02:41 PM

Italian translation LANG_IT of 621 lines for multiMAN 04.20.03

DigiTopZ

SHOP01media EUROPE

Game Console Repairs

VGC Repairs

Thread: multiMAN -- Crunching Support & Releases

Thread Tools

Search Thread

Display

Posting Permissions