forums.ps2dev.org

Iv been reverse engineering game categories for a couple of weeks but its quite hard to keep up with Bubbletune and his weekly releases. If i make any progress i will be sure to post a tutorial on how everything works. Its to bad there's so much secrecy around the xmb like vlf and game categories. ...

How can you patch the game's code? That's not possible, unless they patch it on the fly when loading the game into memory... Which I don't think they do (or do they? xD) I think you're talking about patching kernel exploits found through those games, or maybe those game exploits rely on a FW code v...

I have just the perfect reply for you. Right, I'mma be blunt. You need to stop pretending you know what your talking about because the shit coming out of your mouth is disgusting. I constantly see you posting acting like you know what your talking about and it is really annoying. It's also misleadin...

ab500 wrote:that's true, but i saw references to some hackable games (lumines, gta, ecc) in umdman.prx. strange thing...

Sony also patches games themselfs with firmware updates, they just haven't bothered yet with Medal of Honour. I'm pretty sure that by the time the PSP Go is released, they will have bothered.

When you execute user functions from kernel mode, you need to set k1: unsigned int k1; k1 = pspSdkSetK1(0); function(args); pspSdkSetK1(k1); No, you don't. That's when you hooked a system call and want to make it seem like you're coming from kernel mo...

When you execute user functions from kernel mode, you need to set k1: unsigned int k1; k1 = pspSdkSetK1(0); function(args); pspSdkSetK1(k1); No, you don't. That's when you hooked a system call and want to make it seem like you're coming from kernel mo...

Yes, you can, using a simple jump, but it'll be executed in kernel mode.

The 1.50 hardware reinit problem was mentioned by DAX in the TM readme. What was happening in Booster's original service mode->flash0 boot IPL where it would reboot after suspend/resume if you didn't hold L trigger? Was that simply following the coldboot branch if you didn't hold L (and the hardwar...

Suspend/sleep is a not a cold reboot. Read my post carefully. The whole variable in RAM thing was after an induced suspend/resume, but forcing the IPL to take the cold boot branch to simulate rebooting into the memory stick firmware. Thats why I mentioned a custom IPL to handle it. You'd reinitiali...

You don't have access to the main RAM so early in a cold reboot, and by the time you have, it's likely that it's already been cleared. How does Time Machine handle suspend/resume? It starts execution from the beginning of the IPL again on resume right? Doesn't it need to know which firmware is curr...

It might be feasible to make your application directly reboot into a memory stick firmware such as one installed by Time Machine (Or a "Test M33" firmware from DC if you want a later firmware like 5.00M33). You'll probably have to do something along these lines :/ You'll need a custom IPL...

You've made a mistake in the error checking for the sceUtilitySavedataInitStart call. Your condition is in fact if (result != 0) , and as 0 means succcess and < 0 means error, this will result in it marking it as succesful while it actually errored (and vice versa). Thus, it's obvious that the statu...

It's impossible to emulate enough hardware to make that idea reality, mainly KIRK and SPOCK whichs internals are completely unknown.

There's probably some macro or something to access it like a 2d array but I don't know. short int &#40;*ar&#41;&#91;60&#93;; // note the &#40; and &#41; SceUID blockid = sceKernelAllocPartitionMemory&#40;2, "mem", 0, sizeof&#40;ar&#41;*34, NULL&#41;...

Torch wrote:Or simple make it VSH mode 0x800 if you don't want iop.prx.

Your PBP needs to be started in updater mode for this to work, which the recovery doesn't do (and neither does the VSH if it's not in the UPDATE folder)..

Your main application can't be kernel mode, only back in 1.50. Change it to usermode, and load iop.prx (included in most of Dax's releases, eg. LEDA) from the main application to be granted write access to the flash0 from user mode.

And how will you recompress them? I don't think you can recompress them without DAX's personal prx compressor for some specific modules. I tried editing once and it bricked. Didn't load uncompressed either. I played around with this a while back, it seems early boot modules can't load uncompressed,...

The advantages of everyone's hardware and probably path of execution being 100% identical.... Also probably why the exploits required to try multiple times. Due to all environmental conditions being identical for everyone, the address are bound to turn out to be the same once in a while, even if th...

But when you need to write code, such as code which an exploit jumps into, how would external calls be resolved then? In such cases you would need to manually find the functions right? THAT exactely is my situation in this case! The MIPS itself isn't the problem, finding the function tables is. Whe...

mmm, excuse me, I've looked at scePaf_970DC20D function ( ofw 500) , and I've found this: ====================================================== ; Subroutine scePaf_970DC20D - Address 0x000235A0 ; Imported from scePaf scePaf_970DC20D&#58; 0x000235A0&#58; 0x03E00008 '....' - jr $ra 0x000235A...

I use this trick a lot when I want a small snippet of code to reside in user memory (I don't know if that's what you want to do but it's a great example so I'll just use that here :P), I just allocate a user heap and copy some pure assembly code in there, then hook a function in user memory with it....

It calls a function located in scePaf to get ahold of the version, but this function changes it's NID every 3 firmwares or so. However, what really is usefull here is the second argument being passed, it's a string but Prxtool doesn't properly analyze the data references in new firmware modules, so ...