Added partial support for 2.43 firmware.

Currently I am not able to find elf1_func2 offset, have spend 4 hours for this, and no success. Without patching this, we aren't able to run unsigned code, so current support of 2.43 firmware is useless. I have all needed dumps, and if someone willing to help, contact me via github, I'll provide everything, I can.
lyvius · Dec 19, 2010 · bdd6b1c · bdd6b1c
1 parent 393a14f
commit bdd6b1c
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -7,7 +7,7 @@ PPU_OBJCOPY = ppu-objcopy
 PPU_CFLAGS =
 
 # This isn't enough, you must also add rules for the filename_fw with the -D define
-SUPPORTED_FIRMWARES = 3.41 3.41_kiosk 3.40 3.30 3.21 3.15 3.10 3.01 2.85 2.76 2.70 2.60 2.53
+SUPPORTED_FIRMWARES = 3.41 3.41_kiosk 3.40 3.30 3.21 3.15 3.10 3.01 2.85 2.76 2.70 2.60 2.53 2.43
 
 PAYLOADS = shellcode_egghunt.bin \
 	shellcode_panic.bin \
@@ -61,6 +61,9 @@ check_sizes: $(ALL_PAYLOADS)
 
 $(ALL_PAYLOADS): *.h.S config.h
 
+%_2_43.o : %.S
+	$(PPU_CC) $(PPU_CFLAGS) -DFIRMWARE_2_43 -c $< -o $@
+
 %_2_53.o : %.S
 	$(PPU_CC) $(PPU_CFLAGS) -DFIRMWARE_2_53 -c $< -o $@
 

diff --git a/firmware_symbols.h.S b/firmware_symbols.h.S
@@ -832,6 +832,78 @@
 #define elf3_data               0x00194ca0
 #define elf4_data               0x000afc40
 
+#elif defined(FIRMWARE_2_43)
+
+/* Common Symbols */
+#define memcpy			0x00079294
+#define memset			0x00058e88
+#define strcpy			0x00059008
+#define strncmp			0x00059068
+#define strlen			0x00059038
+#define pathdup_from_user	0x001a2550
+#define copy_from_user		0x0001e300
+#define copy_to_user		0x0001e0e0
+#define alloc_and_copy_from_user 0x001a2730
+#define strdup_from_user	0x001a27f8
+#define alloc 			0x0006c2e0
+#define free 			0x0006c708
+#define USBRegisterDriver 	0x000d2c38
+#define syscall_table		0x002d2b18
+#define USBGetDeviceDescriptor	0x000d3660
+#define USBOpenEndpoint		0x000d36a0
+#define USBControlTransfer	0x000d35f0
+#define memory_patch_func	0x0005a708
+#define patch_func1		0x00055a20
+#define patch_func1_offset	0x38
+#define patch_func2		0x0005afc8
+#define patch_func2_offset	0x2c
+#define patch_func3		0x002925d0
+#define patch_func3_offset	0x24
+#define patch_func4		0x0005ac38
+#define patch_func4_offset	0x0
+#define patch_func5		0x0005c460
+#define patch_func5_offset	0x0
+#define patch_func6		0x00033f60
+#define patch_func6_offset	0x0
+#define patch_func7		0x000e565c
+#define patch_func7_offset	0x0
+#define patch_func8		0          // unable to find
+#define patch_func8_offset1	0
+#define patch_func8_offset2	0
+#define patch_func9		0x0005b7f8
+#define patch_func9_offset	0x40c
+#define patch_syscall_func	0x0028a75c
+#define patch_data1		0x0039b6e0
+#define rtoc_entry_1		0xa78
+#define rtoc_entry_2		-0x6630
+
+#define lv2_printf		0x000276b0
+#define lv2_printf_null		0x00289c68
+#define hvsc107_1		0x0001e68c
+#define hvsc107_2		0x0001e718
+#define hvsc107_3		0x0001e550
+
+// Payload bases
+#define MEM_BASE2 		(0x5ca20)
+
+#define RESIDENT_AREA_MAXSIZE   (1352)
+
+#define HASH_TABLE_1            0xb36f6c6700282260
+#define HASH_TABLE_2            0x9474a8b0000169d3
+#define HASH_TABLE_3            0x214aedb3000e9c43
+#define HASH_TABLE_4            0 // not found due to elf1_func2
+
+#define elf1_func1              0x0051e1f0
+#define elf1_func1_offset       0x00
+#define elf1_func2              0 // not found, unsigned elfs aren't working
+#define elf1_func2_offset       0
+#define elf2_func1              0x00026a50
+#define elf2_func1_offset       0x204
+
+
+#define elf3_data               0x002498f0
+#define elf4_data               0 // not found due to elf1_func2
+
 #endif
 
 #ifndef lv2_printf