# RGLoader patches file
# Patches follow same format as freeBOOT:
# [4byte offset] [4byte patch count] [4byte patch]...

# Devkit 13599 patches

# Base subtracted from a virtual address to form the offset word of a patch
# record (offset = address - KernelBase).
.set	KernelBase,		0x80000000

# use this if offset > 0x8006b200
# Alternative base for those higher addresses: address - KernelCodeBase is
# 0x4E00 smaller than address - KernelBase.
# NOTE(review): how the 0x44E00 in the trailing comment relates to this value
# cannot be derived from this file - confirm against the loader / image layout.
.set    KernelCodeBase,         0x80004e00  #file offset by 0x44E00

		.globl _start
_start:

# ============================================================================
#	RGLP header
#	First word of the patch stream. The bytes 0x52 0x47 0x4C 0x50 are the
#	ASCII characters "RGLP".
	.long 0x52474C50
# ============================================================================



# ============================================================================
#       Patch XEX flag
#
# Two patch records. Each record is: offset word, count word, then `count`
# 32-bit words. The count is computed by the assembler as the number of
# words between the local labels 0: and 9:.
# ============================================================================

# Record 1: two instructions written at offset 0x6DF4 (r4 = 8, r3 = 0).
	.long 0x80006DF4 - KernelBase 
	.long (9f - 0f) / 4
0:
	li %r4, 0x8
	li %r3, 0
9:

#6A6C
# Record 2: one instruction written at offset 0x6A6C (r3 = 0).
# NOTE(review): what the replaced instructions did is not shown here; the
# banner only says this concerns an XEX flag - confirm against a disassembly.
	.long 0x80006A6C - KernelBase 
	.long (9f - 0f) / 4   
0:
	li %r3, 0
9:


# ============================================================================
#       Memory Dumper (uart)
#
# One patch record: the 63 instruction words between 0: and 9: are written
# at offset 0x2C2A8. The routine sends a 0x55 start byte, then 0x100 words
# read from the address in r11 (starting at 0), most-significant byte first,
# and finally spins forever at `end`; it never returns to the code it
# replaced.
#
# Registers: r22 = MSR value on entry
#            r21 = that MSR value with bit 0x10 cleared
#            r7  = base used for the UART registers (+0x1014 data out,
#                  +0x1018 status, +0x101C configuration)
#            r11 = read pointer, r3 = word being sent, r8 = scratch
#            CTR = words still to send
#
# NOTE(review): this record is active, not commented out. A debug routine
# that writes memory contents to the serial port and then hangs should be
# confirmed as intended before this file is used as-is.
# NOTE(review): loop0, cpy, send, end and loop3..loop6 are ordinary symbols,
# not numeric local labels, so they are visible throughout the file.
# ============================================================================
	.long 0x8002C2A8 - KernelBase 
	.long (9f - 0f) / 4
0:
	# Save the current MSR in r22 and build r21 = MSR & ~0x10.
	mfmsr %r22
	li %r21, 0x10   #setup MSR registers
	andc %r21, %r22, %r21
	mtmsrd %r21, 0  #switch to real mode
	isync
	
	# r7 = 0x80000200EA000000, assembled 16 bits at a time.
	li        %r7, 0x0200
    oris      %r7, %r7, 0x8000   
	sldi      %r7, %r7, 32
	oris      %r7, %r7, 0xEA00
	
	# Write 0xE6010000 to the configuration register at r7 + 0x101C.
	lis       %r8, 0   #setup uart
	oris       %r8, %r8, 0xE601       #; 115200,8,N,1  
	stw       %r8, 0x101C(%r7)


#---------------------------------	
	# UART start byte: 0x55 placed in the top byte of the word written to
	# the data register (the byte to send sits in bits 31..24 of the store).
	li %r8, 0x55
	slwi %r8, %r8, 24
	stw %r8, 0x1014(%r7)
	sync
	isync
	
	# Poll the status register: rlwinm. keeps only bit 6 (mask 0x02000000)
	# and sets CR0, so the loop repeats while that bit is still zero.
loop0:
	lwz %r8, 0x1018(%r7)        # wait until character is sent
	rlwinm. %r8, %r8, 0, 6, 6
	beq loop0
	
#---------------------------------
	
	li %r11, 0x0     #target address to dump
	# (disabled) would OR 0x4 into the upper half of the start address
	#oris %r11, %r11, 0x4
	
	
	# CTR = number of 32-bit words to send: 0x100 words = 0x400 bytes.
	li %r4, 0x100     #number of bytes to dump * 4
	# (disabled) would OR 0x8 into the upper half of the word count
	#oris %r4, %r4, 0x8
	mtctr %r4
	
	# Per word: restore the entry MSR to read memory, then switch back to
	# the modified MSR before touching the UART.
cpy: 
	mtmsrd %r22, 0  #switch back
	sync          
	isync
	lwz %r3, 0(%r11) 
	
	mtmsrd %r21, 0  #switch to real mode
	sync          
	isync
	# bl overwrites LR; the original return address is not saved, which is
	# consistent with the routine ending in an endless loop.
	bl send
	
	addi %r11, %r11, 4
	bdnz cpy
	
	b end
	
	
# send: transmit the 32-bit value in r3 as four bytes, high byte first.
# Each step moves the next byte into the top byte of the stored word, writes
# it to the data register and polls the status bit as in loop0.
# Clobbers r8 and CR0; returns with blr.
send:
#; byte4 (bits 31..24 of r3)
	stw %r3, 0x1014(%r7)        # send the character
	sync
	isync
loop6:
	lwz %r8, 0x1018(%r7)        # wait until character is sent
	rlwinm. %r8, %r8, 0, 6, 6
	beq loop6
	
#; byte3 (bits 23..16 of r3)
	sldi %r8, %r3, 8
	stw %r8, 0x1014(%r7)        # send the character
	sync
	isync
loop5:
	lwz %r8, 0x1018(%r7)        # wait until character is sent
	rlwinm. %r8, %r8, 0, 6, 6
	beq loop5
	
#; byte2 (bits 15..8 of r3)
	sldi %r8, %r3, 16
	stw %r8, 0x1014(%r7)        # send the character
	sync
	isync
loop4:
	lwz %r8, 0x1018(%r7)        # wait until character is sent
	rlwinm. %r8, %r8, 0, 6, 6
	beq loop4

#; byte1 (bits 7..0 of r3)
	sldi %r8, %r3, 24
	stw %r8, 0x1014(%r7)        # send the character
	sync
	isync
loop3:
	lwz %r8, 0x1018(%r7)        # wait until character is sent
	rlwinm. %r8, %r8, 0, 6, 6
	beq loop3
	
	blr
	# Dump finished: spin here forever.
end:
	b end
	
9:
	




#--------------------------------------------------------------
# Retail-on-Dev HV patches:
# Ported from XeExpansion (ver 20353) by unknown
# NOTE(review): the file header says these are 13599 patches while this
# section was ported from 20353; the addresses in this section should be
# confirmed against the 13599 image.
# ============================================================================
#       XEX keys
#
# Two records, each writing four words (16 bytes) of literal data.
# NOTE(review): these are key values committed in plain text; their
# provenance and whether they belong in a tracked source file are not
# stated here.
# ============================================================================
	# 16 bytes written at offset 0x64
	.long 0x80000064 - KernelBase  # Retail DEV key
	.long (9f - 0f) / 4
0:
	.long 0xD1E3B33A
	.long 0x6C1EF770
	.long 0x5F6DE93B
	.long 0xB6C0DC71
9:

	# 16 bytes written at offset 0xF0
	.long 0x800000F0 - KernelBase  # Retail XEX key
	.long (9f - 0f) / 4
0:
	.long 0x20B185A5
	.long 0x9D28FDC3
	.long 0x40583FBB
	.long 0x0896BF91
9:

# ============================================================================
# 	Check if XEX decrypted properly, if not swap the key
#
# Seven raw instruction words written at offset 0x299B0. The mnemonics in the
# comments below are hand-decoded from the words - verify with a
# disassembler. The value 0xF0 loaded into r4 equals the offset of the
# "Retail XEX key" record in this file.
# ============================================================================
	.long 0x800299B0 - KernelBase
	.long (9f - 0f) / 4
0:
	# cmpldi cr6, r28, 0
	.long 0x2B3C0000
	# beq cr6, .+0x30
	.long 0x419A0030
	# cmpwi cr6, r3, 0
	.long 0x2F030000
	# bne cr6, .+0x10
	.long 0x409A0010
	# li r4, 0xF0
	.long 0x388000F0
	# b .+0x18
	.long 0x48000018
	# nop
	.long 0x60000000
9:

# ============================================================================
#	HvxCreateImageMapping hash check
#
# One word written at offset 0x2C56C. 0x48000010 decodes as an unconditional
# relative branch 0x10 bytes forward (b .+0x10).
# NOTE(review): presumably this jumps over the hash comparison named in the
# banner, so the mapping is accepted whatever the hash is - confirm against
# a disassembly of the patch site.
# ============================================================================
	.long 0x8002C56C - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x48000010
9:

# ============================================================================
#	HvxDvdAuthRecordXControl?!
#
# One word written at offset 0x26A2C. 0x38600001 decodes as li r3, 1.
# NOTE(review): the "?!" in the banner suggests the function identification
# is itself uncertain - confirm before relying on it.
# ============================================================================
	.long 0x80026A2C - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x38600001
9:

# Kernel patches
# Four single-word records; every payload is 0x38600001, which decodes as
# li r3, 1. The "?" in three of the banners marks function names the author
# was not sure of.
# NOTE(review): all four addresses are above 0x8006b200, yet they subtract
# KernelBase, while the note next to KernelCodeBase says to use that base
# for such addresses. Confirm which base these ported offsets expect.
# NOTE(review): presumably each site sets the result register of a
# verification step to a constant, so the check no longer depends on the
# image being loaded - confirm against a disassembly.
# ============================================================================
#	XexpVerifyMedia Type?
# ============================================================================
	.long 0x8008E94C - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x38600001
9:

# ============================================================================
#	XexpVerifyXexHeaders
#       not really the same thing patched, what was patched got moved to HV
# ============================================================================
	.long 0x80090440 - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x38600001
9:

# ============================================================================
#	XexpVerifyMinimumVersion?
# ============================================================================
	.long 0x80091200 - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x38600001
9:

# ============================================================================
#	XexpLoadFile?
# ============================================================================
	.long 0x80092ACC - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x38600001
9:

#-----------------------------------------------------------------------


# ============================================================================
#	HV Patch flag check
#
# One word written at offset 0x6780: the instruction there is replaced by a
# nop. Which instruction is removed is not visible in this file.
# ============================================================================
	.long 0x80006780 - KernelBase
	.long (9f - 0f) / 4
0:
	nop 
9:



# ============================================================================
#	HV Flag fixing function
#
# Six instructions placed at offset 0xA474. They clear bit 0x20 of the
# halfword at address 0x6, load 0x200 into r3 and branch to absolute address
# 0x18C4. A separate record in this file writes a branch to 0xA474 at offset
# 0x18C0, so this appears to be a detour that resumes one instruction after
# its hook.
#
# NOTE(review): the count line below is commented out, so this record has an
# offset word but no count word, unlike the [offset][count][patch] layout
# described at the top of the file. A reader of that layout would take the
# first instruction word as the count - confirm whether this is intended.
# ============================================================================
	.long 0x8000A474 - KernelBase
#	.long (9f - 0f) / 4
0:
	# Base register field 0 in a load/store means the literal value 0, so
	# the effective address is 0x6. lhz/sth move 16 bits, not a single byte.
	lhz     %r3, 0x6(%r0)  # load flag byte into r3
	li      %r4, 0x20
	andc    %r3, %r3, %r4 # clear bit
	sth     %r3, 0x6(%r0)      # store new flag
	# presumably a copy of the instruction that the hook at 0x18C0 replaced
	li      %r3, 0x200    # do what we patched
	# absolute branch (ba), not relative
	ba      0x18C4  
9:	


# ============================================================================
#	HV jump to flag fixer
#
# One word written at offset 0x18C0. 0x4800A476 decodes as ba 0xA474: an
# absolute branch, without link, to the address where the flag fixing
# function in this file is placed (0x8000A474 - KernelBase = 0xA474).
# ============================================================================
	.long 0x800018C0 - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x4800A476      #jump to flag clearing function
9:

#============================================================================
#	HV patch jump
#
# One word written at offset 0x6934: the instruction there becomes
# li r3, 0. What it replaces is not visible in this file.
# ============================================================================
	.long 0x80006934 - KernelBase
	.long (9f - 0f) / 4
0:
	li %r3, 0 
9:


#             SECURITY               
#[----------------------------------------

#============================================================================
#	HV Patch blow fuses              (protection against bad recovery disks etc)
#
# Two words written at offset 0x9304: li r3, 1 followed by blr. If 0x9304 is
# the entry of a function, it now returns 1 without running its body.
# NOTE(review): presumably that body is the fuse-programming routine named
# in the banner - confirm that 0x9304 is its first instruction.
# ============================================================================
	.long 0x80009304 - KernelBase
	.long (9f - 0f) / 4
0:
	li %r3, 1 
	blr
9:

#=============================================================================
#       nop out Shadowbooting on startup  
#
# One word: the instruction at 0x8007660C becomes a nop. The offset is
# formed with KernelCodeBase (0x8007660C - 0x80004e00 = 0x7180C).
# NOTE(review): presumably the removed instruction is the call that starts
# shadow booting - confirm against a disassembly.
#=============================================================================


	.long 0x8007660C - KernelCodeBase
	.long (9f - 0f) / 4
0:
	nop
9:

#=============================================================================
#       disable shadow booting function   
#
# Two words written at 0x80076148 (offset formed with KernelCodeBase):
# li r3, 0 followed by blr. If that address is the function entry, the
# function now returns 0 without running its body.
#=============================================================================


	.long 0x80076148 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	li %r3, 0
	blr
9:



#-----------------------------------------------------------------------


# ============================================================================
#	Store the new path to xam in some space
#
# Ten words (40 bytes) written at offset 0x40AF4: the ASCII string
# "\Device\Harddisk0\Partition1\xam.xex" followed by four NUL bytes.
# NOTE(review): "some space" assumes these 40 bytes are unused in the
# original image - confirm nothing else reads or writes this region.
# NOTE(review): together with the records below that point at 0xAF4, this
# presumably makes the xam.xex system module load from the hard-disk
# partition; with the signature-check records in this file applied, that
# module would not be authenticated.
# ============================================================================
	.long 0x80040AF4 - KernelBase
	.long (9f - 0f) / 4
0:
	.long 0x5C446576 # \Dev
	.long 0x6963655C # ice\
	.long 0x48617264 # Hard
	.long 0x6469736B # disk
	.long 0x305C5061 # 0\Pa
	.long 0x72746974 # rtit
	.long 0x696F6E31 # ion1
	.long 0x5C78616D # \xam
	.long 0x2E786578 # .xex
        .long 0x00000000 # \0\0\0\0 (NUL terminator)
9:

# ============================================================================
#	Replace low part of new xam.xex path
#
# One word at 0x80076624: r4 = r11 + 0xAF4. 0xAF4 is the low 16 bits of
# 0x80040AF4, where this file stores the new path string.
# NOTE(review): this assumes r11 already holds 0x80040000 at this point
# (set by an instruction that is not part of the patch) - verify.
# ============================================================================
	.long 0x80076624 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	addi %r4, %r11, 0xAF4
9:


# ============================================================================
#	Replace xam xex module load flags
#
# One word at 0x80076798: lis r4, 0 sets r4 to 0. The banner identifies r4
# as the module load flags; the original value is not visible here.
# ============================================================================
	.long 0x80076798 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	lis       %r4, 0x0
9:

# ============================================================================
#	Replace low part of new xam.xex path 2
#
# One word at 0x8007679C: r3 = r11 + 0xAF4, the same low half as above but
# into r3. The same assumption about r11 applies - verify.
# ============================================================================
	.long 0x8007679C - KernelCodeBase
	.long (9f - 0f) / 4
0:
	addi %r3, %r11, 0xAF4
9:




# ============================================================================
#	EXPERIMENTAL: Set SystemRoot to HDD   
# ============================================================================


#	.long 0x80075E2C - KernelCodeBase
#	.long (9f - 0f) / 4
#0:
#	nop              #  nop out the hardware flags check

#	.long 0x3D608004 #  lis   r11, 
#	.long 0x388B05A4 #  addi  r4, r11, 
#9:


# ============================================================================
#	HV XEX region check -dev13599
#
# One word at offset 0x2C664: nop.
# NOTE(review): the "HV XEX RSA check" record that follows uses the same
# address, 0x8002C664. If records are applied in file order, its li r3, 1
# overwrites this nop, so only one of the two sites named in the banners is
# actually patched. One of the two addresses is probably a copy-paste
# error - confirm both against a disassembly.
# ============================================================================
	.long 0x8002C664 - KernelBase
	.long (9f - 0f) / 4
0:
	nop
9:
# ============================================================================
#	HV XEX RSA check -dev13599
#
# One word at offset 0x2C664: li r3, 1. This is the same offset as the
# region-check record directly above.
# ============================================================================
	.long 0x8002C664 - KernelBase
	.long (9f - 0f) / 4
0:
	li %r3, 1
9:

# use KernelCodeBase if offset > 0x8006b200

# ============================================================================
#	XeKeysVerifyRSASignature -dev13599
#
# Two single-word records, offsets formed with KernelCodeBase:
#   0x80134440 -> nop
#   0x80134474 -> li r3, 1
# NOTE(review): presumably the nop removes a branch or call on the failure
# path and the li sets the result register to a constant, so the outcome no
# longer depends on the signature - confirm against a disassembly. Code
# signed or unsigned is then treated alike by anything relying on this
# routine.
# ============================================================================
	.long 0x80134440 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	nop
9:
	.long 0x80134474 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	li %r3, 1
9:

# ============================================================================
#	XeKeysVerifyPIRSSignature -dev13599
#
# One word at 0x80134514 (offset formed with KernelCodeBase): li r3, 1.
# NOTE(review): presumably sets the verifier's result register to a
# constant - confirm which instruction this replaces.
# ============================================================================
	.long 0x80134514 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	li %r3, 1
9:

# ============================================================================
#	XeKeysConsoleSignatureVerification -dev13599
#
# One word at 0x8013648C (offset formed with KernelCodeBase): an
# unconditional branch.
# NOTE(review): the operand is the bare constant 0x128, which the assembler
# treats as a target address, not as a displacement from this instruction.
# The word actually emitted depends on how this file is assembled and
# linked, which is not visible here - check the encoded displacement
# against the intended skip distance.
# ============================================================================
	.long 0x8013648C - KernelCodeBase
	.long (9f - 0f) / 4
0:
	b 0x128
9:

# ============================================================================
#	SataCdRomVerifyDVDX2AuthoringSignature -dev13599
#
# One word at 0x800B75D8 (offset formed with KernelCodeBase): li r3, 1.
# NOTE(review): presumably sets the verifier's result register to a
# constant - confirm which instruction this replaces.
# ============================================================================
	.long 0x800B75D8 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	li %r3, 1
9:

# ============================================================================
#	StfsMapNewBlock hash mismatch -dev13599
#
# One word at 0x800D61A4 (offset formed with KernelCodeBase): an
# unconditional branch.
# NOTE(review): as with any `b <constant>`, 0x1C is read as a target
# address rather than a displacement; the emitted word depends on the build
# steps, which are not visible here - check the encoding.
# NOTE(review): presumably this skips the hash-mismatch handling named in
# the banner, so block hashes on that path are no longer enforced - confirm.
# ============================================================================
	.long 0x800D61A4 - KernelCodeBase
	.long (9f - 0f) / 4
0:
	b 0x1C
9:


# ============================================================================
#	UsbdSecVerifyRevertCertificateSignature hash mismatch -dev13599
# ============================================================================
#	.long 0x80103C00 - KernelCodeBase
#	.long (9f - 0f) / 4
#0:
#	li %r3, 1
#9:

#	.long 0x80103C14 - KernelCodeBase
#	.long (9f - 0f) / 4
#0:
#	li %r3, 1
#9:

# ============================================================================
#	SvodMapNewBlock hash mismatch -dev13599
# ============================================================================
#	.long 0x8016D308 - KernelCodeBase
#	.long (9f - 0f) / 4
#0:
#	b 0x30
#9:

# ============================================================================
#	SvodPartiallyCachedRead hash mismatch -dev13599
# ============================================================================
#	.long 0x8016D71C - KernelCodeBase
#	.long (9f - 0f) / 4
#0:
#	nop
#9:

# ============================================================================
#	SataDiskAuthenticateDevice -dev13599
# ============================================================================
#	.long 0x80188828 - KernelCodeBase
#	.long (9f - 0f) / 4
#0:
#	li %r3, 1
#9:


# ============================================================================
#	End of the patch list: a single 0xffffffff word where the next record's
#	offset would be, followed by the assembler's .end directive.
#	NOTE(review): that the loader stops on 0xffffffff is inferred from its
#	position - confirm against the loader.
	.long 0xffffffff
	.end
# ============================================================================

