# RGLoader patches file
# Patches follow same format as XeBuild, but with RGLP at start
# When used with RGLoader patch engine, they should be at 0xb0000 in the NAND (without ECC)
# Record format: [4-byte offset] [4-byte patch count, in 4-byte words] [4-byte patch words]...

# Devkit 14699 patches

# Base subtracted from every patch address below to form the 4-byte record offset.
.set	KernelBase,		0x80000000

# use this if offset > 0x8006b200
# NOTE(review): KernelCodeBase is defined but never referenced in the records
# visible in this file; records above 0x8006b200 still subtract KernelBase.
# Confirm which base the patch engine expects for those addresses.
.set    KernelCodeBase,         0x80004e00  #file offset by 0x44E00

		.globl _start
_start:

# ============================================================================
#	RGLP header
#	0x52474C50 is ASCII "RGLP", the marker the format notes at the top of the file call for
	.long 0x52474C50
# ============================================================================


#----------------------------------------------------------



# ============================================================================
#       Retail XEX2 AES key
# ============================================================================
	.long 0x800000F0 - KernelBase	# record offset 0xF0
	.long (9f - 0f) / 4		# word count: bytes between labels 0 and 9, divided by 4 (= 4)
0:
# 16 bytes of key material, emitted as four 32-bit words.
# NOTE(review): the key is a literal in this source file, so anyone who can read
# the file or the assembled patch blob can read the key.
# Offset 0xF0 is also the immediate loaded by "li r4, 0xF0" in the key-swap
# record at 0x80029AA0 further down.
	.long 0x20B185A5
	.long 0x9D28FDC3
	.long 0x40583FBB
	.long 0x0896BF91
9:


# ============================================================================
#	HV jump to flag fixer
# ============================================================================
	.long 0x800018C0 - KernelBase	# record offset 0x18C0
	.long (9f - 0f) / 4		# 1 word
0:
# 0x4800AC02 decodes as "ba 0xAC00" (b with the AA bit set): an absolute branch
# to the routine this file writes at 0x8000AC00. That routine ends with
# "ba 0x18C4", i.e. it resumes at the word right after this one.
	.long 0x4800AC02      #jump to flag clearing function
9:

# ============================================================================
#       KV check patches - Hvxkeyshmacsha
# ============================================================================
	.long 0x80004C84 - KernelBase  # offset 0x4C84; the original note here reads "First check on" and stops
	.long (9f - 0f) / 4	# 1 word
0:
# One instruction is overwritten with nop. The instruction being replaced is not
# shown in this file; per the header it belongs to a KV check -- confirm against
# the 14699 image.
	nop
9:

# ============================================================================
#	HV Patch flag check
# ============================================================================
	.long 0x80006920 - KernelBase	# record offset 0x6920
	.long (9f - 0f) / 4		# 1 word
0:
# Overwrites one instruction with nop; per the header this is the flag check.
# The replaced instruction is not visible here.
	nop 
9:

#============================================================================
#	HV patch jump
# ============================================================================
	.long 0x80006AD4 - KernelBase	# record offset 0x6AD4
	.long (9f - 0f) / 4		# 1 word
0:
# r3 is loaded with the constant 0 in place of whatever instruction was here
# (presumably one that produced r3 from a check -- TODO confirm).
	li %r3, 0 
9:

# ============================================================================
#       Patch XEX flag
# ============================================================================

	.long 0x80006C08 - KernelBase 	# first of two records under this header; offset 0x6C08
	.long (9f - 0f) / 4		# 1 word
0:
	li %r3, 0			# r3 := 0 in place of the original instruction (not shown here)
9:

	.long 0x80006F94 - KernelBase 	# second record; offset 0x6F94
	.long (9f - 0f) / 4		# 2 words
0:
# Two consecutive instructions are replaced with constant loads.
# The meaning of 0x8 in r4 is not stated in this file -- TODO confirm.
	li %r4, 0x8
	li %r3, 0
9:

#============================================================================
#	HV Patch blow fuses              (protection against bad recovery disks etc)
# ============================================================================
	.long 0x8000987C - KernelBase	# record offset 0x987C
	.long (9f - 0f) / 4		# 2 words
0:
# Sets r3 = 1 and returns to the caller at once. If 0x987C is the routine's
# entry point (not shown here -- confirm), none of its original body runs,
# which is how the header's "protection" against fuse blowing is achieved.
	li %r3, 1 
	blr
9:


# ============================================================================
#	MachineCheck (mfspr   r3, LPCR)
# ============================================================================
	.long 0x80000218 - KernelBase	# record offset 0x218
	.long (9f - 0f) / 4		# 1 word
0:
# Writes an all-zero word. Presumably this replaces the "mfspr r3, LPCR" named
# in the header; the intent of using 0x00000000 rather than a nop is not
# stated here -- TODO confirm.
	.long 0x00000000
9:


# ============================================================================
#	HV Flag fixing function
# ============================================================================
	.long 0x8000AC00 - KernelBase	# record offset 0xAC00, the target of the "ba 0xAC00" written at 0x18C0
	.long (9f - 0f) / 4		# 6 words
0:
# Small routine placed at 0xAC00: clears bit 0x20 in the halfword at address 6,
# then redoes the instruction displaced at 0x18C0 and jumps back behind it.
# The base register field is 0, which in a D-form load/store means a literal
# zero base, so the effective address is 0x6.
	lhz     %r3, 0x6(%r0)  # load the 16-bit flag halfword into r3 (lhz is a halfword load, not a byte load)
	li      %r4, 0x20      # mask for the bit to clear
	andc    %r3, %r3, %r4 # r3 = r3 & ~0x20
	sth     %r3, 0x6(%r0)      # store the updated halfword back
	li      %r3, 0x200    # per the original note: redo the instruction that the jump at 0x18C0 overwrote
	ba      0x18C4  	# absolute branch to the word after the patched jump at 0x18C0
9:

# ============================================================================
#       DVDAuth2 retail key
# ============================================================================
	.long 0x80010B30 - KernelBase	# record offset 0x10B30
	.long (9f - 0f) / 4		# 4 words
0:
# 16 bytes of key material, emitted as four 32-bit words.
# NOTE(review): as with the XEX2 key above, this key is a literal in source and
# is readable by anyone with access to the file or the assembled blob.
	.long 0xD1E3B33A
	.long 0x6C1EF770
	.long 0x5F6DE93B
	.long 0xB6C0DC71
9:

# ============================================================================
#	HvxDvdAuthRecordXControl
# ============================================================================
	.long 0x80026B1C - KernelBase	# record offset 0x26B1C
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x38600001		# decodes as "li r3, 1"; the replaced instruction is not shown here
9:

# ============================================================================
#       HV DAE 
# ============================================================================
	.long 0x80028E9C - KernelBase  	# record offset 0x28E9C
	.long (9f - 0f) / 4		# 2 words
0:
	.long 0x38600000		# decodes as "li r3, 0"
	nop				# the following instruction is removed as well
9:

# ============================================================================
# 	Check if XEX decrypted properly, if not swap the key
# ============================================================================
	.long 0x80029AA0 - KernelBase	# record offset 0x29AA0
	.long (9f - 0f) / 4		# 7 words
0:
# Raw-encoded instruction sequence; decodings below are read from the opcodes.
# The roles of r28 and r3 at this point are not visible in this file; per the
# header, the sequence selects the other key when decryption did not succeed.
	.long 0x2B3C0000		# cmplwi cr6, r28, 0
	.long 0x419A0030		# beq    cr6, +0x30
	.long 0x2F030000		# cmpwi  cr6, r3, 0
	.long 0x409A0010		# bne    cr6, +0x10
	.long 0x388000F0		# li     r4, 0xF0  (0xF0 is the offset where this file writes the retail XEX2 key)
	.long 0x48000018		# b      +0x18
	.long 0x60000000		# nop
9:

# ============================================================================
#	HvxSetImagePageTableEntry memory addr check
# ============================================================================
	.long 0x80029C58 - KernelBase	# record offset 0x29C58
	.long (9f - 0f) / 4		# 1 word
0:
# 0x60000000 is the nop encoding; one instruction of the memory address check
# named in the header is removed. The replaced instruction is not shown here.
	.long 0x60000000
9:

# ============================================================================
#	HvxCreateImageMapping hash check
# ============================================================================
	.long 0x8002C704 - KernelBase	# record offset 0x2C704
	.long (9f - 0f) / 4		# 1 word
0:
# Decodes as "b +0x10": an unconditional branch over the next three
# instructions, so the hash comparison outcome named in the header no longer
# decides the path (presumably; the skipped instructions are not shown).
	.long 0x48000010
9:

#-----------------------------------------------------------------------

# ============================================================================
#	HV XEX region check -dev13599
# ============================================================================
	.long 0x8002C7FC - KernelBase	# record offset 0x2C7FC
	.long (9f - 0f) / 4		# 1 word
0:
# One instruction of the region check is replaced with nop.
# NOTE(review): the header still says "-dev13599" although this file targets
# 14699 -- confirm the address was re-derived for this build.
	nop
9:




# ============================================================================
#	HvxExpansionInstall sig check
# ============================================================================
	.long 0x80030BAC - KernelBase	# record offset 0x30BAC
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x60000000		# nop encoding; removes one instruction of the signature check named in the header
9:

# ============================================================================
#	HvxExpansionInstall hash? (uses memcmp) check
# ============================================================================
	.long 0x80030C2C - KernelBase	# record offset 0x30C2C
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x60000000		# nop encoding; the header's "?" marks the author's own uncertainty about this check
9:





# Kernel patches




# ============================================================================
#	Patch XEX Restrictions check
# ============================================================================

	.long 0x800A2A98 - KernelBase	# first of two records under this header; offset 0xA2A98
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x38600001		# decodes as "li r3, 1"; replaces one instruction (not shown here)
9:

	.long 0x800A0B2C - KernelBase	# second record; offset 0xA0B2C
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x48000018		# decodes as "b +0x18": unconditional skip over the next five instructions
9:




# ============================================================================
#       SataCdRomAuthenticationExSequence
# ============================================================================
	.long 0x800C4C08 - KernelBase  	# record offset 0xC4C08
	.long (9f - 0f) / 4		# 1 word
0:
# NOTE(review): this branch is written as a mnemonic with a bare constant,
# while other records in this file spell the same kind of branch as a raw word
# (e.g. ".long 0x48000184  # b 0x184"). The intended encoding is presumably
# 0x48000038, i.e. a displacement of 0x38 -- verify that the assembler in use
# inserts the constant as the displacement rather than resolving it as a target.
	b 0x38
9:

#----------------------------------------------------------

# ============================================================================
#	SataCdRomActivateHCDFRuntimePatch TSST signature check
# ============================================================================
	.long 0x800C461C - KernelBase	# record offset 0xC461C
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x48000184  # b 0x184 -- unconditional forward branch of 0x184 bytes, past the signature check named in the header
9:

# ============================================================================
#	SataCdRomActivateHCDFRuntimePatch blacklisted drive check
# ============================================================================
	.long 0x800C4638 - KernelBase	# record offset 0xC4638
	.long (9f - 0f) / 4		# 1 word
0:
# 0xC4638 + 0x168 = 0xC47A0, the same destination as the branch written at
# 0xC461C (0xC461C + 0x184).
	.long 0x48000168  # b 0x168
9:




# ============================================================================
#	XexpVerifyMedia Type?
# ============================================================================
	.long 0x8009EA5C - KernelBase	# record offset 0x9EA5C
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x38600001		# decodes as "li r3, 1"; the header's "?" marks the routine name as the author's guess
9:

# ============================================================================
#	XexpVerifyXexHeaders
#       not really the same thing patched, what was patched got moved to HV
# ============================================================================
	.long 0x800A0570 - KernelBase	# record offset 0xA0570
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x38600001		# decodes as "li r3, 1"; replaces one instruction (not shown here)
9:

# ============================================================================
#	XexpVerifyXexHeaders?
# ============================================================================
	.long 0x800A0514 - KernelBase	# record offset 0xA0514
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x38600001  		# decodes as "li r3, 1"
9:

# ============================================================================
#	XexpVerifyMinimumVersion?
# ============================================================================
	.long 0x800A1330 - KernelBase	# record offset 0xA1330
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x38600001		# decodes as "li r3, 1"
9:

# ============================================================================
#	XexpLoadFile?
# ============================================================================
	.long 0x800A2BFC - KernelBase	# record offset 0xA2BFC
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x38600001		# decodes as "li r3, 1"
9:


#-----------------------------------------------------------------------



#=============================================================================
#       nop out Shadowbooting on startup  
#=============================================================================


	.long 0x8008180C - KernelBase	# record offset 0x8180C
	.long (9f - 0f) / 4		# 1 word
0:
# One instruction on the startup path is replaced with nop; presumably the call
# into the shadow-boot routine -- the replaced instruction is not shown here.
	nop
9:

#=============================================================================
#       disable shadow booting function   
#=============================================================================


	.long 0x80081348 - KernelBase	# record offset 0x81348
	.long (9f - 0f) / 4		# 2 words
0:
# Returns to the caller at once with r3 = 0. If 0x81348 is the function's entry
# point (not shown here -- confirm), the rest of its body never runs.
	li %r3, 0
	blr
9:



#-----------------------------------------------------------------------




# ============================================================================
#	Set SystemRoot to HDD
# ============================================================================

	.long 0x80040AC8 - KernelBase	# record offset 0x40AC8: a counted-string header followed by its text
	.long (9f - 0f) / 4		# word count computed from the data between labels 0 and 9
0:
# Layout written here: length, maximum length, pointer, then the characters.
# The pointer 0x80040AD0 is the record address plus 8, which is where the text
# lands if each .word emits 2 bytes on this target -- TODO confirm for the
# assembler in use.
	.word 50  #//length: the path below is 50 characters long
	.word 51  #//maxlength: length plus one terminator
	
	.long 0x80040AD0 #//ptr to string
	
	
# .string appends a NUL of its own, so the explicit \0 gives two trailing NULs.
	.string "\\Device\\Harddisk0\\Partition1\\Filesystems\\14699-dev\0"
# Pads to the next boundary so the byte count divides evenly by 4 (presumably
# 2 means 2^2 bytes on this target).
	.align 2

9:

	.long 0x8008102C - KernelBase	# second record: code that points r4 at the string header above; offset 0x8102C
	.long (9f - 0f) / 4		# 3 words
0:
	nop              #  nop out the hardware flags check
	.long 0x3D608004 #  lis   r11, 0x8004       -> r11 = 0x8004 << 16
	
	.long 0x388B0AC8 #  addi  r4, r11, 0x0AC8   -> r4 = 0x80040AC8, the header written by the first record #custom
9:




# use KernelCodeBase if offset > 0x8006b200

# ============================================================================
#	XeKeysVerifyRSASignature -dev13599
# ============================================================================
	.long 0x80144138 - KernelBase	# first of two records; offset 0x144138
# NOTE(review): this address is above 0x8006b200 yet KernelBase is subtracted,
# although the note above says to use KernelCodeBase there -- confirm.
	.long (9f - 0f) / 4		# 1 word
0:
	nop				# removes one instruction (not shown here)
9:
	.long 0x8014416C - KernelBase	# second record; offset 0x14416C
	.long (9f - 0f) / 4		# 1 word
0:
# r3 := 1 in place of one instruction. Presumably this fixes the value the
# caller reads as the RSA verification result -- TODO confirm against the image.
	li %r3, 1
9:


# ============================================================================
#	SataCdRomVerifyDVDX2AuthoringSignature -dev13599
# ============================================================================
	.long 0x800C2C48 - KernelBase	# record offset 0xC2C48
	.long (9f - 0f) / 4		# 1 word
0:
	li %r3, 1			# r3 := 1 in place of one instruction of the signature check named in the header
9:

# ============================================================================
#	SataDiskAuthenticateDevice -dev13599
# ============================================================================
	.long 0x801994A0 - KernelBase	# record offset 0x1994A0
	.long (9f - 0f) / 4		# 1 word
0:
	li %r3, 1			# r3 := 1 in place of one instruction of the device authentication named in the header
9:

#==========THE FOLLOWING ARE NOT IMPORTANT AT THE MOMENT=====

# ============================================================================
#	XeKeysVerifyPIRSSignature -dev13599
# ============================================================================
	.long 0x8014420C - KernelBase	# record offset 0x14420C
	.long (9f - 0f) / 4		# 1 word
0:
	li %r3, 1			# r3 := 1 in place of one instruction (not shown here)
9:

# ============================================================================
#	XeKeysConsoleSignatureVerification -dev13599
# ============================================================================
	.long 0x8014617C - KernelBase	# record offset 0x14617C
	.long (9f - 0f) / 4		# 1 word
0:
# Mnemonic branch with a bare constant; presumably meant as a forward
# displacement of 0x128 (encoding 0x48000128), like the raw-encoded branches
# elsewhere in this file -- verify the assembled word.
	b 0x128
9:

# ============================================================================
#	StfsMapNewBlock hash mismatch -dev13599
# ============================================================================
	.long 0x800E16F4 - KernelBase	# record offset 0xE16F4
	.long (9f - 0f) / 4		# 1 word
0:
	.long 0x48000034		# decodes as "b +0x34": unconditional branch past the hash-mismatch handling named in the header
9:

# ============================================================================
#	SvodMapNewBlock hash mismatch -dev13599
# ============================================================================
	.long 0x8017D070 - KernelBase	# record offset 0x17D070
	.long (9f - 0f) / 4		# 1 word
0:
# Mnemonic branch with a bare constant; presumably a forward displacement of
# 0x30 (encoding 0x48000030) -- verify the assembled word.
	b 0x30
9:

# ============================================================================
#	SvodPartiallyCachedRead hash mismatch -dev13599
# ============================================================================
	.long 0x8017D384 - KernelBase	# record offset 0x17D384
	.long (9f - 0f) / 4		# 1 word
0:
	nop				# removes one instruction of the hash-mismatch path named in the header
9:



# ============================================================================
	.long 0xffffffff	# presumably the end-of-list marker for the patch engine; no record follows it
	.end			# the assembler ignores everything after this directive
# ============================================================================

