User Tools
Table of Contents
Generic getbootdev code :
E3 A0 00 xx E1 A0 F0 0E where xx is boot device
FZ1 Patching
DIPIR Rev =0 DipirEnv @0x5d14 DipirRoutines @0x5d68 @0x5dd8 write new dipirroutines version 0xf4840010 (old content 0xc90a8c33) to force cdrom dipir calling of getbootdev @0x5df8 write getbootdev offset 0x5dfc (old content 0xfc747ccf) @0x5dfc write ldr r0,#1 ; movs pc,lr ;//boot device # what damaged is the demo key,that is not used by rom anyway
FZ10 `94 Patching
DIPIR Rev =1.55 DipirEnv @0x57e4 DipirRoutines @0x583c Scrap buffer @0x58b8 - 0x592b 1. Copy DipirEnv to @0x58b8 2. Patch DipirEnv references @0x13b8 3. Copy DipirRoutines to 0x57e4 4. Update DipirEnv->DipirRoutines to 0x58b8 5. Write @0x5910 mov r0,#1 ; movs pc,lr #bootdevice # 5. Patch DipirRoutines->getbootdev to 0x5910 6. Patch DipirRoutines->version 0xf4840010 Damaged : copyright string
FZ10 '95 Patching (Anvil)
DIPIR Rev =1.66 DipirEnv @0x7824 DipirRoutines @0x789c Scrap buffer @0x7867 - 0x79db, 0x7164-0x719f 1. Copy DipirEnv to @0x7867 2. Patch DipirEnv references @0x2a70, 0x7740 3. Copy DipirRoutines to 0x7824 4. Update DipirEnv->DipirRoutines to 0x7824 5. Write @0x7164 mov r0,#1 ; movs pc,lr #bootdevice # 5. Patch DipirRoutines->getbootdev to 0x7164 6. Patch DipirRoutines->version 0xf4840010 Damaged : copyright strings
CDRomDipir patching
v1.35, 2076 bytes
raw md5: 38bb8a25dfcfc691e92d4341cfb1c2ec
decrypted md5: 585950b1c1d9a347f2f41b07ffb4c475
offset 0x620,0x624, 0x628 → e3500000, 13a00006, 191ba8f0 to e1a00000 e1a00000 e1a00000
DOES NOT CHECK DISKDIGEST!
v1.37 2236 bytes
raw md5: d1564bd92f3c2fa82762bed32375048a
decrypted md5: a7c49440c5c934d7400ee275a88fc065
offset 0x6a8, 0x6ac, 0x6b0 → e3500000, 13a00006, 191babf0 to e1a00000 e1a00000 e1a00000
DOES NOT CHECK DISKDIGEST!
v1.54 5168 bytes
raw md5: 5cc62eca6f1f4c7b4a74093de1e21633
decrypted md5: 8c6bc5d77e8c921b4799b1102693d91b
offset 0x828, 0x82c, 0x830 → e3500000, 13a00006, 191babf0 to e1a00000 e1a00000 e1a00000
for bypassing the diskdigest : offset 0xa78→ EB000156 to E3A00001
v?.?? 5996 bytes
raw md5: 93a6d77f3dc4df73d7f819598de97ddb
decrypted md5: 6c81ffb575ff78625cc66a5fa8076fcd
offset 0xcd4, 0xcd8, 0xcdc → E1300001, 13A00006, 1A00014E to e1a00000 e1a00000 e1a00000
DOES NOT CHECK DISKDIGEST!
v?.?? 6448 bytes
raw md5: 07530dc9acd786dc52734aae9046973c
decrypted md5: de264fbb6c579700060741911cb8213f
offset 0xc20,0xc24,0xc28 → E1300001, 13A00006, 1A000116 to e1a00000 e1a00000 e1a00000
for bypassing the diskdigest : offset 0xdbc → EBFFFF53 to E3A00001
v1.66 6664 bytes
raw md5: 6575e80b4895215e9cb641c9186b90d8
decrypted md5: 62aa65f18d61966852bd040598aab1a9
offset 0xb48, 0xb4c, 0xb50 → E3310000, 13A00006, 1A00007F to e1a00000 e1a00000 e1a00000
for bypassing the diskdigest : offset 0xcc0 → EBFFFF68 to E3A00001
