Please help to unpack osd100.elf for HOSDSYS

the7thchild

Does anyone know how to unpack osd100.elf for some modding?
I want to re-direct some rom0 calls to host0:. Thanks a lot
 

the7thchild

Thanks to those guys who helped. I have redirected UDNL to host0: and now the HDD has started up successfully. However, the program terminates and goes back to rom0:OSDSYS for an unknown reason. Here is the tty log:

IOP Realtime Kernel Ver. 2.2
Copyright 1999-2002 (C) Sony Computer Entertainment Inc.

IOP DECI2 manager Version 0.9.4
Copyright 1999,2000,2003 (C) Sony Computer Entertainment Inc.

DECI2 manager start.
Multi Threaded Fileio module.(99/11/15)
iop heap service (99/11/03)
Get Reboot Request From EE

Soft reboot
cdvdman Init
Reboot service module.(99/11/10)

IOP Realtime Kernel Ver. 2.2
Copyright 1999-2002 (C) Sony Computer Entertainment Inc.

IOP DECI2 manager Version 0.9.4
Copyright 1999,2000,2003 (C) Sony Computer Entertainment Inc.

DECI2 manager start.
cdvd driver module version 0.1.1 (C)SCEI
Load File service.(99/11/05)
Multi Threaded Fileio module.(99/11/15)
iop heap service (99/11/03)
loadmodule: fname rom0:SYSCLIB args 0 arg
loadmodule: id 31, ret 1
loadmodule: fname host0:UDNL args 11 arg img0:
use alternate ROM image

Update reboot complete
cdvdman Init
SDR driver version 2.0.0 (C)SCEI
Exit rsd_main
USB Driver (Version 0.16.0)
USB Keyboard Driver 1.02
Max Keyboards : 2
Debug level : 0

IOP Realtime Kernel Ver. 2.1
Copyright 1999-2001 (C) Sony Computer Entertainment Inc.

IOP DECI2 manager Version 0.9.1
Copyright 1999 (C) Sony Computer Entertainment Inc.

DECI2 manager start.
Reboot service module.(99/11/10)
sd driver module version 0.6.0 (C)SCEI
sce_osd_sdr_loop
cdvd driver module version 0.1.1 (C)SCEI
Load File service.(99/11/05)
Multi Threaded Fileio module.(99/11/15)
iop heap service (99/11/03)
loadbuffer: addrres c7000 args 0 arg
dev9: CXD9566 detected.
dev9: T10K detected
dev9: CXD9566(pcmcia) driver start
loadbuffer: id 42, ret 0
loadbuffer: addrres cb700 args 0 arg
loadbuffer: id 43, ret 0
loadbuffer: addrres cb700 args 12 arg -o
hdd: max open = 7, 300 buffers
hdd: 19:49:11 02/06/2020
hdd: disk0: 0x04a817c8 sectors, max 0x00200000
hdd: checking log...
hdd: drive status 0, format version 00000002
hdd: version 0104 driver start. This is OSD VERSION !!!!!!!!!!!
loadbuffer: id 44, ret 0
loadbuffer: addrres 126a00 args 18 arg -m
pfs: max mount 7, max open 10, 127 bufs
pfs: version 0104 driver start. This is OSD VERSION !!!!!!!!!!!
loadbuffer: id 45, ret 0
loadelf version 3.30
Get Reboot Request From EE

Soft reboot
cdvdman Init
Reboot service module.(99/11/10)
Load File service.(99/11/05)

IOP Realtime Kernel Ver. 2.2
Copyright 1999-2002 (C) Sony Computer Entertainment Inc.

IOP DECI2 manager Version 0.9.4
Copyright 1999,2000,2003 (C) Sony Computer Entertainment Inc.

DECI2 manager start.
Multi Threaded Fileio module.(99/11/15)
iop heap service (99/11/03)
cdvd driver module version 0.1.1 (C)SCEI
loadelf: fname rom0:OSDSYS secname all
loadelf version 3.30
Input ELF format filename = rom0:OSDSYS
1 00100000 000178d4 ..
2 00117900 00004e8a .
Loaded, rom0:OSDSYS
start address 0x100008
gp address 00000000



Can somebody help to check what has happened? Thanks!
 

krHACKen (aka kHn)

Which unpacked ELF did you run?
- If that's the MBR ELF, did you patch it so it loads hosdsys.elf as plain (decrypted ELF)?
- If that's the decrypted hosdsys.elf, did you run it with
Code:
hdd0:__system:pfs:/osd100/hosdsys.elf
as argument?

And if you used the signed hosdsys.elf, does your target system support MagicGate decryption?

edit:
USB Driver (Version 0.16.0)
USB Keyboard Driver 1.02
F*ck me, it obviously is hosdsys.
 

the7thchild

Yes, the hosdsys is run directly as host0:hosdsys.elf (I have placed the corresponding files in hdd0:__system and __sysconf). The UDNL in the T10000 rom0 seems not to be compatible, so the system hangs after loading that module. Thanks for the unpacked (1.0J decrypted) ELF; I was able to patch a UDNL call from rom0: to host0: for a UDNL I obtained from the SCPH-70000 BIOS. The program now boots to the HDD and USB drivers but somehow terminates in the middle and calls rom0:OSDSYS. Does anyone know how to fix this? Thanks!
 

the7thchild

I have also tried an MBR made by SP193 several years back. The result is the same.
 

the7thchild

It seems that I finally got the hosdsys to run on my T10K, with the following method:

Running the HDD Browser on the T10000
This may interest some of you, but I was doing it to debug FHDB. For reasons, it stopped being able to boot my copy of the HDD Browser. I modified its ATAD module a very long time ago, so I am sure it works... Anyway, running my program that loads a decrypted copy of the HDD Browser from the HDD yields this ominous line via dsidb, while dsedb is stuck in a loop around SifGetReg:
Code:
loadmodule: fname rom0:SYSCLIB args 0 arg
loadmodule: id 31, ret 1
loadmodule: fname rom0:UDNL args 11 arg img0:
loadmodule: id 33, ret 1

UDNL returned 1 (not resident)! It can respond!? How's that possible? What happened, is that the T10000's late ROM had UDNL's device blacklist replaced with a whitelist, hence the HDD Browser's custom IOP reboot stops working because UDNL sees the "img0" device as an illegal device. Note that although only "img0:" is visible, the full argument is "img0: img1:". There is a NULL-terminator between arguments for IOP modules. To jump over this wall, I manually loaded UDNL:
Code:
dsidb R> mload rom0:UDNL img0:

...got its address:
Code:
dsidb R> mlist
Id Begin End Size (Text Data Bss) Ver Name
1 830- 190f 10e0 1070 50 20 2.3 System_Memory_Manager
...
22 e7730- e958f 1e60 1cb0 1b0 0 0.0

...and set a breakpoint on that evil function, before starting the module in debug mode:
Code:
dsidb R> bp e7730
$BP3=0x000e7730 init=0x1 curr=0x1 # enabled, auto-init
dsidb R> mstart -d
*** Exception
at=00020004 v0-1=0000003c,00000069 a0-3=007fee7a,000e9401,00000069,000e7700
t0-7=00000018,00000002,00000002,00000002, 00000000,00000000,00000000,00000000
s0-7=007fee60,007fee68,007fee64,00000001, 007fedd8,007feda8,00000420,00000000
t8=00000000 t9=00000000 k0=000171d4 k1=00000000 gp=000f1580 sp=007fed98
fp=007fedf8 ra=000e79b8 lo=00000000 hi=00000000 PC=000e7730 bada=ffffffff
$cr=0x00000024 [ CE0 Breakpoint ]
$sr=0x00000404 [ IM0 IEp ]
0x000e7728: 0xafa5006c sw $a1,0x6c($sp)
0x000e772c: 0x08039f70 j 0x000e7dc0 # <+0x690>
->0x000e7730| 0x00803021 move $a2,$a0
<+0x04>:
0x000e7734: 0x24020020 li $v0,0x20
<+0x08>:
0x000e7738: 0x80c70000 lb $a3,0($a2)
<+0x0c>:
0x000e773c: 0x00000000 nop
<+0x10>:
0x000e7740: 0x10e2fffd beq $a3,$v0,0x000e7738 # <+0x08>
dsidb S>

It's a coincidence that the function exists at the very start of UDNL's text section. I cloned this module before, which was how I knew it exists there. As there are multiple images specified, it is easier to disable this function. This gets it to return immediately, with an "OK" as the return value.
Code:
dsidb S> as $PC jr $ra
dsidb S> step
dsidb S> as $PC addu $v0, $zero, $zero
dsidb S> cont

The browser loads on my DTL-T10000, with it being identified as a SCPH-10000. So easy, right? Now just sink in about 4 hours of trying to figure out why it did not work and add in cursing and swearing. I missed the part about "img0: img1:" and spent about 2-3 hours figuring out why its MCSERV module was missing (since its sceMcInit function was getting stuck at binding). -- THANKS to the assemblergames archive of a post by SP193

Does anyone know how to convert this code so that I can patch UDNL? Thanks!
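
An added example, not part of the original posts or of SP193's code: a Python sketch that pairs each `loadmodule:` request in a tty log with its result line, counts the argument bytes the log hides after the first NUL separator, and marks a UDNL load that returned to its caller instead of rebooting the IOP. The sample log is constructed from lines quoted in this thread; reading a UDNL request with no following `id ..., ret ...` line as a completed reboot is an inference from the two logs above, and the function names are hypothetical.

```python
import re

# Constructed sample, using line formats quoted in the thread's tty logs.
SAMPLE_LOG = """\
loadmodule: fname rom0:SYSCLIB args 0 arg
loadmodule: id 31, ret 1
loadmodule: fname rom0:UDNL args 11 arg img0:
loadmodule: id 33, ret 1
loadmodule: fname host0:UDNL args 11 arg img0:
use alternate ROM image
"""

REQ = re.compile(r"^loadmodule: fname (\S+) args (\d+) arg ?(.*)$")
RES = re.compile(r"^loadmodule: id (\d+), ret (-?\d+)$")


def split_args(buf):
    """Split an IOP module argument buffer on its NUL separators."""
    return [part.decode("ascii") for part in buf.split(b"\0") if part]


def audit(log):
    """Pair each loadmodule request with its result, if one was logged."""
    entries, pending = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := REQ.match(line):
            if pending:
                entries.append(pending)
            length, shown = int(m.group(2)), m.group(3)
            # The log prints the buffer as a C string, so it stops at the
            # first NUL; the declared length reveals what is not shown.
            pending = {"module": m.group(1), "arg_len": length, "shown": shown,
                       "hidden_bytes": max(0, length - len(shown)), "ret": None}
        elif (m := RES.match(line)) and pending:
            pending["ret"] = int(m.group(2))
            entries.append(pending)
            pending = None
    if pending:
        entries.append(pending)
    return entries


def udnl_status(entry):
    """Classify a UDNL load: a logged return value means no reboot happened."""
    if not entry["module"].endswith("UDNL"):
        return "n/a"
    return "rejected" if entry["ret"] is not None else "rebooted"
```

For the 11-byte buffer in the log, `split_args(b"img0:\x00img1:")` yields both image names, which matches the "img0: img1:" argument described in the quoted post.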
 

the7thchild

Credit to SP193 for coding the MBR.
 
