It seems that I finally got the hosdsys to run on my T10K, with the following method:
Running the HDD Browser on the T10000
This may interest some of you, but I was doing it to debug FHDB. For reasons, it stopped being able to boot my copy of the HDD Browser. I modified its ATAD module a very long time ago, so I am sure it works... Anyway, running my program that loads a decrypted copy of the HDD Browser from the HDD yields this ominous line via dsidb, while dsedb is stuck in a loop around SifGetReg:
Code:
loadmodule: fname rom0:SYSCLIB args 0 arg
loadmodule: id 31, ret 1
loadmodule: fname rom0:UDNL args 11 arg img0:
loadmodule: id 33, ret 1
UDNL returned 1 (not resident)! It can respond!? How's that possible? What happened is that the T10000's late ROM had UDNL's device blacklist replaced with a whitelist, hence the HDD Browser's custom IOP reboot stops working because UDNL sees the "img0" device as an illegal device. Note that although only "img0:" is visible, the full argument is "img0: img1:". There is a NULL-terminator between arguments for IOP modules. To jump over this wall, I manually loaded UDNL:
Code:
dsidb R> mload rom0:UDNL img0:
...got its address:
Code:
dsidb R> mlist
Id Begin End Size (Text Data Bss) Ver Name
1 830- 190f 10e0 1070 50 20 2.3 System_Memory_Manager
...
22 e7730- e958f 1e60 1cb0 1b0 0 0.0
...and set a breakpoint on that evil function, before starting the module in debug mode:
Code:
dsidb R> bp e7730
$BP3=0x000e7730 init=0x1 curr=0x1 # enabled, auto-init
dsidb R> mstart -d
*** Exception
at=00020004 v0-1=0000003c,00000069 a0-3=007fee7a,000e9401,00000069,000e7700
t0-7=00000018,00000002,00000002,00000002, 00000000,00000000,00000000,00000000
s0-7=007fee60,007fee68,007fee64,00000001, 007fedd8,007feda8,00000420,00000000
t8=00000000 t9=00000000 k0=000171d4 k1=00000000 gp=000f1580 sp=007fed98
fp=007fedf8 ra=000e79b8 lo=00000000 hi=00000000 PC=000e7730 bada=ffffffff
$cr=0x00000024 [ CE0 Breakpoint ]
$sr=0x00000404 [ IM0 IEp ]
0x000e7728: 0xafa5006c sw $a1,0x6c($sp)
0x000e772c: 0x08039f70 j 0x000e7dc0 # <+0x690>
->0x000e7730| 0x00803021 move $a2,$a0
<+0x04>:
0x000e7734: 0x24020020 li $v0,0x20
<+0x08>:
0x000e7738: 0x80c70000 lb $a3,0($a2)
<+0x0c>:
0x000e773c: 0x00000000 nop
<+0x10>:
0x000e7740: 0x10e2fffd beq $a3,$v0,0x000e7738 # <+0x08>
dsidb S>
It's a coincidence that the function exists at the very start of UDNL's text section. I cloned this module before, which was how I knew it exists there. As there are multiple images specified, it is easier to disable this function. This gets it to return immediately, with an "OK" as the return value.
Code:
dsidb S> as $PC jr $ra
dsidb S> step
dsidb S> as $PC addu $v0, $zero, $zero
dsidb S> cont
The browser loads on my DTL-T10000, with it being identified as a SCPH-10000. So easy, right? Now just sink in about 4 hours of trying to figure out why it did not work and add in cursing and swearing. I missed the part about "img0: img1:" and spent about 2-3 hours figuring out why its MCSERV module was missing (since its sceMcInit function was getting stuck at binding).

-- THANKS to the assemblergames archive of a post by SP193
Does anyone know how to convert this code so that I can patch UDNL? Thanks!
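Added example (not part of the post or of SP193's write-up): the two instructions typed with `as $PC` above, encoded as 32-bit MIPS words and written little-endian over the start of the function, with the encoder checked against the `0x00803021` word from the dump. The helper names and the sample buffer are constructed for illustration; the buffer starts at the function, so its offset is 0, whereas in a module file the text section's offset has to be located first.

```python
import struct

REG = {"zero": 0, "v0": 2, "a0": 4, "a2": 6, "ra": 31}  # MIPS register numbers used here

def r_type(rs, rt, rd, funct, shamt=0):
    """Encode a MIPS I R-type (SPECIAL, opcode 0) instruction word."""
    return (rs << 21) | (rt << 16) | (rd << 11) | (shamt << 6) | funct

def addu(rd, rs, rt):
    return r_type(REG[rs], REG[rt], REG[rd], 0x21)

def jr(rs):
    return r_type(REG[rs], 0, 0, 0x08)

# Self-check against the dump: 0x000e7730 holds 0x00803021, "move $a2,$a0",
# which is the pseudo-instruction for addu $a2,$a0,$zero.
ORIGINAL_FIRST_WORD = 0x00803021
assert addu("a2", "a0", "zero") == ORIGINAL_FIRST_WORD

# The two instructions entered with "as $PC ..." in the post; the second
# one sits in the delay slot of the jump.
STUB = [jr("ra"), addu("v0", "zero", "zero")]

def patch_function(text, offset):
    """Return a copy of `text` with the function at `offset` stubbed to return 0."""
    (first,) = struct.unpack_from("<I", text, offset)
    if first != ORIGINAL_FIRST_WORD:
        # Refuse to write if the expected instruction is not there
        # (wrong module, wrong offset, or already patched).
        raise ValueError(f"unexpected word {first:#010x} at offset {offset:#x}")
    out = bytearray(text)
    struct.pack_into("<2I", out, offset, *STUB)
    return bytes(out)

# Constructed sample: the five words shown in the disassembly from 0x000e7730,
# stored little-endian as the IOP stores them.
SAMPLE_TEXT = struct.pack("<5I", 0x00803021, 0x24020020, 0x80C70000,
                          0x00000000, 0x10E2FFFD)

if __name__ == "__main__":
    patched = patch_function(SAMPLE_TEXT, 0)
    print(" ".join(f"{w:08x}" for w in struct.unpack("<5I", patched)))
```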