
#1 ldotsfan

Posted 02 June 2012 - 03:37 AM

I think these Evox M8 Bios Bfm patches were written by rmenhal for use in PBL Metoo. Since this code is now hard to come by, here are the code snippets:

m8_bfm_2bl_patch.asm

;;;
;;; Compile this with NASM.
;;;
;;; BFM patch for EvoX M8 bios 2bl. Compile and paste this at offset 0x1cc
;;; into the 2bl (or 0x3d1cc into the 256k bios image).
;;;
;;; What the code below does: builds a page directory at 0x8000f000 and a
;;; page table at 0x8000e000, loads the directory into CR3, reloads CS and
;;; the data segment registers from the GDT descriptor at 0x4001c0, records
;;; the end of the 1 MB shadow ROM in 'shadowromtop', then calls
;;; 'unpackandrun', which continues into the 2bl.
;;;
;;; Assumptions the code relies on but does not establish (verify against
;;; the 2bl):
;;;   - ECX on entry is the physical base of the 1 MB ROM copy in RAM; it is
;;;     the only input register read and is kept in EDX throughout.
;;;   - ORG 0x4001cc means the 2bl is expected at 0x400000.
;;;   - 0x8000e000..0x8000ffff is already addressable when this runs: the
;;;     tables are written there before CR3 is replaced.
;;;   - 0x4001c0, 0x40071f, 0x4005c1, 0x80402e51 and 0x80010030 are fixed
;;;     addresses in this bios' 2bl/kernel layout.
;;;


BITS 32
ORG 0x4001cc

    cli
    cld                                 ; stosd below must advance upward
    mov    edx,ecx                      ; edx = shadow ROM physical base (input)
    mov    edi,0x8000f000               ; edi -> page directory being built
    mov    ecx,0x40                     ; 64 entries
    mov    eax,0xe3                     ; 4 MB page entry: PS|D|A|R/W|P, physical 0
;; Entries 0..63 map virtual 0x00000000-0x0fffffff onto physical 0-256 MB
;; with 4 MB pages. Each entry is also stored 0x800 bytes higher
;; (directory index 512), so virtual 0x80000000-0x8fffffff aliases the
;; same physical range.
pmempagesl:
    mov    [edi+0x800],eax              ; mirror entry for the 0x80000000 half
    stosd                               ; [edi] = eax, edi += 4
    add    eax,0x400000                 ; next 4 MB frame
    loop    pmempagesl

;; Zero the remaining 448 entries of each half (64 + 448 = 512 = one half).
    mov    ecx,0x1c0
    xor    eax,eax
nmpagesl:
    mov    [edi+0x800],eax
    stosd
    loop    nmpagesl

;; Directory entry 0x300 (virtual 0xc0000000-0xc03fffff) -> page table at
;; physical 0xf000, i.e. the directory is mapped as its own page table.
;; Entries 0x3fc-0x3ff (virtual 0xff000000-0xffffffff) all -> the page
;; table at physical 0xe000 filled in below. Flag byte 0x63 = D|A|R/W|P
;; (no PS bit: these entries point to tables, not 4 MB pages).
    mov    edi,0x8000f000
    mov    eax,0xf063
    mov    [edi+0xc00],eax
    sub    eax,0x1000                   ; eax = 0xe063
    mov    [edi+0xff0],eax
    mov    [edi+0xff4],eax
    mov    [edi+0xff8],eax
    mov    [edi+0xffc],eax

;; Fill the page table at 0x8000e000: 4 runs of 256 4 KB pages, each run
;; covering physical [edx, edx+1MB). The 1 MB shadow ROM thus appears four
;; times per 4 MB, and sixteen times across 0xff000000-0xffffffff.
    sub    edi,0x1000                   ; edi -> 0x8000e000
    mov    ebp,4                        ; ebp = runs left
maprommirl:
    lea    eax,[edx+0x63]               ; PTE = physical base | D|A|R/W|P
    mov    ecx,0x100                    ; 256 pages = 1 MB
maproml:stosd
    add    eax,0x1000
    loop    maproml
    dec    ebp
    jnz    maprommirl

;; Switch to the new tables and reload the segment registers.
    mov    eax,0xf000
    mov    cr3,eax                      ; page directory at physical 0xf000
    lgdt    [0x4001c0]                  ; GDT descriptor sits 12 bytes before this patch
    jmp    0x8:dtcj                     ; far jump: CS = selector 0x08
dtcj:
    mov    eax,0x10
    mov    ds,ax                        ; DS/ES/SS = selector 0x10
    mov    es,ax
    mov    ss,ax
    mov    esp,0x80400000               ; new stack, growing down from 0x80400000
    xor    eax,eax
    mov    fs,ax                        ; FS/GS = null selector
    mov    gs,ax

    add    edx,0x80100000               ; virtual address of the end of the 1 MB shadow ROM
    mov    [shadowromtop],edx

    mov    eax,unpackandrun             ; absolute call: this code is not position independent
    call    eax
.inf:    jmp short .inf                 ; unpackandrun is not expected to return


align 4
shadowromtop    dd 0                    ; written above, read by unpackandrun


;; Continue the 2bl: clear a dword in the 2bl image, call into the 2bl at
;; 0x40071f, then rebase the dword at 0x80010030 (kernel image base + 0x30,
;; the field the kernel patch reads as its data-segment pointer) by
;; shadowromtop, and resume the 2bl at 0x4005c1.
unpackandrun:
    and    dword [0x80402e51],byte 0    ; = 0; what this field controls is not visible here

    call    0x40071f

    mov    eax,[shadowromtop]
    add    [0x80010030],eax
    jmp    0x4005c1


m8_bfm_kernel_patch.asm

;;;
;;; Compile this with NASM.
;;;
;;; Allocate contiguous memory for the initialized data segment and
;;; video encoder data segment. Then allocate the corresponding section of
;;; the flash rom to make the pages present and copy the data. Then free
;;; the temporary flash rom allocation. The flash rom is no longer needed.
;;;
;;; Intended to be patched into M8 at 0x80054922 (jmp). This patch can be
;;; placed anywhere, including INIT section. I put it at offset 0x8002f0de.
;;;
;;; To make a working BFM kernel, you'll also need to replace the byte 0xc1
;;; at offset 0x8001e7b7 with byte 0x00. Additionally you need to set the
;;; flags at 0x8003c138 from byte 0x00 to byte 0x03.
;;;
;;; Notes on the code below:
;;;   - No call is followed by an ESP adjustment, so all four kernel
;;;     routines are treated as callee-cleanup.
;;;   - The argument order pushed for 8001DE22h matches the xboxkrnl
;;;     prototype MmAllocateContiguousMemoryEx(NumberOfBytes,
;;;     LowestAcceptableAddress, HighestAcceptableAddress, Alignment,
;;;     Protect) — verify against this bios' kernel export table.
;;;   - Neither allocation result is checked for NULL.
;;;   - General registers are saved with pushad/popad; EFLAGS is not
;;;     preserved across the patch.
;;;


BITS 32
ORG 8002F0DEh

    pushad

    mov    esi,80010000h                ; esi = kernel image base; fields read at +2Ch, +30h, +38h
    push    esi
    call    8001DDD4h; MmGetPhysicalAddress(esi) -> eax

    dec    eax                          ; eax = phys(kernel base) - 1: highest address the buffer may use
    mov    ebx,[esi+2Ch]
    add    ebx,[esi+38h]                ; ebx = byte count (data segment + video encoder data, per header)

    push    byte 4                      ; Protect
    push    byte 0                      ; Alignment
    push    eax                         ; HighestAcceptableAddress
    push    byte 0                      ; LowestAcceptableAddress
    push    ebx                         ; NumberOfBytes
    call    8001DE22h; MmAllocateContiguousMemoryEx
    mov    edi,eax                      ; edi = dest (virtual); assumed non-NULL

    push    byte 1
    push    ebx
    push    edi
    call    8001E021h; MmPersistContiguousMemory(edi, ebx, 1)

    mov    edx,[esi+30h]                ; edx = src (current data-segment pointer)

    push    edi                         ; keep dest virtual address; edi is masked below

;; Page-align both ranges. Mask 7FFFF000h drops the low 12 bits and bit 31,
;; so a 0x8000xxxx virtual address becomes its page-aligned offset from
;; 0x80000000 (the physical address, given the 2bl's identity alias).
    lea    ecx,[ebx+0FFFh]              ; ecx = size + 0xfff, rounds the end up
    mov    ebp,07FFFF000h
    lea    eax,[edx+ecx]                ; eax = src + size + 0xfff
    add    ecx,edi                      ; ecx = dest + size + 0xfff
    and    edx,ebp
    and    edi,ebp
    and    eax,ebp
    and    ecx,ebp

;; EDX = src start
;; EAX = src end
;; EDI = dest start
;; ECX = dest end
;; (page aligned; ends exclusive)

;; Clip the src range to exclude whatever overlaps the dest allocation:
;; those pages are present already.
    cmp    edx,edi
    jae    highsrc
    cmp    eax,edi
    jbe    srcalloc                     ; src entirely below dest
    mov    eax,edi                      ; src overlaps from below: cut at dest start
    jmp    short srcalloc
highsrc:cmp    edx,ecx
    jae    srcalloc                     ; src entirely above dest
    mov    edx,ecx                      ; src overlaps from above: cut at dest end

srcalloc:
    pop    edi                          ; edi = dest (virtual) again

    cmp    eax,edx
    je    skipsa                        ; src lies entirely inside dest: nothing to make present;
                                        ; note the pointer update and copy are skipped too

;; Allocate exactly the physical range [edx, eax) so its pages become present.
    push    byte 4                      ; Protect
    push    byte 0                      ; Alignment
    dec    eax
    push    eax                         ; HighestAcceptableAddress = end - 1
    push    edx                         ; LowestAcceptableAddress = start
    sub    eax,edx
    inc    eax
    push    eax                         ; NumberOfBytes = end - start
    call    8001DE22h; MmAllocateContiguousMemoryEx
    push    eax; push argument for MmFreeContiguousMemory (not NULL-checked)


;; Critical section: interrupts off while the data-segment pointer moves.
    pushf                               ; saves IF and DF; restored by popf below
    push    dword [esi+30h]             ; save src virtual pointer for the copy
    cli
    mov    eax,0C0200040h               ; memory-mapped register; its meaning is not visible here
    push    dword [eax]                 ; save it
    or    dword [eax],byte 03h          ; set its low two bits
    mov    ecx,cr3
    mov    cr3,ecx                      ; reload CR3: flush the TLB

    mov    [esi+30h],edi                ; data-segment pointer now = dest
    wbinvd                              ; write back and invalidate caches

    pop    dword [eax]                  ; restore the register
    mov    cr3,ecx                      ; flush the TLB again
    pop    esi                          ; esi = src (virtual)

;; memmove(edi, esi, ebx): forward copy unless src is below dest and the
;; ranges overlap, in which case copy backward (DF = 1).
    cmp    esi,edi
    ja    copy                          ; src above dest: forward is safe
    je    nocopy                        ; same address: nothing to do

    lea    ecx,[esi+ebx]                ; ecx = src end
    cmp    ecx,edi
    jbe    copy                         ; disjoint: forward

    lea    esi,[ecx-1]                  ; overlapping: start from the last byte
    lea    edi,[edi+ebx-1]
    std

copy:    mov    ecx,ebx
    rep    movsb
nocopy:
    popf                                ; restores DF (undoes std) and IF

    call    8001E4E7h; MmFreeContiguousMemory (argument pushed right after the allocation)

skipsa:
    popad
    jmp    800B145Ah                    ; continue in the kernel


m8_eject_trick_patch.asm

;;;
;;; Compile with NASM.
;;;
;;; Eject trick patch for Evox M8. Better than the original. :)
;;; Compile and paste this at kernel offset 0x8002f5c8.
;;;
;;; Set the dword at offset 0x8002f687 to:
;;;   ff ff ff 00 for eject trick
;;;   ff ff ff 80 for eject fix (never reset on eject).
;;;
;;; Additionally:
;;;   for eject trick, set the byte at 0x8001501b to 0xc3.
;;;   for eject fix, set the byte at 0x8001500b to 0xc3.
;;;
;;; Register contract, as far as the code shows (this replaces the body of
;;; an existing kernel routine, so EBP is that routine's frame pointer and
;;; ECX is a live mask from it, preserved around the only call below):
;;;   in:  [0x8003c138] flags dword, ECX = bit mask, EBP = caller's frame
;;;   out: [0x8003c138] updated; EAX = new flags, EDI = 0, EDX clobbered
;;;


BITS 32
snorg        equ 0x8002f5c8             ; ORG value as a symbol, for the size check below
ORG        0x8002f5c8


lf5c8:    mov    eax,[0x8003c138]       ; eax = flags (the dword the kernel-patch header says to set to 3)
    xor    edi,edi                      ; edi = 0, passed as an argument below

    cmp    byte [0x8003b87c],0x0
    jne    decideroe                    ; nonzero byte: skip the call entirely
    test    al,0x8
    jne    skroedsbl                    ; bit 3 already set: skip the call

    push    eax                         ; eax/ecx are clobbered by the call
    push    ecx
retry:    push    byte 1
    push    edi                         ; 0
    push    byte 0x19
    push    byte 0x20
    call    0x80014743                  ; kernel routine (0x20, 0x19, 0, 1); callee cleans up the 4 args
    test    eax,eax
    jl    retry                         ; negative (failure) result: retry; there is no upper bound
    pop    ecx
    pop    eax
skroedsbl:


decideroe:
    and    eax,byte -0x9                ; clear bit 3 (mask 0xfffffff7)
    cmp    byte [ebp+0xc],0x0
    jnz    roeoff
    mov    edx,[ebp-0x14]
    test    [edx+0x9c],ecx              ; ecx = mask inherited from the surrounding routine
    jnz    roeoff
    test    al,0x4
    jnz    roeoff
    test    [0x8003c158],ecx
    jz    setflags                      ; every condition clear: leave bit 3 clear

roeoff:    or    eax,byte +0x8          ; set bit 3
setflags:
    mov    [0x8003c138],eax

    jmp    0x8002f63f                   ; continue in the original routine


;; The patch must fit in the region up to 0x8002f629; the remainder is
;; padded with int3.
%if ($-lf5c8) > (0x8002f629-snorg)
    %error patch too big!
%endif

    times ((0x8002f629-snorg)-($-lf5c8)) db 0xcc


m8_xbl_block_patch1.asm and m8_xbl_block_patch2.asm

;; m8_xbl_block_patch1.asm
;; Spliced into the kernel at 8002EF52h; always ends by jumping to 8002EF97h.
;; Compares the string at [ebx+14h] with "XONLINE\0" and, on a match, calls
;; patch 2 at 8002F68Bh. What EBX points to, and why EDI is popped on the
;; way out, belong to the displaced kernel code and are not visible here.
;; Clobbers ecx and esi (and, via patch 2, eax) without saving them.
BITS 32
ORG 8002EF52h
SNORG equ 8002EF52h                     ; ORG value as a symbol, for the size check and the jump encoding


xblpatch1:
    mov    esi,[ebx+14h]                ; esi -> name string, NULL when absent
    test    esi,esi
    jz    .skip
    mov    edi,xblsecstr
    push    byte XBLSECSTRLEN           ; 3-byte way to set ecx = 8 (mov ecx,imm32 would be 5)
    pop    ecx
    rep    cmpsb                        ; compare 8 bytes, terminator included
    jne    .skip

    call    8002F68Bh                   ; xblpatch2

.skip:    pop    edi
    db    0EBh, 8002EF97h-(SNORG+2+$-$$)   ; = jmp short 8002EF97h; $-$$ is the offset from ORG, +2 the end of this instruction


xblsecstr    db 'XONLINE',0
XBLSECSTRLEN    equ $-xblsecstr         ; 8


;; Code plus string must fit in the 36 bytes up to 8002EF76h; the rest is
;; padded with int3.
%if ($-xblpatch1) > (8002EF76h-SNORG)
    %error patch too big!
%endif

    times ((8002EF76h-SNORG)-($-xblpatch1)) db 0xcc

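;; m8_xbl_block_patch2.asm
;; Called from patch 1 (8002EF52h) once the section name matched "XONLINE".
;; Scans the byte range starting at [ebx+4] with length [ebx+10h] for the
;; 6-byte sequence in 'codestr' followed at +7 by the dword 80151000h, and
;; overwrites the two bytes at +2 (the 75 0C conditional jump) with 90 90
;; (two nops). What EBX points to belongs to the displaced kernel code.
;;
;; In:    ebx -> structure holding the range at +4 (start) and +10h (length)
;; Out:   none; clobbers eax, ecx, esi, edi and flags
;;
;; Fix: the remaining-byte counter in ecx is preserved around 'rep cmpsb',
;; which also uses ecx as its count. Without the push/pop the first mismatch
;; replaced the counter with the leftover compare count, so the scan either
;; stopped after a handful of bytes or — after a 6-byte match whose dword
;; check failed — decremented from 0 and ran past the end of the range.
BITS 32
ORG 8002F68Bh
SNORG equ 8002F68Bh


xblpatch2:
    mov    eax,[ebx+4]                  ; eax = range start
    mov    ecx,[ebx+10h]                ; ecx = range length
    cmp    ecx,byte 12
    jb    .skip                         ; too short for pattern (6) + gap (1) + dword (4)
    sub    ecx,byte 10                  ; scan start+1 .. start+len-11, so [eax+10] stays inside the range

.searchl:
    inc    eax
    dec    ecx
    jz    .skip                         ; range exhausted, no match

    push    ecx                         ; keep the byte counter; rep cmpsb consumes ecx
    mov    esi,eax
    mov    edi,codestr
    push    byte CODESTRLEN             ; ecx = 6 (3-byte form)
    pop    ecx
    rep    cmpsb                        ; ZF = 1 iff all 6 bytes match
    pop    ecx                          ; restore the counter; pop leaves ZF intact
    jne    .searchl

    cmp    dword [eax+7],80151000h      ; immediate of the 'mov dword [ebp+disp8],imm32' after the jump
    jne    .searchl

    mov    word [eax+2],9090h           ; 75 0C (jnz +0Ch) -> 90 90

.skip:
    ret


codestr        db 0A8h, 01h, 75h, 0Ch, 0C7h, 45h   ; test al,1 / jnz +0Ch / mov dword [ebp+disp8],...
CODESTRLEN    equ $-codestr            ; 6


;; Must fit in the 109 bytes up to 8002F6F8h; the padding adjusts itself.
%if ($-xblpatch2) > (8002F6F8h-SNORG)
    %error patch too big!
%endif

    times ((8002F6F8h-SNORG)-($-xblpatch2)) db 0xcc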


Edited by ldotsfan, 02 June 2012 - 03:39 AM.




