# Vocoder Patch for MD380 Firmware
# Applies to version S013.020
from Patcher import Patcher
#Match all public calls.
monitormode = False
#Match all private calls.
monitormodeprivate = False
if __name__ == '__main__':
print "Creating patches from unwrapped.img."
patcher = Patcher("unwrapped.img")
# bypass vocoder copy protection on S013.020
patcher.nopout((0x8034a60))
patcher.nopout((0x8034a60 + 0x2))
patcher.nopout((0x8034a76))
patcher.nopout((0x8034a76 + 0x2))
patcher.nopout((0x8034a8c))
patcher.nopout((0x8034a8c + 0x2))
patcher.nopout((0x8034aa2))
patcher.nopout((0x8034aa2 + 0x2))
patcher.nopout((0x8034ab8))
patcher.nopout((0x8034ab8 + 0x2))
patcher.nopout((0x8034ace))
patcher.nopout((0x8034ace + 0x2))
patcher.nopout((0x8049f9a))
patcher.nopout((0x8049f9a + 0x2))
patcher.nopout((0x804a820))
patcher.nopout((0x804a820 + 0x2))
# Vocoder Patch for MD380 Firmware
# Applies to version S013.020
from Patcher import Patcher
# Match all public calls.
monitormode = False
# Match all private calls.
monitormodeprivate = False
if __name__ == '__main__':
print("Creating patches from unwrapped.img.")
patcher = Patcher("unwrapped.img")
# bypass vocoder copy protection on S013.020
patcher.nopout((0x8034a60))
patcher.nopout((0x8034a60 + 0x2))
patcher.nopout((0x8034a76))
patcher.nopout((0x8034a76 + 0x2))
patcher.nopout((0x8034a8c))
patcher.nopout((0x8034a8c + 0x2))
patcher.nopout((0x8034aa2))
patcher.nopout((0x8034aa2 + 0x2))
patcher.nopout((0x8034ab8))
patcher.nopout((0x8034ab8 + 0x2))
patcher.nopout((0x8034ace))
patcher.nopout((0x8034ace + 0x2))
patcher.nopout((0x8049f9a))
patcher.nopout((0x8049f9a + 0x2))
patcher.nopout((0x804a820))
patcher.nopout((0x804a820 + 0x2))
# Applies to version D013.020
from Patcher import Patcher
# Match all public calls.
monitormode = False
# Match all private calls.
monitormodeprivate = False
if __name__ == '__main__':
print("Creating patches from unwrapped.img.")
patcher = Patcher("unwrapped.img")
# bypass vocoder copy protection on D013.020
patcher.nopout((0x08033f30 + 0x18))
patcher.nopout((0x08033f30 + 0x1a))
patcher.nopout((0x08033f30 + 0x2e))
patcher.nopout((0x08033f30 + 0x30))
patcher.nopout((0x08033f30 + 0x44))
patcher.nopout((0x08033f30 + 0x46))
patcher.nopout((0x08033f30 + 0x5a))
patcher.nopout((0x08033f30 + 0x5c))
patcher.nopout((0x08033f30 + 0x70))
patcher.nopout((0x08033f30 + 0x72))
patcher.nopout((0x08033f30 + 0x86))
patcher.nopout((0x08033f30 + 0x88))
patcher.nopout((0x0804915c + 0x12))
patcher.nopout((0x0804915c + 0x14))
patcher.nopout((0x080499e2 + 0x12))
patcher.nopout((0x080499e2 + 0x14))
# Applies to version D013.020
from Patcher import Patcher
# Match all public calls.
monitormode = False
# Match all private calls.
monitormodeprivate = False
if __name__ == '__main__':
print("Creating patches from unwrapped.img.")
patcher = Patcher("unwrapped.img")
# bypass vocoder copy protection on D013.020
patcher.nopout((0x08033f30 + 0x18))
patcher.nopout((0x08033f30 + 0x1a))
patcher.nopout((0x08033f30 + 0x2e))
patcher.nopout((0x08033f30 + 0x30))
patcher.nopout((0x08033f30 + 0x44))
patcher.nopout((0x08033f30 + 0x46))
patcher.nopout((0x08033f30 + 0x5a))
patcher.nopout((0x08033f30 + 0x5c))
patcher.nopout((0x08033f30 + 0x70))
patcher.nopout((0x08033f30 + 0x72))
patcher.nopout((0x08033f30 + 0x86))
patcher.nopout((0x08033f30 + 0x88))
patcher.nopout((0x0804915c + 0x12))
patcher.nopout((0x0804915c + 0x14))
patcher.nopout((0x080499e2 + 0x12))
patcher.nopout((0x080499e2 + 0x14))
#We don't use this anymore, because the new patch is better.
#patcher.nopout(0x0803ee36,0xd1ef);
# New patch for monitoring all talk groups , matched on first
# entry iff no other match.
#wa mov r5, 0 @ 0x0803ee86 # So the radio thinks it matched at zero.
patcher.sethword(0x0803ee86, 0x2500);
#wa b 0x0803ee38 @ 0x0803ee88 # Branch back to perform that match.
patcher.sethword(0x0803ee88,0xe7d6); #Jump back to matched condition.
patcher.export("prom-public.img");
# This should be changed to only show missed calls for private
# calls directed at the user, and to decode others without
# triggering a missed call.
patcher.nopout(0x0803ef10,0xd11f); #Matches all private calls.
patcher.export("prom-private.img");
#Everything after here is experimental.
#Everything after here is experimental.
#Everything after here is experimental.
#This cuts out the Chinese font, freeing ~200k for code patches.
patcher.ffrange(0x809c714,0x80d0f80);
#This mirrors the RESET vector to 0x080C020, for use in booting.
patcher.setword(0x0800C020,
patcher.getword(0x0800C004),
0x00000000);
#This makes the app its own sideload. Don't ship with it!
# Applies to version 2.032
from Patcher import Patcher
#Match all public calls.
monitormode=False;
#Match all private calls.
monitormodeprivate=False;
if __name__ == '__main__':
print "Creating patches from unwrapped.img.";
patcher=Patcher("unwrapped.img");
# #These aren't quite enough to skip the Color Code check. Not sure why.
patcher.nopout(0x0803ea62,0xf040); #Main CC check.
patcher.nopout(0x0803ea64,0x80fd);
patcher.nopout(0x0803e994,0xf040); #Late Entry CC check.
patcher.nopout(0x0803e996,0x8164);
patcher.nopout(0x0803fd98); #dmr_dll_parser CC check.
patcher.nopout(0x0803fd9a);
patcher.sethword(0x0803fd8e,0xe02d, #Check in dmr_dll_parser().
0xd02d);
patcher.nopout(0x0803eafe,0xf100); #Disable CRC check, in case CC is included.
patcher.nopout(0x0803eb00,0x80af);
# Patches after here allow for an included applet.
#This cuts out the Chinese font, freeing ~200k for code patches.
patcher.ffrange(0x809c714,0x80d0f80);
# patcher.nopout(0x0803ea64,0x80fd);
# patcher.nopout(0x0803e994,0xf040); #Late Entry CC check.
# patcher.nopout(0x0803e996,0x8164);
# patcher.nopout(0x0803fd98); #dmr_dll_parser CC check.
# patcher.nopout(0x0803fd9a);
# patcher.sethword(0x0803fd8e,0xe02d, #Check in dmr_dll_parser().
# 0xd02d);
# patcher.nopout(0x0803eafe,0xf100); #Disable CRC check, in case CC is included.
# patcher.nopout(0x0803eb00,0x80af);
#patcher.export("prom-colors.img");
# This should be changed to only show missed calls for private
# calls directed at the user, and to decode others without
# triggering a missed call.
patcher.nopout(0x0803ef10, 0xd11f)
#Matches all private calls.
#patcher.export("prom-private.img");
#Everything after here is experimental.
#Everything after here is experimental.
#Everything after here is experimental.
#This cuts out the Chinese font, freeing ~200k for code patches.
patcher.ffrange(0x809c714, 0x80d0f80)
#This mirrors the RESET vector to 0x080C020, for use in booting.
patcher.setword(0x0800C020, patcher.getword(0x0800C004), 0x00000000)
#This makes RESET point to our stub below.
patcher.setword(0x0800C004, 0x0809cf00 + 1)
# Applies to version S013.020
from Patcher import Patcher
# Match all public calls.
monitormode = False
# Match all private calls.
monitormodeprivate = True
if __name__ == '__main__':
print("Creating patches from unwrapped.img.")
patcher = Patcher("unwrapped.img")
#test
#patcher.sethword(0x08016850, 0x4770)
patcher.nopout((0x080137D0))
patcher.nopout((0x080137D0 + 0x2))
# bypass vocoder copy protection on S013.020
patcher.nopout((0x8034a60))
patcher.nopout((0x8034a60 + 0x2))
patcher.nopout((0x8034a76))
patcher.nopout((0x8034a76 + 0x2))
patcher.nopout((0x8034a8c))
patcher.nopout((0x8034a8c + 0x2))
patcher.nopout((0x8034aa2))
patcher.nopout((0x8034aa2 + 0x2))
patcher.nopout((0x8034ab8))
patcher.nopout((0x8034ab8 + 0x2))
patcher.nopout((0x8034ace))
patcher.nopout((0x8034ace + 0x2))
# Promiscuous Mode Patch for MD380 Firmware
# Applies to version 2.032
from Patcher import Patcher
#Match all public calls.
monitormode = False
#Match all private calls.
monitormodeprivate = False
if __name__ == '__main__':
print "Creating patches from unwrapped.img."
patcher = Patcher("unwrapped.img")
# #These aren't quite enough to skip the Color Code check. Not sure why.
patcher.nopout(0x0803ea62, 0xf040)
#Main CC check.
patcher.nopout(0x0803ea64, 0x80fd)
patcher.nopout(0x0803e994, 0xf040)
#Late Entry CC check.
patcher.nopout(0x0803e996, 0x8164)
patcher.nopout(0x0803fd98)
#dmr_dll_parser CC check.
patcher.nopout(0x0803fd9a)
patcher.sethword(
0x0803fd8e,
0xe02d, #Check in dmr_dll_parser().
0xd02d)
patcher.nopout(0x0803eafe, 0xf100)
#Disable CRC check, in case CC is included.
patcher.nopout(0x0803eb00, 0x80af)
# Promiscuous Mode Patch for MD380 Firmware
# Applies to version 2.032
from Patcher import Patcher
#Match all public calls.
monitormode = False
#Match all private calls.
monitormodeprivate = False
if __name__ == '__main__':
print "Creating patches from unwrapped.img."
patcher = Patcher("unwrapped.img")
# #These aren't quite enough to skip the Color Code check. Not sure why.
patcher.nopout(0x0803ea62, 0xf040)
#Main CC check.
patcher.nopout(0x0803ea64, 0x80fd)
patcher.nopout(0x0803e994, 0xf040)
#Late Entry CC check.
patcher.nopout(0x0803e996, 0x8164)
patcher.nopout(0x0803fd98)
#dmr_dll_parser CC check.
patcher.nopout(0x0803fd9a)
patcher.sethword(
0x0803fd8e,
0xe02d, #Check in dmr_dll_parser().
0xd02d)
patcher.nopout(0x0803eafe, 0xf100)
#Disable CRC check, in case CC is included.
patcher.nopout(0x0803eb00, 0x80af)
# Promiscuous Mode Patch for MD380 Firmware
# Applies to version 2.032
from Patcher import Patcher
# Match all public calls.
monitormode = False
# Match all private calls.
monitormodeprivate = False
if __name__ == '__main__':
print("Creating patches from unwrapped.img.")
patcher = Patcher("unwrapped.img")
# #These aren't quite enough to skip the Color Code check. Not sure why.
patcher.nopout(0x0803ea62, 0xf040) # Main CC check.
patcher.nopout(0x0803ea64, 0x80fd)
patcher.nopout(0x0803e994, 0xf040) # Late Entry CC check.
patcher.nopout(0x0803e996, 0x8164)
patcher.nopout(0x0803fd98) # dmr_dll_parser CC check.
patcher.nopout(0x0803fd9a)
patcher.sethword(
0x0803fd8e,
0xe02d, # Check in dmr_dll_parser().
0xd02d)
patcher.nopout(0x0803eafe,
0xf100) # Disable CRC check, in case CC is included.
patcher.nopout(0x0803eb00, 0x80af)
# Disable the ALPU Licence Check (vocoder version)
patcher.nopout(0x8032a54)
# Applies to version 2.032
from Patcher import Patcher
#Match all public calls.
monitormode=False;
#Match all private calls.
monitormodeprivate=False;
if __name__ == '__main__':
print "Creating patches from unwrapped.img.";
patcher=Patcher("unwrapped.img");
# #These aren't quite enough to skip the Color Code check. Not sure why.
patcher.nopout(0x0803ea62,0xf040); #Main CC check.
patcher.nopout(0x0803ea64,0x80fd);
patcher.nopout(0x0803e994,0xf040); #Late Entry CC check.
patcher.nopout(0x0803e996,0x8164);
patcher.nopout(0x0803fd98); #dmr_dll_parser CC check.
patcher.nopout(0x0803fd9a);
patcher.sethword(0x0803fd8e,0xe02d, #Check in dmr_dll_parser().
0xd02d);
patcher.nopout(0x0803eafe,0xf100); #Disable CRC check, in case CC is included.
patcher.nopout(0x0803eb00,0x80af);
# Patches after here allow for an included applet.
#This cuts out the Chinese font, freeing ~200k for code patches.
patcher.ffrange(0x809c714,0x80d0f80);
