#patcher.sethword(0x0801C774, 0x2001) #record #patcher.sethword(0x0801C7A8, 0x2001) #Morola/PC-Audio #patcher.sethword(0x0801C6FE, 0x2001) #patcher.sethword(0x0801C718, 0x11B0) #fix a typo.. # freeing ~200k for code patches patcher.ffrange(0x80986E8, 0x80CCF54) # This mirrors the RESET vector to 0x080C020, for use in booting. patcher.setword(0x0800C020, patcher.getword(0x0800C004), 0x00000000) # This makes RESET point to our stub below. patcher.setword(0x0800C004, 0x08098700 + 1) # This stub calls the target RESET vector, # if it's not FFFFFFFF. patcher.sethword(0x08098700, 0x4840) patcher.sethword(0x08098702, 0x2100) patcher.sethword(0x08098704, 0x3901) patcher.sethword(0x08098706, 0x4508) patcher.sethword(0x08098708, 0xd100) patcher.sethword(0x0809870a, 0x483c) patcher.sethword(0x0809870c, 0x4700) # Stores the RESET handler for our stub. patcher.setword(0x080987fc, patcher.getword(0x0800C020), 0xFFFFFFFF) patcher.export("patched.img")
patcher.setwstring(0x080f9a94, "No Fix") #Change the manufacturer string. *Never Worked...* # patcher.setstring(0x080f9588, # "Travis Goodspeed KK4VCZ"); #Change the device name. patcher.setstring(0x080d0eb4, "Patched MD-380/390G") # freeing ~200k for code patches patcher.ffrange(0x0809bda8, 0x80d0614) #This mirrors the RESET vector to 0x080C020, for use in booting. patcher.setword(0x0800C020, patcher.getword(0x0800C004), 0x00000000) #This makes RESET point to our stub below. patcher.setword(0x0800C004, 0x0809bf00 + 1) # app start @ 0x0809c000 patcher.sethword(0x0809bf00, 0x4840) patcher.sethword(0x0809bf02, 0x2100) patcher.sethword(0x0809bf04, 0x3901) patcher.sethword(0x0809bf06, 0x4508) patcher.sethword(0x0809bf08, 0xd100) patcher.sethword(0x0809bf0a, 0x483c) patcher.sethword(0x0809bf0c, 0x4700) #Stores the RESET handler for our stub. patcher.setword(0x0809bffc, patcher.getword(0x0800C020), 0xFFFFFFFF) patcher.export("patched.img")
patcher=Patcher("unwrapped.img"); #Old logo patcher, no longer used. #fhello=open("welcome.txt","rb"); #hello=fhello.read(); #patcher.str2sprite(0x08094610,hello); #print patcher.sprite2str(0x08094610,0x14,760); #Old patch, matching on the first talkgroup. #We don't use this anymore, because the new patch is better. #patcher.nopout(0x0803ee36,0xd1ef); # New patch for monitoring all talk groups , matched on first # entry iff no other match. #wa mov r5, 0 @ 0x0803ee86 # So the radio thinks it matched at zero. patcher.sethword(0x0803ee86, 0x2500); #wa b 0x0803ee38 @ 0x0803ee88 # Branch back to perform that match. patcher.sethword(0x0803ee88,0xe7d6); #Jump back to matched condition. patcher.export("prom-public.img"); # This should be changed to only show missed calls for private # calls directed at the user, and to decode others without # triggering a missed call. patcher.nopout(0x0803ef10,0xd11f); #Matches all private calls. patcher.export("prom-private.img"); #Everything after here is experimental. #Everything after here is experimental. #Everything after here is experimental.
"Patched MD-380/390G") # freeing ~200k for code patches patcher.ffrange(0x0809bda8, 0x80d0614) # This mirrors the RESET vector to 0x080C020, for use in booting. patcher.setword(0x0800C020, patcher.getword(0x0800C004), 0x00000000) # This makes RESET point to our stub below. patcher.setword(0x0800C004, 0x0809bf00 + 1 ) # app start @ 0x0809c000 patcher.sethword(0x0809bf00, 0x4840) patcher.sethword(0x0809bf02, 0x2100) patcher.sethword(0x0809bf04, 0x3901) patcher.sethword(0x0809bf06, 0x4508) patcher.sethword(0x0809bf08, 0xd100) patcher.sethword(0x0809bf0a, 0x483c) patcher.sethword(0x0809bf0c, 0x4700) # Stores the RESET handler for our stub. patcher.setword(0x0809bffc, patcher.getword(0x0800C020), 0xFFFFFFFF) patcher.export("patched.img")
patcher = Patcher("unwrapped.img") #Old logo patcher, no longer used. #fhello=open("welcome.txt","rb"); #hello=fhello.read(); #patcher.str2sprite(0x08094610,hello); #print patcher.sprite2str(0x08094610,0x14,760); #Old patch, matching on the first talkgroup. #We don't use this anymore, because the new patch is better. #patcher.nopout(0x0803ee36,0xd1ef); # New patch for monitoring all talk groups , matched on first # entry iff no other match. #wa mov r5, 0 @ 0x0803ee86 # So the radio thinks it matched at zero. patcher.sethword(0x0803ee86, 0x2500) #wa b 0x0803ee38 @ 0x0803ee88 # Branch back to perform that match. patcher.sethword(0x0803ee88, 0xe7d6) #Jump back to matched condition. #patcher.export("prom-public.img"); # #These aren't quite enough to skip the Color Code check. Not sure why. # patcher.nopout(0x0803ea62,0xf040); #Main CC check. # patcher.nopout(0x0803ea64,0x80fd); # patcher.nopout(0x0803e994,0xf040); #Late Entry CC check. # patcher.nopout(0x0803e996,0x8164); # patcher.nopout(0x0803fd98); #dmr_dll_parser CC check. # patcher.nopout(0x0803fd9a); # patcher.sethword(0x0803fd8e,0xe02d, #Check in dmr_dll_parser(). # 0xd02d); # patcher.nopout(0x0803eafe,0xf100); #Disable CRC check, in case CC is included.
print("Creating patches from unwrapped.img.") patcher = Patcher("unwrapped.img") #test gps #patcher.nopout((0x800C278 + 0)) #patcher.nopout((0x800C278 + 2)) # bypass vocoder copy protection on D013.020 #test manual dial group callable #patcher.sethword(0x08023170, 0x2204) #patcher.sethword(0x08012912, 0x2804) #patcher.sethword(0x0801290A, 0x221C) #remove power on password bullshit patcher.sethword(0x08013AA6, 0xbdf7); patcher.nopout((0x08033f30 + 0x18)) patcher.nopout((0x08033f30 + 0x1a)) patcher.nopout((0x08033f30 + 0x2e)) patcher.nopout((0x08033f30 + 0x30)) patcher.nopout((0x08033f30 + 0x44)) patcher.nopout((0x08033f30 + 0x46)) patcher.nopout((0x08033f30 + 0x5a)) patcher.nopout((0x08033f30 + 0x5c)) patcher.nopout((0x08033f30 + 0x70)) patcher.nopout((0x08033f30 + 0x72)) patcher.nopout((0x08033f30 + 0x86)) patcher.nopout((0x08033f30 + 0x88)) patcher.nopout((0x0804915c + 0x12)) patcher.nopout((0x0804915c + 0x14))
#Match all private calls. monitormodeprivate=False; if __name__ == '__main__': print "Creating patches from unwrapped.img."; patcher=Patcher("unwrapped.img"); # #These aren't quite enough to skip the Color Code check. Not sure why. patcher.nopout(0x0803ea62,0xf040); #Main CC check. patcher.nopout(0x0803ea64,0x80fd); patcher.nopout(0x0803e994,0xf040); #Late Entry CC check. patcher.nopout(0x0803e996,0x8164); patcher.nopout(0x0803fd98); #dmr_dll_parser CC check. patcher.nopout(0x0803fd9a); patcher.sethword(0x0803fd8e,0xe02d, #Check in dmr_dll_parser(). 0xd02d); patcher.nopout(0x0803eafe,0xf100); #Disable CRC check, in case CC is included. patcher.nopout(0x0803eb00,0x80af); # Patches after here allow for an included applet. #This cuts out the Chinese font, freeing ~200k for code patches. patcher.ffrange(0x809c714,0x80d0f80); #This mirrors the RESET vector to 0x080C020, for use in booting. patcher.setword(0x0800C020, patcher.getword(0x0800C004), 0x00000000);
if __name__ == '__main__': print "Creating patches from unwrapped.img." patcher = Patcher("unwrapped.img") # #These aren't quite enough to skip the Color Code check. Not sure why. patcher.nopout(0x0803ea62, 0xf040) #Main CC check. patcher.nopout(0x0803ea64, 0x80fd) patcher.nopout(0x0803e994, 0xf040) #Late Entry CC check. patcher.nopout(0x0803e996, 0x8164) patcher.nopout(0x0803fd98) #dmr_dll_parser CC check. patcher.nopout(0x0803fd9a) patcher.sethword( 0x0803fd8e, 0xe02d, #Check in dmr_dll_parser(). 0xd02d) patcher.nopout(0x0803eafe, 0xf100) #Disable CRC check, in case CC is included. patcher.nopout(0x0803eb00, 0x80af) # Patches after here allow for an included applet. #This cuts out the Chinese font, freeing ~200k for code patches. patcher.ffrange(0x809c714, 0x80d0f80) #This mirrors the RESET vector to 0x080C020, for use in booting. patcher.setword(0x0800C020, patcher.getword(0x0800C004), 0x00000000) #This makes RESET point to our stub below. patcher.setword(0x0800C004, 0x0809cf00 + 1)
#patcher.nopout((0x08011444)) #patcher.nopout((0x08011444) + 0x2) #test manual dial group callable #patcher.sethword(0x08023170, 0x2204) #patcher.sethword(0x08012912, 0x2804) #patcher.sethword(0x080EB1B0, 0x00FF) #patcher.nopout((0x08028F88)) # patcher.nopout((0x08028F88 + 0x2)) # patcher.nopout((0x08028F88 + 0x4)) #patcher.nopout((0x08028F88 + 0x6)) # patcher.nopout((0x08028F88 + 0x8)) # patcher.nopout((0x08028F88 + 0xA)) #test site roaming patcher.sethword(0x0801C774, 0x2001) #record patcher.sethword(0x0801C7A8, 0x2001) #Morola/PC-Audio patcher.sethword(0x0801C6FE, 0x2001) patcher.sethword(0x0801C718, 0x11B0) #fix a typo.. # freeing ~200k for code patches patcher.ffrange(0x80986E8, 0x80CCF54) # This mirrors the RESET vector to 0x080C020, for use in booting. patcher.setword(0x0800C020, patcher.getword(0x0800C004), 0x00000000) # This makes RESET point to our stub below. patcher.setword(0x0800C004, 0x08098700 + 1)