I figured out a way of taking screenshots.
It works through the process "layermanager". Unfortunately, its default config forbids screenshots with a line "disableSnapshots=1".
Since layermanager and its config are in the root-ifs, it's not easy to modify them. You'd have to dump the flash, modify the ifs and flash it back. Chances of a brick are high for something so trivial.
Instead I disassembled the layermanager, found where the check for that attribute is and then modified layermanager in memory.
The check happens in FUN_08057a24. If this function returns 1, we're not allowed to take screenshots. Thus, at 0x08057a46 we will change the instruction "mov.l @(r0,r1),r0" to "mov #0x0,r0". This forces the function to return 0.
Copy the attached dd binary to somewhere r/w. Like /mnt/hbdebug for example. Plug a usb drive into USB1 and dump the memory:
Code:
dd if=/dev/mem of=/fs/usb0/cic-memory.bin bs=4096 count=32768
With the memory dump search for byte sequence "00 E0 04 91 1E 00 E3 6F 26 4F 0B 00 F6 6E 4C 01". Note the offset of "1E 00", this is the instruction to patch. Since the startup script is the same, your offset may be the same as mine.
Dump the two bytes of memory at that offset to double-check:
Code:
dd if=/dev/mem of=/fs/usb0/layer-dump.bin bs=1 skip=138934854 count=2
If the output was "1E 00" proceed to patch it:
Code:
dd if=/fs/usb0/patch.bin of=/dev/mem bs=1 seek=138934854 count=2
Finally, we can take an actual screenshot:
Code:
# 256 is the main screen. 513 is the split screen
echo d-shot 256 /fs/usb0/screenshot-d.png > /dev/layermanager
E92 images to follow.
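The search, double-check and patch steps above, as an added shell example that is not from the original post and was not run on a CIC: it works on a memory image file (a constructed sample here, not a real dump) rather than /dev/mem, locates the 16-byte signature from the post, skips nibble-shifted false matches, confirms that the two bytes four in are 1E 00, and overwrites them. The patch bytes 00 E0 are my own derivation (little-endian encoding of SH "mov #0,r0", opcode E000, the instruction the post names); the attached patch.bin is not shown on the page, so that value is an assumption. The offsets it prints are offsets into the file; on the real unit you would take the offset from the cic-memory.bin dump and feed it to the dd commands against /dev/mem as the post shows.

```shell
#!/bin/sh
# Added example (not the post's code): locate and patch the layermanager
# snapshot check in a memory image FILE, using only POSIX sh, od, awk and dd.

# 16-byte signature from the post; the "1E 00" instruction is 4 bytes into it.
SIGNATURE_HEX="00e004911e00e36f264f0b00f66e4c01"
INSTR_OFFSET_IN_SIG=4

# Print the byte offset of the "1E 00" instruction in image $1, or fail if absent.
# The search runs on a hex dump, so a hit starting on an odd hex digit is a
# nibble-shifted false positive and is skipped.
find_patch_offset() {
    start=$(od -An -v -tx1 "$1" | tr -d ' \n' | awk -v p="$SIGNATURE_HEX" '
        { s = $0; base = 0
          while ((i = index(s, p)) > 0) {
              pos = base + i - 1          # 0-based digit offset in the hex string
              if (pos % 2 == 0) { print pos / 2; exit }
              s = substr(s, i + 1); base += i
          } }')
    [ -n "$start" ] || return 1
    echo $((start + INSTR_OFFSET_IN_SIG))
}

# Print the two bytes at offset $2 of file $1 as lowercase hex (e.g. "1e00").
read_word() {
    dd if="$1" bs=1 skip="$2" count=2 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Verify the original instruction is in place, then overwrite it with "00 E0".
# Assumption: 00 E0 is little-endian SH "mov #0,r0" (opcode E000); patch.bin
# from the post is not shown on the page.
patch_image() {
    off=$(find_patch_offset "$1") || { echo "signature not found" >&2; return 1; }
    [ "$(read_word "$1" "$off")" = "1e00" ] || { echo "unexpected bytes at $off" >&2; return 2; }
    printf '\000\340' | dd of="$1" bs=1 seek="$off" count=2 conv=notrunc 2>/dev/null
    [ "$(read_word "$1" "$off")" = "00e0" ]
}

# Constructed sample image (not a real dump): filler, a decoy that matches the
# signature only when read from the second hex digit, more filler, then the
# real signature at byte 32 (so the instruction sits at byte 36).
make_sample_image() {
    {
        printf '\377\377\377\377\377\377\377\377'
        printf '\360\016\000\111\021\340\016\066\362\144\360\260\017\146\344\300\037'
        printf '\377\377\377\377\377\377\377'
        printf '\000\340\004\221\036\000\343\157\046\117\013\000\366\156\114\001'
        printf '\377\377\377\377\377\377\377\377'
    } > "$1"
}

# Demo run on the constructed image.
img=$(mktemp)
make_sample_image "$img"
off=$(find_patch_offset "$img")
echo "instruction at offset $off: $(read_word "$img" "$off")"
patch_image "$img" && echo "patched: $(read_word "$img" "$off")"
rm -f "$img"
```

The conv=notrunc is needed when the target is a regular file; it is irrelevant for /dev/mem, which is why the post's dd line can omit it. Converting a 128 MB dump to hex before searching is slow but avoids any dependency on grep -P or similar non-POSIX tools.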