first commit, enjoy

Makefile

@@ -0,0 +1,15 @@
+# Copyright 2016 FIX94
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+all:
+	@$(MAKE) --no-print-directory -C loader
+	@mv -f loader/loader.h exploit/loader.h
+	@$(MAKE) --no-print-directory -C exploit
+	@mkdir -p gci
+	@mv -f exploit/*.gci gci
+
+clean:
+	@$(MAKE) --no-print-directory -C loader clean
+	@$(MAKE) --no-print-directory -C exploit clean
+	rm -rf gci

README.md

@@ -1,2 +1,3 @@
 # pandoratomorrow-exploit-gc
-a exploit for splinter cell pandora tomorrow on gamecube
+A exploit for splinter cell pandora tomorrow on gamecube, you only need a method of injecting the .gci onto your memory card.  
+This exploit will load a boot.dol converted with dol2gci (included in Home Bros.) from your memory card.  

exploit/Makefile

@@ -0,0 +1,88 @@
+# Copyright 2008-2009  Segher Boessenkool  <[email protected]>
+# GameCube Port Copyright 2016 FIX94
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= powerpc-eabi-
+
+ifeq ($(OS),Windows_NT)
+	FIXCRC = $(CURDIR)/pandoratomorrow_crc.exe
+else
+	FIXCRC = $(CURDIR)/pandoratomorrow_crc
+endif
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+	CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+	LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -O1 -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+	Q :=
+else
+	Q := @
+	MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := gt7e.gci gt7p.gci gt7x.gci
+targets-short := gt7e gt7p gt7x
+
+objs := pandoratomorrow.o
+
+all: $(targets)
+
+$(targets): %.gci : %.dat %.hdr
+	@echo "  OUTPUT    $@"
+	$(Q)dd if=$(filter %.hdr,$^) of=$@ bs=1 count=16540 2>/dev/null
+	$(Q)dd if=$(filter %.dat,$^) of=$@ bs=1 seek=16540 count=20480 2>/dev/null
+	$(Q)dd if=$(filter %.hdr,$^) of=$@ bs=1 skip=37020 seek=37020 count=4004 2>/dev/null
+	$(Q)$(FIXCRC) $@
+
+dats := gt7e.dat gt7p.dat gt7x.dat
+
+$(dats): %.dat: %.elf
+	@echo "  OBJCOPY   $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+elfs := $(dats:.dat=.elf)
+
+gt7e.elf: baddr := 0x80488E40+0x405C
+gt7p.elf: baddr := 0x80489400+0x405C
+gt7x.elf: baddr := 0x80489400+0x405C
+$(elfs): %.elf: %.ld %.o $(objs)
+	@echo "  LINK      $@"
+	$(Q)$(LD) --defsym baddr=$(baddr) -T $^ -o $@
+
+exploit-objs := $(elfs:.elf=.o)
+
+$(exploit-objs): %.o: start.S mapAfterName.bin
+	@echo "  ASSEMBLE  $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+%.o: %.c
+	@echo "  COMPILE   $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+clean:
+	-rm -f $(targets) $(saves) $(elfs) $(exploit-objs) $(objs) $(slots) $(dats) loader.h

exploit/gt7e.ld

@@ -0,0 +1,30 @@
+/* Copyright 2008-2009  Segher Boessenkool  <[email protected]>
+   GameCube Port Copyright 2016 FIX94
+   This code is licensed to you under the terms of the GNU GPL, version 2;
+   see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+	card_getres = 0x80315E80;
+	card_mountasync = 0x80319380;
+	card_unmount = 0x803195BC;
+	card_open = 0x8031A314;
+	card_close = 0x8031A430;
+	card_readasync = 0x8031AAC4;
+	gx_setdrawdone = 0x8032430C;
+	os_stopaudiosystem = 0x8032DFEC;
+	os_disable_scheduler = 0x80332AE0;
+
+	.pandoratomorrow baddr :
+	{
+		gt7*.o(.start)
+		*(.text)
+		*(.rodata .rodata.*)
+		*(.data)
+		. = 0xFFC;
+		*(.bss)
+		. = 0x5000;
+	}
+}

exploit/gt7p.ld

@@ -0,0 +1,30 @@
+/* Copyright 2008-2009  Segher Boessenkool  <[email protected]>
+   GameCube Port Copyright 2016 FIX94
+   This code is licensed to you under the terms of the GNU GPL, version 2;
+   see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+	card_getres = 0x80316664;
+	card_mountasync = 0x80319B64;
+	card_unmount = 0x80319DA0;
+	card_open = 0x8031AAF8;
+	card_close = 0x8031AC14;
+	card_readasync = 0x8031B2A8;
+	gx_setdrawdone = 0x80324868;
+	os_stopaudiosystem = 0x8032E310;
+	os_disable_scheduler = 0x80332D5C;
+
+	.pandoratomorrow baddr :
+	{
+		gt7*.o(.start)
+		*(.text)
+		*(.rodata .rodata.*)
+		*(.data)
+		. = 0xFFC;
+		*(.bss)
+		. = 0x5000;
+	}
+}

exploit/gt7x.ld

@@ -0,0 +1,30 @@
+/* Copyright 2008-2009  Segher Boessenkool  <[email protected]>
+   GameCube Port Copyright 2016 FIX94
+   This code is licensed to you under the terms of the GNU GPL, version 2;
+   see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+	card_getres = 0x80316664;
+	card_mountasync = 0x80319B64;
+	card_unmount = 0x80319DA0;
+	card_open = 0x8031AAF8;
+	card_close = 0x8031AC14;
+	card_readasync = 0x8031B2A8;
+	gx_setdrawdone = 0x80324868;
+	os_stopaudiosystem = 0x8032E310;
+	os_disable_scheduler = 0x80332D5C;
+
+	.pandoratomorrow baddr :
+	{
+		gt7*.o(.start)
+		*(.text)
+		*(.rodata .rodata.*)
+		*(.data)
+		. = 0xFFC;
+		*(.bss)
+		. = 0x5000;
+	}
+}

exploit/pandoratomorrow.c

@@ -0,0 +1,143 @@
+// Copyright 2008-2009  Segher Boessenkool  <[email protected]>
+// GameCube Port Copyright 2016 FIX94
+// This code is licensed to you under the terms of the GNU GPL, version 2;
+// see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+#include "loader.h"
+
+#define TO_ARAM 0
+#define TO_MRAM 1
+
+typedef unsigned int u32;
+typedef unsigned short u16;
+typedef unsigned char u8;
+typedef volatile unsigned int vu32;
+typedef volatile unsigned short vu16;
+
+typedef struct _cInfo
+{
+    int chan;
+    int fnum;
+    int offset;
+    int length;
+    u16 block;
+} cInfo;
+
+int card_getres(int chan);
+int card_mountasync(int chan, void* workArea, void *cb1, void *cb2);
+int card_unmount(int chan);
+int card_open(int chan, const char *path, cInfo *inf);
+int card_close(cInfo *inf);
+int card_readasync(cInfo *inf, void* addr, int length, int offset, void *cb);
+void gx_setdrawdone(void);
+void os_stopaudiosystem(void);
+void os_disable_scheduler(void);
+
+static void sync_cache(void *p, u32 n)
+{
+	u32 start, end;
+
+	start = (u32)p & ~31;
+	end = ((u32)p + n + 31) & ~31;
+	n = (end - start) >> 5;
+
+	while (n--) {
+		asm("dcbst 0,%0 ; icbi 0,%0" : : "b"(p));
+		p += 32;
+	}
+	asm("sync ; isync");
+}
+
+void *_memcpy(void *ptr, const void *src, int size)
+{
+	char* ptr2 = ptr;
+	const char* src2 = src;
+	while(size--) *ptr2++ = *src2++;
+	return ptr;
+}
+
+void os_enable_interrupts()
+{
+	asm("mfmsr 3 ; ori 3, 3, 0x8000 ; mtmsr 3");
+}
+
+void os_disable_interrupts()
+{
+	asm("mfmsr 3 ; rlwinm 3,3,0,17,15 ; mtmsr 3");
+}
+
+void ar_dma(u32 type, u32 mram, u32 aram, u32 len)
+{
+	//interrupts are enabled so play it safe
+	os_disable_interrupts();
+	while(*(vu16*)0xCC00500A & 0x200) ;
+	*(vu16*)0xCC005020 = (mram>>16);
+	*(vu16*)0xCC005022 = (mram&0xFFFF);
+	*(vu16*)0xCC005024 = (aram>>16);
+	*(vu16*)0xCC005026 = (aram&0xFFFF);
+	*(vu16*)0xCC005028 = (type<<15)|(len>>16);
+	*(vu16*)0xCC00502A = (len&0xFFFF);
+	while(*(vu16*)0xCC00500A & 0x200) ;
+	os_enable_interrupts();
+}
+
+void __attribute__ ((noreturn)) _main()
+{
+	//game audio threads are still running
+	//so we just disable threading to prevent the
+	//game from randomly crashing on CARD access
+	os_disable_scheduler();
+	//prevent BEEPing
+	os_stopaudiosystem();
+	//use setdrawdone because the scheduler is
+	//already disabled to prevent audio crashes
+	gx_setdrawdone();
+	//enable interrupts for CARD access
+	os_enable_interrupts();
+	//game id DOLX00 for boot.dol
+	*(volatile u32*)0x80000000 = 0x444F4C58;
+	*(volatile u16*)0x80000004 = 0x3030;
+	sync_cache((void*)0x80000000, 6);
+	//re-mount the memory card
+	card_mountasync(0, (void*)0x81200000, (void*)0, (void*)0);
+	int res;
+	//we have interrupts enabled so we will
+	//know when its not busy anymore luckily
+	while((res = card_getres(0)) == -1) ;
+	//open up boot.dol from memory card
+	cInfo mInf;
+	unsigned int boot_str[3]; boot_str[0] = 0x626F6F74;
+	boot_str[1] = 0x2E646F6C; boot_str[2] = 0;
+	card_open(0, ((char*)&boot_str), &mInf);
+	u32 curOffset = 0;
+	//copy until it returns error
+	while(card_readasync(&mInf, (void*)0x80001800, 0x200, curOffset, (void*)0) == 0)
+	{
+		int res;
+		//we have interrupts enabled so we will
+		//know when its not busy anymore luckily
+		while((res = card_getres(0)) == -1) ;
+		//this indirectly tells us the file is done
+		if(res < 0)
+			break;
+		sync_cache((void*)0x80001800, 0x200);
+		ar_dma(TO_ARAM, 0x1800, curOffset, 0x200);
+		curOffset += 0x200;
+	}
+	//we are done
+	card_close(&mInf);
+	card_unmount(0);
+	//not needed anymore
+	os_disable_interrupts();
+	//copy our loader into mem
+	_memcpy((void*)0x80001800, loader, loader_size);
+	sync_cache((void*)0x80001800, loader_size);
+	//jump to it
+	__asm__ volatile(
+		"lis 3, 0x8000\n"
+		"ori 3, 3, 0x1800\n"
+		"mtlr 3\n"
+		"blr\n"
+	);
+	__builtin_unreachable();
+}

exploit/start.S

@@ -0,0 +1,29 @@
+// Copyright 2008-2009  Segher Boessenkool  <[email protected]>
+// GameCube Port Copyright 2016 FIX94
+// This code is licensed to you under the terms of the GNU GPL, version 2;
+// see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+#define XSTR(x) #x
+#define ISTR(x) XSTR(x)
+
+	.section .start,"ax"
+
+	// Map Name string size, choose one that overflows stack
+	.short 0x22C
+	// Fill up Map Name
+	.fill 0x228,1,'A'
+	// Pointer to our code
+	.long start
+	// Further save info, not sure if needed
+	.incbin "mapAfterName.bin"
+	// Alignment
+	.short 0
+	// Fill up so game does not interpret code below as 2nd save info
+	.fill 0x4B0,1,0x00
+
+start:
+	// Disable interrupts
+	mfmsr 3 ; rlwinm 3,3,0,17,15 ; mtmsr 3
+
+	// Go for it!
+	b _main