Update patches for 3.1.0 (WIP, crashes)

sd-bootloader-ng/bootmanager/sd/revvox/boot/ngCfg.json

@@ -29,14 +29,14 @@
         "watchdog": true,
         "ofwFix": true,
         "ofwSimBL": true,
-        "patches": ["blockCheck.307", "blockCheckRemove.308", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"]
+        "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"]
     },
     "ofw3": {
         "checkHash": true,
         "hashFile": false,
         "watchdog": true,
         "ofwFix": true,
-        "patches": ["blockCheck.307", "blockCheckRemove.308", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"]
+        "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"]
     },
     "cfw1": {
         "checkHash": false,

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.310.json

@@ -0,0 +1,11 @@
+{
+    "general": {
+        "_desc": "Removes check for tag blocks count > 8",
+        "_memPos": "3.1.0=0x1B23E",
+        "_fwVer": "3.1.0"
+    },
+    "searchAndReplace": [{
+        "search":  ["e7", "f7", "75", "fb", "48", "45", "4f", "f0", "06", "00", "08", "bf", "08", "26"],
+        "replace": ["??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "26", "00"]
+    }]
+}

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json

@@ -0,0 +1,12 @@
+{
+    "general": {
+        "_desc": "Allows tags with block count <8",
+        "_memPos": "0x1B16A",
+        "_memPosFw": "3.1.0",
+        "_fwVer": "3.1.0"
+    },
+    "searchAndReplace": [{
+        "search":  ["e7", "f7", "d7", "fb", "09", "9a", "06", "46", "03", "46", "00", "28"],
+        "replace": ["00", "20", "00", "bf", "??", "??", "??", "??", "??", "??", "??", "??"]
+    }]
+}

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.310.json

@@ -0,0 +1,56 @@
+{
+    "general": {
+        "_desc": "Enable Webinterface without going into AP Mode",
+        "_memPos": "",
+        "_fwVer": "3.1.0"
+    },
+    "positions": [{
+        "_id": 0,
+        "_name": "Prepare/CloseWifiConfigOnDoubleEar?",
+        "_fwVer": "3.1.0",
+        "offset": 0,
+        "search":  ["10", "b5", "04", "46", "1e", "f0", "1e", "fd", "02", "46"]
+    }, {
+        "_id": 1,
+        "_name": "SetTonieMode/BluePulse",
+        "_fwVer": "3.0.5+",
+        "offset": 0,
+        "search":  ["70", "b5", "14", "4e", "14", "4a", "0d", "46", "31", "68", "52", "f8", "20", "30", "52", "f8", "21", "20", "12", "49", "04", "46", "41", "f2", "fb", "70"]
+    }],    
+    "searchAndReplace": [{
+        "_desc": "Keep in WiFi in ROLE_STA instead of switching to ROLE_AP",
+        "_memPos": "3.1.0=0x2163E",
+        "_fwVer": "3.1.0",
+        "search":  [
+            "00", "2b", "0c", "db", "02", "20"
+        ],
+        "replace": [
+            "??", "??", "??", "??", "00", "??"
+        ]
+    },{
+        "_desc": "Disable check on SlDrvCmd result",
+        "_fwVer": "3.0.5+",
+        "search":  [
+            "00", "2b", "06", "db"
+        ],
+        "replace": [
+            "??", "??", "00", "bf"
+        ]
+    },{
+        "_desc": "Branch to tonie mode (instead of blue pulsing)",
+        "_fwVer": "3.0.8+",
+        "search":  [
+            "10", "21",
+            "06", "20",
+            "??", "f7", "??", "??",
+            "??", "??"
+        ],
+
+        "replace": [
+            "??", "??",
+            "??", "??",
+            "??", "??", "??", "??",
+            "06", "e0"
+        ]
+    }]
+}

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.dev.310.json

@@ -0,0 +1,56 @@
+{
+    "general": {
+        "_desc": "Enable Webinterface without going into AP Mode",
+        "_memPos": "",
+        "_fwVer": "3.1.0"
+    },
+    "positions": [{
+        "_id": 0,
+        "_name": "Prepare/CloseWifiConfigOnDoubleEar?",
+        "_fwVer": "3.1.0",
+        "offset": 0,
+        "search":  ["10", "b5", "04", "46", "1e", "f0", "1e", "fd", "02", "46"]
+    }, {
+        "_id": 1,
+        "_name": "SetTonieMode/BluePulse",
+        "_fwVer": "3.0.5+",
+        "offset": 0,
+        "search":  ["70", "b5", "14", "4e", "14", "4a", "0d", "46", "31", "68", "52", "f8", "20", "30", "52", "f8", "21", "20", "12", "49", "04", "46", "41", "f2", "fb", "70"]
+    }],    
+    "searchAndReplace": [{
+        "_desc": "Keep in WiFi in ROLE_STA instead of switching to ROLE_AP",
+        "_memPos": "3.1.0=0x2163E",
+        "_fwVer": "3.1.0",
+        "search":  [
+            "00", "2b", "0c", "db", "02", "20"
+        ],
+        "replace": [
+            "??", "??", "??", "??", "00", "??"
+        ]
+    },{
+        "_desc": "Disable check on SlDrvCmd result",
+        "_fwVer": "3.0.5+",
+        "search":  [
+            "00", "2b", "06", "db"
+        ],
+        "replace": [
+            "??", "??", "00", "bf"
+        ]
+    },{
+        "_desc": "Branch to tonie mode (instead of blue pulsing)",
+        "_fwVer": "3.0.8+",
+        "search":  [
+            "10", "21",
+            "06", "20",
+            {"asm":{"instr": "bl", "param":"p1", "length": 4}},
+            "??", "??"
+        ],
+
+        "replace": [
+            "??", "??",
+            "??", "??",
+            "??", "??", "??", "??",
+            "06", "e0"
+        ]
+    }]
+}

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHide.308.json

@@ -2,10 +2,25 @@
     "general": {
         "_desc": "Do not hide files, if they are marked as deprecated from server. Breaks updating tonie (creative/live) content.",
         "_memPos": "",
-        "_fwVer": "3.0.8"
+        "_fwVer": "3.0.8+"
     },
+    "positions": [{
+        "_id": 0,
+        "_name": "f_chmod_hide",
+        "offset": 0,
+        "search":  ["f0", "b5", "8f", "b0", "0e"]
+    }],
     "searchAndReplace": [{
-        "search":  ["01", "21", "1c", "a8", "fc", "f7", "77", "fa"],
-        "replace": ["??", "??", "??", "??", "00", "bf", "00", "bf"]
+        "search":  [
+            "01", "21",
+            "1c", "a8",
+            "??", "f7", "??", "??"
+        ],
+        "replace": [
+            "??", "??",
+            "??", "??",
+            "00", "bf", "00", "bf"
+        ]
     }]
 }
+

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHideA.308.json

@@ -1,12 +1,11 @@
 {
     "general": {
         "_desc": "Always unhides files (instead of hiding them)",
-        "_memPos": "",
-        "_fwVer": "3.0.8"
+        "_memPos": "3.0.8=0x142DC, 3.1.0=0x16ED2",
+        "_fwVer": "3.0.8+"
     },
     "searchAndReplace": [{
-        "search":  ["00", "29", "14", "bf", "02", "27", "00", "27"],
-        "replace": ["??", "??", "??", "??", "00", "??", "??", "??"]
+        "search":  ["14", "bf", "02", "27", "00", "27"],
+        "replace": ["??", "??", "00", "??", "??", "??"]
     }]
 }
-

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json

@@ -8,22 +8,22 @@
         "_id": 0,
         "_name": "rfidFieldRegisterSet?",
         "offset": 0,
-        "search":  ["73", "b5", "11", "4d", "2a", "78"]
+        "search":  ["??", "b5", "11", "??", "??", "78", "2a", "b9", "??", "??", "??", "??", "4f", "f4", "a9", "50"]
     },{
         "_id": 1,
         "_name": "rfidReset?",
         "offset": 0,
-        "search":  ["73", "b5", "2f", "4e", "33", "78"]
+        "search":  ["??", "b5", "??", "??", "??", "78", "??", "46", "33", "b1", "00", "22"]
     },{
         "_id": 2,
         "_name": "bne LAB_AfterPwSuccess",
         "offset": 4,
-        "search":  ["05", "28", "04", "46"],
+        "search":  ["05", "28", "??", "46"],
         "deasmAddress": true
     }],
     "searchAndReplace": [{
         "search":  ["4f", "f0", "??", "31", "??", "aa", "00", "20", "??", "91", "??", "??", "??", "??", "05", "28",
-            "04", "46", "??", "d1",
+            "??", "46", "??", "d1",
             "??", "49",
             "??", "48", "??", "??",
             "??", "??"],

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.310.json

@@ -0,0 +1,11 @@
+{
+    "general": {
+        "_desc": "Removes ENABLE PRIVACY to keep the tags readable",
+        "_memPos": "3.1.0=0x1B2BC",
+        "_fwVer": "3.1.0"
+    },
+    "searchAndReplace": [{
+        "search":  ["11", "21", "38", "46", "8d", "f8", "76", "90", "f2", "f7", "f4", "ff"],
+        "replace": ["??", "??", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf"]
+    }]
+}

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/swd.json

@@ -5,7 +5,12 @@
         "_fwVer": ""
     },
     "searchAndReplace": [{
-        "search":  ["0b", "2d", "04", "f1", "0c", "04", "ee", "d1", "a8", "4d", "2b", "68", "4f", "f4", "87", "64", "43", "f0", "02", "03", "2b", "60", "01", "21", "0f", "20", "??", "??", "??", "??", "23", "68", "40", "f2", "14", "47", "9b", "6a", "08", "21", "12", "20", "98", "47"],
-        "replace": ["0a", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "00", "bf"]
+        "_desc": "Skip last iteration",
+        "search":  ["01", "??", "0b", "??", "??", "f1", "0c", "??", "ee", "d1"],
+        "replace": ["??", "??", "0a", "??", "??", "??", "??", "??", "??", "??"]
+    }, {
+        "_desc": "NOP call ROMAPI",
+        "search":  ["08", "21", "12", "20", "98", "47"],
+        "replace": ["??", "??", "??", "??", "00", "bf"]
     }]
-}
+}

sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/uidCheck.307.json

@@ -1,11 +1,11 @@
 {
     "general": {
         "_desc": "Removes UID validation (E0 04 03) to allow SLIX and SLIX2 tags",
-        "_memPos": "",
+        "_memPos": "3.0.7=0xB7B4, 3.0.8=0x1F28, 3.1.0=0x194A0",
         "_fwVer": "3.0.7+"
     },
     "searchAndReplace": [{
-        "search":  ["bd", "f8", "42", "20", "4e", "f2", "04", "03", "9a", "42", "40", "f0", "??", "80", "9d", "f8", "41", "30", "03", "2b", "40", "f0", "??", "80"],
-        "replace": ["??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf"]
+        "search":  ["9a", "42", "40", "f0", "??", "80", "9d", "f8", "??", "30", "03", "2b", "40", "f0", "??", "??"],
+        "replace": ["??", "??", "00", "bf", "00", "bf", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf"]
     }]
 }

wiki/OFWPatches.md

@@ -8,10 +8,10 @@ This patch clears the paths to the certificates. This way the box will abort the
 ## Alternative Tags (SLIX / SLIX2)
 If you want to use alternative tags those patches will help you. Even other iso15693 tags may work.
 
-### Block count >8 ([blockCheck.307.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.307.json))
+### Block count >8 ([blockCheck.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.310.json) / [blockCheck.307.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.307.json))
 Usally the toniebox checks if the tag has exactly 8 blocks. The check allows the tag to have more than that. (ex. SLIX or SLIX2)
 
-### Block count <=8 ([blockCheckRemove.308.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.308.json))
+### Block count <=8 ([blockCheckRemove.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json) / [blockCheckRemove.308.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.308.json))
 Usally the toniebox checks if the tag has exactly 8 blocks. The check allows the tag to have less than that.
 
 ### No privacy password ([noPass3.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json))
@@ -38,7 +38,7 @@ Usally the toniebox sets the file attribute hidden of the tonie file for all liv
 ### Disable charger wakeup ([noChargWake.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noChargWake.305.json))
 The toniebox won't wakeup anymore if it is put onto the charger. ***Attention, this patch is only working if you disconnect the battery for a second before loading the patched ofw. If you start the unpatched ofw once, you will have to disconnect the battery again***
 
-### Disable privacy mode ([noPrivacy.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.305.json))
+### Disable privacy mode ([noPrivacy.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.310.json) / [noPrivacy.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.305.json))
 Usally the toniebox puts every tag into privacy mode after reading it. This patch disables that, so you can easily read the UID with any standard iso15693 reader like your phone.