Remove A9LH & Brahma support altogether, use FIRM format instead

patches/emunand.s

@@ -45,4 +45,4 @@
 sdmmc:	                .ascii "SDMC"
 nand_offset:		.ascii "NAND" ; For rednand this should be 1
 ncsd_header_offset:	.ascii "NCSD" ; Depends on nand manufacturer + emunand type (GW/RED)
-.close
+.close

patches/k11modules.s

@@ -102,4 +102,4 @@
         b die
 
 .pool
-.close
+.close

patches/reboot.s

@@ -2,9 +2,15 @@
 
 .arm.little
 
-payload_addr equ 0x23F00000   ; Brahma payload address
-payload_maxsize equ 0x100000  ; Maximum size for the payload (maximum that CakeBrah supports)
+argv_addr equ 0x27FFDF00
+fname_addr equ 0x27FFDF80
+low_tid_addr equ 0x27FFDFE0
+copy_launch_stub_addr equ 0x27FFE000
 
+firm_addr equ 0x24000000
+firm_maxsize equ (copy_launch_stub_addr - 0x1000 - firm_addr)
+
+arm11_entrypoint_addr equ 0x1FFFFFFC
 .create "build/reboot.bin", 0
 .arm
     ; Interesting registers and locations to keep in mind, set just before this code is ran:
@@ -28,42 +34,41 @@ payload_maxsize equ 0x100000  ; Maximum size for the payload (maximum that CakeB
         cmp r0, r2
         bne pxi_wait_recv
 
-    mov r4, #2
+    ; Open file
+    add r0, r7, #8
+    adr r1, fname
+    mov r2, #1
+    ldr r6, [fopen]
+    orr r6, 1
+    blx r6
+    cmp r0, #0
+    bne panic
 
-    open_payload:
-        ; Open file
-        add r0, r7, #8
-        adr r1, fname
-        mov r2, #1
-        ldr r6, [fopen]
-        orr r6, 1
-        blx r6
-        cmp r0, #0
-        beq read_payload
-        subs r4, r4, #1
-        beq panic
-        adr r0, fname
-        adr r1, nand_mount
-        mov r2, #8
-        bl memcpy16
-        b open_payload
-
-    read_payload:
-        ; Read file
-        mov r0, r7
-        adr r1, bytes_read
-        ldr r2, =payload_addr
-        ldr r3, =payload_maxsize
-        ldr r6, [r7]
-        ldr r6, [r6, #0x28]
-        blx r6
+    ; Read file
+    mov r0, r7
+    adr r1, bytes_read
+    ldr r2, =firm_addr
+    ldr r3, =firm_maxsize
+    ldr r6, [r7]
+    ldr r6, [r6, #0x28]
+    blx r6
 
     ; Copy the low TID (in UTF-16) of the wanted firm to the 5th byte of the payload
-    ldr r0, =payload_addr + 4
+    ldr r0, =low_tid_addr
     add r1, r8, #0x1A
     mov r2, #0x10
     bl memcpy16
 
+    ldr r0, =fname_addr
+    adr r1, fname
+    mov r2, #42
+    bl memcpy16
+
+    ldr r0, =argv_addr
+    ldr r1, =fname_addr
+    ldr r2, =low_tid_addr
+    stmia r0, {r1, r2}
+
     ; Set kernel state
     mov r0, #0
     mov r1, #0
@@ -81,12 +86,14 @@ payload_maxsize equ 0x100000  ; Maximum size for the payload (maximum that CakeB
         b die
 
     memcpy16:
+        cmp r2, #0
+        bxeq lr
         add r2, r0, r2
-        copy_loop:
+        copy_loop16:
             ldrh r3, [r1], #2
             strh r3, [r0], #2
             cmp r0, r2
-            blo copy_loop
+            blo copy_loop16
         bx lr
 
     panic:
@@ -98,7 +105,7 @@ payload_maxsize equ 0x100000  ; Maximum size for the payload (maximum that CakeB
 bytes_read: .word 0
 fopen: .ascii "OPEN"
 .pool
-fname: .dcw "sdmc:/arm9loaderhax.bin"
+fname: .dcw "sdmc:/arm9loaderha.firm"
        .word 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 .pool
 nand_mount: .dcw "nand"
@@ -106,12 +113,75 @@ nand_mount: .dcw "nand"
 .align 4
     kernelcode_start:
 
-    ldr sp, =0x080FF000
+    mrs r0, cpsr  ; disable interrupts
+    orr r0, #0xC0
+    msr cpsr, r0
+
+    ldr sp, =0x27FFDF00
+
+    ldr r0, =copy_launch_stub_addr
+    adr r1, copy_launch_stub
+    mov r2, #(copy_launch_stub_end - copy_launch_stub)
+    bl memcpy32
 
     ; Disable MPU
     ldr r0, =0x42078 ; alt vector select, enable itcm
     mcr p15, 0, r0, c1, c0, 0
 
+    bl flushCaches
+
+    ldr r0, =copy_launch_stub_addr
+    bx r0
+
+    copy_launch_stub:
+
+    ldr r4, =firm_addr
+
+    mov r5, #0
+    load_section_loop:
+        ; Such checks. Very ghetto. Wow.
+        add r3, r4, #0x40
+        add r3, r5,lsl #5
+        add r3, r5,lsl #4
+        ldmia r3, {r6-r8}
+        mov r0, r7
+        add r1, r4, r6
+        mov r2, r8
+        bl memcpy32
+        add r5, #1
+        cmp r5, #3
+        blo load_section_loop
+
+    ldr r0, =arm11_entrypoint_addr
+    ldr r1, [r4, #0x08]
+    str r1, [r0]
+
+    mov r0, #2 ; argc
+    ldr r1, =argv_addr ; argv
+    ldr r2, =0xBEEF    ; magic word
+
+    ldr r5, =arm11_entrypoint_addr
+    ldr r6, [r4, #0x08]
+    str r6, [r5]
+
+    ldr lr, [r4, #0x0c]
+    bx lr
+
+    memcpy32:
+    cmp r2, #0
+    bxeq lr
+    add r2, r0, r2
+    copy_loop32:
+        ldr r3, [r1], #4
+        str r3, [r0], #4
+        cmp r0, r2
+        blo copy_loop32
+    bx lr
+
+    copy_launch_stub_end:
+
+    flushCaches:
+
     ; Clean and flush data cache
     mov r1, #0 ; segment counter
     outer_loop:
@@ -134,10 +204,7 @@ nand_mount: .dcw "nand"
     ; Flush instruction cache
     mcr p15, 0, r1, c7, c5, 0
 
-    ; Jump to payload
-    ldr r0, =payload_addr
-    bx r0
+    bx lr
 
 .pool
 .close
-

patches/svcGetCFWInfo.s

@@ -45,4 +45,4 @@ infoStart:
     .word 0         ; truncated commit hash
     .word 0         ; config
 infoEnd:
-.close
+.close