Yeah, LAUNCH_RIGHTS sounds somewhat like ticket or region error. But I am sure that I have the tickets & everything in the eMMC image. Only thing that might be wrong is that the bootcode in BIOS ROM might initialize a region flag or some AES keys which I am not aware of yet - that could cause stuff like region/decryption errors.
The error is fired here (in Launcher of european 1.4E firmware):
Code:
;------------------
;in: r0 = ptr to title_id,etc (2777800h)
; [r0+00h] = title.id.lsw = "PINH" (for camera)
; [r0+04h] = title.id.msw = 05,00,03,00
; [r0+08h] = 0007h
026A5778 B5F0 push r4-r7,r14
026A577A B085 add sp,-14h
026A577C 1C04 mov r4,r0 ;ptr to title.id, ...and... more info
026A577E F01EFEBB bl 26C44F8h ------> timer? sync? random?
026A5782 8920 ldrh r0,[r4,8h]
026A5784 0700 lsl r0,r0,1Ch ;\isolate bit3-1
026A5786 0F40 lsr r0,r0,1Dh ;/
026A5788 2803 cmp r0,3h
026A578A D10D bne 26A57A8h ;okay
026A578C 6820 ldr r0,[r4] ;title.id.lsw
026A578E 6861 ldr r1,[r4,4h] ;title.id.msw
026A5790 F024FDCC bl 26CA32Ch ------>
026A5794 2800 cmp r0,0h
026A5796 D007 beq 26A57A8h ;okay
026A5798 4939 ldr r1,=2798C40h
026A579A 6088 str r0,[r1,8h]
026A579C 2012 mov r0,12h ;tok_12h_txt_error_check_title_launch_rights_failed
026A579E F7FDFE69 bl 26A3474h ;error
Either bit1-3 of the incoming [r0+08h] value are wrong, or "bl 26CA32Ch" is failing to do whatever it is supposed to do.
The notyet's are warning about unemulated I/O ports, either completely unemulated ones, or, in this case, only 32bit reads being unemulated (normally port 4004D00h is accessed in 16bit units, and I wasn't sure if the hardware does implement 32bit reading at all, although now mention it, I see some functions using 32bit reads for that I/O port).
That sounds like this code (from ARM7 boot sectors):
Code:
37B81A8 E59F0148 ldr r0,=3FFC400h
37B81AC E5D00220 ldrb r0,[r0,220h] ;[3FFC620h]
37B81B0 E3500000 cmp r0,0h
37B81B4 0A000000 beq 37B81BCh ;@@keep_keys
37B81B8 EB00065E bl 37B9B38h ;set_aes_key1x_and_key3_parts ;-AES (CPU ID)
@@keep_keys:
3FFC620h would contain keys relocated from the upper half of the BIOS ROM (to get emulated properly, you would need those keys in the BIOS ROM image). Whereas, I am not absolutely sure what should be stored at 3FFC620h, it could be either one:
1) it could contain the correct keys, then "bl 37B9B38h" would initialize some AES words.
2) it could be zerofilled, then "bl 37B9B38h" would be skipped (and the ROM bootcode be required to have already initialized that AES keys).
Either one should work on hardware (and no$gba). Not sure what happened in your case, sounds as if [3FFC620h] was nonzero, but also not containing the correct XOR values.