hexkyz

Block or report user

Report or block hexkyz

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View nvhax_peephole.js
sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) {
// Map GPU MMIO
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
// Write the channel's iova in PEEPHOLE PBUS register
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova));
// Write the GPU virtual address in PEEPHOLE registers
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);
View nvhax_dump_proc.js
sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) {
var gpu_va = [0, 0x04];
var dram_base_addr = (dram_addr & 0xFFF00000);
var dram_offset = (dram_addr & 0x000F0000);
// Map GPU MMIO
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
// Patch the channel with the base DRAM address
var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr);
View boot1_boot_info_pseudocode.c
// Do some boring stuff
...
// Decrypt PRSH/PRST with Starbuck ancast key
sub_D400320(0x10000400, 0x7C00, iv);
// Parse PRSH/PRST
sub_D40B030(0x10000400, 0x7C00);
// Locate or create new "boot_info"
View boot1_target_hex.txt
0D40AC6C 20 00 BC 0E 46 93 46 9D 47 08 00 00
View boot1_target.txt
; Five Thumb-16 instructions; the 12-byte sequence in boot1_target_hex.txt
; (20 00 BC 0E 46 93 46 9D 47 08 00 00) decodes to these five plus one
; trailing 00 00 halfword that this listing does not show.
; Taken together they form a stack-pivot-and-branch sequence: three words
; are popped from the current stack, SP is replaced with one of them and
; control is transferred to another, so whoever controls the stack
; contents at 0D40AC6E controls both SP and PC afterwards.
0D40AC6C MOVS R0, #0      ; clear R0
0D40AC6E POP {R1-R3}      ; R1, R2, R3 <- the three words at SP; SP += 12
0D40AC70 MOV R11, R2      ; R11 <- popped R2
0D40AC72 MOV SP, R3       ; stack pivot: SP <- popped R3
0D40AC74 BX R1            ; branch to popped R1 (bit 0 selects Thumb/ARM state)
View boot_info.txt
0x00000000: 0x00000001 // Always 1 (set by boot1 on coldboot)
0x00000004: 0xA6000000 // Boot flags (0x80 means data is set)
0x00000008: 0x00000000 // Boot state
0x0000000C: 0x00000001 // Boot count (increased by boot1 on reset)
0x00000010: 0x00100000 // Set to 0 by boot1 on coldboot
0x00000014: 0x00000000 // Set to 0 by boot1 on coldboot
0x00000018: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x0000001C: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000020: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000024: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
View prsh_sections.txt
Name: "boot_info"
Address: 0x10008000
Size: 0x00000058
UNK: 0x80000000
Name: "mcp_crash_region"
Address: 0x100F7F60
Size: 0x000080A0
UNK: 0x80000000
View 0x10000000.txt
0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
...
0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005A50: 00 00 00 00
0x10005A54: PRSH XOR checksum
0x10005A58: "PRSH" // magic
0x10005A5C: 0x00000001 // version (0 or 1)
View prsh_prst.c
/*
 * One section entry of the PRSH/PRST table.  prsh_sections.txt shows dumped
 * instances ("boot_info", "mcp_crash_region") with Name / Address / Size /
 * UNK, which line up with the first four fields below.  Field sizes are
 * written in hex to match the dump offsets.
 *
 * NOTE(review): this typedef mirrors an on-device (32-bit ARM) layout, where
 * `void*` is 4 bytes and the whole entry is 0x12C bytes.  Compiled on a
 * 64-bit host, `data` grows to 8 bytes and every following field shifts;
 * a host-side parser should use a fixed-width u32 for the address, or add a
 * static size assertion.  `data` and `size` are read straight out of memory,
 * so a consumer must bounds-check them against the PRSH region before
 * dereferencing.
 */
typedef struct {
char name[0x100];   /* section name, e.g. "boot_info" */
void* data;         /* section payload address (presumably the Address line in prsh_sections.txt, 0x10008000 for boot_info) */
u32 size;           /* payload size in bytes (0x58 for boot_info) */
u32 unk;            /* unknown; 0x80000000 for both dumped sections */
u8 hash[0x14];      /* 20-byte hash field; algorithm and coverage not visible here (SHA-1 sized — TODO confirm) */
u8 padding[0x0C];   /* pads the entry to 0x12C bytes on the 32-bit target */
} prsh_section;
typedef struct {
View smc_handler_1.50.txt
ROM:005161C0 ANDEQ R0, R0, R0
ROM:005161C4 ANDEQ R0, R0, R0
ROM:005161C8 CLREX
ROM:005161CC STR LR, [SP,#-8]
ROM:005161D0 MRS LR, SPSR
ROM:005161D4 STR LR, [SP,#-4]
ROM:005161D8 SUB SP, SP, #8
ROM:005161DC CMP R12, #0x500 -> Max R12 value is 0x500 :(
ROM:005161E0 BCS loc_516208
ROM:005161E4 CMP R12, #0x100