########################################################### | |
# TX SX OS MIPS VM disassembler - by hexkyz and naehrwert # | |
########################################################### | |
import os | |
import re | |
import struct | |
host_calls_0 = { | |
0x8E943DA2 : "host_crc32 (ptr r4r5, len r6)", |
############################################### | |
# TX SX OS unpacker - by hexkyz and naehrwert # | |
############################################### | |
from Crypto.Cipher import AES | |
from Crypto.Util import Counter | |
import os | |
import struct | |
""" |
#include <stdlib.h> | |
#include <stdio.h> | |
#include <stdint.h> | |
#include <stdbool.h> | |
#include <string.h> | |
#define FUSE_IMAGE_SIZE 0x400 | |
#define ROM_BASE 0x100000 | |
#define FUSE_BOOTROM_PATCH_SIZE_T210_START_BIT 13 |
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py | |
# | |
# =========================================================================================== | |
# | |
# Copyright 2017 Reswitched Team | |
# | |
# Permission to use, copy, modify, and/or distribute this software for any purpose with or | |
# without fee is hereby granted, provided that the above copyright notice and this permission | |
# notice appear in all copies. | |
# |
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py | |
# | |
# =========================================================================================== | |
# | |
# Copyright 2017 Reswitched Team | |
# | |
# Permission to use, copy, modify, and/or distribute this software for any purpose with or | |
# without fee is hereby granted, provided that the above copyright notice and this permission | |
# notice appear in all copies. | |
# |
############################################### | |
# TX SX OS unpacker - by hexkyz and naehrwert # | |
############################################### | |
from Crypto.Cipher import AES | |
from Crypto.Util import Counter | |
import os | |
import struct | |
""" |
sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) { | |
var gpu_va = [0, 0x04]; | |
var dram_base_addr = (dram_addr & 0xFFF00000); | |
var dram_offset = (dram_addr & 0x000F0000); | |
// Map GPU MMIO | |
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000); | |
// Patch the channel with the base DRAM address | |
var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr); |
sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) { | |
var req_buf = this.malloc(0x1000); | |
if (show_log) | |
utils.log('Request buf: ' + utils.paddr(req_buf)); | |
var request_reply = [0, 0]; | |
var err_code = [0, 0]; | |
// One handle and 2 words input type |
sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) { | |
var temp_buf = this.malloc(0x1000); | |
var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p); | |
// Setup buffers | |
var in_buf_ioctl = utils.add2(temp_buf, 0x000); | |
var out_buf_ioctl = utils.add2(temp_buf, 0x100); | |
var out_buf_status = utils.add2(temp_buf, 0x200); | |
var in_buf = utils.add2(temp_buf, 0x800); | |
var out_buf = utils.add2(temp_buf, 0x900); |
sploitcore.prototype.break_nvdrv = function(sm_handle) { | |
var meminfo = this.malloc(0x20); | |
var pageinfo = this.malloc(0x8); | |
// Leak nvservices base address | |
var nvdrv_base = this.get_nvdrv_base(sm_handle); | |
// Forge a new service handle for NVDRV | |
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t"); | |