
sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
var temp_buf = this.malloc(0x1000);
var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);
// Setup buffers
var in_buf_ioctl = utils.add2(temp_buf, 0x000);
var out_buf_ioctl = utils.add2(temp_buf, 0x100);
var out_buf_status = utils.add2(temp_buf, 0x200);
var in_buf = utils.add2(temp_buf, 0x800);
var out_buf = utils.add2(temp_buf, 0x900);
sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) {
var req_buf = this.malloc(0x1000);
if (show_log)
utils.log('Request buf: ' + utils.paddr(req_buf));
var request_reply = [0, 0];
var err_code = [0, 0];
// One handle and 2 words input type
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################
from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct
"""
0D40AC6C 20 00 BC 0E 46 93 46 9D 47 08 00 00
0D40AC6C MOVS R0, #0
0D40AC6E POP {R1-R3}
0D40AC70 MOV R11, R2
0D40AC72 MOV SP, R3
0D40AC74 BX R1
// Do some boring stuff
...
// Decrypt PRSH/PRST with Starbuck ancast key
sub_D400320(0x10000400, 0x7C00, iv);
// Parse PRSH/PRST
sub_D40B030(0x10000400, 0x7C00);
// Locate or create new "boot_info"
0x00000000: 0x00000001 // Always 1 (set by boot1 on coldboot)
0x00000004: 0xA6000000 // Boot flags (0x80 means data is set)
0x00000008: 0x00000000 // Boot state
0x0000000C: 0x00000001 // Boot count (increased by boot1 on reset)
0x00000010: 0x00100000 // Set to 0 by boot1 on coldboot
0x00000014: 0x00000000 // Set to 0 by boot1 on coldboot
0x00000018: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x0000001C: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000020: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000024: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
Name: "boot_info"
Address: 0x10008000
Size: 0x00000058
UNK: 0x80000000
Name: "mcp_crash_region"
Address: 0x100F7F60
Size: 0x000080A0
UNK: 0x80000000
0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
...
0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005A50: 00 00 00 00
0x10005A54: PRSH XOR checksum
0x10005A58: "PRSH" // magic
0x10005A5C: 0x00000001 // version (0 or 1)