Skip to content

Instantly share code, notes, and snippets.

hexkyz

Block or report user

Report or block hexkyz

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View sploitcore_nvdrv_leak.js
sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
var temp_buf = this.malloc(0x1000);
var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);
// Setup buffers
var in_buf_ioctl = utils.add2(temp_buf, 0x000);
var out_buf_ioctl = utils.add2(temp_buf, 0x100);
var out_buf_status = utils.add2(temp_buf, 0x200);
var in_buf = utils.add2(temp_buf, 0x800);
var out_buf = utils.add2(temp_buf, 0x900);
View sploitcore_send_request.js
sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) {
var req_buf = this.malloc(0x1000);
if (show_log)
utils.log('Request buf: ' + utils.paddr(req_buf));
var request_reply = [0, 0];
var err_code = [0, 0];
// One handle and 2 words input type
View tx_decompress.py
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#
View tx_unpack.py
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################
from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct
"""
View boot1_target_hex.txt
0D40AC6C 20 00 BC 0E 46 93 46 9D 47 08 00 00
View boot1_target.txt
0D40AC6C MOVS R0, #0
0D40AC6E POP {R1-R3}
0D40AC70 MOV R11, R2
0D40AC72 MOV SP, R3
0D40AC74 BX R1
View boot1_boot_info_pseudocode.c
// Do some boring stuff
...
// Decrypt PRSH/PRST with Starbuck ancast key
sub_D400320(0x10000400, 0x7C00, iv);
// Parse PRSH/PRST
sub_D40B030(0x10000400, 0x7C00);
// Locate or create new "boot_info"
View boot_info.txt
0x00000000: 0x00000001 // Always 1 (set by boot1 on coldboot)
0x00000004: 0xA6000000 // Boot flags (0x80 means data is set)
0x00000008: 0x00000000 // Boot state
0x0000000C: 0x00000001 // Boot count (increased by boot1 on reset)
0x00000010: 0x00100000 // Set to 0 by boot1 on coldboot
0x00000014: 0x00000000 // Set to 0 by boot1 on coldboot
0x00000018: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x0000001C: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000020: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
0x00000024: 0xFFFFFFFF // Set to -1 by boot1 on coldboot
View prsh_sections.txt
Name: "boot_info"
Address: 0x10008000
Size: 0x00000058
UNK: 0x80000000
Name: "mcp_crash_region"
Address: 0x100F7F60
Size: 0x000080A0
UNK: 0x80000000
View 0x10000000.txt
0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
...
0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005A50: 00 00 00 00
0x10005A54: PRSH XOR checksum
0x10005A58: "PRSH" // magic
0x10005A5C: 0x00000001 // version (0 or 1)
You can’t perform that action at this time.