hexkyz
/ sploitcore_nvdrv_leak.js
Created
December 28, 2018 19:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) { | |
| var temp_buf = this.malloc(0x1000); | |
| var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p); | |
| // Setup buffers | |
| var in_buf_ioctl = utils.add2(temp_buf, 0x000); | |
| var out_buf_ioctl = utils.add2(temp_buf, 0x100); | |
| var out_buf_status = utils.add2(temp_buf, 0x200); | |
| var in_buf = utils.add2(temp_buf, 0x800); | |
| var out_buf = utils.add2(temp_buf, 0x900); |
hexkyz
/ sploitcore_send_request.js
Created
December 28, 2018 19:06
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sploitcore.prototype.send_request = function(srv_handle, type, domain_id, cmd_id, params, dump_reply, show_log) { | |
| var req_buf = this.malloc(0x1000); | |
| if (show_log) | |
| utils.log('Request buf: ' + utils.paddr(req_buf)); | |
| var request_reply = [0, 0]; | |
| var err_code = [0, 0]; | |
| // One handle and 2 words input type |
hexkyz
/ tx_decompress.py
Last active
February 17, 2025 13:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py | |
| # | |
| # =========================================================================================== | |
| # | |
| # Copyright 2017 Reswitched Team | |
| # | |
| # Permission to use, copy, modify, and/or distribute this software for any purpose with or | |
| # without fee is hereby granted, provided that the above copyright notice and this permission | |
| # notice appear in all copies. | |
| # |
hexkyz
/ tx_unpack.py
Last active
November 23, 2024 01:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################### | |
| # TX SX OS unpacker - by hexkyz and naehrwert # | |
| ############################################### | |
| from Crypto.Cipher import AES | |
| from Crypto.Util import Counter | |
| import os | |
| import struct | |
| """ |
hexkyz
/ boot1_target_hex.txt
Created
December 28, 2017 20:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0D40AC6C 20 00 BC 0E 46 93 46 9D 47 08 00 00 |
hexkyz
/ boot1_target.txt
Last active
January 14, 2018 21:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0D40AC6C MOVS R0, #0 | |
| 0D40AC6E POP {R1-R3} | |
| 0D40AC70 MOV R11, R2 | |
| 0D40AC72 MOV SP, R3 | |
| 0D40AC74 BX R1 |
hexkyz
/ boot1_boot_info_pseudocode.c
Last active
January 16, 2018 22:33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Do some boring stuff | |
| ... | |
| // Decrypt PRSH/PRST with Starbuck ancast key | |
| sub_D400320(0x10000400, 0x7C00, iv); | |
| // Parse PRSH/PRST | |
| sub_D40B030(0x10000400, 0x7C00); | |
| // Locate or create new "boot_info" |
hexkyz
/ boot_info.txt
Created
December 26, 2017 19:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x00000000: 0x00000001 // Always 1 (set by boot1 on coldboot) | |
| 0x00000004: 0xA6000000 // Boot flags (0x80 means data is set) | |
| 0x00000008: 0x00000000 // Boot state | |
| 0x0000000C: 0x00000001 // Boot count (increased by boot1 on reset) | |
| 0x00000010: 0x00100000 // Set to 0 by boot1 on coldboot | |
| 0x00000014: 0x00000000 // Set to 0 by boot1 on coldboot | |
| 0x00000018: 0xFFFFFFFF // Set to -1 by boot1 on coldboot | |
| 0x0000001C: 0xFFFFFFFF // Set to -1 by boot1 on coldboot | |
| 0x00000020: 0xFFFFFFFF // Set to -1 by boot1 on coldboot | |
| 0x00000024: 0xFFFFFFFF // Set to -1 by boot1 on coldboot |
hexkyz
/ prsh_sections.txt
Created
December 26, 2017 18:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name: "boot_info" | |
| Address: 0x10008000 | |
| Size: 0x00000058 | |
| UNK: 0x80000000 | |
| Name: "mcp_crash_region" | |
| Address: 0x100F7F60 | |
| Size: 0x000080A0 | |
| UNK: 0x80000000 | |
hexkyz
/ 0x10000000.txt
Last active
January 14, 2018 21:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x10000000: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0 | |
| ... | |
| 0x100003F0: 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0 | |
| 0x10000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| ... | |
| 0x10005A40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x10005A50: 00 00 00 00 | |
| 0x10005A54: PRSH XOR checksum | |
| 0x10005A58: "PRSH" // magic | |
| 0x10005A5C: 0x00000001 // version (0 or 1) |