a few changes made in private that really should've been public:

  - add IPCMessage.dataArrayBuffer
	- add svcMixin.svcWaitSynchronization
	- add optional length parameter to utils.str2ab

exploit/ipc.js

@@ -85,6 +85,16 @@ IPCMessage.prototype.datau64 = function () {
 	return this;
 };
 
+IPCMessage.prototype.dataArrayBuffer = function(ab) {
+	this.dataBuffer = [];
+	var u32 = new Uint32Array(ab);
+	for(var i = 0; i < u32.length; i++) {
+		this.dataBuffer[i] = u32[i];
+	}
+
+	return this;
+};
+
 IPCMessage.prototype.addDescriptor = function (da, addr, size, third) {
 	if (addr instanceof ArrayBuffer || ArrayBuffer.isView(addr)) {
 		var buf = addr;

exploit/svc.js

@@ -229,4 +229,10 @@ svcMixin.svcReplyAndReceiveWithUserBuffer = function (buf, handles, reply, timeo
 	return this.svcWithResult(0x44, [handleIdxBuffer, buf, buf.byteLength, handles ? new Uint32Array(handles) : 0, handles ? handles.length : 0, reply, timeout]).replaceValue(handleIdxBuffer[0]);
 };
 
+svcMixin.svcWaitSynchronization = function (handles, timeout) {
+	var handlesBuffer = new Uint32Array(handles);
+	var handleIdxBuffer = new Uint32Array(1);
+	return this.svcWithResult(0x18, [handleIdxBuffer, handlesBuffer, handlesBuffer.length, timeout]).replaceValue(handleIdxBuffer[0]);
+}
+
 module.exports = svcMixin;

exploit/utils.js

@@ -335,8 +335,15 @@ exports.hexdump = function (name, inp, count) {
 	}
 };
 
-exports.str2ab = function (str) {
-	var ab = new ArrayBuffer(str.length + 1);
+exports.str2ab = function (str, length) {
+	if(length === undefined) {
+		length = str.length + 1;
+	} else {
+		if(length < str.length + 1) {
+			throw new Error("buffer is too small to pack string");
+		}
+	}
+	var ab = new ArrayBuffer(length);
 	var u8 = new Uint8Array(ab);
 	for (var i = 0; i < str.length; i++) {
 		u8[i] = str.charCodeAt(i);