Hacking [Attempt] Running GW3.0 Web Exploit on a Local Network

[luney]

All of those errors you are reporting are exactly what I get if I don't have my GW inserted and go to the page. It displays the gw loading bit for about 10 seconds and then the 3ds errors and says to restart.

 

[Foxi4]

Thread renamed and reopened upon request, it's distinct enough to separate it from other update-related questions.

 

[bendrr]

Thread renamed and reopened upon request, it's distinct enough to separate it from other update-related questions.

Thank you, I appreciate it.

All of those errors you are reporting are exactly what I get if I don't have my GW inserted and go to the page. It displays the gw loading bit for about 10 seconds and then the 3ds errors and says to restart.

The gateway card is inserted with the new files from the 3.0 Ultra folder. The new launcher.dat is on the sd card. At this point I believe there are function(s) in the index.php file. I'm definitely missing some stuff.

 

[Apache Thunder]

The issue is what the correct user agent string is for 9.2 fw. I'm sure it may be different depending on the version of firmware you are using. Though not all firmware updates changed the version string of the webbrowser. Someone care to share what the user agent string is for the web browser on 9.2 fw?

FYI for FW 9.2 the version of Internet Browser as viewed from settings is 1.7567

 

[Falo]

The issue is what the correct user agent string is for 9.2 fw. I'm sure it may be different depending on the version of firmware you are using. Though not all firmware updates changed the version string of the webbrowser. Someone care to share what the user agent string is for the web browser on 9.2 fw?

for 9.2 EU: "Mozilla/5.0 (Nintendo 3DS; U; ; de) Version/1.7567.EU"

here the payload as hex dump:
it's a rop chain, useless without ram dumps... ( "dmc:/Launcher.dat" ^^)

00000000  C4 57 10 00 C4 57 10 00 C4 57 10 00 C4 57 10 00  ÄW..ÄW..ÄW..ÄW..
00000010  FC C2 10 00 B3 50 10 00 34 CA 19 00 F0 85 B8 08  üÂ..³P..4Ê..ð…¸.
00000020  08 80 18 00 0C A0 1D 00 EB 46 19 00 00 00 F1 08  .€... ..ëF....ñ.
00000030  30 86 B8 08 01 00 00 00 20 B0 39 00 1C C0 1C 00  0†¸..... °9..À..
00000040  10 60 2C 00 0C FE 22 00 F0 1F 23 00 F0 BF 2C 00  .`,..þ".ð.#.ð¿,.
00000050  00 40 12 00 FD FF 33 00 C4 57 10 00 FC C2 10 00  .@..ýÿ3.ÄW..üÂ..
00000060  00 A0 01 00 F4 8A 22 00 04 00 F1 08 34 73 10 00  . ..ôŠ"...ñ.4s..
00000070  24 C0 1C 00 EB 46 19 00 00 00 F1 08 20 00 F1 08  $À..ëF....ñ. .ñ.
00000080  00 10 F0 08 00 40 00 00 F8 5F 29 00 FC 3F 25 00  ..ð..@..ø_).ü?%.
00000090  E0 86 16 00 30 E0 2B 00 10 20 21 00 40 1F 27 00  à†..0à+.. !.@.'.
000000A0  5C C0 20 00 C4 E0 2D 00 00 20 1B 00 FC C2 10 00  \À .Äà-.. ..üÂ..
000000B0  0C 85 B8 08 CC BA 11 00 C4 57 10 00 F4 8A 22 00  .…¸.̺..ÄW..ôŠ".
000000C0  81 82 82 D5 58 06 35 00 FD FF 11 00 F4 8A 22 00  .‚‚ÕX.5.ýÿ..ôŠ".
000000D0  0C 85 B8 08 34 73 10 00 50 48 35 00 FC C2 10 00  .…¸.4s..PH5.üÂ..
000000E0  18 86 B8 08 CC BA 11 00 6D 7F 12 00 4C 01 10 00  .†¸.̺..m...L...
000000F0  E0 37 10 00 8C 84 B8 08 0C 84 B8 08 CC BA 11 00  à7..Œ„¸..„¸.̺..
00000100  00 BB 11 00 C4 57 10 00 F4 8A 22 00 00 00 00 00  .»..ÄW..ôŠ".....
00000110  58 06 35 00 A0 03 13 00 A8 65 10 00 34 14 10 00  X.5. ...¨e..4...
00000120  64 FF 22 00 A0 03 13 00 00 84 B8 08 C4 57 10 00  dÿ". ....„¸.ÄW..
00000130  C4 57 10 00 5C 0B 10 00 44 FE 22 00 C4 57 10 00  ÄW..\...Dþ".ÄW..
00000140  E0 5A 2C 00 C4 57 10 00 F4 8A 22 00 58 06 35 00  àZ,.ÄW..ôŠ".X.5.
00000150  C4 57 10 00 93 2C 18 00 FC C2 10 00 18 86 B8 08  ÄW..“,..üÂ...†¸.
00000160  CC BA 11 00 FD FF 11 00 94 66 10 00 94 66 10 00  ̺..ýÿ..”f..”f..
00000170  F4 8A 22 00 04 00 00 00 58 06 35 00 44 03 13 00  ôŠ".....X.5.D...
00000180  F4 8A 22 00 18 86 B8 08 34 73 10 00 24 0D 10 00  ôŠ"..†¸.4s..$...
00000190  F4 8A 22 00 00 B0 0F F7 58 06 35 00 64 98 11 00  ôŠ"..°.÷X.5.d˜..
000001A0  8C 1A 15 00 C0 59 20 00 FC C2 10 00 10 86 B8 08  Œ...ÀY .üÂ...†¸.
000001B0  F4 8A 22 00 FC 0F F0 08 94 66 10 00 D4 5F 35 00  ôŠ".ü.ð.”f..Ô_5.
000001C0  F4 8A 22 00 A8 84 B8 08 24 FC 10 00 15 22 2C 00  ôŠ".¨„¸.$ü...",.
000001D0  C4 57 10 00 C4 57 10 00 A8 65 10 00 54 56 2D 00  ÄW..ÄW..¨e..TV-.
000001E0  78 37 10 00 64 A8 2F 00 94 9B 11 00 80 E7 20 00  x7..d¨/.”›..€ç .
000001F0  05 86 12 00 A8 3D 10 00 F8 85 B8 08 C4 57 10 00  .†..¨=..ø…¸.ÄW..
00000200  E0 5A 2C 00 FD FF 10 00 E4 C8 2F 00 E0 37 10 00  àZ,.ýÿ..äÈ/.à7..
00000210  94 C4 23 00 58 03 13 00 00 10 F0 08 44 03 13 00  ”Ä#.X.....ð.D...
00000220  00 84 B8 08 C4 57 10 00 C4 57 10 00 44 03 13 00  .„¸.ÄW..ÄW..D...
00000230  64 00 6D 00 63 00 3A 00 2F 00 4C 00 61 00 75 00  d.m.c.:./.L.a.u.
00000240  6E 00 63 00 68 00 65 00 72 00 2E 00 64 00 61 00  n.c.h.e.r...d.a.
00000250  74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  t...............
00000260  00 00 00 00 00 00 00 00 00 00 00 00 44 03 13 00  ............D...
00000270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000280  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

 

[WiiUBricker]

What if someone hacks Gateway's site and modifies the payload so that it bricks the 3DS?

 

[Apache Thunder]

I have the US region console. I just change it to this then?

"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US"

Last string changed to US and string in the middle changed from 'de" (which I assume is the code for German language) to "en" for english.

 

[Apache Thunder]

Bump. Holy ***K I did it! Mirrored the index.htm and frame.html file using the correct user agent and hosted it via a basic local sever AND IT WORKED! Now I have access to Gateway mode incase the website goes down.

 

[luney]

Someone in the main thread has the payload and is able to load it from a local server to launch the exploit and load their GW without internet access. That's all I'm after. Being able to do this mobile without internet access.

 

[luney]

Care to share?

Edit: I understand how to use the files but cannot figure out how to get them for myself. Any help?

 

[Apache Thunder]

I used a really old internet download manager to download the index.htm file. (FlashGet version 1.9)

Although any download manager that allows using a custom user agent string will do. Just input the string I had above as the user agent for whatever it is you will use to access the file. The version string above is valid for fw 9.2 US region consoles only. You'll need to make a couple of changes if you have a different region console.

 

[luney]

Awesome! I have Flashget on my desktop which is down atm. I will get it on my laptop. Thank you for the help.

 

[luney]

Hey I need to put the web address in there somewhere as well don't I?

 

[VeryCrushed]

If people can contribute user agent strings for there consoles i will make a full package and host it on my site.

 

[KazoWAR]

got it to work. the index.html page is different based on different user agents, mainly the string in the unescape() function used in the magicfun() function. the user agent for the 3DS is (at least for a US console) "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/X.XXXX.US" where the X is the version number of the browser. mine read 1.7567 so the complete user agent for my 9.2U 3ds is "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US". to easily check go to this site on the 3ds browser http://whatsmyuseragent.com/. After i used that user agent and used the index.html i was given in my local server the exploit worked(it could still crash to home menu just like the normal only version does)

Spoiler

Spoiler

 

[luney]

ok i see where to put the url but where do i enter the user agent info in flashget?

My user string is exactly the same but I can't figure where to put that in flashget? any help?

 

[liomajor]

Awesome, worked for me using 4.5.0-20E with XAMPP.

 

[Arkansaw]

is there a quick way to identify your own user agent string on a 3ds?

 

[Duo8]

got it to work. the index.html page is different based on different user agents, mainly the string in the unescape() function used in the magicfun() function. the user agent for the 3DS is (at least for a US console) "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/X.XXXX.US" where the X is the version number of the browser. mine read 1.7567 so the complete user agent for my 9.2U 3ds is "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US". to easily check go to this site on the 3ds browser http://whatsmyuseragent.com/. After i used that user agent and used the index.html i was given in my local server the exploit worked(it could still crash to home menu just like the normal only version does)

Spoiler

Spoiler

I just did exactly this (down to every step actually) an hour ago. Setting up an http server on my phone proves to be a pain though.

I did it all through chrome lol.

 

[VeryCrushed]

is there a quick way to identify your own user agent string on a 3ds?

Here: http://gateway-news.tk/ow_gateway/ua.php