Announcing RocketLauncher! The first exploit with unlocked Arm7!

UPDATE:
Looks like NoCash found an exploit that is even better then RocketLauncher:

https://problemkaputt.de/gba.htm

He titled it Unlaunch. The exploit works by exploiting a flaw in Stage2 and apparently works on all firmware versions. It requires you run the installer from a DSiWare based hax environment as access to SD/NAND is required. (thus you can't run this from Slot-1 based TWL exploit)

The flaw in stage2 is a buffer overflow involving Launcher's TMD file. If you provide a larger then normal TMD file, it will attempt to load the TMD into ram anyways (this occurs before it does the RSA check) This causes it to overwrite some code in arm9 ram causing arm9 to execute the custom payload. The full details are found in the info menus in the installer.

Note however the installer does not appear to work correctly at the moment. I'd advise you not attempt to install it from the installer. Use the manual install method instead. BUT I'd highly recommend you have a hard mod before attempting manual install. If you have had experience modifying your nand you may be ok doing this. But for safety sake I would just advise against that until the installer works properly.

(this is one reason why RL hasn't been released yet. No proper installer tools are available yet and we don't want people bricking consoles trying to install it)

The release of this exploit may impact our plans regarding RocketLauncher. I'll post more about this once StuckPixel has decided to comment on this.


Important Notice:

Do NOT visit Data Management in DSi System Settings or use the 3DS Transfer tool after installing unlaunch. You WILL brick the console. Wait until HiyaCFW is refined/released properly so that SD redirected version of Launcher can be used or when NoCash decides to implement his own version of the SD redirect patch.








Today I can finally announce a new exploit for the Nintendo DSi. I found this flaw back on May 29th. Almost a year after NoCash initially discovered a oversight by Nintendo involving the DS Cart White list which this exploit takes advantage of (Nintendo forgot to reimplement the RSA checks on it lolz). I was fudging with various things in the white list to try and get a crash. I got system menu to crash by using large values in section 3! So I contacted NoCash and a few other devs about this to investigate it and to see if it's exploitable. Well long story short it was!


Summery of the above video:

1. The exploit requires 1.4.0 firmware! Older or newer fw revisions do not work!
2. The exploit requires a flashcart that you are able to modify the internal rom it presents to the system.
3. Details on which cards will be compatible will be revealed at a later time.
4. The exploit involves a buffer overflow flaw involving section 3 of the white list.
5. This overflow occurs on arm7 thus allowing overwriting memory exclusive to arm7.
6. As a result a large enough overflow will hit the IRQ interrupt handler. This is how we gain code execution.
7. Arm9 was relatively easy to take over. Though data caching presented a minor roadblock while testing on hardware. :P
8. I currently use a modified build of nds-bootloader from WinterMute's github. You know, that portion of hbmenu responsible for booting SRLs. :P
9. Because we already gained arm7 we only had to put arm9 in the correct wait state so that nds-bootloader can do it's thing. :D
10. The exploit in theory can work from the menu once it's running. But we currently make use of the auto boot feature to ensure a stable consistant environment. Tests with a second console suggest that is the case. Note that the exception vector for arm7 seems to either be somewhere else once the menu GUI is running or the overflow hits something else causing arm7 to crash early. Currently we plan to only target exploiting the system with an autoboot rom as it's more predictable.
11. The exact machanics of the arm9 take over and how nds-bootloader is loaded may change. Currently the entire payload fits on the cart. But we may allow reading a payload off SD instead.

Credits to NoCash, Gericom, and Normmatt for help testing/figuring this out. Big credit to StuckPixel who put in most of the coding needed to make this happen. My contribution was finding the flaw and help with testing on hardware.


I will release further details as we finalize this exploit and prepare stuff that will make installing it easier.

Note you will either need a nand mod or a DSiWare based exploit to downgrade your console/install the modified white list needed for this to work. Hopefully we'll have a better solution then simply using fwtool to do this so that may be the factor that determines release date so please be patient!

When things are ready I will update this thread!
 
Last edited by Apache Thunder,

jerbear64

Well-Known Member
Member
Joined
Dec 10, 2011
Messages
304
Trophies
1
Age
24
XP
381
Country
United States
I'm not even a betatester for it lol.
In fact, I think I should betatest it because I own a PAL DSi XL and RocketLauncher has only been tested with USA DSi systems AFAIK.
The entrypoint was already confirmed to exist in all regional variants of 1.4 IIRC.
 

RocketRobz

Stylish TWiLight Hero
Developer
Joined
Oct 1, 2010
Messages
16,513
Trophies
3
Age
24
XP
20,842
Country
United States
I'm not even a betatester for it lol.
In fact, I think I should betatest it because I own a PAL DSi XL and RocketLauncher has only been tested with USA DSi systems AFAIK.
Well, since whitelist is the same for all regions, RocketLauncher should work for all regions.

EDIT: ninja'd :ninja:
 

CatmanFan

Anxious and regretful
Member
Joined
Aug 14, 2016
Messages
1,962
Trophies
0
Website
www.youtube.com
XP
2,546
Country
Morocco
Will work on all regions.
One more thing: I have several NTR carts, including SM64 PAL, Paws & Claws Let's Ride USA, and Petz Tigerz USA, as well as three flashcarts: R4 SDHC Dual-Core (which doesn't work), R4 Revolution for NDS and R4iTT (which I'm using on 3DS). Which one of these carts should work with RocketLauncher?
 

RocketRobz

Stylish TWiLight Hero
Developer
Joined
Oct 1, 2010
Messages
16,513
Trophies
3
Age
24
XP
20,842
Country
United States
One more thing: I have several NTR carts, including SM64 PAL, Paws & Claws Let's Ride USA, and Petz Tigerz USA, as well as three flashcarts: R4 SDHC Dual-Core (which doesn't work), R4 Revolution for NDS and R4iTT (which I'm using on 3DS). Which one of these carts should work with RocketLauncher?
Support will be added for the carts outside of SM64DS in the future. The flashcards you mentioned probably won't work.
 

BlastedGuy9905

where's the updated autopsy report
Member
Joined
Apr 13, 2017
Messages
2,334
Trophies
1
Age
33
Location
under your desk
XP
4,043
Country
United States


Today I can finally announce a new exploit for the Nintendo DSi. I found this flaw back on May 29th. Almost a year after NoCash initially discovered a oversight by Nintendo involving the DS Cart White list which this exploit takes advantage of (Nintendo forgot to reimplement the RSA checks on it lolz). I was fudging with various things in the white list to try and get a crash. I got system menu to crash by using large values in section 3! So I contacted NoCash and a few other devs about this to investigate it and to see if it's exploitable. Well long story short it was!


Summery of the above video:

1. The exploit requires 1.4.0 firmware! Older or newer fw revisions do not work!
2. The exploit requires a flashcart that you are able to modify the internal rom it presents to the system.
3. Details on which cards will be compatible will be revealed at a later time.
4. The exploit involves a buffer overflow flaw involving section 3 of the white list.
5. This overflow occurs on arm7 thus allowing overwriting memory exclusive to arm7.
6. As a result a large enough overflow will hit the IRQ interrupt handler. This is how we gain code execution.
7. Arm9 was relatively easy to take over. Though data caching presented a minor roadblock while testing on hardware. :P
8. I currently use a modified build of nds-bootloader from WinterMute's github. You know, that portion of hbmenu responsible for booting SRLs. :P
9. Because we already gained arm7 we only had to put arm9 in the correct wait state so that nds-bootloader can do it's thing. :D
10. The exploit in theory can work from the menu once it's running. But we currently make use of the auto boot feature to ensure a stable consistant environment. Tests with a second console suggest that is the case. Note that the exception vector for arm7 seems to either be somewhere else once the menu GUI is running or the overflow hits something else causing arm7 to crash early. Currently we plan to only target exploiting the system with an autoboot rom as it's more predictable.
11. The exact machanics of the arm9 take over and how nds-bootloader is loaded may change. Currently the entire payload fits on the cart. But we may allow reading a payload off SD instead.

Credits to NoCash, Gericom, and Normmatt for help testing/figuring this out. Big credit to StuckPixel who put in most of the coding needed to make this happen. My contribution was finding the flaw and help with testing on hardware.


I will release further details as we finalize this exploit and prepare stuff that will make installing it easier.

Note you will either need a nand mod or a DSiWare based exploit to downgrade your console/install the modified white list needed for this to work. Hopefully we'll have a better solution then simply using fwtool to do this so that may be the factor that determines release date so please be patient!

When things are ready I will update this thread!

England is my city, Apache is my idol.
 
  • Like
Reactions: firke_the_one

MyDePain

Well-Known Member
Member
Joined
Nov 23, 2016
Messages
127
Trophies
0
XP
1,070
Country
France
I am pleased to see that the DSi revives after so many years :yaynds:
Too bad that mine is currently broken and no longer charging due to disassembly. I just need to change the D-Pad / Power card.
 
  • Like
Reactions: firke_the_one

mariogamer

Well-Known Member
Member
Joined
Aug 12, 2015
Messages
1,256
Trophies
0
Age
28
XP
790
Country
Canada
This may sound stupid, but is it possible to build a super cheap flashcard only for rocketlauncher? (Big problem: those team who create flashcard wanna big money...)
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • No one is chatting at the moment.
  • Sicklyboy @ Sicklyboy:
    maaaaan that's so awesome but I also don't want to fork over a hundo for it
  • Veho @ Veho:
    The fuuuuu---
  • Veho @ Veho:
    I thought it was an actual xBox at that price.
  • Sicklyboy @ Sicklyboy:
    I wanna grab a 360 Slim and a 360 E one of these days. Missed the boat of getting them at their lowest though, once they were discontinued. Could've got them for cheap back when I was a broke 20 something working at Target, but then again, I was a broke 20 something working at Target
  • Veho @ Veho:
    Being broke is no fun.
  • K3Nv2 @ K3Nv2:
    @Sicklyboy, $150 isn't that bad for a jtag slim on ebay
  • Veho @ Veho:
    I only wish it was actually playable.
  • Veho @ Veho:
    There's a guy on the Tube of You that makes playable mechanical arcade games out of Lego. This could work on the same principle.
  • Veho @ Veho:
    Just a couple of guys taking their manatee out for some fresh air, why you have to molest them?
  • Veho @ Veho:
    Stupid Chinese shop switched their shipping company and this one is slooooooow.
  • LeoTCK @ LeoTCK:
    STOP BUYING CHINESE CRAP THEN
  • LeoTCK @ LeoTCK:
    SUPPORT LOCAL PRODUCTS, MAKE REVOLUTION
  • LeoTCK @ LeoTCK:
    THEY KEEP REMOVING LOCAL SHIt AND REPLACING WItH INFERIOR CHINESE CRAP
  • LeoTCK @ LeoTCK:
    THATS WHY MY PARTNER CANT GET A GOOTWEAR HIS SIZE ANYMORE
  • LeoTCK @ LeoTCK:
    HE HAS BIG FOOT AND BIG DUCK
  • LeoTCK @ LeoTCK:
    d*ck i mean*
  • LeoTCK @ LeoTCK:
    lol
  • Veho @ Veho:
    Mkay.
  • Veho @ Veho:
    I just ordered another package from China just to spite you.
  • SylverReZ @ SylverReZ:
    Leo could not withstand communism.
  • SylverReZ @ SylverReZ:
    Its OUR products to begin with lol.
    SylverReZ @ SylverReZ: Its OUR products to begin with lol.