Hacking Using custom launcher.dat with Gateway Go

Thread starter: AtlanticBit
That's fine, do you have any idea how to do it?

yifan_lu has already explained several times how to do it, but you have to know some assembly and C to do it. Also, the launcher.dat used by smea is a bit different because it's only a smaller part of the big exploit (the kernel exploit part is fixed in >9.2 firmwares).
 
I know, I just don't understand how to actually pull it off. If anyone can write an "easy to follow" guide, it would be much appreciated!
 
"It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change."

^^ How EXACTLY would I do this process?

Without trying to sound rude, if those statements you quoted don't make any sense to you then you don't have the knowledge to do this.
There is no "easy to follow" guide until someone smart enough creates the tools to do so.
 
Well, I understand what they're saying, it's just:

1. Where is the payload for a specific firmware (as in, what are the offsets for 4.5, etc.)?

2. How would I encrypt the program with the "stream cipher"?

P.S: No offense taken! :lol:
 
Waiitttt... I have an idea here. If someone can just explain the "part 2 + your custom ARM code" part. Is that like, combining it in a hex editor? If so, which would go first?
 
Well, it's "partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther than before, and if anyone knows what may be going on, please let me know!
 
"It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change."

^^ How EXACTLY would I do this process?

- compile ARM11 code with armips or just write it in plain assembler (if you know what you're doing); the load address is 0x009D2000
- copy the decrypted stage2 in front of your ARM11 code to forge a payload
- add padding to make it 0x4000 bytes
this means
0x0 - 0x1B8F = original ROP code or your own
0x1B90 - 0x3FFF = your ARM11 code + padding
- then encrypt it with the pseudo-RNG encryption
- finally copy it to the launcher.dat offset, based on your firmware, example: 7.1 - 9.4 is 0x1A000

Note: you get arm11 code execution, but this is not enough to do anything else than what is possible with ninjhax

Well, I understand what they're saying, it's just:

1. Where is the payload for a specific firmware (as in, what are the offsets for 4.5, etc.)?

2. How would I encrypt the program with the "stream cipher"?

P.S: No offense taken! :lol:

to 1: 0x12000
to 2: write some code in vb/c/c++/c#/python/java/whatever...

Well, it's "partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther than before, and if anyone knows what may be going on, please let me know!
This means your system crashed and nothing else, you did something wrong and it's impossible to guess what the cause was.
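The layout the post above describes, written out as an added example (not code from the thread or from any of the people in it): it assembles the 0x4000-byte block from a stage2 blob and ARM11 code, checks the sizes and the leading NOP, and splices the result into a launcher.dat at the firmware offset. The cipher is not described on this page, so it is a caller-supplied callable that defaults to the identity; the zero padding of a short stage2 and the sample bytes are assumptions.

```python
from typing import Callable

BLOCK_SIZE = 0x4000      # whole payload block
ARM11_OFFSET = 0x1B90    # 0x0-0x1B8F = ROP stage2, 0x1B90-0x3FFF = ARM11 code + padding
ARM_NOP = bytes.fromhex("0000A0E1")   # "mov r0, r0" little-endian, the usual ARM NOP
FW_OFFSETS = {"4.5": 0x12000, "7.1-9.4": 0x1A000}   # offsets quoted in the thread


def build_block(stage2: bytes, arm11: bytes) -> bytes:
    """Return the 0x4000-byte plaintext block: stage2, ARM11 code, zero padding."""
    if len(stage2) > ARM11_OFFSET:
        raise ValueError(f"stage2 is {len(stage2):#x} bytes, exceeds {ARM11_OFFSET:#x}")
    if not arm11.startswith(ARM_NOP):
        raise ValueError("ARM11 code must start with a NOP")
    if len(arm11) > BLOCK_SIZE - ARM11_OFFSET:
        raise ValueError("ARM11 code does not fit in the block")
    # Assumption: a stage2 shorter than 0x1B90 bytes is zero-padded up to the ARM11 offset.
    block = stage2.ljust(ARM11_OFFSET, b"\x00") + arm11
    return block.ljust(BLOCK_SIZE, b"\x00")


def split_block(block: bytes) -> tuple[bytes, bytes]:
    """Inverse of the layout: (stage2 region, ARM11 region incl. padding)."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("block must be exactly 0x4000 bytes")
    return block[:ARM11_OFFSET], block[ARM11_OFFSET:]


def patch_launcher(launcher: bytes, block: bytes, fw_offset: int,
                   encrypt: Callable[[bytes], bytes] = lambda b: b) -> bytes:
    """Splice encrypt(block) into launcher.dat at fw_offset without changing its size."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("block must be exactly 0x4000 bytes")
    if fw_offset + BLOCK_SIZE > len(launcher):
        raise ValueError("offset + 0x4000 lies past the end of launcher.dat")
    enc = encrypt(block)   # placeholder hook: the real cipher is not on this page
    if len(enc) != BLOCK_SIZE:
        raise ValueError("cipher must preserve length")
    return launcher[:fw_offset] + enc + launcher[fw_offset + BLOCK_SIZE:]


if __name__ == "__main__":
    # Constructed sample input, not real stage2/launcher data.
    stage2 = b"ROP!" * 16
    arm11 = ARM_NOP + b"\x01\x02\x03\x04"
    out = patch_launcher(bytes(0x20000), build_block(stage2, arm11), FW_OFFSETS["7.1-9.4"])
    print(hex(len(out)), out[0x1A000:0x1A004], out[0x1A000 + ARM11_OFFSET:0x1A000 + ARM11_OFFSET + 4])
```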
 

I understood all of that, but I am having problems with decrypting it on PC. I tried writing a program in C# and then in C++ to read 4 bytes and add the addcipher to it, but I get a lot of gibberish with both of the programs in the output file instead of ASM.
 

Could you post the source (or solution, if you are using C#) of your program?
We might find the 'gibberish' problem.
 
Well, it's "partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther than before, and if anyone knows what may be going on, please let me know!

The "white screen slides in" part is actually a feature of Gateway's launcher. It's for cleaning the graphical artifacts generated from the exploit. aka either you are a lying douche or you accidentally used Gateway's launcher.
 