Hacking Using custom launcher.dat with Gateway Go

[MRJPGames]

That's fine, do you have any idea how to do it?

no

 

[krisztian1997]

That's fine, do you have any idea how to do it?

yifan_lu already explained it several times how to do it, but you have to know some assembly and C to do it, also the launcher.dat used by smea is a bit different because its only a smaller part of the big exploit (the kernel exploit part is fixed in >9.2 firmwares).

 

[shutterbug2000]

I know, I just don't understand how to actually pull it off. If anyone can write an "easy to follow" guide, it would be much appreciated!

 

[shutterbug2000]

I know, I just don't understand how to actually pull it off. If anyone can write an "easy to follow" guide, it would be much appreciated!

I still can't figure out how to do this. If anyone could provide a file/ guide, I would really like that.

 

[ChrisRX]

"It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change."

^^ How EXACTLY would I do this process?

Without trying to sound rude, if those statements you quoted don't make any sense to you then you don't have the knowledge to do this.
There is no "easy to follow" guide until someone smart enough creates the tools to do so.

 

[shutterbug2000]

Well, I understand what they're saying, it's just:

1.Where is the payload for a specific firmware(as in, what are the offsets for 4.5, etc.)?

2. How would I encrypt the program with the "stream cipher"?

P.S: No offense taken!

 

[tony_2018]

Start a thread with an idea................check
Find other people to do the work ..........W.I.P.

 

[shutterbug2000]

Waiitttt... I have an idea here. If someone can just explain the "part 2 + your custom ARM code" part. Is that like, combining it in a hex editor? If so, which would go first?

 

[KazoWAR]

I just wish smealum would make the hombrew launcher work from the web exploit.

 

[shutterbug2000]

Well, it's "Partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther then before, and if anyone knows what may be going on, please let me know!

 

[Falo]

"It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change."

^^ How EXACTLY would I do this process?

- compile ARM11 code with armips or just write it in plain assembler (if you know what you do), load address is 0x009D2000
- copy decrypted stage2 in front of your arm11 code to forge a payload
- add padding to make it 0x4000 byte
this means
0x0 - 0x1B8F = original rop code or your own
0x1B90 - 0x3FFF = your arm11 code + padding
- then encrypt it with the pseudo-rng encryption
- finally copy it to the launcher.dat offset, based on your firmware, example: 7.1 - 9.4 is 0x1A000

Note: you get arm11 code execution, but this is not enough to do anything else than what is possible with ninjhax

Well, I understand what they're saying, it's just:

1.Where is the payload for a specific firmware(as in, what are the offsets for 4.5, etc.)?

2. How would I encrypt the program with the "stream cipher"?

P.S: No offense taken!

to 1: 0x12000
to 2: write some code in vb/c/c++/c#/python/java/whatever...

Well, it's "Partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther then before, and if anyone knows what may be going on, please let me know!

This means your system crashed and nothing else, you did something wrong and it's impossible to guess what the cause was.

 

[shutterbug2000]

Ok, one last question: How do I get the "decrypted stage2", and what do I do if the homebrew is larger than that size?

 

[NCDyson]

Ok, one last question: How do I get the "decrypted stage2", and what do I do if the homebrew is larger than that size?

wait for someone else to figure it out and make a cfw installer/launcher.

 

[krisztian1997]

- compile ARM11 code with armips or just write it in plain assembler (if you know what you do), load address is 0x009D2000
- copy decrypted stage2 in front of your arm11 code to forge a payload
- add padding to make it 0x4000 byte
this means
0x0 - 0x1B8F = original rop code or your own
0x1B90 - 0x3FFF = your arm11 code + padding
- then encrypt it with the pseudo-rng encryption
- finally copy it to the launcher.dat offset, based on your firmware, example: 7.1 - 9.4 is 0x1A000
Note: you get arm11 code execution, but this is not enough to do anything else than what is possible with ninjhax
to 1: 0x12000
to 2: write some code in vb/c/c++/c#/python/java/whatever...
This means your system crashed and nothing else, you did something wrong and it's impossible to guess what the cause was.

I understood all of that but I am having problems with decrypting it on pc, I tried writting a program in C# and then in C++ to read 4 bytes and add the addcipher to it but I get a lot of gibberish with both of the programs in the output file instead of ASM.

 

[0xFFFF]

I understood all of that but I am having problems with decrypting it on pc, I tried writting a program in C# and then in C++ to read 4 bytes and add the addcipher to it but I get a lot of gibberish with both of the programs in the output file instead of ASM.

Could you post the source (or solution, if you are using C#) of your program?
We might find the 'gibberish' problem.

 

[0xFFFF]

Well, it's "Partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther then before, and if anyone knows what may be going on, please let me know!

The "white screen slides in" part is actually a feature of Gateway's launcher. It's for cleaning the graphical artifacts generated from the exploit. aka either you are a lying douche or you accidently used Gateway's launcher.

 

[krisztian1997]

Could you post the source (or solution, if you are using C#) of your program?
We might find the 'gibberish' problem.

I am not an expert in working with files in c++ so my code is very ugly http://pastebin.com/RDSQcUj8

 

[0xFFFF]

I am not an expert in working with files in c++ so my code is very ugly http://pastebin.com/RDSQcUj8

key += 0xD5828281;
fread(&buffer, sizeof(int), 1, input);
buffer += key;
fwrite(&buffer, sizeof(int), 1, output);

should be

key += 0xD5828281;
buffer += key;
fread(&buffer, sizeof(int), 1, input);
fwrite(&buffer, sizeof(int), 1, output);

 

[krisztian1997]

should be

Why ? I first have to read the 4 bytes from the file then add the cipher.

 

[0xFFFF]

Why ? I first have to read the 4 bytes from the file then add the cipher.

fread(&buffer, sizeof(int), 1, input);

uses a buffer of 0 in the original src