Hacking Using custom launcher.dat with Gateway Go
- Thread starter AtlanticBit
- Start date
- Views 35,969
- Replies 219
- Likes 1
Smea has confirmed that spider .text is out of range, but there is a way to get ahold of code execution. It's through stage three and four of his exploit from his write-up. Basically, spider hack » RO hack » complete code execution.
Well, here's what I'm doing.
1. Extracting from 1A000-1BB8F(maybe inaccurate, not entirely sure right now, also only for 7.x to 9.4) in the GW launcher.
2. Combining a bin file with the data above, and a payload.bin from a Homebrew into another bin file, using a hex editor and placing the data above on top, and the payload.bin on the bottom(the bytes of the two
)3. Going to 1A000 in the GW launcher, and pasting WITH OVERWRITE(important, without this it will just crash back to home menu!), then copying this new Launcher.dat to the sd card, and loading go.gateway.com .
Does anyone see any faults in this process?
Also, it should be very well noted that hijacking Download Play via spider/SKATER is possible, as Smea did this in his Regionthree release.
Well, here's what I'm doing.
1. Extracting from 1A000-1BB8F(maybe inaccurate, not entirely sure right now, also only for 7.x to 9.4) in the GW launcher.
2. Combining a bin file with the data above, and a payload.bin from a Homebrew into another bin file, using a hex editor and placing the data above on top, and the payload.bin on the bottom(the bytes of the two
3. Going to 1A000 in the GW launcher, and pasting WITH OVERWRITE(important, without this it will just crash back to home menu!), then copying this new Launcher.dat to the sd card, and loading go.gateway.com .
Does anyone see any faults in this process?
I am not an expert in asm, but asm code has no main function/entrypoint ? and I am not sure if the ROP code directly launches whats after the 1BB8F, I think that you can do it like that... but like I said I don't know a lot about asm.
I had assumed, from your post, that you were intending to use the browser in some way, and I was just warning you that spider/SKATER (The browser applet) is very limited. This all, of course, is only implied if you meant to use the browser as a 'base.'
I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?
Well... .global _start ?
Anyway, why no write a new ROP-Chain in browser to load a file without obfuscation, get the File(16kb) of Launcher.dat(and remove the obfuscation), go to "0x1B90", and write a new code in this ? (build a .bin in ARM11 and copy in 0x1B90 + ).
Ah! a little hint, if you wanna use GSPGPU Services you will need the gspGPuHandle, and this in 4.x version's is on "0x003B643C", you can write something like:
Code:
getGspGpuHandle:
LDR r0, =0x003B643C
BX LR"I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?"
It won't load complete file, the rest of file is the other arm9 payloads(very little) and the firmware patched.
I already have the custom ropchain with no obsfucation (shiny posted his version some pages ago) and the 16kb payload from the launcher.dat also decoded, but I don't know a lot of asm so I have no idea what to really do.
That is a very good question, but I can not give you an answer, sadly. The Gateway team has split their stage one code in two to hide some of it, so knowledge of how it fully works is limited. I've been talking to Smea sparingly, but he's a bit distant, so gaining new knowledge from him is like a full time job.
Btw, i looked at it really fast in these two days, they have really much stages in this exploit.
I focused on arm9 becouse it does all the fancy things, but the exploit itself isn't protected in any way. I mean, to exexute simple arm9 code you just have to overwrite their payload. The hash checks are done in later stages.
I focused on arm9 becouse it does all the fancy things, but the exploit itself isn't protected in any way. I mean, to exexute simple arm9 code you just have to overwrite their payload. The hash checks are done in later stages.
Can you confirm if this does work with games from our region? I just tried it with one, and it did not seem to work. I don't have any games from different regions, but it'd be nice to see it in action.
4 Questions
1. Does it say Moo cause I am on my PC? nvm I just cheched the php file
2. What's inside the gateway.dg file?
3. Could we use that for something other than a downgrade?
4. How about editing the file and putting in CFW or devmenu?
Don't have any out of region games unfortunately. I just pushed a few fixes though which caused it to crash earlier, so maybe redownload the unlaunch.dat?
- Moo.
- I don't know, never checked, probably never will
- I don't know, never checked, probably never will
- I don't know, never tried, never will.
Similar threads
Site & Scene News
New Hot Discussed
-
-
19K views
Pokemon Platinum PC port gets a surprise release
Seemingly out of nowhere a PC port for Pokemon Platinum has surfaced online, bundled alongside the source code for those interested in building and developing it for... -
13K views
Steam Deck gets a major price bump, more than 40% increase for US buyers
With very little in the way of announcement, Valve has today increased the price of the Steam Deck but some fairly considerable margins. Both of the available models... -
10K views
Sony announces PlayStation Plus price increase for new customers starting May 20
Earlier this year, Sony announced major price increases for the PS5, PS5 Pro, and PlayStation Portal. Now the company is raising prices again, this time for... -
9K views
Nintendo Direct June 9, 2026 roundup - Ocarina of Time remake announced, Kingdom Hearts IV trailer
Nintendo's expected Summer showcase is here, offering up plenty of new announcements and exciting reveals. Let's see what they have in store in the latest Nintendo... -
9K views
Pokémon Crystal gets a PC port titled "suiCune" based on C/C++ language
Continuing with the great news of Pokémon Platinum getting a native unofficial PC port just a few days ago, today, yet another classic title from the franchise has... -
8K views
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
7K views
Low-level 3DS emulator 3Beans released alongside setup tutorial video
When you talk about 3DS emulation, most people would jump to Citra. As the defacto choice since its first release it's seen tremendous success, and even after its... -
6K views
PlayStation State of Play June 2, 2026 broadcast - new God of War announced
A whole hour of PlayStation content is on the way, thanks to the latest State of Play showcase. Headlining the stream will be Marvel's Wolverine, alongside a... -
5K views
Call of Duty: Modern Warfare 4 to launch on Nintendo Switch 2 in October
For the first time in 13 years, the Call of Duty series will again return to Nintendo's consoles. Set to launch on the 23rd of October, the latest release, Modern... -
5K views
RAManimator adds animated graphics to emulated games with no ROM editing
Back in April we covered the ROM hacking efforts to add fifth-generation animated sprites to third generation Pokemon games. It remains a thoroughly impressive...
-
-
-
171 replies
Steam Deck gets a major price bump, more than 40% increase for US buyers
With very little in the way of announcement, Valve has today increased the price of the Steam Deck but some fairly considerable margins. Both of the available models... -
141 replies
Nintendo Direct June 9, 2026 roundup - Ocarina of Time remake announced, Kingdom Hearts IV trailer
Nintendo's expected Summer showcase is here, offering up plenty of new announcements and exciting reveals. Let's see what they have in store in the latest Nintendo... -
102 replies
Pokemon Platinum PC port gets a surprise release
Seemingly out of nowhere a PC port for Pokemon Platinum has surfaced online, bundled alongside the source code for those interested in building and developing it for... -
92 replies
Sony announces PlayStation Plus price increase for new customers starting May 20
Earlier this year, Sony announced major price increases for the PS5, PS5 Pro, and PlayStation Portal. Now the company is raising prices again, this time for... -
91 replies
What do you want to see in the next Nintendo Direct?
With rumours circulating about a Nintendo Direct in the coming days and weeks, fans are left speculating and hoping as to what might be included. At the centre of all... -
77 replies
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
71 replies
PlayStation State of Play June 2, 2026 broadcast - new God of War announced
A whole hour of PlayStation content is on the way, thanks to the latest State of Play showcase. Headlining the stream will be Marvel's Wolverine, alongside a... -
71 replies
Nintendo Direct to air on the 9th of June, set to feature 50 minutes of Switch and Switch 2 games launching this year
After much speculation and rumour, the fabled Nintendo Direct is upon us. Set to go live tomorrow, the 9th of June, at 3pm in the UK, it'll feature 50 minutes of... -
63 replies
Call of Duty: Modern Warfare 4 to launch on Nintendo Switch 2 in October
For the first time in 13 years, the Call of Duty series will again return to Nintendo's consoles. Set to launch on the 23rd of October, the latest release, Modern... -
55 replies
Nintendo fined 35 million euros by the French government due to Switch 1 Joycon malfunctions
Following an investigation over misleading commercial practices, today Nintendo has been imposed a fine of 35 million euros related to the controller malfunctions...
-
