Toggle sidebar

Hacking Using custom launcher.dat with Gateway Go

  • Thread starter Thread starter AtlanticBit
  • Start date Start date
  • Views Views 36,187
  • Replies Replies 219
  • Likes Likes 1
st4rk said:
Well... .global _start ?

Anyway, why no write a new ROP-Chain in browser to load a file without obfuscation, get the File(16kb) of Launcher.dat(and remove the obfuscation), go to "0x1B90", and write a new code in this ? (build a .bin in ARM11 and copy in 0x1B90 + ).

Ah! a little hint, if you wanna use GSPGPU Services you will need the gspGPuHandle, and this in 4.x version's is on "0x003B643C", you can write something like:

Code: 
getGspGpuHandle:
LDR r0, =0x003B643C
BX LR

:p

"I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?"

It won't load complete file, the rest of file is the other arm9 payloads(very little) and the firmware patched.
Click to expand...


So, about the 0x003B643C. Is that for the top, or the bottom screen? If its the bottom... I may be onto something here *evil smile*

Also, what is the address for the top screen, if its the bottom?
 
Slushie3DS said:
Hopefully, that is the case. I could have swore that Smea stated on his Twitter that it should work on 8.0-9.4, but 6.0-7.0 would have problems. Also, I think that Shiny has been making it more compatible.
Click to expand...

It works on 4.x - 9.x

region free loader for 3DS/3DSXL/2DS on firmware versions 4.0-9.4 this also allows you to bypass mandatory gamecard firmware updates
 
st4rk said:
It`s the address to gspGpuHandle, to use GSPGPU Services.
Click to expand...
Any tips/ideas where I could find the gpuhandle on 9.2 ? I understood what I have to do after that to draw on the screen but I can't find the gpu services in the memory.
 
krisztian1997 said:
Any tips/ideas where I could find the gpuhandle on 9.2 ? I understood what I have to do after that to draw on the screen but I can't find the gpu services in the memory.
Click to expand...


Ah, you can look for the GSPGPU Services, just look the command header in ctrulib, go to code and try find it, it will load the command header in a register.

The structure to service call is(GPU):
MRC p15, 0, <Reg>, c13, c0, 3
ADD <reg>, <reg>(/\), #0x80
LDR <reg>, 0x<command header>

and there is a BL to SendSyncRequest(SVC 0x32)

So, if you're using IDA, just press in the part of CODE XREF to back to the function which call the service and in the "R0" probably is the address of gspGpuHandle(if you're looking the GSPGPU of course), i belive which it should be the enough
 
Hmmm... Hmm. need help here. If I'm using the OLD build script(build.bat, 3ds.ld, know what I'm talking about?), how do I output to screen? http://3dbrew.org/wiki/Memory_layout#VRAM_Map_While_Running_System_Applets would seem to tell me how, but that isn't working either. SHOULD be outputting, but its not. Do I need to do something to switch framebuffers, or anything else?
 
shutterbug2000 said:
Hmmm... Hmm. need help here. If I'm using the OLD build script(build.bat, 3ds.ld, know what I'm talking about?), how do I output to screen? http://3dbrew.org/wiki/Memory_layout#VRAM_Map_While_Running_System_Applets would seem to tell me how, but that isn't working either. SHOULD be outputting, but its not. Do I need to do something to switch framebuffers, or anything else?
Click to expand...

which FB addresses are you using? and are you trying to link the compiled files at the same base addrress of the previous launcher dat or you modifieed 3ds.ld?
 
nop90 said:
which FB addresses are you using? and are you trying to link the compiled files at the same base addrress of the previous launcher dat or you modifieed 3ds.ld?
Click to expand...


Well, for the FB addresses, I'm using VRAM+the addresses at the bottom of that page. Not sure what to change in to 3ds.ld, so haven't modified that.
 
  • Like
Reactions: Kakkoii
The thread created in the exploit will likely have a new framebuffers set, you has to find them searching in memory.

To link the the code look in the GW decompiled source and find where the hack load the code than change the base address in 3ds.ld (previusly was 0x080C3EE0). maybe there tou can find the FB addresses too.

Good luck, I really don't want to switch again to barebone coding like a year ago .
 
  • Like
Reactions: Kakkoii
nop90 said:
The thread created in the exploit will likely have a new framebuffers set, you has to find them searching in memory.

To link the the code look in the GW decompiled source and find where the hack load the code than change the base address in 3ds.ld (previusly was 0x080C3EE0). maybe there tou can find the FB addresses too.

Good luck, I really don't want to switch again to barebone coding like a year ago .
Click to expand...


Alright, thanks!
 
Hi guys, I have mt-card im thinking on getting a Nintendo 2ds.. so would it be possible to use this exploit to downgrade a Nintendo 2ds to fw 4.5 with gateway launcher, and than use the default Nintendo ds profile exploit with mtcard launcher to use mt card as any normal 3ds system nand 4.5?
 
DarkKnightPT said:
Hi guys, I have mt-card im thinking on getting a Nintendo 2ds.. so would it be possible to use this exploit to downgrade a Nintendo 2ds to fw 4.5 with gateway launcher, and than use the default Nintendo ds profile exploit with mtcard launcher to use mt card as any normal 3ds system nand 4.5?
Click to expand...

Nope, 2DS cannot downgrade.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Help on 3DS prices...

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Hardware  2 Broken 3DSes, need help

Homebrew Homebrew app  [Release] GridLauncher Rosalina

Homebrew  My Secret World DS: is there a way to bypass the password lock?

please help, wont boot

Hardware  I Have 2 THQ Dev Kit 3DSes (Panda), Need Help On Preserving What’s Inside

Homebrew  reBadge - an open source Nintendo Badge Arcade and Theme Shop revival, done with ❤️