Hacking Using custom launcher.dat with Gateway Go

[shutterbug2000]

Well... .global _start ?

Anyway, why no write a new ROP-Chain in browser to load a file without obfuscation, get the File(16kb) of Launcher.dat(and remove the obfuscation), go to "0x1B90", and write a new code in this ? (build a .bin in ARM11 and copy in 0x1B90 + ).

Ah! a little hint, if you wanna use GSPGPU Services you will need the gspGPuHandle, and this in 4.x version's is on "0x003B643C", you can write something like:

getGspGpuHandle:
LDR r0, =0x003B643C
BX LR

"I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?"

It won't load complete file, the rest of file is the other arm9 payloads(very little) and the firmware patched.

So, about the 0x003B643C. Is that for the top, or the bottom screen? If its the bottom... I may be onto something here *evil smile*

Also, what is the address for the top screen, if its the bottom?

 

[st4rk]

So, about the 0x003B643C. Is that for the top, or the bottom screen? If its the bottom... I may be onto something here *evil smile*

Also, what is the address for the top screen, if its the bottom?

It`s the address to gspGpuHandle, to use GSPGPU Services.

 

[shutterbug2000]

It`s the address to gspGpuHandle, to use GSPGPU Services.

So, what would I do if I wanted to draw to the bottom or top screen?

 

[shutterbug2000]

So, what would I do if I wanted to draw to the bottom or top screen?

As in, what memory offset would I write to? Think I have an idea, but that's something I'm not sure about.

 

[st4rk]

As in, what memory offset would I write to? Think I have an idea, but that's something I'm not sure about.

eh... as far as i know you need use the services to draw on screen(look the ctrulib examples) in user-land.

 

[tHciNc]

Hopefully, that is the case. I could have swore that Smea stated on his Twitter that it should work on 8.0-9.4, but 6.0-7.0 would have problems. Also, I think that Shiny has been making it more compatible.

It works on 4.x - 9.x

region free loader for 3DS/3DSXL/2DS on firmware versions 4.0-9.4 this also allows you to bypass mandatory gamecard firmware updates

 

[Slushie3DS]

It works on 4.x - 9.x

region free loader for 3DS/3DSXL/2DS on firmware versions 4.0-9.4 this also allows you to bypass mandatory gamecard firmware updates

Maybe the cartridge I'm using isn't compatible.

 

[krisztian1997]

It`s the address to gspGpuHandle, to use GSPGPU Services.

Any tips/ideas where I could find the gpuhandle on 9.2 ? I understood what I have to do after that to draw on the screen but I can't find the gpu services in the memory.

 

[st4rk]

Any tips/ideas where I could find the gpuhandle on 9.2 ? I understood what I have to do after that to draw on the screen but I can't find the gpu services in the memory.

Ah, you can look for the GSPGPU Services, just look the command header in ctrulib, go to code and try find it, it will load the command header in a register.

The structure to service call is(GPU):
MRC p15, 0, <Reg>, c13, c0, 3
ADD <reg>, <reg>(/\), #0x80
LDR <reg>, 0x<command header>

and there is a BL to SendSyncRequest(SVC 0x32)

So, if you're using IDA, just press in the part of CODE XREF to back to the function which call the service and in the "R0" probably is the address of gspGpuHandle(if you're looking the GSPGPU of course), i belive which it should be the enough

 

[Slushie3DS]

Bump.

 

[shutterbug2000]

Hmmm... Hmm. need help here. If I'm using the OLD build script(build.bat, 3ds.ld, know what I'm talking about?), how do I output to screen? http://3dbrew.org/wiki/Memory_layout#VRAM_Map_While_Running_System_Applets would seem to tell me how, but that isn't working either. SHOULD be outputting, but its not. Do I need to do something to switch framebuffers, or anything else?

 

[nop90]

Hmmm... Hmm. need help here. If I'm using the OLD build script(build.bat, 3ds.ld, know what I'm talking about?), how do I output to screen? http://3dbrew.org/wiki/Memory_layout#VRAM_Map_While_Running_System_Applets would seem to tell me how, but that isn't working either. SHOULD be outputting, but its not. Do I need to do something to switch framebuffers, or anything else?

which FB addresses are you using? and are you trying to link the compiled files at the same base addrress of the previous launcher dat or you modifieed 3ds.ld?

 

[shutterbug2000]

which FB addresses are you using? and are you trying to link the compiled files at the same base addrress of the previous launcher dat or you modifieed 3ds.ld?

Well, for the FB addresses, I'm using VRAM+the addresses at the bottom of that page. Not sure what to change in to 3ds.ld, so haven't modified that.

 

[nop90]

The thread created in the exploit will likely have a new framebuffers set, you has to find them searching in memory.

To link the the code look in the GW decompiled source and find where the hack load the code than change the base address in 3ds.ld (previusly was 0x080C3EE0). maybe there tou can find the FB addresses too.

Good luck, I really don't want to switch again to barebone coding like a year ago .

 

[shutterbug2000]

The thread created in the exploit will likely have a new framebuffers set, you has to find them searching in memory.

To link the the code look in the GW decompiled source and find where the hack load the code than change the base address in 3ds.ld (previusly was 0x080C3EE0). maybe there tou can find the FB addresses too.

Good luck, I really don't want to switch again to barebone coding like a year ago .

Alright, thanks!

 

[DarkKnightPT]

Hi guys, I have mt-card im thinking on getting a Nintendo 2ds.. so would it be possible to use this exploit to downgrade a Nintendo 2ds to fw 4.5 with gateway launcher, and than use the default Nintendo ds profile exploit with mtcard launcher to use mt card as any normal 3ds system nand 4.5?

 

[shinyquagsire23]

Hi guys, I have mt-card im thinking on getting a Nintendo 2ds.. so would it be possible to use this exploit to downgrade a Nintendo 2ds to fw 4.5 with gateway launcher, and than use the default Nintendo ds profile exploit with mtcard launcher to use mt card as any normal 3ds system nand 4.5?

Nope, 2DS cannot downgrade.

 

[DarkKnightPT]

Nope, 2DS cannot downgrade.

ok thanks

 

[mordorer]

https://github.com/yifanlu/Spider3DSTools

Yifan lu works

 

[naxil]

Good tools? We can use it for launch homebrew with broswer hack?