From MaxConsole:
Let's make this real clear right now: the Gateway guys are (as always) doing things the right way. The only thing they've ever been guilty of is delivering promises *late*. Every promise they've made, they've kept. We're all excited about the forthcoming release, but seriously, let them do their jobs in their own time if you want them to do it right.
It's very, very clear to me that they're currently hardening their server infrastructure. They've invested in CloudFlare's DDoS protected service, that encompasses the aforementioned DDoS protection, web application firewall, reverse caching/proxying and more. Enabling such a service for a Wordpress-driven site such as theirs is usually fairly straight forward, but it wouldn't necessarily play well out-of-the-box with any custom web apps they've created.
They're pretty clearly preparing a Ninjhax-style QR-code generator to deploy the stage 1 payload, given the confirmed leaked information thus far. This would take the form of a web app. Perhaps CloudFlare is caching generated QR-codes, and they're working around issues such as the wrong QR-codes being sent to the wrong clients? Again, they need to get it right. The wrong payload being generated for the wrong console could be potentially disastrous for all we know. Can you imagine the damage to their reputation?
Imagine if the QR-code generator went down a few minutes after the new update was released, effectively stopping anyone from actually making use of the new update, caused by a stampede of folk trying to use it. Reputation == damaged.
Also, they have to ensure any QR-code generating web app is sound from a security perspective. The last thing they want is for it to be vulnerable to XSS or SQL injection attacks, potentially leaking information of their customers, ie. email addresses, console serial numbers (!) etc. Again, could you imagine the potential damage to their reputation? It also has to perform efficiently, as no amount of caching with CloudFlare will shore up a web app suffering from memory leaks or segfaults for example.
Smealum and his team delivered a similar but ultimately much less complex exploit to around ~30,000 users maximum (that's the estimated number of Cubic Ninja copies in circulation), and he and his team comprising around 4 people in total took a long while to release their exploit, much longer than Team Gateway have. He took a *lot* of shit for delivering that late.
I'd expect that considering Gateway have many, many more Gateway 3DS kits out there, a more complex exploit (kernel level access, remember), a different attack vector, and a whole BUSINESS depending on it going smoothly. They've never given me or publicly announced a firm (or even loose) date, therefore I don't expect one. I have two 3DS's on 9.2.0-20 and two unused Gateway kids in preparation, and I'm fine waiting because I know that when it's released, it'll work right. The site will work, the exploit will work without bricking devices; it'll all be fine.
I'm as excited about this as any one else but I'm happy to wait for it. I'm happy for them to do it right, and cover their asses as much as possible whilst doing so. After all, delivering late is a million times better than bricked consoles, information leaks, overloaded server hardware and pretty much everything else that could go wrong.