Hacking Gateway kernel access/memory editing question

Thread starter: Sparkette
Views: 2,821
Replies: 6
Sparkette:
My understanding is that Gateway, along with the dev menu, etc. basically allows full kernel access. Am I correct?

This would mean it would be possible to do Action Replay-like memory editing, right? (Maybe someone, perhaps myself if I can figure it out, could write a Cheat Engine server similar to the one for Android, so you can use CE with 3DS games.)
 
SaveDataFiler is available for that. Most games have checksums. Pokemon X/Y/oR/aS are supported by PkHex and other games have tools, as well.
 
By the sounds of it, he intends to do real-time editing not save editing.
I'm not sure if anything has been done in terms of peeking/poking the 3DS yet. Certainly nothing public.
 
NTR CFW lets you edit the memory via plugins and patch games on the fly. It could be used for cheating, but nobody has written a cheat plugin for it yet, and since it's based on an old GW launcher.dat, it doesn't support games with 7.x-8.x encryption or CIA installing.
 
Palatine CFW's ctrclient allows it too:
ctrclient.exe --serveradr=<3ds ip> --customcmd="<custom cmd>"

installcia:<cia name>

readmem:<mem type> <offset> <size> @<optional output file name>
memtypes: 11kern, 11usr=, 9
11usr=<process name> (i.e. pxi, pm)

writemem:<mem type> <offset> <size> @<input hex file>
memtypes: 11kern, 11usr=, 9
11usr=<process name> (i.e. pxi, pm)

getservhandle <service name> (i.e. ir:u )

sendservicecmd <service handle> <header code> <arg1>,<arg2>…

getprocinfo:addrconv <arm11 procname> <vaddr> (i.e. pxi 0x100000)
getprocinfo:kprocess <arm11 procname> (i.e. pxi)
getprocinfo:mmutable <arm11 procname> (i.e. pxi)
 
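The readmem/writemem commands quoted above are exactly the peek/poke primitive a Cheat Engine-style workflow needs. The Python below is an added example, not code from the thread, from Palatine CFW or from ctrclient: it implements the first-scan / next-scan / poke loop against a small constructed fake memory region, and also sketches a backend that builds ctrclient command lines from the syntax posted above. The fake region, its addresses, the assumption that readmem dumps raw bytes to the "@" file and that writemem takes an ASCII hex file are all mine; check them against the real tool before relying on that backend.

```python
import struct
import subprocess
from pathlib import Path

BASE = 0x08000000       # constructed: address the fake region pretends to be mapped at
SIZE = 0x2000           # constructed: 8 KiB of fake process memory
HP_ADDR = BASE + 0x7F0  # constructed: the real variable the scan should isolate


class FakeTarget:
    """Stand-in for the 3DS process: a bytearray at BASE (constructed sample memory)."""
    def __init__(self, base, image):
        self.base, self.mem = base, bytearray(image)

    def _offset(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.mem):
            raise ValueError(f"access outside mapped range: {addr:#x}+{size:#x}")
        return off

    def read(self, addr, size):
        off = self._offset(addr, size)
        return bytes(self.mem[off:off + size])

    def write(self, addr, data):
        off = self._offset(addr, len(data))
        self.mem[off:off + len(data)] = data


class CtrClientTarget:
    """Same read/write interface backed by ctrclient.exe, using the syntax quoted in the thread.
    Assumed, not confirmed by the thread: readmem writes raw bytes to the '@' file and
    writemem reads an ASCII hex file. Not exercised offline."""
    def __init__(self, ip, memtype="11usr=pxi", exe="ctrclient.exe"):
        self.ip, self.memtype, self.exe = ip, memtype, exe

    def _run(self, custom_cmd):
        subprocess.run([self.exe, f"--serveradr={self.ip}", f"--customcmd={custom_cmd}"], check=True)

    def read(self, addr, size):
        out = Path("readmem.bin")
        self._run(f"readmem:{self.memtype} {addr:#x} {size:#x} @{out}")
        return out.read_bytes()

    def write(self, addr, data):
        hexfile = Path("writemem.hex")
        hexfile.write_text(data.hex())
        self._run(f"writemem:{self.memtype} {addr:#x} {len(data):#x} @{hexfile}")


class Scanner:
    """Cheat Engine style loop: first_scan the region, narrow with next_scan, then poke."""
    def __init__(self, target, base, size, fmt="<I"):
        self.target, self.base, self.size, self.fmt = target, base, size, fmt
        self.width = struct.calcsize(fmt)
        self.candidates = []

    def _value_at(self, addr):
        return struct.unpack(self.fmt, self.target.read(addr, self.width))[0]

    def first_scan(self, value, chunk=0x1000):
        """Read the region chunk by chunk (one round trip each) and keep every aligned match."""
        packed, hits = struct.pack(self.fmt, value), []
        for start in range(0, self.size, chunk):
            addr = self.base + start
            blob = self.target.read(addr, min(chunk, self.size - start))
            for off in range(0, len(blob) - self.width + 1, self.width):
                if blob[off:off + self.width] == packed:
                    hits.append(addr + off)
        self.candidates = hits
        return hits

    def next_scan(self, value):
        """Re-read only the surviving candidates and keep those now holding `value`."""
        self.candidates = [a for a in self.candidates if self._value_at(a) == value]
        return self.candidates

    def poke(self, addr, value):
        """Write `value` and read it back so a silently dropped write is noticed."""
        self.target.write(addr, struct.pack(self.fmt, value))
        return self._value_at(addr)


def build_sample_target():
    """Constructed memory: 100 at HP_ADDR and two decoys, plus one unaligned 0x64 byte."""
    image = bytearray(SIZE)
    for off in (0x40, 0x7F0, 0x1230):
        image[off:off + 4] = struct.pack("<I", 100)
    image[0x1001] = 0x64  # not 4-byte aligned, so the aligned u32 scan must skip it
    return FakeTarget(BASE, image)


def demo():
    """Isolate the HP variable among decoys and set it to 999: (first, narrowed, readback)."""
    target = build_sample_target()
    scanner = Scanner(target, BASE, SIZE)
    first = scanner.first_scan(100)                 # three aligned hits
    target.write(HP_ADDR, struct.pack("<I", 87))    # the "game" lowers HP; decoys stay at 100
    narrowed = scanner.next_scan(87)                # only the real variable survives
    return first, narrowed, scanner.poke(narrowed[0], 999)
```

Run `demo()` to see the three candidates collapse to one after the value changes. Reading the region in page-sized chunks matters on a real target: each readmem is a network round trip, so a first scan that read four bytes at a time would take minutes, while next_scan only touches the surviving candidates.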
How likely is it that I can use this with my 9.2 3DS using nothing but a Gateway card, given what GW has said so far about 9.2 support? I might be able to make something to connect this to Cheat Engine.


It's not related to emuNAND compatibility.
Only sysNAND matters here. CFW creates its own emuNAND.

Tutorial reminder:
1. Launch the GW3DS exploit so you're at the GW3DS menu. You want to dump your NAND to the SD card.

2. Backup your NAND.bin file to your PC.

3. Now you'll want to boot into the GW3DS menu again and select "Format emuNAND".

4. Once that's done go to your PC and open the NAND.bin you extracted earlier in HxD. Now here's where things get tricky. You want to copy lines going from offset 00000000 all the way to and including line 000001F0.

5. Once copied go to the beginning of the code. (To the right of where it says 00000000 under offsets.) And click Copy Insert. Once you've done that go ahead and save the NAND.bin file.

6. Almost done. Next put your SD card that you formatted emuNAND on and open up the emuNAND tool made by n1ghty. Click the option to insert emuNAND and insert the NAND.bin file you modified.

7. Now you're going to want to download the files off of GovanifY's website. Throw the files in the 3DS_Stuff folder into the root of your SD card. Extract the rest of it to your Desktop or wherever.

8. Next up you're going to want to get your DS flashcart's microSD card ready, you'll just want to throw this file onto it.

Alright so you think you're ready to install the DevMenu? Hope you're ready to reset your 3DS about 50 times.

1. Boot up your DS flashcart and run the NDS file you downloaded. You want to install the Homebrew Rop Loader 4X, (Not the MSETBOSS one. The other one.) Once that's done go ahead and exit to the 3DS main menu.

2. Make sure you have your SD card that you formatted emuNAND on and injected the NAND.bin in the 3DS and go to Settings->Profile->Nintendo DS Profile. Hold L when pressing Nintendo DS Profile.

3. Now your top screen should be blue, and the bottom screen should flash white for a second. If it didn't flash white then you're going to have to restart your 3DS. Keep doing step 2 until it flashes white and your 3DS reboots. (It won't give you an error.)

4. Perfect. Now that your 3DS rebooted and you're in the 3DS' main menu go to your computer. Those files you downloaded from GovanifY's website are going to come in handy. Open run.bat in Notepad and replace "IPTOMODIFY" with your 3DS' IP address. Save run.bat.

5. Now run the run.bat file. If it says it can't connect, keep trying. Eventually it should send a CIA Install command. Congrats. If it doesn't then you'll want to reboot the 3DS, and try again from step 2. (You don't have to keep editing the run.bat file. Once is enough.)

Now instead of step 5, use ctrclient in command line in order to peek and poke memory.
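Steps 4 and 5 of the reminder above (copy HxD lines 00000000 through 000001F0, i.e. the first 0x200 bytes, and insert them at the start of NAND.bin) are easy to get wrong by a line in a hex editor. The Python below is an added example, not from the thread, GovanifY's files or n1ghty's emuNAND tool: it does that insertion by script, writes to a separate output file so the NAND backup stays untouched, and refuses to run twice on the same image. The "NCSD" magic check at 0x100 comes from the general 3DS NAND layout, not from the thread, and the fake NAND.bin is constructed for the test.

```python
from pathlib import Path

HEADER_LEN = 0x200   # HxD lines 0x00000000..0x000001F0 inclusive, 16 bytes each = 32 lines
NCSD_OFFSET = 0x100  # "NCSD" magic position in a 3DS NAND image (general 3DS layout, not from the thread)


def prepend_header(nand: bytes) -> bytes:
    """Return nand with its own first 0x200 bytes inserted in front (the HxD copy/insert step)."""
    if len(nand) < 2 * HEADER_LEN:
        raise ValueError("file too small to be a NAND dump")
    if nand[NCSD_OFFSET:NCSD_OFFSET + 4] != b"NCSD":
        raise ValueError("no NCSD magic at 0x100: is this really NAND.bin?")
    if nand[:HEADER_LEN] == nand[HEADER_LEN:2 * HEADER_LEN]:
        raise ValueError("first 0x200 bytes already duplicated: refusing to patch twice")
    return nand[:HEADER_LEN] + nand


def patch_file(src: Path, dst: Path) -> int:
    """Read the backup at src, write the patched image to dst, return the new size."""
    if src.resolve() == dst.resolve():
        raise ValueError("write the patched image to a new file; keep the NAND backup intact")
    data = prepend_header(src.read_bytes())
    dst.write_bytes(data)
    return len(data)


def build_fake_nand() -> bytes:
    """Constructed stand-in for NAND.bin: 0x100 bytes of fake signature, an NCSD header, filler."""
    sig = bytes(range(256))
    ncsd = b"NCSD" + b"\x00" * (HEADER_LEN - NCSD_OFFSET - 4)
    return sig + ncsd + b"\xff" * 0x1000
```

Usage: `patch_file(Path("NAND.bin"), Path("NAND_emu.bin"))`, then feed NAND_emu.bin to n1ghty's tool as in step 6. After patching, the NCSD magic appears at both 0x100 and 0x300, which is a quick sanity check in HxD before injecting.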
 
