GO Exploit

Discussion in '3DS - Flashcards & Custom Firmwares' started by ernilos, Jan 10, 2015.

  1. ernilos
    OP

    ernilos GBAtemp Regular

    Member
    152
    140
    Aug 28, 2013
    The other thread is getting filled with stuff like "halp me plz, it don't works", so I thought I'd create another thread to talk about the GO exploit...
    Going to the website without the 3DS User-Agent, you get the memory block filled with "counter+4 08 0E" (http://gyazo.com/77fb2460da8543a36e8ebed1d4f30037); when you activate the 3DS User-Agent you get the exploit. It seems the *exploit* copies 0x200 bytes to memory a lot of times, causing an overflow or something, and then runs the *second stage*.
    At first glance it seems to be a ROPLoader (like in MSetHax). Here we can see "dmc:/Launcher.dat" encoded in UTF-16, so this ROPLoader isn't obfuscated. A good way to continue studying how it works is getting a RAM dump with the browser applet open; it should be easy with the released CFW.
    Hopefully we can get kernel execution on FW 4.0-9.2.

    PS: There's a paste titled "GW_GO_Exploit.bin" with a download link for the exploit binary.
     
    Margen67, VinsCool, jocopoco and 2 others like this.
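As an added example (not code from the thread or from Gateway), here is the kind of triage script the RAM-dump suggestion above calls for. It scans a dump for two things ernilos describes: runs of 0x200-byte blocks laid down by a copy loop, and unobfuscated UTF-16LE strings such as "dmc:/Launcher.dat". The block layout it assumes for the "counter+4 08 0E" pattern (a 32-bit little-endian counter stepping by 4 at block+0, then the bytes 08 0E at block+4) is an assumption, and the dump it runs on is constructed inline; point `analyze_file` at a real dump to use it.

```python
import re
import struct

BLOCK_SIZE = 0x200
# Assumed layout of the fill pattern described as "counter+4 08 0E": a 32-bit little-endian
# counter at block+0 that steps by 4 per block, followed by the bytes 08 0E at block+4.
MARKER = b"\x08\x0e"


def build_sample_dump(n_blocks: int = 6, payload: bytes = b"") -> bytes:
    """Constructed stand-in for a RAM dump: n_blocks consecutive 0x200-byte blocks in the
    assumed fill layout, followed by payload bytes (e.g. a UTF-16LE string to find)."""
    out = bytearray()
    for i in range(n_blocks):
        block = struct.pack("<I", i * 4) + MARKER
        out += block + b"\xcc" * (BLOCK_SIZE - len(block))
    out += payload
    return bytes(out)


def find_utf16le_strings(buf: bytes, min_chars: int = 6):
    """(offset, text) for every run of at least min_chars printable ASCII characters encoded
    as UTF-16LE; an unobfuscated path like dmc:/Launcher.dat shows up this way in a dump."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(buf)]


def find_counter_blocks(buf: bytes, block_size: int = BLOCK_SIZE, marker: bytes = MARKER):
    """(offset, counter) for every block_size-aligned block carrying marker at +4."""
    hits = []
    for off in range(0, len(buf) - block_size + 1, block_size):
        if buf[off + 4:off + 4 + len(marker)] == marker:
            hits.append((off, struct.unpack_from("<I", buf, off)[0]))
    return hits


def counter_stride(hits):
    """Constant step between consecutive counters, or None when the step varies
    (in which case the blocks are not the output of a single copy loop)."""
    deltas = {b[1] - a[1] for a, b in zip(hits, hits[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def analyze(buf: bytes) -> dict:
    hits = find_counter_blocks(buf)
    return {"blocks": len(hits), "stride": counter_stride(hits),
            "strings": find_utf16le_strings(buf)}


def analyze_file(path: str) -> dict:
    """Run the same analysis over a dump file captured from the console."""
    with open(path, "rb") as f:
        return analyze(f.read())


if __name__ == "__main__":
    dump = build_sample_dump(payload="dmc:/Launcher.dat".encode("utf-16-le"))
    print(analyze(dump))
```

The stride check is the useful part: a constant step across every hit is what distinguishes a deliberate fill loop (the heap spray or overflow the post suspects) from blocks that merely happen to share the marker bytes.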
  2. ken28

    ken28 GBAtemp Advanced Fan

    Member
    731
    188
    Oct 21, 2010
    Germany
    Well, why not try to launch the ninjhax launcher with it instead of launcher.dat?
    Just an idea.
     
  3. Kylecito

    Kylecito eats warnings for breakfast

    Member
    344
    379
    May 6, 2009
    Cote d'Ivoire

    Not the same ROP chain, I doubt it.

    Has anyone tried to copy the site as-is to a local folder, set up a web server and run it locally? Having to rely on an Internet connection might be a risky business.
     
  4. Zidapi

    Zidapi GBAtemp Psycho!

    Member
    3,038
    1,821
    Dec 1, 2002
    It looks like the "GO Exploit" is the Swebug exploit that the enigmatic MathewE documented on this pastebin in early December, as it mentions the 0x200 bytes in the notes.

    The Swebug 3DS bug
    Code:
    Bug found: 12/6/14 9:24 PM
    Posted: 12/8/14 12:36 AM
    Updated: 12/8/2014 7:32 PM
    
    Bug tested on:
    -New 3DS 9.2.0-20J
    -2DS 9.0.0-20E
    -3DS 4.5.0-4U
    --EmuNAND 9.2.0-20U
    -3DS 5.0.0-11E
    -3DS 6.3.0-12J
    -3DS 9.1.0-20J
    -3DS XL 9.0.0-20U
    --EmuNAND 9.2.0-20U
    -3DS XL 9.2.0-20U
    -Dev 3DS (2)
    -New 3DS 9.0.0-20E
    -New 3DS 9.3.0-21J
    
    Bug worked:
    -New 3DS 9.2.0-20J
    -New 3DS 9.0.0-20E
    -New 3DS 9.3.0-21J
    
    Bug location:
    Internet Browser
    Repeating CTR Savegame
    
    "boot.12.8.14.zip" MD5: CE CE F5 8B 99 47 C5 61 DA 52 44 D3 72 3D 85 39
    "revision.12.8.14.zip" MD5: 23 CE 1B 24 4E 56 E7 0C 9D A8 17 31 F4 5F 24 00
    
    Contents:
    "webkit_root.zip" webkit bug
    "savetest_multi.zip" pre-written savegame bug (AQNx) (ACVx)
    "savecreate_root.zip" savegame bug
    "extdata_root.zip" savegame bug for extdata
    "hellow_world.khb" test homebrew
    The notes
    Code:
    savegame bug:
    rop:
    set 0x00 as start instead of 0x2000
    0x00000100
    0x00000010
    0x00004120
    0x00000200
    0x0000FF20
    0x01111110 
    0x00001210
    0x00000100
    0x0023A010
    0x0023A010
    0x00000100
    0x0000FF20
    0x0023A010
    0x0B1BCE90
    0x0000FF20
    0x0000FF20
    0x0023A010
    0x0000A1B0
    0x0000A1B0
    0x0000A1B0
    0x0000A1B0
    0x0000A1B0
    0x0000A1B0
    0x00000100
    0x0023A010
    0x0023A010
    0x0023A010
    0x00000100
    0x00000100
    0x0B1BCE90
    0x00000100
    0x0A121730 
    0x0000FCF0
    0x0000FCF0
    0x0000FCF0
    0x0A121730 
    0x0A121730 
    0x0A121730 
    0x00000100
    0x00004120
    0x00004120
    0x00004120
    0x00004120
    jump to internetBrowser
    
    webkit bug:
    localhost.***/savegame/gameID/1112/bug.html
    FF FF FF FF 01 22 00 20
    byte 4
    FF^0x1
    0xF(G)/FF 01/(02)
    (0x0102 02 01)
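
As an added example (not part of the pasted notes or the thread), the following handles the two machine-readable parts of those notes the way a practitioner would before trusting a re-hosted copy of them: it turns the space-separated MD5 lines into digests and checks an archive against them, and it parses the one-word-per-line ROP listing without guessing at any line that is not exactly eight hex digits (a transcription slip such as a letter where a digit belongs). The `NOTES` excerpt is constructed in the layout of the paste, with one deliberately malformed line; the MD5 in the usage is that of the empty file, not one of the archives listed above.

```python
import hashlib
import re
import struct

# Constructed excerpt in the layout of the pasted notes (not the full paste). The second-to-last
# hex line is deliberately malformed (a letter I where a digit belongs) to exercise the
# rejection path.
NOTES = """rop:
set 0x00 as start instead of 0x2000
0x00000100
0x00000010
0x0B1BCE90
0x0A121730 
0x0BIBCE90
jump to internetBrowser
"""

HEX_WORD = re.compile(r"^\s*0x([0-9A-Fa-f]{8})\s*$")


def parse_note_md5(note: str) -> str:
    """'CE CE F5 8B ...' (16 space-separated hex bytes, as written in the notes) -> hexdigest."""
    parts = note.split()
    if len(parts) != 16 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("expected 16 space-separated hex bytes")
    return "".join(parts).lower()


def verify_md5(data: bytes, note: str) -> bool:
    """True when data hashes to the MD5 given in note form; run this before unpacking
    anything that claims to be one of the listed zips."""
    return hashlib.md5(data).hexdigest() == parse_note_md5(note)


def parse_rop_words(text: str):
    """Collect the 32-bit words listed one per line. Lines that start with 0x but are not
    exactly eight hex digits are returned separately rather than silently corrected."""
    words, rejected = [], []
    for line in text.splitlines():
        m = HEX_WORD.match(line)
        if m:
            words.append(int(m.group(1), 16))
        elif line.strip().startswith("0x"):
            rejected.append(line.strip())
    return words, rejected


def pack_chain(words) -> bytes:
    """Little-endian layout, the byte order in which the console's ARM11 reads the words."""
    return b"".join(struct.pack("<I", w) for w in words)


def find_chain(dump: bytes, words, min_run: int = 3) -> int:
    """Offset where the first min_run chain words appear back to back in dump, or -1;
    useful for locating the chain inside a RAM dump or a savegame image."""
    return dump.find(pack_chain(words[:min_run]))


if __name__ == "__main__":
    words, bad = parse_rop_words(NOTES)
    print(len(words), "words parsed, rejected:", bad)
    print(pack_chain(words).hex())
    # MD5 of the empty file in the notes' spaced form (constructed check, not one of the archives).
    print(verify_md5(b"", "D4 1D 8C D9 8F 00 B2 04 E9 80 09 98 EC F8 42 7E"))
```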
     
  5. hias

    hias Member

    Newcomer
    27
    9
    Jun 16, 2014
    Argentina
    Nice work. If this is no more than what you found, does that mean we can mirror Gateway's files on a local webserver and start the launcher even when Gateway Go is down?
    Or is there still a payload that gets downloaded on boot?

    Would be nice if you could try this, thanks :)
     
    Margen67 likes this.
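Kylecito's suggestion above (copy the site as-is and serve it locally) and hias's question about mirroring Gateway's files both come down to the same setup, so here is one added example of it (not code from the thread, from Gateway or from the ninjhax project). It serves a mirrored folder over HTTP but only to requests whose User-Agent looks like the 3DS browser, reproducing the gating ernilos observed on the live site, and it refuses paths that would escape the mirror directory. The folder name `mirror`, the port, and the assumption that the 3DS browser's User-Agent contains "Nintendo 3DS" are all assumptions of this example.

```python
import http.server
import pathlib
import re
import socketserver

MIRROR_DIR = pathlib.Path("mirror")  # assumed: the site copied as-is into this folder
# Assumption: the 3DS Internet Browser announces itself with "Nintendo 3DS" in its User-Agent
# (e.g. "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7498.EU").
UA_3DS = re.compile(r"\bNintendo 3DS\b")


def classify_request(user_agent, path: str):
    """('file', relative path) when the request comes from a 3DS browser and stays inside the
    mirror; ('deny', reason) otherwise. Other browsers get nothing, mirroring the
    User-Agent gating seen on the live site."""
    if not UA_3DS.search(user_agent or ""):
        return ("deny", "not a 3DS browser")
    clean = path.split("?", 1)[0].lstrip("/") or "index.html"
    parts = pathlib.PurePosixPath(clean).parts
    if ".." in parts:
        return ("deny", "path traversal")
    return ("file", str(pathlib.PurePosixPath(*parts)))


class MirrorHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent")
        kind, value = classify_request(ua, self.path)
        if kind == "deny":
            # Logged so you can see who (or what) is probing the mirror besides the console.
            self.log_message("refused %s (%s) from UA %r", self.path, value, ua)
            self.send_error(403)
            return
        target = MIRROR_DIR / value
        if not target.is_file():
            self.send_error(404)
            return
        data = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type",
                         "text/html" if target.suffix in (".html", ".htm")
                         else "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Bind to the LAN interface the console can reach; 0.0.0.0 here is only for the demo.
    with socketserver.TCPServer(("0.0.0.0", 8080), MirrorHandler) as srv:
        srv.serve_forever()
```

Whether the mirrored copy is self-sufficient is exactly hias's open question: if the served page still fetches a stage from Gateway's servers, the refused-request log and a 404 on the console will show it immediately.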
  6. CalebW

    CalebW Fellow Temper

    Member
    634
    154
    Jun 29, 2012
    United States
    Interesting, does anyone know who this MathewE fellow is?
     
  7. ken28

    ken28 GBAtemp Advanced Fan

    Member
    731
    188
    Oct 21, 2010
    Germany
    A well-known PS3 hacker. Matthew CFW and so on, if I remember right.
     
  8. Dartz150

    Dartz150 GBATemp Official Lolicon Onii-chan™

    Member
    1,406
    844
    May 5, 2010
    Mexico
    On a Strange Journey
    So in order to make Ninjhax work with the new 4.0-9.2 browser exploit, the launcher.dat needs to be updated specifically for this exploit?
     
  9. Dr Eggman

    Dr Eggman I am THE Eggman.

    Member
    228
    27
    Jul 12, 2008
    Canada
    Eggmanland! (Toronto IRL)

    How did this go unnoticed??

    Hopefully the ROP chain is friendly so we can get homebrew up and running ASAP :)

    [user]ernilos[/user] what CFW are you talking about for this RAM dumping?
     
    Margen67 likes this.
  10. Bug_Checker_

    Bug_Checker_ GBAtemp Advanced Fan

    Member
    950
    444
    Jun 10, 2006
    United States

    It did not go unnoticed, just unmentioned until https://gbatemp.net/threads/3ds-softmod.378018/#post-5264571
     
  11. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,508
    1,155
    May 23, 2012
    It'd been mentioned prior to that, by piratesephiroth and a few other people, but it kind of went unnoticed or just forgotten about because no one knew who MathewE was, or how to get in contact with him. And it's almost certain he won't be publicly releasing his work either way. :P
     
  12. PewnyPL

    PewnyPL GBAtemp Advanced Fan

    Member
    595
    257
    Feb 2, 2014
    Poland
    So, as this exploit launches Launcher.dat from SD card... does anyone know if Gateway's exploit could be used to load Homebrew? Anyone tried?
     
    Margen67 likes this.
  13. OuahOuah

    OuahOuah GBAtemp Maniac

    Member
    1,008
    201
    Oct 2, 2006
    France
    GW can run homebrew directly ;)
     
  14. WaryLouka

    WaryLouka Official Representative of the SuperCard Team

    Banned
    216
    91
    Jun 22, 2013
    United States
    NO RECORDS

    But what if we could execute homebrew/binaries using only a specially crafted launcher file?
    It would be useful for those who want to play homebrew without a Gateway.
     
    Margen67 likes this.
  15. PewnyPL

    PewnyPL GBAtemp Advanced Fan

    Member
    595
    257
    Feb 2, 2014
    Poland
    Well yeah, it can. But this would be for people WITHOUT Gateway (and without Cubic Ninja)
     
    Margen67 likes this.
  16. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,508
    1,155
    May 23, 2012
    You'd need to reverse the Launcher.dat to find the exploit it uses. Without that, you're limited to basic ROP with the browser.
     
    Margen67 likes this.
  17. ernilos
    OP

    ernilos GBAtemp Regular

    Member
    152
    140
    Aug 28, 2013
    http://gbatemp.net/index.php?posts/5144453
    It has some commands that are really useful for developers and that stuff ^-^
     
    Margen67 likes this.
  18. cearp

    cearp the ticket master

    Member
    7,550
    4,813
    May 26, 2008
    Tuvalu
    but not with pure 100% nand access
     
  19. PewnyPL

    PewnyPL GBAtemp Advanced Fan

    Member
    595
    257
    Feb 2, 2014
    Poland
    But is the ROP chain of the browser identical to the MSET ROP chain? Or even more limited (as in, the actual exploit to launch unsigned code is in Launcher.dat this time)?
     
  20. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,508
    1,155
    May 23, 2012
    Functionally similar, if not identical, both confined to usermode ROP, no arbitrary execution.
    No real ARM9 access either, I believe, which is why there was never a .3ds or .cia of the decryptor homebrews.