Hacking GW multirom demo

[gamesquest1]

I am doubtful about the chance being higher considering the data they check is stored in ram (they aren't checking the whole file afaik, they are checking various parts of the payloads they run). I am not sure if the date attributes for the actual files get refreshed in memory, or how often that happens. They'd have to constantly read the attributes from the SD card if they forcefully kept refreshing it, that would hinder performances by quite a bit.

They could be reading the dates of save files as they are loaded from the SD to the cart

 

[mathieulh]

They could be reading the dates of save files as they are loaded from the SD to the cart

What does it have to do with this ?

 

[gamesquest1]

Well instead of checking files constantly they could just check the date of when the save being loaded was modified as their date trigger

 

[profi200]

But that's not bad. If they would just use the system date, that would be to easy to change.

 

[gamesquest1]

Actually thinking about it, didn't some people get bricked just using the region free mod, so there would be no save files :s
Maybe it is just based on system time then....although they might of just been hit by the data integrity check

 

[Pablo007]

Here is another pseudo source code. And i say it again, it's only pseudo source code:

checkGW()
{
          if(crcOK)return;
          if(random)return;
          if(no_filebefore0x4444)return;
          brick()
}

Could you give me a sequence how it works? Step by step?

 

[w0dash]

Is the launcher.dat not our own or patched? -> Are you unlucky? -> Has the first file that starts with a "L" a timestamp after 4th of februar? -> Brick.

 

[Cyberdrive]

Could you give me a sequence how it works? Step by step?

From top to bottom, I'd assume.
crcOK() and random():

Gateway put a code in their launcher.dat which roughly works like this:

if(<low 4bits u32 output from random-number-generator are zero> && <checksum over arm9 code is invalid>)
brick();

The random-number-generator uses the console date for initialization. That's why all the bricks occured after a certain date. The second part checks whether the launcher.dat file itself is legit. Any modification makes the checksum fail and therefore bricks the console.

brick():

Possible that the trigger for the Bricking code has been in the Gateway launcher as to why Official bricks are occurring

and relates to any file on the SD card being dated 4th Feb 2014 or later
so if someone either has a file with that date on there SD card or Puts Forward there Internal clock (for play coin cheating) thus when the 3DS next saves to the SD it creates a file with the date 4th Feb or Later then a Brick could occur

possible Kill Code found

0x10410,0x10) MMC_SET_BLOCKLEN
 
0x50c1b,0) //PROGRAM_CSD
 
0x50c2a,0x0) setpass
 
0x10410,0x200) MMC_SET_BLOCKLEN

 

[profi200]

Could you give me a sequence how it works? Step by step?

checkGW()
{
          if(crcOK)return;                // Check if the CRC is ok. If the CRC is ok, return and don't execute the other checks
          if(random)return;               // Generate a random number and check, if the number matches the requirement's. If they don't match, return and don't execute the other checks
          if(no_filebefore0x4444)return;  // Check the date of the first file beginning with "L". If the date is before the 04. Feb., return and don't execode the brick routine
          brick()                         // If all checks before don't return, the brick code is executed
}

 

[gamesquest1]

Which gives us a deadline for 2.0 final

 

[mathieulh]

checkGW()
{
          if(crcOK)return;                // Check if the CRC is ok. If the CRC is ok, return and don't execute the other checks
          if(random)return;              // Generate a random number and check, if the number matches the requirement's. If they don't match, return and don't execute the other checks
          if(no_filebefore0x4444)return;  // Check the date of the first file beginning with "L". If the date is before the 04. Feb., return and don't execode the brick routine
          brick()                        // If all checks before don't return, the brick code is executed
}

Err... 0x4444 isn't February 4, I don't know where you saw that.
0x4444 is an hexadecimal encoded date which translates to Thu, 01 Jan 1970 04:51:16 GMT in the Gregorian calendar.
I am guessing this is a check to make sure they don't brick someone's 3DS if the RTC was reset (the internal battery gone wrong/depleted) or the like.

 

[Gabbo04]

They can simply change the date on the final 2.0 (ex: 05 May) so that means nothing, maybe they're waiting for the deadline just to see how many users are gonna brick their console.

I'm not expecting that release before the second week of February. (if the date in the code really means 04 Feb).

 

[profi200]

Err... 0x4444 isn't February 4, I don't know where you saw that.
0x4444 is an hexadecimal encoded date which translates to Thu, 01 Jan 1970 04:51:16 GMT in the Gregorian calendar.

The date encoding is the same as on the old Nintendo DS. To be honest, i have not looked, what date this exactly is. That's from ichfly.

 

[tyons]

waitwaitwait. does all this mean that if I create a file named something like "L-" with a timestamp prior to february 4 in the SD card, my 3ds with gateway's official launcher will never brick? that would be cool, ahaha

edit: even "Launchar.dat" would work >_>
does the code use alphabetical order?

 

[Huntereb]

waitwaitwait. does all this mean that if I create a file named something like "L-" with a timestamp prior to february 4 in the SD card, my 3ds with gateway's official launcher will never brick? that would be cool, ahaha

Even if that's the case, I wouldn't test it.

 

[profi200]

The date encoding is unclear. It seems. So it can be both the old DS encoding or the new encoding. I will look, which one the filesystem services use.

 

[tyons]

The date encoding is unclear. It seems. So it can be both the old DS encoding or the new encoding. I will look, which one the filesystem services use.

were you, by chance, replying to me? >_>
what do you think about what i wrote? is it theorically possible?

 

[Deleted User]

The date encoding is unclear. It seems. So it can be both the old DS encoding or the new encoding. I will look, which one the filesystem services use.

The date encoding is the same as on the old Nintendo DS. To be honest, i have not looked, what date this exactly is. That's from ichfly.

You come here stating the date as 4th February as fact but you seem pretty confused yourself. You may as well be pulling it out of thin air. It looks to me you're just parroting what ichfly says without understanding what it means. Makes me wonder what else you say is truth or fiction...

 

[profi200]

That has no effect on the first check which runs already since almost a month.

 

[profi200]

It looks to me you're just parroting what ichfly says without understanding what it means. Makes me wonder what else you say is truth or fiction...

I just said, what he said to me.

Then don't believe it. That makes Gateway even more happy to make more money.