Thread Status:
Not open for further replies.
  1. TheHomesk1llet

    OP TheHomesk1llet Also known as "Kupo"
    Member

    Joined:
    Apr 29, 2013
    Messages:
    210
    Country:
    United States
    Hello everyone,

    I pretty recently analyzed the Gateway launcher and understand (mostly) how it works. In the spoiler is a basic rundown.

    As of January 21, 2015, I have a new launcher, but it has not been tested yet. It is for 9.2 only.


    The website exploit blindly runs the file "Launcher.dat" on the root of the SD card. I will not explain how the website exploit works. Since the website exploit does not have kernel access, it's up to the launcher to get access itself through another exploit, which in this case is gspwn. I'm not gonna explain how that works, either. After the initial payload has been successfully executed, the rest of the process is taken care of in the launcher. Here are the three stages of the launcher:

    Stage 1: Basically setup. Code and information are copied to memory to allow for referencing and execution later.

    Stage 2: Owning the ARM11 kernel. This exploit overwrites the kernel data to allow for the exploitation of the ARM9 kernel.

    Stage 3: Owning the ARM9 kernel. Basically causes the ARM11 kernel to overwrite data at a specific memory location from a pointer to code that was agreed to be valid by both kernels. After the data is overwritten, the ARM11 kernel resets, and the ARM9 waits for the kernel to boot again. After it is ready, ARM9 executes the code at the location that has the overwritten code. This code can (probably) be anything since it is being executed by the ARM9 kernel, which always has full permission to execute any code. This is the most interesting stage.

    Knowing all of this, functions located at various parts in memory, and where Gateway stores its data, I should be able to replace Gateway's code with my own, which will be...I'm not sure yet. Probably a CFW or modification of a CFW since that will allow for the most stuff. I'm still considering exactly what to put in there and I may end up making my own thing that'll install a piece of software to allow execution of any launcher stored on the SD card (much like HBC). I might also write a piece of software that will take any existing launcher.dat and make it executable by the website exploit. I'll think about it.

    Now, all I'm going to be doing with the exploit itself is modifying the gateway launcher since the website exploit doesn't allow for the execution of unsigned code, and the gateway launcher does.

    I'll keep this thread updated with progress and a date/time.
     
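The stage 3 handoff in the OP's rundown is a useful pattern to look at on its own: the ARM9 side checks that the pointer it is handed lies in a region both kernels agree is valid, but the bytes at that address are still writable by an ARM11 that has already been owned in stage 2. The model below is an added illustration and not Gateway's code, the OP's code, or any real 3DS memory layout; the offsets, the one-byte "opcodes", and the FNV-1a digest standing in for a signature check are all hypothetical, and the ARM11 reset/wait step is left out. It contrasts an ARM9 that validates only the address with one that copies the region into memory the other core cannot reach, verifies the copy, and executes only from the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated memory shared by both cores. Sizes and offsets are hypothetical,
 * chosen for this model only; they are not real 3DS addresses. */
#define MEM_SIZE          0x1000
#define TRUSTED_CODE_OFF  0x100   /* region both kernels agree holds valid code */
#define TRUSTED_CODE_LEN  0x40
#define MAILBOX_OFF       0x800   /* where ARM11 leaves the code pointer for ARM9 */

static uint8_t mem[MEM_SIZE];

/* "Code" is one byte per instruction so the model can run it without a CPU. */
enum { OP_LEGIT = 0x01, OP_PAYLOAD = 0x7f };

/* FNV-1a stands in for a real signature/digest check over the trusted region. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Reference digest the modelled ARM9 is assumed to hold for the legitimate code. */
static uint32_t expected_digest;

static void write_ptr(uint32_t off, uint32_t value) { memcpy(mem + off, &value, 4); }
static uint32_t read_ptr(uint32_t off) { uint32_t v; memcpy(&v, mem + off, 4); return v; }

/* Boot: lay down the legitimate code, record its digest, publish the pointer. */
static void system_reset(void) {
    memset(mem, 0, sizeof mem);
    memset(mem + TRUSTED_CODE_OFF, OP_LEGIT, TRUSTED_CODE_LEN);
    expected_digest = fnv1a(mem + TRUSTED_CODE_OFF, TRUSTED_CODE_LEN);
    write_ptr(MAILBOX_OFF, TRUSTED_CODE_OFF);
}

/* The only check the weak ARM9 does: is the pointer inside the agreed region? */
static int arm9_pointer_is_trusted(uint32_t off) {
    return off >= TRUSTED_CODE_OFF && off < TRUSTED_CODE_OFF + TRUSTED_CODE_LEN;
}

/* Weak ARM9: validates the address, then executes whatever bytes are there now. */
static int arm9_run_weak(void) {
    uint32_t off = read_ptr(MAILBOX_OFF);
    if (!arm9_pointer_is_trusted(off)) return -1;
    return mem[off];                      /* the opcode it "executed" */
}

/* Hardened ARM9: copy the region into memory ARM11 cannot touch, verify the
 * copy, and execute only from the copy, so a later ARM11 write cannot win a race. */
static int arm9_run_hardened(void) {
    static uint8_t private_copy[TRUSTED_CODE_LEN];   /* ARM9-only memory in the model */
    uint32_t off = read_ptr(MAILBOX_OFF);
    if (!arm9_pointer_is_trusted(off)) return -1;
    memcpy(private_copy, mem + TRUSTED_CODE_OFF, TRUSTED_CODE_LEN);
    if (fnv1a(private_copy, TRUSTED_CODE_LEN) != expected_digest) return -2;
    return private_copy[off - TRUSTED_CODE_OFF];
}

/* Compromised ARM11 (after stage 2): leave the pointer valid, rewrite the bytes. */
static void arm11_overwrite_trusted_region(void) {
    memset(mem + TRUSTED_CODE_OFF, OP_PAYLOAD, TRUSTED_CODE_LEN);
}

int scenario_clean_weak(void)     { system_reset(); return arm9_run_weak(); }
int scenario_pwned_weak(void)     { system_reset(); arm11_overwrite_trusted_region(); return arm9_run_weak(); }
int scenario_clean_hardened(void) { system_reset(); return arm9_run_hardened(); }
int scenario_pwned_hardened(void) { system_reset(); arm11_overwrite_trusted_region(); return arm9_run_hardened(); }

int main(void) {
    printf("clean/weak     : executed opcode 0x%02x\n", scenario_clean_weak());
    printf("pwned/weak     : executed opcode 0x%02x\n", scenario_pwned_weak());
    printf("clean/hardened : executed opcode 0x%02x\n", scenario_clean_hardened());
    printf("pwned/hardened : rc %d (refused to run)\n", scenario_pwned_hardened());
    return 0;
}
```

The point of the model is the difference between `arm9_run_weak` and `arm9_run_hardened`: an address whitelist proves where the code lives, not what it says, and once the other core can write that region the whitelist is worth nothing. The copy-then-verify step also matters on its own; verifying in place and then executing from shared memory would still leave a window for the compromised core to swap the bytes after the check.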
  2. DavidKang

    DavidKang GBAtemp Regular
    Member

    Joined:
    Jun 23, 2012
    Messages:
    136
    Country:
  3. Aurora Wright

    Aurora Wright GBAtemp Advanced Maniac
    Member

    Joined:
    Aug 13, 2006
    Messages:
    1,549
    Country:
    Italy
    Be wary that the gateway launcher (probably) still rewards you with bricks if it detects tampering (but if you reversed it up to that point you knew it for sure).
     
  4. r5xscn

    r5xscn GBAtemp Regular
    Member

    Joined:
    Apr 8, 2014
    Messages:
    136
    Country:
    Antarctica
    Please disable/bypass launcher.dat's "Gateway red card checking" when entering Gateway mode. If you got this working, then it will be basically a CFW since we can install CIA. Thanks for your effort! :D.
     
  5. TheHomesk1llet

    OP TheHomesk1llet Also known as "Kupo"
    Member

    Joined:
    Apr 29, 2013
    Messages:
    210
    Country:
    United States
    Yeah, I'm making sure to watch out for that. I'm also going to edit every last piece of the exploit to see where the brick code is, and remove it.

    Actually, to clarify, we're rewriting the whole thing using (sort of) our own code. It'll be in C, and we're taking into consideration what Gateway has already written and what Yifan said.

    There can't be a red card check if there's no red card c:

    This exploit requires no extra hardware. You only need an internet connection and an SD card.
     
  6. LoneGrenade

    LoneGrenade IT Technician/Rookie Coder
    Member

    Joined:
    Mar 14, 2009
    Messages:
    157
    Country:
    Canada
    Good luck, and godspeed sk1llet.
     
    Margen67 likes this.
  7. Rhokk222

    Rhokk222 Member
    Newcomer

    Joined:
    Mar 14, 2008
    Messages:
    22
    Country:
    United States
    Sounds fantastic!
     
    Margen67 likes this.
  8. I'm definitely following this thread, if you can get done what you want/aim for then this is really huge for all users. Awesome sauce.
     
    Margen67 likes this.
  9. Rob Blou

    Rob Blou GBAtemp Advanced Fan
    Member

    Joined:
    Jul 16, 2013
    Messages:
    745
    Country:
    Canada
    good luck :)
     
    Margen67 likes this.
  10. yunneg

    yunneg Member
    Newcomer

    Joined:
    Oct 27, 2014
    Messages:
    34
    Country:
    I think he's talking about entering Gateway mode without a Gateway card; we all know that no flashcard is needed to run the GO exploit.
     
    cvskid likes this.
  11. naxil

    naxil GBAtemp Advanced Fan
    Member

    Joined:
    Oct 26, 2011
    Messages:
    789
    Country:
    Italy
    I don't think the latest GW code has the brick code... we really need a way to use the browser hack with a custom .dat
     
  12. Shubshub

    Shubshub The Shubinator
    Member

    Joined:
    Oct 16, 2009
    Messages:
    1,003
    Country:
    New Zealand
    So will this only allow homebrew then? Or piracy also?
    And will it work similarly to regionthree and on the latest firmware?
     
    Margen67 likes this.
  13. TheHomesk1llet

    OP TheHomesk1llet Also known as "Kupo"
    Member

    Joined:
    Apr 29, 2013
    Messages:
    210
    Country:
    United States
    Yeah, I'm not making another gateway, I'm making an exploit BASED on gateway that can run any code.
     
    Some1CP and Margen67 like this.
  14. TheHomesk1llet

    OP TheHomesk1llet Also known as "Kupo"
    Member

    Joined:
    Apr 29, 2013
    Messages:
    210
    Country:
    United States
    Lucky for you, that's what this is.
    The launcher that I will provide will install a homebrew launcher application onto the 3DS. From there, you can execute it like any other 3DS software. I'll make it so that you can have multiple apps on the SD card in separate folders for you to launch individually. These apps can be anything you want.
     
  15. Shubshub

    Shubshub The Shubinator
    Member

    Joined:
    Oct 16, 2009
    Messages:
    1,003
    Country:
    New Zealand
    Make it so we can launch region locked games please
     
    Margen67 likes this.
  16. yunneg

    yunneg Member
    Newcomer

    Joined:
    Oct 27, 2014
    Messages:
    34
    Country:
    Sounds great! I think you've just started a new hype train. haha
     
    Margen67 likes this.
  17. r5xscn

    r5xscn GBAtemp Regular
    Member

    Joined:
    Apr 8, 2014
    Messages:
    136
    Country:
    Antarctica
    This is better than what I requested. Good luck. Can you share what tools I can use to reverse engineer and compile my code? Thank you.
     
    Margen67 likes this.
  18. congzing

    congzing GBAtemp Regular
    Member

    Joined:
    Dec 10, 2014
    Messages:
    117
    Country:
    I can help you if you plan to write the program in C.
     
    Margen67 likes this.
  19. pdaboy

    pdaboy Member
    Newcomer

    Joined:
    Jan 22, 2010
    Messages:
    45
    Country:
    What firmware is this going to be for?
     
  20. Plasma Shadow

    Plasma Shadow GBAtemp's Artificial Lifeform
    Member

    Joined:
    May 15, 2009
    Messages:
    1,577
    Country:
    United Kingdom
    Will this allow installation of DevMenu/BBB without a flashcard?
     
    Margen67 likes this.