Hacking [IN PROGRESS] New Homebrew Launcher Exploit for 3DS

Status
Not open for further replies.

TheHomesk1llet

Also known as "Kupo"
OP
Member
Hello everyone,

I pretty recently analyzed the Gateway launcher and understand (mostly) how it works. In the spoiler is a basic rundown.

As of January 21, 2015, I have a new launcher, but it has not been tested yet. It is for 9.2 only.


The website exploit blindly runs the file "Launcher.dat" on the root of the SD card. I will not explain how the website exploit works. Since the website exploit does not have kernel access, it's up to the launcher to get access itself through another exploit, which in this case is gspwn. I'm not gonna explain how that works, either. After the initial payload has been successfully executed, the rest of the process is taken care of in the launcher. Here are the three stages of the launcher:

Stage 1: Basically setup. Code and information are copied to memory to allow for referencing and execution later.

Stage 2: Owning the ARM11 kernel. This exploit overwrites the kernel data to allow for the exploitation of the ARM9 kernel.

Stage 3: Owning the ARM9 kernel. Basically causes the ARM11 kernel to overwrite data at a specific memory location from a pointer to code that was agreed to be valid by both kernels. After the data is overwritten, the ARM11 kernel resets, and the ARM9 waits for the kernel to boot again. After it is ready, ARM9 executes the code at the location that has the overwritten code. This code can (probably) be anything since it is being executed by the ARM9 kernel, which always has full permission to execute any code. This is the most interesting stage.
Knowing all of this, functions located at various parts in memory, and where gateway stores its data, I should be able to replace gateway's code with my own, which will be...I'm not sure yet. Probably a cfw or modification of a cfw since that will allow for the most stuff. I'm still considering exactly what to put in there and I may end up making my own thing that'll install a piece of software to allow execution of any launcher stored on the SD card (much like HBC). I might also write a piece of software that will take any existing launcher.dat and make it executable by the website exploit. I'll think about it.

Now, all I'm going to be doing with the exploit itself is modifying the gateway launcher since the website exploit doesn't allow for the execution of unsigned code, and the gateway launcher does.

I'll keep this thread updated with progress and a date/time.
 

Aurora Wright

Well-Known Member
Member
Be wary that the gateway launcher (probably) still rewards you with bricks if it detects tampering (but if you reversed it up to that point you knew it for sure).
 

TheHomesk1llet

Also known as "Kupo"
OP
Member
Be wary that the gateway launcher (probably) still rewards you with bricks if it detects tampering (but if you reversed it up to that point you knew it for sure).
Yeah, I'm making sure to watch out for that. I'm also going to edit every last piece of the exploit to see where the brick code is, and remove it.

Actually, to clarify, we're rewriting the whole thing using (sort of) our own code. It'll be in C, and we're taking into consideration what Gateway has already written and what Yifan said.

Please disable Gateway red card check before entering Gateway mode in the launcher.dat. If you got this working, then it will be basically a CFW since we can install CIA. Thanks for your effort! :D.
There can't be a red card check if there's no red card c:

This exploit requires no extra hardware. You only need an internet connection and an SD card.
 
Deleted-355425

Guest
I'm definitely following this thread, if you can get done what you want/aim for then this is really huge for all users. Awesome sauce.
 

yunneg

Active Member
Newcomer
There can't be a red card check if there's no red card c:

This exploit requires no extra hardware. You only need an internet connection and an SD card.

I think he's talking about entering Gateway mode without a Gateway card; we all know that no flash card is needed to run the GO exploit.
 

naxil

Well-Known Member
Member
I don't think the latest GW code has the brick code... we really need a way to use the browser hack with a custom .dat
 

TheHomesk1llet

Also known as "Kupo"
OP
Member
I don't think the latest GW code has the brick code... we really need a way to use the browser hack with a custom .dat
Lucky for you, that's what this is.
So will this only allow homebrew then, or piracy also?
And will it work similarly to regionthree, and on the latest firmware?
The launcher that I will provide will install a homebrew launcher application onto the 3DS. From there, you can execute it like any other 3DS software. I'll make it so that you can have multiple apps on the SD card in separate folders for you to launch individually. These apps can be anything you want.
 

Shubshub

The Shubinator
Member
Joined
Oct 16, 2009
Messages
1,044
Trophies
0
Age
26
Location
The dark part of your house
XP
2,011
Country
New Zealand
Lucky for you, that's what this is.

The launcher that I will provide will install a homebrew launcher application onto the 3DS. From there, you can execute it like any other 3DS software. I'll make it so that you can have multiple apps on the SD card in separate folders for you to launch individually. These apps can be anything you want.

Make it so we can launch region locked games please
 

r5xscn

Well-Known Member
Member
Lucky for you, that's what this is.

The launcher that I will provide will install a homebrew launcher application onto the 3DS. From there, you can execute it like any other 3DS software. I'll make it so that you can have multiple apps on the SD card in separate folders for you to launch individually. These apps can be anything you want.

This is better than what I requested. Good luck. Can you share what tools I can use for reverse engineering and for compiling my code? Thank you.
 

congzing

Well-Known Member
Member
Hello everyone,

In case you missed the most recent thread I posted on launching homebrew using the Gateway Go exploit, I pretty recently analyzed the Gateway launcher and understand (mostly) how it works. In the spoiler is a basic rundown.

The website exploit blindly runs the file "Launcher.dat" on the root of the SD card. I will not explain how the website exploit works. Since the website exploit does not have kernel access, it's up to the launcher to get access itself through another exploit, which in this case is gspwn. I'm not gonna explain how that works, either. After the initial payload has been successfully executed, the rest of the process is taken care of in the launcher. Here are the three stages of the launcher:

Stage 1: Basically setup. Code and information are copied to memory to allow for referencing and execution later.

Stage 2: Owning the ARM11 kernel. This exploit overwrites the kernel data to allow for the exploitation of the ARM9 kernel.

Stage 3: Owning the ARM9 kernel. Basically causes the ARM11 kernel to overwrite data at a specific memory location from a pointer to code that was agreed to be valid by both kernels. After the data is overwritten, the ARM11 kernel resets, and the ARM9 waits for the kernel to boot again. After it is ready, ARM9 executes the code at the location that has the overwritten code. This code can (probably) be anything since it is being executed by the ARM9 kernel, which always has full permission to execute any code. This is the most interesting stage.
Knowing all of this, functions located at various parts in memory, and where gateway stores its data, I should be able to replace gateway's code with my own, which will be...I'm not sure yet. Probably a cfw or modification of a cfw since that will allow for the most stuff. I'm still considering exactly what to put in there and I may end up making my own thing that'll install a piece of software to allow execution of any launcher stored on the SD card (much like HBC). I might also write a piece of software that will take any existing launcher.dat and make it executable by the website exploit. I'll think about it.

Now, all I'm going to be doing with the exploit itself is modifying the gateway launcher since the website exploit doesn't allow for the execution of unsigned code, and the gateway launcher does.

I'll keep this thread updated with progress and a date/time.

As of January 20, 2015, I have gathered two people to help me translate the pseudo code that Yifan Lu has made into working C that can be compiled into ASM format. The first stage of the payload has been translated and is ready. We are now working on the second stage.

I can help you if you plan to write the program in C.
 