Hacking [IN PROGRESS] New Homebrew Launcher Exploit for 3DS

[TheHomesk1llet]

Hello everyone,

I pretty recently analyzed the Gateway launcher and understand (mostly) how it works. In the spoiler is a basic rundown.

As of January 21, 2015, I have a new launcher, but it has not been tested yet. It is for 9.2 only.

Spoiler

The website exploit blindly runs the file "Launcher.dat" on the root of the SD card. I will not explain how the website exploit works. Since the website exploit does not have kernel access, it's up to the launcher to get access itself through another exploit, which in this case is gspwn. I'm not gonna explain how that works, either. After the initial payload has been successfully executed, the rest of the process is taken care of in the launcher. Here are the three stages of the launcher:

Stage 1: Basically setup. Code and information is copied to the memory to allow for referencing and execution later.

Stage 2: Owning the ARM11 kernel. This exploit overwrites the kernel data to allow for the exploitation of the ARM9 kernel.

Stage 3: Owning the ARM9 kernel. Basically causes the ARM11 kernel to overwrite data at a specific memory location from a pointer to code that was agreed to be valid by both kernels. After the data is overwritten, the ARM11 kernel resets, and the ARM9 waits for the kernel to boot again. After it is ready, ARM9 executes the code at the location that has the overwritten code. This code can (probably) be anything since it is being executed by the ARM9 kernel, which always has full permission to execute any code. This is the most interesting stage.

Knowing all of this, functions located at various parts in memory, and where gateway stores its data, I should be able to replace gateway's code with my own, which will be...I'm not sure yet. Probably a cfw or modification of a cfw since that will allow for the most stuff. I'm still considering exactly what to put in there and I may end up making my own thing that'll install a piece of software to allow execution of any launcher stored on the SD card (much like HBC). I might also write a piece of software that will take any existing launcher.dat and make it executable by the website exploit. I'll think about it.

Now, all I'm going to be doing with the exploit itself is modifying the gateway launcher since the website exploit doesn't allow for the execution of unsigned code, and the gateway launcher does.

I'll keep this thread updated with progress and a date/time.

 

[DavidKang]

Nice

 

[Aurora Wright]

Be wary that the gateway launcher (probably) still rewards you with bricks if it detects tampering (but if you reversed it up to that point you knew it for sure).

 

[r5xscn]

Please disable/bypass launcher.dat's "Gateway red card checking" when entering Gateway mode. If you got this working, then it will be basically a CFW since we can install CIA. Thanks for your effort! .

 

[TheHomesk1llet]

Be wary that the gateway launcher (probably) still rewards you with bricks if it detects tampering (but if you reversed it up to that point you knew it for sure).

Yeah, I'm making sure to watch out for that. I'm also going to edit every last piece of the exploit to see where the brick code is, and remove it.

Actually, to clarify, we're rewriting the whole thing using (sort of) our own code. It'll be in C, and we're taking into consideration what Gateway has already written and what Yifan said.

Please disable Gateway red card check before entering Gateway mode in the launcher.dat. If you got this working, then it will be basically a CFW since we can install CIA. Thanks for your effort! .

There can't be a red card check if there's no red card c:

This exploit requires no extra hardware. You only need an internet connection and an SD card.

 

[LoneGrenade]

Good luck, and godspeed sk1llet.

 

[Rhokk222]

Sounds fantastic!

 

[Deleted-355425]

I'm definitely following this thread, if you can get done what you want/aim for then this is really huge for all users. Awesome sauce.

 

[Rob Blou]

good luck

 

[yunneg]

There can't be a red card check if there's no red card c:

This exploit requires no extra hardware. You only need an internet connection and an SD card.

I think he talk about entering Gateway mode without gateway card, we all know that no need flash card to run GO exploit.

 

[naxil]

I dont think latest gw code have the brick code... we really need a way for use browser hack with custom .dat

 

[Shubshub]

So will this only allow Homebrew then? or Piracy also
and will it work similar to regionthree and on the latest firmware?

 

[TheHomesk1llet]

I think he talk about entering Gateway mode without gateway card, we all know that no need flash card to run GO exploit.

Yeah, I'm not making another gateway, I'm making an exploit BASED on gateway that can run any code.

 

[TheHomesk1llet]

I dont think latest gw code have the brick code... we really need a way for use browser hack with custom .dat

Lucky for you, that's what this is.

So will this only allow Homebrew then? or Piracy also
and will it work similar to regionthree and on the latest firmware?

The launcher that I will provide will install a homebrew launcher application onto the 3DS. From there, you can execute it like any other 3DS software. I'll make it so that you can have multiple apps on the SD card in separate folders for you to launch individually. These apps can be anything you want.

 

[Shubshub]

Lucky for you, that's what this is.

The launcher that I will provide will install a homebrew launcher application onto the 3DS. From there, you can execute it like any other 3DS software. I'll make it so that you can have multiple apps on the SD card in separate folders for you to launch individually. These apps can be anything you want.

Make it so we can launch region locked games please

 

[yunneg]

Yeah, I'm not making another gateway, I'm making an exploit BASED on gateway that can run any code.

Sound great! I thinks you've just start a new hype train. haha

 

[r5xscn]

Lucky for you, that's what this is.

The launcher that I will provide will install a homebrew launcher application onto the 3DS. From there, you can execute it like any other 3DS software. I'll make it so that you can have multiple apps on the SD card in separate folders for you to launch individually. These apps can be anything you want.

This is better than what I requested. Good luck. Can you share what tools I can use to reverse engineering and compile my code? Thank you.

 

[congzing]

Hello everyone,

In case you missed the most recent thread I posted on launching homebrew using the Gateway Go exploit, I pretty recently analyzed the Gateway launcher and understand (mostly) how it works. In the spoiler is a basic rundown.

Spoiler

The website exploit blindly runs the file "Launcher.dat" on the root of the SD card. I will not explain how the website exploit works. Since the website exploit does not have kernel access, it's up to the launcher to get access itself through another exploit, which in this case is gspwn. I'm not gonna explain how that works, either. After the initial payload has been successfully executed, the rest of the process is taken care of in the launcher. Here are the three stages of the launcher:

Stage 1: Basically setup. Code and information is copied to the memory to allow for referencing and execution later.

Stage 2: Owning the ARM11 kernel. This exploit overwrites the kernel data to allow for the exploitation of the ARM9 kernel.

Stage 3: Owning the ARM9 kernel. Basically causes the ARM11 kernel to overwrite data at a specific memory location from a pointer to code that was agreed to be valid by both kernels. After the data is overwritten, the ARM11 kernel resets, and the ARM9 waits for the kernel to boot again. After it is ready, ARM9 executes the code at the location that has the overwritten code. This code can (probably) be anything since it is being executed by the ARM9 kernel, which always has full permission to execute any code. This is the most interesting stage.

Knowing all of this, functions located at various parts in memory, and where gateway stores its data, I should be able to replace gateway's code with my own, which will be...I'm not sure yet. Probably a cfw or modification of a cfw since that will allow for the most stuff. I'm still considering exactly what to put in there and I may end up making my own thing that'll install a piece of software to allow execution of any launcher stored on the SD card (much like HBC). I might also write a piece of software that will take any existing launcher.dat and make it executable by the website exploit. I'll think about it.

Now, all I'm going to be doing with the exploit itself is modifying the gateway launcher since the website exploit doesn't allow for the execution of unsigned code, and the gateway launcher does.

I'll keep this thread updated with progress and a date/time.

As of January 20, 2015, I have gathered two people to help me translate the pseudo code that Yifan Lu has made into working C that can be compiled into ASM format. The first stage of the payload has been translated and is ready. We are now working on the second stage.

I can help you if you plan write the program by C language

 

[pdaboy]

What firmware is this going to be for?

 

[plasma]

Will this allow installation of DevMenu/BBB without a flashcard?