Hacking Using custom launcher.dat with Gateway Go

[AtlanticBit]

The title is self-explanatory. I have read a little bit about this and I thought that we just could try to remake GW's launcher and then change it's code to reflect what we want to do.

 

[y03usw6e]

The title is self-explanatory.

No, title is misleading. I thought for a second that you actually had something useful to contribute.

 

[AtlanticBit]

Why not just try? With some work we may RE it. Someday...

 

[AtlanticBit]

No, title is misleading. I thought for a second that you actually had something useful to contribute.

Sorry, I suck at titling my posts.
<-------Look here: Newcomer

 

[y03usw6e]

Why not just try? With some work we may RE it. Someday...

By "we may RE it", you mean other people will do the work for you, right?

 

[Reisyukaku]

I already tried that days ago, lol.. you're better off writting a custom ROP

 

[Nollog]

the new launcher has already been understood, someone just has to use it properly.

 

[AtlanticBit]

Damn, I would love to contribute but the problem is that I don't know anything about 3DS hacking and I am very basic at C/C++ programming...

 

[AtlanticBit]

By "we may RE it", you mean other people will do the work for you, right?

Nah, I meant the 3DS community. (I'm just guessing and asking if something like this is <semienglish>doable</semienglish>)

 

[AtlanticBit]

I think the browser exploit itself does an unpassable checksum to make sure it is a GW launcher.dat. On the other hand, if you downgrade and use the ds profile exploit you can run custom launchers.

I think that I should try wgetting it with a 3ds 4.5(my version) client. Then I will try to understand the code in there(i mean the JS). I actually want to buy a ds mode flashcart but I just want to save 9$ for something I will use just to boot the exploit.

 

[AtlanticBit]

It is doable, it's just hard. Also, doable is a normal english word...

heh i actually thought it didn't exist xdd

 

[AtlanticBit]

I am getting my GW today with the blue card that I don't need since I have a DSTWO, i would give it to you (jk)

I am n00b to forums and I don't know what jk means(Yes, I'm socially awkward).

 

[AtlanticBit]

Well, it seems that it's time to order a DS flashcart....

 

[st4rk]

The structure was changed , the first stage is just a ROP which load the Launcher.dat + Fseek(0x1200), with total of 0x4000(~= 16kb), it will be loaded in "Heap" region(http://3dbrew.org/wiki/Memory_layout#NATIVE_FIRM.2FSAFE_MODE_FIRM_Userland_Memory), after it, it will do a FOR and de-obfuscate it, and jump to this new rop, which do some checking and get ARM11 user-land code execution and after it kernel-code execution, to get a "Custom Launcher.dat", you will need edit the ROP Chain's.

 

[MRJPGames]

The webkit exploit used by Gateway has been RE'd which means that in theory someone smart enough to rewrite it to launch "unsigned" launcher.dat's could do it!
http://yifan.lu/2015/01/10/reversing-gateway-ultra-first-stage-part-1/
http://yifan.lu/2015/01/12/reversing-gateway-ultra-first-stage-part-2/
http://yifan.lu/2015/01/15/reversing-gateway-ultra-stage-2-owning-arm11-kernel/
Also useful: http://smealum.net/?p=517 (As gpuhax/gspwn is used by both NINJHAX and GW (both have it as their second stage))

 

[st4rk]

So how hard would it be to edit the rop chain to get a custom launcher.dat running?

Not much(ARM11 user-land/Kernel-Code), probably will be hard REing the ROP(the second )

Ah, there is just 9kb if i am not mistaken to code, but it can be fixed i think.

 

[yifan_lu]

It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.

 

[st4rk]

It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.

Is not necessary the code start with "NOP" ?

 

[yifan_lu]

Well, the second part verifies that the code is copied correctly by checking for the NOP.

 

[shutterbug2000]

It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.

Would it be possible to make a "tool" to automatically do this? Like, supply the homebrew and the GW launcher.dat, and it automatically make it? I don't really understand this, and if you don't want to make that(understandable), could you assist me in converting homebrew into this?