Hacking Using custom launcher.dat with Gateway Go

shutterbug2000

shutterbug2000

Cubic NINJHAX!
Member
Level 14
Joined
Oct 11, 2014
Messages
1,088
Trophies
0
Age
29
XP
4,878
Country
United States
st4rk said:
Well... .global _start ?

Anyway, why no write a new ROP-Chain in browser to load a file without obfuscation, get the File(16kb) of Launcher.dat(and remove the obfuscation), go to "0x1B90", and write a new code in this ? (build a .bin in ARM11 and copy in 0x1B90 + ).

Ah! a little hint, if you wanna use GSPGPU Services you will need the gspGPuHandle, and this in 4.x version's is on "0x003B643C", you can write something like:

Code: 
getGspGpuHandle:
LDR r0, =0x003B643C
BX LR

:P

"I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?"

It won't load complete file, the rest of file is the other arm9 payloads(very little) and the firmware patched.
Click to expand...


So, about the 0x003B643C. Is that for the top, or the bottom screen? If its the bottom... I may be onto something here *evil smile*

Also, what is the address for the top screen, if its the bottom?
 
tHciNc

tHciNc

Total Random
Member
Level 9
Joined
Jan 14, 2006
Messages
861
Trophies
1
XP
1,690
Country
New Zealand
Slushie3DS said:
Hopefully, that is the case. I could have swore that Smea stated on his Twitter that it should work on 8.0-9.4, but 6.0-7.0 would have problems. Also, I think that Shiny has been making it more compatible.
Click to expand...

It works on 4.x - 9.x

region free loader for 3DS/3DSXL/2DS on firmware versions 4.0-9.4 this also allows you to bypass mandatory gamecard firmware updates
 
st4rk

st4rk

nah
Member
Level 6
Joined
Feb 11, 2014
Messages
542
Trophies
0
Website
st4rk.net
XP
815
Country
Brazil
krisztian1997 said:
Any tips/ideas where I could find the gpuhandle on 9.2 ? I understood what I have to do after that to draw on the screen but I can't find the gpu services in the memory.
Click to expand...


Ah, you can look for the GSPGPU Services, just look the command header in ctrulib, go to code and try find it, it will load the command header in a register.

The structure to service call is(GPU):
MRC p15, 0, <Reg>, c13, c0, 3
ADD <reg>, <reg>(/\), #0x80
LDR <reg>, 0x<command header>

and there is a BL to SendSyncRequest(SVC 0x32)

So, if you're using IDA, just press in the part of CODE XREF to back to the function which call the service and in the "R0" probably is the address of gspGpuHandle(if you're looking the GSPGPU of course), i belive which it should be the enough
 
shutterbug2000

shutterbug2000

Cubic NINJHAX!
Member
Level 14
Joined
Oct 11, 2014
Messages
1,088
Trophies
0
Age
29
XP
4,878
Country
United States
Hmmm... Hmm. need help here. If I'm using the OLD build script(build.bat, 3ds.ld, know what I'm talking about?), how do I output to screen? http://3dbrew.org/wiki/Memory_layout#VRAM_Map_While_Running_System_Applets would seem to tell me how, but that isn't working either. SHOULD be outputting, but its not. Do I need to do something to switch framebuffers, or anything else?
 
nop90

nop90

Well-Known Member
Member
Level 12
Joined
Jan 11, 2014
Messages
1,556
Trophies
0
Location
Rome
XP
3,036
Country
Italy
shutterbug2000 said:
Hmmm... Hmm. need help here. If I'm using the OLD build script(build.bat, 3ds.ld, know what I'm talking about?), how do I output to screen? http://3dbrew.org/wiki/Memory_layout#VRAM_Map_While_Running_System_Applets would seem to tell me how, but that isn't working either. SHOULD be outputting, but its not. Do I need to do something to switch framebuffers, or anything else?
Click to expand...

which FB addresses are you using? and are you trying to link the compiled files at the same base addrress of the previous launcher dat or you modifieed 3ds.ld?
 
shutterbug2000

shutterbug2000

Cubic NINJHAX!
Member
Level 14
Joined
Oct 11, 2014
Messages
1,088
Trophies
0
Age
29
XP
4,878
Country
United States
nop90 said:
which FB addresses are you using? and are you trying to link the compiled files at the same base addrress of the previous launcher dat or you modifieed 3ds.ld?
Click to expand...


Well, for the FB addresses, I'm using VRAM+the addresses at the bottom of that page. Not sure what to change in to 3ds.ld, so haven't modified that.
 
  • Like
Reactions: Kakkoii
nop90

nop90

Well-Known Member
Member
Level 12
Joined
Jan 11, 2014
Messages
1,556
Trophies
0
Location
Rome
XP
3,036
Country
Italy
The thread created in the exploit will likely have a new framebuffers set, you has to find them searching in memory.

To link the the code look in the GW decompiled source and find where the hack load the code than change the base address in 3ds.ld (previusly was 0x080C3EE0). maybe there tou can find the FB addresses too.

Good luck, I really don't want to switch again to barebone coding like a year ago .
 
  • Like
Reactions: Kakkoii
shutterbug2000

shutterbug2000

Cubic NINJHAX!
Member
Level 14
Joined
Oct 11, 2014
Messages
1,088
Trophies
0
Age
29
XP
4,878
Country
United States
nop90 said:
The thread created in the exploit will likely have a new framebuffers set, you has to find them searching in memory.

To link the the code look in the GW decompiled source and find where the hack load the code than change the base address in 3ds.ld (previusly was 0x080C3EE0). maybe there tou can find the FB addresses too.

Good luck, I really don't want to switch again to barebone coding like a year ago .
Click to expand...


Alright, thanks!
 
DarkKnightPT

DarkKnightPT

Well-Known Member
Member
Level 4
Joined
May 18, 2014
Messages
152
Trophies
0
Location
Sesimbra
XP
382
Country
Portugal
Hi guys, I have mt-card im thinking on getting a Nintendo 2ds.. so would it be possible to use this exploit to downgrade a Nintendo 2ds to fw 4.5 with gateway launcher, and than use the default Nintendo ds profile exploit with mtcard launcher to use mt card as any normal 3ds system nand 4.5?
 
shinyquagsire23

shinyquagsire23

SALT/Sm4sh Leak Guy
Member
Level 13
Joined
Nov 18, 2012
Messages
1,977
Trophies
2
Age
26
Location
Las Vegas
XP
3,765
Country
United States
DarkKnightPT said:
Hi guys, I have mt-card im thinking on getting a Nintendo 2ds.. so would it be possible to use this exploit to downgrade a Nintendo 2ds to fw 4.5 with gateway launcher, and than use the default Nintendo ds profile exploit with mtcard launcher to use mt card as any normal 3ds system nand 4.5?
Click to expand...

Nope, 2DS cannot downgrade.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

After the 8th of April, will it still be possible to create a new NNID (Nintendo Network ID) and/or transfer a NNID from one console to another?

Is it possible...?

Need help

Hacking Homebrew  how to link pnid to 3ds/how to use juxtaposition?

Bricked new3dsXL?

Hacking  New 2ds Refuses to boot

Hacking Homebrew  A new way to experience StreetPass

Hacking Misc  VCRUNTIME140.dll UCRTBASED.dll Master Thread

General chit-chat
Help Users
  • No one is chatting at the moment.
  • Xdqwerty @ Xdqwerty:
    @Psionic Roshambo, idk
  • Xdqwerty @ Xdqwerty:
    also gonna install twilight menu in my r4 flashcard
  • Psionic Roshambo @ Psionic Roshambo:
    One thing that just occurred to me.... The sound on the 2600 sucked less back then the harsh sound we hear now is from infinitely better speakers we have now, back when the 2600 was new speakers produced a almost muffled sound, like CRTs made old graphics look slightly better.
  • Psionic Roshambo @ Psionic Roshambo:
    I wonder if I could recommend that to some emulation devs that perhaps the sound could use some smoothing out to simulate those old TVs
  • Psionic Roshambo @ Psionic Roshambo:
    I think a few of the early systems could benefit from that, at least up to the 8 bit generation, by the 16 bit generation I think TVs had gotten a lot better in almost every way
  • Xdqwerty @ Xdqwerty:
    i dont have an sd card adapter but I have an usb sd card adapter
  • K3Nv2 @ K3Nv2:
    Old people games
  • Xdqwerty @ Xdqwerty:
    its not the one that comes with the r4
  • Xdqwerty @ Xdqwerty:
    doesnt work (my flashcard is from r4isdhc.com)
  • Xdqwerty @ Xdqwerty:
    might install ysmenu first
  • Psionic Roshambo @ Psionic Roshambo:
    Try Wood firmware
  • Psionic Roshambo @ Psionic Roshambo:
    For your R4
  • Xdqwerty @ Xdqwerty:
    @Psionic Roshambo, why?
  • Psionic Roshambo @ Psionic Roshambo:
    It's old but it's the best firmware out for DS stuff
  • Xdqwerty @ Xdqwerty:
    it says it only works for the original R4, R4i Gold (r4ids.cn), R4iDSN (r4idsn.com) and Acekard R.P.G.
  • Xdqwerty @ Xdqwerty:
    nvm it does support mine
  • Xdqwerty @ Xdqwerty:
    but why choose it over ysmenu @Psionic Roshambo?
  • Xdqwerty @ Xdqwerty:
    bc im stupid?
  • Xdqwerty @ Xdqwerty:
    yea ik im stupid
  • Xdqwerty @ Xdqwerty:
    good night
  • Psionic Roshambo @ Psionic Roshambo:
    Just give it a try, but honestly if you have a 3DS you can play DS games without a card just off the internal SD card
  • Psionic Roshambo @ Psionic Roshambo:
    Slightly slower loading but a bit more convenient
  • BakerMan @ BakerMan:
    guys, my fuckin headphones have an out of place speaker
  • K3Nv2 @ K3Nv2:
    Did you try wearing them?
  • B @ btjunior:
    @Xdqwerty 16
    B @ btjunior: @Xdqwerty 16