Using custom launcher.dat with Gateway Go

Discussion in '3DS - Flashcards & Custom Firmwares' started by AtlanticBit, Jan 16, 2015.

  1. MRJPGames

    MRJPGames Pretty great guy

    Member
    7
    Aug 17, 2013
    Netherlands
    The Netherlands
    no
     
  2. krisztian1997

    krisztian1997 GBAtemp Fan

    Member
    3
    Dec 14, 2013
    Romania
    yifan_lu already explained several times how to do it, but you have to know some assembly and C to do it; also the launcher.dat used by smea is a bit different because it's only a smaller part of the big exploit (the kernel exploit part is fixed in >9.2 firmwares).
     
  3. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Member
    12
    Oct 11, 2014
    United States
    I know, I just don't understand how to actually pull it off. If anyone can write an "easy to follow" guide, it would be much appreciated!
     
  4. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Member
    12
    Oct 11, 2014
    United States

    I still can't figure out how to do this. If anyone could provide a file/ guide, I would really like that.
     
  5. ChrisRX

    ChrisRX GBAtemp Fan

    Member
    4
    Nov 8, 2006
    Without trying to sound rude, if those statements you quoted don't make any sense to you then you don't have the knowledge to do this.
    There is no "easy to follow" guide until someone smart enough creates the tools to do so.
     
    Zidapi likes this.
  6. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Member
    12
    Oct 11, 2014
    United States
    Well, I understand what they're saying, it's just:

    1. Where is the payload for a specific firmware (as in, what are the offsets for 4.5, etc.)?

    2. How would I encrypt the program with the "stream cipher"?

    P.S: No offense taken! :lol:
     
  7. tony_2018

    tony_2018 GBAtemp Psycho!

    Member
    7
    Jan 3, 2014
    United States
    Start a thread with an idea................check
    Find other people to do the work ..........W.I.P.
     
  8. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Member
    12
    Oct 11, 2014
    United States
    Waiitttt... I have an idea here. If someone can just explain the "part 2 + your custom ARM code" part. Is that like, combining it in a hex editor? If so, which would go first?
     
  9. KazoWAR

    KazoWAR GBAtemp Advanced Maniac

    Member
    8
    Aug 12, 2008
    United States
    Winter Haven
    I just wish smealum would make the homebrew launcher work from the web exploit.
     
    AquaX101, SLiV3R and Margen67 like this.
  10. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Member
    12
    Oct 11, 2014
    United States
    Well, it's "partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther than before, and if anyone knows what may be going on, please let me know!
     
    Margen67 and Sizednochi like this.
  11. Falo

    Falo GBAtemp Fan

    Member
    7
    Jul 22, 2012
    Germany
    - compile ARM11 code with armips or just write it in plain assembler (if you know what you are doing); load address is 0x009D2000
    - copy decrypted stage2 in front of your ARM11 code to forge a payload
    - add padding to make it 0x4000 bytes
    this means:
    0x0 - 0x1B8F = original ROP code or your own
    0x1B90 - 0x3FFF = your ARM11 code + padding
    - then encrypt it with the pseudo-RNG encryption
    - finally copy it to the launcher.dat offset, based on your firmware; example: 7.1 - 9.4 is 0x1A000

    Note: you get ARM11 code execution, but this is not enough to do anything else than what is possible with ninjhax

    to 1: 0x12000
    to 2: write some code in VB/C/C++/C#/Python/Java/whatever...

    This means your system crashed and nothing else; you did something wrong and it's impossible to guess what the cause was.
     
    Ra1d, Zidapi and yifan_lu like this.
  12. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Member
    12
    Oct 11, 2014
    United States
    Ok, one last question: How do I get the "decrypted stage2", and what do I do if the homebrew is larger than that size?
     
  13. NCDyson

    NCDyson Hello Boys...

    Member
    3
    Nov 9, 2009
    United States
    wait for someone else to figure it out and make a cfw installer/launcher.
     
  14. krisztian1997

    krisztian1997 GBAtemp Fan

    Member
    3
    Dec 14, 2013
    Romania
    I understood all of that but I am having problems with decrypting it on PC. I tried writing a program in C# and then in C++ to read 4 bytes and add the addcipher to it, but I get a lot of gibberish with both of the programs in the output file instead of ASM.
     
  15. 0xFFFF

    0xFFFF Advanced Member

    Newcomer
    1
    Jan 17, 2015
    Saint Kitts and Nevis
    Could you post the source (or solution, if you are using C#) of your program?
    We might find the 'gibberish' problem.
     
    Margen67 likes this.
  16. 0xFFFF

    0xFFFF Advanced Member

    Newcomer
    1
    Jan 17, 2015
    Saint Kitts and Nevis
    The "white screen slides in" part is actually a feature of Gateway's launcher. It's for cleaning the graphical artifacts generated from the exploit. aka either you are a lying douche or you accidentally used Gateway's launcher.
     
  17. krisztian1997

    krisztian1997 GBAtemp Fan

    Member
    3
    Dec 14, 2013
    Romania
    I am not an expert in working with files in C++ so my code is very ugly: http://pastebin.com/RDSQcUj8
     
  18. 0xFFFF

    0xFFFF Advanced Member

    Newcomer
    1
    Jan 17, 2015
    Saint Kitts and Nevis
    should be

     
  19. krisztian1997

    krisztian1997 GBAtemp Fan

    Member
    3
    Dec 14, 2013
    Romania
    Why? I first have to read the 4 bytes from the file, then add the cipher.
     
  20. 0xFFFF

    0xFFFF Advanced Member

    Newcomer
    1
    Jan 17, 2015
    Saint Kitts and Nevis

    uses a buffer of 0 in the original src
     