Toggle sidebar

Hacking Using custom launcher.dat with Gateway Go

  • Thread starter Thread starter AtlanticBit
  • Start date Start date
  • Views Views 35,935
  • Replies Replies 219
  • Likes Likes 1
i wish i could have brought the gateway red card alone for cheaper. i have a dstwo and it is going to be sitting in the box while i load it it with my dstwo
 
Any progress with this? For me, The exploit seems to be crashing very... interestingly.When I load a normal exploit(the "official" gateway one) on my 9.4 3ds, it crashes completely. Meaning I have to hold the power button for at least 10-20 seconds. Not the case here. On my 4.2(downgraded) 3ds, it crashes the same way, but it doesn't require that long of a button press. And...what would seem to mean it's still running... the wireless led is still flashing. Not often, but it is. Could this mean... the system didn't actually crash???​
 
I don't understand one thing.

If someone want to use the web expolit to load custom code and really knows how it works, why shold use the GW way, full of obfuscation, instead of writing a simpler rop that only loads a clear bin file?

You have all the rop gadget ready, you anly have to remove the loading offset and the crappy decoding cycle from the rop.

Working with unencrypted files will make debugging easier (if something a three steps exploit can be easy :lol: ).
 
I think I'm onto something here. Like I said earlier, the 3ds doesn't "crash", wireless led still blinks, can turn off wireless, etc.(look at my prev. post). But, the screen just stays like that(messed up bottom screen, top screen stays as the browser). I've tried a couple different homebrews, they all seem to do the same thing. But, what has made me write this post, is that when there is "improperly compiled"(because I'm bad at using a compiler), the 3ds kicks me back to the home menu. So, the code IS executing. I just need a way to "refresh" the screens, and allow it to output to the display.
 
shutterbug2000 said:
I think I'm onto something here. Like I said earlier, the 3ds doesn't "crash", wireless led still blinks, can turn off wireless, etc.(look at my prev. post). But, the screen just stays like that(messed up bottom screen, top screen stays as the browser). I've tried a couple different homebrews, they all seem to do the same thing. But, what has made me write this post, is that when there is "improperly compiled"(because I'm bad at using a compiler), the 3ds kicks me back to the home menu. So, the code IS executing. I just need a way to "refresh" the screens, and allow it to output to the display.
Click to expand...

That could very well be true indeed, if we have a disassembled gateway bin we can look how they refresh the screen.
 
  • Like
Reactions: Margen67
nop90 said:
I don't understand one thing.

If someone want to use the web expolit to load custom code and really knows how it works, why shold use the GW way, full of obfuscation, instead of writing a simpler rop that only loads a clear bin file?

You have all the rop gadget ready, you anly have to remove the loading offset and the crappy decoding cycle from the rop.

Working with unencrypted files will make debugging easier (if something a three steps exploit can be easy :lol: ).
Click to expand...

I'm already doing that and i have a program ready to do that, i also released it here on gbatemp with full source, just nobody noticed it...
The problem is, it doesn't work ^^
Just knowing how it works and what all rop's are doing isn't enough to do anything, there are lots of missing memory gadgets (example: IFile_Write) to make my own ram dumps.

The main problem is, you NEED ram dumps to get any code working...

About the obfuscation:
If you know all rop gadgets, then you will see, that most of it is not even obfuscated, just painful long to read.

Example: (only fw 7.1-9.X)

this gadget: 0x0023FF9C
translates to:
Code: 
memcpy(R0, R1, R2)
BX LR
But what is gateway actually doing to call this gadget?:

step1: POP R0-R4, R7, PC //<- this loads the R0-R2 values for memcpy
step2: POP R4-R12, PC //<- this writes a NOP to R12
step3: POP R4-R6,LR then BX R12 //<- this writes a value to LR and then uses the NOP in R12 to jump into the next gadget
step4: memcpy then BX LR //it ends in BX LR, that's why they do step2&3 to load a NOP into LR...

if you translate these gadgets into actual code you get something like this: (note: gateway fills the unused register with junk data)

memcpy(0x08F02894, 0x08F028D8, 0x00000044) =
Code: 
08F01874: 0x001946EB:
        POP {R0-R4,R7,PC}
        POP(0x08F02894)
        POP(0x08F028D8)
        POP(0x00000044)
        POP(0x001CCC64)
        POP(0x00354850)
        POP(0x00101408)
08F01890: 0x001065A8:
        POP {R4-R12,PC}
        POP(0x002104E5)
        POP(0x002CCF7C)
        POP(0x00184700)
        POP(0x00116400)
        POP(0x001B4300)
        POP(0x00113200)
        POP(0x0007B800)
        POP(0x0021E630)
        POP(0x001057C4)
08F018B8: 0x002C5AE0:
        POP {R4-R6,LR}
        BX R12
        POP(0x0010322C)
        POP(0x0022FE44)
        POP(0x00100B5C)
        POP(0x001057C4)
08F018CC: 0x0023FF9C:
        memcpy()
        BX LR
 
Falo said:
I'm already doing that and i have a program ready to do that, i also released it here on gbatemp with full source, just nobody noticed it...
The problem is, it doesn't work ^^
Just knowing how it works and what all rop's are doing isn't enough to do anything, there are lots of missing memory gadgets (example: IFile_Write) to make my own ram dumps.

The main problem is, you NEED ram dumps to get any code working...

About the obfuscation:
If you know all rop gadgets, then you will see, that most of it is not even obfuscated, just painful long to read.

Example: (only fw 7.1-9.X)

this gadget: 0x0023FF9C
translates to:
Code: 
memcpy(R0, R1, R2)
BX LR
But what is gateway actually doing to call this gadget?:

step1: POP R0-R4, R7, PC //<- this loads the R0-R2 values for memcpy
step2: POP R4-R12, PC //<- this writes a NOP to R12
step3: POP R4-R6,LR then BX R12 //<- this writes a value to LR and then uses the NOP in R12 to jump into the next gadget
step4: memcpy then BX LR //it ends in BX LR, that's why they do step2&3 to load a NOP into LR...

if you translate these gadgets into actual code you get something like this: (note: gateway fills the unused register with junk data)

memcpy(0x08F02894, 0x08F028D8, 0x00000044) =
Code: 
08F01874: 0x001946EB:
        POP {R0-R4,R7,PC}
        POP(0x08F02894)
        POP(0x08F028D8)
        POP(0x00000044)
        POP(0x001CCC64)
        POP(0x00354850)
        POP(0x00101408)
08F01890: 0x001065A8:
        POP {R4-R12,PC}
        POP(0x002104E5)
        POP(0x002CCF7C)
        POP(0x00184700)
        POP(0x00116400)
        POP(0x001B4300)
        POP(0x00113200)
        POP(0x0007B800)
        POP(0x0021E630)
        POP(0x001057C4)
08F018B8: 0x002C5AE0:
        POP {R4-R6,LR}
        BX R12
        POP(0x0010322C)
        POP(0x0022FE44)
        POP(0x00100B5C)
        POP(0x001057C4)
08F018CC: 0x0023FF9C:
        memcpy()
        BX LR
Click to expand...

That memcpy is done to copy FW specific pointers and offsets (used in stage2/3) to a known location in memory. There's a memcpy later one that's just used to confuse you.
 
  • Like
Reactions: mmn, Margen67, SLiV3R and 1 other person
yifan_lu said:
That memcpy is done to copy FW specific pointers and offsets (used in stage2/3) to a known location in memory. There's a memcpy later one that's just used to confuse you.
Click to expand...
I know but it's not really confusing if you write a rop debug output of the whole program.

There are other problems, like in stage2:
Code: 
            AddLabel("payload_start");
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy
 
            POP_R4_to_R10_PC(fw, new List<object>() {
                0x00008040, 0x00001940, 0x7333A746, 0x9177B73C, 0x5BDCF265, 0x6CA07555, 0x00000000
            }); // dummy in this rop, but gets used in a later stage!, maybe aes key?
before reversing the arm11 payload, i did think it was just some dummy data, but it gets used...

krisztian1997 said:
Falo can you pm me with your decryption program ? I tried to make my own one but its sh*t and doesn't works.
Click to expand...

C#:
Code: 
        public static byte[] Stage2Decrypt(byte[] data)
        {
            byte[] result = null;
            uint key = 0;
            uint value = 0;
 
            using (var ms = new MemoryStream(data))
            using (var ms2 = new MemoryStream())
            using (var br = new BinaryReader(ms))
            using (var bw = new BinaryWriter(ms2))
            {
                for (int i = 0; i < 0x1000; i++)
                {
                    key += 0xD5828281;
                    value = br.ReadUInt32();
                    value += key;
                    bw.Write(value);
                }
                result = ms2.ToArray();
            }
 
            return result;
        }
 
  • Like
Reactions: Margen67
Falo said:
Just knowing how it works and what all rop's are doing isn't enough to do anything, there are lots of missing memory gadgets (example: IFile_Write) to make my own ram dumps.

The main problem is, you NEED ram dumps to get any code
Click to expand...

Have you looked at NTR CFW? It's a plugin based CFW that (I think) provides a ram dumping functionality.
 
Falo said:
I know but it's not really confusing if you write a rop debug output of the whole program.

There are other problems, like in stage2:
Code: 
            AddLabel("payload_start");
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy
 
            POP_R4_to_R10_PC(fw, new List<object>() {
                0x00008040, 0x00001940, 0x7333A746, 0x9177B73C, 0x5BDCF265, 0x6CA07555, 0x00000000
            }); // dummy in this rop, but gets used in a later stage!, maybe aes key?
before reversing the arm11 payload, i did think it was just some dummy data, but it gets used...



C#:
Code: 
        public static byte[] Stage2Decrypt(byte[] data)
        {
            byte[] result = null;
            uint key = 0;
            uint value = 0;
 
            using (var ms = new MemoryStream(data))
            using (var ms2 = new MemoryStream())
            using (var br = new BinaryReader(ms))
            using (var bw = new BinaryWriter(ms2))
            {
                for (int i = 0; i < 0x1000; i++)
                {
                    key += 0xD5828281;
                    value = br.ReadUInt32();
                    value += key;
                    bw.Write(value);
                }
                result = ms2.ToArray();
            }
 
            return result;
        }
Click to expand...

Well, I was testing earlier(mentioned this in prev. posts) that when I loaded a custom launcher, the 3ds was "still running", aka it hadn't actually crashed. What we need is to be able to refresh the screen, to see if it is indeed running.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Why did the price of 3ds shoot up ?

Hacking Homebrew Project  BlazerTube - a YouTube 3DS revival using the REAL app!

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Gaming  any good rpgs on 3ds?

Hardware  2 Broken 3DSes, need help

Website for finding alternative games for 3DS

Hacking  Modding Reassurance

GodMode9 wont launch, holding START just goes to home screen