Using custom launcher.dat with Gateway Go

Discussion in '3DS - Flashcards & Custom Firmwares' started by AtlanticBit, Jan 16, 2015.

  1. xdarkmario

    xdarkmario Philosopher

    Dec 30, 2010
    United States
    Mushroom Kingdom
    I wish I could have bought the Gateway red card alone for cheaper. I have a DSTWO and it is going to be sitting in the box while I load it with my DSTWO.
     
  2. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Oct 11, 2014
    United States
    Any progress with this? For me, the exploit seems to be crashing very... interestingly. When I load a normal exploit (the "official" Gateway one) on my 9.4 3DS, it crashes completely, meaning I have to hold the power button for at least 10-20 seconds. Not the case here. On my 4.2 (downgraded) 3DS, it crashes the same way, but it doesn't require that long of a button press. And, what would seem to mean it's still running, the wireless LED is still flashing. Not often, but it is. Could this mean the system didn't actually crash???
     
  3. gudenau

    gudenau Largely ignored

    Jul 7, 2010
    United States
    /dev/random
    TL;DR
    The browser exploit blindly loads the bin; the Launcher.dat is what has the hashing stuff.
     
  4. nop90

    nop90 GBAtemp Advanced Maniac

    Jan 11, 2014
    Italy
    Rome
    I don't understand one thing.

    If someone wants to use the web exploit to load custom code and really knows how it works, why should they use the GW way, full of obfuscation, instead of writing a simpler ROP that only loads a clear bin file?

    You have all the ROP gadgets ready; you only have to remove the loading offset and the crappy decoding cycle from the ROP.

    Working with unencrypted files will make debugging easier (if something like a three-step exploit can be easy :lol: ).
     
  5. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Oct 11, 2014
    United States
    I think I'm onto something here. Like I said earlier, the 3DS doesn't "crash": the wireless LED still blinks, I can turn off wireless, etc. (look at my prev. post). But the screen just stays like that (messed-up bottom screen, top screen stays as the browser). I've tried a couple of different homebrews; they all seem to do the same thing. But what has made me write this post is that when there is "improperly compiled" code (because I'm bad at using a compiler), the 3DS kicks me back to the Home Menu. So, the code IS executing. I just need a way to "refresh" the screens and allow it to output to the display.
     
  6. MRJPGames

    MRJPGames Pretty great guy

    Aug 17, 2013
    Netherlands
    The Netherlands
    That could very well be true indeed; if we have a disassembled Gateway bin we can look at how they refresh the screen.
     
  7. Sizednochi

    Sizednochi GBAtemp Advanced Fan

    Dec 16, 2012
    Brazil
  8. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Oct 11, 2014
    United States
  9. WateredFire19

    WateredFire19 Banned

    Aug 23, 2014
    United States
    Can't wait to load the 3DSPong Launcher.dat with the Go exploit >:D
     
  10. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Oct 11, 2014
    United States
    Has anyone looked at the pastebin? I really don't know much assembly.
     
  11. Falo

    Falo GBAtemp Fan

    Jul 22, 2012
    Germany
    I'm already doing that and I have a program ready to do that; I also released it here on GBAtemp with full source, just nobody noticed it...
    The problem is, it doesn't work ^^
    Just knowing how it works and what all the ROPs are doing isn't enough to do anything; there are lots of missing memory gadgets (example: IFile_Write) to make my own RAM dumps.

    The main problem is, you NEED RAM dumps to get any code working...

    About the obfuscation:
    If you know all the ROP gadgets, then you will see that most of it is not even obfuscated, just painfully long to read.

    Example: (only FW 7.1-9.X)

    this gadget: 0x0023FF9C
    translates to:
    Code:
    memcpy(R0, R1, R2)
    BX LR
    But what is Gateway actually doing to call this gadget?

    step 1: POP R0-R4, R7, PC // <- this loads the R0-R2 values for memcpy
    step 2: POP R4-R12, PC // <- this writes a NOP to R12
    step 3: POP R4-R6, LR then BX R12 // <- this writes a value to LR and then uses the NOP in R12 to jump into the next gadget
    step 4: memcpy then BX LR // it ends in BX LR, that's why they do steps 2 & 3 to load a NOP into LR...

    If you translate these gadgets into actual code you get something like this: (note: Gateway fills the unused registers with junk data)

    memcpy(0x08F02894, 0x08F028D8, 0x00000044) =
    Code:
    08F01874: 0x001946EB:
            POP {R0-R4,R7,PC}
            POP(0x08F02894)
            POP(0x08F028D8)
            POP(0x00000044)
            POP(0x001CCC64)
            POP(0x00354850)
            POP(0x00101408)
    08F01890: 0x001065A8:
            POP {R4-R12,PC}
            POP(0x002104E5)
            POP(0x002CCF7C)
            POP(0x00184700)
            POP(0x00116400)
            POP(0x001B4300)
            POP(0x00113200)
            POP(0x0007B800)
            POP(0x0021E630)
            POP(0x001057C4)
    08F018B8: 0x002C5AE0:
            POP {R4-R6,LR}
            BX R12
            POP(0x0010322C)
            POP(0x0022FE44)
            POP(0x00100B5C)
            POP(0x001057C4)
    08F018CC: 0x0023FF9C:
            memcpy()
            BX LR
     
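A worked model of the four-gadget memcpy call laid out in the post above. This is an added example written for this page, not code from the thread, from Falo's tool or from Gateway: it lays out the same stack (each gadget address followed by the values that gadget pops) and then runs it through a tiny ROP interpreter that knows only the five gadgets involved, so you can watch why steps 2 and 3 exist. Gadget addresses and the stack/data addresses are the 7.1-9.x values quoted in the listing; treating 0x001057C4 as a plain POP {PC} return gadget (the "NOP" Falo refers to) is an assumption, as are the simulated RAM window, the junk filler value and the CHAIN_END sentinel. Passing setup_lr == 0 drops steps 2 and 3 and shows the chain losing control right after memcpy's BX LR.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gadget addresses as quoted in the post for FW 7.1-9.x. */
#define G_POP_R0R4R7_PC     0x001946EBu   /* POP {R0-R4,R7,PC}       */
#define G_POP_R4R12_PC      0x001065A8u   /* POP {R4-R12,PC}         */
#define G_POP_R4R6_LR_BXR12 0x002C5AE0u   /* POP {R4-R6,LR}; BX R12  */
#define G_MEMCPY_BXLR       0x0023FF9Cu   /* memcpy(R0,R1,R2); BX LR */
#define G_POP_PC            0x001057C4u   /* assumption: a plain POP {PC}, Falo's "NOP" */
/* Stack/data addresses from the listing; the RAM window, sentinel and filler are assumptions. */
#define CHAIN_AT  0x08F01874u
#define DST       0x08F02894u
#define SRC       0x08F028D8u
#define LEN       0x44u
#define RAM_BASE  0x08F00000u
#define RAM_SIZE  0x4000u
#define CHAIN_END 0xFFFFFFFFu             /* popped into PC when the chain is done */
#define JUNK      0x00000000u             /* filler for registers nothing reads */

typedef struct { uint32_t r[13], lr, pc, sp; uint8_t ram[RAM_SIZE]; int memcpy_calls; } cpu_t;
static cpu_t g_cpu;

static int in_ram(uint32_t a, uint32_t n) { return a >= RAM_BASE && n <= RAM_SIZE && a - RAM_BASE <= RAM_SIZE - n; }
static uint32_t ld32(const cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, c->ram + (a - RAM_BASE), 4); return v; }
static uint32_t pop(cpu_t *c) { uint32_t v = in_ram(c->sp, 4) ? ld32(c, c->sp) : 0; c->sp += 4; return v; }
static uint32_t slot(cpu_t *c, uint32_t at, uint32_t v) { memcpy(c->ram + (at - RAM_BASE), &v, 4); return at + 4; }

/* Lay out Gateway's 4-step memcpy(dst, src, len). With setup_lr == 0, steps 2 and 3 are
 * omitted, so memcpy's closing BX LR returns to whatever LR happened to hold. */
static uint32_t emit_memcpy(cpu_t *c, uint32_t at, uint32_t dst, uint32_t src, uint32_t len, int setup_lr)
{
    int i;
    at = slot(c, at, G_POP_R0R4R7_PC);                  /* step 1: R0=dst R1=src R2=len, R3/R4/R7 junk */
    at = slot(c, at, dst); at = slot(c, at, src); at = slot(c, at, len);
    for (i = 0; i < 3; i++) at = slot(c, at, JUNK);
    if (setup_lr) {
        at = slot(c, at, G_POP_R4R12_PC);               /* step 2: R4-R11 junk, R12 = POP {PC} */
        for (i = 0; i < 8; i++) at = slot(c, at, JUNK);
        at = slot(c, at, G_POP_PC);
        at = slot(c, at, G_POP_R4R6_LR_BXR12);          /* step 3: R4-R6 junk, LR = POP {PC}, then BX R12 */
        for (i = 0; i < 3; i++) at = slot(c, at, JUNK);
        at = slot(c, at, G_POP_PC);
    }
    return slot(c, at, G_MEMCPY_BXLR);                  /* step 4: memcpy, then BX LR */
}

/* Interpret the chain. Returns 0 when PC reaches CHAIN_END, -1 when control is lost. */
static int run_chain(cpu_t *c, uint32_t sp)
{
    int i, steps;
    c->sp = sp; c->pc = pop(c);
    for (steps = 0; steps < 64; steps++) {
        switch (c->pc) {
        case G_POP_R0R4R7_PC:
            c->r[0] = pop(c); c->r[1] = pop(c); c->r[2] = pop(c);
            c->r[3] = pop(c); c->r[4] = pop(c); c->r[7] = pop(c); c->pc = pop(c); break;
        case G_POP_R4R12_PC:
            for (i = 4; i <= 12; i++) c->r[i] = pop(c);
            c->pc = pop(c); break;
        case G_POP_R4R6_LR_BXR12:
            c->r[4] = pop(c); c->r[5] = pop(c); c->r[6] = pop(c); c->lr = pop(c);
            c->pc = c->r[12]; break;                    /* BX R12 */
        case G_POP_PC:
            c->pc = pop(c); break;
        case G_MEMCPY_BXLR:
            if (!in_ram(c->r[0], c->r[2]) || !in_ram(c->r[1], c->r[2])) return -1;
            memmove(c->ram + (c->r[0] - RAM_BASE), c->ram + (c->r[1] - RAM_BASE), c->r[2]);
            c->memcpy_calls++; c->pc = c->lr; break;    /* BX LR */
        case CHAIN_END:
            return 0;
        default:
            return -1;                                  /* PC is not a gadget: real hardware would crash here */
        }
    }
    return -1;
}

/* Build the exact memcpy(0x08F02894, 0x08F028D8, 0x44) from the listing over constructed
 * source bytes, run it, and return run_chain's result. */
static int demo(int setup_lr)
{
    cpu_t *c = &g_cpu;
    uint32_t i, end;
    memset(c, 0, sizeof *c);
    for (i = 0; i < LEN; i++) c->ram[SRC - RAM_BASE + i] = (uint8_t)(0xA0 + i);   /* constructed payload */
    end = emit_memcpy(c, CHAIN_AT, DST, SRC, LEN, setup_lr);
    slot(c, end, CHAIN_END);
    return run_chain(c, CHAIN_AT);
}

/* 1 if the 0x44 bytes at DST now equal the bytes at SRC. */
static int copied_ok(void) { return memcmp(g_cpu.ram + (DST - RAM_BASE), g_cpu.ram + (SRC - RAM_BASE), LEN) == 0; }

int main(void)
{
    int rc = demo(1);
    printf("full chain:  rc=%d memcpy_calls=%d copied=%d\n", rc, g_cpu.memcpy_calls, copied_ok());
    rc = demo(0);
    printf("no LR setup: rc=%d memcpy_calls=%d (memcpy ran, then BX LR went to LR=0)\n", rc, g_cpu.memcpy_calls);
    return 0;
}
```

Both variants perform the copy; the difference is what happens afterwards. With steps 2 and 3 in place, memcpy's BX LR lands on the POP {PC} gadget, which pulls the next chain entry off the stack, so the chain keeps going. Without them LR is whatever the earlier code left there, and the interpreter reports lost control at the first non-gadget PC, which is the same place a real console would crash or hang.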
  12. yifan_lu

    yifan_lu @yifanlu

    Apr 28, 2007
    United States
    IFile_Write is 0x00168764 on 9.x
     
  13. krisztian1997

    krisztian1997 GBAtemp Fan

    Dec 14, 2013
    Romania
    Falo, can you PM me your decryption program? I tried to make my own one but it's sh*t and doesn't work.
     
  14. st4rk

    st4rk nah

    Feb 11, 2014
    Brazil
    If it helps, in 4.x IFile_Write is: 0x00311D90
     
  15. yifan_lu

    yifan_lu @yifanlu

    Apr 28, 2007
    United States
    That memcpy is done to copy FW-specific pointers and offsets (used in stage2/3) to a known location in memory. There's a memcpy later on that's just used to confuse you.
     
  16. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Oct 11, 2014
    United States
    It's on the other thread that was linked before (I've downloaded it).
     
  17. krisztian1997

    krisztian1997 GBAtemp Fan

    Dec 14, 2013
    Romania
    Ah, found it, thanks.
     
  18. Falo

    Falo GBAtemp Fan

    Jul 22, 2012
    Germany
    I know, but it's not really confusing if you write a ROP debug output of the whole program.

    There are other problems, like in stage2:
    Code:
                AddLabel("payload_start");
                POP_PC(fw); // dummy
                POP_PC(fw); // dummy
                POP_PC(fw); // dummy
     
                POP_R4_to_R10_PC(fw, new List<object>() {
                    0x00008040, 0x00001940, 0x7333A746, 0x9177B73C, 0x5BDCF265, 0x6CA07555, 0x00000000
                }); // dummy in this ROP, but gets used in a later stage! Maybe an AES key?
    
    Before reversing the ARM11 payload, I thought it was just some dummy data, but it gets used...

    C#:
    Code:
            using System.IO;

            public static class Stage2
            {
                // Undo the stage2 obfuscation: a running 32-bit key (0xD5828281 added per word)
                // is added to each of the 0x1000 little-endian words; the uint arithmetic wraps.
                public static byte[] Stage2Decrypt(byte[] data)
                {
                    byte[] result = null;
                    uint key = 0;
                    uint value = 0;
     
                    using (var ms = new MemoryStream(data))
                    using (var ms2 = new MemoryStream())
                    using (var br = new BinaryReader(ms))
                    using (var bw = new BinaryWriter(ms2))
                    {
                        for (int i = 0; i < 0x1000; i++)
                        {
                            key += 0xD5828281;
                            value = br.ReadUInt32();
                            value += key;
                            bw.Write(value);
                        }
                        result = ms2.ToArray();
                    }
     
                    return result;
                }
            }
    
     
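The same stage2 transform as in the C# posted above, rewritten in C as an added example (not code from the thread, from Falo's tool or from Gateway). It factors the running key out into a closed form, adds the inverse direction that anyone building their own stage2 needs, and reads and writes words as explicit little-endian so it matches BinaryReader/BinaryWriter on any host. The word count 0x1000 and the constant 0xD5828281 come from the posted code; the buffer it round-trips is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STAGE2_WORDS    0x1000u        /* the C# loop processes 0x1000 32-bit words */
#define STAGE2_KEY_STEP 0xD5828281u    /* constant added to the running key per word */

/* Explicit little-endian access so results match BinaryReader/BinaryWriter on any host. */
static uint32_t ld_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void st_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Key for word i: (i+1) * 0xD5828281 mod 2^32, the running sum the C# code accumulates. */
static uint32_t stage2_key(size_t i) { return (uint32_t)(i + 1) * STAGE2_KEY_STEP; }

/* Decrypt in place: word[i] += key_i with wrapping, exactly what Stage2Decrypt does. */
static void stage2_decrypt(uint8_t *buf, size_t words)
{
    for (size_t i = 0; i < words; i++) st_le32(buf + 4 * i, ld_le32(buf + 4 * i) + stage2_key(i));
}

/* The inverse, needed to produce a stage2 of your own: word[i] -= key_i. */
static void stage2_encrypt(uint8_t *buf, size_t words)
{
    for (size_t i = 0; i < words; i++) st_le32(buf + 4 * i, ld_le32(buf + 4 * i) - stage2_key(i));
}

/* Round-trip a constructed 0x1000-word buffer through encrypt then decrypt; 1 on success. */
static int stage2_roundtrip_ok(void)
{
    static uint8_t plain[STAGE2_WORDS * 4], work[STAGE2_WORDS * 4];
    for (size_t i = 0; i < sizeof plain; i++) plain[i] = (uint8_t)(i * 7 + 3);   /* constructed payload */
    memcpy(work, plain, sizeof plain);
    stage2_encrypt(work, STAGE2_WORDS);
    if (memcmp(work, plain, sizeof plain) == 0) return 0;      /* encryption must change the data */
    stage2_decrypt(work, STAGE2_WORDS);
    return memcmp(work, plain, sizeof plain) == 0;
}

int main(void)
{
    printf("key[0]=0x%08X key[1]=0x%08X roundtrip=%d\n",
           stage2_key(0), stage2_key(1), stage2_roundtrip_ok());
    return 0;
}
```

Because the transform is a per-word additive keystream with no dependence on the data, encrypt and decrypt differ only in the sign; there is no integrity check in this layer, which is why the hashing gudenau mentions has to live elsewhere in Launcher.dat.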
  19. Zidapi

    Zidapi GBAtemp Psycho!

    Dec 1, 2002
    Have you looked at NTR CFW? It's a plugin-based CFW that (I think) provides RAM dumping functionality.
     
  20. shutterbug2000

    shutterbug2000 Cubic NINJHAX!

    Oct 11, 2014
    United States
    Well, I was testing earlier (mentioned this in prev. posts) that when I loaded a custom launcher, the 3DS was "still running", aka it hadn't actually crashed. What we need is to be able to refresh the screen, to see if it is indeed running.
     