Hacking Using custom launcher.dat with Gateway Go

[Falo]

IFile_Write is 0x00168764 on 9.x

Can you make an example?
I tried it as browser rop and as launcher rop, but both are doing nothing else than crashing...
my code: (browser rop)

08B88400: 0x0010C2FC:
        POP {R0,PC}
        POP(0x001050B3)
08B88408: 0x0019CA34:
        FS_MOUNTSDMC()  //FS_MOUNTSDMC("dmc:")
        POP {R3-R5,PC}
        POP(0x33333333)
        POP(0x44444444)
        POP(0x55555555)
08B88418: 0x001946EB:
        POP {R0-R4,R7,PC}
        POP(0x08F10000)
        POP(0x08B88484)
        POP(0x00000006)
        POP(0x33333333)
        POP(0x44444444)
        POP(0x77777777)
08B88434: 0x0022FE0C:
        IFile_Open() //IFile_Open(0x08F10000, "dmc:/ramdump.bin", 6)
        POP {R4-R7,PC}
        POP(0x44444444)
        POP(0x55555555)
        POP(0x66666666)
        POP(0x77777777)
08B88448: 0x001946EB:
        POP {R0-R4,R7,PC}
        POP(0x08F10000)
        POP(0x08F10020)
        POP(0x00100000)
        POP(0x00300000)
        POP(0x44444444)
        POP(0x77777777)
08B88464: 0x00168764:
        IFile_Write() //IFile_Write(0x08F10000, 0x08F10020, 0x00100000, 0x00300000)
        POP {R4-R9,PC}
        POP(0x44444444)
        POP(0x55555555)
        POP(0x66666666)
        POP(0x77777777)
        POP(0x88888888)
        POP(0x99999999)
08B88480: 0xFFFFFFFF: ???    //Crash browser
08B88484: 0x006D0064: ???    "dmc:/ramdump.bin"
08B88488: 0x003A0063: ???
08B8848C: 0x0072002F: ???
08B88490: 0x006D0061: ???
08B88494: 0x00750064: ???
08B88498: 0x0070006D: ???
08B8849C: 0x0062002E: ???
08B884A0: 0x006E0069: ???

i tried to make the same ram dumper as this 4.x code:

# file_open(0x270000, "YS:/DUMP.BIN", 6)
r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5)
# file_write(0x270000, 0x279020, 0x100000, 0x300000)
r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9)

 

[Bug_Checker_]

If it help, in 4.x the IFile_Write is: 0x00311D90

I thought it was 0x1B3B54

 

[st4rk]

I thought it was 0x1B3B54

Well, i am not getting crazy, the address is really 0x311D90

RAM:00311D90 FS_SDMC_Write                           ; CODE XREF: sub_300C90+14Cp
RAM:00311D90
RAM:00311D90 var_30          = -0x30
RAM:00311D90 var_28          = -0x28
RAM:00311D90 arg_0           =  0
RAM:00311D90
RAM:00311D90                 STMFD           SP!, {R4-R11,LR}
RAM:00311D94                 SUB             SP, SP, #0x14
RAM:00311D98                 MOVS            R4, R3
RAM:00311D9C                 MOV             R5, R0
[code]

 

[sbJFn5r]

Here's an example of using file open and file write on 4.x through launcher.dat.
http://pastebin.com/RdiLF4PA

I used that when porting smea's regionthree to 4.x to track down some problems I was having(dlplay program is shifted back 0x4000 bytes in FCRAM on 4.x).

 

[WateredFire19]

So we can loader custom launcher.dat 's now?

 

[AquaX101]

So we can loader custom launcher.dat 's now?

Not yet.

 

[WateredFire19]

Damn.. I really want to use MT's launcher on 7.2.0 :-( without a GW or MT

 

[shutterbug2000]

So, Falo? Any progress?

 

[Astoria]

Question: if we ever manage to use a custom launcher.dat, would it work in 9.4, like regionthree?

 

[st4rk]

Question: if we ever manage to use a custom launcher.dat, would it work in 9.4, like regionthree?

The DMA flaw wasn't patched in the last NATIVE_FIRM update, so probably will work , but nothing special i think.

 

[shutterbug2000]

So, any progress lately with custom launchers?

 

[Falo]

Nope, can't get it to work, no matter what i try the browser just crashes without any file dumped to sd.

What i tried:
- use 9.x gadgets from gateway -> fail
- use 9.x gadgets from smea/sbJFn5r -> fail
- use both -> fail
- use the exact same code as sbJFn5r in his sample, just with 9.x gadgets -> fail

Whatever i'm doing wrong, i don't get it and i'm giving up on this.

 

[naxil]

Exist a program for patch any launcher.dat for gw ds hack... its called hbconv if i remember right... we need some for go exploit

 

[krisztian1997]

Nope, can't get it to work, no matter what i try the browser just crashes without any file dumped to sd.

What i tried:
- use 9.x gadgets from gateway -> fail
- use 9.x gadgets from smea/sbJFn5r -> fail
- use both -> fail
- use the exact same code as sbJFn5r in his sample, just with 9.x gadgets -> fail

Whatever i'm doing wrong, i don't get it and i'm giving up on this.

How does your ROP code look ? I set up armips to compile some code, but after I encrypt it and put in inside the launcher.dat I just crash back to browser.
Edit: and while using my own encrypter I lost my asm code, gg me.
Edit2: have you noticed that sometimes if you open the system settings after the browser crashes and then exit, the console gets blackscreen and I have to longpress the power button to power off... weird

 

[shutterbug2000]

"Progress" report: I've injected homebrew code into the 7.x-9.4 portion of the Launcher, and it still gives the same results as 4.2 3ds. On... 9.4!! So, my thought is: figure out how to refresh the screen. and see if it will output to screen. If I get the same results, I would think we "could" run the Homebrew on 9.4, if we could just figure that out... Any ideas?

Edit: Hmm.. Maybe Falo's decrypter/encrypter's "debug" txt files could help us figure out how to refresh? I would look, but I know absolutely nothing about asm, especially arm asm.

 

[shutterbug2000]

Just in case someone wants to take a look, the program talked about above is here

 

[shutterbug2000]

Would a copy of the Launcher.dat that is providing this effect be helpful to anyone?

 

[shutterbug2000]

Alright, just so everyone can see what exactly is happening, i'm going to upload a video for anyone interested.

 

[tony_2018]

"Progress" report: I've injected homebrew code into the 7.x-9.4 portion of the Launcher, and it still gives the same results as 4.2 3ds. On... 9.4!! So, my thought is: figure out how to refresh the screen. and see if it will output to screen. If I get the same results, I would think we "could" run the Homebrew on 9.4, if we could just figure that out... Any ideas?

Edit: Hmm.. Maybe Falo's decrypter/encrypter's "debug" txt files could help us figure out how to refresh? I would look, but I know absolutely nothing about asm, especially arm asm.

It seams like you're getting close. You just have to get past that buggie screen to load your menu I guess.

 

[shutterbug2000]

Falo, could you possibly supply me with a .bin of your ram dumper? I'll try to load it, and see what happens.