Hacking Using custom launcher.dat with Gateway Go

Slushie3DS

Slushie3DS

Cold Beverage Lover
Member
Level 4
Joined
Jan 9, 2015
Messages
707
Trophies
0
Age
29
XP
420
Country
United States
shinyquagsire23 said:
For those wishing to develop their own custom launcher.dats (based on smea's regionthree or whatever), I made a site which lets you launch unencrypted unlaunch.dats instead. Before anyone asks:
  • No, this doens't let you launch older launcher.dats
  • No, this doesn't let you launch launcher.dats for GW on 9.4
  • No, this will not make you a pizza and materialize it from your 3DS
  • This is a development tool (or maybe a potential launch site for those who dislike Gateway and want easier launching)
That aside, you can launch your unlaunch.dats over at go.plxhack.us. It should work just fine, I just tested it with an unencrypted version of smea's regionthree and it worked perfectly with Cubic Ninja on 4.2.

EDIT:
  • No, this doesn't let you launch CFW launcher.dats, those are old launcher.dats. Use your brain.
  • No, this doesn't let you launch homebrew, although it technically could in the future if someone did it, idk
Also, if anyone wants to try regionthree through this, download the unlaunch.dat from here.
Click to expand...
You may have just cut my work in half. Thank you, SQ23.
 
Slushie3DS

Slushie3DS

Cold Beverage Lover
Member
Level 4
Joined
Jan 9, 2015
Messages
707
Trophies
0
Age
29
XP
420
Country
United States
st4rk said:
AFAIK there is no much space to do it, i dunno what is the size of .text of RO, but probably is not big and the .text of browser if i am not mistaken ² it's not in the GSP/LINEAR heap :/ (and you can't mapper other regions with RWX permission without other flaw).
Click to expand...
Smea has confirmed that spider .text is out of range, but there is a way to get ahold of code execution. It's through stage three and four of his exploit from his write-up. Basically, spider hack » RO hack » complete code execution.
 
shutterbug2000

shutterbug2000

Cubic NINJHAX!
Member
Level 14
Joined
Oct 11, 2014
Messages
1,088
Trophies
0
Age
29
XP
4,878
Country
United States
krisztian1997 said:
I looked at the video, its interesting because and I cant replicate the same thing on my 3ds, after the ROP (even if I use the gw ROP) it crashes back to home menu. Falo was working on the ram dumping now me, I was trying to write some text to a file but it didn't worked and accidentally deleted my code, and now I am too lazy to try to rewrite it.


Yup, and launching ninjahax like homebrews.
Click to expand...

Well, here's what I'm doing.

1. Extracting from 1A000-1BB8F(maybe inaccurate, not entirely sure right now, also only for 7.x to 9.4) in the GW launcher.

2. Combining a bin file with the data above, and a payload.bin from a Homebrew into another bin file, using a hex editor and placing the data above on top, and the payload.bin on the bottom(the bytes of the two :ha:)

3. Going to 1A000 in the GW launcher, and pasting WITH OVERWRITE(important, without this it will just crash back to home menu!), then copying this new Launcher.dat to the sd card, and loading go.gateway.com .

Does anyone see any faults in this process?
 
Slushie3DS

Slushie3DS

Cold Beverage Lover
Member
Level 4
Joined
Jan 9, 2015
Messages
707
Trophies
0
Age
29
XP
420
Country
United States
Also, it should be very well noted that hijacking Download Play via spider/SKATER is possible, as Smea did this in his Regionthree release.
 
T

tony_2018

Well-Known Member
Member
Level 7
Joined
Jan 3, 2014
Messages
3,107
Trophies
0
XP
1,012
Country
United States
Slushie3DS said:
Spider/SKATER has limited RAM privileges, friend. It'd be better to grab onto an application like Mii Plaza or Download Play from the browser applet. Smea was actually the one to tell me this.

My theory is to stuff a .CIA inside of Download Play's cache as it should stay there until reintroduced with another .CIA. This, sadly, has a few guards to bypass. I've been working on this, too.
Click to expand...


wtf...........
 
krisztian1997

krisztian1997

Well-Known Member
Member
Level 3
Joined
Dec 14, 2013
Messages
370
Trophies
0
Age
27
XP
300
Country
Romania
shutterbug2000 said:
Well, here's what I'm doing.

1. Extracting from 1A000-1BB8F(maybe inaccurate, not entirely sure right now, also only for 7.x to 9.4) in the GW launcher.

2. Combining a bin file with the data above, and a payload.bin from a Homebrew into another bin file, using a hex editor and placing the data above on top, and the payload.bin on the bottom(the bytes of the two :ha:)

3. Going to 1A000 in the GW launcher, and pasting WITH OVERWRITE(important, without this it will just crash back to home menu!), then copying this new Launcher.dat to the sd card, and loading go.gateway.com .

Does anyone see any faults in this process?
Click to expand...

I am not an expert in asm, but asm code has no main function/entrypoint ? and I am not sure if the ROP code directly launches whats after the 1BB8F, I think that you can do it like that... but like I said I don't know a lot about asm.
 
Slushie3DS

Slushie3DS

Cold Beverage Lover
Member
Level 4
Joined
Jan 9, 2015
Messages
707
Trophies
0
Age
29
XP
420
Country
United States
tony_2018 said:
wtf...........
Click to expand...

I had assumed, from your post, that you were intending to use the browser in some way, and I was just warning you that spider/SKATER (The browser applet) is very limited. This all, of course, is only implied if you meant to use the browser as a 'base.'
 
krisztian1997

krisztian1997

Well-Known Member
Member
Level 3
Joined
Dec 14, 2013
Messages
370
Trophies
0
Age
27
XP
300
Country
Romania
Slushie3DS said:
I had assumed, from your post, that you were intending to use the browser in some way, and I was just warning you that spider/SKATER (The browser applet) is very limited. This all, of course, is only implied if you meant to use the browser as a 'base.'
Click to expand...

I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?
 
st4rk

st4rk

nah
Member
Level 6
Joined
Feb 11, 2014
Messages
542
Trophies
0
Website
st4rk.net
XP
815
Country
Brazil
krisztian1997 said:
I am not an expert in asm, but asm code has no main function/entrypoint ? and I am not sure if the ROP code directly launches whats after the 1BB8F, I think that you can do it like that... but like I said I don't know a lot about asm.
Click to expand...


Well... .global _start ?

Anyway, why no write a new ROP-Chain in browser to load a file without obfuscation, get the File(16kb) of Launcher.dat(and remove the obfuscation), go to "0x1B90", and write a new code in this ? (build a .bin in ARM11 and copy in 0x1B90 + ).

Ah! a little hint, if you wanna use GSPGPU Services you will need the gspGPuHandle, and this in 4.x version's is on "0x003B643C", you can write something like:

Code: 
getGspGpuHandle:
LDR r0, =0x003B643C
BX LR

:P

"I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?"

It won't load complete file, the rest of file is the other arm9 payloads(very little) and the firmware patched.
 
krisztian1997

krisztian1997

Well-Known Member
Member
Level 3
Joined
Dec 14, 2013
Messages
370
Trophies
0
Age
27
XP
300
Country
Romania
st4rk said:
Well... .global _start ?

Anyway, why no write a new ROP-Chain in browser to load a file without obfuscation, get the File(16kb) of Launcher.dat(and remove the obfuscation), go to "0x1B90", and write a new code in this ? (build a .bin in ARM11 and copy in 0x1B90 + ).

Ah! a little hint, if you wanna use GSPGPU Services you will need the gspGPuHandle, and this in 4.x version's is on "0x003B643C", you can write something like:

Code: 
getGspGpuHandle:
LDR r0, =0x003B643C
BX LR
Click to expand...

I already have the custom ropchain with no obsfucation (shiny posted his version some pages ago) and the 16kb payload from the launcher.dat also decoded, but I don't know a lot of asm so I have no idea what to really do.
 
st4rk

st4rk

nah
Member
Level 6
Joined
Feb 11, 2014
Messages
542
Trophies
0
Website
st4rk.net
XP
815
Country
Brazil
krisztian1997 said:
I already have the custom ropchain with no obsfucation (shiny posted his version some pages ago) and the 16kb payload from the launcher.dat also decoded, but I don't know a lot of asm so I have no idea what to really do.[/quote

not need assembly to all, you can build the file using C.
Click to expand...
 
Slushie3DS

Slushie3DS

Cold Beverage Lover
Member
Level 4
Joined
Jan 9, 2015
Messages
707
Trophies
0
Age
29
XP
420
Country
United States
krisztian1997 said:
I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?
Click to expand...

That is a very good question, but I can not give you an answer, sadly. The Gateway team has split their stage one code in two to hide some of it, so knowledge of how it fully works is limited. I've been talking to Smea sparingly, but he's a bit distant, so gaining new knowledge from him is like a full time job.
 
  • Like
Reactions: mmn
6jarjar6

6jarjar6

Member
Newcomer
Level 1
Joined
Aug 5, 2013
Messages
6
Trophies
0
Website
dusk.co.nf
XP
95
Country
United States
shinyquagsire23 said:
For those wishing to develop their own custom launcher.dats (based on smea's regionthree or whatever), I made a site which lets you launch unencrypted unlaunch.dats instead. Before anyone asks:
  • No, this doens't let you launch older launcher.dats
  • No, this doesn't let you launch launcher.dats for GW on 9.4
  • No, this will not make you a pizza and materialize it from your 3DS
  • This is a development tool (or maybe a potential launch site for those who dislike Gateway and want easier launching)
That aside, you can launch your unlaunch.dats over at go.plxhack.us. It should work just fine, I just tested it with an unencrypted version of smea's regionthree and it worked perfectly with Cubic Ninja on 4.2.


EDIT:
  • No, this doesn't let you launch CFW launcher.dats, those are old launcher.dats. Use your brain.
  • No, this doesn't let you launch homebrew, although it technically could in the future if someone did it, idk
Also, if anyone wants to try regionthree through this, download the unlaunch.dat from here.
Click to expand...
Could I have the source?
 
Roxas75

Roxas75

Well-Known Member
Member
Level 8
Joined
Oct 9, 2010
Messages
516
Trophies
0
XP
1,522
Country
Italy
Btw, i looked at it really fast in these two days, they have really much stages in this exploit.
I focused on arm9 becouse it does all the fancy things, but the exploit itself isn't protected in any way. I mean, to exexute simple arm9 code you just have to overwrite their payload. The hash checks are done in later stages.
 
shinyquagsire23

shinyquagsire23

SALT/Sm4sh Leak Guy
Member
Level 13
Joined
Nov 18, 2012
Messages
1,977
Trophies
2
Age
26
Location
Las Vegas
XP
3,765
Country
United States
Slushie3DS said:
Can you confirm if this does work with games from our region? I just tried it with one, and it did not seem to work. I don't have any games from different regions, but it'd be nice to see it in action.
Click to expand...

Don't have any out of region games unfortunately. I just pushed a few fixes though which caused it to crash earlier, so maybe redownload the unlaunch.dat?

6jarjar6 said:
4 Questions
1. Does it say Moo cause I am on my PC? nvm I just cheched the php file
2. What's inside the gateway.dg file?
3. Could we use that for something other than a downgrade?
4. How about editing the file and putting in CFW or devmenu?
Click to expand...
  1. Moo.
  2. I don't know, never checked, probably never will
  3. I don't know, never checked, probably never will
  4. I don't know, never tried, never will.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Homebrew  A new way to experience StreetPass

Hacking Hardware  New Nintendo 3DS XL Louvre

Emulation  i have citra, i have my aes keys installed, how do i get the home menu

Hardware  Why does my 3DS take so long to turn off?

What's the best 3DS emulator (especially after Citra's shutdown)?

Tutorial  How to fix 007-2001

can't download system files on citra because im "not connected to the internet"

gacube emeleter

General chit-chat
Help Users
    a_username_that_isnt_cool @ a_username_that_isnt_cool: Good morning!