Well... .global _start ?
Anyway, why not write a new ROP-Chain in the browser to load a file without obfuscation, get the file (16kb) of Launcher.dat (and remove the obfuscation), go to "0x1B90", and write new code in this? (build a .bin in ARM11 and copy in 0x1B90 + ).
Ah! A little hint: if you wanna use GSPGPU Services you will need the gspGPuHandle, and in 4.x versions this is at "0x003B643C". You can write something like:
Code:
getGspGpuHandle:
    LDR r0, =0x003B643C    @ r0 = 0x003B643C, the address given above for the handle (4.x)
    BX LR                  @ return to caller
"I am curious about something, the gw file is around 4mb but the space where the rop is a lot more limited... so how can they load the extra ~3mb ?"
It won't load the complete file; the rest of the file is the other arm9 payloads (very little) and the patched firmware.
So, about the 0x003B643C. Is that for the top, or the bottom screen? If it's the bottom... I may be onto something here *evil smile*
Also, what is the address for the top screen, if it's the bottom?