Gateway 3DS Installer Analysis

Posted: Tue Aug 13, 2013 4:20 am
by 173210
I analyzed GW_INSTALL.nds (Gateway 3DS Installer) to learn how Gateway 3DS works.

----How I analyzed GW_INSTALL.nds----
I used a modified DeSmuME and NDS Disassembler 2nd [NDSDIS2].
I executed GW_INSTALL.nds. After that, I dumped the NDS firmware and compared it with a firmware image dumped before the emulator executed GW_INSTALL.nds.
I also checked SPICNT (0x040001C0), which is used to control SPI.

----Result of the Analysis----
I found that it modified the firmware.
It set bits 8-9 of SPICNT to 1 in order to modify the firmware.
That means it tried to access the firmware.
gw_install_spicnt.png
And there are some differences between the firmware after executing GW_INSTALL.nds and the firmware before that.
I show the addresses and the firmware bytes which were modified by GW_INSTALL.nds.

0x0787A-0x07897

0x07870: E9 FF 67 49 F9 E4 47 97 30 93 F8 6D BC 5D 1D BC
0x07880: AA 26 BD 8E 8D 5F BE 32 FE 5E DC 97 FF B1 A2 DC
0x07890: 4B 76 6D 6E 3F CC DC 25 97 0F 44 C5 EE 17 BD 5C
0x1FE00-0x1FEDB

0x1FE00: B9 F2 10 00 AE 2B 27 00 ED 0D DC BA 9C F1 18 00
0x1FE10: 90 B6 10 00 00 B0 FA 00 00 02 20 00 B9 F2 10 00
0x1FE20: 00 90 27 00 01 00 00 00 E1 49 15 00 38 6F 27 00
0x1FE30: AC 82 1B 00 DC D5 18 00 40 83 27 00 00 02 10 00
0x1FE40: CC 48 00 00 60 3D 14 00 B9 F2 10 00 00 90 27 00
0x1FE50: 00 00 2B 00 F9 02 10 00 F9 02 10 00 F9 02 10 00
0x1FE60: F9 02 10 00 F9 02 10 00 F9 02 10 00 E1 49 15 00
0x1FE70: 51 00 CD C2 E1 49 15 00 20 90 27 00 8C 53 10 00
0x1FE80: 00 90 00 00 58 39 1B 00 E5 04 21 00 00 DA 19 00
0x1FE90: 00 75 01 00 86 DF 21 00 00 C1 1A 00 22 DA 1D 00
0x1FEA0: 91 FE 16 00 00 01 10 00 BC 4C 14 00 00 00 2B 00
0x1FEB0: 00 90 00 00 E1 49 15 00 AC EF 22 00 88 5C 10 00
0x1FEC0: 00 00 0E 00 90 03 25 00 C0 FA 1E 00 91 FE 16 00
0x1FED0: 8C 53 10 00 24 6B 03 00 60 3D 14 00 CD 05 0E AA
The bytes at 0x1FE00-0x1FE6F are located at 0x9EA8-0x9F17 in GW_INSTALL.nds.
The bytes at 0x1FE74-0x1FEDB are located at 0x9F1C-0x9F83 in GW_INSTALL.nds.


0x1FEFE-0x1FEFF

0x1FEF0: DF 39 77 03 28 30 CC 79 4E 43 87 E8 F6 6C A2 31
0x1FF50-0x1FF51

0x1FF50: 6E 00 A5 42 F2 AA 44 20 F5 94 EC 77 74 4B 46 1A
0x1FF70-0x1FF73

0x1FF70: 52 00 A1 B6 EE 52 4D FE 54 5C 5E 5C 5A 97 92 6A
0x1FFB4-0x1FFDB

0x1FFB0: BB 15 DE 97 B9 F2 10 00 00 FE 01 00 00 01 00 00
0x1FFC0: E1 49 15 00 00 94 27 00 FC 34 13 00 D0 8C 1E 00
0x1FFD0: 8C 53 10 00 9C 94 27 F0 60 3D 14 00 66 1D F8 A0
The bytes at 0x1FFB4-0x1FFDB are located at 0x9E7C-0x9EA3 in GW_INSTALL.nds.

0x1FFFE-0x1FFFF

0x1FFE0: A9 03 68 77 1A DA 5B E2 4F 5F 12 BE FF AC 6E 95
0x233D9-0x233F4

0x233D0: 0F C1 0E CF FF AE A3 05 5D 60 B6 85 A1 AA DF 12
0x233E0: E6 EF 5F 5A BF 94 43 93 39 1E A3 D5 17 1B EB 50
0x233F0: 0D 95 D1 9B 5E 13 73 DA A0 F1 FC 62 C0 5C 96 A2
I couldn't understand this binary. It may be used to exploit the 3DS.

I uploaded those firmware dumps.
ORIG_FIRM.BIN
GW_INSTALL_FIRM.BIN

EDIT: I got the DS firmware and tested again. I wrote up the result.

Re: Gateway 3DS Installer Analysis

Posted: Tue Aug 13, 2013 3:11 pm
by metalliphyll
Nice find pal :D

Re: Gateway 3DS Installer Analysis

Posted: Tue Aug 13, 2013 4:33 pm
by kepling5001
Nice stuff...do these still only load one game per micro stick?

Re: Gateway 3DS Installer Analysis

Posted: Wed Aug 14, 2013 5:43 am
by popsdeco
Thank you for the info.
Comparing with the Gateway Guide, it is now obvious that this uses a buffer overflow in the NDS profile parser.
0x1FE00 and 0x1FF00 are profile entries.
According to http://sourceforge.net/p/devkitpro/libn ... s/system.h tPERSONAL_DATA, 0x1FF50 is the profile message size (it must be 0x1A or less, but here it is 0x6E, intentionally).
Also, I remember 0x1FF72 is the checksum (CRC16).
The NDS message and name are written in UTF-16, so some conversion might be related to the payload.
Perhaps I'll need to run the NDS firmware on DeSmuME to dump the "converted message", since direct conversion to UTF-8 didn't seem meaningful.
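Added example (not code from this thread, from Gateway or from libnds): a small Python validator for one 0x100-byte DS user-settings block, built on the fields popsdeco points at (message length at +0x50 with a maximum of 0x1A characters, CRC16 at +0x72). The field offsets and the checksum parameters (init 0xFFFF, reflected polynomial 0xA001 over bytes 0x00-0x6F) follow GBATEK's description of the user settings and are assumptions here, as are the two copy offsets 0x1FE00/0x1FF00 taken from the thread; the sample block, the nickname and the message text are constructed. The point it makes for anyone writing a firmware-side check: the dump shows 0x1FF70-0x1FF73 rewritten together with 0x1FF50, so a block with an out-of-range length can still carry a valid checksum, and only a bounds check on the length field flags it.

```python
"""Validator for DS firmware user-settings blocks (constructed example, not thread code)."""
import struct

BLOCK_SIZE = 0x100                     # one user-settings copy; the firmware keeps two
SETTINGS_COPIES = (0x1FE00, 0x1FF00)   # the two copies named in the thread (assumed layout)
VERSION_OFFSET = 0x00
NICK_OFFSET = 0x06                     # UTF-16LE nickname, up to 10 characters
NICK_LEN_OFFSET = 0x1A
MSG_OFFSET = 0x1C                      # UTF-16LE message buffer, 26 characters = 52 bytes
MSG_LEN_OFFSET = 0x50                  # message length in characters (0x1FF50 in the dump)
MSG_MAX_CHARS = 0x1A                   # 26; the dump carries 0x6E here
UPDATE_COUNTER_OFFSET = 0x70
CRC_OFFSET = 0x72                      # CRC16 field (0x1FF72 in the dump)
CRC_COVERED = 0x70                     # checksum covers bytes 0x00..0x6F (GBATEK)
DUMP_MSG_LEN = 0x6E                    # length value seen at 0x1FF50 in the thread's dump


def crc16_nds(data: bytes, crc: int = 0xFFFF) -> int:
    """Reflected CRC-16, polynomial 0xA001, init 0xFFFF, no final XOR:
    the GetCRC16 routine GBATEK documents for the DS BIOS (assumption: the
    user-settings checksum uses the same parameters)."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            carry = crc & 1
            crc >>= 1
            if carry:
                crc ^= 0xA001
    return crc & 0xFFFF


def build_settings_block(nickname: str, message: str, update_counter: int = 1) -> bytes:
    """Construct a well-formed block; fields not needed here stay zero."""
    if len(nickname) > 10 or len(message) > MSG_MAX_CHARS:
        raise ValueError("nickname/message too long for the fixed buffers")
    blk = bytearray(BLOCK_SIZE)
    struct.pack_into("<H", blk, VERSION_OFFSET, 5)
    nick = nickname.encode("utf-16-le")
    blk[NICK_OFFSET:NICK_OFFSET + len(nick)] = nick
    struct.pack_into("<H", blk, NICK_LEN_OFFSET, len(nickname))
    msg = message.encode("utf-16-le")
    blk[MSG_OFFSET:MSG_OFFSET + len(msg)] = msg
    struct.pack_into("<H", blk, MSG_LEN_OFFSET, len(message))
    struct.pack_into("<H", blk, UPDATE_COUNTER_OFFSET, update_counter)
    struct.pack_into("<H", blk, CRC_OFFSET, crc16_nds(blk[:CRC_COVERED]))
    return bytes(blk)


def with_message_length(blk: bytes, msg_len: int) -> bytes:
    """Test vector: the same block with the length field replaced and the checksum
    recomputed, modelling the dump where 0x1FF50 and 0x1FF70-0x1FF73 were both rewritten."""
    out = bytearray(blk)
    struct.pack_into("<H", out, MSG_LEN_OFFSET, msg_len)
    struct.pack_into("<H", out, CRC_OFFSET, crc16_nds(out[:CRC_COVERED]))
    return bytes(out)


def check_settings_block(blk: bytes) -> dict:
    """Findings a firmware-side validator should act on: checksum AND bounds."""
    msg_len = struct.unpack_from("<H", blk, MSG_LEN_OFFSET)[0]
    stored_crc = struct.unpack_from("<H", blk, CRC_OFFSET)[0]
    return {
        "message_len": msg_len,
        "crc_ok": stored_crc == crc16_nds(blk[:CRC_COVERED]),
        "length_ok": msg_len <= MSG_MAX_CHARS,
        # bytes a parser that trusts the field would read past the 52-byte buffer
        "bytes_past_buffer": max(0, 2 * msg_len - 2 * MSG_MAX_CHARS),
    }


def read_message(blk: bytes, trust_length: bool = False) -> str:
    """Hardened read: clamp the length before using it as a size.
    trust_length=True shows what a naive parser would pull from the neighbouring fields."""
    n = struct.unpack_from("<H", blk, MSG_LEN_OFFSET)[0]
    if not trust_length:
        n = min(n, MSG_MAX_CHARS)
    return blk[MSG_OFFSET:MSG_OFFSET + 2 * n].decode("utf-16-le", errors="replace")


def check_firmware_dump(fw: bytes) -> dict:
    """Run the block check on both user-settings copies of a full firmware dump."""
    return {off: check_settings_block(fw[off:off + BLOCK_SIZE])
            for off in SETTINGS_COPIES if off + BLOCK_SIZE <= len(fw)}


if __name__ == "__main__":
    good = build_settings_block("Dev", "hello")
    bad = with_message_length(good, DUMP_MSG_LEN)
    for name, blk in (("good", good), ("dump-like", bad)):
        print(name, check_settings_block(blk))
```

Run against a real 256 KiB dump with check_firmware_dump(open("fw.bin", "rb").read()); the checksum result says only whether the block was rewritten consistently, while length_ok and bytes_past_buffer are what actually separate the two copies.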

Re: Gateway 3DS Installer Analysis

Posted: Wed Aug 14, 2013 11:19 pm
by 173210
popsdeco wrote: Thank you for the info.
Comparing with the Gateway Guide, it is now obvious that this uses a buffer overflow in the NDS profile parser.
0x1FE00 and 0x1FF00 are profile entries.
According to http://sourceforge.net/p/devkitpro/libn ... s/system.h tPERSONAL_DATA, 0x1FF50 is the profile message size (it must be 0x1A or less, but here it is 0x6E, intentionally).
Also, I remember 0x1FF72 is the checksum (CRC16).
The NDS message and name are written in UTF-16, so some conversion might be related to the payload.
Perhaps I'll need to run the NDS firmware on DeSmuME to dump the "converted message", since direct conversion to UTF-8 didn't seem meaningful.
Yes, we should run the NDS firmware, but I don't have a DS, so I couldn't get it.
The best way is to run the Gateway 3DS Installer and dump the firmware on a 3DS.
I'm looking for a person who has a 3DS which is not patched and a flashcart.

Re: Gateway 3DS Installer Analysis

Posted: Thu Aug 15, 2013 5:12 am
by popsdeco
Although they are not willing, since the firmware contains confidential info such as the MAC address, I'm going to ask my colleagues.

By the way, this is the pseudo-homebrewed version of the NDS firmware (extracted from my fw.bin).
If you specify an external firmware image from the emulation menu, this fw.nds works like the real firmware.
https://www.dropbox.com/s/r3xhc2vrn4vaxnz/fw.nds

Re: Gateway 3DS Installer Analysis

Posted: Tue Nov 26, 2013 1:57 pm
by Mathieulh
It's an overflow used to store a ROP chain payload on the 3DS stack, which eventually decrypts launcher.dat using bytes from the system menu as the key; then you have another, larger ROP chain in launcher.dat, used mostly for obfuscation purposes, which in the end uses the ASIC to decrypt the final payload.

The obfuscation mostly relies on the fact that you need a RAM dump in order to make sense of the ROP chains.
Then you also need to get the actual encrypted payload through the ASIC to have its decrypted counterpart.

You get the idea xD

Re: Gateway 3DS Installer Analysis

Posted: Thu Nov 28, 2013 9:25 pm
by Acid_Snake
Mathieulh wrote: It's an overflow used to store a ROP chain payload on the 3DS stack, which eventually decrypts launcher.dat using bytes from the system menu as the key; then you have another, larger ROP chain in launcher.dat, used mostly for obfuscation purposes, which in the end uses the ASIC to decrypt the final payload.

The obfuscation mostly relies on the fact that you need a RAM dump in order to make sense of the ROP chains.
Then you also need to get the actual encrypted payload through the ASIC to have its decrypted counterpart.

You get the idea xD
Basically the lack of ASLR is what f-ed them up. Has this thing been decrypted yet? I wish I had a 3DS, I'd totally get into hacking it.

Re: Gateway 3DS Installer Analysis

Posted: Thu Nov 28, 2013 11:33 pm
by Timber
I have a 3DS XL with an R4i Gold card, it's really awesome and easy to use. I'm still deciding whether to get a Gateway or a 3DS Link, not sure which is better yet.

Re: Gateway 3DS Installer Analysis

Posted: Fri Aug 28, 2015 8:56 am
by Dwtechzhope
Gateway 3DS is the first 3DS game card; it can now EmuNAND 9.9 with Ultra firmware, but it only supports 9.2~4.1, or you can buy a Sky3DS, which works on any 3DS / New 3DS handheld.