Advertising (This ad goes away for registered users. You can Login or Register)

Gateway 2.0b2 decoder

Underground 3DS Discussions
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Post Reply
tpu
Posts: 24
Joined: Sat Jan 22, 2011 3:05 am

Gateway 2.0b2 decoder

Post by tpu » Tue Apr 29, 2014 2:16 pm

We know that Gateway 2.0b2 has brick code inside. I made some research for this.
Gateway's code have many stage:
stage 1: ropchains run on arm11. this will trigger the arm9 exploit and run stage2.
stage 2: use arm9 kernel func to load and run stage 3 from sdmmc.
stage 3: this stage has hardware sdmmc code and tiny fatfs library. It loads stage 4.
stage 4: this is final stage. It load a patched kernel(arm9 and arm11), and do a soft reset.

With version 1.x, stage 4 is plain arm code. On version 2.x, stage4 have a tiny emulator. most of function will be run on it.
This emulator is a mips machine, but the order of opcode is remaped. I have write a tool to convert it to normal mips instruction.
There have a extra instruction: multu $rd, $rs, $rt. This cant be map to stander mips opcode space.


=====


gw20b2_final.bin will be load at 0x080a0000. the mips code start form 0xa000.
Advertising
Attachments
gw_mips.rar
(38.61 KiB) Downloaded 337 times
Last edited by SMOKE on Wed Apr 30, 2014 8:14 pm, edited 1 time in total.
Reason: Merged posts

Post Reply

Return to “Programming and Security”