
Gateway 2.0b2 decoder


Post by tpu » Tue Apr 29, 2014 2:16 pm

We know that Gateway 2.0b2 has brick code inside. I did some research on this.
Gateway's code has many stages:
stage 1: ropchains run on arm11. This triggers the arm9 exploit and runs stage 2.
stage 2: uses an arm9 kernel function to load and run stage 3 from sdmmc.
stage 3: this stage has hardware sdmmc code and a tiny fatfs library. It loads stage 4.
stage 4: this is the final stage. It loads a patched kernel (arm9 and arm11) and does a soft reset.

With version 1.x, stage 4 is plain arm code. In version 2.x, stage 4 has a tiny emulator; most of the functions run on it.
This emulator is a mips machine, but the order of the opcodes is remapped. I have written a tool to convert it to normal mips instructions.
There is an extra instruction: multu $rd, $rs, $rt. This can't be mapped to the standard mips opcode space.


gw20b2_final.bin will be loaded at 0x080a0000. The mips code starts from 0xa000.
Last edited by SMOKE on Wed Apr 30, 2014 8:14 pm, edited 1 time in total.
Reason: Merged posts
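Added example, written for this page and not tpu's tool or anything taken from the Gateway binary: a converter of the kind the post describes, which turns words from a MIPS-like emulator with a permuted opcode field back into standard MIPS32 encodings. The remap table, the opcode slot chosen for the three-operand multu, the little-endian word order and the sample blob are all constructed placeholders (the real table would have to be recovered from the binary); only the load address 0x080a0000 and the code offset 0xa000 come from the post. It also handles the case the post calls out: a 3-operand `multu $rd, $rs, $rt` has no standard encoding, so the converter expands it into `multu rs, rt` followed by `mflo rd` (assuming the emulator's variant only needs the low 32 bits in rd), and any opcode missing from the table is reported as a raw `.word` rather than silently skipped.

```python
import struct
from typing import Dict, List, Tuple

# Constructed, hypothetical permutation for this example: remapped 6-bit opcode
# -> standard MIPS32 opcode. It is NOT the table recovered from gw20b2_final.bin.
REMAP_TO_STD: Dict[int, int] = {
    0x01: 0x00,  # SPECIAL (R-type group, selected by funct)
    0x05: 0x09,  # addiu
    0x07: 0x0D,  # ori
    0x12: 0x0F,  # lui
    0x0A: 0x23,  # lw
    0x1C: 0x2B,  # sw
    0x09: 0x04,  # beq
    0x0B: 0x05,  # bne
}
# Hypothetical slot for the emulator's 3-operand "multu $rd, $rs, $rt".
MULTU3_OPCODE = 0x3F

# Standard MIPS32 mnemonics used by the small disassembler below.
R_FUNCT = {0x08: "jr", 0x12: "mflo", 0x19: "multu", 0x20: "add", 0x21: "addu",
           0x23: "subu", 0x24: "and", 0x25: "or"}
I_NAMES = {0x04: "beq", 0x05: "bne", 0x09: "addiu", 0x0D: "ori", 0x0F: "lui",
           0x23: "lw", 0x2B: "sw"}


class UnknownOpcode(ValueError):
    """Raised for an opcode the (partial) remap table does not cover."""


def fields(word: int) -> Tuple[int, int, int, int, int, int, int]:
    """Split a 32-bit word into op, rs, rt, rd, shamt, funct, imm16."""
    return ((word >> 26) & 0x3F, (word >> 21) & 0x1F, (word >> 16) & 0x1F,
            (word >> 11) & 0x1F, (word >> 6) & 0x1F, word & 0x3F, word & 0xFFFF)


def encode_r(funct: int, rs: int, rt: int, rd: int, shamt: int = 0) -> int:
    return (rs << 21) | (rt << 16) | (rd << 11) | (shamt << 6) | funct


def encode_i(op: int, rs: int, rt: int, imm: int) -> int:
    return (op << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF)


def convert(word: int) -> List[int]:
    """Translate one remapped word into one or more standard MIPS32 words."""
    op, rs, rt, rd, shamt, funct, imm = fields(word)
    if op == MULTU3_OPCODE:
        # No single standard instruction writes rd directly: expand to
        # multu rs, rt (result in HI/LO) followed by mflo rd. Assumption:
        # the emulator's variant only needs the low 32 bits in rd.
        return [encode_r(0x19, rs, rt, 0), encode_r(0x12, 0, 0, rd)]
    if op not in REMAP_TO_STD:
        raise UnknownOpcode(f"unmapped opcode {op:#04x} in word {word:#010x}")
    std = REMAP_TO_STD[op]
    if std == 0x00:
        # R-type: the opcode field becomes SPECIAL; funct is assumed unremapped.
        return [encode_r(funct, rs, rt, rd, shamt)]
    return [encode_i(std, rs, rt, imm)]


def disasm(word: int) -> str:
    """Minimal disassembler for the standard encodings this example emits."""
    op, rs, rt, rd, _shamt, funct, imm = fields(word)
    simm = imm - 0x10000 if imm & 0x8000 else imm
    if op == 0x00:
        name = R_FUNCT.get(funct, f"special.{funct:#04x}")
        if name == "jr":
            return f"jr ${rs}"
        if name == "multu":
            return f"multu ${rs}, ${rt}"
        if name == "mflo":
            return f"mflo ${rd}"
        return f"{name} ${rd}, ${rs}, ${rt}"
    name = I_NAMES.get(op, f"op.{op:#04x}")
    if name == "lui":
        return f"lui ${rt}, {imm:#x}"
    if name in ("lw", "sw"):
        return f"{name} ${rt}, {simm}(${rs})"
    if name in ("beq", "bne"):
        return f"{name} ${rs}, ${rt}, {simm}"
    if name == "ori":
        return f"ori ${rt}, ${rs}, {imm:#x}"
    return f"{name} ${rt}, ${rs}, {simm}"


def convert_blob(blob: bytes, base: int = 0x080A0000, start: int = 0xA000) -> List[Tuple[int, str]]:
    """Walk little-endian words from `start` and return (address, standard asm) rows.
    Unknown opcodes are kept as raw .word rows so gaps in the table stay visible."""
    rows: List[Tuple[int, str]] = []
    for i in range(start, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, i)
        try:
            for std_word in convert(word):
                rows.append((base + i, disasm(std_word)))
        except UnknownOpcode as exc:
            rows.append((base + i, f".word {word:#010x}  ; {exc}"))
    return rows


# Constructed sample image: 0xa000 bytes of padding, then four remapped words
# (lui $1, 0x800 / addu $10, $8, $9 / multu3 $6, $4, $5 / an unmapped word).
SAMPLE_BLOB = bytes(0xA000) + struct.pack("<4I", 0x48010800, 0x05095021, 0xFC853000, 0x00000000)

if __name__ == "__main__":
    for addr, text in convert_blob(SAMPLE_BLOB):
        print(f"{addr:#010x}  {text}")
```

The two words produced for the 3-operand multu share one address in the listing, which is the honest way to show that the original instruction has no one-to-one standard form; anyone re-assembling the output has to account for the extra word.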
