plutooo and lightenup were the first who managed it. They did it completely without any doc about the NVRAM ROP. They said "we figured it out by staring at the NVRAM payload." To be honest, we had a doc about all gadgets. The only problem left was to find a way to dump memory to reverse the Launcher.dat ROP (the doc only described what the NVRAM ROP gadgets do).