Homebrew Homebrew Development

lambstone

No. Nyet. 不. Non. Nein.
Banned
Joined
Aug 14, 2011
Messages
614
Trophies
0
XP
310
Country
Well... did you know how to program from your birth?
It's never too late for learning! ;)
You can't be a doctor if you just tell yourself that you know nothing and never start....

That's the spirit! Though you've missed my point. This is no walk in the park, what you're proposing.

profi200

Banned!
Banned
Joined
Sep 3, 2011
Messages
330
Trophies
0
XP
282
Country
Gambia, The
I don't provide any service anymore.


I can't/don't want to provide tools for running unsigned code, but I can test homebrew apps. If anyone wants to start now to make homebrew apps, everything is there (ctrulib is not complete but already good enough to make some basic homebrew games, as shown by smealum. And someone will release/leak a CFW anyway sometime, so don't think running apps will never be possible. Wait for smealum.). So, if someone makes a homebrew app, I test it with my CFW and if needed I will make pics. If you include a banner and icon I will make a CIA file for you which you can release (I don't share CIAs built with the icon/banner I have, because they are not mine. They are from the SDK. And to be honest, they are boring and ugly.). But don't ask me to test the apps for every little fix. Try to make it as stable as possible and fix as many bugs as possible before you ask again. And of course, I can't handle 1000 requests per day.


What I need to make a CIA:

- The compiled ELF file
- A banner (if you want a CIA file)
- An icon (if you want a CIA file)
- A list of services you use (APT:U is one, for example)


Maybe I'll upload a linker script later which works for building apps. If not, you need a linker script with the base address 0x00100000 and the sections ".text", ".data" and ".rodata". And maybe I'll upload the example .rsf file later. Then you can specify the accessible services list yourself. The tool to make CIAs is not ready yet, but when it is, it will be released. I'm btw not the creator of the tool, but I don't name the creator here, because he doesn't want to be spammed with PMs.


Links:

http://3dbrew.org/wiki/CIA
http://3dbrew.org/wiki/SMDH
http://3dbrew.org/wiki/CBMD (There is no page with the entire banner format, but banners use CBMD/CGFX)
http://3dbrew.org/wiki/CiTRUS (Can make banner and icon files)
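As an added illustration of the linker-script requirement stated in the post above (base address 0x00100000 and separate ".text", ".data" and ".rodata" sections), here is a minimal GNU ld script. It is a hypothetical example written for this page, not profi200's script and not taken from ctrulib or devkitARM. The entry symbol `_start`, the memory region name `ram`, the region size and the 0x1000 page alignment of each segment are assumptions; the post gives only the base address and the three section names.

```ld
/* Hypothetical minimal linker script for a 3DS homebrew ELF (added example,
   not from the original post). Assumes the binary is loaded at the base
   address 0x00100000 named in the post and that crt0 exports _start. */
ENTRY(_start)

MEMORY
{
    /* LENGTH is a placeholder; the post does not state the available size. */
    ram (rwx) : ORIGIN = 0x00100000, LENGTH = 0x00300000
}

SECTIONS
{
    /* Code segment. Page alignment (0x1000) is an assumption so that the
       code, read-only data and data segments start on separate pages. */
    .text : ALIGN(0x1000)
    {
        *(.init)
        *(.text .text.*)
    } > ram

    /* Read-only data: string literals, const tables, etc. */
    .rodata : ALIGN(0x1000)
    {
        *(.rodata .rodata.*)
    } > ram

    /* Initialised writable data. */
    .data : ALIGN(0x1000)
    {
        *(.data .data.*)
    } > ram

    /* Zero-initialised data; not listed in the post but needed by any
       C program. The symbols let crt0 clear the range at start-up. */
    .bss : ALIGN(8)
    {
        __bss_start = .;
        *(.bss .bss.*)
        *(COMMON)
        __bss_end = .;
    } > ram
}
```

Pass it to the linker with `-T` (for example `arm-none-eabi-gcc -T 3ds.ld ...`) and check the result with `arm-none-eabi-readelf -S` to confirm that `.text` starts at 0x00100000 and that each of the three named sections has its own page-aligned address before handing the ELF to whoever builds the CIA.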
 

nop90

Well-Known Member
Member
Joined
Jan 11, 2014
Messages
1,556
Trophies
0
Location
Rome
XP
3,136
Country
Italy
A question for the techies.

Instead of manipulating the content of the stack loaded with launcher.dat, I'm trying to call some of our ROP gadgets (opening and loading a file) from C at run time, and this theoretically shouldn't be difficult, leaving the compiler to manage the stack and registers with something like this:

Code:
/* Function pointer whose type matches the gadget's expected arguments. */
static void (*MyGadget)(unsigned long par1, char *par2, unsigned long par3);

int main(void) {
    char *par2 = "...";
    unsigned long par1 = ...;
    unsigned long par3 = ...;

    /* Cast the gadget address to the function-pointer type and call it
       like an ordinary C function. */
    MyGadget = (void (*)(unsigned long, char *, unsigned long)) 0xCA6EFA11;
    MyGadget(par1, par2, par3);

    return 0;
}

This is not working for me, but I don't have the time and knowledge to load the memory dumps into IDA and trace the function call.

Am I totally wrong, or is there some small thing I'm missing?

From what I can understand of ROP.py, the function call should set the same registers the Call macro does with the pop_r gadgets, and the called memory position shouldn't have Thumb instructions.

Perhaps I have to STM the full set of registers before calling the gadget and LDM them at the end? Or does the compiler use a different stack mode? (I just learned ARM can use all four possible ones.)

Any help will be appreciated. Thanks.

NOP90
 

Cyan

GBATemp's lurking knight
Former Staff
Joined
Oct 27, 2002
Messages
23,749
Trophies
4
Age
46
Location
Engine room, learning
XP
15,662
Country
France
Probably what you want:

Decrypt:
openssl enc -aes-128-cbc -d -K 580006192800C5F0FBFB04E06A682088 -iv 00000000000000000000000000000000 -in gateway.dat -out stage2.bin

Encrypt:
openssl enc -aes-128-cbc -K 580006192800C5F0FBFB04E06A682088 -iv 00000000000000000000000000000000 -in ROPLauncher.dat -out Launcher.dat

GW 1.0, 1.1, 1.2 = 580006192800C5F0FBFB04E06A682088
GW 2.0b1, 2.0b2 = 1166D40CCDC9BD6AE2F38E8A0D4FE128

st4rk

nah
Member
Joined
Feb 11, 2014
Messages
542
Trophies
0
Website
st4rk.net
XP
815
Country
Brazil
I know it, but IDA Pro doesn't find any subroutine in the Gateway decrypt (with this AES key), or I got a bad decrypt :/

I tried it too in ROP and it works fine in IDA :c
 

Bond697

Dies, died, will die.
Member
Joined
Jun 7, 2009
Messages
350
Trophies
0
Age
39
Location
CT
XP
464
Country
United States
Follow the ROP chains until you hit the exploit and code decryption hidden in the launcher. Alternatively, write some code to follow/parse the ROP chains.

Bond697

Dies, died, will die.
Member
Joined
Jun 7, 2009
Messages
350
Trophies
0
Age
39
Location
CT
XP
464
Country
United States
You could try asking around for the Gateway's payloads instead. I'm told that someone leaked, or at least made available, the 2.0b1 Gateway payloads decrypted from the launcher. It's not me doing it, since we were checking out 2.0b2, but you might get lucky if you ask around on IRC or whatever.

moosehunter

Well-Known Member
Member
Joined
Nov 26, 2008
Messages
219
Trophies
0
XP
342
Country
United States
I'm not completely clear on this yet. Is it possible to get a RAM dump after playing an eShop title on emuNAND or after playing a game with Gateway?
 

profi200

Banned!
Banned
Joined
Sep 3, 2011
Messages
330
Trophies
0
XP
282
Country
Gambia, The
You can do it with the available tools, but you are limited to 4.X. "emuNAND" doesn't work here, because you need to switch the Launcher.dat, and removing the SD card while in "emuNAND" is not a good idea.
 

moosehunter

Well-Known Member
Member
Joined
Nov 26, 2008
Messages
219
Trophies
0
XP
342
Country
United States
I can't even get the RAM dumper to work without using Gateway. It just comes up with the error "an error has occurred forcing the software to close".
 

Roxas75

Well-Known Member
Member
Joined
Oct 9, 2010
Messages
516
Trophies
0
XP
1,522
Country
Italy
Don't know what version of GW you used, but starting with 2.0b1 they used 6.x+ NATIVE_FIRM as the base of their patches. So actually the bug was removed in those versions of the kernel; it was just present in the 4.x version.
 

luigi90210

Well-Known Member
Member
Joined
Mar 21, 2013
Messages
119
Trophies
0
Age
43
Location
San Diego, California
XP
274
Country
United States
I can't/don't want to provide tools for running unsigned code, but I can test homebrew apps. If anyone wants to start now to make homebrew apps, everything is there (ctrulib is not complete but already good enough to make some basic homebrew games, as shown by smealum. And someone will release/leak a CFW anyway sometime, so don't think running apps will never be possible. Wait for smealum.). So, if someone makes a homebrew app, I test it with my CFW and if needed I will make pics. If you include a banner and icon I will make a CIA file for you which you can release (I don't share CIAs built with the icon/banner I have, because they are not mine. They are from the SDK. And to be honest, they are boring and ugly.). But don't ask me to test the apps for every little fix. Try to make it as stable as possible and fix as many bugs as possible before you ask again. And of course, I can't handle 1000 requests per day.


What I need to make a CIA:

- The compiled ELF file
- A banner (if you want a CIA file)
- An icon (if you want a CIA file)
- A list of services you use (APT:U is one, for example)


Maybe I'll upload a linker script later which works for building apps. If not, you need a linker script with the base address 0x00100000 and the sections ".text", ".data" and ".rodata". And maybe I'll upload the example .rsf file later. Then you can specify the accessible services list yourself. The tool to make CIAs is not ready yet, but when it is, it will be released. I'm btw not the creator of the tool, but I don't name the creator here, because he doesn't want to be spammed with PMs.


Links:

http://3dbrew.org/wiki/CIA
http://3dbrew.org/wiki/SMDH
http://3dbrew.org/wiki/CBMD (There is no page with the entire banner format, but banners use CBMD/CGFX)
http://3dbrew.org/wiki/CiTRUS (Can make banner and icon files)



OK, I don't want to turn this into something it's not; I know how this site can get.

But why wouldn't you release the CFW, or at least the method for compiling our own CFW? Because doing this the way you are describing will not really help devs who want to make homebrew apps. Yes, it helps, but it's 1000X easier to have a 3DS that can run the unsigned code and be able to patch the code and see the results from said patch, instead of your method of sending you the app, you running and logging, then emailing logs back to the dev, then the dev patching and repeating the process.
Doing it that way is very time-consuming.

profi200

Banned!
Banned
Joined
Sep 3, 2011
Messages
330
Trophies
0
XP
282
Country
Gambia, The
But why wouldn't you release the CFW, or at least the method for compiling our own CFW? Because doing this the way you are describing will not really help devs who want to make homebrew apps. Yes, it helps, but it's 1000X easier to have a 3DS that can run the unsigned code and be able to patch the code and see the results from said patch, instead of your method of sending you the app, you running and logging, then emailing logs back to the dev, then the dev patching and repeating the process.
Doing it that way is very time-consuming.

1. I mentioned the piracy story already and I won't start to discuss this here again (it would allow everyone to install the released eShop warez, if there is an app installed which can install/uninstall other apps). That's the worst scenario I can think of, if everyone is just able to install every shit he wants 4free. I'm not going to open the 3DS in this way just for homebrew (and no, I like homebrew). And I see some of the homebrew coders here own a flashcard, and it's obvious for which reason. I think I don't need to mention what I think.

2. It has no useful functionality by itself other than just being an OFW (with disabled signature checks) running from the SD card. To be useful, an app to manage other apps must be installed, and I don't provide these tools, which make installing apps out of nothing possible, to anyone I'm not allowed to, because these are not mine. I would not even do it if I had made them myself.

3. I don't have any app to manage installed apps which I could release. I'm not allowed to share the Dev Menu, because I don't have the rights to do so, and I will not do it.

4. It is still unstable and boots like 1 in 5 tries because of an unknown bug.


I don't release the source, because it could enable every shitty clone manufacturer to flood the market with shit clones. I don't provide our code for others to make profit from it.