Page 1 of 1

Gateway 2.0b2 decoder

Posted: Tue Apr 29, 2014 2:16 pm
by tpu
We know that Gateway 2.0b2 has brick code inside. I made some research for this.
Gateway's code have many stage:
stage 1: ropchains run on arm11. this will trigger the arm9 exploit and run stage2.
stage 2: use arm9 kernel func to load and run stage 3 from sdmmc.
stage 3: this stage has hardware sdmmc code and tiny fatfs library. It loads stage 4.
stage 4: this is final stage. It load a patched kernel(arm9 and arm11), and do a soft reset.

With version 1.x, stage 4 is plain arm code. On version 2.x, stage4 have a tiny emulator. most of function will be run on it.
This emulator is a mips machine, but the order of opcode is remaped. I have write a tool to convert it to normal mips instruction.
There have a extra instruction: multu $rd, $rs, $rt. This cant be map to stander mips opcode space.


=====


gw20b2_final.bin will be load at 0x080a0000. the mips code start form 0xa000.