Gateway 3DS Installer Analysis

173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Gateway 3DS Installer Analysis

Post by 173210 »

I analyzed GW_INSTALL.nds (the Gateway 3DS Installer) to learn how Gateway 3DS works.

----How I analyzed GW_INSTALL.nds----
I used a modified DeSmuME and NDS Disassembler 2nd [NDSDIS2].
I executed GW_INSTALL.nds. After that, I dumped the NDS firmware and compared it with a firmware that was dumped before the emulator executed GW_INSTALL.nds.
I also checked SPICNT (0x040001C0), which is used to control the SPI bus.

----Result of the Analysis----
I found that it modified the firmware.
It set bits 8-9 of SPICNT to 1 to modify the firmware.
That means it tried to access the firmware.
[Image: gw_install_spicnt.png]
And there are some differences between the firmware after executing GW_INSTALL.nds and the firmware before that.
I show the addresses and the firmware bytes that were modified by GW_INSTALL.nds.

0x0787A-0x07897

0x07870: E9 FF 67 49 F9 E4 47 97 30 93 F8 6D BC 5D 1D BC
0x07880: AA 26 BD 8E 8D 5F BE 32 FE 5E DC 97 FF B1 A2 DC
0x07890: 4B 76 6D 6E 3F CC DC 25 97 0F 44 C5 EE 17 BD 5C
0x1FE00-0x1FEDB

0x1FE00: B9 F2 10 00 AE 2B 27 00 ED 0D DC BA 9C F1 18 00
0x1FE10: 90 B6 10 00 00 B0 FA 00 00 02 20 00 B9 F2 10 00
0x1FE20: 00 90 27 00 01 00 00 00 E1 49 15 00 38 6F 27 00
0x1FE30: AC 82 1B 00 DC D5 18 00 40 83 27 00 00 02 10 00
0x1FE40: CC 48 00 00 60 3D 14 00 B9 F2 10 00 00 90 27 00
0x1FE50: 00 00 2B 00 F9 02 10 00 F9 02 10 00 F9 02 10 00
0x1FE60: F9 02 10 00 F9 02 10 00 F9 02 10 00 E1 49 15 00
0x1FE70: 51 00 CD C2 E1 49 15 00 20 90 27 00 8C 53 10 00
0x1FE80: 00 90 00 00 58 39 1B 00 E5 04 21 00 00 DA 19 00
0x1FE90: 00 75 01 00 86 DF 21 00 00 C1 1A 00 22 DA 1D 00
0x1FEA0: 91 FE 16 00 00 01 10 00 BC 4C 14 00 00 00 2B 00
0x1FEB0: 00 90 00 00 E1 49 15 00 AC EF 22 00 88 5C 10 00
0x1FEC0: 00 00 0E 00 90 03 25 00 C0 FA 1E 00 91 FE 16 00
0x1FED0: 8C 53 10 00 24 6B 03 00 60 3D 14 00 CD 05 0E AA
0x1FE00-0x1FE6F is written at 0x9EA8-0x9F17 in GW_INSTALL.nds.
0x1FE74-0x1FEDB is written at 0x9F1C-0x9F83 in GW_INSTALL.nds.


0x1FEFE-0x1FEFF

0x1FEF0: DF 39 77 03 28 30 CC 79 4E 43 87 E8 F6 6C A2 31
0x1FF50-0x1FF51

0x1FF50: 6E 00 A5 42 F2 AA 44 20 F5 94 EC 77 74 4B 46 1A
0x1FF70-0x1FF73

0x1FF70: 52 00 A1 B6 EE 52 4D FE 54 5C 5E 5C 5A 97 92 6A
0x1FFB4-0x1FFDB

0x1FFB0: BB 15 DE 97 B9 F2 10 00 00 FE 01 00 00 01 00 00
0x1FFC0: E1 49 15 00 00 94 27 00 FC 34 13 00 D0 8C 1E 00
0x1FFD0: 8C 53 10 00 9C 94 27 F0 60 3D 14 00 66 1D F8 A0
0x1FFB4-0x1FFDB is written at 0x9E7C-0x9EA3 in GW_INSTALL.nds.

0x1FFFE-0x1FFFF

0x1FFE0: A9 03 68 77 1A DA 5B E2 4F 5F 12 BE FF AC 6E 95
0x233D9-0x233F4

0x233D0: 0F C1 0E CF FF AE A3 05 5D 60 B6 85 A1 AA DF 12
0x233E0: E6 EF 5F 5A BF 94 43 93 39 1E A3 D5 17 1B EB 50
0x233F0: 0D 95 D1 9B 5E 13 73 DA A0 F1 FC 62 C0 5C 96 A2
I couldn't understand this binary. It may be used to exploit the 3DS.

I uploaded those firmwares.
ORIG_FIRM.BIN
GW_INSTALL_FIRM.BIN

EDIT: I got the DS firmware and tested again. I wrote up the result.
Last edited by 173210 on Thu Aug 15, 2013 1:22 am, edited 1 time in total.
Donate!
Bitcoin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/
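As an added example (not 173210's own tooling), here is a small Python script for the comparison step described in the post: it takes two firmware dumps of equal size, reports the contiguous changed byte ranges, and prints the affected 16-byte rows in the same `0x07870: E9 FF ...` notation used above. The two dumps are constructed inline as sample data.

```python
ROW = 16  # bytes per hexdump row, as in the post's listings


def changed_ranges(before: bytes, after: bytes):
    """Return inclusive (start, end) offset ranges where the two dumps differ."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size; compare dumps of the same firmware")
    ranges, start = [], None
    for off, (a, b) in enumerate(zip(before, after)):
        if a != b:
            if start is None:
                start = off          # open a new differing run
        elif start is not None:
            ranges.append((start, off - 1))
            start = None             # close the run at the last differing byte
    if start is not None:
        ranges.append((start, len(after) - 1))
    return ranges


def hexdump_rows(data: bytes, start: int, end: int) -> str:
    """Dump every 16-byte row that overlaps start..end, one line per row."""
    lines = []
    for row in range(start - start % ROW, end + 1, ROW):
        chunk = data[row:row + ROW]
        lines.append("0x%05X: %s" % (row, " ".join("%02X" % b for b in chunk)))
    return "\n".join(lines)


def report(before: bytes, after: bytes) -> str:
    """Range header followed by the modified rows, for each changed range."""
    out = []
    for s, e in changed_ranges(before, after):
        out.append("0x%05X-0x%05X" % (s, e))
        out.append(hexdump_rows(after, s, e))
    return "\n".join(out)


# Constructed sample dumps (not real firmware): 256 bytes with two patched spots.
ORIG = bytes(range(256))
_patched = bytearray(ORIG)
_patched[0x1A:0x1E] = b"\xDE\xAD\xBE\xEF"
_patched[0x7F] ^= 0xFF
PATCHED = bytes(_patched)

if __name__ == "__main__":
    print(report(ORIG, PATCHED))
```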
metalliphyll
Posts: 10
Joined: Thu Apr 26, 2012 11:56 am

Re: Gateway 3DS Installer Analysis

Post by metalliphyll »

Nice find pal :D
kepling5001
Posts: 25
Joined: Sat Jul 06, 2013 5:59 pm

Re: Gateway 3DS Installer Analysis

Post by kepling5001 »

Nice stuff...do these still only load one game per micro stick?
:D
popsdeco
Posts: 92
Joined: Sat Jul 02, 2011 4:57 pm

Re: Gateway 3DS Installer Analysis

Post by popsdeco »

Thank you for the info.
Comparing with the Gateway Guide, it is now obvious that this uses a buffer overflow in the NDS profile parser.
0x1FE00 and 0x1FF00 are profile entries.
According to http://sourceforge.net/p/devkitpro/libn ... s/system.h (tPERSONAL_DATA), 0x1FF50 is the profile message size (it must be 0x1A or less, but here it is 0x6E intentionally).
Also, I remember 0x1FF72 is the checksum (CRC16).
The NDS message and name are written in UTF-16, so some conversion might be related to the payload.
Perhaps I'll need to run the NDS firmware on DeSmuME to dump the "converted message", since direct conversion to UTF-8 didn't seem meaningful.
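An added example, not popsdeco's or the thread's code: a Python checker for one 0x100-byte NDS user-settings entry that applies the two checks named above, the message-length limit of 0x1A and the CRC16 at offset 0x72, and decodes the UTF-16 message. Field offsets follow the tPERSONAL_DATA layout; the CRC parameters (reflected polynomial 0xA001, init 0xFFFF, covering bytes 0x00-0x6F) are taken from GBATEK's firmware documentation and are an assumption here, and the entries are constructed test data rather than real dumps.

```python
import struct

# Offsets inside one 0x100-byte user-settings entry, following the
# devkitPro tPERSONAL_DATA layout linked in the post above.
NICKNAME_OFF, NICKNAME_LEN_OFF, NICKNAME_MAX = 0x06, 0x1A, 10
MESSAGE_OFF, MESSAGE_LEN_OFF, MESSAGE_MAX = 0x1C, 0x50, 0x1A   # 0x1A = 26 UTF-16 units
CRC_OFF = 0x72
CRC_SPAN = 0x70          # assumption (GBATEK): the CRC16 covers bytes 0x00..0x6F
ENTRY_SIZE = 0x100


def nds_crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Reflected CRC-16, poly 0xA001, init 0xFFFF (assumed DS firmware CRC)."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def check_entry(entry: bytes) -> dict:
    """Flag fields that are out of spec; a parser that trusts them unchecked is at risk."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("entry must be 0x100 bytes")
    nick_len = struct.unpack_from("<H", entry, NICKNAME_LEN_OFF)[0]
    msg_len = struct.unpack_from("<H", entry, MESSAGE_LEN_OFF)[0]
    stored_crc = struct.unpack_from("<H", entry, CRC_OFF)[0]
    raw_msg = entry[MESSAGE_OFF:MESSAGE_OFF + 2 * MESSAGE_MAX]
    return {
        "nickname_len_ok": nick_len <= NICKNAME_MAX,
        "message_len_ok": msg_len <= MESSAGE_MAX,
        "message_len": msg_len,
        "crc_ok": stored_crc == nds_crc16(entry[:CRC_SPAN]),
        "message": raw_msg.decode("utf-16-le", errors="replace").rstrip("\0"),
    }


def build_entry(nickname: str, message: str, msg_len_override=None) -> bytes:
    """Constructed test entry (not a real dump) with a consistent CRC."""
    e = bytearray(ENTRY_SIZE)
    struct.pack_into("<H", e, 0, 5)                                   # version field
    e[NICKNAME_OFF:NICKNAME_OFF + 20] = nickname.encode("utf-16-le")[:20].ljust(20, b"\0")
    struct.pack_into("<H", e, NICKNAME_LEN_OFF, len(nickname))
    e[MESSAGE_OFF:MESSAGE_OFF + 52] = message.encode("utf-16-le")[:52].ljust(52, b"\0")
    n = len(message) if msg_len_override is None else msg_len_override
    struct.pack_into("<H", e, MESSAGE_LEN_OFF, n)                     # length field checked above
    struct.pack_into("<H", e, CRC_OFF, nds_crc16(e[:CRC_SPAN]))
    return bytes(e)


if __name__ == "__main__":
    print(check_entry(build_entry("Alice", "hello")))
    print(check_entry(build_entry("Alice", "hello", msg_len_override=0x6E)))
```

Run against a real dump, the entry at 0x1FF00 would be `entry = dump[0x1FF00:0x20000]`; an oversized length with a still-valid CRC, as in the thread's dump, shows up as `message_len_ok` False with `crc_ok` True.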
173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Re: Gateway 3DS Installer Analysis

Post by 173210 »

popsdeco wrote: Thank you for the info.
Comparing with the Gateway Guide, it is now obvious that this uses a buffer overflow in the NDS profile parser.
0x1FE00 and 0x1FF00 are profile entries.
According to http://sourceforge.net/p/devkitpro/libn ... s/system.h (tPERSONAL_DATA), 0x1FF50 is the profile message size (it must be 0x1A or less, but here it is 0x6E intentionally).
Also, I remember 0x1FF72 is the checksum (CRC16).
The NDS message and name are written in UTF-16, so some conversion might be related to the payload.
Perhaps I'll need to run the NDS firmware on DeSmuME to dump the "converted message", since direct conversion to UTF-8 didn't seem meaningful.
Yes, we should run the NDS firmware, but I don't have a DS, so I couldn't get it.
The best way is to run the Gateway 3DS Installer and dump the firmware on a 3DS.
I'm looking for a person who has an unpatched 3DS and a flashcart.
popsdeco
Posts: 92
Joined: Sat Jul 02, 2011 4:57 pm

Re: Gateway 3DS Installer Analysis

Post by popsdeco »

Although they are not willing, since the firmware contains confidential info such as the MAC address, I'm going to ask my colleagues.

By the way, this is the pseudo-homebrewed version of the NDS firmware (extracted from my fw.bin).
If you specify an external firmware image from the emulation menu, this fw.nds works like the real firmware.
https://www.dropbox.com/s/r3xhc2vrn4vaxnz/fw.nds
Mathieulh
Guru
Posts: 49
Joined: Thu Jan 06, 2011 6:17 am
Contact:

Re: Gateway 3DS Installer Analysis

Post by Mathieulh »

It's an overflow used to store a ROP chain payload on the 3DS stack, which eventually decrypts launcher.dat using bytes from the system menu as the key; then there is another, larger ROP chain in launcher.dat, used mostly for obfuscation purposes, which in the end uses the ASIC to decrypt the final payload.

The obfuscation relies mostly on the fact that you need a RAM dump in order to make sense of the ROP chains.
Then you also need to get the actual encrypted payload through the ASIC to have all of its decrypted counterparts.

You get the idea xD
---
PGP Fingerprint: DF46 8C79 5D1A 76FF 75B2 C345 4679 EDEF 1B5B B192
Public Key: https://pgp.mit.edu/pks/lookup?op=get&search=0x1B5BB192

Proof: https://keybase.io/mathieulh
Acid_Snake
Retired Mod
Posts: 3100
Joined: Tue May 01, 2012 11:32 am
Location: Behind you!

Re: Gateway 3DS Installer Analysis

Post by Acid_Snake »

Mathieulh wrote: It's an overflow used to store a ROP chain payload on the 3DS stack, which eventually decrypts launcher.dat using bytes from the system menu as the key; then there is another, larger ROP chain in launcher.dat, used mostly for obfuscation purposes, which in the end uses the ASIC to decrypt the final payload.

The obfuscation relies mostly on the fact that you need a RAM dump in order to make sense of the ROP chains.
Then you also need to get the actual encrypted payload through the ASIC to have all of its decrypted counterparts.

You get the idea xD
Basically, the lack of ASLR is what f-ed them up. Has this thing been decrypted yet? I wish I had a 3DS, I'd totally get into hacking it.
Timber
Posts: 82
Joined: Tue Mar 13, 2012 7:06 pm
Location: VT USA via England

Re: Gateway 3DS Installer Analysis

Post by Timber »

I have a 3DS XL with an R4i Gold card, it's really awesome and easy to use. I'm still deciding whether to get a Gateway or a 3DS Link, not sure which is better yet.
Dwtechzhope
Posts: 14
Joined: Wed Oct 29, 2014 9:17 am

Re: Gateway 3DS Installer Analysis

Post by Dwtechzhope »

Gateway 3DS is the first 3DS game card; it can now emuNAND 9.9 with the Ultra firmware, but it only supports 9.2~4.1. Or you can buy a Sky3DS, which works on any 3DS / New 3DS handheld.