I’ve read the whole bootrom code and i have to admit, that big N has done a good job on hiding where and how it calls the AES code.
Finding the AES implementation is easy, it’s just before the ancast header check function and after the most useless function.
Finding how the AES implementation is called, is a little bit hard, for two reasons:
there are no cross references in the text segment; This means you will not see something like:
bl AES_Decrypt
there are no addresses saved in the data segment:
AES_offset: .long AES_Decrypt
So how to find it? you have to read the code, because the value is hardcoded and saved into a memory on an unknown address (like 0xE0000000); then a function will load that addresses to the count (CTR) register and jumps there.
I’ll make an example:

How normally should be:

1Screenshot 2014-03-07 11.20.17

How is obfuscated on the Wii U:

2Screenshot 2014-03-07 11.22.01

Deroad Said
The last thing:
I had a lot of fun on reverse the whole bootrom. You’ll find interesting stuff, there (but not keys :P).


No, this isn’t me ranting or hating these vile people, as its not coming from me, it is coming from some extremely credible sources, such as Crediar, who created a thread on GBATemp, which states this:

It has recently been found out that the Gateway team put code into their Beta 2 (clones: 3.2-3.3b) that purposely bricks 3DSs when the checksum of the launcher.dat fails.

That means even when using a real gateway card the code can trigger when the launcher.dat is corrupted in any way.

The code is written to trigger at a random point in time which is based on the time the file was copied onto the SD.

When the brick code triggers it bricks the firmware and reprograms the eMMC NAND to have a size of 0 bytes.

The post had originally said that Normmatt’s Region free patch was safe, but then it was changed to this:

Normmatt’s region free patch is not safe either!

This brick happens even if you are using the official Gateway card, it will leave you with a totally unusable 3DS.

Original Source
GBATemp Thread

Mathieulh and other devs have been looking at the Gateway and this is what he said when i pasted the “bricking code” i copied from the Original Source:
 photo math_zpsfd22031b.png

Most of you who will read this, know i hate Carts, ODDES and reDRM dongles, im not going to get into that debate here, because it is pointless for me to try and convince people or force my views on them, that’s why this news story is somewhat annoying for me to post, as it involves having to use a Gateway Cart, here is a quote from the story on GBATemp:

 photo ku-xlarge_zpsc6be5572.png

From Normmatt

Gateway 2.0B2 Launcher.dat (wont provide link at not allowed to GBATemp rules so no one please post)
Patched with the above Hex
Gateway Mode loads Retail Carts but with Region Free, you can even still use the EmuNAND so can have 7.1.0-14

this will not play ANY Roms, only official carts

You can use this without any need for a 3DS Flashcard also
so if you want your 4.1>4.5 Console to have EmuNAND and Region Free Patches only, this is for you


Download the File to Patch the Launhcer.dat (Grab From Source)

all you need is a DS Flashcard working on 3DS Firmwares 4.1>4.5 for this
because you can use the Gateway installer.nds to install the MSET Exploit and then load your new patched Launcher.dat

1. Download file
2. Copy GW’s launcher.dat into the same folder as the *.exe
3. Start the *.exe. It should show “file patched successfully”
4. Copy the Launcher.dat into the Root of your microSD card
5. Install the Exploit (with the GW_INSTALLER.NDS)
6. Now you can go to Settings -> General Settings -> User settings -> DS profile
7. Your 3DS is region free


From what i understand, once you install the hack, your 3DS will be region free, you will then be able to update your firmware and throw that awful Cart in the bin.
I would advice keeping an eye on the source thread and as always you can discuss the story on our forums here.

From source

Ive noticed alot of News sites appear to be reporting this WRONG when coming to updating to 7.1.0
Once the patch is applied DO NOT USE THE NORMAL UPDATE METHOD
you must first create a EmuNAND otherwise you will update your normal NAND and loose the Exploit
Please follow the Instructions included in the Gateway files on how to create the EmuNAND