Basically, we use Gateway's entry point to get ROP under spider (the browser applet), which is not native code execution in either userland or the kernel. From there, we use the GPU DMA vulnerability to take over the Download Play application (by overwriting the GSP interrupt handler function pointer table). The Download Play application has access to the ns:s service (spider does not), and we use that service to launch our out-of-region game.
For more detail on the WebKit/spider exploit, visit http://yifan.lu/2015/01/10/reversing-gateway-ultra-first-stage-part-1/
For more detail on the GPU DMA exploit, visit http://smealum.net/?p=517
To build the ROP, use Kingcom's armips assembler https://github.com/Kingcom/armips
Credits:
- All original ROP and code in this repo written by smea
- ns:s region free booting trick found by yellows8
- Neatly packaged spider exploit by Gateway
- Bond697, sm, yifanlu for working on the Gateway payload so I wouldn't have to.
- Myria for helping with testing.
- sbJFn5r for porting the ROP to 4.x firmware versions