Page 3 of 5
Results 31 to 45 of 72

Thread: Nintendo WiFi Protocol Analysis

  1. #31
    Your Pokémon has hex data too! Developer, Game Save Researcher, RAM Researcher, IRC Owner, Wiki Contributor, Event Contributor, Administrator. Sabresite's Avatar
    Join Date
    Mar 2009
    Location
    Los Angeles
    Posts
    587

    Re: Nintendo WiFi Protocol Analysis

    Quote Originally Posted by Kaarosu View Post
    Randomly poking around the overlay files from Platinum, I ran into these... they seem like certificates, I think.
    I just shat and pissed my pants!

    Edit: Okay this is slightly (and by slightly I mean really far away) from my skills, however from what I gather, we have two viable options here.

    1) Jiggy and I will be working with SCV to make an ARDS code to clone the other person's pokemon during a trade on Wifi, while looking at their trading partner's pokemon's summary.

    and the second, more long term project

    2) We can use the certificate that kaarosu found to fake a server certificate. If the NDS does not employ sufficient verification of the certificate (or we fake that as well), we can do the following:
    NDS <--- real NDS certificate, fake WFC server certificate --> Machine in the Middle <--- real certificate that NDS --> WFC
    So the machine in the middle will have a plausible fake certificate which will decrypt the information to plaintext, then pass it using the real NDS certificate to the WFC. Then take the WFC information and decrypt it using the real NDS certificate, and encrypt it using the fake WFC certificate, then send it to the NDS. While complex/difficult, this is viable.

    The end goal is to set up the wireless of the NDS manually so that the DNS server is that of a computer on the same wireless network. The computer will be set up with a custom program that will redirect the nintendo servers to itself, and then perform the machine in the middle as explained above. While the person is viewing their trading partner's pokemon, the pokemon itself will be extracted during the machine in the middle plaintext decryption from the WFC, and then displayed on the computer along with its legality.

    Who is up for this challenge?
    Last edited by Sabresite; Aug 3rd, 2009 at 02:31 AM.
    I will know everything about pokemon and when I do, you will too.
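
The condition in post #31 ("If the NDS does not employ sufficient verification of the certificate") decides whether a machine in the middle is possible at all. The following is an added example, not part of the thread or of any code from its participants: it builds a throwaway PKI with OpenSSL and shows that a look-alike certificate with the right subject name passes a name-only check but is rejected once the client verifies the signature chain against its pinned CA. The name-only policy is an assumed illustration of insufficient verification; `Demo Root CA`, `server.example` and all file names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate below is generated locally.
set -u

# build_demo_pki DIR: pinned CA, genuine server cert, self-signed look-alike.
build_demo_pki() {
  local d="$1"
  # Minimal config so the CA certificate carries basicConstraints CA:TRUE.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    'CN = placeholder' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
  # Trust anchor the client ships with (hypothetical name).
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Genuine server certificate: CSR first, then signed by the CA.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null || return 1
  # Look-alike: same subject name, but signed by its own key instead of the CA.
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=server.example" -keyout "$d/lookalike.key" -out "$d/lookalike.pem" 2>/dev/null || return 1
}

# Insufficient check (assumed for illustration): only the subject name is compared.
name_only_check() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -Fq "CN=$2"
}

# Sufficient check: the signature chain must end at the pinned CA and nothing else.
chain_check() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_accepts MODE CA CERT NAME: prints "accept" or "reject" (MODE: weak|strict).
client_accepts() {
  name_only_check "$3" "$4" || { echo reject; return; }
  if [ "$1" = strict ] && ! chain_check "$2" "$3"; then echo reject; return; fi
  echo accept
}

run_demo() {
  local d c m; d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { echo "openssl failed" >&2; rm -rf "$d"; return 1; }
  for c in server lookalike; do for m in weak strict; do
    echo "$c.pem, $m policy: $(client_accepts "$m" "$d/ca.pem" "$d/$c.pem" server.example)"
  done; done
  rm -rf "$d"
}
run_demo
```
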



  2. #32

    Re: Nintendo WiFi Protocol Analysis

    Quote Originally Posted by Andy View Post
    I had a quick look into this today, using a slightly different method. I was still using Wireshark for the packet-logging, but I was using an ARP spoofer to intercept communications between the DS and router.

    With this in place I went into the Global Trade Station in Jubilife City, connected to the GTS, deposited a Pokemon for trade and then searched for a couple of other Pokemon.

    This fired off a load of connections to various servers owned by Akamai Technologies (a company that, amongst other things, provides network services for MMO games and such).

    I haven't done any analysis on this yet as I'm having trouble getting Wireshark to give me any reasonable data beyond the packet headers?!

    But, I didn't notice any UDP data flying around, which is different to AngelSI's findings. AngelSI: did we follow roughly the same procedure or were you trying to trade using the normal wireless communications (i.e. a non-GTS trade)?

    If not, are you treating lower-level protocols such as ARP and DHCP as UDP? Anything relating to ARP, DHCP or ICMP can be disregarded - it's all standard connection and address negotiation stuff.

    Andy
    I'm not too sure, this was a long time ago. But yes I still have the equipment to sniff the data going through my PC (my PC acts as a wireless access point for my DS), so if you still need it, I can do it.

    I'll check the pcaps.

    EDIT: Yes, there was UDP stuff with Wireshark's description "Source port: xxx Destination port: xxx", and no, I was NOT using the GTS.

  3. #33
    Your Pokémon has hex data too! Developer, Game Save Researcher, RAM Researcher, IRC Owner, Wiki Contributor, Event Contributor, Administrator. Sabresite's Avatar
    Join Date
    Mar 2009
    Location
    Los Angeles
    Posts
    587

    Re: Nintendo WiFi Protocol Analysis

    If someone wants to take a stab at faking the server's certificate using OpenSSL, please go for it. I think that would be our best bet, according to some academic papers online.
    I will know everything about pokemon and when I do, you will too.



  4. #34
    Member Scarface's Avatar
    Join Date
    Jun 2009
    Location
    Australia
    Age
    20
    Posts
    135

    Re: Nintendo WiFi Protocol Analysis

    Well, good luck to you two. If you can make this work I may have a heart attack or something. Let's hope we can get this to work.

  5. #35
    SOUL SILVER FAN!! derrick's Avatar
    Join Date
    Apr 2009
    Location
    stuck in a pokewalker some where in the US
    Posts
    438

    Re: Nintendo WiFi Protocol Analysis

    This is going to be so awesome. I hope this isn't forgotten about, because for people who can't use AR most of the time this would be like a dream come true!!
    A halo 3 fan stuck with dial up
    ..........

  6. #36

    Re: Nintendo WiFi Protocol Analysis

    I have a DS with R4 (so I can play any version of pokemon) and a router.
    I'm reading a good book about hacking/sniffing PC connections, so I can help you although I'm still learning.

  7. #37
    Your Pokémon has hex data too! Developer, Game Save Researcher, RAM Researcher, IRC Owner, Wiki Contributor, Event Contributor, Administrator. Sabresite's Avatar
    Join Date
    Mar 2009
    Location
    Los Angeles
    Posts
    587

    Re: Nintendo WiFi Protocol Analysis

    We can theoretically take the certificate, and the private/public key and spoof the client. However to get somewhere we would need to know how to respond to the packets.

    Debugging the game as it is running is still our best option.
    I will know everything about pokemon and when I do, you will too.



  8. #38

    Re: Nintendo WiFi Protocol Analysis

    Maybe the iDeaS emulator can be used. I remember that it can debug the game while playing...

  9. #39
    Alexi "WildChild" Laiho Wiki Contributor COBHC's Avatar
    Join Date
    Aug 2009
    Location
    everywhere because COBHC is everywhere
    Age
    21
    Posts
    299

    Re: Nintendo WiFi Protocol Analysis

    Quote Originally Posted by derrick View Post
    Yeah, so someone might be able to host Pokémon events too from their computer.
    That would be sweet. I could never figure out how to get my Deoxys GameStop event cart to work, so this would help a lot.
    u r right
    click the spoiler for a killer image of ALEXI the owner of the fucking HATE CREW

    Spoiler


    that's right man COB stands for Children Of Bodom!!!!

    B-E-A-fucking-UTIFUL!!!!!!!! <------------- Ripped from Stockholm Knockout Challenge live DVD !!!!

  10. #40
    Member. Developer, RAM Researcher. Jiggy-Ninja's Avatar
    Join Date
    Apr 2009
    Age
    22
    Posts
    293

    Re: Nintendo WiFi Protocol Analysis

    Quote Originally Posted by LeoI View Post
    Maybe the iDeaS emulator can be used. I remember that it can debug the game while playing...
    We need to debug it while connecting to Wifi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger.
    I'm a Natu.

  11. #41

    Re: Nintendo WiFi Protocol Analysis

    Quote Originally Posted by Jiggy-Ninja View Post
    We need to debug it while connecting to Wifi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger.
    Hardware debugger? You have a lot of money my friend.


  12. #42
    Contributor - Event Translation Contributor, IRC VOP, Developer, Game Save Researcher, Former Staff, Event Contributor
    Join Date
    Mar 2009
    Location
    Minnesota, USA
    Age
    21
    Posts
    790

    Re: Nintendo WiFi Protocol Analysis

    I don't think he means an official box, if that's what you're getting at. The time and hardware required for a DIY debugger is still considerable though.

  13. #43
    Member. Developer, RAM Researcher. Jiggy-Ninja's Avatar
    Join Date
    Apr 2009
    Age
    22
    Posts
    293

    Re: Nintendo WiFi Protocol Analysis

    Quote Originally Posted by NTR-AAQE-USA View Post
    Hardware debugger? You have a lot of money my friend.
    I said we need one, not that we have one.
    I'm a Natu.

  14. #44
    Dr. Horrible. Developer, Game Save Researcher, Moderator, Super Moderator. evandixon's Avatar
    Join Date
    Apr 2009
    Location
    An Aperture Science lab near Treasure Town
    Posts
    1,335

    Re: Nintendo WiFi Protocol Analysis

    Quote Originally Posted by Jiggy-Ninja View Post
    I said we need one, not that we have one.
    Would a Trainer Toolkit work, or is that not what you are aiming for?

  15. #45
    Contributor - Event Translation Contributor, IRC VOP, Developer, Game Save Researcher, Former Staff, Event Contributor
    Join Date
    Mar 2009
    Location
    Minnesota, USA
    Age
    21
    Posts
    790

    Re: Nintendo WiFi Protocol Analysis

    I brought that up to Sabre and the others but it seems the debugging features are rather lacking compared to a "true" debugger.
