evandixon Posted July 20, 2009
The WFC is completely different than the GTS. Using the GTS is like searching through a website; it's kind of weird. With the WFC, it's fairly straightforward: the DS cartridge has a certificate for SSLv3, and it uses some type of information to salt a big number which is sent to the WFC server. A number is sent back to the DS as well. With these numbers, a private key and public key are generated on both ends. The public key the DS has is to encrypt the information that it sends. The private key is to decrypt the information that it receives. Getting that certificate and salting algorithm is already in the ROM, somewhere. It may be in the ARM9 file, so that would take a little bit to find.
BarkingFrog Posted July 22, 2009
... though I don't know if I have anything to grab packets and such ...
If you just want to grab packets, use Wireshark or WPE Pro. Use your router to get the destination address from the NDS Wi-Fi connection, then sniff it with that tool. Somehow I managed to get the packets when trading through the GTS, but I don't understand them. *So I decided to abandon it.*
Another way: use the router to find the destination IP and port, create a simple program to listen on that port, change your computer's IP to match the packet's destination IP, and use your router to redirect it. Hope this helps.
Vlad Posted July 29, 2009
If someone learns how SSL works ( http://en.wikipedia.org/wiki/Transport_Layer_Security#How_it_works ) this will be doable.
Kaarosu Posted July 29, 2009
Randomly poking around the overlay files from Platinum I ran into these... they seem like certificates, I think.
Poryhack Posted July 29, 2009
Quoting Kaarosu: "Randomly poking around the overlay files from Platinum I ran into these... they seem like certificates, I think."
Don't see what else they'd be, with names like that. Great find!
Sabresite Posted August 3, 2009 (edited)
Quoting Kaarosu: "Randomly poking around the overlay files from Platinum I ran into these... they seem like certificates, I think."
I just shat and pissed my pants!
Edit: Okay, this is slightly (and by slightly I mean really far away) from my skills; however, from what I gather, we have two viable options here.
1) Jiggy and I will be working with SCV to make an ARDS code to clone the other person's Pokemon during a trade on Wi-Fi, while looking at their trading partner's Pokemon's summary.
And the second, more long-term project:
2) We can use the certificate that Kaarosu found to fake a server certificate. If the NDS does not employ sufficient verification of the certificate (or we fake that as well), we can do the following:
NDS <--- real NDS certificate, fake WFC server certificate --> Machine in the Middle <--- real certificate that NDS --> WFC
So the machine in the middle will have a plausible fake certificate which will decrypt the information to plaintext, then pass it using the real NDS certificate to the WFC. Then take the WFC information and decrypt it using the real NDS certificate, encrypt it using the fake WFC certificate, and send it to the NDS. While complex/difficult, this is viable.
The end goal is to set up the wireless of the NDS manually so that the DNS server is that of a computer on the same wireless network. The computer will be set up with a custom program that will redirect the Nintendo servers to itself, and then perform the machine in the middle as explained above. While the person is viewing their trading partner's Pokemon, the Pokemon itself will be extracted during the machine-in-the-middle plaintext decryption from the WFC, and then displayed on the computer along with its legality.
Who is up for this challenge?
Edited August 3, 2009 by Sabresite
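The DNS redirection step in the plan above (point the DS at a DNS server on the LAN, answer queries for the Nintendo hostnames with the interceptor's own address) is small enough to show in full. The following is an added example written for this page, not code from Sabresite or anyone else in the thread, and it uses only the Python standard library. The hostnames and the interceptor IP in REDIRECT are constructed placeholders: this thread never names the real WFC/GTS hosts, so they have to be taken from the router logs or a packet capture, as the earlier posts suggest. Queries for anything else are forwarded unchanged to an upstream resolver so the DS's other traffic keeps working. Note that this only moves the TCP connection to the interceptor; the TLS side of the attack still depends on the forged certificate and, as the post itself qualifies, on the DS not verifying the chain properly.

```python
"""Minimal DNS redirector: answers A queries for chosen hostnames with the
interceptor's own IP and forwards everything else to a real resolver.
Added example for this page; assumptions are marked below."""
import socket
import struct

# Constructed mapping (assumption): the real WFC/GTS hostnames are not given in
# the thread. Replace with the names seen in your router logs / capture, and
# with the LAN IP of the machine running the interceptor.
REDIRECT = {
    "wfc.example.test": "192.168.1.50",
    "gts.example.test": "192.168.1.50",
}
UPSTREAM = ("8.8.8.8", 53)  # any reachable resolver, for names we do not redirect


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero end)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Wire-format name at offset -> (dotted name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            offset += 2
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive A query; used here to construct test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(data: bytes):
    """-> (txid, lowercase qname, qtype, qclass, raw question section)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, end = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[end:end + 4])
    return txid, name.lower(), qtype, qclass, data[12:end + 4]


def build_response(query: bytes, redirect=REDIRECT, ttl: int = 60):
    """Spoofed A answer for a redirected name, or None if it should be forwarded."""
    txid, name, qtype, qclass, question = parse_query(query)
    target = redirect.get(name)
    if target is None or qtype != 1 or qclass != 1:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = (b"\xC0\x0C"  # pointer back to the name in the question section
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(target))
    return header + question + answer


def parse_answer_ip(response: bytes):
    """First A record of a response produced by build_response (for checking)."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if ancount == 0:
        return None
    _, end = decode_name(response, 12)
    end += 4                                # skip qtype / qclass
    _, end = decode_name(response, end)     # the C0 0C pointer
    _, _, _, rdlen = struct.unpack("!HHIH", response[end:end + 10])
    return socket.inet_ntoa(response[end + 10:end + 10 + rdlen])


def serve(bind=("0.0.0.0", 53), redirect=REDIRECT):
    """Blocking UDP loop: spoof redirected names, relay everything else upstream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, client = sock.recvfrom(512)
        try:
            reply = build_response(data, redirect)
        except (ValueError, IndexError):
            continue  # malformed or unsupported; drop it
        if reply is None:
            fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            fwd.settimeout(3)
            try:
                fwd.sendto(data, UPSTREAM)
                reply, _ = fwd.recvfrom(512)
            except socket.timeout:
                continue
            finally:
                fwd.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()  # needs root (port 53); point the DS's manual DNS setting at this host
```

Run it on the machine the DS will be pointed at (it binds port 53, so it needs root), then enter that machine's address as the primary DNS server in the DS Wi-Fi settings. Matching is case-insensitive and only A records are spoofed; the redirected address is whatever the interceptor program from the rest of the plan is listening on.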
AngelSL Posted August 3, 2009 (Author)
Quoting Andy: "I had a quick look into this today, using a slightly different method. I was still using Wireshark for the packet logging, but I was using an ARP spoofer to intercept communications between the DS and the router. With this in place I went into the Global Trade Station in Jubilife City, connected to the GTS, deposited a Pokemon for trade and then searched for a couple of other Pokemon. This fired off a load of connections to various servers owned by Akamai Technologies (a company that, amongst other things, provides network services for MMO games and such). I haven't done any analysis on this yet as I'm having trouble getting Wireshark to give me any reasonable data beyond the packet headers?! But I didn't notice any UDP data flying around, which is different to AngelSL's findings. AngelSL: did we follow roughly the same procedure, or were you trying to trade using the normal wireless communications (i.e. a non-GTS trade)? If not, are you treating lower-level protocols such as ARP and DHCP as UDP? Anything relating to ARP, DHCP or ICMP can be disregarded; it's all standard connection and address negotiation stuff. Andy"
I'm not too sure, this was a long time ago. But yes, I still have the equipment to sniff the data going through my PC (my PC acts as a wireless access point for my DS), so if you still need it, I can do it. I'll check the pcaps.
EDIT: Yes, there was UDP stuff with Wireshark's description "Source port: xxx Destination port: xxx", and no, I was NOT using the GTS.
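Both the "learn how SSL works" remark and Andy's complaint above about getting nothing useful out of Wireshark beyond headers come down to reading the record layer by hand. The following is an added example written for this page (not code from any poster): a small stdlib Python parser that walks raw SSLv3/TLS 1.x records, such as a TCP payload exported from a capture, and lists the handshake messages, the cipher suites offered in a ClientHello and the DER blobs in a Certificate message. That last part matters for the thread's plan, because in SSLv3 and TLS up to 1.2 the server's certificate chain is sent in the clear, so the real WFC server certificate can be lifted straight out of a capture before anything is decrypted. Application data after the handshake stays encrypted; a capture alone will not show the trade itself. The sample bytes at the bottom are constructed for this example, not a real DS capture, and the two "certificates" are placeholders rather than valid DER.

```python
"""Walk raw SSLv3/TLS records and summarize the handshake messages in them.
Added example for this page; the sample traffic is constructed, not captured."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def _u24(b):
    return (b[0] << 16) | (b[1] << 8) | b[2]


def _p24(n):
    return bytes([(n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def split_records(data):
    """-> [(content_type, version, body)]; stops at the first truncated record."""
    out, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        if off + 5 + length > len(data):
            break
        out.append((ctype, ver, data[off + 5:off + 5 + length]))
        off += 5 + length
    return out


def split_handshakes(body):
    """-> [(msg_type, payload)] for the handshake messages in one record body."""
    out, off = [], 0
    while off + 4 <= len(body):
        mtype, length = body[off], _u24(body[off + 1:off + 4])
        out.append((mtype, body[off + 4:off + 4 + length]))
        off += 4 + length
    return out


def parse_client_hello(payload):
    """Version, random, session id and offered cipher suites of a ClientHello."""
    ver, = struct.unpack("!H", payload[:2])
    sid_len = payload[34]
    off = 35 + sid_len
    cs_len, = struct.unpack("!H", payload[off:off + 2])
    off += 2
    suites = [struct.unpack("!H", payload[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    return {"version": VERSIONS.get(ver, hex(ver)), "random": payload[2:34],
            "session_id": payload[35:35 + sid_len], "cipher_suites": suites}


def parse_certificate(payload):
    """DER blobs of a Certificate message, leaf first (opaque bytes here)."""
    total = _u24(payload[:3])
    off, certs = 3, []
    while off < 3 + total:
        clen = _u24(payload[off:off + 3])
        off += 3
        certs.append(payload[off:off + clen])
        off += clen
    return certs


def summarize(data):
    """One dict per record / handshake message found in data."""
    found = []
    for ctype, ver, body in split_records(data):
        version = VERSIONS.get(ver, hex(ver))
        if ctype != 22:
            found.append({"record": CONTENT_TYPES.get(ctype, ctype), "version": version})
            continue
        for mtype, payload in split_handshakes(body):
            entry = {"record": "handshake", "version": version,
                     "message": HANDSHAKE_TYPES.get(mtype, mtype)}
            if mtype == 1:
                entry.update(parse_client_hello(payload))
            elif mtype == 11:
                entry["certificates"] = parse_certificate(payload)
            found.append(entry)
    return found


def build_handshake_record(version, messages):
    """Wrap (type, payload) messages in one handshake record (used for the sample)."""
    body = b"".join(bytes([t]) + _p24(len(p)) + p for t, p in messages)
    return struct.pack("!BHH", 22, version, len(body)) + body


# Constructed sample (assumption, not a capture): an SSLv3 ClientHello offering
# two suites, followed by a Certificate message with two placeholder blobs.
CLIENT_HELLO = (struct.pack("!H", 0x0300) + bytes(range(32)) + b"\x00"
                + struct.pack("!H", 4) + struct.pack("!HH", 0x000A, 0x002F)
                + b"\x01\x00")
FAKE_CERTS = [b"\x30\x82LEAF-PLACEHOLDER", b"\x30\x82CA-PLACEHOLDER"]
CERT_MSG = (_p24(sum(3 + len(c) for c in FAKE_CERTS))
            + b"".join(_p24(len(c)) + c for c in FAKE_CERTS))
SAMPLE = (build_handshake_record(0x0300, [(1, CLIENT_HELLO)])
          + build_handshake_record(0x0300, [(11, CERT_MSG)]))

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

To use it on real traffic, export the TCP payload of the DS-to-server stream from Wireshark (Follow TCP Stream, raw) or with tshark's `-T fields -e tcp.payload`, feed the bytes to summarize(), and write each blob from the certificate entry to a .der file for inspection with `openssl x509 -inform DER -text`. The parser deliberately treats certificates as opaque so it does not depend on any ASN.1 library.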
Sabresite Posted August 3, 2009
If someone wants to take a stab at faking the server's certificate using OpenSSL, please go for it. I think that would be our best bet, according to some academic papers online.
Scarface Posted August 4, 2009
Well, good luck to you two. If you can make this work I may have a heart attack or something. Let's hope we can get this to work.
derrick Posted August 5, 2009
This is going to be so awesome. I hope this isn't forgotten about, because for people who can't use AR most of the time this would be like a dream come true!!
LeoI Posted August 6, 2009
I have a DS with R4 (so I can play any version of Pokemon) and a router. I'm reading a good book about hacking/sniffing PC connections, so I can help you, although I'm still learning.
Sabresite Posted August 10, 2009
We can theoretically take the certificate and the private/public key and spoof the client. However, to get somewhere we would need to know how to respond to the packets. Debugging the game as it is running is still our best option.
LeoI Posted August 13, 2009
Maybe the iDeaS emulator can be used. I remember that it can debug the game while playing...
COBHC Posted August 14, 2009
Yeah, so someone might be able to host Pokemon events from their computer. That would be sweet. I could never figure out how to get my Deoxys GameStop event cart to work, so this would help a lot. You are right.
Jiggy-Ninja Posted August 15, 2009
Quoting LeoI: "Maybe the iDeaS emulator can be used. I remember that it can debug the game while playing..."
We need to debug it while connecting to Wi-Fi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger.
NTR-AAQE-USA Posted August 15, 2009
Quoting Jiggy-Ninja: "We need to debug it while connecting to Wi-Fi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger."
Hardware debugger? You have a lot of money, my friend.
Poryhack Posted August 15, 2009
I don't think he means an official box, if that's what you're getting at. The time and hardware required for a DIY debugger is still considerable, though.
Jiggy-Ninja Posted August 17, 2009
Quoting NTR-AAQE-USA: "Hardware debugger? You have a lot of money, my friend."
I said we need one, not that we have one.
evandixon Posted August 19, 2009
Quoting Jiggy-Ninja: "I said we need one, not that we have one."
Would a Trainer Toolkit work, or is that not what you are aiming for?
Poryhack Posted August 19, 2009
I brought that up to Sabre and the others, but it seems the debugging features are rather lacking compared to a "true" debugger.
LeoI Posted August 22, 2009
Quoting Jiggy-Ninja: "We need to debug it while connecting to Wi-Fi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger."
The iDeaS emulator has a plugin to connect wirelessly. I haven't ever tried it, so I don't know how to use it.
Jiggy-Ninja Posted August 22, 2009
Quoting LeoI: "The iDeaS emulator has a plugin to connect wirelessly. I haven't ever tried it, so I don't know how to use it."
SAY WTF!?!?!?
Quoting Poryhack: "I brought that up to Sabre and the others, but it seems the debugging features are rather lacking compared to a "true" debugger."
And unfortunately, the one I have doesn't work at all.
Poryhack Posted August 22, 2009
According to the iDeaS FAQ, the plugin does not actually allow you to connect to Wi-Fi.
Neo Posted August 22, 2009
Well, that sucks. The one on the website apparently can...
Wichu Posted August 23, 2009
Hmm... Once this is cracked, would it be possible to use this to let a simulator (such as Shoddy Battle) or a fangame connect to Nintendo's servers and battle against actual D/P/Pt carts? That would be quite interesting...