Nintendo WiFi Protocol Analysis

[evandixon]

The WFC is completely different then the GTS. Using the GTS is like searching through a website, its kind of weird.

With the WFC, its fairly straight foward:

The DS cartridge has a certificate for SSLv3, and it uses some type of information to salt a big number which is sent to the WFC server. A number is sent back to the DS as well. With these numbers, a private key and public key are generated on both ends. The public key the DS has is to encrypt the information that it sends. The private key is to decrypt the information that it receives.

Getting that certificate and salting algorithm is already in the ROM, somewhere.

It may be in the ARM9 file, so that would take a little bit to find.

[BarkingFrog]

... though I dont know if I have anything to grab packets and such ...

if just grab packets, use wireshark, or wpe pro..

use your router to get the destination address from NDS Wifi Connection, then sniff it use that tool.. somehow I manage to get the packets when trading through GTS, but I don't understand it.. *so i decided to abadon it*

Another way.. use router to find destination IP and Port, create a simple program to listen to that port.. change your Computer IP match the packet destination IP, use your router to redirect it..

hope help.. :bidoof::bidoof:

[Vlad]

If someone leans how SSL works ( http://en.wikipedia.org/wiki/Transport_Layer_Security#How_it_works ) this will be doable.

[Kaarosu]

Randomly poking around the overlay files from platinum I ran into these..they seem like certificates I think.

[Poryhack]

Randomly poking around the overlay files from platinum I ran into these..they seem like certificates I think.

Don't see what else they'd be, with names like that. Great find!

[Sabresite]

Randomly poking around the overlay files from platinum I ran into these..they seem like certificates I think.

I just shat and pissed my pants!

Edit: Okay this is slightly (and by slightly I mean really far away) from my skills, however from what I gather, we have two viable options here.

1) Jiggy and I will be working with SCV to make an ARDS code to clone the other person's pokemon during a trade on Wifi, while looking at their trading partner's pokemon's summary.

and the second, more long term project

2) We can use the certificate that kaarosu found to fake a server certificate. If the NDS does not employ sufficient verification of the certificate (or we fake that as well), we can do the following:

NDS <--- real NDS certificate, fake WFC server certificate --> Machine in the Middle <--- real certificate that NDS --> WFC

So the machine in the middle will have a plausible fake certificate which will decrypt the information to plaintext, then pass it using the real NDS certificate to the WFC. Then take the WFC information and decrypt it using the real NDS certificate, and encrypt it using the fake WFC certificate, then send it to the NDS. While complex/difficult, this is viable.

The end goal is to set up the wireless of the NDS manually so that the DNS server is that of a computer on the same wireless network. The computer will be set up with a custom program that will redirect the nintendo servers to itself, and then perform the machine in the middle as explained above. While the person is viewing their trading partner's pokemon, the pokemon itself will be extracted during the machine in the middle plaintext decryption from the WFC, and then displayed on the computer along with its legality.

Who is up for this challenge?

Edited August 3, 2009 by Sabresite

[AngelSL]

I has a quick look into this today, using a slightly different method. I was still using Wireshark for the packet-logging, but I was using a APR spoofer to intercept communications between the DS and router.

With this in place I went into the Global Trade Station in Jubilife City, connected to the GTS, deposited a Pokemon for trade and then searched for a couple of other Pokemon.

This fired off a load of connections to various servers owned by Akamai Technologies (a company that, amongst other things, provides network services for MMO games and such).

I haven't done any analysis on this yet as I'm having trouble getting Wireshark to give me any reasonable data beyond the packet headers?!

But, I didn't notice any UDP data flying around, which is different to AngelSI's findings. AngelSI: did we follow roughly the same procedure or were you trying to trade using the normal wireless communications (i.e. a non-GTS trade)?

If not, are you treating lower-level protocols such as ARP and DHCP as UDP. Anything relating to ARP, DHCP or ICMP can be disregarded - it's all standard connection and address negotiation stuff.

Andy

I'm not too sure, this was a long time ago. But yes I still have the equipment to sniff the data going through my PC (my PC acts as a wireless access point for my DS), so if you still need it, I can do it.

I'll check the pcaps.

EDIT: Yes, there were UDP stuff with Wireshark's description "Source port: xxx Destination port: xxx", and no I was NOT using the GTS

[Sabresite]

If someone wants to take a stab at faking the server's certificate using OpenSSL, please go for it. I think that would be our best bet, according to some academic papers online.

[Scarface]

Well good luck to you two if you can make this work i may have a heart attack or something lets hope we can get this to work

[derrick]

this is going to be so awsome i hope this isint forgoten about because for people who cant use ar most of the time this would be like a dream come true !!

[LeoI]

I have a DS with R4 (so I can play any version of pokemon) and a router.

I'm reading a good book about hacking/sniffing PC connections, so I can help you although I'm still learning.

[Sabresite]

We can theoretically take the certificate, and the private/public key and spoof the client. However to get somewhere we would need to know how to respond to the packets.

Debugging the game as it is running is still our best option.

[LeoI]

Maybe the iDeaS emulator can be used. I remember that it can debug the game while playing...

[COBHC]

yeah so someone might be able to host pokemon events two from there computer

that would be sweet i could never figuer out how to get my deoxys game stop event cart to work so this would help a lot

u r right

[Jiggy-Ninja]

Maybe the iDeaS emulator can be used. I remember that it can debug the game while playing...

We need to debug it while connecting to Wifi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger.

[NTR-AAQE-USA]

We need to debug it while connecting to Wifi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger.

Hardware debugger? You have a lot of money my friend. :tongue:

[Poryhack]

I don't think he means an official box, if that's what you're getting at. The time and hardware required for a DIY debugger is still considerable though.

[Jiggy-Ninja]

Hardware debugger? You have a lot of money my friend. :tongue:

I said we need one, not that we have one.

[evandixon]

I said we need one, not that we have one.

Would a Trainer Toolkit work, or is that not what you are aiming for?

[Poryhack]

I brought that up to Sabre and the others but it seems the debugging features are rather lacking compared to a "true" debugger.

[LeoI]

We need to debug it while connecting to Wifi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger.

The iDeaS emulator has a plugin to connect wirelessly. I haven't ever tried it, so I don't know how to use it.

[Jiggy-Ninja]

The iDeaS emulator has a plugin to connect wirelessly. I haven't ever tried it, so I don't know how to use it.

SAY WTF!?!?!?

---------- Post added at 12:20 PM ---------- Previous post was at 12:18 PM ----------

I brought that up to Sabre and the others but it seems the debugging features are rather lacking compared to a "true" debugger.

And unfortunately, the one I have doesn't work at all.

[Poryhack]

According to the iDeaS FAQ, the plugin does not actually allow you to connect to wifi.

[Neo]

Well that sucks. The one on the website apparently can...

[Wichu]

Hmm... Once this is cracked, would it be possible to use this to let a simulator (such as Shoddy Battle) or a fangame connect to Nintendo's servers, and battle against actual D/P/Pt carts? That would be quite interesting...