Jump to content

Nintendo WiFi Protocol Analysis

Recommended Posts

The WFC is completely different then the GTS. Using the GTS is like searching through a website, its kind of weird.

With the WFC, its fairly straight foward:

The DS cartridge has a certificate for SSLv3, and it uses some type of information to salt a big number which is sent to the WFC server. A number is sent back to the DS as well. With these numbers, a private key and public key are generated on both ends. The public key the DS has is to encrypt the information that it sends. The private key is to decrypt the information that it receives.

Getting that certificate and salting algorithm is already in the ROM, somewhere.

It may be in the ARM9 file, so that would take a little bit to find.

Link to comment
Share on other sites

  • Replies 71
  • Created
  • Last Reply

Top Posters In This Topic

... though I dont know if I have anything to grab packets and such ...

if just grab packets, use wireshark, or wpe pro..

use your router to get the destination address from NDS Wifi Connection, then sniff it use that tool.. somehow I manage to get the packets when trading through GTS, but I don't understand it.. *so i decided to abadon it*

Another way.. use router to find destination IP and Port, create a simple program to listen to that port.. change your Computer IP match the packet destination IP, use your router to redirect it..

hope help.. :bidoof::bidoof:

Link to comment
Share on other sites

Randomly poking around the overlay files from platinum I ran into these..they seem like certificates I think.

I just shat and pissed my pants!

Edit: Okay this is slightly (and by slightly I mean really far away) from my skills, however from what I gather, we have two viable options here.

1) Jiggy and I will be working with SCV to make an ARDS code to clone the other person's pokemon during a trade on Wifi, while looking at their trading partner's pokemon's summary.

and the second, more long term project

2) We can use the certificate that kaarosu found to fake a server certificate. If the NDS does not employ sufficient verification of the certificate (or we fake that as well), we can do the following:

NDS <--- real NDS certificate, fake WFC server certificate --> Machine in the Middle <--- real certificate that NDS --> WFC

So the machine in the middle will have a plausible fake certificate which will decrypt the information to plaintext, then pass it using the real NDS certificate to the WFC. Then take the WFC information and decrypt it using the real NDS certificate, and encrypt it using the fake WFC certificate, then send it to the NDS. While complex/difficult, this is viable.

The end goal is to set up the wireless of the NDS manually so that the DNS server is that of a computer on the same wireless network. The computer will be set up with a custom program that will redirect the nintendo servers to itself, and then perform the machine in the middle as explained above. While the person is viewing their trading partner's pokemon, the pokemon itself will be extracted during the machine in the middle plaintext decryption from the WFC, and then displayed on the computer along with its legality.

Who is up for this challenge?

Edited by Sabresite
Link to comment
Share on other sites

I has a quick look into this today, using a slightly different method. I was still using Wireshark for the packet-logging, but I was using a APR spoofer to intercept communications between the DS and router.

With this in place I went into the Global Trade Station in Jubilife City, connected to the GTS, deposited a Pokemon for trade and then searched for a couple of other Pokemon.

This fired off a load of connections to various servers owned by Akamai Technologies (a company that, amongst other things, provides network services for MMO games and such).

I haven't done any analysis on this yet as I'm having trouble getting Wireshark to give me any reasonable data beyond the packet headers?!

But, I didn't notice any UDP data flying around, which is different to AngelSI's findings. AngelSI: did we follow roughly the same procedure or were you trying to trade using the normal wireless communications (i.e. a non-GTS trade)?

If not, are you treating lower-level protocols such as ARP and DHCP as UDP. Anything relating to ARP, DHCP or ICMP can be disregarded - it's all standard connection and address negotiation stuff.


I'm not too sure, this was a long time ago. But yes I still have the equipment to sniff the data going through my PC (my PC acts as a wireless access point for my DS), so if you still need it, I can do it.

I'll check the pcaps.

EDIT: Yes, there were UDP stuff with Wireshark's description "Source port: xxx Destination port: xxx", and no I was NOT using the GTS

Link to comment
Share on other sites

We need to debug it while connecting to Wifi. No emulator has the ability to connect to WFC yet, which is why we need a hardware debugger.

The iDeaS emulator has a plugin to connect wirelessly. I haven't ever tried it, so I don't know how to use it.

Link to comment
Share on other sites

The iDeaS emulator has a plugin to connect wirelessly. I haven't ever tried it, so I don't know how to use it.

SAY WTF!?!?!?

---------- Post added at 12:20 PM ---------- Previous post was at 12:18 PM ----------

I brought that up to Sabre and the others but it seems the debugging features are rather lacking compared to a "true" debugger.

And unfortunately, the one I have doesn't work at all. :(

Link to comment
Share on other sites

Hmm... Once this is cracked, would it be possible to use this to let a simulator (such as Shoddy Battle) or a fangame connect to Nintendo's servers, and battle against actual D/P/Pt carts? That would be quite interesting...

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...