Jump to content

GTS: website research


Recommended Posts

By disabling https i was able to capture the data sent to nas.nintendowifi.net

Log1:

POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270
action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQwOTA3&devname=VgBlAHQAbABlAA**

Reply1:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:10:00 GMT
Connection: close
Server: GameCube
challenge=T0hYWlRHQlk*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTdkExY0crUWtRUUthWGx3ZFBmbjZHU0dnNFZuV1VyL1dhT3BLUHhzaXF4d3cvZzkrYVp6SEpLd3FrbGdsZ3lwYlp0ZVo4ZjBkWTc0UVcrbk5uRjJaVEE9PQ**&datetime=MjAxMDEyMTMxMzEwMDE*

Log2:

POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270
action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQxOTUy&devname=VgBlAHQAbABlAA**

Reply2:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:20:44 GMT
Connection: close
Server: GameCube
challenge=UjFTRkJPQVU*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTSHFSaWVKT1dKTmlOdzBmWnU4bER2Y1BDRnh4WWh2S2hTZzFjUnAwdzhSOGxGemVhSDF3U1BYZlVRdi9PTWF5clMwYlRmenprSkRYaWNxa0QxajR3SWc9PQ**&datetime=MjAxMDEyMTMxMzIwNDU*

Log3:

POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270
action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQyOTQ3&devname=VgBlAHQAbABlAA**

Reply3:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:30:40 GMT
Connection: close
Server: GameCube
challenge=MlBQWlJNRjc*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTdHkzRGFEcVBGdk9IY0dkd2tDMWtoOEhBMzlGMWVRM1JkT3RuMWJQRUtuajV2RnlHY3V6OGVSTzRENFZtdFljdzVKTjNJV0U1ODVrTGF2QkRhSERBVHc9PQ**&datetime=MjAxMDEyMTMxMzMwNDA*

?pid=160846812

Im using Pokemon platinum, ssid is linksys using wep with the password 6E0C9157B3

could this be used for something useful?

Link to comment
Share on other sites

  • Replies 652
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Nice flaw in their implementation of HTTPS.

Data is base64-encoded with "=" replaced with "*", so it is easy to decode.

Too bad it doesn't work for the wondercard server, indeed; it would have been really helpful.

Here are the decoded requests/replies (\x00 is the null-byte):

Log1:

POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270
action=login&gsbrcd=&sdkver=002002&userid=0956771976516&passwd=571&bssid=0014bfd9560b&apinfo=01:0000000-00&gamecd=CPUE&makercd=01&unitcd=0&macadr=001b7a5e8ada&lang=01&birth=091d&devtime=101213140907&devname=V\x00e\x00t\x00l\x00e\x00

Reply1:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:10:00 GMT
Connection: close
Server: GameCube
challenge=OHXZTGBY&locator=gamespy.com&retry=0&returncd=001&token=NDSvA1cG+QkQQKaXlwdPfn6GSGg4VnWUr/WaOpKPxsiqxww/g9+aZzHJKwqklglgypbZteZ8f0dY74QW+nNnF2ZTA==&datetime=20101213131001

Log2:

POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270
action=login&gsbrcd=&sdkver=002002&userid=0956771976516&passwd=571&bssid=0014bfd9560b&apinfo=01:0000000-00&gamecd=CPUE&makercd=01&unitcd=0&macadr=001b7a5e8ada&lang=01&birth=091d&devtime=101213141952&devname=V\x00e\x00t\x00l\x00e\x00

Reply2:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:20:44 GMT
Connection: close
Server: GameCube
challenge=R1SFBOAU&locator=gamespy.com&retry=0&returncd=001&token=NDSHqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==&datetime=20101213132045

Log3:

POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270
action=login&gsbrcd=&sdkver=002002&userid=0956771976516&passwd=571&bssid=0014bfd9560b&apinfo=01:0000000-00&gamecd=CPUE&makercd=01&unitcd=0&macadr=001b7a5e8ada&lang=01&birth=091d&devtime=101213142947&devname=V\x00e\x00t\x00l\x00e\x00

Reply3:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:30:40 GMT
Connection: close
Server: GameCube
challenge=2PPZRMF7&locator=gamespy.com&retry=0&returncd=001&token=NDSty3DaDqPFvOHcGdwkC1kh8HA39F1eQ3RdOtn1bPEKnj5vFyGcuz8eRO4D4VmtYcw5JN3IWE585kLavBDaHDATw==&datetime=20101213133040

The "token" value in replies is another base64-encoded value preceded by "NDS".

It is raw data when decoded, like random bytes.

Edited by M@T
Added decoded logs.
Link to comment
Share on other sites

after removing the static "NDS" from the token, it can be decoded using any base64 decoder.

NDSHqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==

>

HqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==

>

1e a4 62 78 3f 3f 24 d8 3f c3 47 d9 bb c9 43 bd		.¤bx??$Ø?ÃGÙ»ÉC½
c3 c2 17 1c 58 3f f2 a1 4a 0d 0a 5c 46 3f 30 f1		ÃÂ..X?ò¡J..\F?0ñ
1f 25 17 37 3f 1f 5c 12	3d 77 d4 42 ff ce 31 ac		.%.7?.\.=wÔBÿÎ1¬
ab 4b 46 d3 7f 3c e4 24	35 e2 72 a9 03 d6 3e 30		«KFÓ.<ä$5âr©.Ö>0
22							"

-

action (client)

Using the GTS only "login" is used here.

gsbrcd (client)

not assigned to a value.

sdkver (client)

sdkver tells the server what version of the Nitro SDK the game is using in the following format:

XXXYYY

where 2.2 is

002002

bssid (client)

mac address of your router where ":" is removed. mac address:

00:14:bf:d9:56:0b

becomes

0014bfd9560b

apinfo (client)

In the wifi menu, there is 3 diffrent AP's you can set, it starts counting from 0. format used:

XX:0000000-00

example when connected to the middle AP

01:0000000-00

i think the wifi connector will be id 3 but im not sure.

gamecd (client)

identifies the card by its ID, for pokemon platinum this is

CPUE

makercd (client)

The id of the game maker.

Nintendo uses id

01

unitcd (client)

0 says a lot.

macadr (client)

Sends the mac address where ":" is removed. mac address:

00:1b:7a:5e:8a:da

becomes

001b7a5e8ada

lang (client)

Your language. English is

01

devname (client)

Your name, where each character is followed by a null byte

V\x00e\x00t\x00l\x00e\x00

devtime (client)

microsecounds since adventure start?

-

challenge (server)

8 bytes long, mixed with numbers and upper case letters. - does not seem to be used later. might be used to verify the server.

changes even if the request from the client stays the same.

locator (server)

gamespy.com - something to do with the user agent used when using the gts?

might be requesting gamespy.com/download using https

token (server)

"NDS" + base64(random) - does not seem to be used later. might be used to verify the server.

changes even if the request from the client stays the same.

datetime (server)

NOTE: GMT

datetime displays the date and time when the request was sent formated like this:

YYYYMMDDHHMMSS

example:

20101216003946

NOTE: encrypt values with base64

Edited by Vetle
misread previous post
Link to comment
Share on other sites

  • 3 weeks later...

I downloaded hypergts the other day. I looked up how to go about using it and gave it a shot. I have no problem getting my IP address and inputting it into the DNS box. All ports have been forwarded properly and I double checked to make sure I did it correctly. Also my firewall isn't interfering in any way. The only issue I'm having is with hypergts itself. I can start the DNS without a problem however it will not let me start the GTS. I don't know if I'm using something wrong or what but it's driving me nuts. Any help would be greatly appreciated.

Link to comment
Share on other sites

  • 2 weeks later...
I wish soon we have a server working, i have been waiting for 2 months already and nothing out.

There are people working on it, You really need to have some patience. It took years for them to crack it on 4th Gen, we're lucky as it is that we can even send pokemon to our games

Link to comment
Share on other sites

  • 2 weeks later...
Hi everyone !

I made two VB.NET console applications, one for the DNS Server part, and the other for the Pokémon sending part (fake GTS).

It was ready for quite a while, but I couldn't test it until Saturday.

Now it's been tested and it works well, I was able to send a Pokémon to a friend of mine across the Internet without problem.

I made the GTS server working with threads, so several connections are possible simultaneously.

It is mainly a copypasta of the Python script, but it can be easily improved and included in a window application.

For example, I was planning to make a GUI that would include the ability to make a list of Pokémon to send.

I attached a ZIP file containing the sources and the binaries of the two programs.

Thanks a lot for that. A friend of mine was looking for something like this.

Link to comment
Share on other sites

Regarding the new Black & White GTS...

I've managed to get the details how the games and the server are communicating ;)

Which are the following:

  • Checksum is XORed with 0x2db842b2 instead of 0x4a3b2c1d
  • Hash is calculated from SHA1("HZEdGCzcGGLvguqUEKQN" + token) instead of "sAdeqWo3voLeC5r16DYv" + token
  • The request from the DS to the BW server is not encrypted (unlike the GRNG with the checksum as seed in DPPt)
  • Length of the request is 0x0E or 0x0F:
    • 0x00 - 0x03: PID Trainer
    • 0x04 - 0x07: Total length of the following statements
    • 0x08 - 0x09: Pokémon ID
    • 0x0A: Gender
    • 0x0B: Min. Level
    • 0x0C: Max. Level
    • 0x0D: Unknown
    • 0x0E: Total results
    • 0x0F: Country

    [*]Host for BW is the same as DPPt: http://gamestats2.gs.nintendowifi.net/

    [*]Root directory is different: /syachi2ds/web/worldexchange/

    [*]Game ID of Black is 0x14, White is 0x15.

    [*]GTS return data is 296 bytes:

    • 0x000 - 0x001: unknown (2 bytes)
    • 0x002 - 0x0DD: Pokémon data (220 bytes)
    • 0x0DE - 0x0ED: unknown (always zero?) (16 bytes)
    • 0x0EE - 0x127: GTS specific data (58 bytes)
      • The only difference is:
      • 0x20 - 0x21: Trainer ID
      • 0x22 - 0x23: Secret ID
      • 0x24 - 0x33: Trainer Name
      • For everything behind this point, add 0x02 to the DPPt server

Have fun with it!

Oh... if someone's interested, I've created a program which can search the GTS for a Pokémon like the game itself does. It's B&W compatible as well.

Grtzz!!

Grovyle91

P.S.: For anyone who's using my Mystery Gift Editor, I'm sorry I've been absent for the last six (?) months. Due some personal reasons I wasn't able to be online and fully working on the final version.

Could you post that program please? I am interested.

Link to comment
Share on other sites

  • 3 weeks later...

Just dropping a little note because of a problem I had (and solved), so that others might not have the same problem:

GTS wouldn't start because port 80 was supposedly being used, netstat gave me PID4, and then tasklist gave me SYSTEM (not very useful).

Long story short, it was World Wide Web Publishing Service (W3SVC) that was occupying the port. Disabled the service and the GTS started - no problem.

While you may not be hosting any webpages or anything, you may not notice that service is running in the background (possibly the computer is second-hand and came with the OS installed already and the service was running, or you simply turned it on at some point by accident somehow), so might be worth checking for.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...