GTS: website research

Weird first post, I know, I know.

But I downloaded the HyperGTS and it works great.

The thing is, it has been said on this topic that it was only meant for a single user.

Is there any reason I shouldn't use this for other people?

I thought it would be a great way to give a friend a gift when we have different schedules, etc.

Thanks.

Edited by Deutscher
formatting issue

That would be pretty hard. We'd need to get a private key that matches the public key the DS has (either that or we figure out how to change the certificate in the ROM, but that would be pointless, since if you can load a hacked ROM, ...). (and no it's not possible to get a private key from a public key). Best chance we have is brute forcing the key.

http://en.wikipedia.org/wiki/Transport_Layer_Security#Security. The DS<->GTS would fall under the first few applications there.

Are you sure the public key is hardcoded into the ROM? That would prevent them from ever changing the server's certificate right?

EDIT: You can probably disregard that. I'm still trying to get educated on SSL and I assumed you were talking about the server's public key. Now I see that the certificate is signed and you must've meant the signer's (Nintendo CA's) public key. So what the DS should/probably does check is that the certificate is signed by Ninty? Just wanna make sure I've got that right.

Edited by Poryhack

Is there any way to backup Pokéwalker courses and send them back to your DS? I'm planning to restart my game. I wanted to share, but since Yellow Forest isn't shareable I can't. Looks like some people need to work on getting the SSL certificate or make a fake one that acts like the real one.


Hello everyone.

I am new to the forum and I have a problem. It's embarrassing but I am a bit desperate and I hope you can help me.

You see, I exchanged an Empoleon with Hyper GTS, and everything seemed normal until I checked the Pokémon. Its status and Lv are distorted, plus it has a Ball Capsule stuck on it. I cannot move it to the PC and I cannot release it.

I checked the .pkm file and the configuration is correct, there should have been no error.

What can I do? Is there any way to remove the Ball Capsule, or delete that Pokémon?


I've looked at some packets from the Mystery Gift/Wonder Card and I didn't see anything to lead me to believe that it's using SSL. However, it could be the software I'm using, which is Wireshark.

You're doing something wrong. There will be a DNS query for dls1.nintendowifi.net; this is the mystery gift server. Shortly after that will be an SSLv3 handshake and then 2+ frames of encrypted application data.


Are you sure the public key is hardcoded into the ROM? That would prevent them from ever changing the server's certificate right?

EDIT: You can probably disregard that. I'm still trying to get educated on SSL and I assumed you were talking about the server's public key. Now I see that the certificate is signed and you must've meant the signer's (Nintendo CA's) public key. So what the DS should/probably does check is that the certificate is signed by Ninty? Just wanna make sure I've got that right.

My guess is that they do this: (as quoted from wikipedia)

# The client may use the certificate authority's (CA's) public key to validate the CA's digital signature of the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.

# The client verifies that the issuing CA is on its list of trusted CAs.

Nintendo or GameFreak would thus be the 'trusted CA'.


My guess is that they do this: (as quoted from wikipedia)

# The client may use the certificate authority's (CA's) public key to validate the CA's digital signature of the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.

# The client verifies that the issuing CA is on its list of trusted CAs.

Nintendo or GameFreak would thus be the 'trusted CA'.

Alright, that's what I thought.

Trying to bruteforce a key seems to be a fool's errand. What we should go after isn't SSL itself but GAMEFREAK's implementation of it. I have two ideas:

This first one is more just wishful thinking than anything, because it shouldn't work, but since it's a DS game we're talking about and not a web browser I'll allow myself the glimmer of hope. The DS tells the server that it supports the cipher suites RSA_WITH_RC4_128_MD5 and RSA_WITH_RC4_128_SHA, and the genuine Nintendo server selects MD5. I wonder what would happen if a fake server sent back the default/non-encrypted cipher suite NULL_WITH_NULL_NULL as its selection. Any SSL implementation worth using would terminate the connection at this point, but there's not any guarantee that one of the Pokémon games would. On the incredibly low chance that that works, we could send the DS an unmodified version of the real server's certificate and it would start sending data assuming that it's secure from everyone but the real server. Of course it wouldn't be, though, and we could send replies back without worrying about keys.

The second one I believe is a very real possibility, but not without someone who can do some disassembler work to lay the foundation (not me lol). We know that the Pokémon games use RNGs that aren't really all that random. In fact they're so predictable people abuse them all the time to get the PIDs and IVs they want. A "secure" RNG is critical to the effective use of SSL because the pre-master secret is nothing but a random number encrypted with the server's public key. We need that number decrypted on the server side, which should only be possible with the server's private key, but since we can probably predict what the number is via a program like RNG Reporter (but set up to figure out this new RNG of course, assuming it is even a different RNG), we have the rest of the connection at our fingertips.

Thoughts anyone?

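The first idea above hinges on whether the client validates what the server picks. A correct SSL/TLS client rejects a ServerHello whose cipher suite it never offered, and refuses null-encryption suites even if it somehow did offer them. The following is an added illustration, not code from this thread or from any Nintendo/GameFreak software: a stdlib-only Python parser for a ServerHello record plus the acceptance check a client should apply. The cipher suite numbers are the IANA-registered values (0x0004 and 0x0005 are the two suites the DS is said to offer; 0x0000 is NULL_WITH_NULL_NULL); the offered-suite set, the helper names and the test messages are constructed here for illustration.

```python
"""Minimal SSLv3/TLS ServerHello acceptance check (added example, stdlib only).

Constructed messages only; no network I/O. Cipher suite numbers are the
IANA-registered values; the helpers and the offered set are hypothetical.
"""
import struct

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02

# IANA cipher suite identifiers named in the thread, plus the other null suites.
SUITE_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
NULL_SUITES = {0x0000, 0x0001, 0x0002}

# What the DS is said to offer in the thread (constructed set for this example).
DS_OFFERED = {0x0004, 0x0005}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; raise ValueError on any malformation."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_HANDSHAKE:
        raise ValueError(f"not a handshake record (type 0x{content_type:02x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("record length does not match payload")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type})")
    hello = body[4:4 + hs_len]
    # Smallest legal ServerHello: version(2) random(32) sid_len(1) suite(2) compression(1)
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("handshake length does not match payload")
    version = (hello[0], hello[1])
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len + 3:
        raise ValueError("bad session_id length")
    pos = 35 + sid_len
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {
        "version": version,
        "random": hello[2:34],
        "session_id": hello[35:pos],
        "cipher_suite": cipher_suite,
        "compression": hello[pos + 2],
    }


def check_server_hello(record: bytes, offered: set, min_version=(3, 0)):
    """Return (accepted, reason). A client must abort the handshake unless every check passes."""
    try:
        hello = parse_server_hello(record)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if hello["version"] < min_version:
        return False, f"version {hello['version']} below minimum {min_version}"
    suite = hello["cipher_suite"]
    name = SUITE_NAMES.get(suite, f"0x{suite:04x}")
    if suite not in offered:
        return False, f"server selected {name}, which the client never offered"
    if suite in NULL_SUITES:
        return False, f"server selected null-encryption suite {name}"
    return True, f"accepted {name}"


def build_server_hello(cipher_suite: int, version=(3, 0)) -> bytes:
    """Constructed ServerHello record for testing; random and session_id are dummies."""
    hello = bytes(version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Genuine choice, null downgrade, and a suite the client never offered.
    for suite in (0x0004, 0x0000, 0x002F):
        print(check_server_hello(build_server_hello(suite), DS_OFFERED))
```

The order of the checks matters: the null-suite test is reached only when the suite was actually offered, so a ServerHello naming NULL_WITH_NULL_NULL against the DS's offer list fails the earlier "never offered" check first. Either way the client must drop the connection rather than proceed with the handshake.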

Alright, that's what I thought.

Trying to bruteforce a key seems to be a fool's errand. What we should go after isn't SSL itself but GAMEFREAK's implementation of it. I have two ideas:

This first one is more just wishful thinking than anything, because it shouldn't work, but since it's a DS game we're talking about and not a web browser I'll allow myself the glimmer of hope. The DS tells the server that it supports the cipher suites RSA_WITH_RC4_128_MD5 and RSA_WITH_RC4_128_SHA, and the genuine Nintendo server selects MD5. I wonder what would happen if a fake server sent back the default/non-encrypted cipher suite NULL_WITH_NULL_NULL as its selection. Any SSL implementation worth using would terminate the connection at this point, but there's not any guarantee that one of the Pokémon games would. On the incredibly low chance that that works, we could send the DS an unmodified version of the real server's certificate and it would start sending data assuming that it's secure from everyone but the real server. Of course it wouldn't be, though, and we could send replies back without worrying about keys.

The second one I believe is a very real possibility, but not without someone who can do some disassembler work to lay the foundation (not me lol). We know that the Pokémon games use RNGs that aren't really all that random. In fact they're so predictable people abuse them all the time to get the PIDs and IVs they want. A "secure" RNG is critical to the effective use of SSL because the pre-master secret is nothing but a random number encrypted with the server's public key. We need that number decrypted on the server side, which should only be possible with the server's private key, but since we can probably predict what the number is via a program like RNG Reporter (but set up to figure out this new RNG of course, assuming it is even a different RNG), we have the rest of the connection at our fingertips.

Thoughts anyone?

The first way will never work (unless you use the hosts file to spoof the domain AND manage to get the DS to transmit unencrypted).

The second way is more plausible, but we still need to get past the problem of the certificate.


The first way will never work (unless you use the hosts file to spoof the domain AND manage to get the DS to transmit unencrypted).

The second way is more plausible, but we still need to get past the problem of the certificate.

As for the first one, I thought it was a given that we have to redirect traffic to the local machine (or maybe a remote one eventually) for ANY solution. It's not hard to do. I do have my doubts that the DS won't crash or something when it is told by the server to use no encryption though.

And for the second one, I don't think we do. Correct me if I'm wrong but we should be able to send the certificate without any modifications. Because we already know what the decrypted pre-master secret is (via RNG prediction) there is no need for the server's private key to figure it out. After that the entire connection is ours because everything stems from the pre-master secret.


Exactly, which means we now need to find someone willing to try the first method. I don't have the experience required to pull off such a trick; however, I'm sure someone here does.

As for the second method, it sounds like it'll be less complicated but still have more things that can go wrong. The first method is as simple as "It works or it doesn't."


As for the first one, I thought it was a given that we have to redirect traffic to the local machine (or maybe a remote one eventually) for ANY solution. It's not hard to do. I do have my doubts that the DS won't crash or something when it is told by the server to use no encryption though.

And for the second one, I don't think we do. Correct me if I'm wrong but we should be able to send the certificate without any modifications. Because we already know what the decrypted pre-master secret is (via RNG prediction) there is no need for the server's private key to figure it out. After that the entire connection is ours because everything stems from the pre-master secret.

After doing more reading, I see what you mean - we figure out the premaster secret, and then just give the cert Nintendo uses.


Exactly. =D

nicholas on IRC has said he might give the first method a shot. I'd like to try myself regardless, and I've been putting off solidly learning a programming language for too long. Not that writing something stupid like this would make it "solid" but it's a step in the right direction. Hopefully somebody can step in to help with the RNG because even if I were to start now I doubt I could figure that out in the foreseeable future. =/


Exactly. =D

nicholas on IRC has said he might give the first method a shot. I'd like to try myself regardless, and I've been putting off solidly learning a programming language for too long. Not that writing something stupid like this would make it "solid" but it's a step in the right direction. Hopefully somebody can step in to help with the RNG because even if I were to start now I doubt I could figure that out in the foreseeable future. =/

I'm sure magical or someone else can figure out the RNG.

If not we can find someone who knows ARM assembly.. if not I'll see what I can do.

Method 1 should be easy: Packetlog the DS, then recreate that packetlog except screwing with the selected cipher. We'll need to see if Apache (I'm assuming the SSL part is HTTPS) works with it; if not we can try to write our own.


Check your firewall, you may need to disable it.

I have already tried it with the firewall disabled, but it still doesn't work. :frown:

Note: I have Avast for firewall and virus protection.

Also, I am using Pokémon SoulSilver.

Edited by dsdude

I'm using HyperGTS and I inputted my computer's IP Address into the required spot. I've started the DNS and GTS. How do I find out what DNS I put into my DS?

Thanks!

Your computer's IP address is what you put in for your DNS on your DS.
