Vetle
Posts: 17
Posts posted by Vetle
-
The URL is sent to the client as
svchost=ZGxzMS5uaW50ZW5kb3dpZmkubmV0
Decoding the base64 encrypted string gives you
dls1.nintendowifi.net
It would be possible to hex edit it to use http but, as you said,
"I've tried connecting to it without SSL before and it will refuse the connection, sadly."
The server itself does not use http.
One possible solution would be to make a DNS and a fake https server working like a proxy that redirects any data to the actual server while logging actions.
Edit: At 0x0014e4c4-0x0014e4d6 it says
https://%s/download
which is the URL it requests.
Also, some lines below I found the string
BE, GlobalSign nv-sa, Root CA, GlobalSign Root CA
followed by
da 0e e6 99 8d ce a3 e3 4f 8a 7e fb f1 8b 83 25 6b ea 48 1f f1 2a b0 b9 95 11 04 bd f0 63 d1 e2 67 66 cf 1c dd cf 1b 48 2b ee 8d 89 8e 9a af 29 80 65 ab e9 c7 2d 12 cb ab 1c 4c 70 07 a1 3d 0a 30 cd 15 8d 4f f8 dd d4 8c 50 15 1c ef 50 ee c4 2e f7 fc e9 52 f2 91 7d e0 6d d5 35 30 8e 5e 43 73 f2 41 e9 d5 6a e3 b2 89 3a 56 39 38 6f 06 3c 88 69 5b 2a 4d c5 a7 54 b8 6c 89 cc 9b f9 3c ca e5 fd 89 f5 12 3c 92 78 96 d6 dc 74 6e 93 44 61 d1 8d c7 46 b2 75 0e 86 e8 19 8a d5 6d 6c d5 78 16 95 a2 e9 c8 0a 38 eb f2 24 13 4f 73 54 93 13 85 3a 1b bc 1e 34 b5 8b 05 8c b9 77 8b b1 db 1f 20 91 ab 09 53 6e 90 ce 7b 37 74 b9 70 47 91 22 51 63 16 79 ae b1 ae 41 26 08 c8 19 2b d1 46 aa 48 d6 64 2a d7 83 34 ff 2c 2a c1 6c 19 43 4a 07 85 e7 d3 7c f6 21 68 ef ea f2 52 9f 7f 93 90 cf 01 00 01 00 d4 67 21 02 00 01 00 00 0c 68 21 02 03
which might be the private key
just below:
IE, Baltimore, CyberTrust, Baltimore CyberTrust Root
a3 04 bb 22 ab 98 3d 57 e8 26 72 9a b5 79 d4 29 e2 e1 e8 95 80 b1 b0 e3 5b 8e 2b 29 9a 64 df a1 5d ed b0 09 05 6d db 28 2e ce 62 a2 62 fe b4 88 da 12 eb 38 eb 21 9d c0 41 2b 01 52 7b 88 77 d3 1c 8f c7 ba b9 88 b5 6a 09 e7 73 e8 11 40 a7 d1 cc ca 62 8d 2d e5 8f 0b a6 50 d2 a8 50 c3 28 ea f5 ab 25 87 8a 9a 96 1c a9 67 b8 3f 0c d5 f7 f9 52 13 2f c2 1b d5 70 70 f0 8f c0 12 ca 06 cb 9a e1 d9 ca 33 7a 77 d6 f8 ec b9 f1 68 44 42 48 13 d2 c0 c2 a4 ae 5e 60 fe b6 a6 05 fc b4 dd 07 59 02 d4 59 18 98 63 f5 a5 63 e0 90 0c 7d 5d b2 06 7a f3 85 ea eb d4 03 ae 5e 84 3e 5f ff 15 ed 69 bc f9 39 36 72 75 cf 77 52 4d f3 c9 90 2c b9 3d e5 c9 23 53 3f 1f 24 98 21 5c 07 99 29 bd c6 3a ec e7 6e 86 3a 6b 97 74 63 33 bd 68 18 31 f0 78 8d 76 bf fc 9e 8e 5d 2a 86 a7 4d 90 dc 27 1a 39 01 00 01 00 24 69 21 02 80 00 00 00 74 69 21 02 03
and:
US, GTE Corporation, GTE CyberTrust Solutions, Inc., GTE CyberTrust Global Root
95 0f a0 b6 f0 50 9c e8 7a c7 88 cd dd 17 0e 2e b0 94 d0 1b 3d 0e f6 94 c0 8a 94 c7 06 c8 90 97 c8 b8 64 1a 7a 7e 6c 3c 53 e1 37 28 73 60 7f b2 97 53 07 9f 53 f9 6d 58 94 d2 af 8d 6d 88 67 80 e6 ed b2 95 cf 72 31 ca a5 1c 72 ba 5c 02 e7 64 42 e7 f9 a9 2c d6 3a 0d ac 8d 42 aa 24 01 39 e6 9c 3f 01 85 57 0d 58 87 45 f8 d3 85 aa 93 69 26 85 70 48 80 3f 12 15 c7 79 b4 1f 05 2f 3b 62 99 01 00 01 00 0c 6a 21 02 80 00 00 00 38 6a 21 02 03
next:
US, GTE Corporation, GTE CyberTrust Root
b8 e6 4f ba db 98 7c 71 7c af 44 b7 d3 0f 46 d9 64 e5 93 c1 42 8e c7 ba 49 8d 35 2d 7a e7 8b bd e5 05 31 59 c6 b1 2f 0a 0c fb 9f a7 3f a2 09 66 84 56 1e 37 29 1b 87 e9 7e 0c ca 9a 9f a5 7f f5 15 94 a3 d5 a2 46 82 d8 68 4c d1 37 15 06 68 af bd f8 b0 b3 f0 29 f5 95 5a 09 16 61 77 0a 22 25 d4 4f 45 aa c7 bd e5 96 df f9 d4 a8 8e 42 cc 24 c0 1e 91 27 4a b5 6d 06 80 63 39 c4 a2 5e 38 03 01 00 01 00 d0 6a 21 02 80 00 00 00 20 6b 21 02 03
US:
US, Washington, Nintendo of America Inc, NOA, Nintendo CA, ca@noa.nintendo.com
b3 cd 79 97 77 5d 8a af 86 a8 e8 d7 73 1c 77 df 10 90 1f 81 f8 41 9e 21 55 df bc fc 63 fb 19 43 f1 f6 c4 72 42 49 bd ad 44 68 4e f3 da 1d e6 4d d8 f9 59 88 dc ae 3e 9b 38 09 ca 7f ff dc 24 a2 44 78 78 49 93 d4 84 40 10 b8 ec 3e db 2d 93 c8 11 c8 fd 78 2d 61 ad 31 ae 86 26 b0 fd 5a 3f a1 3d bf e2 4b 49 ec ce 66 98 58 26 12 c0 fb f4 77 65 1b ea fb cb 7f e0 8c cb 02 a3 4e 5e 8c ea 9b 01 00 01 00 38 6c 21 02 80 00 00 00 b8 6b 21 02 03
last:
Western Cape, Cape Town, Thawte Consulting cc, Certification Services Division, Thawte Server CA, server-certs@thawte.com
d3 a4 50 6e c8 ff 56 6b e6 cf 5d b6 ea 0c 68 75 47 a2 aa c2 da 84 25 fc a8 f4 47 51 da 85 b5 20 74 94 86 1e 0f 75 c9 e9 08 61 f5 06 6d 30 6e 15 19 02 e9 52 c0 62 db 4d 99 9e e2 6a 0c 44 38 cd fe be e3 64 09 70 c5 fe b1 6b 29 b6 2f 49 c8 3b d4 27 04 25 10 97 2f e7 90 6d c0 28 42 99 d7 4c 43 de c3 f5 21 6d 54 9f 5d c3 58 e1 c0 e4 d9 5b b0 b8 dc b4 7b df 36 3a c2 b5 66 22 12 d6 87 0d 01 00 01 00 70 6e 21 02 80 00 00 00 f0 6d 21 02 03
I'm not sure if the certificate continues after the three nulls, so I didn't remove them.
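Read as a record, each blob above is a big-endian RSA modulus followed by 01 00 01 (65537, the standard RSA public exponent): this is the public-key material a client keeps in its trust store to verify the server's certificate chain, and none of the private components (d, p, q) are present. The following is an added example, not code from this thread, that parses the GTE CyberTrust Global Root record copied verbatim from the dump above. The layout I give the 17 trailing bytes (exponent, pointer, modulus length, pointer, 0x03) is my own inference from the dumps, not documented anywhere; the check that the length field equals the size of the bytes before it is what makes that reading consistent.

```python
import struct

# Record dumped on the page right after the
# "US, GTE Corporation, GTE CyberTrust Solutions, Inc., GTE CyberTrust Global Root"
# subject line, copied verbatim (bytes.fromhex ignores the whitespace).
GTE_GLOBAL_ROOT_RECORD = bytes.fromhex("""
95 0f a0 b6 f0 50 9c e8 7a c7 88 cd dd 17 0e 2e b0 94 d0 1b 3d 0e f6 94
c0 8a 94 c7 06 c8 90 97 c8 b8 64 1a 7a 7e 6c 3c 53 e1 37 28 73 60 7f b2
97 53 07 9f 53 f9 6d 58 94 d2 af 8d 6d 88 67 80 e6 ed b2 95 cf 72 31 ca
a5 1c 72 ba 5c 02 e7 64 42 e7 f9 a9 2c d6 3a 0d ac 8d 42 aa 24 01 39 e6
9c 3f 01 85 57 0d 58 87 45 f8 d3 85 aa 93 69 26 85 70 48 80 3f 12 15 c7
79 b4 1f 05 2f 3b 62 99 01 00 01 00 0c 6a 21 02 80 00 00 00 38 6a 21 02
03
""")

# ASSUMED trailer layout, inferred from the dumps on the page (not from any
# Nintendo documentation):
#   u32le exponent    01 00 01 00 -> 65537, the usual RSA public exponent
#   u32le pointer     0c 6a 21 02 -> 0x02216a0c
#   u32le length      80 00 00 00 -> 128 = size of the modulus in bytes
#   u32le pointer     38 6a 21 02 -> 0x02216a38
#   u8    terminator  03
TRAILER = struct.Struct("<IIIIB")


def parse_key_record(record: bytes) -> dict:
    """Split one trust-store record into its RSA modulus and trailer fields."""
    if len(record) <= TRAILER.size:
        raise ValueError("record shorter than the assumed trailer")
    modulus = record[: -TRAILER.size]
    exponent, ptr_a, declared_len, ptr_b, terminator = TRAILER.unpack(
        record[-TRAILER.size:]
    )
    n = int.from_bytes(modulus, "big")
    return {
        "modulus_len": len(modulus),
        "modulus_bits": n.bit_length(),
        "declared_len": declared_len,
        "exponent": exponent,
        "pointers": (ptr_a, ptr_b),
        "terminator": terminator,
        # Everything an RSA public key consists of (n, e) and nothing a private
        # key would add (d, p, q): a consistent record is public-key material.
        "looks_like_public_key": (
            declared_len == len(modulus)
            and exponent == 65537
            and n % 2 == 1                 # an RSA modulus is a product of odd primes
            and modulus[0] & 0x80 != 0     # full-width modulus (1024 or 2048 bits)
            and terminator == 0x03
        ),
    }


if __name__ == "__main__":
    for key, value in parse_key_record(GTE_GLOBAL_ROOT_RECORD).items():
        print(f"{key:>22}: {value}")
```

For the two GTE records, the Nintendo CA record and the Thawte record the length field reads 80 00 00 00 (128 bytes, a 1024-bit modulus); for the GlobalSign and Baltimore records it reads 00 01 00 00 (256 bytes, 2048-bit), so the same function handles both sizes. The two pointer values (0x02216a0c and 0x02216a38 here) fall in the 0x02000000 region that is the DS main RAM, which is why I read them as pointers; that, too, is an assumption.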
-
-
After removing the static "NDS" from the token, it can be decoded using any base64 decoder.
NDSHqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==
>
HqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==
>
1e a4 62 78 3f 3f 24 d8 3f c3 47 d9 bb c9 43 bd  .¤bx??$Ø?ÃGÙ»ÉC½
c3 c2 17 1c 58 3f f2 a1 4a 0d 0a 5c 46 3f 30 f1  ÃÂ..X?ò¡J..\F?0ñ
1f 25 17 37 3f 1f 5c 12 3d 77 d4 42 ff ce 31 ac  .%.7?.\.=wÔBÿÎ1¬
ab 4b 46 d3 7f 3c e4 24 35 e2 72 a9 03 d6 3e 30  «KFÓ.<ä$5âr©.Ö>0
22                                               "
-
action (client)
Using the GTS, only "login" is used here.
gsbrcd (client)
not assigned to a value.
sdkver (client)
sdkver tells the server what version of the Nitro SDK the game is using in the following format:
XXXYYY
where 2.2 is
002002
bssid (client)
MAC address of your router with ":" removed. MAC address:
00:14:bf:d9:56:0b
becomes
0014bfd9560b
apinfo (client)
In the WiFi menu there are 3 different APs you can set; it starts counting from 0. Format used:
XX:0000000-00
example when connected to the middle AP
01:0000000-00
I think the WiFi connector will be ID 3 but I'm not sure.
gamecd (client)
Identifies the card by its ID; for Pokémon Platinum this is
CPUE
makercd (client)
The id of the game maker.
Nintendo uses id
01
unitcd (client)
0 says a lot.
macadr (client)
Sends the MAC address with ":" removed. MAC address:
00:1b:7a:5e:8a:da
becomes
001b7a5e8ada
lang (client)
Your language. English is
01
devname (client)
Your name, where each character is followed by a null byte
V\x00e\x00t\x00l\x00e\x00
devtime (client)
Microseconds since adventure start?
-
challenge (server)
8 bytes long, a mix of numbers and upper-case letters. Does not seem to be used later; might be used to verify the server.
changes even if the request from the client stays the same.
locator (server)
gamespy.com - something to do with the user agent used when using the gts?
might be requesting gamespy.com/download using https
token (server)
"NDS" + base64(random) - does not seem to be used later. might be used to verify the server.
changes even if the request from the client stays the same.
datetime (server)
NOTE: GMT
datetime displays the date and time when the request was sent, formatted like this:
YYYYMMDDHHMMSS
example:
20101216003946
NOTE: encrypt values with base64
-
Asking for a wondercard, no wondercard found.
Request1:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBj&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjE0MDExNTE2&devname=VgBlAHQAbABlAA**
Reply1:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Tue, 14 Dec 2010 00:15:31 GMT
Connection: close
Server: GameCube

challenge=Wk9OOVcwTEY*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTZXZ2L0ZjOGoreWdma3NXcndCeWJZMEhieDQ1RlQzdmRZUFZVZ2QvRWllUElxU0FoT2x0cWtFVjZhMW84djEzRityemoxTG5KSEhNRlJGaHhhVWV1ZkE9PQ**&datetime=MjAxMDEyMTQwMDE1MzE*
Request 1.2:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 275

sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBj&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjE0MDExNTE3&devname=VgBlAHQAbABlAA**&action=U1ZDTE9D&svc=OTAwMA**
Reply 1.2:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 243
Date: Tue, 14 Dec 2010 00:16:09 GMT
Connection: close
Server: GameCube

retry=MA**&returncd=MDA3&servicetoken=bU5tRmFjYXY3M2hGMnpyVDd4UkdyRDFrcjVoTDFtQWd5a2VoTWsrTWpGUlh0Z045NFd3bklRSE82VTVOV01lNnFST3VwU2c2Q2tuN0NmTzBSYWwxVVE9PQ**&statusdata=WQ**&svchost=ZGxzMS5uaW50ZW5kb3dpZmkubmV0&datetime=MjAxMDEyMTQwMDE2MDk*
-
By using a hex editor I replaced
https://nas.nintendowifi.net/ac
with
http://nas.nintendowifi.net/ac + 00 byte at the end
The server itself has both http and https enabled and doesn't seem to care which one you use.
-
By disabling https I was able to capture the data sent to nas.nintendowifi.net
Log1:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQwOTA3&devname=VgBlAHQAbABlAA**
Reply1:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:10:00 GMT
Connection: close
Server: GameCube

challenge=T0hYWlRHQlk*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTdkExY0crUWtRUUthWGx3ZFBmbjZHU0dnNFZuV1VyL1dhT3BLUHhzaXF4d3cvZzkrYVp6SEpLd3FrbGdsZ3lwYlp0ZVo4ZjBkWTc0UVcrbk5uRjJaVEE9PQ**&datetime=MjAxMDEyMTMxMzEwMDE*
Log2:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQxOTUy&devname=VgBlAHQAbABlAA**
Reply2:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:20:44 GMT
Connection: close
Server: GameCube

challenge=UjFTRkJPQVU*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTSHFSaWVKT1dKTmlOdzBmWnU4bER2Y1BDRnh4WWh2S2hTZzFjUnAwdzhSOGxGemVhSDF3U1BYZlVRdi9PTWF5clMwYlRmenprSkRYaWNxa0QxajR3SWc9PQ**&datetime=MjAxMDEyMTMxMzIwNDU*
Log3:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQyOTQ3&devname=VgBlAHQAbABlAA**
Reply3:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:30:40 GMT
Connection: close
Server: GameCube

challenge=MlBQWlJNRjc*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTdHkzRGFEcVBGdk9IY0dkd2tDMWtoOEhBMzlGMWVRM1JkT3RuMWJQRUtuajV2RnlHY3V6OGVSTzRENFZtdFljdzVKTjNJV0U1ODVrTGF2QkRhSERBVHc9PQ**&datetime=MjAxMDEyMTMxMzMwNDA*
?pid=160846812
I'm using Pokemon Platinum, SSID is linksys using WEP with the password 6E0C9157B3
Could this be used for something useful?
-
DSTwo saves in the raw format forced 512KB using the extension .sav
-
Btw made this (for fun) http://ziuo.net/portforward
But what if you browse the internet? How does the router know what PC to send it to?
-
-
Still bugs in this version but overall it works for distribution. You get the idea at least, one is for DNS other is for the actual server ....
I was mainly looking for the logging feature, as I already have a XAMPP server set up.
-
I've played around a bit with this myself, thanks to the sample DNS server script LordLandon submitted, and after some Python quick courses I managed to make a simple DNS redirect .py script that simply redirects all GTS-related requests to a specific IP (webserver). Thus, by manually entering a DNS in the Pokemon game network settings, you can connect to a custom web server and let it handle your client requests rather than the official GTS.
It's not perfect, but combining the DNS server with a simple PHP script it currently lets you be online without disconnecting (though no results are returned when you search, and deposit only shows the visuals; no pokemon is actually deposited anywhere). With a simple on/off flag I can make anyone that connects "forcefully" receive a pokemon as if someone traded with them. Looking around, I see others are looking into the server-side data; it's nice because if the _GET[data] can be decoded and information extracted, it's possible to even create a PKM file server where you "search" for a pokemon and you always find "people" that trade it away (funny enough, it would simply be the server decoding your search and then, for example, forcing you to accept a pokemon as if someone traded it to you the normal way).
A lot of possibilities, and I think there will be a projectpokemon.org official GTS DNS address everyone can input and fetch their legal pokemon at whatever level and gender they want.
Included my sources as an attachment, nothing big, just another version of what LordLandon made, only that this is for a webserver (PHP and Python to encode/decode pkm/bin).
By the way, if you wanna try it out and see what awesome Pokémon you get by connecting to my GTS server, you actually can for tonight! Load the game, edit the network settings, set the DNS primary IP to my IP: 84.202.82.24. Save the changes and load the save, go to GTS (Goldenrod City, west of the Radio Station) and connect. So far the connection tests and "handshake" server(?) connections are not touched, but once it starts to read from the website it will be my own server and not Nintendo's. If someone uses it tonight I'll check the logs and see how it went; just trying it out, so it won't be online after ~12 hours.
When I try to connect to the GTS server, it works fine until the gamestats2 request.
In-game I get this message: "You were disconnected from the GTS. Returning to the reception counter."
I placed .htaccess in the root of my webserver. I edited it so it points to /pokemon/egts/pokemondpds/index.php$1
I edited the index.php file server root to point to C:\xampp\htdocs
I edited the log to go to C:\xampp\htcods\pokemon\egts\pokemondpds\logs etc.
What did I do wrong?
-
Select gift, messed up in the other post.
-
I would go:
Event > Mystery gift > Load PGT
then
Export ARDS code > check wonder card IDs > check wc 1 > save
I don't have an ARDS to test this; you should try going to the Pokémart and holding L+R while entering the building. Talk to the green man.
-
-
On the pokewalker screen,
to restore: UP, R, Select
to reset: DOWN, L, X
Reset is needed to connect to another pokewalker; your save is still playable.
-
My FC is 2450 7102 5767
Ready for trading
EDIT: leave me a message next time you're online
GTS: website research
in RAM - NDS Research & Development