MetalMario

Seeing that Kaphotics and Hozu have both viewed this thread

If this is the case, I would like to express my interest in hosting the Pokécheck battle video database on my own server.

Since I only finished my crawler 3 days before the close, I was only able to save 3564 Gen5 videos before the close. Since I recall you guys having in the tens of thousands of videos saved, it would be a great boon to the community to have some place to host them.

Battle video services are up. Connect to altwfc and it should just work.

But this exploit is for MITM only.

Edit: And both client and server need to be vulnerable to allow for reading cleartext.

Edit2: If we can modify the client then we don't even need an exploit to document the protocol. This is how custom DS wifi servers were made. So breaking TLS is moot if this is possible. (but certainly *not* moot for getting unmodified clients to connect)

As we all know from Instacheck, any MITM exploit on the official servers can and will be patched. I'd hedge my bets on the game breaking pkm injection being client-only, like breaking save file signing or however the hell Datel does it.

It seems to deal with forcing the client to use weak session keys, so it doesn't appear to be of any help in implementing custom servers. Also I don't think the DS/3DS use OpenSSL?

Not mine, but the AltWFC servers should allow direct trading and battling. They proxy my GTS anyway so there's not much point in using my DNS anymore.

Edit: To clarify, accessing any custom server on a retail cartridge requires an AR code. You can find a generator here.

Memory Link over WFC went down when the Global Link went down. It's possible to implement but would require a ton of disassembly work. Since you can still do it locally, it's not much of a priority. Direct trading, battling, and access to fGTS are available through http://www.altwfc.net/

I'm working on a server to access them with. Provided you're set up with the NoSSL patch (necessary for any Wi-fi communications now), you'll be able to access battle videos in the usual way. Only videos my crawler has saved, plus newly uploaded videos, will be accessible.

If you want your Generation IV battle videos saved onto my server (for viewing after NWFC goes away), please add their codes into this form:

http://foundations-gts.cloudapp.net/BattleVideo.aspx

Generation V support coming maybe.

You've heard about my GTS?

http://foundations-gts.cloudapp.net

I've also got Generation IV battle videos cracked but Generation V ones have some kind of pseudo-SSL which is causing problems.

I have a crawler for Generation IV battle videos running and I'll be adding them to my custom server once it's made.

What would really help with my crawling is if anyone has a complete list of GTS country and region codes. I could build a list myself but it would take way longer than I have time for.

Pipian: There's a fairly lengthy discussion going on at gbatemp.net. We also have an IRC discussion at #altwfc on Rizon.

Short answer: Yes.

After May 20th, you will need a ROM hack to access it, which kind of defeats the purpose since you can also save file edit if you have those tools.

I am seriously looking at a way around but it won't be ready in time for May 20.

Anything that doesn't use your Internet connection will work. Anything that's done inside 3DS software (like Transfer) will work.

Anything done on the Internet with DS software (other than DSi shop) won't.

To answer your questions:

1. Yes

2. No. The NWFC shutdown is almost certainly because of the shutdown of the Gamespy network, on which they depend.

They use a different CA for 3DS as opposed to DS and Wii. DS is also unpatchable and a Wii patch seems unlikely at this point. Since their official servers are shutting down, issuing a patch blocking all online activity seems especially troll and unlikely.

As long as we don't attempt to crack (or at least release publicly) their 3DS CA's private key, it shouldn't prompt them to issue a patch. In absence of any bad key generation, cracking an 1024 bit RSA would take hundreds of years with current technology.

Forging individual certificates is going to be much easier than breaking a private key.

I'm not sure. I've seen the 3DS accept SHA256-RSA. My best guess is that the DS does accept MD5.

The only significance is that MD5 computes faster so would be easier to use for a brute force preimage search.

Again, not sure. I can difinitively say from my own testing though that 3DS titles do care about the subject field and not just being signed by the correct CA.

Pipian will probably need to answer this. If the DS/Wii don't care very much about the subject then it might be possible to use the same (forged) certificate for both their authentication servers.

I don't see any mention of Bitcoin in that article, where are you getting that part?

I meant it as a generic term for lots of spare compute power that can be diverted from relatively useless tasks like bitcoin mining.

The RSA common factors attack also requires that they did a bad job generating their key. This being Nintendo (in 2005), who knows.

All this is idle speculation in absence of more facts.

Update: GenV support added, and it's live for testing. It's such a beta I make no promises it will do anything sane with your pokemon.

http://foundations-gts.cloudapp.net/

Question: Does the DS accept X.509 certificates using signing algorithms other than SHA1-RSA? Like perhaps MD5? Also, does it care what's contained in the subject or just that it's signed by Nintendo CA?

Edit: Found this in a Google search for "factoring RSA":

http://windowsontheory.org/2012/05/15/979/

Basically, if either Nintendo CA's public key or that of any of the certificates they've signed share a common factor with any random public key we can find on the internet, it can be broken in a reasonable time if enough people have bitcoin mining clusters they're willing to lend.

but if you change the NDS for things like the GTS doesn't that mean that it'll come from that other server?

http://en.wikipedia.org/wiki/X.509

In short, the DS can tell whether a server it visits is the official one or an impostor. (Impersonating the server perfectly would require a secret number kept in the basement of Nintendo HQ guarded by Magikoopas or something.)

The reason we can fake the GTS is because Game Freak opted not to use those protections (SSL) for the GTS. But since they're still used for the login stage of connecting to the GTS, all fake GTSes will become inaccessible once Nintendo Wifi shuts down.

One option is to get a flashcard and hack the ROM to turn off SSL. Pipian is working on a custom server which can be used in this way.

The other is to defeat the DS's security on the serverside. This is hard but something I'm interested in.

AFAIK his work still requires a ROM hack to strip the SSL. I'd love to hear from him anyhow.

I'm really interested in figuring out whatever we can do to save online play. For the past two and a half weeks, I've been working on a full replacement for the GTS based on Project Pokémon's documentation and a lot of my own Wiresharking to fill in the blanks. Right now I have it working for Generation IV running off my laptop and have conducted a trade with it.

https://github.com/mm201/pkmnFoundations/tree/master/gts

NAS going down will of course stop it from working. :frown:

I'm really optimistic we can find an SSL exploit. The GameSpy HTTP client they're using is already many years old. I'm just rather dumb stupid when it comes to disassembly. I'd rather stick to developing replacement servers but I'd be glad to lend a hand in any way.

One of the other things I had been researching is Platinum's "upload a box" function. (It would be very cool to be able to Pokécheck 30 Pokémon at a time!) The data seems to be encoded with a rather crappy RNG with a period of 256 bytes. Cracking it (or hard coding the entire pad) wouldn't be difficult but I stopped when it became apparent that it wasn't sending entire pkm data anyway. It was only sending barely enough to display the teasers they show you.

When using AppLocale, Pokesav always says my .sav files are of an invalid format.