Pipian

I've talked with ToadKing once before (I contributed the Pearl and Diamond NoSSL patches to his website) but haven't talked to him lately. I know that a group of them have had some significant success in hosting a number of games now (largely mirroring my own findings, evidently). My current plan is to develop my own server independent of that effort (for a number of mostly personal reasons, but also a technical reason or two). I'll drop by though, as I'd like to coordinate my efforts to the greatest extent possible.

I'm sorry I've been quiet of late. I've unfortunately been hobbled a little by some external things as well as my laptop responsible for running the Nintendo Wi-Fi Connector going bad. At the moment I'm currently rushing to log as much as possible (with simultaneous video capture so that I can more easily sync activity with the PCAP dumps I've been working with). Platinum is pretty well understood, although I do need to make sure that NAT negotiation is the same (It's almost identical to Pearl/Diamond otherwise, though it would help if I could confirm the behavior of the Plaza Games and Poffin Cooking, which I will finish tonight). It'll also help if I do a clean friending/defriending log, but I plan on doing that when I confirm the behavior of HeartGold/SoulSilver tomorrow. Black and White are a little different behavior, but from a cursory glance at a previous log I made of some activity there, I think I have a good idea how they will work. That said, I still plan on recording them (especially Black 2/White 2) in some detail tomorrow. After the shutdown, I'll start going through my PCAP dumps and finishing the documentation of the protocols based on what I find within, as well as properly fleshing out those TODO packets that I haven't added yet. EDIT: Finally, I've been giving some thought to setting up a server for Nintendo Wi-Fi Connection purposes. I've got a domain, but am holding off on doing the dev work necessary to host it until after I've fully documented the underlying protocols.

Well, there's the caveat that you'll have to use a hacked ROM to do so because of the SSL-secured server that plays a role in the authentication process (no retail carts will work unless someone finds an exploit in the games themselves, which I find doubtful), but the goal is to have something which works reasonably well for that purpose, even if it's not documented well enough to allow other clients to exist.

I've been continuing to update my findings on the Wi-Fi Club protocol for Diamond and Pearl on the previously linked page. My understanding is now complete enough for me to have successfully conducted a trading session this evening without referring to Nintendo's servers at all. There are a few minor services I still need to test, but otherwise I'm about ready to move on to documenting and testing Platinum/HeartGold/SoulSilver (I'm going to be foregoing documenting the packets for this at the moment in the interest of capturing as much as possible now)

nas.nintendowifi.net (the server required to support online play with Pokemon Pearl/Diamond and others) apparently does not support the TLS heartbeat extension, and as such was never vulnerable to the attack.

I've written up some documentation about registering with the Nintendo Wi-Fi Connection on Gen IV. Since the GTS protocol has already been pretty well documented, I'm currently planning on working on the Wi-Fi Club protocol for Gen IV next.

You're absolutely right Purin, as I noted in my post. In fact, it was a post on these very forums that informed me of that. I've been pushing ahead with figuring out the authentication mechanism nevertheless, and there's a lot that can probably be shared with the ongoing work to make a Mario Kart Wii server, as both protocols use Gamespy to negotiate and create friend codes. I've gotten so far as creating a new GameSpy profile, and I suspect there's enough documentation between the MKWii wiki in the last link and various other projects designed to re-implement the GameSpy protocol to stand a good chance of having a working server for hacked ROMs to access at the very least. Right now I'm focusing on Gen IV games; I'm not sure how tricky getting Gen V up and running would be. The only disadvantage is that Pokemon would require a hacked ROM file to do all this because retail carts will necessarily require the HTTPS server to be up.

The only Wi-Fi communication that does not depend on the HTTPS server are local trades and battles. Anything that depends on your friend code (i.e. anything that goes through the Nintendo Wifi Connection) depends on the HTTPS server to initialize communications and will probably not be able to be faked with retail carts. (It may be possible to fake the NWC to work with hacked ROMs however)

Unfortunately, part of the authentication process (nas.nintendowifi.net, which is apparently used for ban-checking and generation of new friend codes) is encrypted using SSL. Furthermore, Pokemon Pearl (at the very least; and almost certainly others) validates that communications with this server are encrypted using a certificate signed by a certificate authority operated by NOA (in the US at least; it's probably different in other countries). It IS possible to edit the Pokemon Pearl ROM to validate against a different root certificate by swapping out the default public key for one of your own choosing. By substituting a public key of your choice at offsets 0x142250-0x1422CF and 0x145050-0x1450CF in the NA ROM (I don't know what .narc file those are in, or whether both are necessary or just one) and setting up an HTTPS server which uses a certificate signed by the appropriate root certificate corresponding to your chosen key (the issuer should be "C=US, ST=Washington, O=Nintendo of America Inc, OU=NOA, CN=Nintendo CA/emailAddress=ca@noa.nintendo.com" for an NA ROM), it's possible to apply a man-in-the-middle attack to help reverse-engineer the friend-code registration and authentication process. Funnily enough, it's evidently also possible to edit the URLs "https://nas.nintendowifi.net/ac" to instead read "http://nas.nintendowifi.net/ac\x00" to force an HTTP connection instead (note the extra null byte to ensure that offsets remain the same). The bigger problem is that there is no workaround for retail carts short of using an Action Replay codeset to deliberately overwrite the public key or https URL when they are loaded into memory (Well, okay, there's also factoring a 1024-bit RSA key to sign your own certificates as if you were NOA, but if you can do that, you've probably got more important things to be doing). The only faint sense of hope to hold out would be if nas.nintendowifi.net is kept up beyond the shutdown date. Unlike the Gamespy servers that provide for most NWC services for other games (and are supposedly the reason why the servers are going down in the first place), nas.nintendowifi.net is on a Nintendo-owned IP subnet and is hosted in a different data center. So are the GTS servers for that matter (as is well-known, they use an HTTP protocol rather than Gamespy). I wouldn't hold out hope for this though, as even GTS depends (if weakly) on Gamespy, if only for the fact that Gamespy is a crucial component of how friend-codes are generated (incidentally, the fact that generating a friend-code occurs simultaneously with the creation of a new Gamespy account for the game is probably why different DS games have different friend-codes on the same console). IN SHORT: It's possible to reverse engineer friend-code generation and authentication, but it's only going to be useful when used with hacked ROM files.