Poryhack

Former Staff
  • Posts: 896
  • Joined
  • Last visited
Everything posted by Poryhack

  1. Have you seen Pipian's work from earlier in this thread? He's got some very promising things going on that front.
  2. Nice! As a side-note, if you have a Wii you can softmod it and use an ISO launcher to play Gamecube games with AR codes enabled.
  3. Datel must have one of the above for their save editing service to work, right? (I'm assuming you were responding to scarfaceguns and myself; if not, ignore me.) BTW thanks for the work you and bond have been doing!
  4. Don't waste your money. If you're gonna buy anything buy a flashcart. They're cheaper than ARs and way more useful.
  5. I proposed the same thing a week ago. OmegaDonut mentioned that he'd set aside a 3DS for the idea as well. I can think of a few issues though. It'll require some specialized software and potentially hardware as well. Someone would have to develop that (or get it designed and built in the case of hardware). All the while we'd be hoping that no other way to edit saves comes about or whoever invested would be out money.
  6. Did you read Pipian's post? The information he's compiling is enough to allow anyone to trade freely without the need for any of the services that are about to be shut down.
  7. Would it be worthwhile for someone (or the community as a whole) to try to set up their own 3DS farm (or perhaps just 1 3DS with a queue system) and open it up to the public? It could be a reasonably priced paid service at least until the initial cost of a 3DS and whatever specialized hardware/software necessary is recouped. There's not some other magical solution to the save encryption problem "just around the corner" is there?
  8. I've only skimmed your write up, but I just wanted to say that you're doing excellent work. Thanks!
  9. An exploit is now available here. I tried it against the domains I mentioned in the last post and they all came back negative. They may have never been vulnerable or they have been already updated to the latest OpenSSL.
  10. This particular test seems to fail on Nintendo's servers ("Uh-oh, something went wrong."). 3ds1-us.pokemon-gl.com however tests fine, and doesn't appear to be vulnerable. EDIT: Appears to be hosted on Amazon EC2, which has already addressed the bug. Here's a small subset of domains worth testing:
      nppl.c.app.nintendowifi.net
      nasc.nintendowifi.net
      account.nintendo.net
      mii-secure.account.nintendo.net
      npdl.cdn.nintendowifi.net
      tagaya-ctr.cdn.nintendo.net
      pls.c.shop.nintendowifi.net
      npul.c.app.nintendowifi.net
      nus.c.shop.nintendowifi.net
      ecs.c.shop.nintendowifi.net
  11. Another critical bug has been found (this time in OpenSSL) that could allow us to actually gain access to the private keys Nintendo's servers use to authenticate themselves to the 3DS. This is significantly different from what I described in my first post as it doesn't take advantage of the client (3DS) TLS implementation; it steals the private keys right out of server memory. With the private keys we wouldn't need to rely on a flawed client implementation. We could mimic the server with 100% accuracy. As far as I can tell there are no public exploits available yet, but they will surely come soon.
  12. What would it take to reverse-engineer the signing key from the hardware? I'm assuming whatever it is isn't very feasible but I'm still curious. Would the (failed) chip decapping fundraiser have been of any help in this?
  13. Annnnnd now I feel stupid. I'm gonna try to save some face and say that it was 3/31 when I made that last comment. Trololololol!
  14. Thanks Datel indeed. That's great news! And props to Kaphotics and company for the update! EDIT: Has Datel made any mention as to why they opened this up? It'd be pretty cool if it was just because of the efforts on PP.
  15. Thanks Kaphotics. For what it's worth, I doubt this had anything to do with Pokecheck. The attack described is only useful in a situation where A) the client deliberately connects to the attacker's server and B) the target server requires client authentication. A isn't possible in the context of Pokemon X/Y running on an unmodified 3DS and B isn't true of Pokemon X/Y's current online infrastructure. Nevertheless, this is terrific work and I wouldn't be too surprised if someone as capable as xfr could find a hole in Nintendo's TLS implementation. We're lucky to have him.
  16. Any specifics on this publication? I wouldn't mind checking it out.
  17. No. The Wii has had a LAN peripheral for ages, there's even an official Nintendo model. It has nothing to do with the shutting down of online services though.
  18. I stand corrected. Looking forward to seeing how Pokecheck will work.
  19. Physical cart users don't need a Powersaves for this. There is no benefit for digital copy users.
  20. No. And, as an FYI, Pokecheck has already had that message for 2+ months. I don't know the developer and I can't speak for his/her situation, but I wouldn't get my hopes up about XY support in Pokecheck if I were you.
  21. It's definitely a bummer but there's still a lot of value in this work even for retail cart users. Documenting the authentication server as well as possible now will be crucial if a TLS workaround is ever found for the DS.
  22. In the last two weeks there has been news of two critical flaws in TLS implementations; one affecting iOS/OS X and another affecting GnuTLS (Linux). Both flaws have allowed third parties with man-in-the-middle access to effectively defeat TLS. This is disastrous from a security standpoint, but if the implementation of TLS on the 3DS is similarly flawed it opens up a vector for PKX sniffing/injection (amongst other less interesting things) that wouldn't require the end-user to have specialized hardware. Based on the legal notices on page 99 of the 3DS manual Nintendo is using OpenSSL (a direct competitor to GnuTLS), Ubiquitous TCP/IP+SSL, and RSA BSAFE. All three appear to be equipped to handle TLS operations, which makes it hard to say which implementation the 3DS actually uses for TLS. Nintendo could also have a homegrown implementation, but it seems unlikely. It's worth noting that RSA BSAFE has been referenced as far back as the original DS, while OpenSSL and Ubiquitous only go back to the DSi. I freely admit that defeating TLS seems like a less promising avenue to a gen 6 editor than existing work already being done with save decryption and unsigned code execution, but I wanted to point out the possibility to all who may be interested.
  23. Thanks for the info. Bummer that Datel is doing everything server-side, although I can understand their desire to protect their methods/profits. If I were them I would work on a fully featured server-side Pokemon editor. Perhaps they are doing that now (or waiting on the PP community to do the hard work of mapping out the format for them first lol).
  24. News to me. Thanks. The whole thing makes a lot more sense now.
  25. I'm probably woefully ignorant of the facts here, so forgive me, but I asked because KeySAV is seemingly managing to decrypt the save files. What I was wondering is if there was any information available on how this is done (short of decompiling it).