Poryhack

NAS going down will of course stop it from working. :frown:

Have you seen Pipians work from earlier in this thread? He's got some very promising things going on that front.

Nice!

As a side-note, if you have a Wii you can softmod it and use an ISO launcher to play Gamecube games with AR codes enabled.

The current problem is that save file encryption uses an RSA key which is 0'd at at FIRM launch. To recover the information needed to actually decrypt these saves we need: a 6.0+ exploit, a hardware ram dumper, or a dump of the bootrom. Right now we have none of these and there's no promises we'll get any of those any time soon.

Datel must have one of the above for their save editing service to work, right? (I'm assuming you were responding to scarfaceguns and myself; if not, ignore me.)

BTW thanks for the work you and bond have been doing!

Well, it's nice to hear this is being attempted, at least.

Question: A couple of people have said this could work with retail carts with the help of an Action Replay code to do what the ROM-hacking would accomplish. Is that likely to be true? Because buying an AR to continue using Pokecheck or what have you wouldn't be too bad, probably.

Don't waste your money. If you're gonna buy anything buy a flashcart. They're cheaper than ARs and way more useful.

Just curious but if someone was to upload their own pokemon X/Y save and send it to someone who owns a modded 3ds that can decrypt their own save be able to decrypt it and modify and be able to send it back without issues?

I am aware retail carts have their saves locked to its desired cart but i am curious if its possible now.. or if we would have to wait to crack that save lock first if at all possible.

I could see something similar to powersave happening as a paid service that could really make a lot of money off of ppl IF there is any plans to make it all public.

I proposed the same thing a week ago. OmegaDonut mentioned that he'd set aside a 3DS for the idea as well. I can think of a few issues though. It'll require some specialized software and potentially hardware as well. Someone would have to develop that (or get it designed and built in the case of hardware). All the while we'd be hoping that no other way to edit saves comes about or whoever invested would be out money.

I hope we find a way before the deadline

Did you read Pipian's post? The information he's compiling is enough to allow anyone to trade freely without the need for any of the services that are about to be shut down.

Would it be worthwhile for someone (or the community as a whole) to try to set up their own 3DS farm (or perhaps just 1 3DS with a queue system) and open it up to the public? It could be a reasonably priced paid service at least until the initial cost of a 3DS and whatever specialized hardware/software necessary is recouped. There's not some other magical solution to the save encryption problem "just around the corner" is there?

I've been continuing to update my findings on the Wi-Fi Club protocol for Diamond and Pearl on the previously linked page. My understanding is now complete enough for me to have successfully conducted a trading session this evening without referring to Nintendo's servers at all. There are a few minor services I still need to test, but otherwise I'm about ready to move on to documenting and testing Platinum/HeartGold/SoulSilver (I'm going to be foregoing documenting the packets for this at the moment in the interest of capturing as much as possible now)

I've only skimmed your write up, but I just wanted to say that you're doing excellent work. Thanks!

An exploit is now available here. I tried it against the domains I mentioned in the last post and they all came back negative. They may have never been vulnerable or they have been already updated to the latest OpenSSL.

I was reading up on this myself earlier this morning and obviously it sounds promising. THere are already tests to check if your server is affected by the bug - for example on http://filippo.io/Heartbleed/ - what they do there: they inject a message into the TLS handshake and check if that message is being returned. Nicely enough servers I manage at work for clients were affected so I had to upgrade OpenSSL on many of them in the last hour. Most webpages I randomly checked seem to be already fixed (or they used old OpenSSL versions to begin with which aren't affected).

This particular test seems to fail on Nintendo's servers ("Uh-oh, something went wrong."). 3ds1-us.pokemon-gl.com however tests fine, and doesn't appear to be vulnerable. EDIT: Appears to be hosted on Amazon EC2, which has already addressed the bug.

Here's a small subset of domains worth testing:

nppl.c.app.nintendowifi.net

nasc.nintendowifi.net

account.nintendo.net

mii-secure.account.nintendo.net

npdl.cdn.nintendowifi.net

tagaya-ctr.cdn.nintendo.net

pls.c.shop.nintendowifi.net

npul.c.app.nintendowifi.net

nus.c.shop.nintendowifi.net

ecs.c.shop.nintendowifi.net

Another critical bug has been found (this time in OpenSSL) that could allow us to actually gain access to the private keys Nintendo's servers use to authenticate themselves to the 3DS. This is significantly different from what I described in my first post as it doesn't take advantage of the client (3DS) TLS implementation; it steals the private keys right out of server memory. With the private keys we wouldn't need to rely on a flawed client implementation. We could mimic the server with 100% accuracy. As far as I can tell there are no public exploits available yet, but they will surely come soon.

The AES MAC requires the keyscrambler and the AES Engine, which haven't been translated to code (because they rely on hardware not software). XORpad too.

What would it take to reverse-engineer the signing key from the hardware? I'm assuming whatever it is isn't very feasible but I'm still curious. Would the (failed) chip decapping fundraiser have been of any help in this?

Annnnnd now I feel stupid. I'm gonna try to save some face and say that it was 3/31 when I made that last comment.

Trololololol!

Now that Datel allows exporting of Decrypted Save files and will fix them upon writing to the cart (thanks Datel!), PKHeX can now insert to Slot 1 Box 1 of the save file.

Thanks Datel indeed. That's great news! And props to Kaphotics and company for the update!

EDIT: Has Datel made any mention as to why they opened this up? It'd be pretty cool if it was just because of the efforts on PP.

hey whats is this and is this new?

http://us.codejunkies.com/Products/Wii-LAN-Adapter__EF000257.aspx

Does this help for Wii users after the wifi goes down?

No. The Wii has had a LAN peripheral for ages, there's even an official Nintendo model. It has nothing to do with the shutting down of online services though.

I stand corrected. Looking forward to seeing how Pokecheck will work.

What's the advantage of using this over KeySAV/Mass Dumper?

Physical cart users don't need a Powersaves for this. There is no benefit for digital copy users.

I know that Pokecheck will do that by the end of this month, but is there any way to transport PKX file to my XY rom now?

No. And, as an FYI, Pokecheck has already had that message for 2+ months. I don't know the developer and I can't speak for his/her situation, but I wouldn't get my hopes up about XY support in Pokecheck if I were you.

The only disadvantage is that Pokemon would require a hacked ROM file to do all this because retail carts will necessarily require the HTTPS server to be up.

It's definitely a bummer but there's still a lot of value in this work even for retail cart users. Documenting the authentication server as well as possible now will be crucial if a TLS workaround is ever found for the DS.

In the last two weeks there has been news of two critical flaws in TLS implementations; one affecting iOS/OS X and another affecting GnuTLS (Linux). Both flaws have allowed 3rd parties with man in the middle access to effectively defeat TLS. This is disastrous from a security standpoint, but if the implementation of TLS on the 3DS is similarly flawed it opens up a vector for PKX sniffing/injection (amongst other less interesting things) that wouldn't require the end-user to have specialized hardware.

Based on the legal notices on page 99 of the 3DS manual Nintendo is using OpenSSL (a direct competitor to GnuTLS), Ubiquitous TCP/IP+SSL, and RSA BSAFE. All three appear to be equipped to handle TLS operations which makes it hard to say which implementation the 3DS actually uses for TLS. Nintendo could also have a homegrown implementation but it seems unlikely. Its worth noting that RSA BSAFE has been referenced as far back as the original DS while OpenSSL and Ubiquitous only go back to the DSi.

I freely admit that defeating TLS seems like a less promising avenue to a gen 6 editor than existing work already being done with save decryption and unsigned code execution, but I wanted to point out the possibility to all who may be interested.

Thanks for the info. Bummer that Datel is doing everything server-side, although I can understand their desire to protect their methods/profits. If I were them I would work on a fully featured server-side pokemon editor. Perhaps they are doing that now (or waiting on the PP community to do the hard work of mapping out the format for them first lol).

KeySAV doesn't need the key - it instead operates on a simple concept which involves rearranging slot data and knowing how save files are encrypted.

The trick which was used to reveal more contents of the save file didn't need a key either; it's essentially KeySAV's exploit pushed a little further in terms of rearranging data.

News to me. Thanks. The whole thing makes a lot more sense now.

Nope. We can get the encryption keys used for a single cartridge, but we do not know how the keys are generated.

I'm probably woefully ignorant of the facts here, so forgive me, but I asked because KeySAV is seemingly managing to decrypt the save files. What I was wondering is if there was any information available on how this is done (short of decompiling it).

It doesn't matter how simple or complex a change is - if we can't fix the save file checksum(s) AND re-encrypt it properly, we can't do anything at all to edit it.

Of course, but Datel's devices is doing this, correct? So we know it's at least doable? I think that's what VGZXR was asking.

Is there any documentation on the decryption process?