Hacking - Patching deviceID on CFW boot: Is it possible and would any devs be interested in implementing it?

(to CFW devs) Would it be possible for these ideas to be implemented?

  • No, you are wrong about all of this. (Votes: 0, 0.0%)
  • Total voters: 39

shinyquagsire23

SALT/Sm4sh Leak Guy
Device ID is linked to your serial and client certificates; eShop and other online services won't grant access unless all three are from the same console (and all three are sent in most if not all Nintendo Network requests, along with a bunch of other information). Your NNID is also linked to your device. You cannot unban without another console and another NNID.
 

jimmyleen

Well-Known Member
Device ID is linked to your serial and client certificates; eShop and other online services won't grant access unless all three are from the same console (and all three are sent in most if not all Nintendo Network requests, along with a bunch of other information). Your NNID is also linked to your device. You cannot unban without another console and another NNID.

Okay, fine, then I don't see why we can't create a piece of software to run on our cellphone in order to make our 3DS and 2DS think that our phones are 3DS consoles.
 

shinyquagsire23

SALT/Sm4sh Leak Guy
Okay, fine, then I don't see why we can't create a piece of software to run on our cellphone in order to make our 3DS and 2DS think that our phones are 3DS consoles.
Device IDs are assigned by Nintendo. Serial numbers are assigned by Nintendo. Client certificates are signed by Nintendo. You can't generate any of those three, there is no way to unban without a new console.
 

jimmyleen

Well-Known Member
Device IDs are assigned by Nintendo. Serial numbers are assigned by Nintendo. Client certificates are signed by Nintendo. You can't generate any of those three, there is no way to unban without a new console.

Are any of those three things stored on Nintendo servers? If so, I think something like CIAngel could help.

Edit: by that I mean using newly unreleased and generated Device IDs, Serial numbers, and Client certificates
 

Roomsaver

Well-Known Member
Are any of those three things stored on Nintendo servers? If so, I think something like CIAngel could help.

Edit: by that I mean using newly unreleased and generated Device IDs, Serial numbers, and Client certificates
CIAngel downloads games through tickets. It doesn't generate Device IDs, serial numbers, or client certificates.
 

N7Kopper

Lest we forget... what Nazi stood for.
With such harsh bans for repeated Miiverse conduct violations, it seems that Nintendo aren't worried about what you're posting, they're worried about what you can post.

If you can post in any community while running any application, that means you can post while running Nintendo 3DS Camera. If you can do that, imagine what you could flood Miiverse with. "Using stamps from other games" isn't even the beginning of it. Nintendo have a legitimate reason to be worried. Miiverse only barely scrapes by as a child-friendly forum as it is.

And I can think of many different varieties of legal, harmless pornography that would make most adults want to vomit, never mind children. And it gets worse.

Why are you being banned from the eShop too? Probably because their present strongest 3DS ban includes that, and they have no legally enforced reason to change that.
 

Roboman

Well-Known Member
In the OP, could you swap "...MCIT users..." with "...MCIT (Miiverse Custom Image Tool) users..."?
It's the first time I've heard that acronym, and it took me a bit of confused reading to figure it out.

On a more on topic note, I think you might be able to spoof the three credentials if you dumped them from another console. There isn't a way to forge our own.
 
Last edited by Roboman, , Reason: I'm not the op :x

gamesquest1

Nabnut
I actually have a console that is perma-banned for messing about with cheats on the Badge Arcade (of all the things for Ninty to get ban-happy about, this has to be the crappiest). Donor details wouldn't be an issue for me, but I could understand if devs wouldn't want to implement such a feature though... but I guess with the donor console details being a requirement, it wouldn't really make Miiverse and online cheating/douchebaggery any easier, as most people probably wouldn't have junky consoles lying about to obtain the donor details.
 

Deleted member 355359

Well-Known Member
It would be nice to also spoof client certificates + nintendo network id so we can transfer nnid to new console without complaining to Nintendo cs
You mean client certificates are unique per console? Miiverse's (https://3ds-us.olv.nintendo.net) client certificate is a p12 file located in the app, unless you're talking about the NNID/eShop access certificate.
 

CrimsonMaple

Developer • She/Her
The idea is there. I don't think it can be implemented like the OP said. But I can look into it. (I'm not fully seasoned, so don't expect much from me.)

Yeah, nope. After reading shiny's post, I don't think this is a thing you can fix by slapping on a patch, as two of the three verifications are set by Nintendo when they make your console.
 

Quantumcat

Dead and alive
The idea is there. I don't think it can be implemented like the OP said. But I can look into it. (I'm not fully seasoned, so don't expect much from me.)

Yeah, nope. After reading shiny's post, I don't think this is a thing you can fix by slapping on a patch, as two of the three verifications are set by Nintendo when they make your console.
If it was something you could spoof you could probably also spoof a console with an NNID with hundreds of games on it, sign into the NNID and download them all :-p
 

CrimsonMaple

Developer • She/Her
If it was something you could spoof you could probably also spoof a console with an NNID with hundreds of games on it, sign into the NNID and download them all :-p

I think Nintendo would notice this rather quickly and ban both 3DSes. But yeah, if you could spoof it, all I know is that it would need to be done with ARM9, as the DeviceID is located there. Changing serial numbers is possible, and I think the DeviceID may be able to be tinkered with (and I'm not willing to test), but both the DeviceID and the serial number would need to match (could be wrong here as well). This would essentially make your 3DS into an entirely different 3DS at this point, and each time this device was banned you would need to repeat.
 

Deleted member 355359

Well-Known Member
I think it's pretty much clear at this point that the deviceID can't really be patched, or else we would not even get access to Nintendo Network.
In a (Wii U) account.nintendo.net request header, these strings are sent:
X-Nintendo-Client-ID: xxxxxxxxxxxxxxxx
X-Nintendo-Client-Secret: xxxxxxxxxxxxxxx
X-Nintendo-Country: US
X-Nintendo-Device-Cert: xxxxxxxxxxxxx
X-Nintendo-Device-ID: xxxxxxxxxxxxxxx

I'm wondering, what are "Client-ID" and "Client-Secret"? This is a Wii U header because we can't dump a 3DS one via Fiddler at the moment. Not sure if I recognize anything in this.
I also doubt these can be forged; they may be able to be replaced by genuine ones from other consoles if there are no mismatches. If one of these could be forged (not DeviceID or cert, for sure), that would be awesome, but probably not happening.

--------------------- MERGED ---------------------------

All I know is that it would need to be done with ARM9, as the DeviceID is located there.
How do you know that, and what else is in the arm9 if the deviceID is there?
 

CrimsonMaple

Developer • She/Her
How do you know that, and what else is in the arm9 if the deviceID is there?

It's on 3dbrew. All of the documentation is in the memory layouts. It's part of the ARM9 ITCM.
 

I pwned U!

I am pleased to beat you!
OP
I have a very important update for everyone!

As most of you probably know, my DeviceID patching idea has started to become a reality with @PF2M's NTR-based Nintendo Network unbanning method and the experimental Luma build by @Nanquitas. Shortly after these developments, Nintendo started checking the spoofed DeviceIDs against the ones in the signed certs of the devices using the spoof, thus negating the development.
Client certificates are signed by Nintendo.
Fortunately for us, an unbelievable discovery has been made earlier today:
I was going to start work on reverse-engineering the Wii networking and then starting work on the 3DS Device-Certs, but then I found something.
There was a file on Dolphin's NAND called device.cert.

Man, this looks familiar!
I tried this for the lelz. I thought it wouldn't work, but it's worth a try. I converted it to Base64, got the DeviceID, set the platform to Wii U, and..
it worked.

The most unexpected thing to happen happened.

This means 2 things:
1. This was solved a while ago. A LONG while ago, like 5 years ago. If Dolphin can generate device certs, we can, especially if it's using an old cert from 2006 and was achieved a long time ago. This further supports that generating movable.seds is very possible.
2. There is hope! Making a method from this wouldn't be impossible.
But, we haven't made anything like a quick patch for this in NTR yet. I mean, I discovered this 2 minutes ago, but just wanted to report this.
That's (mostly) all.
Yes, you read that right.

Nintendo made certs interchangeable between their platforms! :rofl2:
I realized that device.cert files can't actually be generated
I feel worse that I jumped to this conclusion that they can and spread it pretty quickly.
I am so sorry

But, that was from a Wii and not a Wii U.
The point is that Wii certificates do work. Obviously, Nintendo wouldn't have an OpenSSL vulnerability exploited.
I'm assuming DSi certs work too, but we're not at that point in DSi hax yet.
But, this is still hope, because if you have a Wii, that means you can unban yourself, and pretty much everyone on the planet has a Wii.
Since this works with setting the platform ID to a Wii U, this means that there is a possibility that the cert is shared between the Wii U's regular mode and the vWii mode.
So, since the Wii has no online services except for the Wii Shop Channel (let's face it, nobody uses it, and if you do care, you have a Wii U), once we get a method up to change DeviceID and Device-Cert, you can dump your Wii NAND in BootMii, extract it, get the Device-Cert and actually use it.

This doesn't really mean that all hope is lost, it just means I̶ ̶r̶e̶a̶l̶l̶y̶ ̶n̶e̶e̶d̶ ̶t̶o̶ ̶s̶t̶o̶p̶ ̶j̶u̶m̶p̶i̶n̶g̶ ̶t̶o̶ ̶c̶o̶n̶c̶l̶u̶s̶i̶o̶n̶s̶ ̶o̶r̶ ̶e̶l̶s̶e̶ ̶t̶h̶e̶ ̶a̶b̶o̶v̶e̶ ̶w̶i̶l̶l̶ ̶h̶a̶p̶p̶e̶n̶.̶.̶ that it's just going to be a bit harder. MOST PROBABLY everyone here has a Wii, and dumping the device cert isn't much of a hassle or a risk.


Oh, and if you want to help me and PF2M in our Miiverse hax magic, you know who to contact. ;)
In all seriousness, the worst that can happen is your Wii Shop Channel not working, if we even do get it banned, well, unless you dump it from a vWii, then your entire Wii U will be banned if we ban it if you give us your cert.. yeah.



Um.. yeah, really sorry for this.
But they are interchangeable, that is right. Nintendo isn't always stupid, they're just trying.
And you know what? They fuckin' deserve it for even thinking console bans were a good idea!



But anyway, if @Joom can actually modify DeviceID in ITCM and have it work, that would be great.
I can't find the signature at the bottom in ITCM, whereas I can find everything else in ITCM.
We can use certs dumped from a Wii in addition to the 3DS ones!
It's probably a matter of days until we have a full method for this.
For now, this is a concept/a huge glimmer of hope.
I wonder if we can generate DSi certs.
Regarding the chances of this getting fixed:
The only real way would be to use the CTCert database, but I don't think they'll do it, and here's why.
They can't just put all CTCerts in there. They're constantly being created from production. What if someone buys a Wii U, gets home and finds out that Nintendo hadn't put their CTCert in the database and they have to wait 24 hours?
And that's another thing. They cannot really combine the 3DS/WiiU/DSi/Wii database into one, it's impossible.
So, this has a very very rare chance of actually being patched now, aside from something like adding a header via a software update, but that brings another problem to the table for Nintendo: people not being able to connect because they have an old firmware, and people who can't update.
So if I understand this part correctly, you mean that adding a header requirement would render users unable to do a System Update over the internet? If that is the case, then it is definitely game over for Nintendo!
Remember:

Never underestimate Nintendo's stupidity when it comes to security. :P
 
Last edited by I pwned U!, , Reason: Added further clarification from Arian.
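Added example, not code from this thread or from any Nintendo service: a service-side consistency check modelled on what the posts above describe, namely the account.nintendo.net request headers listed earlier and the two weaknesses the update post reports (a Device-ID header that was at first not compared against the ID inside the signed device cert, and a cert issued for one platform being accepted for another). The cert layout, the HMAC stand-in for the issuer's signature, the key and every device ID are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the issuer's signing key. The thread says certs
# are signed by Nintendo (an asymmetric signature); HMAC is used here only
# so the example runs on the standard library. Not a real key.
ISSUER_KEY = b"constructed-issuer-key-not-real"


def issue_device_cert(device_id: str, platform: str) -> str:
    """Issuer side (constructed layout): bind device_id and platform under one signature."""
    body = json.dumps({"device_id": device_id, "platform": platform},
                      sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + sig


def check_request(headers: dict, expected_platform: str) -> tuple:
    """Service side: accept only when the signed cert, the Device-ID header
    and the platform this endpoint serves all agree with each other."""
    cert = headers.get("X-Nintendo-Device-Cert")
    dev_id = headers.get("X-Nintendo-Device-ID")
    if not cert or not dev_id:
        return False, "missing device cert or device id"
    try:
        body_b64, sig_hex = cert.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
        sig = bytes.fromhex(sig_hex)
        claims = json.loads(body)
    except ValueError:  # binascii.Error and JSONDecodeError are ValueErrors
        return False, "malformed cert"
    if not isinstance(claims, dict):
        return False, "malformed cert"
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    # Signature first: a forged or tampered cert never reaches the ID check.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # The check the update post says was added later: the header is not
    # trusted on its own, it must equal the ID the issuer signed into the cert.
    if claims.get("device_id") != dev_id:
        return False, "header device id does not match certificate"
    # A genuine cert for one platform presented to another (the Wii cert
    # accepted with the platform set to Wii U) is rejected here.
    if claims.get("platform") != expected_platform:
        return False, "certificate issued for another platform"
    return True, "ok"


if __name__ == "__main__":
    cert = issue_device_cert("0123ABCD", "3DS")  # constructed sample device
    print(check_request({"X-Nintendo-Device-ID": "0123ABCD",
                         "X-Nintendo-Device-Cert": cert}, "3DS"))
    print(check_request({"X-Nintendo-Device-ID": "FFFF0000",
                         "X-Nintendo-Device-Cert": cert}, "3DS"))
```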
