Hacking DNS to block the updates of the switch!

[Mr. Wizard]

it will be most likely executable on newer firmwares.

This is not guaranteed, especially if someone reports it to Nintendo for the reward and then Nintendo silently patches it.

I imagine we can't stay on 2.0 forever though, but I'm going to wait until it's absolutely necessary to update.

If you are really paranoid the best thing to do is get a second console and keep it on 2.0.

If an exploit is found on 2.0 in a year or so watch the mad rush of people going to buy another console in the hopes they are still sold with the 1.0 firmware haha! Then selling their updated one.

But then 1.0 doesn't have a browser lolz.

I'm guessing the first exploit will be a hard mod.

 

[Miller]

this is from the ReSwitched Discord

anyone willing to make a DNS that only blocks the update and not the eshop/game updates?

 

[Mr. Wizard]

this is from the ReSwitched Discord

anyone willing to make a DNS that only blocks the update and not the eshop/game updates?

Just block it yourself. Also I have never seen that server. I have seen atum.hac.lp1.d4c.nintendo.net though. Did that person misspell it? The one you posted is spelled different. Maybe it's a different region than NA?

I can confirm in NA that the sun.hac.lp1.d4c.nintendo.net server is the one you want to block for system updates. Which makes sense since everything revolves around the sun. Although the meaning of Atum is equally powerful. I wonder what it's for.

UPDATE: I can confirm atum.hac.lp1.d4c.nintendo.net is the game download server. I deleted snake pass and tried to redownload it with atum blocked and got an error.

 

[Switchssb]

Ok I had a quick look at your manual:

http://www.downloads.netgear.com/files/GDC/C6250/C6250_UM_EN.pdf

Chapter 5
Secure Your Network

Block Keywords and Domains for HTTP Traffic........Page 66

Clearly it states that you need to be using KEYWORDS or DOMAINS.

A keyword/domain being: sun.hac.lp1.d4c.nintendo.net

Do not enter anything else but that. You do not need http or https, just the keyword, a word that is in the url that you want to block.

For further example, if I wanted to block:

http://google.com

I would then enter into the block list:

google.com

And that is it.

You can also block IP address' under Service blocking, you can set up to block a tcp/udp service using the IP addess that http://sun.hac.lp1.d4c.nintendo.net:443 resolves to which in my area is 23.194.102.48.

You can easily find the IP by opening a command prompt and using the command:

ping sun.hac.lp1.d4c.nintendo.net

You will get this:

Pinging e4835.g.akamaiedge.net [23.194.102.48] with 32 bytes of data:
Reply from 23.194.102.48: bytes=32 time=12ms TTL=60
Reply from 23.194.102.48: bytes=32 time=12ms TTL=60
Reply from 23.194.102.48: bytes=32 time=9ms TTL=60
Reply from 23.194.102.48: bytes=32 time=12ms TTL=60

Ping statistics for 23.194.102.48:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 12ms, Average = 11ms

--------------------- MERGED ---------------------------

you could also use keywords such as

sun
hac
lp1
d4c

But in doing so they are not very specific and any website address you may want to visit with these words in them will be blocked.

--------------------- MERGED ---------------------------


tl:dr

Just enter sun.hac.lp1.d4c.nintendo.net without the http or https and it should work.

So i have an Asus DSL55U C1 and have access to url filtering, keyword, and network services

url filtering has a max of 27 characters, so i can't block it there

so instead i got my own ip for it which for australia is http://23.7.30.191/
and have blocked that using the network services filter. only problem is, that blocks everything including the eshop, which is not what i wanted. i just want the system update nag to go away, but still be able to access the eshop/friends, online if possible (which i think you mentioned is) Halp pls


http://puu.sh/v5cZA/3b0a207079.png

 

[Mr. Wizard]

So for all you that don't know how to use ping and want an equally easy non destructive way of testing to see if your router is blocking the update server you can just enter this url into any browser behind your router:

https://sun.hac.lp1.d4c.nintendo.net/

If it is being blocked you will get this:

If it is NOT being blocked you will get this:

If you get this it means you are accessing the http page, the Switch uses https. Some routers do not block https.

--------------------- MERGED ---------------------------

So i have an Asus DSL55U C1 and have access to url filtering, keyword, and network services

url filtering has a max of 27 characters, so i can't block it there

so instead i got my own ip for it which for australia is http://23.7.30.191/
and have blocked that using the network services filter. only problem is, that blocks everything including the eshop, which is not what i wanted. i just want the system update nag to go away, but still be able to access the eshop/friends, online if possible (which i think you mentioned is) Halp pls


http://puu.sh/v5cZA/3b0a207079.png

Have you tried updating your router's firmware?
Unfortunately it seems your router does not support blocking https sites. New firmware might change this.

You can try entering sun.hac.lp1.d4c.nintendo.net into the KEYWORD filter, but it may not work.


You can use:

Fiddler proxy - http://www.telerik.com/fiddler
SimpleDNS - http://simpledns.com/
MaraDNS - http://maradns.samiam.org/

These need to be run on a computer anytime you want internet access for the switch. (This is the method I use, way more advanced control than my routers.)


Also, your router is the one with the cable modem built in. It doesn't support custom firmware such as Tomato or DD-WRT which have more advanced options than the consumer version of Asus-WRT.

You can also bridge your router to basically turn it into just a modem, then buy a more advanced router.

The problem with just blocking an IP address is that it can change at any time.

 

[Cava]

So for all you that don't know how to use ping and want an equally easy non destructive way of testing to see if your router is blocking the update server you can just enter this url into any browser behind your router:

https://sun.hac.lp1.d4c.nintendo.net/

If it is being blocked you will get this:

If it is NOT being blocked you will get this:

If you get this it means you are accessing the http page, the Switch uses https. Some routers do not block https.

--------------------- MERGED ---------------------------



Have you tried updating your router's firmware?
Unfortunately it seems your router does not support blocking https sites. New firmware might change this.

You can try entering sun.hac.lp1.d4c.nintendo.net into the KEYWORD filter, but it may not work.


You can use:

Fiddler proxy - http://www.telerik.com/fiddler
SimpleDNS - http://simpledns.com/
MaraDNS - http://maradns.samiam.org/

These need to be run on a computer anytime you want internet access for the switch. (This is the method I use, way more advanced control than my routers.)


Also, your router is the one with the cable modem built in. It doesn't support custom firmware such as Tomato or DD-WRT which have more advanced options than the consumer version of Asus-WRT.

You can also bridge your router to basically turn it into just a modem, then buy a more advanced router.

The problem with just blocking an IP address is that it can change at any time.

Can you write please a how to guide to set up the fiddler or simpledns or maradns on windows?

 

[Mr. Wizard]

Can you write please a how to guide to set up the fiddler or simpledns or maradns on windows?

Done!

https://gbatemp.net/threads/tutorial-fiddler-setup-guide-for-blocking-update-server.466328/

 

[Cava]

Done!

https://gbatemp.net/threads/tutorial-fiddler-setup-guide-for-blocking-update-server.466328/

You DA MAN man!

 

[Switchssb]

So for all you that don't know how to use ping and want an equally easy non destructive way of testing to see if your router is blocking the update server you can just enter this url into any browser behind your router:

https://sun.hac.lp1.d4c.nintendo.net/

If it is being blocked you will get this:

If it is NOT being blocked you will get this:

If you get this it means you are accessing the http page, the Switch uses https. Some routers do not block https.

--------------------- MERGED ---------------------------



Have you tried updating your router's firmware?
Unfortunately it seems your router does not support blocking https sites. New firmware might change this.

You can try entering sun.hac.lp1.d4c.nintendo.net into the KEYWORD filter, but it may not work.


You can use:

Fiddler proxy - http://www.telerik.com/fiddler
SimpleDNS - http://simpledns.com/
MaraDNS - http://maradns.samiam.org/

These need to be run on a computer anytime you want internet access for the switch. (This is the method I use, way more advanced control than my routers.)


Also, your router is the one with the cable modem built in. It doesn't support custom firmware such as Tomato or DD-WRT which have more advanced options than the consumer version of Asus-WRT.

You can also bridge your router to basically turn it into just a modem, then buy a more advanced router.

The problem with just blocking an IP address is that it can change at any time.

So when entering that address i get http://puu.sh/v6dWl/f59304673f.png
and yeah i'll check and see if the modem has any firmware, also yeah it was a previous adsl2+ modem router. unfortunately not compatible with tomato :'C

 

[Mr. Wizard]

So when entering that address i get http://puu.sh/v6dWl/f59304673f.png
and yeah i'll check and see if the modem has any firmware, also yeah it was a previous adsl2+ modem router. unfortunately not compatible with tomato :'C

Looks like it's being blocked.

 

[rooshoes]

Have you tried updating your router's firmware?
Unfortunately it seems your router does not support blocking https sites. New firmware might change this.

You can try entering sun.hac.lp1.d4c.nintendo.net into the KEYWORD filter, but it may not work.

My Asus RT-AC68U says this too but it still blocks connections to the server when added to the URL filter list.

I honestly think this is a typo in the router's help text, because it doesn't make any sense: regardless of whether delivered compressed or HTTPS, a website's domain name is still communicated in plaintext. You wouldn't be able to filter a specific request to that domain if HTTPS is present, but in this case we want to block ALL requests to the server so that's not a concern. I'm glad it seems to work regardless of this warning.

 

[Mr. Wizard]

My Asus RT-AC68U says this too but it still blocks connections to the server when added to the URL filter list.

I honestly think this is a typo in the router's help text, because it doesn't make any sense: regardless of whether delivered compressed or HTTPS, a website's domain name is still communicated in plaintext. You wouldn't be able to filter a specific request to that domain if HTTPS is present, but in this case we want to block ALL requests to the server so that's not a concern. I'm glad it seems to work regardless of this warning.

I have that one too, awesome router. Ever thought of putting AdvancedTomato on it?

https://advancedtomato.com/

Tomato Firmware 1.28.0000 -3.4-138 K26ARM USB AIO-64K
USB support integration and GUI, IPv6 support, Linux kernel 2.6.36.4brcmarm and Broadcom Wireless Driver 6.37.14.86 (r456083)
Copyright (C) 2013-2014 Tomato-ARM Team

Tomato-ARM Team:
- Michał Rupental (Shibby)
- Ofer Chen (roadkill)
- Vicente Soriano (Victek)

AdvancedTomato
- Complete interface re-design
- GUI related improvements, optimizations and changes
- Various themes and color schemes
- AdvancedTomato logo by Jacky, re-vectored by WaLLy3K
- Based on Tomato by Shibby

Copyright (C) 2014 Jacky Prahec
OpenVPN integration and GUI
Copyright (C) 2010 Keith Moyer,
[email protected]
"Shibby" features
- Transmission 2.92 integration
- GUI for Transmission
- NFS utils integration and GUI
- Custom log file path
- SD-idle tool integration for kernel 2.6
- 3G Modem support (big thanks for @LDevil)
- MutliWAN feature (written by @Arctic, modified by @Shibby)
- SNMP integration and GUI
- APCUPSD integration and GUI (implemented by @arrmo)
- DNScrypt-proxy 1.4.0 integration and GUI
- TOR Project integration and GUI
- OpenVPN: Routing Policy
- TomatoAnon project integration and GUI
- TomatoThemeBase project integration and GUI
- Ethernet Ports State
- Extended MOTD (written by @Monter, modified by @Shibby)
- Webmon Backup Script

Copyright (C) 2011-2013 Michał Rupental
http://openlinksys.info
"JYAvenard" features
- OpenVPN enhancements & username/password only authentication
- PPTP VPN Client integration and GUI

Copyright (C) 2010-2012 Jean-Yves Avenard
[email protected]
"Victek" features
- Extended Sysinfo
- Captive Portal. (Based in NocatSplash)
- Web Server. (NGinX)

Copyright (C) 2007-2011 Ofer Chen & Vicente Soriano
http://victek.is-a-geek.com
"Teaman" features
- QOS-detailed & ctrate filters
- Realtime bandwidth monitoring of LAN clients
- Static ARP binding
- VLAN administration GUI
- Multiple LAN support integration and GUI
- Multiple/virtual SSID support (experimental)
- UDPxy integration and GUI
- PPTP Server integration and GUI

Copyright (C) 2011 Augusto Bott
Tomato-sdhc-vlan Homepage
"Lancethepants" features
- DNSSEC integration and GUI
- DNSCrypt-Proxy selectable/manual resolver
- Comcast DSCP Fix GUI - Tinc Daemon integration and GUI

Copyright (C) 2014 Lance Fredrickson
[email protected]
"Toastman" features
- Configurable QOS class names
- Comprehensive QOS rule examples set by default
- TC-ATM overhead calculation - patch by tvlz
- GPT support for HDD by Yaniv Hamo
- Tools-System refresh timer

Copyright (C) 2011 Toastman
Using QoS - Tutorial and discussion
"Tiomo" features
- IMQ based QOS Ingress
- Incoming Class Bandwidth pie chart

Copyright (C) 2012 Tiomo
"Victek/PrinceAMD/Phykris/Shibby" feature
- Revised IP/MAC Bandwidth Limiter
Tomato-hyzoom feature
- MySQL Server integration and GUI
Copyright (C) 2014 Bao Weiquan, Hyzoom, [email protected]

 

[RemixDeluxe]

@Mr. Wizard

I blocked out sun.hac.lp1.d4c.nintendo.net on my Switch and my PC. I tested it on my PC and the URL is definitely blocked but on the Switch the console says up to date but sometimes when I check I get error code: 2137-8007 rather than all the time. I'll use wireshark later but I believe just maybe there is another URL thats being pulled for updates. I'll post back if I come across anything new.

 

[Mr. Wizard]

@Mr. Wizard

I blocked out sun.hac.lp1.d4c.nintendo.net on my Switch and my PC. I tested it on my PC and the URL is definitely blocked but on the Switch the console says up to date but sometimes when I check I get error code: 2137-8007 rather than all the time. I'll use wireshark later but I believe just maybe there is another URL thats being pulled for updates. I'll post back if I come across anything new.

Interestingly enough I get a completely different error when going to "System Update". And I consistently get it every single time. Are you sure your blocking is functioning properly? How else have you tested it?

 

[RemixDeluxe]

Interestingly enough I get a completely different error when going to "System Update". And I consistently get it every single time. Are you sure your blocking is functioning properly? How else have you tested it?

I've been blocking the same way I did it for my Wii U.

I am also blocking these URLs for the Switch

receive-lp1.dg.srv.nintendo.net
receive-lp1.er.srv.nintendo.net
google-analytics.com
googletagmanager.com

 

[Mr. Wizard]

I've been blocking the same way I did it for my Wii U.

I am also blocking these URLs for the Switch

receive-lp1.dg.srv.nintendo.net
receive-lp1.er.srv.nintendo.net
google-analytics.com
googletagmanager.com

Yup, I am blocking the exact same URLs, I don't know what else to say. My friend's switch gets the same error as me when going to system update. And neither of us has gotten another nag screen yet since the update came out. Your experience seems different for some reason, I can only suspect it has something to do with the way you are trying to block them. How are you blocking them?

Also I had a weird eshop error one time I had to unblock google for a minute in order to get the eshop to display, after turning google blocking back on I have not received that error again for some reason.

 

[yahoo]

this is from the ReSwitched Discord

anyone willing to make a DNS that only blocks the update and not the eshop/game updates?

It's right here, from Daeken, the organizer of ReSwitched https://gbatemp.net/threads/reswitched-dns-update-blocker.466316/

 

[Cyan]

Mr. Wizard, thanks for keeping your first post updated with the purpose of each urls.
I added a note in the first post of the thread to look at your post for url lists.

edit:
3DS has that URL cbvc.cdn.nintendo.net used to check the latest browser version, and prevent using it if a new version was available.
I guess there's no real browser on switch, so they don't have similar check?

 

[Mr. Wizard]

Mr. Wizard, thanks for keeping your first post updated with the purpose of each urls.
I added a note in the first post of the thread to look at your post for url lists.

edit:
3DS has that URL cbvc.cdn.nintendo.net used to check the latest browser version, and prevent using it if a new version was available.
I guess there's no real browser on switch, so they don't have similar check?

Cool.

I haven't noticed the switch call to any nintendo servers when breaking into the captive portal browser. Maybe once they patch in a full browser? Then again they seem to be doing things different such as the nag screen and update are not persistent on the Switch, auto-updates can be turned off, you can block the firmware server without breaking the eshop.

Hopefully they are being a little too confident in their security.

 

[RemixDeluxe]

@Mr. Wizard My router is unable to block encrypted URLs. I called Linksys technical support and they told me my specific router model is unable to do it. I put in a ticket and they said to call back in a couple of months while they look into it.

For everyone else, if you arent getting Error Code: 2137-8056 then you arent blocking the updates.