Homebrew Save Nintendo WiFi - A project to save online servers for DS (and Wii) games

Lakster

Member
Newcomer
Joined
Jan 18, 2013
Messages
8
Trophies
0
Age
31
XP
71
Country
United States
Quick question: Would it be possible to use AR codes to do the NoSSL patching for NDS like the one that FIX94 made for the Wii? You'd still have to have an AR/Flashcard to play the games online once the official servers went down, but you'd at least be able to use original carts instead of just ROMs on a flashcard. Although, since it seems like the placement of the online portion of the game's code is different between games (different overlays, in the arm9, etc) there would probably have to be slightly different codes for each game (or at least, several different codes that could work on multiple games) most likely. Of course, that's something that shouldn't be focused on now while you're still developing the server and capturing packets for games, but I would be curious to know if something like that would be possible.
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,284
Country
United Kingdom
Yeah it should be possible Lakster.

The overlays are always loaded into the same place in memory for the game. With that you can then do a check to see if the overlay is in memory (it is not the best, but cheat devices do have "check if something and act accordingly" functionality) and then if it is you can fire off a list of cheats that change it -- I would not try deleting something and padding out and instead just writing the change in.
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,284
Country
United Kingdom
Assuming they even used the library most Wii/DS games would probably have been compiled before the bug was introduced, and even then it would only give you the option to view the memory of the Wii/DS and that is something basically anybody can do (action replay, emulators, DStwo/ismm cheat finding options, practically anything with savestate support....). Unless you mean to take a shot at the servers, not a great thing to suggest on a public forum but I guess there is a possibility they will let the servers get run into the ground so they may have been left unpatched. For most things though SSL seems to be an utterly minor speedbump, sure Nintendo's private keys could be worse things to have but it is not crucial by the looks of things here.
 

Toad King

Well-Known Member
OP
Member
Joined
Aug 19, 2009
Messages
374
Trophies
0
XP
546
Country
United States
If you are still running into issues with the SSL....You could always check if the Wii/DS has that heartbleed vulnerability that's been all over the news lately. :P
Heartbleed is a server bug, not a client bug. Not only is using Heartbleed to steal server keys very illegal, Nintendo's/GameSpy's servers seem to run Windows server, so are not susceptible to Heartbleed.
 

daicon

Well-Known Member
Member
Joined
Feb 16, 2014
Messages
290
Trophies
1
Age
38
XP
307
Country
United States
I wonder why this thread isn't a sticky.. It really does deserve to be promoted in some capacity.
 

madeinair

Well-Known Member
Newcomer
Joined
Jul 16, 2011
Messages
50
Trophies
0
XP
81
Country
This thread is truly awesome, I check it many times each day, in hopes of seeing a new awesome update in this hacking scene :D
 

Asfand

Member
Newcomer
Joined
Aug 5, 2012
Messages
18
Trophies
0
XP
32
Country
United States
I sent a few packets to you Toad, had a question too. Unfortunately, I didn't record myself when doing it though.
 

Toad King

Well-Known Member
OP
Member
Joined
Aug 19, 2009
Messages
374
Trophies
0
XP
546
Country
United States
Got them.

It looks like the Star Force games use different servers between the two different versions. Do the two games not interact like Pokemon games do?
 

Asfand

Member
Newcomer
Joined
Aug 5, 2012
Messages
18
Trophies
0
XP
32
Country
United States
Yes they do interact like the Pokemon games. The SF3s with each other, 2s, 1s etc. P.S., if they do, do you want me to access wifi from the Zerker profiles as well?
 

Toad King

Well-Known Member
OP
Member
Joined
Aug 19, 2009
Messages
374
Trophies
0
XP
546
Country
United States
Oh my mistake, I thought the packets were just for SF3, not all three games.

It does look like 2 and 3 at least are region locked online, judging by games specifically having US in the server names.
 

Asfand

Member
Newcomer
Joined
Aug 5, 2012
Messages
18
Trophies
0
XP
32
Country
United States
Oh my mistake, I thought the packets were just for SF3, not all three games.

It does look like 2 and 3 at least are region locked online, judging by games specifically having US in the server names.


Yeah, I can get the Japan versions as well when I find the time. So, if 2 uses the same server, do I need to get you packets from the Zerker profiles as well or will the ones from the Ninja and Saurian profiles work?
 

Toad King

Well-Known Member
OP
Member
Joined
Aug 19, 2009
Messages
374
Trophies
0
XP
546
Country
United States
Probably not, the games' online features seem simple enough and don't use anything outside of GameSpy servers which we already know a lot about.
 

pleonex

Well-Known Member
Member
Joined
Jan 16, 2009
Messages
204
Trophies
1
Location
Spain & Switzerland
Website
github.com
XP
523
Country
Switzerland
Hi!
This is pretty good! I could not imagine that this would be happening here...

I am working on the translation of the Ninokuni DS game, and it has a wifi connection part where you can download a file with some "magic news" and activate new missions and objects. I have been able to get the decrypted data by finding the RC4 (the symmetric key algorithm used) encoding / decoding asm routine. Since all the data to be sent must be encrypted and all the data received must be decrypted, and the same algorithm is used for both operations, it was easy to dump everything. It was then that I found this post... xD

I have already modified DeSmuME to automatically dump all the data that passes through the RC4 routine into an external text file (it's data, not packets), but as the address of that routine changes with every game it only works with Ninokuni.

Now I am working on a more compatible modification: dump all the packets that are sent and received into PCAP format (Wireshark format). The problem is that it would dump the data encrypted. For this reason I want to make a program to automatically patch every game, including games with compressed ARM9 / overlays (as I have already done it for the Ninokuni translation it is easy).

Another thing I would like to try is to find the RC4 routine automatically with an external tool, pass that address to DeSmuME (for instance as a terminal argument) and use the first method of dumping data. This way there would be no need to use NO SSL patches (for instance in Ninokuni, for the download server it must connect with HTTPS otherwise it will never connect).

If I finally get it working, it would be so easy to get logs, as easy as playing any game in DeSmuME.
Let's do it!
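The PCAP dump pleonex describes above needs the libpcap file layout exactly right or Wireshark will refuse the file. The following is an added example (not pleonex's DeSmuME patch or any code from this thread) that builds such a file from already-captured payload bytes and parses it back, checking the length fields the way a reader should. The two sample payloads, the timestamps and the request path are constructed for the demonstration; only the host name dls1.nintendowifi.net comes from the thread. It uses link type DLT_USER0 (147) because an emulator hook that sees decrypted application data has no Ethernet or IP headers to record.

```python
"""Minimal libpcap writer/reader for emulator-captured payloads (added example)."""
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4   # little-endian magic, microsecond timestamps
LINKTYPE_USER0 = 147      # DLT_USER0: opaque payloads, shown as "User 0" in Wireshark
# Global header: magic, version major/minor, tz offset, sigfigs, snaplen, linktype
GLOBAL_HEADER = struct.Struct("<IHHiIII")
# Per-packet header: ts_sec, ts_usec, captured length, original length
RECORD_HEADER = struct.Struct("<IIII")

# Constructed sample traffic: (timestamp, payload) as a hook would see it after RC4.
# The path "/news.bin" is an assumption; the host is the one named in the thread.
SAMPLE_PACKETS = [
    (1.0, b"GET /news.bin HTTP/1.1\r\nHost: dls1.nintendowifi.net\r\n\r\n"),
    (1.5, b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n\x01\x02\x03\x04"),
]


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_USER0):
    """Return the 24-byte file header (pcap version 2.4)."""
    return GLOBAL_HEADER.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(payload, ts=None, snaplen=65535):
    """Return one packet record; payloads longer than snaplen are truncated
    but orig_len keeps the real size, as libpcap does."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = payload[:snaplen]
    return RECORD_HEADER.pack(sec, usec, len(captured), len(payload)) + captured


def build_pcap(packets, snaplen=65535, linktype=LINKTYPE_USER0):
    """Serialise a list of (timestamp, payload) pairs into pcap file bytes."""
    out = [pcap_global_header(snaplen, linktype)]
    out.extend(pcap_record(p, ts, snaplen) for ts, p in packets)
    return b"".join(out)


def write_pcap(path, packets, **kw):
    """Write the capture to disk so it can be opened in Wireshark."""
    with open(path, "wb") as fh:
        fh.write(build_pcap(packets, **kw))


def read_pcap(data):
    """Parse pcap bytes into (linktype, [(timestamp, payload, orig_len), ...]).
    Raises ValueError on a bad magic or on a record that overruns the file or
    its own snaplen, rather than silently returning garbage."""
    if len(data) < GLOBAL_HEADER.size:
        raise ValueError("file shorter than global header")
    magic, _major, _minor, _tz, _sig, snaplen, linktype = GLOBAL_HEADER.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = GLOBAL_HEADER.size
    records = []
    while off < len(data):
        if len(data) - off < RECORD_HEADER.size:
            raise ValueError("truncated record header")
        sec, usec, incl, orig = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if incl > orig or incl > snaplen:
            raise ValueError("inconsistent record lengths")
        if len(data) - off < incl:
            raise ValueError("truncated packet payload")
        records.append((sec + usec / 1_000_000, data[off:off + incl], orig))
        off += incl
    return linktype, records


if __name__ == "__main__":
    write_pcap("ds_wifi_dump.pcap", SAMPLE_PACKETS)
    for ts, payload, orig in read_pcap(build_pcap(SAMPLE_PACKETS))[1]:
        print(f"{ts:.6f} {orig:5d} bytes  {payload[:40]!r}")
```

Classic pcap has no direction field, so a hook that logs both sent and received buffers into one file has to encode direction somewhere itself (for example a one-byte prefix on each payload, or two separate files); the pcapng format does carry that flag but is considerably more work to write by hand.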
 

Toad King

Well-Known Member
OP
Member
Joined
Aug 19, 2009
Messages
374
Trophies
0
XP
546
Country
United States
Does the Ninokuni game use custom servers? Most of the RC4 encrypted stuff should come from HTTPS connections to Nintendo/GameSpy servers, in which case it's easy to patch it out. However, if it uses encryption over some other protocol I don't think one common tool will work.
 

pleonex

Well-Known Member
Member
Joined
Jan 16, 2009
Messages
204
Trophies
1
Location
Spain & Switzerland
Website
github.com
XP
523
Country
Switzerland
It uses HTTPS, RC4 is the algorithm for SSL. But it connects to another server dls1.nintendowifi.net to download the file. And I have checked that if the game tries to connect to that server using HTTP, the server won't reply. That is, if the TCP SYN packet sent goes to port 80, the server won't start a communication.

Here is the log I could dump when downloading the "magic news" file (the file is sent in binary form, but I have converted it into a hex stream to be able to analyze it without using hex editors).
 

Attachments

  • wifi_log_news.txt
    16.6 KB · Views: 406

Toad King

Well-Known Member
OP
Member
Joined
Aug 19, 2009
Messages
374
Trophies
0
XP
546
Country
United States
Yeah, to connect to the download server over HTTP you need to use an SSL tunnel. I have one on my site that you can use to get unencrypted dumps that way.

The actual content of the file is probably game-specific and will have to be decoded on a game-by-game basis. I know SSB:B also uses the download server on connection for something (I think it used to have a pic of the day feature, but it tries to find two different files) and other games probably have some too.
 

Asfand

Member
Newcomer
Joined
Aug 5, 2012
Messages
18
Trophies
0
XP
32
Country
United States
Hey Toad, for SF2 Japan version, I can only get my hands on a ZerkerxNinja save to the point where I can go on wifi on the Ninja profile (wifi features are unlocked at a certain point in the game). Is it alright if I only give you those packets? Since ZerkerxNinja and ZerkerxSaurian interact with each other in Japan too.

Also, I see that on the list on your website, you don't have packets for many Pokemon games, especially probably the most popular ones for DS, BW/BW2. No one has sent those in?
 
