[Tutorial] Add custom root certs to the Wii U's browser

Discussion in 'Wii U - Tutorials' started by aplumafreak500, Apr 19, 2017.

  1. aplumafreak500
    OP

    aplumafreak500 Member

    Newcomer
    31
    15
    Dec 20, 2014
    United States
    Meyersdale, PA
    NOTE: I am not responsible if you brick.

    Hi there. This tutorial will allow you to use custom SSL certs in the Wii U's browser. This will not need signature patches to run, but it does require them to make the modification.

    This has been tested with a 5.5.1U system with Haxchi enabled.

    1. Activate CFW or signature patches using Mocha, Haxchi, or CHBC.
    2. Go into FTPii Everywhere.
    3. On an FTP client, navigate to /storage_mlc/sys/title/00050030/10012x0a/content/browser where x is 0 for Japan, 1 for America, and 2 for Europe.
    4. Download the file rootCA.pem.
    5. Open this file in a text editor.
    6. Find some root certificates (in PEM format) to add to the file. If they aren't in PEM format, convert them using OpenSSL. Personally, I would recommend adding Fiddler's root cert, and the DST Root CA X3 root cert (which will make Let's Encrypt sites, such as GBATemp, work with the Wii U). PEM certificates can also be obtained (in Windows) by exporting them from the "Copy to File" dialog which comes up when you view a certificate's properties.
    7. Append the desired certificates to rootCA.pem and save it.
    8. Upload it back to the Wii U.
    9. Test it by opening the browser, and visiting a site that uses your certificates. If it worked, you should not be prompted to manually allow SSL connections to hosts that use those certificates.
    I hope you found this tutorial useful! Feel free to reply with any questions!
     
    Last edited by aplumafreak500, Apr 22, 2017
  2. THEELEMENTKH

    THEELEMENTKH AN ANGRY GIRAFFE!

    Member
    927
    583
    May 31, 2016
    Spain
    Hell
    Sweet! But what can we do with this? :unsure:
     
    TarkinMX likes this.
  3. ShadowOne333

    ShadowOne333 GBAtemp Guru

    Member
    7,064
    4,475
    Jan 17, 2013
    Mexico
    Access certain websites which cannot be accessed through the normal Wii U's Browser due to new SSL certificates.
    Some examples I can think of are Starmen.net's Forums and the other being Libretro.com and all of its related links, including the buildbot.

    @aplumafreak500 do you happen to know what exactly do I need to do to access those two sites specifically?
    I've been wanting to do this for a long time, and now that it's possible I am greatly interested in re-enabling access to those two sites through my Wii U Browser.

    Btw, I don't think posting links to the PEM files for the certificates is against the rules, so here:
    https://github.com/kivy/kivy-sdk-packager/blob/master/win/DST Root CA X3.pem

    That's the one for DST Root CA X3 certificate in PEM format, I am only lacking the Fiddler's one.
     
    Last edited by ShadowOne333, Apr 20, 2017
  4. aplumafreak500
    OP

    @ShadowOne333 Basically, append the desired PEM certificates to rootCA.pem as described above. Analysis of those two sites shows that they use a certificate chain with AddTrust External CA as its root. Idk if it's in the certificate store, but by following the steps above, they can be "trusted" by the Wii U browser.
     
    ShadowOne333 likes this.
  5. ShadowOne333

    How do you check the sites for the certificate?
    It's these two in particular:
    https://forum.starmen.net/
    https://libretro.com/

    They both throw:
    I talked to the main admins in both sites and the error started occurring right when they updated their SSL certificates as mentioned here:
    https://forum.starmen.net/forum/Fan...Wii-U-but-I-can-access-just-fine-on-my-laptop

    Btw do you have a link to Fiddler's root cert?
    I'm missing that one out of the two you mention in the OP.
     
    Last edited by ShadowOne333, Apr 22, 2017
  6. Felek666

    Felek666 Demonically Uncontrollable

    Member
    3,509
    3,930
    Jan 3, 2017
    Poland
    reddit.com/r/satania/
     
  7. aplumafreak500
    OP

    We're dealing with the Wii U's stores, not those of a PC. However, obtaining Fiddler's certificate is the same. We download the cert by going to http://10.0.0.20:8888/FiddlerRoot.cer (replace 10.0.0.20:8888 with the host name and port of your Fiddler machine). It's in DER format though so we have to make it PEM format before importing it.

    As for the error code, I assume it isn't related to the certificates, and it is instead an unsupported TLS protocol. I'll try it tonight and report back.
     
    ShadowOne333 likes this.
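
    The append step from the tutorial and the DER-to-PEM conversion mentioned in the post above, as an added example that is not part of the original thread. It normalizes a certificate to PEM, refuses input that is not DER, and skips certificates already present in the bundle; the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_blocks(pem_text):
    """Decode every CERTIFICATE block in PEM text to its DER bytes."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]

def fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate, in file order."""
    return [hashlib.sha256(der).hexdigest() for der in der_blocks(pem_text)]

def to_pem(cert_bytes):
    """Accept one certificate as DER or PEM bytes; return normalized PEM text."""
    if b"-----BEGIN CERTIFICATE-----" in cert_bytes:
        blocks = der_blocks(cert_bytes.decode("ascii"))
        if len(blocks) != 1:
            raise ValueError("expected exactly one PEM certificate")
        der = blocks[0]
    else:
        der = cert_bytes
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE (tag 0x30)
        raise ValueError("not a DER-encoded certificate")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"

def append_cert(bundle_text, cert_bytes):
    """Return (new_bundle, added); skip certificates already in the bundle."""
    pem = to_pem(cert_bytes)
    if fingerprints(pem)[0] in fingerprints(bundle_text):
        return bundle_text, False
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"  # keep the END/BEGIN markers on separate lines
    return bundle_text + pem, True

if __name__ == "__main__":
    # Constructed stand-ins, not real certificates: tiny DER SEQUENCEs.
    existing = to_pem(b"\x30\x03\x02\x01\x01")
    bundle, added = append_cert(existing.rstrip("\n"), b"\x30\x03\x02\x01\x02")
    print(added, len(fingerprints(bundle)))
```

    Every certificate in rootCA.pem is a trust anchor for the browser, so compare the fingerprints of the edited file against the untouched download before uploading, and keep that download as a backup.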
  8. aplumafreak500
    OP

    Sorry for double post. I found out that the server closes the connection due to an SSL handshake error, which occurs before the server even presents its certificate. It seems to be related to the cipher suite the browser presents, which seems to be incompatible with the remote server.

    So, this means that this particular error is unrelated to the certificates.

    TL;DR Ask the site's admins about changing its SSL cipher suite.
     
    ShadowOne333 likes this.
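
    A way to confirm the diagnosis in the post above from a packet capture, as an added example that is not part of the original thread. It walks the TLS records the server sent and reports whether a Certificate message appeared before the connection ended; it assumes unencrypted, unfragmented handshake records (TLS 1.2 or earlier), and the function names and sample bytes are constructed for illustration.

```python
import struct

# Alert descriptions and handshake message types from the TLS specification.
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security"}
HANDSHAKE = {2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def walk_records(data):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        if pos + 5 + length > len(data):
            break  # truncated capture: stop at the last complete record
        yield ctype, data[pos + 5:pos + 5 + length]
        pos += 5 + length

def diagnose(server_bytes):
    """Report which handshake messages the server sent and any alert."""
    messages, alert = [], None
    for ctype, payload in walk_records(server_bytes):
        if ctype == 22:  # handshake record: type(1) + length(3) + body, repeated
            off = 0
            while off + 4 <= len(payload):
                messages.append(HANDSHAKE.get(payload[off], f"type_{payload[off]}"))
                off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")
        elif ctype == 21 and len(payload) == 2:  # alert record: level, description
            alert = ALERTS.get(payload[1], f"alert_{payload[1]}")
            break
    # No Certificate message means negotiation failed before trust was evaluated.
    stage = "certificate_sent" if "Certificate" in messages else "before_certificate"
    return {"messages": messages, "alert": alert, "stage": stage}

if __name__ == "__main__":
    # Constructed capture: the server answers the ClientHello with a fatal alert.
    rejected = bytes.fromhex("15030300020228")
    print(diagnose(rejected))
```

    A result of `before_certificate` means the server rejected the connection during parameter negotiation, so editing rootCA.pem cannot change the outcome.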
  9. ShadowOne333

    Thanks! That'll help to narrow it down for them :)
     
  10. Noctosphere

    Noctosphere Moon furries | Official follower of Skiddon't-ism

    Member
    2,059
    1,981
    Dec 30, 2013
    Canada
    Between three furries women
    I have a problem: in FTPiiU I get only the "sd" folder, not "storage"
     
  11. aplumafreak500
    OP

    You have to be running FTPiiU Everywhere under a CFW or signature patched environment. The regular FTPiiU does not have MLC access, hence the lack of storage_* folders.