Hacking Blocking 3DS updates via firewall

SweetieBelle

Hi there, Search didn't prove fruitful so I thought I would ask..

Does anyone have the update server addresses so that we can add them to a firewall block list and has anyone done this, and had it work?

I would like to play games via the net and the latest versions all now auto update, I do not have a DS lite to repatch if it goes wrong >.>

Any help is appreciated, thanks.
~SweetieBelle
 

rondoh70

The idea I have is to just put the Nintendo server name or IP address into your firewall and it should block all incoming connections from the website.
 

SweetieBelle

> The idea I have is to just put the Nintendo server name or IP address into your firewall and it should block all incoming connections from the website.

It will from the website yes, however I suspect the server is elsewhere online and is likely a direct connection to an IP address as opposed to connecting to something.nintendo.com, otherwise I could just block *nintendo*.
 

shoyrumaster11

> > The idea I have is to just put the Nintendo server name or IP address into your firewall and it should block all incoming connections from the website.
>
> It will from the website yes, however I suspect the server is elsewhere online and is likely a direct connection to an IP address as opposed to connecting to something.nintendo.com, otherwise I could just block *nintendo*.

But wait, we don't know the IP for the Nintendo 3DS/DSi/WII/WII-U update service or the Nintendo Eshops and DSiWare shops. I just think IP blocking for services like these requires you to actually block the reversed IP address!
 

Foxi4

Does your router support traffic status checks?

Before your 3DS requests an update, (I'm guessing here) it pings the regional or global update server to cross-check version numbers of the firmware. The address should pop up in your router's log then, assigned to your 3DS's MAC and/or ID, even before you Accept/Decline.

> But wait, we don't know the IP for the Nintendo 3DS/DSi/WII/WII-U update service or the Nintendo Eshops and DSiWare shops. I just think IP blocking for services like these requires you to actually block the reversed IP address!

On the Wii it was actually NUS.shop.wii.com (209.67.106.201) as far as I remember - how do you think NUS Downloader works? ;)
 

shoyrumaster11

> Does your router support traffic status checks?
>
> Before your 3DS requests an update, (I'm guessing here) it pings the regional or global update server to cross-check version numbers of the firmware. The address should pop up in your router's log then, assigned to your 3DS's MAC and/or ID, even before you Accept/Decline.
>
> > But wait, we don't know the IP for the Nintendo 3DS/DSi/WII/WII-U update service or the Nintendo Eshops and DSiWare shops. I just think IP blocking for services like these requires you to actually block the reversed IP address!
>
> On the Wii it was actually NUS.shop.wii.com (209.67.106.201) as far as I remember - how do you think NUS Downloader works? ;)

Tried going to NUS with my computer. Got a blank page!
 

Foxi4

> Tried going to NUS with my computer. Got a blank page!

Of course you got a blank page - it's a computer, not a Wii. It runs a check on the browser. ;)

It used to work normally on certain browsers - in fact, you could even access the shop, but it was later patched. Now you need direct URLs to access files.

http://gbatemp.net/t...ocess-analyzed/

Here's more 3DS-specific update info that could be useful.

In any case, according to Cyan's findings, the servers are:

conntest.nintendowifi.net - used for testing the connection
nus.cdn.c.shop.nintendowifi.net - stores actual updates (EUR region? Not sure if global or not)

The connection test itself appears to be accessible on the PC as well by entering this address: http://conntest.nint...i.net/test.html
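
An added example, not part of any post in this thread: the router-log approach Foxi4 describes, applied to the two hostnames listed above. It assumes the router runs dnsmasq with query logging enabled; the log lines, the console's LAN address 192.168.1.50 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed dnsmasq-style query log (not captured from a real console).
# 192.168.1.50 stands in for the console, 192.168.1.23 for another LAN host.
SAMPLE_LOG = """\
Oct 20 18:02:11 dnsmasq[412]: query[A] conntest.nintendowifi.net from 192.168.1.50
Oct 20 18:02:11 dnsmasq[412]: reply conntest.nintendowifi.net is 192.0.2.10
Oct 20 18:02:14 dnsmasq[412]: query[A] nus.cdn.c.shop.nintendowifi.net from 192.168.1.50
Oct 20 18:02:15 dnsmasq[412]: query[A] example.org from 192.168.1.23
Oct 20 18:05:40 dnsmasq[412]: query[AAAA] nus.cdn.c.shop.nintendowifi.net from 192.168.1.50
Oct 20 18:05:41 dnsmasq[412]: query[A] NUS.CDN.C.SHOP.NINTENDOWIFI.NET. from 192.168.1.50
"""

# Matches only "query[...] name from client" lines; replies and cache hits are skipped.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def queries_by_client(log_text, client_ip):
    """Count the hostnames one LAN client asked the resolver for."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("client") == client_ip:
            # DNS names are case-insensitive and may carry a trailing root dot.
            counts[m.group("name").rstrip(".").lower()] += 1
    return counts


def dnsmasq_blocklist(counts, keep=()):
    """Emit dnsmasq 'address=' lines that answer 0.0.0.0 for each observed name.

    'address=/name/ip' also covers subdomains of name. Names in 'keep' are
    left resolvable, e.g. the connection-test host.
    """
    keep = {k.lower() for k in keep}
    return [f"address=/{name}/0.0.0.0" for name in sorted(counts) if name not in keep]


if __name__ == "__main__":
    seen = queries_by_client(SAMPLE_LOG, "192.168.1.50")
    for name, n in seen.most_common():
        print(f"{n:3d}  {name}")
    # A name-based block only covers traffic that starts with a DNS lookup;
    # connections made straight to an IP address never show up in this log.
    print("\n".join(dnsmasq_blocklist(seen, keep=["conntest.nintendowifi.net"])))
```
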
 

shoyrumaster11

> > Tried going to NUS with my computer. Got a blank page!
>
> Of course you got a blank page - it's a computer, not a Wii. It runs a check on the browser.
> It used to work normally on certain browsers - in fact, you could even access the shop, but it was later patched. Now you need direct URLs to access files.

Guess that Nintendo patched it knowing that hackers could crack easier like this!
 

Foxi4

> Guess that Nintendo patched it knowing that hackers could crack easier like this!

They didn't do a very good job - all they did was use a check whether the browser is the same version of Opera as on the Wii - you could fool it with relative ease. :P Later they added another fix based on some kind of an authentication protocol, so the shop is no longer accessible. That said, the NUS server still is AFAIK.

http://wiibrew.org/w...Channel_From_PC
 

shoyrumaster11

> > Guess that Nintendo patched it knowing that hackers could crack easier like this!
>
> They didn't do a very good job - all they did was use a check whether the browser is the same version of Opera as on the Wii - you could fool it with relative ease. :P Later they added another fix based on some kind of an authentication protocol, so the shop is no longer accessible. That said, the NUS server still is AFAIK.
>
> http://wiibrew.org/w...Channel_From_PC

All I get now is a 403 error on all "working" pages!
 

Foxi4

> All I get now is a 403 error on all "working" pages!

As of October 23rd, 2008 access to the Wii Shop using a PC and a web browser has been locked down. Nintendo moved away from oss.shop.wii.com (requiring only that you accept the Server Certificate) to oss-auth.shop.wii.com (e.g. https://oss-auth.sho...s/serv/W_01.jsp for the main WiiShop page; you are required to prove your identity with a client-side certificate, also note the new URL structure). You can no longer access the WiiShop from a browser without the required Client Certificate installed in your web browser. Oh, and not that it really matters anymore, but the User Agent is "Opera/9.30 (Nintendo Wii; U; ; 2071; Wii Shop Channel/13.0(A); en)". That is all.
403 - Access Forbidden. ;)

Oh, and just before you all get excited that you can block the updates server - this does not mean that you will be able to access the eShop with an outdated 3DS firmware - all that's going to pop up is an error message of some sort. No miracles are going to happen, this is just a less cumbersome way of avoiding online updates without clicking Decline. :P

Remember that you're still vulnerable as far as cartridge-based updates are concerned.
 

shoyrumaster11

> > All I get now is a 403 error on all "working" pages!
>
> As of October 23rd, 2008 access to the Wii Shop using a PC and a web browser has been locked down. Nintendo moved away from oss.shop.wii.com (requiring only that you accept the Server Certificate) to oss-auth.shop.wii.com (e.g. https://oss-auth.sho...s/serv/W_01.jsp for the main WiiShop page; you are required to prove your identity with a client-side certificate, also note the new URL structure). You can no longer access the WiiShop from a browser without the required Client Certificate installed in your web browser. Oh, and not that it really matters anymore, but the User Agent is "Opera/9.30 (Nintendo Wii; U; ; 2071; Wii Shop Channel/13.0(A); en)". That is all.
> 403 - Access Forbidden. ;)

Ok. Makes sense. I just don't know how exactly warez groups make pirated copies of downloadable games and apps now. I mean. Don't companies like Nintendo block Warez group IPs? If you know how this works, a PM would be accepted by me!
 

Foxi4

> Ok. Makes sense. I just don't know how exactly warez groups make pirated copies of downloadable games and apps now. I mean. Don't companies like Nintendo block Warez group IPs? If you know how this works, a PM would be accepted by me!

No need for a PM, really. The Wii is pretty much wide-open at this point, they just download the unsigned content from the shop and pack it into a .WAD - at this point, the Wii doesn't even mind what it installs when it's softmodded.
 

shoyrumaster11

> > Ok. Makes sense. I just don't know how exactly warez groups make pirated copies of downloadable games and apps now. I mean. Don't companies like Nintendo block Warez group IPs? If you know how this works, a PM would be accepted by me!
>
> No need for a PM, really. The Wii is pretty much wide-open at this point, they just download the unsigned content from the shop and pack it into a .WAD - at this point, the Wii doesn't even mind what it installs when it's softmodded.

I was just thinking of a PM just because I wanted somewhat in-depth and technical info. Plus, don't warez groups decrypt signed content and release an unsigned copy of it or something like that.

PS: My interest in the warez scene came from my interest in the "demoscene"
 

Foxi4

> I was just thinking of a PM just because I wanted somewhat in-depth and technical info. Plus, don't warez groups decrypt signed content and release an unsigned copy of it or something like that.
>
> PS: My interest in the warez scene came from my interest in the "demoscene"

AFAIK, the content bought in the shop is signed on the console itself - knowing the ins and outs of the protocol, you can just conveniently forget to sign it. It's a normal purchase with a normal download ticket. ;)

That said, I may be wrong, so get a second opinion. ;)
 

shoyrumaster11

> > I was just thinking of a PM just because I wanted somewhat in-depth and technical info. Plus, don't warez groups decrypt signed content and release an unsigned copy of it or something like that.
> >
> > PS: My interest in the warez scene came from my interest in the "demoscene"
>
> AFAIK, the content bought in the shop is signed on the console itself - knowing the ins and outs of the protocol, you can just conveniently forget to sign it. It's a normal purchase with a normal download ticket. ;)
>
> That said, I may be wrong, so get a second opinion. ;)

Well, I trust what you are saying, I mean. I guess it can explain part of the reason that downloading from the 3DS Eshop is slow. The 3DS is probably encrypting downloaded data and uploading user info.
 

Foxi4

> Well, I trust what you are saying, I mean. I guess it can explain part of the reason that downloading from the 3DS Eshop is slow. The 3DS is probably encrypting downloaded data and uploading user info.

It would make sense to me. Otherwise, they'd have to send the key used for signing for a particular system as a part of the ticket, and that would pretty much focus the eyes of the entire hacking world on the ticket mechanism. :P
 

justinkb

> > Well, I trust what you are saying, I mean. I guess it can explain part of the reason that downloading from the 3DS Eshop is slow. The 3DS is probably encrypting downloaded data and uploading user info.
>
> It would make sense to me. Otherwise, they'd have to send the key used for signing for a particular system as a part of the ticket, and that would pretty much focus the eyes of the entire hacking world on the ticket mechanism. :P

i doubt the 3ds signs the package itself, that would be a huge hole... and neimod would have already been able to abuse this if that were the case. he'd just breakpoint before the signing starts, dump the raw data, then overwrite some memory containing the signing key with some other 3ds's key and sign it for another 3ds. there's nothing to stop this, unless the signing procedure is a black box hardware chip, instead of software based.

for the record, in this case, they wouldn't have to send the actual encryption key, since it is most likely asymmetric crypto. they'd send some sort of unique identifier (could be the corresponding public key or something else entirely), and nintendo would know which private key to sign the package with.

still, obviously, all proper eshop traffic in the world is encrypted in the first place, so this isn't really interesting.
 

Foxi4

> i doubt the 3ds signs the package itself, that would be a huge hole... and neimod would have already been able to abuse this if that were the case. he'd just breakpoint before the signing starts, dump the raw data, then overwrite some memory containing the signing key with some other 3ds's key and sign it for another 3ds. there's nothing to stop this, unless the signing procedure is a black box hardware chip, instead of software based.
>
> for the record, in this case, they wouldn't have to send the actual encryption key, since it is most likely asymmetric crypto. they'd send some sort of unique identifier (could be the corresponding public key or something else entirely), and nintendo would know which private key to sign the package with.
>
> still, obviously, all proper eshop traffic in the world is encrypted in the first place, so this isn't really interesting.

The encryption key is never available in memory in a "plain" form - it's not easily "dumped" as you think it is - it's always randomly scattered, as it should be on most properly secured systems. I'm pretty sure the 3DS signs its files on the spot - creating an infrastructure which signs the downloads for each and every corresponding unit on-the-fly would be at the very least cumbersome to use and prone to attack.

EDIT: It would appear that I was right, at least as far as the Wii is concerned, according to this release: http://lse.epita.fr/...eek/wii_sec.pdf

The Wii has two security coprocessors which allows for fast encryption and hashing:
The first one: an AES coprocessor which encrypts and decrypts data blocks with a 128 bit key
The second one: a SHA1 coprocessor which hashes data blocks in very few cycles


...which would suggest that the Wii encrypts things all by itself. Now, with the Wii, they made a mistake. The encryption coprocessor temporarily stored the key in Main RAM - it did not have direct access to the OTP chip where the key was stored. I would assume that Nintendo corrected that with the 3DS, so that the encryption and decryption takes place outside of main memory and within the dedicated hardware. If that's the case, then the private key is never in RAM at all. The 3DS would merely have to call for an encryption/decryption and forward an address.

//Totally off-topic, I'll be good now though. ;)
 

justinkb

> ...which would suggest that the Wii encrypts things all by itself. Now, with the Wii, they made a mistake. The encryption coprocessors temporarily stored the key in Main RAM - they did not have direct access to the OTP chip where the key was stored. I would assume that Nintendo corrected that with the 3DS, so that the encryption and decryption takes place outside of main memory and within the dedicated hardware. If that's the case, then the private key is never in RAM at all. The 3DS would merely have to call for an encryption/decryption and forward an address.
>
> //Totally off-topic, I'll be good now though. ;)

very interesting. what a dumb oversight with the wii ;-) still, this gives us the possibility of a modchip based on neimod's hardware, to:

a) get unsigned packages from eshop, directly from memory, before they are encrypted ("ripping")

and then later (on another 3ds, also "chipped")

b) inject them into ram, overwriting another (random) package about to be signed (say, a free demo you are downloading)

of course, this would only be interesting for pirating, not homebrew.
 
