3DS HTTP/S with Fiddler or similar?

Discussion in '3DS - Flashcards & Custom Firmwares' started by pcmantinker, Feb 2, 2015.

  1. pcmantinker (OP), Advanced Member
    Has anyone managed to install Fiddler's root certificate on the 3DS to decrypt SSL traffic? I managed to reverse engineer the HTTP/S traffic of some mobile apps using this technique. I would prefer doing it on Gateway emuNAND, but if someone has done it on their CFW, I would be interested in their findings. I want to understand the HTTP/S traffic sent to/from the 3DS so I can analyze applications such as Friends and potentially the eShop. It would be cool to provide some sort of public API for querying friends' online statuses or searching the eShop for instance.
     
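    Installing a proxy's root certificate only works against clients that accept whatever the device's certificate store trusts; an application that pins its server's public key rejects the proxy-issued certificate even after the root is installed. As an added example, not code from this thread or from any 3DS tool, here is a Go program that builds a genuine chain and an interception chain for the same host and evaluates both against a client with and without pinning. The function names (`makeChain`, `SPKIPin`, `Accept`, `RunScenario`), the hostname `example.invalid` and the CA names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// makeChain builds a self-signed root named caName and a server certificate for host
// signed by it (constructed test data; the "proxy" root plays an interception root).
func makeChain(caName, host string) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN is what hostname verification checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)), the value an app ships as its pin.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Accept is the client's decision: trust-store validation of leaf for host, plus an SPKI
// pin check when pin is non-empty. An extra installed root can pass the first check, but
// the proxy's leaf carries a different key and so cannot match the pin.
func Accept(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false
	}
	return pin == "" || SPKIPin(leaf) == pin
}

type Outcome struct {
	ProxyTrustedByDefault    bool // proxy leaf, store holds only the real root, no pin
	ProxyTrustedAfterInstall bool // proxy leaf, proxy root installed, no pin
	PinRejectsProxy          bool // proxy leaf, proxy root installed, pin enforced
	PinAcceptsReal           bool // genuine leaf, proxy root installed, pin enforced
}

// RunScenario runs both chains through a client with and without pinning.
func RunScenario() (Outcome, error) {
	const host = "example.invalid" // constructed hostname
	realRoot, realLeaf, err := makeChain("Real Root CA", host)
	if err != nil {
		return Outcome{}, err
	}
	proxyRoot, proxyLeaf, err := makeChain("Interception Proxy Root", host)
	if err != nil {
		return Outcome{}, err
	}
	onlyReal, withProxy := x509.NewCertPool(), x509.NewCertPool()
	onlyReal.AddCert(realRoot)
	withProxy.AddCert(realRoot)
	withProxy.AddCert(proxyRoot) // the store after the user installs the proxy root
	pin := SPKIPin(realLeaf)     // pin taken from the genuine server key at build time
	return Outcome{
		ProxyTrustedByDefault:    Accept(proxyLeaf, onlyReal, host, ""),
		ProxyTrustedAfterInstall: Accept(proxyLeaf, withProxy, host, ""),
		PinRejectsProxy:          !Accept(proxyLeaf, withProxy, host, pin),
		PinAcceptsReal:           Accept(realLeaf, withProxy, host, pin),
	}, nil
}
```

    The second outcome is the situation the thread is asking about: once the proxy root is in the trust store, an unpinned client accepts the proxy's certificate and the proxy can read the traffic. The third outcome is why this does not work against every client, and why a pinned application has to be handled differently from one that relies on the device store alone.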
  2. pcmantinker (OP), Advanced Member
    Am I on the right track if I can successfully decrypt/unpack certs.db? I don't know much about 3DS NAND, but I saw on http://3dbrew.org/wiki/Title_Database that certs.db refers to certificates for verifying TMD and other certificates. It's possible that SSL certificates live here too, but I'm not sure. Can anyone shed some light on this?
     
  3. cearp, the ticket master
    Sure, but surely that too is signed, right? I don't think it would be so simple :) - but yeah, try.
     
  4. pcmantinker (OP), Advanced Member
    After some time, I'm afraid that I don't quite have the knowledge currently to decrypt, encrypt and sign certificates as needed. It would be really great to view HTTP traffic though, as we could confirm what gets sent from any application or game on the 3DS. It could solve the mystery of whether 3DZ game headers are sent with HTTP requests to Nintendo's servers. I can see this being beneficial for other uses too. Eventually, we could reverse engineer enough HTTP traffic to create custom game servers. Of course, each game probably has its own protocol, but getting the HTTP messages would be a good start.
     
  5. Oishikatta, GBAtemp Advanced Fan
    cearp, do you have any hints for getting 3DS stuff loaded into IDA?
     
  6. shinyquagsire23, SALT/Sm4sh Leak Guy
    code.bin is loaded into 0x100000 by default I believe. Not sure about anything else though.
     
  7. cearp, the ticket master
    Ha, I am the last person to ask! :)