3DS Save Data Transfer Tool potentially has an "End of Life" and seemingly a killswitch?

RedDucks

Well-Known Member
OP
Member
Joined
Apr 28, 2017
Messages
103
Trophies
0
Age
26
XP
774
Country
United States
It's not new information that the Save Data Transfer Tool (SDTT) requires an internet connection to function, but what is surprising is that it has an official EoL and what looks like a "killswitch"

TLDR: The SDTT, a local save data tool with no real need for online connectivity, makes several network requests to get multiple tokens which go unused during use of the tool, with the only apparent purpose being to act as a "killswitch" to end the tools ability to work even for those who have it downloaded post eShop closure (it is not available on the eShop anymore)

For context, I am the lead developer of a project called Pretendo Network. Our team reverse engineers the online communications for games on the WiiU and 3DS in an effort to provide open source replacement servers. So we are often monitoring our consoles traffic for things like this

A bit of backstory: Last night 2 other members of the team, @shutterbug2000 and @hauntii (no gbatemp account), were researching Pokémon and had used the SDTT and saw it downloaded a file from the BOSS server. BOSS is a service on the WiiU and 3DS that allows games to download additional content in the background (for example Splatfest data on the WiiU, and SpotPass data on the 3DS). The file downloaded was named fairy_bl.lrc, and contains what looks to be compressed or encrypted content. We assumed this is some kind of blacklist based on the name, and this was seemingly why the tool needed to go online at all, to check this assumed blacklist. So I began disassembling SDTT to take a closer look at what the file contained. This is where things got interesting

While looking around the app in Ghidra, I found several references to NEX/RendezVous. NEX is the software that Nintendo uses for all first party multiplayer games on the 3DS and WiiU (and some older Switch games). Nintendo did not make this software from scratch, it is based off another set of another piece of software called RendezVous which was originally developed by Canadian company Quazal and was heavily modified which is why there's references to both here (fun side fact, Quazal was later bought by Ubisoft who still uses RendezVous to this day, making all online first party 3DS and WiiU games almost compatible with Ubisofts servers too). This is VERY very odd to be seen here, seeing as SDTT is not a game nor does it have the ability to connect to other consoles at all. So we continued to look even further into things

Screenshot from 2023-07-11 04-35-43.png


Screenshot from 2023-07-11 04-34-54.png


Upon checking the network requests of the SDTT from boot, it indeed does request NEX details from the NASC server! NASC is the server the 3DS uses to request tokens for, and the locations of, servers for online games. This server is carried over from the Wii, and predates the NNID system and it's API (which is why you do not need a NNID for some online 3DS games). There are 2 types of requests a 3DS can make to NASC

1. A LOGIN request. This request indicates that the game is trying to connect to a NEX multiplayer server. If successful, the server sends back a locator value, which is the address of the game server in the format IP:PORT base64 encoded, and a token which is your login token

2. A SVCLOC request. This request indicates that the game uses an independent 3rd party service registered with Nintendo and would like to be able to identify the currently logged in user with that service. If successful, the server sends back a token which is your service token that the games independant API can use to know who you are (For example RPG Maker FES uses this to know who uploaded what RPG)

The SDTT requests BOTH of these tokens. The locator value in this case is set to 0.0.0.0:0, which indicates that there is no actual NEX game server and the game only wanted the NEX token. The use of this depends on the game, but it can often times be used as part of a larger token exchange system or a dirty "is this console banned" check. Requesting both tokens is odd, but not unheard of. Several other games also do this for some reason

@shutterbug2000 then monitored the SDTT for some time and did a save transfer, to see if it ever used these tokens for anything. And they go completely unused. So we decided to see what the tool does when the systems network is in various states (disabled, disconnected, etc)

When the 3DS wireless connection switch is disabled, or you have a bad/missing network connection, then the app tells you of these conditions independently of each other as expected

mrg_2023-07-11_12-12-23.578.png
mrg_2023-07-11_12-16-57.601.png


This, again, is not new information. I'm sure everyone has seen these screens at least once, and Nintendo's support page clearly states an internet connection is required

However when we tried to access the tool while our consoles were connected to the Pretendo Network servers, the SDTT clearly shows that it expects to have it's service ended one day based on how it handles this error. Given that the SDTT has special handling for the EoL error code (most titles do not have this, and only display the 3DS's default error popup which is shown by the console, not the game), and that it makes those 2 seemingly unused token requests, it seems clear that the purpose of these requests is to simply be a killswitch for the tool one day

mrg_2023-07-11_12-20-41.988.png



This is genuinely very surprising to us over at Pretendo, as the SDTT is, for all intents and purposes, a purely offline local experience. There doesn't seem to be any clear reason why this tool would need an EoL at all besides just Nintendo not caring about the users of their older consoles. They could, at any moment, pull the plug on what many consider an essential tool and for no other reason other than "because Nintendo doesn't want it around any longer"
 
Last edited by RedDucks,

Kwyjor

Well-Known Member
Member
Joined
May 23, 2018
Messages
4,702
Trophies
1
XP
4,787
Country
Canada
pull the plug on what many consider an essential tool
Interesting post, but I'm not sure why "many" would consider this an "essential tool", considering no more eShop games are going to be legally sold and no one's going to be downloading this tool anymore either. Probably only a tiny fraction of users were even aware it existed in the first place.

My inclination would be that they built the app off an existing framework and all this was included as an oversight, but who knows, really.
 

RedDucks

Well-Known Member
OP
Member
Joined
Apr 28, 2017
Messages
103
Trophies
0
Age
26
XP
774
Country
United States
I'm not sure why "many" would consider this an "essential tool", considering no more eShop games are going to be legally sold and no one's going to be downloading this tool anymore either. Probably only a tiny fraction of users were even aware it existed in the first place.

Obviously no one has exact stats on this, however in the communities I am in many people do use this tool

My inclination would be that they built the app off an existing framework and all this was included as an oversight, but who knows, really.
This is definitely not the case, as the tool has specific handling for this error showing it's own custom error message/screen for it. This handling was implemented intentionally
 

Imora

Member
Newcomer
Joined
Feb 9, 2021
Messages
5
Trophies
1
Age
20
XP
185
Country
Costa Rica
yeah its such a odd choice by nintendo... surprising that it even has a handler like that in the first place?
 

RedDucks

Well-Known Member
OP
Member
Joined
Apr 28, 2017
Messages
103
Trophies
0
Age
26
XP
774
Country
United States
I'm inclined to believe it's just to cover their ass in case an exploit was ever found in the tool, or if some country made weird legislation to make the transfer of save data illegal; they could disable it quickly, easily, and decisively this way.
This is definitely an interesting theory and something to consider, but I personally don't believe this to be the case. The theory of a region making weird legislation like this is purely just the "what if" game, seeing as there's no real evidence to back it up. Also when it comes to exploits, they don't have these kinds of server checks in other system titles which may be exploited or already have known exploits, and I'm not inclined to believe they only cared about this one specific app enough to have that in place

Though I won't ignore the fact that I usually always view things from the stance of Nintendo being malicious
 

RedDucks

Well-Known Member
OP
Member
Joined
Apr 28, 2017
Messages
103
Trophies
0
Age
26
XP
774
Country
United States
considering how easy and rampant piracy was on the Wii.
The SDTT only works by moving a save from a physical cartridge to digital copy of the game on the SD card. It only functions when a physical copy of the game exists in the hand of the user, I'm not buying that this has anything to do with piracy seeing as the tool does literally nothing without an actual physical copy of the game already being owned

Also regardless, the error shown here is about pulling the plug on the service entirely not locking specific users out. And if you're suggesting that Nintendo would opt to pull the plug on legitimate users for some piracy related thing done by others, then that doesn't make it any better on Nintendo's part
 

DaniElectra

Member
Newcomer
Joined
Jul 11, 2023
Messages
5
Trophies
0
XP
131
Country
Spain
I could somewhat get that it requires Internet the first time you open the application to download the blacklist. I don't know why it would always require online though?
 

XRTerra

What if instead of ohio, it was kai cenat land
Member
Joined
Jul 1, 2022
Messages
228
Trophies
0
Location
United States of America
XP
565
Country
United States
It's not new information that the Save Data Transfer Tool (SDTT) requires an internet connection to function, but what is surprising is that it has an official EoL and what looks like a "killswitch"

TLDR: The SDTT, a local save data tool with no real need for online connectivity, makes several network requests to get multiple tokens which go unused during use of the tool, with the only apparent purpose being to act as a "killswitch" to end the tools ability to work even for those who have it downloaded post eShop closure (it is not available on the eShop anymore)

For context, I am the lead developer of a project called Pretendo Network. Our team reverse engineers the online communications for games on the WiiU and 3DS in an effort to provide open source replacement servers. So we are often monitoring our consoles traffic for things like this

A bit of backstory: Last night 2 other members of the team, @shutterbug2000 and @hauntii (no gbatemp account), were researching Pokémon and had used the SDTT and saw it downloaded a file from the BOSS server. BOSS is a service on the WiiU and 3DS that allows games to download additional content in the background (for example Splatfest data on the WiiU, and SpotPass data on the 3DS). The file downloaded was named fairy_bl.lrc, and contains what looks to be compressed or encrypted content. We assumed this is some kind of blacklist based on the name, and this was seemingly why the tool needed to go online at all, to check this assumed blacklist. So I began disassembling SDTT to take a closer look at what the file contained. This is where things got interesting

While looking around the app in Ghidra, I found several references to NEX/RendezVous. NEX is the software that Nintendo uses for all first party multiplayer games on the 3DS and WiiU (and some older Switch games). Nintendo did not make this software from scratch, it is based off another set of another piece of software called RendezVous which was originally developed by Canadian company Quazal and was heavily modified which is why there's references to both here (fun side fact, Quazal was later bought by Ubisoft who still uses RendezVous to this day, making all online first party 3DS and WiiU games almost compatible with Ubisofts servers too). This is VERY very odd to be seen here, seeing as SDTT is not a game nor does it have the ability to connect to other consoles at all. So we continued to look even further into things

View attachment 382827

View attachment 382828

Upon checking the network requests of the SDTT from boot, it indeed does request NEX details from the NASC server! NASC is the server the 3DS uses to request tokens for, and the locations of, servers for online games. This server is carried over from the Wii, and predates the NNID system and it's API (which is why you do not need a NNID for some online 3DS games). There are 2 types of requests a 3DS can make to NASC

1. A LOGIN request. This request indicates that the game is trying to connect to a NEX multiplayer server. If successful, the server sends back a locator value, which is the address of the game server in the format IP:PORT base64 encoded, and a token which is your login token

2. A SVCLOC request. This request indicates that the game uses an independent 3rd party service registered with Nintendo and would like to be able to identify the currently logged in user with that service. If successful, the server sends back a token which is your service token that the games independant API can use to know who you are (For example RPG Maker FES uses this to know who uploaded what RPG)

The SDTT requests BOTH of these tokens. The locator value in this case is set to 0.0.0.0:0, which indicates that there is no actual NEX game server and the game only wanted the NEX token. The use of this depends on the game, but it can often times be used as part of a larger token exchange system or a dirty "is this console banned" check. Requesting both tokens is odd, but not unheard of. Several other games also do this for some reason

@shutterbug2000 then monitored the SDTT for some time and did a save transfer, to see if it ever used these tokens for anything. And they go completely unused. So we decided to see what the tool does when the systems network is in various states (disabled, disconnected, etc)

When the 3DS wireless connection switch is disabled, or you have a bad/missing network connection, then the app tells you of these conditions independently of each other as expected

View attachment 382835View attachment 382836

This, again, is not new information. I'm sure everyone has seen these screens at least once, and Nintendo's support page clearly states an internet connection is required

However when we tried to access the tool while our consoles were connected to the Pretendo Network servers, the SDTT clearly shows that it expects to have it's service ended one day based on how it handles this error. Given that the SDTT has special handling for the EoL error code (most titles do not have this, and only display the 3DS's default error popup which is shown by the console, not the game), and that it makes those 2 seemingly unused token requests, it seems clear that the purpose of these requests is to simply be a killswitch for the tool one day

View attachment 382837


This is genuinely very surprising to us over at Pretendo, as the SDTT is, for all intents and purposes, a purely offline local experience. There doesn't seem to be any clear reason why this tool would need an EoL at all besides just Nintendo not caring about the users of their older consoles. They could, at any moment, pull the plug on what many consider an essential tool and for no other reason other than "because Nintendo doesn't want it around any longer"

"or the service is not available in your region" seems to imply that it just depends on nintendo's servers in a given region. So if they want to shut down JP support but keep NA support, they could easily.

Not that they should though.
 

RedDucks

Well-Known Member
OP
Member
Joined
Apr 28, 2017
Messages
103
Trophies
0
Age
26
XP
774
Country
United States
The theoretical exploit comes from bogus data being injected into the savefile during the transfer, allowing ACE either when the save is next loaded by the game or while the tool is doing what integrity checks it does. Requiring ownership of a physical game doesn't mean anything.. are you saying no one bought Cubic Ninja to hack their 3DS?
You're once again just playing the "what if" game here, there's no evidence to back any of that up. I mentioned physical ownership because you mentioned piracy, which doesn't make any sense here so I assumed you were trying to imply that the SDTT somehow facilitated piracy directly

Again, there are many other titles with potential attack points that we could play the "what if" game with all day, some of which have far easier ways to interact with the title in exploitable ways and have known exploits already, such as Soundhax which exploits the 3DS Sound app using an M4A on the SD card. None of these other titles with known or potential risks have these checks, so again I highly doubt Nintendo only cared enough to put measures in place for this one specific title and I do not believe that this has anything to do with piracy/exploits whatsoever

Additionally, Nintendo has already removed the SDTT from the eShop, further verifying that this is just about them not wanting the tool in future users hands
Post automatically merged:

"or the service is not available in your region" seems to imply that it just depends on nintendo's servers in a given region. So if they want to shut down JP support but keep NA support, they could easily.

Not that they should though.

As you said, not that they should. It doesn't matter, imo, if it's per region or not. This tool is essentially an offline local-use-only tool. The only reason it even needs to bother with a server is for this check Nintendo decided to add, to an otherwise offline experience which honestly shouldn't talk to the internet at all
 

JaNDeRPeiCH

Well-Known Member
Member
Joined
Sep 19, 2019
Messages
274
Trophies
0
Location
Unknown
XP
1,623
Country
Mexico
Pirates dont worry about this because they have tools to prevent this,the real question from legit users can we fake our own server to override this killswitch?
 

RedDucks

Well-Known Member
OP
Member
Joined
Apr 28, 2017
Messages
103
Trophies
0
Age
26
XP
774
Country
United States
Pirates dont worry about this because they have tools to prevent this,the real question from legit users can we fake our own server to override this killswitch?
Absolutely. The title doesn’t actually do anything with the tokens, it seems to just check if a token can be requested at all. Over at Pretendo it’s just a matter of adding support for the title on our servers and it will run indefinitely (so long as your console is connected to our network). Besides that, since it seems to be a pretty simple check it should be theoretically possible to patch the title to always think it got a token back, no matter what the server says
 
  • Like
Reactions: JaNDeRPeiCH

Kwyjor

Well-Known Member
Member
Joined
May 23, 2018
Messages
4,702
Trophies
1
XP
4,787
Country
Canada
Obviously no one has exact stats on this, however in the communities I am in many people do use this tool
Why, tho? I thought the typical use case was for someone who bought the digital version of a game after buying the physical version, and who then wanted to sell off the physical version. If you're just going to keep the cart, why wouldn't you just keep saving to the cart instead of transfering your save data?

This is definitely not the case, as the tool has specific handling for this error showing it's own custom error message/screen for it. This handling was implemented intentionally
But that's just it – it's not a "custom message". "The service has ended or the service is not available in your region" is open to broad interpretation. They could have started with some sort of generic framework for an app that, among other things, phones home and can be be disabled remotely, and then have forgotten that it wouldn't make sense to include that functionality. But that's just speculation.
 

RedDucks

Well-Known Member
OP
Member
Joined
Apr 28, 2017
Messages
103
Trophies
0
Age
26
XP
774
Country
United States
But that's just it – it's not a "custom message". "The service has ended or the service is not available in your region" is open to broad interpretation. They could have started with some sort of generic framework for an app that, among other things, phones home and can be be disabled remotely, and then have forgotten that it wouldn't make sense to include that functionality. But that's just speculation.

Yes, it is custom. This is what the default "service has ended" error provided by the 3DS looks like

mrg_2023-07-11_12-20-11.298.png


The default error screen is shown as well in the SDTT, and then it additionally has it's own custom screen for displaying the message

mrg_2023-07-11_12-20-41.988.png


The message itself is generic, but the way it's displayed in the title is custom to the SDTT. Having looked into many other 3DS games, there is no "generic framework" for this like you're suggesting. Games either do nothing and only use the default error message provided by the console, or they implement this kind of handling themselves in different ways

Why, tho? I thought the typical use case was for someone who bought the digital version of a game after buying the physical version, and who then wanted to sell off the physical version. If you're just going to keep the cart, why wouldn't you just keep saving to the cart instead of transfering your save data?

I can only speak for the communities I have been in, but a common use case I have found is when a console needs to be formatted or a new one setup and you may not have a backed up save already. As I said in my original post my team and I do research with these consoles, and so often times we may buy additional consoles or format existing ones and being able to move save data from our cartridges in the event that we lose/forget to make a backup is very useful. It's also useful if the cartridge is the "main" copy of the game which gets used and then we can easily replicate the save onto any number of consoles by just plugging it in
 

Kwyjor

Well-Known Member
Member
Joined
May 23, 2018
Messages
4,702
Trophies
1
XP
4,787
Country
Canada
but a common use case I have found is when a console needs to be formatted or a new one setup and you may not have a backed up save already.
I'm afraid I still don't get it. I agree it would be useful to back up save data from an SD card to a cartridge, but we're talking about the tool that transfers data one-way from a cartridge to the SD card, and then wipes the save data from the cartridge, right?

https://www.nintendo.co.uk/Support/...at-is-the-Save-Data-Transfer-Tool-740818.html

It's also useful if the cartridge is the "main" copy of the game which gets used and then we can easily replicate the save onto any number of consoles by just plugging it in
But you can't replicate the save onto any number of consoles if the tool wipes the cartridge!?
 
Last edited by Kwyjor,

duwen

Old Man Toad
Member
Joined
Sep 6, 2013
Messages
3,274
Trophies
2
Location
Bullet Hell
Website
www.exophase.com
XP
4,552
Country
United Kingdom
But you can't replicate the save onto any number of consoles if the tool wipes the cartridge!?
If you used a 'Powersaves' device to back up the cart save first, you could subsequently reflash it to a cart after it's wiped... but the whole procedure seems kind of unnecessary tbh, as it would be far simpler to just backup a Checkpoint save that could be migrated more easily to any system.
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    realtimesave @ realtimesave: don't need 4070 or whatever