Blocking online updates and play online with CCProxy
Introduction
If you want to use an online filtering method instead of keeping your computer powered on, you should follow the OpenDNS guide. But be aware that OpenDNS IS NOT SAFE: it works with your router's IP, so it will leave your 3DS/WiiU vulnerable when you are not at home.
Using a proxy on your computer gives better blocking assurance, as going online will not be possible at all unless the console is near it.
INFORMATION :
NOTE:
The proxy setting is NOT always used to access the internet.
The proxy setting is there for applications that choose to use it. Some applications (vWii, USBLoaders on vWii, Netflix once launched, Xenoblade X, etc.) do NOT use the proxy information and connect to the internet directly. They completely ignore this feature.
NOT ALL YOUR TRAFFIC will be filtered!!! Only part of it. Nintendo could even bypass the proxy to update the console in a future System version if they feel like it. Currently (up to 5.3.2, maybe 5.4.0) the proxy is used to access the eShop and updates, so you can safely filter updates with this tutorial.
NOTE:
If you use Tubehax DNS in your WiiU settings and use CCProxy at the same time, Tubehax filtering will not work.
When using a proxy, the console doesn't resolve the server's IP itself but lets the proxy do it, so the Tubehax DNS will NOT filter the update servers.
To enable Tubehax DNS filtering while using CCProxy, you need to set the Tubehax DNS IP in CCProxy's filter menu.
The solution :
- Block online updates.
- Keep the Webkit exploit.
- Only need a PC running Windows XP or newer, that's all! (No router to configure.)
Requirements
- The same Wifi access on the PC and the Wii U (but do not leave the Wii U powered on too long during the process, AND NOT BEFORE THE PC STEP, or you can be auto-updated)
- A PC that is always on, to keep access to the internet.
- Download and install CCProxy v8.0 (http://www.youngzsoft.net/ccproxy/proxy-server-download.htm) (free up to 3 EXTERNAL/REMOTE user accounts) (Completely Free for Local/LAN access)
Tutorial
CCProxy Setup
Click on "Options"
Fill it like the picture :
- Set the proxy port for HTTP to 8080, it will edit all the related ports at the same time.
- or set a different port number for HTTP if 8080 is already used by another application (808, 1080, etc.)
Click on "Advanced", then choose "Networks" or "Miscellaneous" tab.
Check "Disable External Users" for security reasons.
If you want to allow external users (friend, family, internet) to use your proxy server, uncheck this.
Note: if you use v8, "Disable External Users" option is located in the "Networks" tab instead of "Miscellaneous".
Click on "OK" and again on "OK".
You come back here :
Click on "Account"
Set the option to "Permit only" so that users of your proxy are allowed based on their "MAC address".
Set it to "IP+Mac" to also filter by IP if you plan to allow external users from the internet. (only for advanced users)
Click on "Web filter"
Fill it like the picture :
- Set a name for your filter
- Check "Site Filter"
- Set "Forbidden Sites" radio choice
- Fill the filtered/forbidden URL, separated by semicolon :
Code:
cbvc.cdn.nintendo.net;*.cdn.shop.wii.com;*.wup.shop.nintendo.net;*.c.shop.nintendowifi.net;*.deploy.static.akamaitechnologies.com;*.deploy.akamaitechnologies.com
If you want to block different URLs or servers, look in the spoiler below to get a detailed list of possible URLs to block.
Alternatively, you can use a file with a list of URLs
The file has one URL per line.
Here is an example with multiple URLs gathered from all over the forum. Enable/disable the ones you want.
Nintendo_filter (with comments).txt
Code:
// Nintendowifi.net
*.conntest.nintendowifi.net; // Don't block to allow "Active" network status
conntest.nintendowifi.net; // Don't block to allow "Active" network status
nasc.nintendowifi.net;
c.app.nintendowifi.net; // doesn't resolve, only subdomain URLs do.
*.c.app.nintendowifi.net;
npul.c.app.nintendowifi.net;
nppl.c.app.nintendowifi.net;
*.cdn.nintendowifi.net; // don't block to play online
npdl.cdn.nintendowifi.net; // don't block to play online
eou.cdn.nintendowifi.net;
cp3s.cdn.nintendowifi.net;
c.shop.nintendowifi.net; // doesn't resolve, only subdomain URLs do.
*.c.shop.nintendowifi.net;
cas.c.shop.nintendowifi.net;
pls.c.shop.nintendowifi.net;
cp3s-auth.c.shop.nintendowifi.net;
ecs.c.shop.nintendowifi.net;
nus.c.shop.nintendowifi.net;
*.cdn.c.shop.nintendowifi.net; // doesn't resolve, only subdomain URLs do.
nus.cdn.c.shop.nintendowifi.net; // Update download server for 3DS
// Wii.com
cdn.shop.wii.com; // doesn't resolve, only subdomain URLs do.
*.cdn.shop.wii.com;
nus.cdn.shop.wii.com; // Update download server for Wii and WiiU
// Nintendo.net
account.nintendo.net; // needed for launching online applications (netflix, etc.) and NNID checking
wup.shop.nintendo.net; // doesn't resolve, only subdomain URLs do.
*.wup.shop.nintendo.net; // eshop access (used for Update download too)
nus.wup.shop.nintendo.net; // Ping Update servers - check if server is available before updating
*.nus.wup.shop.nintendo.net;
cdn.wup.shop.nintendo.net; // doesn't resolve, only subdomain URLs do.
*.cdn.wup.shop.nintendo.net;
nus.cdn.wup.shop.nintendo.net; // Nintendo Update Server
ccs.cdn.wup.shop.nintendo.net; // Content C...... Server (DLC or updates from eshop)
ecs.wup.shop.nintendo.net; // Download environment check
ccs.wup.shop.nintendo.net; // eShop title information (no active download needed to trigger)
ias.wup.shop.nintendo.net; // ping while downloading system updates?
tagaya.wup.shop.nintendo.net; // update environment check (find latest update version for each titles)
pushmore.wup.shop.nintendo.net;
ninja.wup.shop.nintendo.net; // eshop resources
samurai.wup.shop.nintendo.net; // eshop resources
*.samurai.wup.shop.nintendo.net;
cdn.nintendo.net; // doesn't resolve, only subdomain URLs do.
*.cdn.nintendo.net; // eshop resources (Content Delivery Network)
geisha-wup.cdn.nintendo.net; // eshop resources
samurai-wup.cdn.nintendo.net; // eshop resources
kanzashi-wup.cdn.nintendo.net; // eshop resources
idbe-wup.cdn.nintendo.net; // eshop resources
mii-secure.cdn.nintendo.net; // Mii registering on the network -- Don't block to play online / launch apps.
mii-images.cdn.nintendo.net; // Miiverse resources -- Mii pictures
olveu.cdn.nintendo.net; // Miiverse resources
cbvc.cdn.nintendo.net; // Browser version check, used to block the browser until a system update is performed
npdi.cdn.nintendo.net; // Online play access in games (SSBU)
*.olv.nintendo.net; // miiverse
portal-eu.olv.nintendo.net; // miiverse resources
discovery.olv.nintendo.net; // miiverse resources
*.app.nintendo.net; //
nppl.app.nintendo.net; // check runs at apps launch (check for game updates etc.)
npts.app.nintendo.net; // check runs at apps launch (check for game updates etc.)
// NUS only - Nintendo Update Server
nus.cdn.shop.wii.com; // Update download server for Wii and WiiU
nus.wup.shop.nintendo.net; // used to check network availability. If can't reach then an error is displayed and no update triggered.
nus.cdn.wup.shop.nintendo.net; // Update download server for Wii and WiiU
nus.c.shop.nintendowifi.net;
nus.cdn.c.shop.nintendowifi.net; // Update download server for 3DS (>>NOT<< in tubehax DNS filtering list)
// Tubehax DNS filtered URLs - Redirects to 127.0.0.1
// cbvc.cdn.nintendo.net; // Browser version check, used to block the browser until a system update is performed
// nus.cdn.shop.wii.com; // Update download server for Wii and WiiU
// nus.wup.shop.nintendo.net; // used to check network availability. If can't reach then an error is displayed and no update triggered.
// nus.cdn.wup.shop.nintendo.net; // Update download server for Wii and WiiU
// nus.c.shop.nintendowifi.net;
// youtube.com // redirects to tubehax DNS servers to serve the 3DS hax applications
// omtrdc.net - Adobe analytics
*.omtrdc.net; // Miiverse
nintendojp.d1.sc.omtrdc.net; // Miiverse user page
// Cloudfront.net
*.cloudfront.net; // Miiverse (https)
d3esbfg30x759i.cloudfront.net;
// digicert.com
*.digicert.com // Miiverse
ocsp.digicert.com // POST HTTP1.1 reply : 400 bad request
// Akamai
*.e.akamai.net;
a248.e.akamai.net;
*.deploy.akamaitechnologies.com;
*.deploy.static.akamaitechnologies.com;
// IPs
96.17.161.145; // a96-17-161-145.deploy.akamaitechnologies.com
184.50.229.158; // a184-50-229-158.deploy.static.akamaitechnologies.com
184.50.229.137; // a184-50-229-137.deploy.static.akamaitechnologies.com
23.43.242.90; // a23-43-242-90.deploy.static.akamaitechnologies.com
It should look like this:
Nintendo_filter OK to use with CCProxy.txt
Example:
The list below blocks everything but still allows Netflix to launch, by allowing "conntest" and "account".
The list contains the servers' IPs, the servers' DNS-resolved names, and some descriptions.
Code:
//conntest.nintendowifi.net; // 69.25.139.140
//*.conntest.nintendowifi.net;
//account.nintendo.net; // 198.62.122.136 --- disable the filter to launch netflix (or other installed apps on system menu)
nasc.nintendowifi.net; // 192.195.204.139
*.c.app.nintendowifi.net; // doesn't resolve, only subdomain URLs do.
npul.c.app.nintendowifi.net; // 202.32.117.172
nppl.c.app.nintendowifi.net; // 52.26.24.115 elb-us-live-proxy-main-ctr-994933322.us-west-2.elb.amazonaws.com or "np"
*.cdn.nintendowifi.net; // doesn't resolve, only subdomain URLs do.
npdl.cdn.nintendowifi.net; // 2.19.85.79 e1267.d.akamaiedge.net "npnp" or "np"
eou.cdn.nintendowifi.net; // 2.19.85.79 e1267.d.akamaiedge.net or "eoeo" or "eo"
cp3s.cdn.nintendowifi.net; // 2.19.85.79 e1267.d.akamaiedge.net or "cpcp" or "cp"
c.shop.nintendowifi.net; // doesn't resolve, only subdomain URLs do.
*.c.shop.nintendowifi.net;
cas.c.shop.nintendowifi.net; // 69.25.139.160
pls.c.shop.nintendowifi.net; // 52.10.143.86 pls.ctr.eshop.nintendo.net or "pl"
cp3s-auth.c.shop.nintendowifi.net; // 69.25.139.167
ecs.c.shop.nintendowifi.net; // 69.25.139.162
nus.c.shop.nintendowifi.net; // 69.25.139.164 ---> redirected to 127.0.0.1 by tubehax dns
cdn.c.shop.nintendowifi.net; // doesn't resolve, only subdomain URLs do.
*.cdn.c.shop.nintendowifi.net;
nus.cdn.c.shop.nintendowifi.net; // 23.78.220.43 user-att-107-211-136-0.a743.d.akamai.net or "nunu" or "nu" ---> NOT redirected or filtered by tubehax dns
nus.cdn.c.shop.nintendowifi.net; // 90.84.55.51 a743.d.akamai.net
cdn.shop.wii.com; // doesn't resolve, only subdomain URLs do.
*.cdn.shop.wii.com;
nus.cdn.shop.wii.com; // 174.35.24.78 nus.cdn.shop.wii.com.cdngc.net or "nu" ---> redirected to 127.0.0.1 by tubehax dns
nus.cdn.shop.wii.com; // 174.35.25.12 nus.cdn.shop.wii.com.cdngc.net or "nu" ---> redirected to 127.0.0.1 by tubehax dns
wup.shop.nintendo.net; // doesn't resolve, only subdomain URLs do.
*.wup.shop.nintendo.net;
nus.wup.shop.nintendo.net; // 69.25.139.188 -- update environment check ---> redirected to 127.0.0.1 by tubehax dns -- Ping Update servers - check if server is available before updating
*.nus.wup.shop.nintendo.net;
cdn.wup.shop.nintendo.net; // doesn't resolve, only subdomain URLs do.
*.cdn.wup.shop.nintendo.net;
nus.cdn.wup.shop.nintendo.net; // 81.52.140.16 a1796.g.akamai.net or "nunu" or "nu" -- Nintendo update server ---> redirected to 127.0.0.1 by tubehax dns
samurai.wup.shop.nintendo.net; // 54.191.234.5 samurai.wup.shop.nintendo.net or "sa"
*.samurai.wup.shop.nintendo.net;
ccs.cdn.wup.shop.nintendo.net; // 184.26.62.122 http://ccs.cdn.wup.shop.nintendo.net/ccs/download/<titleID>/<filename> (download DLC or updates from eshop)
ecs.wup.shop.nintendo.net; // 39.25.139.185
ccs.wup.shop.nintendo.net; // 39.25.139.184
ias.wup.shop.nintendo.net; // 39.25.139.183
tagaya.wup.shop.nintendo.net; // 54.200.128.254 tagaya.wup.shop.nintendo.net or "ta"
ninja.wup.shop.nintendo.net; // 54.148.137.96 ninja.wup.eshop.nintendo.net or "ni"
geisha-wup.cdn.nintendo.net; // 23.43.242.90 user-att-107-211-136-0.e6022.d.akamaiedge.net or "gege" or "ge"
samurai-wup.cdn.nintendo.net; // 23.43.242.90 user-att-107-211-136-0.e6022.d.akamaiedge.net or "sasa" or "sa"
kanzashi-wup.cdn.nintendo.net; // user-att-107-211-136-0.e6022.d.akamaiedge.net or "kawu" or "wu"
idbe-wup.cdn.nintendo.net; // 23.43.242.90 user-att-107-211-136-0.e6022.d.akamaiedge.net or "idid" or "id"
mii-secure.cdn.nintendo.net; // 23.72.142.123 or user-att-107-211-136-0.e10534.g.akamaiedge.net or "mist" or "st"
cbvc.cdn.nintendo.net; // use 107.211.140.065 youtubhax dns to redirect to 127.0.0.1 -- Browser version check, used to block the browser until a system update is performed
96.17.161.145; // a96-17-161-145.deploy.akamaitechnologies.com
184.50.229.158; // a184-50-229-158.deploy.static.akamaitechnologies.com
184.50.229.137; // a184-50-229-137.deploy.static.akamaitechnologies.com
23.43.242.90; // a23-43-242-90.deploy.static.akamaitechnologies.com
*.e.akamai.net;
a248.e.akamai.net;
*.deploy.akamaitechnologies.com;
*.deploy.static.akamaitechnologies.com;
nintendojp.d1.sc.omtrdc.net; // 192.243.250.16 nintendojp.d1.sc.omtrdc.net
*.nintendojp.d1.sc.omtrdc.net;
npts.app.nintendo.net; // 184.31.135.146 user-att-107-211-136-0.e10127.a.akamaiedge.net ---> Online access in SSBU
npdi.cdn.nintendo.net; // 23.43.242.90 user-att-107-211-136-0.e6022.d.akamaiedge.net ---> Online access in SSBU
wup-axfj-live.s3.amazonaws.com; // 54.231.225.58 s3-ap-northeast-1-w.amazonaws.com ---> Online access in SSBU
//107.211.140.065 youtubhax dns --> 107-211-140-53.lightspeed.hstntx.sbcglobal.net
CCProxy filter to block updates but allows eShop access
Code:
// CCProxy filter - eShop access
//
// This filter's rules allow Eshop access with NNU patcher,
// but block NUS update servers to prevent system updates.
//
// You can also set Tubehax DNS IP (107.211.140.65) into CCproxy
// filter's rule page, in the DNS field, for additional security.
//
// **********************************************************
// ** never block this, needed to launch apps (like netflix, etc.)
//account.nintendo.net;
//
// ** same URLs as the ones blocked by Tubehax DNS
cbvc.cdn.nintendo.net; // Browser version check, used to block the browser until a system update is performed
nus.cdn.shop.wii.com; // filtered by tubehax dns
nus.wup.shop.nintendo.net; // Ping Update servers - check if server is available before updating
nus.cdn.wup.shop.nintendo.net; // Nintendo update server
nus.c.shop.nintendowifi.net; // filtered by tubehax dns
// ** Additional URLs NOT filtered by tubehax dns
nus.cdn.c.shop.nintendowifi.net; // another NUS server
tagaya.wup.shop.nintendo.net; // update environment check. Verify if there are new Title's updates to ask for update when launching a game. Blocking this lets you run the game without update warning even if there's a new update available.
ATTENTION :
To prevent triggering the update, be sure to block at least :
ccs.wup.shop.nintendo.net
and/or
nus.wup.shop.nintendo.net
Those are the two minimum URLs to filter if you want to block updates.
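The two rules above, checked in code. This is an added example, not part of the original tutorial and not CCProxy's own tooling: a Python script that strips the `//` comments from an annotated list like the ones above, produces both the one-URL-per-line file and the semicolon-separated field value, and verifies that at least one of the two minimum update hosts is blocked while account.nintendo.net stays reachable. It assumes CCProxy treats `*` as a plain glob wildcard; the sample is a shortened copy constructed from the eShop-access filter, and all function names are hypothetical.

```python
import fnmatch

# Constructed sample: shortened copy of the "eShop access" filter shown above.
SAMPLE = """\
// ** never block this, needed to launch apps (like netflix, etc.)
//account.nintendo.net;
cbvc.cdn.nintendo.net; // Browser version check
nus.cdn.shop.wii.com; // filtered by tubehax dns
nus.wup.shop.nintendo.net; // Ping Update servers
nus.cdn.wup.shop.nintendo.net; // Nintendo update server
nus.c.shop.nintendowifi.net; // filtered by tubehax dns
nus.cdn.c.shop.nintendowifi.net; // another NUS server
tagaya.wup.shop.nintendo.net; // update environment check
"""

# Rules taken from the tutorial text: block at least one of these two hosts,
# and never block account.nintendo.net.
MUST_BLOCK_ANY = ("ccs.wup.shop.nintendo.net", "nus.wup.shop.nintendo.net")
MUST_ALLOW = ("account.nintendo.net",)


def parse_filter(text):
    """Return the active entries in order, without comments or duplicates."""
    entries = []
    for raw in text.splitlines():
        active = raw.split("//", 1)[0]      # drops whole-line and trailing comments
        for item in active.split(";"):      # also accepts the one-line ';' form
            item = item.strip().lower()
            if item and item not in entries:
                entries.append(item)
    return entries


def is_blocked(host, entries):
    """Assumption: '*' is a glob wildcard, so '*.x' covers subdomains but not x."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in entries)


def lint(entries):
    """Return a list of problems; an empty list means both rules hold."""
    problems = []
    if not any(is_blocked(h, entries) for h in MUST_BLOCK_ANY):
        problems.append("updates not blocked: add " + " or ".join(MUST_BLOCK_ANY))
    for host in MUST_ALLOW:
        if is_blocked(host, entries):
            problems.append(host + " is blocked: apps will not launch")
    return problems


def to_field(entries):
    """Semicolon-separated value for the "Forbidden Sites" box."""
    return ";".join(entries)


def to_file(entries):
    """One URL per line, for loading the list from a file."""
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    active = parse_filter(SAMPLE)
    for problem in lint(active):
        print("WARNING:", problem)
    print(to_file(active), end="")
```

A broad entry such as `*.nintendo.net` is reported by `lint`, because it would also cover account.nintendo.net.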
Click on "OK".
You come back here :
Click on "New"
Fill it like the picture :
- Set a User name for this account
- Enable this account
- Filter by MAC Address (enter the WiiU or 3DS MAC address here)
- Check "Web Filter" and select the previously defined filter rule.
In this picture, the MAC address for CCProxy is 8ccde8886572 ! (no space, hyphen or colon)
Click on "OK".
You can create another Account for another console if you want.
If you have multiple consoles which share the same setup (web filter, quota, protocol, scheduler, etc.), you can create a "Group" account.
- Set a Group name (For example : "NintendoConsoles" for all Nintendo consoles, WiiU, 3DS, Switch, etc.)
- Set the account "As Group"
- Set the Web Filter and all the settings for this group
- Click "OK"
- Edit your User Account to specify which Group it belongs to.
- Click "OK"
Now you can set all your 3DS and WiiU consoles to the "Nintendo" group.
If you want to edit the blocked servers, edit the filter list and it will affect all consoles set to that group.
Now PC Solution is okay !
Next is for the WiiU...
Wii U Setup
Go to "Console Settings" then "Internet" and then "Internet Connection".
Set up your connection as usual.
Go to the 3rd page, click on "Proxy server".
Set it to "yes" and fill in the LAN IP address of your computer (for example: 192.168.1.2) and 8080 (or whatever you chose in CCProxy) for the port.
You might want to set your Computer's IP to a fixed IP instead of using DHCP, or you'll have to edit the computer's IP every time the router provides it with a new IP.
Now your Wii U or 3DS are protected against auto-updates...
- You can see the number of connected users and active connections on the main CCProxy screen.
- Double click the main screen graphics to see the current access log from CCProxy users.
If you use an old version (6.4.1 like in the screenshot), it doesn't tell you whether the accessed URL is allowed or blocked.
Update to CCProxy 8.x to see proper blocked information.
- To analyze older logs, select "Log analysis", pick a log date in the drop down menu and click on "Analysis".
ADVANCED SETUP
information for advanced users
This section is only informative, it's not part of the tutorial.
The console is doing two different connections to initiate a system update:
CONNECT nus.c.shop.nintendowifi.net:443
and
GET nus.cdn.c.shop.nintendowifi.net/ccs/download/TitleID_high/TitleID_low
If the CONNECT command fails, no system update is triggered and you receive an error message on your console.
If CONNECT succeeds, the console will initiate a series of GETs to download all the files required for the update.
When CCProxy filters a URL, it returns an HTTP 403 Forbidden response code and a text message in HTML.
The WiiU (and probably other Nintendo consoles) will NOT stop on the HTTP error code: it still stores the data returned by the GET command as if it were the expected content downloaded from Nintendo's update server, and downloads the next file until it reaches the end of the download list.
After all the update files are downloaded, it will attempt to update the console. As the files are not the expected data, it will display a message telling you that the console couldn't be updated, and will tell you to reboot.
On the next reboot, a new message will tell you "please wait...", while it is in fact deleting the bad downloaded update files.
After a few seconds you are back at your current system menu with no update information in your update log. (Home>Update progress)
Customize error message seen by the console
If you want, you can customize the html content served by CCProxy when a website is blocked.
Option > Advanced > Customize (at the bottom)
The default message for filtered website on CCProxy 8.0 is :
Code:
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body><h1>Web site unauthorized...</h1>
<h2>Account Name: %UserName%<br>
Site: %HostName%<br>
Referer: %Referer%<br>
Filter Name: %FilterName%<br>
Filter Type: %Permit%<br>
Filter Item: %Item%</h2></body></html>
I suggest deleting that content so that nothing is served when a blocked URL is hit.
This way the console will download a 0 byte file instead of an error message.
On older versions of CCProxy, the error message can be edited manually in the ccproxy.ini file.
On the latest version of CCProxy 8.0 (2015-10-09 and newer), you can now change the error code that is returned. Instead of 403, you should set it to 404 and the console will not download any fake files.
You can see the difference when using the browser to access a filtered URL.
ATTENTION:
Although it seems not to brick the WiiU console (I did it 4 times), it hasn't been tested on 3DS.
I don't recommend performing this, use it at your own risk.
Edit : This tutorial needs additional pictures and some fixes, but should work
Edit2 : Same in French, for French : http://tgames.fr/tutoswiiu/bloquer-les-mises-a-jours-et-jouer-en-ligne-t11954.html
Edit3 : This tutorial fixed by Cyan, using english screenshot (but from v6.4.1 instead of v8.0.0)
Edit4 : Cyan updated his CCproxy program to 8.0 and did some tests. Added Advanced setup chapter.
Edit5 : Tutorial updated with new information for advanced setup, and added chapter's titles.
Edit6 : Added information about unproxied elements.
Edit7 : Updated Full filtered URLs list and descriptions
Edit8 : Updated Full filtered URLs list and descriptions (not the links, only the urls in the code tags)
Edit9 : simplified the "advanced" paragraph, removed unneeded info. Added a "eshop access" filter.txt in the spoiler section. Added CCProxy DNS info to use both TubeHax DNS and CCProxy at the same time.
Edit10 : 2022 05 01 : Cyan Restored dead IMG links and missing .txt filter files from Filetrip, attached to the post
Last edited by Cyan,