Hacking Homebrew Is it feasible to MITM the internet connection/module?

[hippy dave]

Like, to make specific games act as if aeroplane mode is enabled, while everything else carries on as normal.

Some games crash if DNS blocking is active, but run if you activate aeroplane mode. An example is the Arcade Archives series, another recent one is Tempest 4000. I've patched a few of the Arcade Archives ones to disable the internet connection so they run as cleanly as possible without having to turn aeroplane mode on and off every time, but it's a hassle to try and find a patch for every game so just getting the "please turn off aeroplane mode" screen but still being able to play would be a good compromise if it can be easily turned on for whatever games need it.

I could start researching the mitm process and whether it can be applied to this, but if someone just knows the answer that would save time on the first step at least. Cheers!

 

[SodaSoba]

Like, to make specific games act as if aeroplane mode is enabled, while everything else carries on as normal.

Some games crash if DNS blocking is active, but run if you activate aeroplane mode. An example is the Arcade Archives series, another recent one is Tempest 4000. I've patched a few of the Arcade Archives ones to disable the internet connection so they run as cleanly as possible without having to turn aeroplane mode on and off every time, but it's a hassle to try and find a patch for every game so just getting the "please turn off aeroplane mode" screen but still being able to play would be a good compromise if it can be easily turned on for whatever games need it.

I could start researching the mitm process and whether it can be applied to this, but if someone just knows the answer that would save time on the first step at least. Cheers!

GhostbladeHD also need aeroplane something like this would be amazing

 

[masagrator]

With mitm it would be complicated to achieve because this is done via applet call.

I think easier would be to make skyline/saltynx plugin. Since checking for connection is using nnSDK feature, it could be working across all games without any change. You would need only to figure out which function is used when system throws info about airplane mode, check what this function returns, hook it and force this function to always return the same code.

Main thread should be stuck in loop inside this function when waiting for applet being closed.

 

[hippy dave]

With mitm it would be complicated to achieve because this is done via applet call.

I think easier would be to make skyline/saltynx plugin. Since checking for connection is using nnSDK feature, it could be working across all games without any change. You would need only to figure out which function is used when system throws info about airplane mode, check what this function returns, hook it and force this function to always return the same code.

Main thread should be stuck in loop inside this function when waiting for applet being closed.

Thank you, that's great info, will look into it

 

[hippy dave]

Ok here's my first attempt at a SaltyNX plugin for this. It just replaces one function, nn::nifm::SubmitNetworkRequestAndWait, with a dummy function that does nothing and returns - edit: now it replaces two functions, the other is nn::nifm::Initialize. I've tested it with Tempest 4000 and with Arcade Archives Puzzle Bobble 2 (I already made an exefs patch for the latter which works more cleanly, but tested this without that patch). The OS throws an error, which you can close, edit: updated with new version which doesn't throw error - then the games carry on as normal as if they failed to connect to the internet, rather than crashing out. @SodaSoba feel free to test it with GhostbladeHD!

You need SaltyNX installed and working, then just unzip SaltyNoNet.elf and put it in /SaltyNX/plugins/ on your SD card.
(I think you could put it in /SaltyNX/plugins/<titleid>/ instead if you wanted it to only work for specific game(s), but I haven't tested that and I see no need for it as we're talking about an environment with DNS blocking so no games can connect anyway)
You don't need the -source zip if you just want to use the plugin.

I think I've got what I want for now at least, let me know if you have luck or not with any other games, maybe I'll make a proper release at some point or maybe not.
Thanks @masagrator for the suggestion above, and for your work on SaltyNX and the NX-FPS plugin source I based this on.

 

[aruto]

I think I've got what I want for now at least, let me know if you have luck or not with any other games, maybe I'll make a proper release at some point or maybe not.
Thanks @masagrator for the suggestion above, and for your work on SaltyNX and the NX-FPS plugin source I based this on.

Thank you for this, It worked on Ghost Blade HD but unfortunately it does not work with Disgaea 4 Complete+ which also needs airplane mode to be enabled in order to launch properly. Otherwise it would just display a black screen and crash after a few seconds. Any chance you can get a solution for it?

 

[masagrator]

Ok here's my first attempt at a SaltyNX plugin for this. It just replaces one function, nn::nifm::SubmitNetworkRequestAndWait, with a dummy function that does nothing and returns - edit: now it replaces two functions, the other is nn::nifm::Initialize. I've tested it with Tempest 4000 and with Arcade Archives Puzzle Bobble 2 (I already made an exefs patch for the latter which works more cleanly, but tested this without that patch). The OS throws an error, which you can close, edit: updated with new version which doesn't throw error - then the games carry on as normal as if they failed to connect to the internet, rather than crashing out. @SodaSoba feel free to test it with GhostbladeHD!

You need SaltyNX installed and working, then just unzip SaltyNoNet.elf and put it in /SaltyNX/plugins/ on your SD card.
(I think you could put it in /SaltyNX/plugins/<titleid>/ instead if you wanted it to only work for specific game(s), but I haven't tested that and I see no need for it as we're talking about an environment with DNS blocking so no games can connect anyway)
You don't need the -source zip if you just want to use the plugin.

I think I've got what I want for now at least, let me know if you have luck or not with any other games, maybe I'll make a proper release at some point or maybe not.
Thanks @masagrator for the suggestion above, and for your work on SaltyNX and the NX-FPS plugin source I based this on.

This approach is little nervewrecking on games if they are not checking for some errors in functions relying on those.
My approach explained earlier should not create those issues since all games seems to expect in some function error in case of not being connected to internet.

 

[hippy dave]

This approach is little nervewrecking on games if they are not checking for some errors in functions relying on those.
My approach explained earlier should not create those issues since all games seems to expect in some function error in case of not being connected to internet.

I couldn't find many other function calls of relevance in the game I was looking at, but I can keep checking some more.

 

[masagrator]

I recommend to test
bool nn::nifm::IsNetworkAvailable()
Result nn::nifm::HandleNetworkRequestResult()

The second one returns error value if request was not successfull.
Since there are nifm specific errors, I recommend to attach gdb and check result when network applet ( showing airplane mode is on) is closed.

 

[hippy dave]

I recommend to test
bool nn::nifm::IsNetworkAvailable()
Result nn::nifm::HandleNetworkRequestResult()

The second one returns error value if request was not successfull.
Since there are nifm specific errors, I recommend to attach gdb and check result when network applet ( showing airplane mode is on) is closed.

Thanks, will check that out.
Haven't tried attaching gdb yet but will give it a go when I have the chance. Haven't used it in so many years

 

[hippy dave]

I recommend to test
bool nn::nifm::IsNetworkAvailable()
Result nn::nifm::HandleNetworkRequestResult()

The second one returns error value if request was not successfull.
Since there are nifm specific errors, I recommend to attach gdb and check result when network applet ( showing airplane mode is on) is closed.

Back at my computer - the game I'm looking at (Tempest 4000) uses nn::nifm::HandleNetworkRequestErrorResult() instead of nn::nifm::HandleNetworkRequestResult(), and the former was one of the ones I was testing replacing earlier, which just led to the game sticking on a black screen. I do see nn::nifm::IsNetworkAvailable() in the same sequence of code, and am not sure how that got missed out from my testing list, but gonna try it out.

 

[SodaSoba]

I haven't been able to test it as of yet but I've just read someone confirmed it works on GhostbladeHD, congratulations I'll watch this for sure.

 

[hippy dave]

Last night I quickly tried just replacing nn::nifm::IsNetworkAvailable() to return 0 (false), and nothing else, worked perfectly for Tempest 4000 but Puzzle Bobble 2 crashed out the same as it does with no modification. Between that and the Disgea game someone mentioned not working with the plugin I uploaded, it's interesting/annoying to see so much variation in the coding of games with apparently the same problem.

 

[SodaSoba]

Is it possible to have a file with pregame settings? Similar to how ps2 emulation is handled on the ps3

 

[hippy dave]

Is it possible to have a file with pregame settings? Similar to how ps2 emulation is handled on the ps3

Yeah potentially the plugin could read a config file and do that, but another way would be to have different plugin versions, and put them in titleid folders to apply them to different games.

 

[masagrator]

I can test some things in this weekend with gdb.
I have one game that is crashing when airplane mode is not enabled - Sine Mora EX. It's old, so results won't be able to apply to newer titles, but you will get a grasp of know how.

I will try to follow step by step all nifm functions

 

[hippy dave]

I can test some things in this weekend with gdb.
I have one game that is crashing when airplane mode is not enabled - Sine Mora EX. It's old, so results won't be able to apply to newer titles, but you will get a grasp of know how.

I will try to follow step by step all nifm functions

That would be awesome, thanks!

 

[masagrator]

I am stupid. I forgot that you cannot use GDB without internet connection xD

Game is using only 3 nifm functions:

void nn::nifm::Initialize();
void nn::nifm::SubmitNetworkRequestAndWait();
Result nn::nifm::GetCurrentPrimaryIpAddress(void* &in_addr);

Last one seems to be only one function that can throw error. Hooked last function and was surprised that game throwed error before it.

So I went through backtrace and found this:

Result nn::account::EnsureNetworkServiceAccountAvailable(nn::account::UserHandle const&);

It seems that based on disassembled main - in case of any other result than 0x0 and 0x27C it throws error and crashes.
Hooked this function and outputted 0x27C, game didn't crash and showed that there is no connection available.
Added this error code to switchbrew wiki since it seems it was not added.

Weird is that since expected result was 0x0, then this shouldn't crash here.
On first loop it returns 0. But somehow it's getting past the comparison that throws error if anything else is returned. So I don'
t know why it crashes (it may be that just IDA decompiler is making a mistake here).

So I recommend to try do this:
- Hook nn::account::EnsureNetworkServiceAccountAvailable(nn::account::UserHandle const&) and return 0x27C instantly.

If this will work, you can make SaltyNX patch

_ZN2nn7account36EnsureNetworkServiceAccountAvailableERKNS0_10UserHandleE.asm64

that will be compatible with all 64-bit games.

804F80D2 //mov x0,#0x27C
C0035FD6 //ret
00000000 //null terminator
00000000 //null terminator

 

[hippy dave]

I am stupid. I forgot that you cannot use GDB without internet connection xD

Game is using only 3 nifm functions:

void nn::nifm::Initialize();
void nn::nifm::SubmitNetworkRequestAndWait();
Result nn::nifm::GetCurrentPrimaryIpAddress(void* &in_addr);

Last one seems to be only one function that can throw error. Hooked last function and was surprised that game throwed error before it.

So I went through backtrace and found this:

Result nn::account::EnsureNetworkServiceAccountAvailable(nn::account::UserHandle const&);

It seems that based on disassembled main - in case of any other result than 0x0 and 0x27C it throws error and crashes.
Hooked this function and outputted 0x27C, game didn't crash and showed that there is no connection available.
Added this error code to switchbrew wiki since it seems it was not added.

Weird is that since expected result was 0x0, then this shouldn't crash here.
On first loop it returns 0. But somehow it's getting past the comparison that throws error if anything else is returned. So I don'
t know why it crashes (it may be that just IDA decompiler is making a mistake here).

So I recommend to try do this:
- Hook nn::account::EnsureNetworkServiceAccountAvailable(nn::account::UserHandle const&) and return 0x27C instantly.

If this will work, you can make SaltyNX patch

_ZN2nn7account36EnsureNetworkServiceAccountAvailableERKNS0_10UserHandleE.asm64

that will be compatible with all 64-bit games.

804F8052 //mov w0,#0x27C
C0035FD6 //ret
00000000 //null terminator
00000000 //null terminator

Thank you! Will check this out soon, great work!

 

[masagrator]

Going deeper, found the culprit responsible for crashing.

    nn::account::AsyncContext::AsyncContext(); //Constructor
    v8 = nn::account::EnsureNetworkServiceAccountIdTokenCacheAsync(v6 + 216);
    if ( !v8 )
    {
      v43 = 0;
      v11 = nn::account::AsyncContext::GetSystemEvent(&v42);
      v37 = v11;
      if ( v11 )
      {
        v22 = v11 & 0x1FF;
        sub_7100168F34(&v37);
        v23 = "ctx.GetSystemEvent(&e)";
        v24 = 113LL;
        goto LABEL_56;
      }
      nn::os::WaitSystemEvent(&v42);
      v12 = nn::account::AsyncContext::GetResult();

nn::account::AsyncContext::GetResult() returns 0x3e8e9b which then results in jumping to crash.
I guess since it shares the same second part as when you're failing test connection because of DNS (2155-8007), it must mean that DNS probe fails.

You shouldn't hook this though since it seems to assure that game has true connection. Forcing it to return 0 will probably results in many errors going further