Hacking Is it possible to block system update via hosts file (on a virtual network)?

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,875
Country
Germany
Now, something for the more tech savy among us.

You may have read about setting up a virtual private network on your Windows 7/8/8.1 PC. When following the instructions correctly, you are able to use the WiFi adapter of your PC as an actual WiFi hotspot. It (the WiFi adapter) can even stay connected with the router while doing so, so it handles both the internet connection and the 3DS. We can use that for Homepass, using MACycle along with it.

Instructions for setting up the virtual WiFi adapter are found here.

We can also block certain domains using the hosts file on your computer (this is f.e. also used by SpyBots 'immunize' function). Instruction for blocking domains via hosts file are found here.

Now, we may use the instructions above to add these lines to our hosts file:
Code:
# hosts file block entries to stop 3DS update by d0k3
# explanations:
# NUS -> Nintendo Update Server or Net Update SOAP
# CDN -> Content Delivery Network
# ECS -> ECommerce SOAP
# IAS -> Identity Authification SOAP
# CAS -> CAtaloging SOAP
# SOAP -> Simple Object Access protocol, http://en.wikipedia.org/wiki/SOAP
# NintendoWifi.net -> Nintendos dedicated 3DS domain
 
# this domain checks for an update (important!)
127.0.0.1  nus.c.shop.nintendowifi.net
# this domain hosts the update content (important!)
127.0.0.1  nus.cdn.c.shop.nintendowifi.net
# seems to be another significant one (according to Yifan Lu)
127.0.0.1  ecs.c.shop.nintendowifi.net
# this blocks eShop authentication (might as well get rid of that too)
127.0.0.1  cp3s-auth.c.shop.nintendowifi.net
 
# this is a connection test (what will happen if we disable this?)
# 127.0.0.1  http://conntest.nintendowifi.net/
 
# what follows is the overkill list, this might disable stuff you actually
# wanted to keep using. Uncomment if you're feeling adventurous.
#127.0.0.1  cas.c.shop.nintendowifi.net
#127.0.0.1  ccs.c.shop.nintendowifi.net
#127.0.0.1  ccs.cdn.c.shop.nintendowifi.net
#127.0.0.1  ias.c.shop.nintendowifi.net
#127.0.0.1  pls.c.shop.nintendowifi.net
#127.0.0.1  npul.c.app.nintendowifi.net
#127.0.0.1  cp3s.cdn.nintendowifi.net
#127.0.0.1  eou.cdn.nintendowifi.net
#127.0.0.1  npdl.cdn.nintendowifi.net

The list above is updated from this post, but you may find the original list, inside the spoiler below. It will also work, but use the one above, it's more precise.
Code:
127.0.0.1  nus.c.shop.nintendowifi.net
127.0.0.1  nus.cdn.c.shop.nintendowifi.net
127.0.0.1  nus.cdn.wup.shop.nintendo.net
127.0.0.1  c.shop.nintendowifi.net
127.0.0.1  nus.cdn.shop.wii.com
127.0.0.1  nus.wup.shop.nintendo.net
127.0.0.1  ecs.wup.shop.nintendo.net
127.0.0.1  ccs.wup.shop.nintendo.net
127.0.0.1  ias.wup.shop.nintendo.net
127.0.0.1  tagaya.wup.shop.nintendo.net
Lifted from this thread. May block too much / too little, no guarantees.
And, en voilà, a safe internet connection / homepass relay for your 3DS, using hardware almost everyone has access to and without the need to install any additional tools. At least in theory. At the moment I'm too scared to even accept the Nintendo Network agreement on my shiny new N3DS.

So, will that work? My experiments with other hardware in a virtual network say yes, but then the 3DS might somehow circumvent this by accessing the DNS server directly. Maybe someone with EmuNAND can try (I'm a Sky3DS user atm, sorry)?
 
  • Like
Reactions: Margen67

Tjessx

Well-Known Member
Member
Joined
Dec 3, 2014
Messages
1,160
Trophies
0
Age
25
XP
924
Country
Belgium
I will try out this list in a moment.
Some routers/modems have a DNS server built in, in this case you can just add these links to that list,
It would be great if someone could put a DNS server online, with these links redirected to localhost or something.
This way you just have to add that DNS server in your internet connection settings on your 3DS, and you don't have to put up your windows wifi hotspot.
I would do it myself, but i'm pretty broke at the moment.
Here in belgium it would cost about 1.5 euros/month, if someone would want to sponsor that i can set it up, but i don't have the money for it myself ATM.
 
  • Like
Reactions: d0k3

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,875
Country
Germany
I will try out this list in a moment.
Some routers/modems have a DNS server built in, in this case you can just add these links to that list,

Thanks a ton! Well, I don't have access to the Routers configuration and my 3DS is blocked via MAC filtering on that, so I need to be inventive. I do hope the hosts file is enough to block it without having to setup any additional stuff in the 3DS.
 

Tjessx

Well-Known Member
Member
Joined
Dec 3, 2014
Messages
1,160
Trophies
0
Age
25
XP
924
Country
Belgium
I just realized that i don't have a wifi card in my pc, so i won't be able to setup a hotspot, but i'm going to try to use the hosts file in my router.
 

GaaraPrime

Well-Known Member
Member
Joined
Apr 11, 2007
Messages
791
Trophies
0
XP
1,326
Country
India
That is pretty amazing, but, you know, KARL3DS is not ready yet ;).

I know. I know. But it's good to know that this kinda thing is possible and once it gets released, hopefully Gateway will take que and "incorporate" all of that stuff into their code :P
 

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,875
Country
Germany
Okay, after some further testing of this method on my Nexus 4, it seems to work fine. Domains can be safely blocked or redirected to other IPs, with no exceptions.

I have left the IP settings (in the phone, for the virtual WiFi) on DHCP, which on Android (Lollipop) means that the DNS configuration is fetched automatically as well. On 3DS hardware, this should correspond to DNS setting 'Auto'. If I manually set a DNS (f.e. 8.8.8.8) on the phone, the blocking won't work.

Anyone (preferably someone with EmuNAND) willing to test this on real hardware?

Possible problems (help needed!):
  • The 3DS may use Nintendos IPs instead of the domain names, in which case this method wouldn't help (highly unlikely, though).
  • DNS configuration 'Auto' might mean something else entirely on a 3DS (f.e. automatically use some DNS Nintendo specified).
  • The list of domains to block might be incomplete to block updates for all regions. Anyone got something to add?
 

Tjessx

Well-Known Member
Member
Joined
Dec 3, 2014
Messages
1,160
Trophies
0
Age
25
XP
924
Country
Belgium
  • DNS configuration 'Auto' might mean something else entirely on a 3DS (f.e. automatically use some DNS Nintendo specified)

This shouldn't matter, because the DNS server on your hotspot will filter this out before it even got to their possible DNS server.
 

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,875
Country
Germany
This shouldn't matter, because the DNS server on your hotspot will filter this out before it even got to their possible DNS server.
But, if I manually set a DNS server on my phone (such as the one from Google, 8.8.8.8), the hosts file on the PC is circumvented. Doesn't that mean that the DNS server on my hotspot (which would be the PC then) can't filter this out?

Also about domains to block, here's a new list, lifted from this thread:
Code:
*.cdn.c.shop.nintendowifi.net
*.c.shop.nintendowifi.net
*.c.shop.nintendowifi.net
*.c.app.nintendowifi.net
*.e.akamai.net
nus.cdn.c.shop.nintendowifi.net
nus.c.shop.nintendowifi.net
cp3s-auth.c.shop.nintendowifi.net
ecs.c.shop.nintendowifi.net
cp3s.cdn.nintendowifi.net
cas.c.shop.nintendowifi.net
eou.cdn.nintendowifi.net
pls.c.shop.nintendowifi.net
npul.c.app.nintendowifi.net
ecs.c.shop.nintendowifi.net
a248.e.akamai.net
nppl.c.app.nintendowifi.net
conntest.nintendowifi.net
*.conntest.nintendowifi.net
Completely different list here, the nintendo.net domain is not even included. Problem here is, the hosts file can't handle asterisks as wildcards. Also, it might not be a good idea to block that much of the Akamai domain.
 
  • Like
Reactions: GaaraPrime

Tjessx

Well-Known Member
Member
Joined
Dec 3, 2014
Messages
1,160
Trophies
0
Age
25
XP
924
Country
Belgium
But, if I manually set a DNS server on my phone (such as the one from Google, 8.8.8.8), the hosts file on the PC is circumvented. Doesn't that mean that the DNS server on my hotspot (which would be the PC then) can't filter this out?


Normaly the routers DNS server should overide this, and if the domain doesn't exist in the DNS server it is send to the next one.
 

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,875
Country
Germany
I wonder if the 3ds have a hosts-like file.

It's pretty common on most other devices.
Yup, that's what I wondered about as well. That would enable us to block it at the source ;). Though, the 3DS OS is most likely not UNIX based, so it doesn't have to.

Anyways, here's some more progress. I did investigate some more, and it turned out that a lot of the stuff in my first list is actually not even 3DS related (only the nintendowifi.net domain is), but the second list is overkill. My new list follows, but these are my sources:
Anyways, here's the new list, ready to be added to your hosts file, with explanations in #comments. Hint: you won't be able to use the eShop, as that thing stops working as soon as the update servers are no more reachable. So, it's either staying on your good FW version or access to your (future?) purchases. Say sayonara to the eShop, or use EmuNAND for that.
Code:
# hosts file block entries to stop 3DS update by d0k3
# explanations:
# NUS -> Nintendo Update Server or Net Update SOAP
# CDN -> Content Delivery Network
# ECS -> ECommerce SOAP
# IAS -> Identity Authification SOAP
# CAS -> CAtaloging SOAP
# SOAP -> Simple Object Access protocol, http://en.wikipedia.org/wiki/SOAP
# NintendoWifi.net -> Nintendos dedicated 3DS domain
 
# this domain checks for an update (important!)
127.0.0.1  nus.c.shop.nintendowifi.net
# this domain hosts the update content (important!)
127.0.0.1  nus.cdn.c.shop.nintendowifi.net
# seems to be another significant one (according to Yifan Lu)
127.0.0.1  ecs.c.shop.nintendowifi.net
# this blocks eShop authentication (might as well get rid of that too)
127.0.0.1  cp3s-auth.c.shop.nintendowifi.net
 
# this is a connection test (what will happen if we disable this?)
# 127.0.0.1  http://conntest.nintendowifi.net/
 
# what follows is the overkill list, this might disable stuff you actually
# wanted to keep using. Uncomment if you're feeling adventurous.
#127.0.0.1  cas.c.shop.nintendowifi.net
#127.0.0.1  ccs.c.shop.nintendowifi.net
#127.0.0.1  ccs.cdn.c.shop.nintendowifi.net
#127.0.0.1  ias.c.shop.nintendowifi.net
#127.0.0.1  pls.c.shop.nintendowifi.net
#127.0.0.1  npul.c.app.nintendowifi.net
#127.0.0.1  cp3s.cdn.nintendowifi.net
#127.0.0.1  eou.cdn.nintendowifi.net
#127.0.0.1  npdl.cdn.nintendowifi.net
So, that's it. If you read it correctly, you see that only four domains are actually blocked. Of these four, I think only the first one is absolutely needed, and it makes good sense to add the second one.

Now, anyone willing to try? Less tech savy users may just copy & paste this to their hosts file, more tech savy users may try commenting / uncommenting stuff and test the results. I advice being on EmuNAND for this, as this is not well enough tested yet, and under some circumstance the update nag may still come through. You can get rid of that, though.
 

BullyWiiPlaza

Nintendo Hacking <3
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,446
Country
Germany
This will probably work, nice topic.

I won't try, because I already did the router IP blocking way which is easy when your router supports it.
 

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,875
Country
Germany
This will probably work, nice topic.

I won't try, because I already did the router IP blocking way which is easy when your router supports it.
Thank you! Well, I also think that it will work, but it needs testing. Could you tell me which domains you blocked? Did you go the overkill route? What works now, what doesn't?
 

BullyWiiPlaza

Nintendo Hacking <3
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,446
Country
Germany
Thank you! Well, I also think that it will work, but it needs testing. Could you tell me which domains you blocked? Did you go the overkill route? What works now, what doesn't?

Ah, I realized that I just did it for the Wii U. I'll try adding the 3DS urls then. Let's see if the update nag is suppressed forever.
 

d0k3

3DS Homebrew Legend
OP
Member
Joined
Dec 3, 2004
Messages
2,786
Trophies
1
XP
3,875
Country
Germany
Ah, I realized that I just did it for the Wii U. I'll try adding the 3DS urls then. Let's see if the update nag is suppressed forever.
Great! I think you only need to block these two:
Code:
nus.c.shop.nintendowifi.net
nus.cdn.c.shop.nintendowifi.net
... but you may also add these:
Code:
ecs.c.shop.nintendowifi.net
cp3s-auth.c.shop.nintendowifi.net
... or experiment with the others as in my last post. Also keep in mind that you have to get rid of the update first if it is already locally stored.

Let me know how it worked for you!
 

You may also like...

General chit-chat
Help Users
  • No one is chatting at the moment.
    M4x1mumReZ @ M4x1mumReZ: Gotta skidaddle +1