Is it possible to block system update via hosts file (on a virtual network)?

Discussion in '3DS - Flashcards & Custom Firmwares' started by d0k3, Mar 30, 2015.

  1. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Now, something for the more tech-savvy among us.

    You may have read about setting up a virtual private network on your Windows 7/8/8.1 PC. When following the instructions correctly, you are able to use the WiFi adapter of your PC as an actual WiFi hotspot. It (the WiFi adapter) can even stay connected with the router while doing so, so it handles both the internet connection and the 3DS. We can use that for Homepass, using MACycle along with it.

    Instructions for setting up the virtual WiFi adapter are found here.

    We can also block certain domains using the hosts file on your computer (this is f.e. also used by Spybot's 'immunize' function). Instructions for blocking domains via hosts file are found here.

    Now, we may use the instructions above to add these lines to our hosts file:
    Code:
    # hosts file block entries to stop 3DS update by d0k3
    # explanations:
    # NUS -> Nintendo Update Server or Net Update SOAP
    # CDN -> Content Delivery Network
    # ECS -> ECommerce SOAP
    # IAS -> Identity Authification SOAP
    # CAS -> CAtaloging SOAP
    # SOAP -> Simple Object Access protocol, http://en.wikipedia.org/wiki/SOAP
    # NintendoWifi.net -> Nintendos dedicated 3DS domain
     
    # this domain checks for an update (important!)
    127.0.0.1  nus.c.shop.nintendowifi.net
    # this domain hosts the update content (important!)
    127.0.0.1  nus.cdn.c.shop.nintendowifi.net
    # seems to be another significant one (according to Yifan Lu)
    127.0.0.1  ecs.c.shop.nintendowifi.net
    # this blocks eShop authentication (might as well get rid of that too)
    127.0.0.1  cp3s-auth.c.shop.nintendowifi.net
     
    # this is a connection test (what will happen if we disable this?)
    # 127.0.0.1  conntest.nintendowifi.net
     
    # what follows is the overkill list, this might disable stuff you actually
    # wanted to keep using. Uncomment if you're feeling adventurous.
    #127.0.0.1  cas.c.shop.nintendowifi.net
    #127.0.0.1  ccs.c.shop.nintendowifi.net
    #127.0.0.1  ccs.cdn.c.shop.nintendowifi.net
    #127.0.0.1  ias.c.shop.nintendowifi.net
    #127.0.0.1  pls.c.shop.nintendowifi.net
    #127.0.0.1  npul.c.app.nintendowifi.net
    #127.0.0.1  cp3s.cdn.nintendowifi.net
    #127.0.0.1  eou.cdn.nintendowifi.net
    #127.0.0.1  npdl.cdn.nintendowifi.net
    
    The list above is updated from this post, but you may find the original list, inside the spoiler below. It will also work, but use the one above, it's more precise.
    Warning: Spoilers inside!
    And, en voilà, a safe internet connection / homepass relay for your 3DS, using hardware almost everyone has access to and without the need to install any additional tools. At least in theory. At the moment I'm too scared to even accept the Nintendo Network agreement on my shiny new N3DS.

    So, will that work? My experiments with other hardware in a virtual network say yes, but then the 3DS might somehow circumvent this by accessing the DNS server directly. Maybe someone with EmuNAND can try (I'm a Sky3DS user atm, sorry)?
     
    Margen67 likes this.
  2. Tjessx

    Tjessx GBAtemp Maniac

    Member
    1,157
    508
    Dec 3, 2014
    Belgium
    It will probs work, but I'm pretty sure you won't be able to access the eShop.
     
  3. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    I think accessing the eShop without risking a connection to the update server is possible, as it is possible with PSVProxy as well. I guess not with my list, though, but at the moment that's the least of my concerns.
     
  4. Tjessx

    Tjessx GBAtemp Maniac

    Member
    1,157
    508
    Dec 3, 2014
    Belgium
    I will try out this list in a moment.
    Some routers/modems have a DNS server built in; in this case you can just add these links to that list.
    It would be great if someone could put a DNS server online, with these links redirected to localhost or something.
    This way you just have to add that DNS server in your internet connection settings on your 3DS, and you don't have to put up your Windows WiFi hotspot.
    I would do it myself, but I'm pretty broke at the moment.
    Here in Belgium it would cost about 1.5 euros/month; if someone would want to sponsor that I can set it up, but I don't have the money for it myself ATM.
     
    d0k3 likes this.
  5. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Thanks a ton! Well, I don't have access to the router's configuration and my 3DS is blocked via MAC filtering on that, so I need to be inventive. I do hope the hosts file is enough to block it without having to set up any additional stuff in the 3DS.
     
  6. Tjessx

    Tjessx GBAtemp Maniac

    Member
    1,157
    508
    Dec 3, 2014
    Belgium
    I just realized that I don't have a WiFi card in my PC, so I won't be able to set up a hotspot, but I'm going to try to use the hosts file in my router.
     
  7. ravihpa

    ravihpa GBAtemp Advanced Fan

    Member
    605
    242
    Apr 11, 2007
    India
  8. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
  9. ravihpa

    ravihpa GBAtemp Advanced Fan

    Member
    605
    242
    Apr 11, 2007
    India
    I know. I know. But it's good to know that this kinda thing is possible and once it gets released, hopefully Gateway will take a cue and "incorporate" all of that stuff into their code :P
     
  10. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Okay, after some further testing of this method on my Nexus 4, it seems to work fine. Domains can be safely blocked or redirected to other IPs, with no exceptions.

    I have left the IP settings (in the phone, for the virtual WiFi) on DHCP, which on Android (Lollipop) means that the DNS configuration is fetched automatically as well. On 3DS hardware, this should correspond to DNS setting 'Auto'. If I manually set a DNS (f.e. 8.8.8.8) on the phone, the blocking won't work.

    Anyone (preferably someone with EmuNAND) willing to test this on real hardware?

    Possible problems (help needed!):
    • The 3DS may use Nintendo's IPs instead of the domain names, in which case this method wouldn't help (highly unlikely, though).
    • DNS configuration 'Auto' might mean something else entirely on a 3DS (f.e. automatically use some DNS Nintendo specified).
    • The list of domains to block might be incomplete to block updates for all regions. Anyone got something to add?
     
  11. Tjessx

    Tjessx GBAtemp Maniac

    Member
    1,157
    508
    Dec 3, 2014
    Belgium
    This shouldn't matter, because the DNS server on your hotspot will filter this out before it even got to their possible DNS server.
     
  12. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    But, if I manually set a DNS server on my phone (such as the one from Google, 8.8.8.8), the hosts file on the PC is circumvented. Doesn't that mean that the DNS server on my hotspot (which would be the PC then) can't filter this out?

    Also about domains to block, here's a new list, lifted from this thread:
    Code:
    *.cdn.c.shop.nintendowifi.net
    *.c.shop.nintendowifi.net
    *.c.shop.nintendowifi.net
    *.c.app.nintendowifi.net
    *.e.akamai.net
    nus.cdn.c.shop.nintendowifi.net
    nus.c.shop.nintendowifi.net
    cp3s-auth.c.shop.nintendowifi.net
    ecs.c.shop.nintendowifi.net
    cp3s.cdn.nintendowifi.net
    cas.c.shop.nintendowifi.net
    eou.cdn.nintendowifi.net
    pls.c.shop.nintendowifi.net
    npul.c.app.nintendowifi.net
    ecs.c.shop.nintendowifi.net
    a248.e.akamai.net
    nppl.c.app.nintendowifi.net
    conntest.nintendowifi.net
    *.conntest.nintendowifi.net
    Completely different list here, the nintendo.net domain is not even included. Problem here is, the hosts file can't handle asterisks as wildcards. Also, it might not be a good idea to block that much of the Akamai domain.
     
    ravihpa likes this.
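
Added example (not part of any post in this thread): a small Python check of hosts-file text against a list of names to block. It flags entries the hosts format cannot express, such as the asterisk wildcards noted above, and reports which names remain unblocked. The sample text, the function names `parse_hosts` and `coverage`, and the set of sink addresses are assumptions made for this illustration.

```python
import re

# Constructed sample in the style of the thread's lists (not a real hosts file).
SAMPLE_HOSTS = """\
# this domain checks for an update
127.0.0.1  nus.c.shop.nintendowifi.net
127.0.0.1  nus.cdn.c.shop.nintendowifi.net   # update content
# 127.0.0.1  ecs.c.shop.nintendowifi.net
127.0.0.1  http://conntest.nintendowifi.net/
127.0.0.1  *.c.app.nintendowifi.net
"""
WANTED = ["nus.c.shop.nintendowifi.net", "NUS.cdn.c.shop.nintendowifi.net",
          "ecs.c.shop.nintendowifi.net", "conntest.nintendowifi.net",
          "npul.c.app.nintendowifi.net"]

# Plain DNS hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")
SINKS = {"127.0.0.1", "0.0.0.0", "::1"}  # assumed "blocked" target addresses

def parse_hosts(text):
    """Return (active, rejected): active maps hostname -> address,
    rejected lists (line number, token, reason) for unusable entries."""
    active, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # a comment runs to end of line
        if not line:
            continue
        addr, *names = line.split()
        for name in (n.lower() for n in names):
            if "*" in name:
                rejected.append((lineno, name, "wildcard"))  # matched literally, never expanded
            elif "/" in name or ":" in name:
                rejected.append((lineno, name, "url"))       # hosts maps names, not URLs
            elif not HOSTNAME.match(name):
                rejected.append((lineno, name, "invalid"))
            else:
                active.setdefault(name, addr)                # keep the first mapping seen
    return active, rejected

def coverage(text, wanted):
    """Return the wanted names that no active entry points at a sink address."""
    active, _ = parse_hosts(text)
    return [w for w in wanted if active.get(w.lower().rstrip(".")) not in SINKS]

if __name__ == "__main__":
    for lineno, token, reason in parse_hosts(SAMPLE_HOSTS)[1]:
        print(f"line {lineno}: {token!r} ignored ({reason})")
    print("still resolvable:", coverage(SAMPLE_HOSTS, WANTED))
```

A name covered only by a rejected wildcard line still shows up as resolvable, which is the practical consequence of the hosts file not handling asterisks.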
  13. Nollog

    Nollog GBAtemp Addict

    Member
    2,703
    472
    Oct 10, 2008
    I wonder if the 3DS has a hosts-like file.

    It's pretty common on most other devices.
     
    d0k3 likes this.
  14. Tjessx

    Tjessx GBAtemp Maniac

    Member
    1,157
    508
    Dec 3, 2014
    Belgium

    Normally the router's DNS server should override this, and if the domain doesn't exist in the DNS server it is sent to the next one.
     
  15. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Yup, that's what I wondered about as well. That would enable us to block it at the source ;). Though, the 3DS OS is most likely not UNIX based, so it doesn't have to.

    Anyways, here's some more progress. I did investigate some more, and it turned out that a lot of the stuff in my first list is actually not even 3DS related (only the nintendowifi.net domain is), but the second list is overkill. My new list follows, but these are my sources:
    Anyways, here's the new list, ready to be added to your hosts file, with explanations in #comments. Hint: you won't be able to use the eShop, as that thing stops working as soon as the update servers are no more reachable. So, it's either staying on your good FW version or access to your (future?) purchases. Say sayonara to the eShop, or use EmuNAND for that.
    Code:
    # hosts file block entries to stop 3DS update by d0k3
    # explanations:
    # NUS -> Nintendo Update Server or Net Update SOAP
    # CDN -> Content Delivery Network
    # ECS -> ECommerce SOAP
    # IAS -> Identity Authification SOAP
    # CAS -> CAtaloging SOAP
    # SOAP -> Simple Object Access protocol, http://en.wikipedia.org/wiki/SOAP
    # NintendoWifi.net -> Nintendos dedicated 3DS domain
     
    # this domain checks for an update (important!)
    127.0.0.1  nus.c.shop.nintendowifi.net
    # this domain hosts the update content (important!)
    127.0.0.1  nus.cdn.c.shop.nintendowifi.net
    # seems to be another significant one (according to Yifan Lu)
    127.0.0.1  ecs.c.shop.nintendowifi.net
    # this blocks eShop authentication (might as well get rid of that too)
    127.0.0.1  cp3s-auth.c.shop.nintendowifi.net
     
    # this is a connection test (what will happen if we disable this?)
    # 127.0.0.1  conntest.nintendowifi.net
     
    # what follows is the overkill list, this might disable stuff you actually
    # wanted to keep using. Uncomment if you're feeling adventurous.
    #127.0.0.1  cas.c.shop.nintendowifi.net
    #127.0.0.1  ccs.c.shop.nintendowifi.net
    #127.0.0.1  ccs.cdn.c.shop.nintendowifi.net
    #127.0.0.1  ias.c.shop.nintendowifi.net
    #127.0.0.1  pls.c.shop.nintendowifi.net
    #127.0.0.1  npul.c.app.nintendowifi.net
    #127.0.0.1  cp3s.cdn.nintendowifi.net
    #127.0.0.1  eou.cdn.nintendowifi.net
    #127.0.0.1  npdl.cdn.nintendowifi.net
    So, that's it. If you read it correctly, you see that only four domains are actually blocked. Of these four, I think only the first one is absolutely needed, and it makes good sense to add the second one.

    Now, anyone willing to try? Less tech-savvy users may just copy & paste this to their hosts file, more tech-savvy users may try commenting / uncommenting stuff and test the results. I advise being on EmuNAND for this, as this is not well enough tested yet, and under some circumstances the update nag may still come through. You can get rid of that, though.
     
  16. BullyWiiPlaza

    BullyWiiPlaza Nintendo Hacking <3

    Member
    1,799
    1,464
    Aug 2, 2014
    Germany
    This will probably work, nice topic.

    I won't try, because I already did the router IP blocking way which is easy when your router supports it.
     
  17. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Thank you! Well, I also think that it will work, but it needs testing. Could you tell me which domains you blocked? Did you go the overkill route? What works now, what doesn't?
     
  18. BullyWiiPlaza

    BullyWiiPlaza Nintendo Hacking <3

    Member
    1,799
    1,464
    Aug 2, 2014
    Germany
    Ah, I realized that I just did it for the Wii U. I'll try adding the 3DS URLs then. Let's see if the update nag is suppressed forever.
     
  19. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Great! I think you only need to block these two:
    Code:
    nus.c.shop.nintendowifi.net
    nus.cdn.c.shop.nintendowifi.net
    ... but you may also add these:
    Code:
    ecs.c.shop.nintendowifi.net
    cp3s-auth.c.shop.nintendowifi.net
    ... or experiment with the others as in my last post. Also keep in mind that you have to get rid of the update first if it is already locally stored.

    Let me know how it worked for you!
     
  20. Jao Chu

    Jao Chu GBAtemp Advanced Maniac

    Member
    1,921
    1,211
    Aug 20, 2013
    straya m8
    Let thy paranoia of updating flow through thee.