MITM Wii U SSL connections!

Discussion in 'Wii U - Tutorials' started by PokeAcer, Jul 18, 2017.

  1. PokeAcer
    OP

    PokeAcer Banned

    Banned
    May 28, 2015
    United Kingdom
    Wales
    Since I've been sitting on some of this for some time, I decided that it might be better if people who want to work more help with this.

    If you don't know what MITMing is, please don't ask; this is for people who know what to do.
    You can potentially brick with this if you mess up the SSL module - If you are enough of an idiot to do this, here is my guide to unbrick.

    Requirements
    • Charles Proxy or some other proxy with SSL MITM support, as well as client certificate support. (Fiddler would work; however, I've personally had issues with it.)
    • WUPServer with sys perms (Mocha CFW works, CBHC doesn't if I recall correctly)
    • The Nintendo Wii U Client Certificate - this can be obtained via Arian Kordi's website at https://ariankordi.net/cert
    Steps (These have been written for Charles Proxy, but should work with tweaks on other proxies)
    1. Download the Client Certificate, and optionally install Nintendo's Server Certificates.
    2. Open Charles Proxy, go to SSL Proxy; add *.nintendo.net port 443 to the domains to MITM.
    3. Add the Wii U's common client cert for *.nintendo.net port 443
    4. Enable HTTP proxy, but disable Browser and OS proxying
    5. Go to SSL proxy; export as a BINARY CERTIFICATE.
    6. Open WUPServer and run the command:
      Code:
      w.up("FILENAMEOFCERT.der", "/vol/storage_mlc01/sys/title/0005001b/10054000/content/scerts/CACERT_NINTENDO_CA_G3.der")
    7. Reboot your Wii U (or just go to System Settings and back)
    8. Connect your Wii U to the proxy, and test!
    A few notes:
    • Regular SSL without the proxy will no longer work for anything that uses the certificate you replaced.
    • Not all services use that one SSL certificate and thus not all services will work; at a later date (or if someone informs me) I can add a list of what services use what CA.
     
    Last edited by PokeAcer, Jul 18, 2017
  2. iAqua

    iAqua feel the... envy.

    Member
    GBAtemp Patron
    Dec 7, 2015
    Canada
    oh my god I love you.

    btw the only reason no one responded is because you said if they don't know what mitm is they shouldn't respond.
     
    Last edited by iAqua, Jul 18, 2017
  3. PokeAcer
    OP

    PokeAcer Banned

    Banned
    May 28, 2015
    United Kingdom
    Wales
    xox gossip girl
     
    Anonymous456 and iAqua like this.
  4. Elveman

    Elveman B9S Shitpost Race Smogonite

    Member
    GBAtemp Patron
    Feb 1, 2015
    Russia
    Moscow city
    So... can this be our first step to custom Wii U servers (like altwfc)?
     
    PokeAcer likes this.
  5. BullyWiiPlaza

    BullyWiiPlaza Nintendo Hacking <3

    Member
    Aug 2, 2014
    Germany
    Yeah
     
    Anonymous456 and Masterwin like this.
  6. povlur.

    povlur. GBAtemp Regular

    Member
    Aug 1, 2016
    Canada
    Holy shit, I'm so happy.
     
  7. VinLark

    VinLark This machine kills bourgeois sentimentality.

    Member
    Jun 11, 2016
    Trinidad and Tobago
    4chan and other wonders of the internet
    I'm going to guess MITM means Man in the Middle Attack?

    Pretty cool. Life comes at you fast. This works on latest FW?
     
    Anonymous456 and PokeAcer like this.
  8. PokeAcer
    OP

    PokeAcer Banned

    Banned
    May 28, 2015
    United Kingdom
    Wales
    Yes, Man In The Middle, that allows SSL interception.
    It should work fine on latest FW, I've used it with 5.5.1 and the SSL module hasn't changed.
     
  9. GotKrypto67

    GotKrypto67 That one PHP guy

    Member
    Jul 21, 2015
    Saint Kitts and Nevis
    The Chamber of Kim
    Very good stuff! Thanks for posting it, I'll for sure have some fun with this.
     
    PokeAcer likes this.
  10. tunip3

    tunip3 [debugger active]

    Member
    Oct 31, 2016
    United Kingdom
    Which certificate is it?
     
  11. PokeAcer
    OP

    PokeAcer Banned

    Banned
    May 28, 2015
    United Kingdom
    Wales
    Define "which certificate"? You replace the certificate Nintendo CA - G3. You need Cafe's Common Client Cert, which you can get from Arian's site.
     
    iAqua likes this.
  12. tunip3

    tunip3 [debugger active]

    Member
    Oct 31, 2016
    United Kingdom
    so wiiu common prod 1
     
    PokeAcer likes this.
  13. PokeAcer
    OP

    PokeAcer Banned

    Banned
    May 28, 2015
    United Kingdom
    Wales
    Yes.
     
  14. ariankordi

    ariankordi GBATemp Greg Joswiak

    Member
    Oct 25, 2014
    United States
    /dev/null
    And the servers. Nintendo doesn't just have, like, 3 servers this time, and the account OAuth2 server is, well, OAuth2, but also way more complicated than anything Nintendo has done before (aside from e-commerce crypto maybe?) and also games will want their own servers, like Mario Kart TV stuff, and Splatoon wants to upload player + battle statistics after every match for SplatNet (by the way, more data than what EVEN SplatNet 2 shows is sent, so we could make a pretty sick SplatNet "Plus" server if we get to it).

    But, we can try. I think we can do it, with the power of the homebrew community.

    One of my ideas for integrating custom servers onto the Wii U is to either use a custom memory patcher that detects EVERYTHING and also patches EVERYTHING on the fly, OR to have a proxy that will use the custom servers for the system automatically only requiring the SSL setup of course, then we can make everyone use Let's Encrypt or something.
    I don't know.
     
    PokeAcer likes this.
  15. Anonymous456

    Anonymous456 Advanced Member

    Newcomer
    Jan 11, 2017
    United States
    I don't understand how to do this.
     
  16. GRAnimated

    GRAnimated Member

    Newcomer
    Jan 9, 2017
    United States
    Hey, so I followed the entire guide, but unfortunately I was unable to get it working (done on RedNAND). Whenever my Wii U uses an online service, proxy or no proxy connected, it errors.
     
  17. iAqua

    iAqua feel the... envy.

    Member
    GBAtemp Patron
    Dec 7, 2015
    Canada
    Just noting that @GRAnimated and I did solve this problem, but here are some troubleshooting tips for anyone experiencing issues.
    • Make sure you're exporting your certificate as a .der, not a .cer.
    • Ensure all your URLs are enabled for SSL proxying.
    • Also make sure you have the Wii U client certificate in the SSL proxying settings too.
    If anyone else is having problems with this, you can contact me on Discord at (aqua#6063).
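Step 5 of the guide insists on a binary export and iAqua's first tip repeats it, and step 6 writes that file straight over a system CA with no check in between. A way to look at the exported file before uploading it, as an added example that is not part of the original posts, of Charles, or of WUPServer: a minimal parser of the outer DER tag/length/value layout that tells PEM (base64 with BEGIN/END armour) from DER, confirms the top-level SEQUENCE covers the whole file, checks that it has the three children an X.509 Certificate has, and decodes a PEM file to DER when that is what was exported. It assumes the .cer export iAqua warns about is a PEM file; the sample inputs are constructed toy TLV skeletons, not real certificates, and the script name in the usage comment is hypothetical.

```python
import base64
import re
import sys

# Matches a PEM-armoured certificate body (base64 between the BEGIN/END markers).
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag and length at `offset`.

    Returns (tag, content_start, content_len), or None when the bytes at
    `offset` are not a definite-length DER header.
    """
    if offset + 2 > len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                      # short form: length fits in one byte
        return tag, offset + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or offset + 2 + n > len(data):
        return None                       # indefinite length is BER, not DER
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    return tag, offset + 2 + n, length


def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the bytes of an exported certificate file."""
    if PEM_RE.search(data):
        return "pem"
    tlv = der_tlv(data)
    # A DER certificate is exactly one SEQUENCE whose length covers the whole file.
    if tlv and tlv[0] == 0x30 and tlv[1] + tlv[2] == len(data):
        return "der"
    return "unknown"


def der_children(data: bytes):
    """Return the [(tag, content)] list of the elements inside the outer SEQUENCE."""
    outer = der_tlv(data)
    if not outer or outer[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, length = outer
    end, children = pos + length, []
    while pos < end:
        child = der_tlv(data, pos)
        if child is None or child[1] + child[2] > end:
            raise ValueError("child element overruns its parent")
        tag, cstart, clen = child
        children.append((tag, data[cstart:cstart + clen]))
        pos = cstart + clen
    return children


def looks_like_certificate(data: bytes) -> bool:
    """Structural check only: Certificate ::= SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    if classify(data) != "der":
        return False
    return [tag for tag, _ in der_children(data)] == [0x30, 0x30, 0x03]


def to_der(data: bytes) -> bytes:
    """Return the file as DER, decoding a PEM export if that is what was handed in."""
    kind = classify(data)
    if kind == "der":
        return data
    if kind == "pem":
        body = b"".join(PEM_RE.search(data).group(1).split())
        der = base64.b64decode(body, validate=True)
        if classify(der) != "der":
            raise ValueError("PEM body did not decode to a well-formed DER object")
        return der
    raise ValueError("file is neither PEM nor DER")


# --- constructed toy inputs (NOT real certificates; only the TLV skeleton is modelled) ---
def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a DER definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _toy_cert(sig_len: int) -> bytes:
    return der_encode(0x30, der_encode(0x30, b"") + der_encode(0x30, b"")
                      + der_encode(0x03, b"\x00" * sig_len))


TOY_DER = _toy_cert(1)         # short-form lengths only, 9 bytes
TOY_DER_LONG = _toy_cert(201)  # outer and signature lengths use the long form
TOY_PEM = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(TOY_DER)
           + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_der.py FILENAMEOFCERT.der
    raw = open(sys.argv[1], "rb").read()
    kind = classify(raw)
    if kind == "unknown":
        print(sys.argv[1], "-> neither PEM nor DER; do not upload it")
    else:
        print(sys.argv[1], "->", kind, "/ certificate-shaped:", looks_like_certificate(to_der(raw)))
```

Run it against the file you are about to pass to `w.up(...)`: a result of `pem` means the export was armoured text rather than the binary the guide asks for, and `to_der` gives you the bytes to write instead; `unknown` means the file is truncated or not a certificate at all and should not go anywhere near `scerts/`.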