Homebrew nds-constrain't - Taking advantage of a flaw in the Nintendo DS(i) SSL library

shutterbug2000

Introducing nds-constraint!
After many years of trying to find a solution for hackless custom Nintendo Wi-Fi Connection servers, a solution has finally been found for the Nintendo DS and the Nintendo DSi system families!
Details on how it works, instructions on how to set it up for yourself, and Kaeru Team's official Kaeru WFC server that utilizes this new method can be found below:

https://github.com/KaeruTeam/nds-constraint

For those who just want to play online, here's the DNS server info:
Primary: 178.62.43.212
Secondary: 1.1.1.1 or 8.8.8.8
 

Coto

I just don't understand it well but it seems like very good news. :)
No need to patch and no wiimfi for DS then!

SSL is just a layer on top of the HTTP layer that adds a safe client-server handshake without being MITM'd.

Since the Nintendo WFC has been reverse engineered and implemented on the server side, that still required some sort of manipulation on the client side so the client implementation would just discard the SSL context.
The way the Nintendo WFC games were written, these still required the SSL (SSLv3) layer implemented. Thus a simple server redirection wouldn't work if the games weren't tampered with.

SSL certs are built on the key-pair principle.

Certificate Signing Request:
- A public key and a certificate are forged from a private key (that only the owner has). The CA (Certificate Authority) issuer builds a certificate to be later used by the client and the server in the SSL certificate chain. The idea is that the CA is the owner of the secured connection. And it seems there is a flag to toggle the CA validity to off. So you can sign your own server certs and send them to the DS. So the chain of trust (being part of the SSL implementation, bundled with the game ROM as ARM assembly) goes as intended.

SSL handshake:
- Once the client asks for the server SSL certificate, the public key bundled with it is used to decrypt the digital signature of the cert earlier forged by the private key. If the decryption is successful then the connection takes place.
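The two steps Coto describes (the issuer signing a certificate with its private key, and the client "decrypting" that signature with the issuer's public key) and the CA flag that decides whether a certificate may issue further certificates can be modelled in a few dozen lines. The block below is an added example, not code from the nds-constraint project or from the post above: it uses a textbook RSA with small constructed primes (no padding, not secure, purely a teaching model) and constructed names; the `enforce_ca` switch is an assumption added to show what a verifier that skips the basicConstraints check would accept.

```python
"""Toy certificate-chain verifier with textbook RSA (Python stdlib only).

Added example, not code from nds-constraint or from the post above. The
primes, names and the `enforce_ca` switch are constructed for illustration;
the RSA here has no padding and tiny keys, so it is only a teaching model.
"""
import hashlib
from dataclasses import dataclass, replace


def make_key(p, q, e=65537):
    """Textbook RSA keypair from two (small, constructed) primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public_part(key):
    return {"n": key["n"], "e": key["e"]}


@dataclass
class Cert:
    subject: str
    issuer: str
    pub: dict          # the subject's public key
    is_ca: bool        # the basicConstraints "CA" flag
    signature: int = 0

    def tbs(self) -> bytes:
        """The to-be-signed bytes: every field except the signature."""
        return f"{self.subject}|{self.issuer}|{self.pub['n']}|{self.pub['e']}|{self.is_ca}".encode()


def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(cert: Cert, issuer_key: dict) -> Cert:
    """Issuer signs the hash of the TBS bytes with its private exponent."""
    k = issuer_key
    cert.signature = pow(digest_int(cert.tbs(), k["n"]), k["d"], k["n"])
    return cert


def verify_signature(cert: Cert, issuer_pub: dict) -> bool:
    """'Decrypt' the signature with the issuer's public key and compare hashes."""
    recovered = pow(cert.signature, issuer_pub["e"], issuer_pub["n"])
    return recovered == digest_int(cert.tbs(), issuer_pub["n"])


def verify_chain(chain, trust_anchor, enforce_ca=True):
    """chain is ordered leaf first; each cert must be signed by the next one,
    and the last by trust_anchor. Returns (ok, reason)."""
    issuers = chain[1:] + [trust_anchor]
    for cert, issuer in zip(chain, issuers):
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name mismatch"
        if not verify_signature(cert, issuer.pub):
            return False, f"{cert.subject}: bad signature"
        if enforce_ca and not issuer.is_ca:
            return False, f"{cert.subject}: issuer {issuer.subject} is not a CA"
    return True, "ok"


# Constructed PKI: a root CA, an ordinary (non-CA) server cert, and a cert
# that the server key signed even though it was never authorised to issue.
ROOT_KEY = make_key(10007, 10009)
SERVER_KEY = make_key(10037, 10039)
OTHER_KEY = make_key(10061, 10067)

ROOT = sign(Cert("Toy Root CA", "Toy Root CA", public_part(ROOT_KEY), True), ROOT_KEY)
SERVER = sign(Cert("legit.example", "Toy Root CA", public_part(SERVER_KEY), False), ROOT_KEY)
LEAF_SIGNED = sign(Cert("other.example", "legit.example", public_part(OTHER_KEY), False), SERVER_KEY)


def demo():
    """Run the four cases a verifier must get right and return the verdicts."""
    return {
        "server_ok": verify_chain([SERVER], ROOT),
        "tampered": verify_chain([replace(SERVER, subject="evil.example")], ROOT),
        "leaf_signed_strict": verify_chain([LEAF_SIGNED, SERVER], ROOT),
        "leaf_signed_lax": verify_chain([LEAF_SIGNED, SERVER], ROOT, enforce_ca=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The signature check alone catches a tampered certificate, but it says nothing about whether the signer was allowed to issue: `leaf_signed_strict` is rejected only because the verifier also consults the issuer's CA flag, and `leaf_signed_lax` shows that the very same chain passes once that flag is ignored. That is the check a client-side SSL implementation has to perform on every link of the chain, not just at the root.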
 

banjo2

Yay, now I can finally use that extra copy of Metroid Prime Hunters to mess around with online. Now to decrypt this madness into noob speak so I can do it without downloading unnecessary stuff.
 

firke_the_one

Found a way to play online (for people that can't make a WEP hotspot):
If you have a newer phone, you can probably only make a WPA2 hotspot, but I found a way to make it work.
You need to make your network open and you need to add your DS MAC address and put "Allowed devices only". You can then connect your DS without a problem to your hotspot and play any game you want online. Tried it with MKDS and played a game with someone online and it worked great!

Hope this helps :)
 

tech3475

Found a way to play online (for people that can't make a WEP hotspot):
If you have a newer phone, you can probably only make a WPA2 hotspot, but I found a way to make it work.
You need to make your network open and you need to add your DS MAC address and put "Allowed devices only". You can then connect your DS without a problem to your hotspot and play any game you want online. Tried it with MKDS and played a game with someone online and it worked great!

Hope this helps :)

For the record, MAC address filtering isn't really recommended as a security option, although better than nothing in this case.

You may be better off long term looking for something like an old router and isolating it on the LAN (more complicated but more secure).
 

nl255

For the record, MAC address filtering isn't really recommended as a security option, although better than nothing in this case.

You may be better off long term looking for something like an old router and isolating it on the LAN (more complicated but more secure).

Though to be fair, MAC address filtering is only slightly worse than WEP (as at least cracking WEP can't easily be done with most smartphones due to a lack of support for the required features*).


*Yes, I know you can use certain external usb wifi cards to work around it but that is a pain in the ass due to compatibility issues.
 

Searinox

Now waiting for a new class of DSi and 3DS jailbreak exploits involving running legit DS titles on the console with a custom DNS, connecting to a hax server for online play, and feeding the console corrupt data overflowing one thing or another in order to run arbitrary code.
 

tech3475

Though to be fair, MAC address filtering is only slightly worse than WEP (as at least cracking WEP can't easily be done with most smartphones due to a lack of support for the required features*).

*Yes, I know you can use certain external usb wifi cards to work around it but that is a pain in the ass due to compatibility issues.

I was speaking in general and then compared to open wifi.

I think if you plan to do anything like this, it would be better to use a method which isolates the DS as much as possible from a known good device/network.
 

firke_the_one

I was speaking in general and then compared to open wifi.

I think if you plan to do anything like this, it would be better to use a method which isolates the DS as much as possible from a known good device/network.
I was just saying that if you don't have any other options, you could do my method. Since I don't have any other routers in my house and I'm unable to make a WEP hotspot, and everyone in my country is dumb af, an open wifi hotspot is just okay for what I need.
 

FAST6191

Nice writeup/work, those responsible. I am not sure how much practical use it will be in the end but the option is very much appreciated. Looks like I also have some reading to do on the full SSL implementation.

For the record, MAC address filtering isn't really recommended as a security option, although better than nothing in this case.

You may be better off long term looking for something like an old router and isolating it on the LAN (more complicated but more secure).

Were you not around for the times we needed custom mac addresses for various hacks (the streetpass thing being the most notable)? I have quite literally had an easier time teaching people to figure out WEP keys.

I agree though getting an older router, doing a decent setup there and powering it on whenever you fancy is probably the better route if security is a concern.
 

tech3475

Were you not around for the times we needed custom mac addresses for various hacks (the streetpass thing being the most notable)? I have quite literally had an easier time teaching people to figure out WEP keys.

I agree though getting an older router, doing a decent setup there and powering it on whenever you fancy is probably the better route if security is a concern.

I'm not familiar with those hacks, never cared for spotpass.

The reason why MAC address filtering is not recommended as a security measure is that MAC addresses can be sniffed and spoofed.

I wasn't talking about WEP vs MAC but, again, in general and in the context of open wifi.
 
