Nintendo Video analysis

Discussion in '3DS - Flashcards & Custom Firmwares' started by popoffka, Jul 14, 2011.

Nintendo Video analysis by popoffka at 9:16 AM (14,647 Views / 0 Likes) 45 replies

  1. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
    Hi everybody.
    I'm currently trying to analyse the way 3DS communicates with Nintendo Video servers, and there seems to be some plain HTTP communication there, so it's possible that we might alter it.
    The problem is that I'm from Latvia and Nintendo Video is not available here, so I can't see everything.
    Because of that, I'm asking for your help, Temp. Is there anybody here who has a 3DS (preferably a European one), a device to capture packets over WiFi (e.g. a rooted Android phone) and a desire to waste a few minutes trying to help me? Also, it would be very good if you don't have anything against removing Nintendo Video from your 3DS and then installing it again, so that I can see the first connection (when it checks your location). If you need any help capturing packets, I'll provide it.
     


  2. markvn

    Member markvn GBAtemp Regular

    Joined:
    Mar 14, 2009
    Messages:
    205
    Country:
    Netherlands
    Well, your country is not a problem
    Just go to Settings->Profile, and change your country to a country where Nintendo Video is available.
    You can choose The Netherlands, UK or Germany, and then get all content available in that country.
    The only thing you have to do is start Nintendo Video after changing your country.
    Some pop-ups will come, just say 'yes' and 'agree' to all of them
    This should fix your problem
     
  3. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
    My region is already set to UK, but it doesn't help. I guess that Nintendo Video uses my IP address to determine the location, not the profile settings.
     
  4. markvn

    Member markvn GBAtemp Regular

    Joined:
    Mar 14, 2009
    Messages:
    205
    Country:
    Netherlands
    Awh, that sucks
    Have you tried deleting it and downloading it from the UK shop again?
    Or do you always have UK set as your country?
     
  5. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
    I've always had UK set as my country, so my Nintendo Video has already been downloaded from the UK shop.
    I'm currently trying to analyse network packets sent from 3DS to the Nintendo Video and vice-versa. I might also try to use a proxy to access Video.
     
  6. dark_day

    Newcomer dark_day Newbie

    Joined:
    Apr 21, 2007
    Messages:
    6
    Country:
    Australia
    This actually sounds like a somewhat interesting idea... let us know how it goes. Maybe I could set up a temp circumventor style proxy for you to borrow (aus). Though I'm not sure if any 3d vids are available in AUS anymore. Didn't nity retract the demo vid with the new FW update?


    After thinking about it some more, why not attempt a full blown MITM attack? Can you poison the DNS somehow, or set one up locally? If so then we can try to set up a local nty vid server. Might be an interesting idea if no one's tried it.
     
  7. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
    This really depends on whether the connection is fully encrypted or not.
    The most likely scenario is that it's fully encrypted, however, I saw some plaintext connections to pubeu-p.est.c.app.nintendowifi.net in my logs.
     
  8. Snailface

    Member Snailface My frothing demand for 3ds homebrew is increasing

    Joined:
    Sep 20, 2010
    Messages:
    4,324
    Location:
    Engine Room with Cyan, watching him learn.
    Country:
    Antarctica
  9. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
    Here's what I was able to achieve with some DNS spoofing:
    [​IMG]
    (I just happened to have a printed Latvian flag near me :3)
    This didn't actually allow me to download any videos, though, but I'll keep on trying.

    Here's the list of files the 3DS tried to download from pubeup-p.est.c.app.nintendowifi.net over plain HTTP (i.e. without any encryption):
    Code:
    GET /1/110/1/ESP_MD1 HTTP/1.1
    GET /1/110/1/ESP_MD2 HTTP/1.1
    GET /1/110/1/ESP_MD3 HTTP/1.1
    GET /1/110/1/ESP_MD4 HTTP/1.1
    GET /1/110/1/CHECK HTTP/1.1
    The server gives me a 403 error when I try to download these files, and I guess that this 403 means that my region isn't allowed to use Video (I've checked it with a sniffer: 3DS only makes requests to these files, gets 403 answer and then tells me my country isn't allowed). However, I redirected all requests for pubeup-p.est.c.app.nintendowifi.net to another server, which gave 404 errors, and then the 3DS said everything's OK.

    UPD: I've tried creating text files named "/1/110/1/CHECK", "/1/110/1/ESP_MD1", "/1/110/1/ESP_MD2", "/1/110/1/ESP_MD3", "/1/110/1/ESP_MD4" containing a single word on my server. When I pressed "Connection test" on my 3DS, it downloaded the "/1/110/1/CHECK" file successfully and then gave me the 004-2010 error. Interesting.

    UPD: Using a server located in the UK, I've been able to find out the following stuff:
    /1/110/1/CHECK, /1/110/1/ESP_MD3 and /1/110/1/ESP_MD4 give me the 404 error.
    However, I was able to download /1/110/1/ESP_MD1 and /1/110/1/ESP_MD2. I have no time to look at them today, but I will try to analyse them tomorrow.
     
  10. loco365

    Member loco365 GBAtemp Guru

    Joined:
    Sep 1, 2010
    Messages:
    5,459
    What proxy did you connect to? I want to try spoofing that as well, but I have no clue what to connect to or how to set up a DNS.
     
  11. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
    So, it seems that, as I guessed, the /1/110/1/CHECK file should return 403 if region is not supported, 404 otherwise. /1/110/1/ESP_MDi returns 403 if region is not supported, ith video otherwise (404 if there's no such video). It seems that support for only four videos is hardcoded into Nintendo Video.
    Here's a video proof that I've been able to successfully spoof NVideo server and make my Latvian 3DS play videos (there's some explanation on what's going on in annotations):
    [youtube]Tl8QYofL1tg[/youtube]
    I don't think that videos are encrypted or signed in any way, so I'll try to analyse the file format right now.

    @Team Fall: I've set up my own DNS server and my own HTTP server to do that.
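
An added example, not part of the original post and not Nintendo's code: it models the CHECK decision as the thread reports it (403 refused, 404 OK, a 200 file gives an error) beside a hardened variant that accepts only an authenticated verdict, which shows why an unauthenticated status code over plain HTTP cannot serve as an access decision. The `ALLOW`/`DENY` bodies, the nonce, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key. HMAC is a stdlib stand-in: a real design would use TLS
# with certificate validation or a public-key signature, so the device holds no secret.
DEMO_KEY = b"constructed-demo-key"
CHECK_PATH = "/1/110/1/CHECK"  # path quoted in the thread


def naive_verdict(status: int) -> str:
    """Client behaviour as reported in the thread for CHECK:
    403 -> region refused, 404 -> everything OK, anything else -> error."""
    return {403: "blocked", 404: "allowed"}.get(status, "error")


def sign_verdict(path: str, nonce: bytes, verdict: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Server side (hypothetical): tag the verdict, bound to path and client nonce."""
    msg = b"\n".join([path.encode(), nonce.hex().encode(), verdict])
    return hmac.new(key, msg, hashlib.sha256).digest()


def hardened_verdict(path, nonce, status, body, tag, key=DEMO_KEY) -> str:
    """Fail closed: only an authenticated ALLOW for our own nonce is accepted."""
    if status != 200 or tag is None or body not in (b"ALLOW", b"DENY"):
        return "error"
    if not hmac.compare_digest(sign_verdict(path, nonce, body, key), tag):
        return "error"
    return "allowed" if body == b"ALLOW" else "blocked"


def demo() -> dict:
    nonce = bytes(range(16))  # constructed; a real client would use os.urandom(16)
    other = bytes(range(16, 32))
    good_tag = sign_verdict(CHECK_PATH, nonce, b"ALLOW")
    return {
        # Bare 404 from a host that is not the real server, no tag attached.
        "naive_bare_404": naive_verdict(404),
        "hardened_bare_404": hardened_verdict(CHECK_PATH, nonce, 404, b"", None),
        # Genuine tagged answer for this request.
        "hardened_genuine": hardened_verdict(CHECK_PATH, nonce, 200, b"ALLOW", good_tag),
        # Same tag replayed for a different nonce, or with the verdict flipped.
        "hardened_replay": hardened_verdict(CHECK_PATH, other, 200, b"ALLOW", good_tag),
        "hardened_flipped": hardened_verdict(
            CHECK_PATH, nonce, 200, b"DENY", good_tag),
    }
```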
     
  12. Rayder

    Former Staff Rayder Mostly lurking lately....

    Joined:
    Jan 14, 2007
    Messages:
    6,613
    Location:
    USA
    Country:
    United States
    I don't know about the hacking stuff (I'm no hacker), but I will wish GOOD LUCK on hacking the 3DS as it's tantamount to my ever getting one.
     
  13. WiiUBricker

    Member WiiUBricker Insert Custom Title

    Joined:
    Sep 19, 2009
    Messages:
    5,827
    Location:
    Espresso
    Country:
    Argentina
    Videos downloaded from the Nintendo Video application are saved to SD card, but can only be played with the Nintendo Video application. It's not exactly a streaming service like Netflix. The videos are somewhat "cached" to SD card and they will be overwritten when new videos are available. So, if they really are not encrypted, they can be dumped right off SD card and be analysed.
     
  14. dark_day

    Newcomer dark_day Newbie

    Joined:
    Apr 21, 2007
    Messages:
    6
    Country:
    Australia
    Damn fine work there mate

    I had a suspicion you could spoof the video server DNS. This could lead to some interesting conclusions. If you're correct and the videos are not encrypted, it could possibly lead to an exploit or at least being able to upload custom videos. If it's not too much trouble, can you let us know what apps/settings you're using to set up your DNS and HTTP servers?

    Keep up the great work
     
  15. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
    I'm writing an article about Nintendo Video for the 3DBrew right now, it will contain all the data I found including domains, file structure and everything else.
     
  16. WiiUBricker

    Member WiiUBricker Insert Custom Title

    Joined:
    Sep 19, 2009
    Messages:
    5,827
    Location:
    Espresso
    Country:
    Argentina
    Since they are 3D videos, even decrypted most video players won't play them. mpo is the file format of decrypted 3D images, but what is the file format of decrypted 3D videos?
     
  17. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia
  18. loco365

    Member loco365 GBAtemp Guru

    Joined:
    Sep 1, 2010
    Messages:
    5,459
    Well, I'll have to try this soon. Living in Canada, and if it checks the IP, I could spoof it to a European country and get Nintendo Video. Maybe.

    I wonder if you can spoof shops as well using your technique.
     
  19. bailli

    Member bailli GBAtemp Regular

    Joined:
    Oct 16, 2006
    Messages:
    179
    Country:
    Germany
  20. popoffka
    OP

    Member popoffka GBAtemp Fan

    Joined:
    Jun 9, 2009
    Messages:
    341
    Location:
    Riga
    Country:
    Latvia