Hacking Nintendo Video analysis

popoffka

Well-Known Member
OP
Member
Joined
Jun 9, 2009
Messages
341
Trophies
0
Location
Riga
Website
popoffka.ru
XP
426
Country
Hi everybody.
I'm currently trying to analyse the way 3DS communicates with Nintendo Video servers, and there seems to be some plain HTTP communication there, so it's possible that we might alter it.
The problem is that I'm from Latvia and Nintendo Video is not available here, so I can't see everything.
Because of that, I'm asking for your help, Temp. Is there anybody here who has a 3DS (preferably european one), a device to capture packets over WiFi (e.g. a rooted Android phone) and a desire to waste a few minutes trying to help me? Also, it would be very good if you don't have anything against removing Nintendo Video from your 3DS and then installing it again, so that I can see the first connection (when it checks your location). If you need any help capturing packets, I'll provide it.
 

markvn

Well-Known Member
Member
Joined
Mar 14, 2009
Messages
209
Trophies
0
Website
homebrewds.websitemaker.nl
XP
286
Country
Netherlands
popoffka said:
Hi everybody.
I'm currently trying to analyse the way 3DS communicates with Nintendo Video servers, and there seems to be some plain HTTP communication there, so it's possible that we might alter it.
The problem is that I'm from Latvia and Nintendo Video is not available here, so I can't see everything.
Because of that, I'm asking for your help, Temp. Is there anybody here who has a 3DS (preferably european one), a device to capture packets over WiFi (e.g. a rooted Android phone) and a desire to waste a few minutes trying to help me? Also, it would be very good if you don't have anything against removing Nintendo Video from your 3DS and then installing it again, so that I can see the first connection (when it checks your location). If you need any help capturing packets, I'll provide it.

Well, your country is not a problem

Just go to Settings->Profile, and change your country to a country where Nintendo Video is available.
You can choose The Netherlands, UK or Germany, and then get all content available in that country.
The only thing you have to do is start Nintendo Video after changing your country.
Some pop-ups will come, just say 'yes' and 'agree' to all of them

This should fix your problem
 

popoffka

My region is already set to UK, but it doesn't help. I guess that Nintendo Video uses my IP address to determine the location, not the profile settings.
 

markvn

popoffka said:
My region is already set to UK, but it doesn't help. I guess that Nintendo Video uses my IP address to determine the location, not the profile settings.
Awh, that sucks

Have you tried deleting it and downloading it from the UK shop again?
Or do you always have UK set as your country?
 

popoffka

I've always had UK set as my country, so my Nintendo Video has already been downloaded from the UK shop.
I'm currently trying to analyse network packets sent from 3DS to the Nintendo Video and vice-versa. I might also try to use a proxy to access Video.
 

dark_day

Member
Newcomer
Joined
Apr 21, 2007
Messages
6
Trophies
0
Age
32
Website
Visit site
XP
133
Country
This actually sounds like a somewhat interesting idea... let us know how it goes. Maybe I could set up a temp circumventor style proxy for you to borrow (aus). Though I'm not sure if any 3d vids are available in AUS anymore. Didn't nity retract the demo vid with the new FW update?


After thinking about it some more, why not attempt a full-blown MITM attack? Can you poison the DNS somehow, or set one up locally? If so then we can try to set up a local nty vid server. Might be an interesting idea if no one's tried it.
 

popoffka

This really depends on whether the connection is fully encrypted or not.
The most likely scenario is that it's fully encrypted, however, I saw some plaintext connections to pubeu-p.est.c.app.nintendowifi.net in my logs.
 

popoffka

Here's what I was able to achieve with some DNS spoofing:
eac42de1d848ce93f6393779d5b826b5.jpg

(I just happened to have a printed Latvian flag near me :3)
This didn't actually allow me to download any videos, though, but I'll keep on trying.

Here's the list of files the 3DS tried to download from pubeup-p.est.c.app.nintendowifi.net over plain HTTP (i.e. without any encryption):
Code:
GET /1/110/1/ESP_MD1 HTTP/1.1
GET /1/110/1/ESP_MD2 HTTP/1.1
GET /1/110/1/ESP_MD3 HTTP/1.1
GET /1/110/1/ESP_MD4 HTTP/1.1
GET /1/110/1/CHECK HTTP/1.1
The server gives me a 403 error when I try to download these files, and I guess that this 403 means that my region isn't allowed to use Video (I've checked it with a sniffer: 3DS only makes requests to these files, gets 403 answer and then tells me my country isn't allowed). However, I redirected all requests for pubeup-p.est.c.app.nintendowifi.net to another server, which gave 404 errors, and then the 3DS said everything's OK.

UPD: I've tried creating text files named "/1/110/1/CHECK", "/1/110/1/ESP_MD1", "/1/110/1/ESP_MD2", "/1/110/1/ESP_MD3", "/1/110/1/ESP_MD4" containing a single word on my server. When I pressed "Connection test" on my 3DS, it downloaded the "/1/110/1/CHECK" file successfully and then gave me the 004-2010 error. Interesting.

UPD: Using a server located in the UK, I've been able to find out the following stuff:
/1/110/1/CHECK, /1/110/1/ESP_MD3 and /1/110/1/ESP_MD4 give me the 404 error.
However, I was able to download /1/110/1/ESP_MD1 and /1/110/1/ESP_MD2. I have no time to look at them today, but I will try to analyse them tomorrow.
 

loco365

Well-Known Member
Member
Joined
Sep 1, 2010
Messages
5,457
Trophies
0
XP
2,927
popoffka said:
Here's what I was able to achieve with some DNS spoofing:
eac42de1d848ce93f6393779d5b826b5.jpg

(I just happened to have a printed Latvian flag near me :3)
This didn't actually allow me to download any videos, though, but I'll keep on trying.

Here's the list of files the 3DS tried to download from pubeup-p.est.c.app.nintendowifi.net over plain HTTP (i.e. without any encryption):
Code:
GET /1/110/1/ESP_MD1 HTTP/1.1
GET /1/110/1/ESP_MD2 HTTP/1.1
GET /1/110/1/ESP_MD3 HTTP/1.1
GET /1/110/1/ESP_MD4 HTTP/1.1
GET /1/110/1/CHECK HTTP/1.1
The server gives me a 403 error when I try to download these files, and I guess that this 403 means that my region isn't allowed to use Video (I've checked it with a sniffer: 3DS only makes requests to these files, gets 403 answer and then tells me my country isn't allowed). However, I redirected all requests for pubeup-p.est.c.app.nintendowifi.net to another server, which gave 404 errors, and then the 3DS said everything's OK.

UPD: I've tried creating text files named "/1/110/1/CHECK", "/1/110/1/ESP_MD1", "/1/110/1/ESP_MD2", "/1/110/1/ESP_MD3", "/1/110/1/ESP_MD4" containing a single word on my server. When I pressed "Connection test" on my 3DS, it downloaded the "/1/110/1/CHECK" file successfully and then gave me the 004-2010 error. Interesting.

UPD: Using a server located in the UK, I've been able to find out the following stuff:
/1/110/1/CHECK, /1/110/1/ESP_MD3 and /1/110/1/ESP_MD4 give me the 404 error.
However, I was able to download /1/110/1/ESP_MD1 and /1/110/1/ESP_MD2. I have no time to look at them today, but I will try to analyse them tomorrow.
What proxy did you connect to? I want to try spoofing that as well, but I have no clue what to connect to or how to set up a DNS.
 

popoffka

So, it seems that, as I guessed, the /1/110/1/CHECK file should return 403 if the region is not supported, 404 otherwise. /1/110/1/ESP_MDi returns 403 if the region is not supported, the i-th video otherwise (404 if there's no such video). It seems that support for only four videos is hardcoded into Nintendo Video.
Here's a video proof that I've been able to successfully spoof the NVideo server and make my Latvian 3DS play videos (there's some explanation on what's going on in annotations):
[youtube]Tl8QYofL1tg[/youtube]
I don't think that videos are encrypted or signed in any way, so I'll try to analyse the file format right now.

@Team Fall: I've set up my own DNS server and my own HTTP server to do that.
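
Added example (not part of the original posts): a small Python reader for a plain-HTTP capture of this exchange that applies the status-code meanings inferred in the thread. The function names and the sample captures are constructed for illustration, and it assumes that a CHECK file that "downloaded successfully" was served with status 200.

```python
import re

# Request paths reported in the thread: CHECK plus four video slots.
REQ = re.compile(r"^GET /1/110/1/(CHECK|ESP_MD[1-4]) HTTP/1\.1$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})\b")

def pair_exchanges(lines):
    """Pair each GET line with the next status line; return {name: status}."""
    seen, pending = {}, None
    for line in lines:
        line = line.strip()
        req = REQ.match(line)
        if req:
            pending = req.group(1)
            continue
        status = STATUS.match(line)
        if status and pending:
            seen[pending] = int(status.group(1))
            pending = None
    return seen

def interpret(seen):
    """Apply the semantics inferred in the thread to one capture."""
    check = seen.get("CHECK")
    if check == 403:
        return {"state": "region_blocked", "videos": []}
    if check == 200:
        # Assumption: a CHECK file served with a body is what led to 004-2010.
        return {"state": "client_error_004-2010", "videos": []}
    if check == 404:
        videos = sorted(int(name[-1]) for name, code in seen.items()
                        if name.startswith("ESP_MD") and code == 200)
        return {"state": "region_ok", "videos": videos}
    return {"state": "unknown", "videos": []}

def sample(statuses):
    """Build a constructed capture: request line followed by status line."""
    lines = []
    for name, code in statuses.items():
        lines += [f"GET /1/110/1/{name} HTTP/1.1", f"HTTP/1.1 {code} -"]
    return lines

# Constructed captures matching the two situations described in the thread.
BLOCKED = sample({"ESP_MD1": 403, "ESP_MD2": 403, "ESP_MD3": 403,
                  "ESP_MD4": 403, "CHECK": 403})
UK = sample({"ESP_MD1": 200, "ESP_MD2": 200, "ESP_MD3": 404,
             "ESP_MD4": 404, "CHECK": 404})

if __name__ == "__main__":
    print(interpret(pair_exchanges(BLOCKED)))
    print(interpret(pair_exchanges(UK)))
```

Every input to this decision is an unauthenticated HTTP status code, which is why whichever server answers for the hostname determines what the console concludes.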
 

Rayder

Mostly lurking lately....
Former Staff
Joined
Jan 14, 2007
Messages
6,607
Trophies
2
Location
USA
XP
647
Country
United States
I don't know about the hacking stuff (I'm no hacker), but I will wish GOOD LUCK on hacking the 3DS as it's tantamount to my ever getting one.
 

WiiUBricker

News Police
Banned
Joined
Sep 19, 2009
Messages
7,827
Trophies
0
Location
Espresso
XP
7,485
Country
Argentina
Videos downloaded from the Nintendo Video application are saved to SD card, but can only be played with the Nintendo Video application. It's not exactly a streaming service like Netflix. The videos are somewhat "cached" to SD card and they will be overwritten when new videos are available. So, if they really are not encrypted, they can be dumped right off SD card and be analysed.
 

dark_day

Damn fine work there mate


I had a suspicion you could spoof the video server DNS. This could lead to some interesting conclusions. If you're correct and the videos are not encrypted, it could possibly lead to an exploit or at least being able to upload custom videos. If it's not too much trouble, can you let us know what apps/settings you're using to set up your DNS and HTTP servers?

Keep up the great work
 

popoffka

WiiBricker said:
Videos downloaded from the Nintendo Video application are saved to SD card, but can only be played with the Nintendo Video application. It's not exactly a streaming service like Netflix. The videos are somewhat "cached" to SD card and they will be overwritten when new videos are available. So, if they really are not encrypted, they can be dumped right off SD card and be analysed.
I've already been able to "dump" the videos by downloading them from the Nintendo's server. However, I'll now take a look at my SD card's contents and report if I find anything.


QUOTE(dark_day @ Jul 18 2011, 10:17 AM) Damn fine work there mate


I had a suspicion you could spoof the video server DNS. This could lead to some interesting conclusions. If you're correct and the videos are not encrypted, it could possibly lead to an exploit or at least being able to upload custom videos. If it's not too much trouble, can you let us know what apps/settings you're using to set up your DNS and HTTP servers?

Keep up the great work
I'm writing an article about Nintendo Video for the 3DBrew right now, it will contain all the data I found including domains, file structure and everything else.
 

WiiUBricker

Since they are 3D videos, even decrypted most video players won't play them. mpo is the file format of decrypted 3D images, but what is the file format of decrypted 3D videos?
 

loco365

Well, I'll have to try this soon. Living in Canada, and if it checks the IP, I could spoof it to a European country and get Nintendo Video. Maybe.

I wonder if you can spoof shops as well using your technique.
 
