Hacking Save Nintendo WiFi - A project to save online servers for Wii (and DS) games

Toad King

UPDATE: We got a custom server up and running. Instructions on how to use it are at http://altwfc.net/. Also hop on IRC if you want to help or contribute at #altwfc on Rizon.


UPDATE 2
2014-10-12 : the new altwfc server IP is 104.131.93.87! Be sure to update your DNS settings!




http://save-nintendo-wifi.com/

I'm starting this project in response to the announcement of Nintendo Wi-Fi servers shutting down in May. Eventually this project hopes to have enough information so myself or other hackers have enough information to reverse engineer the Nintendo Wi-Fi servers and make emulated servers to live long after the May 20th cutoff date. What I plan to do, until the servers get shut down, is collect as many packet dumps from as many of these games as I can. That is where you can come in.

Right now we only have a little less than three months to gather data on all the games being shut down. Pure manpower is needed at this point, because a lot of games are going away and although initial analysis seems to indicate games use very similar protocols, there might be some differences between games we'll have to save and document.

If you have a capable router and one of the games being shut down, you can help. I have a guide on how to configure a DD-WRT or Tomato router on the project page, and it is possible to get packet logs from emulators as well. If someone can contribute a guide for that, that would be really helpful to get people on.

Goals right now:
* Get packets from as many games as possible before it goes down, with focus on games we don't have any information on yet.

This thread is for discussing Wii games. The thread for DS games is here: http://gbatemp.net/threads/save-nin...e-online-servers-for-ds-and-wii-games.362717/
 

Kyohack

Sorry to rain on your parade, but setting up fake servers is impossible for any game that uses the Nintendo Wi-Fi Connection. As you might've noticed, the protocol starts out by sending encrypted communications to Nintendo's servers (this is used for banning consoles, etc). SSL encryption cannot be cracked, and there is no way for you to set up a fake server if SSL is involved. You would need the SSL private cert to do this. The private cert is different from the public cert, and as the name suggests, it is indeed private. It is kept server side, and nobody has access to it, nor ever will (except for a select few Nintendo employee(s) that administer the official servers).

Since the games won't be able to reach the Nintendo Wi-Fi Connection ban servers, they will immediately halt the active connection and refuse to go to any third party game servers (even if some of those servers are unencrypted, such as the gamestats server used for the Pokemon GTS online functionality). But this is beside the point because most third party game servers are encrypted, just like the Nintendo game servers. Even if you COULD get the connection to proceed, you'd be stuck at another encrypted server.
 

Toad King

> Sorry to rain on your parade, but setting up fake servers is impossible for any game that uses the Nintendo Wi-Fi Connection. As you might've noticed, the protocol starts out by sending encrypted communications to Nintendo's ban servers. SSL encryption cannot be cracked, and there is no way for you to set up a fake server if SSL is involved. And if the games can't reach the Nintendo Wi-Fi Connection, they can't go to any third party game servers, even if some of those servers are unencrypted (such as the gamestats server used for the unencrypted Pokemon GTS server).

SSL can't easily be cracked, but it can be intercepted and is susceptible to MITM attacks. All it takes is the client trusting a rogue CA authority or not verifying the certificate. Since we know where CA authorities are stored on the Wii, it wouldn't be hard to sneak our own in there and use a MITM proxy to read the info.

This is all assuming the CA authority is even checked. It probably is on the Wii, but I'm not sure it is on the DS.
 

Kyohack

No, the games are not susceptible to rogue CAs. The public SSL certs for the Nintendo Wi-Fi Connection are hard encoded into each ROM, and will only accept connections from servers using the private SSL cert. It's not like we didn't see this coming. The private SSL cert is set to expire in 2015 anyways. If Nintendo didn't shut down the Nintendo Wi-Fi Connection now, then it would have just died on its own.

The only way to get around the SSL would be to replace the public cert that the ROMs use. Doing so would require a ROM patch, and the game would need to be run from a flash cart in order to make this possible. Yes, emulators such as Desmume do allow for some online play functionality, but this support is still in its infancy and many people have difficulties getting it to work.
 
  • Like
Reactions: Margen67

Toad King

Wii homebrew can already do patching from tools like Gecko OS and Riivolution; I don't see how hardcoded certs are an issue when we can simply replace them with our own. Sure, vanilla users won't be able to use it, but there is always going to be some setup that needs to be done for emulated servers.

Also, I just connected to Mario Kart Wii online with my internal date set to 2018, so games are probably coded to ignore expiration dates on certs. Which sounds right, because why would Nintendo put in a soft cutoff date?
 

Kyohack

Yes, since softmodding is possible with the Nintendo Wii console your proposal would have a larger potential fanbase for Wii-related game servers than for DS-related servers. And since the Wii has been so widely exploited in the past, I would reason to say that it might even be easier for you to accomplish your goal on the Wii than on the DS. Needless to say, a significant amount of protocol research would need to be performed in order to make this possible. For a very skilled individual, I suppose three months might be enough time to code support for a game or two.

Yes, it is technically possible for Nintendo to ignore the SSL expiration date for in-game functionality. I hadn't tested that myself, and just assumed that Nintendo would have coded in date checking for all games, since they should already have SSL expiration validation coded for online shop functionality, to meet PCI compliance standards for ecommerce.
 

Toad King

Right now I want to focus on grabbing as many packets from as many games as possible. While most games I've tested so far only use Nintendo servers for matchmaking and all gameplay is P2P, I still want to get all that recorded and saved before they're gone for good. Right now I'm assuming the banlist stuff is common across games (at least the two I've tried so far have a similar server they query over HTTPS at connection, which I'm guessing is that ban server you were talking about) but there still is matchmaking, friend codes, etc. for each game to handle.

If anyone wants to help with Dolphin, I have a guide up for getting captures from there now: http://save-nintendo-wifi.com/dolphin.html
 

Yepi69

> Actual rounds are entirely P2P. Nintendo servers just handle matchmaking.

That explains why Brawl is sometimes laggy; it depends on your and your opponent's connection. I fight with a Portuguese friend and we barely have any lag.
 

Toad King

> OK!
> BTW, CAN I CAPTURE PACKETS FOR SEVERAL GAMES IN ONE RUN?

Doing them in separate captures would be the way to go. Just easier to manage that way.

Also, I hope to have a guide on dumping decrypted SSL communication later. Dolphin makes it painless, but right now there are some bugs with their internet code.
 

Sliter

I'm very noob on this, but like these "fake GTS" that people create for Pokemon just by changing the DNS, shouldn't that work? I mean, creating a server and, to access it, just change the DNS in the configuration settings?

Another idea could be hacking the Wii system to work with this non-official dedicated server and all.. by hacking, could only the console friend code be "global", like on 3DS? ô3o Well, I have not much idea what I'm talking about XD
 

Toad King

> I'm very noob on this, but like these "fake GTS" that people create for Pokemon just by changing the DNS, shouldn't that work? I mean, creating a server and, to access it, just change the DNS in the configuration settings?
>
> Another idea could be hacking the Wii system to work with this non-official dedicated server and all.. by hacking, could only the console friend code be "global", like on 3DS? ô3o Well, I have not much idea what I'm talking about XD

For most of the game servers I'm seeing that should work for most games, but the issue is the Wii authenticator server, at naswii.nintendowifi.net. That is connected to over SSL so simply pointing it to a new server won't trick the Wii since it won't have a certificate signed by Nintendo's CA. However, there are ways around that with ROM hacking, including a possible workaround through an undocumented debug mode for the Wii's SSL driver. That will require hacking or patching the game though.
 
  • Like
Reactions: Margen67
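
The certificate checks argued over in this thread, as an added example (not code from the thread or from the altwfc project): a client that trusts one hard-coded CA rejects a certificate for the same hostname issued by any other CA, which is why a DNS change alone does not get past naswii.nintendowifi.net, and skipping the date check, as the Mario Kart Wii clock test suggests, leaves that pinning in place. The CA names, keys and certificates are constructed test data, and `mint` and `check` are hypothetical helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "naswii.nintendowifi.net" // authentication server name quoted in the thread

// mint builds constructed test data: a self-signed CA if parent is nil, else a one-year server cert for host.
func mint(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), DNSNames: []string{host}}
	if parent == nil { // root CA: valid ten years, no hostname, signs itself
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tpl.NotAfter, tpl.DNSNames, parent, parentKey = time.Now().AddDate(10, 0, 0), nil, tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der) // errors ignored: all inputs are fixed test values
	return cert, key
}

// check validates server against one pinned CA; ignoreExpiry models a client that skips the date check.
func check(server, pinned *x509.Certificate, now time.Time, ignoreExpiry bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	if ignoreExpiry {
		now = server.NotBefore.Add(time.Minute) // evaluate inside the validity window
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	ca, caKey := mint("Constructed Vendor CA", nil, nil)
	other, otherKey := mint("Constructed Other CA", nil, nil)
	genuine, _ := mint(host, ca, caKey)
	lookalike, _ := mint(host, other, otherKey)
	late := time.Now().AddDate(5, 0, 0) // client clock set past the server cert's NotAfter
	fmt.Println("other CA, same hostname:  ", check(lookalike, ca, time.Now(), false))
	fmt.Println("pinned CA, clock +5y:     ", check(genuine, ca, late, false))
	fmt.Println("pinned CA, expiry ignored:", check(genuine, ca, late, true))
	fmt.Println("other CA, expiry ignored: ", check(lookalike, ca, late, true))
}
```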

HNKii

> For most of the game servers I'm seeing that should work for most games, but the issue is the Wii authenticator server, at naswii.nintendowifi.net. That is connected to over SSL so simply pointing it to a new server won't trick the Wii since it won't have a certificate signed by Nintendo's CA. However, there are ways around that with ROM hacking, including a possible workaround through an undocumented debug mode for the Wii's SSL driver. That will require hacking or patching the game though.

There will be no problems since Riivolution is there to help :yaywii:
 
  • Like
Reactions: Margen67

HAARP-GE 007

Hi there, I've just joined the site after coming across your post for potential help with data gathering for your project. The only game I really play is GoldenEye 007 on the Wii, whose online play will come to an end on the 20th of May. This game still has a thriving online community and active gamers, with no realistic migration proposed to the Wii U or no later releases worthy... we kind of feel left out to hang... so, although not very technically minded, I would like to do my best to help gather any information you could use. I play the game almost daily when not working... if there is anything in particular a noob like myself could help with, if guided in the right direction I am sure I could manage it and would be happy to do so... thank you for trying to save our games
 

Toad King

> Hi there, I've just joined the site after coming across your post for potential help with data gathering for your project. The only game I really play is GoldenEye 007 on the Wii, whose online play will come to an end on the 20th of May. This game still has a thriving online community and active gamers, with no realistic migration proposed to the Wii U or no later releases worthy... we kind of feel left out to hang... so, although not very technically minded, I would like to do my best to help gather any information you could use. I play the game almost daily when not working... if there is anything in particular a noob like myself could help with, if guided in the right direction I am sure I could manage it and would be happy to do so... thank you for trying to save our games

Follow one of the guides on the site and start recording network packets from the game. Third party games like GoldenEye will take more work to reverse engineer, since they aren't using Nintendo servers outside of the verification one. Getting a couple from Dolphin so we get encrypted packets would help too.
 

Wiimm

Info and invitation:

At the German site Wii-Homebrew.com we have started the English-speaking project:

* MKW-Server Project

The goal of the project is to enable Mario Kart Wii online gaming without Nintendo's servers. I started 14 months ago to archive network traffic and to analyse the dumps. One result is an MKWii online statistic in real time. Based on this and the knowledge, we started this new forum yesterday.
 
