Spoofing Nintendo's Update Server

Discussion in 'Wii U - Hacking & Backup Loaders' started by gamax92, Dec 2, 2012.

Thread Status:
Not open for further replies.
  1. gamax92
    OP

    gamax92 Newbie

    Newcomer
    Nov 25, 2012
    United States
    I'm just wondering: technically, if you have a DNS server program and a file server, you could have the Wii U download content from your server instead of their servers.

    All of the Nintendo Servers I've seen (3DS, Wii) seem to be simple HTTP servers, so it shouldn't be too hard to set one up.

    Would there be any real use for this server spoofing, or is it just not worth it at this time?
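    An added example (not from gamax92's post and not any Nintendo tooling) of the DNS half of what the post describes: a minimal UDP DNS responder that answers A queries for one hostname with the LAN address of your own file server and returns NXDOMAIN for everything else. The hostname `update.example.test.` and the address `192.168.1.50` are placeholders, not the console's real update host; the real name has to come from a packet capture.

```python
import socket
import struct

# Hostname to hijack -> LAN address of the mirror. Both are placeholders
# (assumption for this example), not Nintendo's real hostnames.
SPOOFED = {"update.example.test.": "192.168.1.50"}


def parse_name(data, offset):
    """Decode an uncompressed DNS name at `offset`; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # compression pointer; queries don't use them
            raise ValueError("compressed names are not supported here")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1):
    """Constructed standard A query, used only to exercise answer()."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def answer(query):
    """Build the response: a spoofed A record if the name is in SPOOFED,
    otherwise NXDOMAIN so the console fails visibly instead of silently."""
    tid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    ip = SPOOFED.get(name.lower())
    if qtype == 1 and qclass == 1 and ip is not None:
        rflags = 0x8180  # response, RD+RA set, RCODE 0
        rr = (b"\xc0\x0c"  # name pointer back to the question
              + struct.pack("!HHIH", 1, 1, 30, 4)  # type A, IN, TTL 30s, 4 bytes
              + socket.inet_aton(ip))
        return struct.pack("!HHHHHH", tid, rflags, 1, 1, 0, 0) + question + rr
    rflags = 0x8183  # response, RCODE 3 = NXDOMAIN
    return struct.pack("!HHHHHH", tid, rflags, 1, 0, 0, 0) + question


def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0xF


def answered_ip(response):
    """Address from the single A record produced by answer(), or None."""
    _tid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if an == 0:
        return None
    _, end = parse_name(response, 12)
    rdata_off = end + 4 + 2 + 10  # qtype/qclass, name pointer, type/class/ttl/rdlength
    return socket.inet_ntoa(response[rdata_off:rdata_off + 4])


def serve(bind="0.0.0.0", port=53):
    """Run the responder; point the console's DNS setting at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(answer(data), peer)
        except (ValueError, IndexError):
            pass  # malformed or unsupported query; drop it


if __name__ == "__main__":
    serve()
```

    Port 53 needs root; the file-server half is just a plain HTTP server rooted at a directory that mirrors the update paths. Answering NXDOMAIN for every other name is deliberate: it keeps the console from reaching anything else through the spoofed resolver while you are testing.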
     
  2. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    Oct 27, 2002
    France
    Engine room, learning
    The connection is established first as secure.
    Then the transfer is not secure and uses only HTTP.

    start log of European WiiU update
    The eShop is secure, but the NUS server is not.

    What purpose would spoofing it serve?
    It requires encrypted/signed files, so you can't replace links with your own files, nor even with someone else's files (different signature).
    If you replace a file with another one, or with one from another region, you risk a brick (unless there's a checksum and the file is downloaded again).


    But maybe I don't see the purpose of doing it for the moment.
    I know the 3DS is doing it to bypass Video's region lock. Is there the same thing on the Wii U?
     
  3. gamax92
    OP

    gamax92 Newbie

    Newcomer
    Nov 25, 2012
    United States
    Ahh, I thought that the files on the shop were encrypted; I guess spoofing at this time won't serve any point unless it can be tricked.
     
  4. Rydian

    Rydian Resident Furvert™

    Member
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    Even if you could get the Wii U to download files from your PC instead of Nintendo's servers... what would be the use?

    You'd still need to actually make and encrypt+sign Wii U software that loads other programs and junk.
     
  5. sychotix

    sychotix Advanced Member

    Newcomer
    Jul 26, 2011
    United States
    I could possibly see there being a use of installing already signed content, as long as it isn't encrypted in the transfer as well.

    I.e., tell your 3DS to download a free app. Modify the download location to be either that of a different game in the eShop, or one you host yourself. Would the 3DS even notice the difference? Maybe.
     
  6. joka

    joka Newbie

    Newcomer
    Feb 13, 2007
    United States
    Hi, not really related, but have you tried sniffing packets in Miiverse? Particularly interested if there's any plaintext packets when viewing stuff like the activity log. Would check myself but no Wii U here so I'd appreciate it!
     
  7. SifJar

    SifJar Not a pirate

    Member
    Apr 4, 2009
    If you read the thread, you would have seen that e-shop is secure (i.e. uses HTTPS I think), but NUS is not. In other words, this could only work for updates, not e-shop content. (Unless you find a way to create a site certificate that the console would accept i.e. one signed with Nintendo's private keys).
     
  8. Supercool330

    Supercool330 GBAtemp Advanced Fan

    Member
    Sep 28, 2008
    United States
    Still, the Wii U will only install properly signed content with the proper TMD, so it isn't like you could use this to install anything differently. The only thing you could use this for is to set up a personal mirror of NUS or something.
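    An added illustration (not code from this thread, and not the real TMD or signature format) of the objection Cyan and Supercool330 raise: a spoofed mirror can only serve byte-identical files, because the content manifest is signed with a private key the console never holds and carries a hash of every content. The key below is textbook RSA over two Mersenne primes with no padding, chosen only so the example runs on the standard library and is in no way secure; the manifest layout is invented; the content blobs are constructed stand-ins.

```python
import hashlib
import json

# Toy vendor key: textbook RSA over Mersenne primes (assumption for this
# example, NOT a real or secure key). The console only ever sees (E, N).
_P = 2**127 - 1
_Q = 2**521 - 1
VENDOR_N = _P * _Q
VENDOR_E = 65537
_VENDOR_D = pow(VENDOR_E, -1, (_P - 1) * (_Q - 1))  # stays with the vendor


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int, n: int) -> int:
    """Vendor side: raw RSA signature over SHA-256(data) (no padding: toy)."""
    return pow(_digest_int(data), d, n)


def verify(data: bytes, sig: int, e: int, n: int) -> bool:
    """Console side: needs only the public (e, n)."""
    return pow(sig, e, n) == _digest_int(data)


def make_manifest(contents: dict) -> bytes:
    """Serialize {content_id: bytes} as sizes and hashes. Invented layout;
    a real TMD is a binary structure, but it carries the same information."""
    records = {cid: {"size": len(blob),
                     "sha256": hashlib.sha256(blob).hexdigest()}
               for cid, blob in contents.items()}
    return json.dumps(records, sort_keys=True).encode()


def vendor_publish(contents: dict):
    manifest = make_manifest(contents)
    return manifest, sign(manifest, _VENDOR_D, VENDOR_N)


def console_install(manifest: bytes, sig: int, downloaded: dict):
    """What the console does with whatever a (possibly spoofed) server sent:
    check the manifest signature, then each content's size and hash.
    Returns (ok, reason)."""
    if not verify(manifest, sig, VENDOR_E, VENDOR_N):
        return False, "manifest signature invalid"
    for cid, rec in json.loads(manifest).items():
        blob = downloaded.get(cid)
        if blob is None:
            return False, f"{cid}: missing"
        if len(blob) != rec["size"]:
            return False, f"{cid}: size mismatch"
        if hashlib.sha256(blob).hexdigest() != rec["sha256"]:
            return False, f"{cid}: hash mismatch"
    return True, "installed"


# Constructed sample contents standing in for update files.
GENUINE = {"00000000": b"title metadata blob", "00000001": b"genuine code image"}
MANIFEST, SIG = vendor_publish(GENUINE)


def scenario_mirror():
    """Byte-identical mirror (the LAN/USB use case): passes."""
    return console_install(MANIFEST, SIG, dict(GENUINE))


def scenario_swapped():
    """Mirror swaps in a same-size file (e.g. another region): hash fails."""
    tampered = dict(GENUINE, **{"00000001": b"REGION2 code image"})
    return console_install(MANIFEST, SIG, tampered)


def scenario_resigned():
    """Attacker builds their own manifest and signs with their own key:
    the console checks against the vendor key, so the signature fails."""
    p, q = 2**107 - 1, 2**607 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    homebrew = {"00000000": b"title metadata blob", "00000001": b"homebrew"}
    manifest = make_manifest(homebrew)
    return console_install(manifest, sign(manifest, d, n), homebrew)
```

    The three scenarios are the thread's three cases: a faithful mirror installs, a substituted file is caught by the hash in the signed manifest before anything is written (which is the "checksum" Cyan hopes for), and self-signed content never gets past the signature check. Only the private exponent `_VENDOR_D` could change that, and a spoofed server never has it.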
     
  9. FierceDeity_

    FierceDeity_ Newbie

    Newcomer
    Nov 21, 2012
    Gambia, The
    Actually it would rock for the people who have a REAL crappy internet connection. Give them a USB with the files, set up a web server, etc, so they can pull the update.
     
  10. thatmarksguy

    thatmarksguy Newbie

    Newcomer
    Dec 8, 2012
    I've been monitoring packets with wireshark on the Wii U while in Miiverse. Here is what I have so far:

    1 - All communication with Miiverse is encrypted.
    2 - It's HTTPS-based. At this point I can only assume Miiverse communicates with Nintendo through some REST API, but without decrypting the requests I can't know. I've only caught glimpses of certain IPs, URLs and headers.
    3 - I tried to do a man-in-the-middle attack. At first I noticed the Wii U was using a Diffie-Hellman key exchange, so just listening in on the handshake and requests wouldn't work.
    4 - Moved on to proxy software that performs MitM attacks by spoofing the key exchanges. I noticed the Wii started using an RSA-style handshake instead of DHE.
    5 - This would have worked, but when the Wii U communicates with the proxy, it notices that the SSL certificate issued by the proxy software cannot be verified by a Certificate Authority, so it errors out and doesn't connect to Miiverse (and I can only assume this is the case because the error number is not informative).
    6 - The Wii U connects to https://account.nintendo.net/ for logging in with your Nintendo Network account on the Wii U. The certificate authority is Nintendo itself.
    7 - We can assume that the Wii U has Nintendo installed as a trusted CA and therefore won't complain when connecting directly to them with a certificate issued by them.
    8 - At this point we start talking about spoofing the Certificate Authority, but I think this might not be possible, as we can't install trusted root CAs on the Wii U.
    9 - This is all I have so far and I'm going crazy.


    Honestly, I would like to reverse engineer Miiverse and maybe be able to write some sort of client and API. But I'm not sure how to go on from here. I would love to have some help if possible. If I can see the plain-text communication, developing an API won't be so hard.
     
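    An added example, not thatmarksguy's capture tooling, for steps 3 and 4 of the post above: a small parser for a TLS ClientHello or ServerHello record that reports the negotiated key exchange, so you can tell from a Wireshark export whether passive sniffing could ever work (static RSA key exchange, decryptable only with the server's private key) or whether an active MitM is required (DHE/ECDHE, forward secrecy), which is what then runs into the certificate check in step 5. The hello records are constructed inline for testing; the cipher-suite table is a small subset of the IANA registry.

```python
import struct

# Subset of the IANA cipher-suite registry; key exchange is read from the name.
SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def key_exchange(code):
    """'RSA', 'DHE_RSA', 'ECDHE_RSA', ... or UNKNOWN_0x.... for unlisted codes."""
    name = SUITES.get(code, f"UNKNOWN_0x{code:04X}")
    return name.split("_WITH_")[0].replace("TLS_", "")


def passive_decrypt_possible(code):
    """True only for static RSA key exchange: a passive sniffer holding the
    server's private key can unwrap the premaster secret. (EC)DHE gives
    forward secrecy, so the sniffer must go active and present its own
    certificate, which the client's trust store then rejects."""
    return key_exchange(code) == "RSA"


def parse_handshake(record):
    """Parse one TLS record carrying a ClientHello or ServerHello.
    Returns ("client", [offered codes]) or ("server", chosen code)."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    off = 2 + 32                       # protocol version + 32-byte random
    sid_len = hello[off]
    off += 1 + sid_len                 # skip session id
    if htype == 0x01:                  # ClientHello: vector of offered suites
        cs_len = struct.unpack("!H", hello[off:off + 2])[0]
        off += 2
        codes = [struct.unpack("!H", hello[off + i:off + i + 2])[0]
                 for i in range(0, cs_len, 2)]
        return "client", codes
    if htype == 0x02:                  # ServerHello: the one chosen suite
        return "server", struct.unpack("!H", hello[off:off + 2])[0]
    raise ValueError(f"unexpected handshake type {htype}")


def build_server_hello(code):
    """Constructed TLS 1.2 ServerHello record (zero random, empty session id)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", code) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_client_hello(codes):
    """Constructed TLS 1.2 ClientHello record offering `codes`, null compression."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def triage(record):
    """Summarise what a sniffer can do with this hello."""
    kind, data = parse_handshake(record)
    if kind == "server":
        return {"chosen": SUITES.get(data, f"0x{data:04X}"),
                "key_exchange": key_exchange(data),
                "passive_decrypt": passive_decrypt_possible(data)}
    return {"offered": [key_exchange(c) for c in data],
            "any_static_rsa": any(passive_decrypt_possible(c) for c in data)}
```

    Feed it the raw bytes of the ServerHello record Wireshark shows for the Miiverse connection: a DHE or ECDHE answer means no amount of passive capture will yield plaintext, and the only remaining route is the proxy approach, which fails exactly where the post says it does unless the console trusts the proxy's CA.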
  11. Kafke
    This message by Kafke has been removed from public view by FIX94, Jan 25, 2015, Reason: ....
    Jan 25, 2015
  12. Kafke
    This message by Kafke has been removed from public view by FIX94, Jan 25, 2015, Reason: ....
    Jan 25, 2015