Hacking Spoofing Nintendo's Update Server

Status
Not open for further replies.

gamax92 (OP)
I'm just wondering, technically if you have a dns server program and a file server, you could have the Wii U Download content from your server instead of their servers.

All of the Nintendo Servers I've seen (3DS, Wii) seem to be simple HTTP servers, so it shouldn't be too hard to set one up.

Would there be any real usage of this server spoofing or is it just not worth it at this time.
 

Cyan (Former Staff)
The connection is established first as secure.
Then the transfer is not secure and uses only HTTP.

[01/12/2012 12:39:20] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000C
[01/12/2012 12:39:16] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/00000006
[01/12/2012 12:39:13] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000B
[01/12/2012 12:39:10] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000A
[01/12/2012 12:39:06] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000C.h3
[01/12/2012 12:39:03] ccs.wup.shop.nintendo.net:443
[01/12/2012 12:38:59] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000100/00000001
[01/12/2012 12:38:56] ccs.wup.shop.nintendo.net:443
[01/12/2012 12:38:41] ias.wup.shop.nintendo.net:443
[01/12/2012 12:38:38] ecs.wup.shop.nintendo.net:443
[01/12/2012 12:38:32] nus.wup.shop.nintendo.net:443
[01/12/2012 12:38:00] conntest.nintendowifi.net/
The eshop is secure, but the NUS server is not.

Spoofing it would have which purpose?
It requires encrypted/signed files, so you can't replace links with your own files, and not even with someone else's files (different signature).
If you replace a file with another one, or with one from another region, you risk a brick (unless there's a checksum and the file is downloaded again).


But maybe I don't see the purpose of doing it for the moment.
I know the 3DS is doing it to bypass the Video region lock. Is there the same thing on the Wii U?
 

gamax92 (OP)
Ahh, I thought that the files on the shop were encrypted. I guess spoofing won't serve any point at this moment unless it can be tricked.
 

sychotix
I could possibly see there being a use of installing already signed content, as long as it isn't encrypted in the transfer as well.

I.e. tell your 3DS to download a free app. Modify the download location to be either that of a different game in the eshop, or one you host yourself. Would the 3DS even notice the difference? Maybe.
 

joka
> Cyan said: The connection is established first as secure. Then the transfer is not secure and uses only HTTP. [...] The eshop is secure, but the NUS server is not.

Hi, not really related, but have you tried sniffing packets in Miiverse? Particularly interested if there's any plaintext packets when viewing stuff like the activity log. Would check myself but no Wii U here so I'd appreciate it!
 

SifJar
> sychotix said: I could possibly see there being a use of installing already signed content, as long as it isn't encrypted in the transfer as well.
>
> I.e. tell your 3DS to download a free app. Modify the download location to be either that of a different game in the eshop, or one you host yourself. Would the 3DS even notice the difference? Maybe.

If you read the thread, you would have seen that the e-shop is secure (i.e. uses HTTPS, I think), but NUS is not. In other words, this could only work for updates, not e-shop content. (Unless you find a way to create a site certificate that the console would accept, i.e. one signed with Nintendo's private keys.)
 

Supercool330
Still, the Wii U will only install properly signed content with the proper TMD, so it isn't like you could use this to install anything differently. The only thing you could use this for is to set up a personal mirror of NUS or something.
 

FierceDeity_
Actually it would rock for the people who have a REAL crappy internet connection. Give them a USB with the files, set up a web server, etc, so they can pull the update.
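Putting Cyan's capture and the "personal mirror" idea from Supercool330 and FierceDeity_ together: the log shows the pattern of TLS handshakes to the shop/account hosts on port 443 followed by plain HTTP fetches from the CDN, with content addressed as `/ccs/download/<title ID>/<content ID>` plus `.h3` hash files. Below is an added example (mine, not from the thread or from Nintendo) that parses that log format, separates the hosts reached over TLS from the ones reached in the clear, and derives the directory layout a LAN mirror would have to serve. The log text is the one posted above; the default port of 80 for path-only lines, and the assumption that `.h3` files belong to the content ID they are named after, are mine. The TMD that Supercool330 mentions does not appear in the posted log, so the layout built here is incomplete by design.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Log lines as posted in the thread; format is "[date time] host[:port][/path]".
LOG = """\
[01/12/2012 12:39:20] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000C
[01/12/2012 12:39:16] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/00000006
[01/12/2012 12:39:13] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000B
[01/12/2012 12:39:10] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000A
[01/12/2012 12:39:06] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000200/0000000C.h3
[01/12/2012 12:39:03] ccs.wup.shop.nintendo.net:443
[01/12/2012 12:38:59] nus.cdn.wup.shop.nintendo.net/ccs/download/0005001010000100/00000001
[01/12/2012 12:38:56] ccs.wup.shop.nintendo.net:443
[01/12/2012 12:38:41] ias.wup.shop.nintendo.net:443
[01/12/2012 12:38:38] ecs.wup.shop.nintendo.net:443
[01/12/2012 12:38:32] nus.wup.shop.nintendo.net:443
[01/12/2012 12:38:00] conntest.nintendowifi.net/
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$"
)
# NUS content path: 16 hex digits of title ID, 8 hex digits of content ID, optional .h3 hash file.
CCS_RE = re.compile(
    r"^/ccs/download/(?P<title>[0-9A-Fa-f]{16})/(?P<content>[0-9A-Fa-f]{8})(?P<h3>\.h3)?$"
)


@dataclass
class Entry:
    ts: str
    host: str
    port: int          # assumption: a line with no explicit port is plain HTTP on 80
    path: str
    title_id: Optional[str] = None
    content_id: Optional[str] = None
    is_h3: bool = False

    @property
    def plaintext(self) -> bool:
        return self.port != 443


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("ts"), m.group("host"), int(m.group("port") or 80), m.group("path") or "/")
    c = CCS_RE.match(entry.path)
    if c:
        entry.title_id = c.group("title").upper()
        entry.content_id = c.group("content").upper()
        entry.is_h3 = bool(c.group("h3"))
    return entry


def parse_log(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def hosts_by_transport(entries: list) -> dict:
    """Hosts reached over TLS (port 443) versus hosts reached over plain HTTP."""
    tls, plain = set(), set()
    for e in entries:
        (plain if e.plaintext else tls).add(e.host)
    return {"tls": sorted(tls), "plaintext": sorted(plain)}


def mirror_layout(entries: list):
    """Relative paths a local HTTP mirror must serve, grouped by title ID.

    Also reports .h3 hash files whose content file was never fetched, so the
    mirror operator can see which pieces a capture-driven mirror is missing.
    """
    files = defaultdict(set)
    for e in entries:
        if e.title_id:
            files[e.title_id].add(e.content_id + (".h3" if e.is_h3 else ""))
    orphans = sorted(
        f"{title}/{name}"
        for title, names in files.items()
        for name in names
        if name.endswith(".h3") and name[:-3] not in names
    )
    return {t: sorted(ns) for t, ns in sorted(files.items())}, orphans


if __name__ == "__main__":
    entries = parse_log(LOG)
    print(hosts_by_transport(entries))
    layout, orphans = mirror_layout(entries)
    for title, names in layout.items():
        for name in names:
            print(f"ccs/download/{title}/{name}")
    print("h3 files without content:", orphans)
```

Serving the printed paths from a plain HTTP server and pointing the console's DNS at it is the whole "mirror" idea; as Cyan and Supercool330 note, the files still have to be the genuine signed/encrypted ones, since the console will verify them against the TMD regardless of where they came from.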
 

thatmarksguy
> joka said: Hi, not really related, but have you tried sniffing packets in Miiverse? Particularly interested if there's any plaintext packets when viewing stuff like the activity log. Would check myself but no Wii U here so I'd appreciate it!

I've been monitoring packets with wireshark on the Wii U while in Miiverse. Here is what I have so far:

1 - All communication with Miiverse is encrypted.
2 - It's HTTPS based. At this point I can only assume Miiverse communicates with Nintendo through some REST API, but without decrypting the requests I can't know. Only caught glimpses at certain IPs, URLs and headers.
3 - I tried to do a man-in-the-middle attack. At first I noticed the Wii U was using a Diffie-Hellman key exchange, so just listening in on the handshake and requests wouldn't work.
4 - Moved on to proxy software that performs MitM attacks by spoofing the key exchanges. I noticed the Wii started using an RSA-style handshake instead of DHE.
5 - This would have worked, but when the Wii U communicates with the proxy, it notices that the SSL certificate issued by the proxy software cannot be verified by a Certificate Authority, so it errors out and doesn't connect to Miiverse (and I can only assume this is the case because the error number is not informative).
6 - The Wii U connects to https://account.nintendo.net/ for logging in your Nintendo Network account on the Wii U. The certificate authority is Nintendo itself.
7 - We can assume that the Wii U has Nintendo installed as a trusted CA and therefore won't complain when connecting directly to them with a certificate issued by them.
8 - At this point we start talking about spoofing the Certificate Authority, but I think this might not be possible as we can't install trusted root CAs on the Wii U.
9 - This is all I have so far and I'm going crazy.


Honestly I would like to reverse engineer Miiverse and maybe be able to write some sort of client and API. But I'm not sure how to go on from here. I would love to have some help if possible. If I can see the plaintext communication, developing an API won't be so hard.
 