[Tutorial] Add custom root certs to the Wii U's browser

Discussion in 'Wii U - Tutorials' started by aplumafreak500, Apr 19, 2017.

  1. aplumafreak500
    OP

    NOTE: I am not responsible if you brick.

    Hi there. This tutorial will allow you to use custom SSL certs in the Wii U's browser. This will not need signature patches to run, but it does require them to make the modification.

    This has been tested with a 5.5.1U system with Haxchi enabled.

    1. Activate CFW or signature patches using Mocha, Haxchi, or CHBC.
    2. Go into FTPii Everywhere.
    3. On an FTP client, navigate to /storage_mlc/sys/title/00050030/10012x0a/content/browser where x is 0 for Japan, 1 for America, and 2 for Europe.
    4. Download the file rootCA.pem.
    5. Open this file in a text editor.
    6. Find some root certificates (in PEM format) to add to the file. If they aren't in PEM format, convert them using OpenSSL. Personally, I would recommend adding Fiddler's root cert, and the DST Root CA X3 root cert (which will make Let's Encrypt sites, such as GBAtemp, work with the Wii U). PEM certificates can also be obtained (in Windows) by exporting them from the "Copy to File" dialog which comes up when you view a certificate's properties.
    7. Append the desired certificates to rootCA.pem and save it.
    8. Upload it back to the Wii U.
    9. Test it by opening the browser, and visiting a site that uses your certificates. If it worked, you should not be prompted to manually allow SSL connections to hosts that use those certificates.
    I hope you found this tutorial useful! Feel free to reply with any questions!
     
    Last edited by aplumafreak500, Apr 22, 2017 at 1:44 AM
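
Steps 5 to 7 of the tutorial above (convert non-PEM certificates, then append them to rootCA.pem), as an added example that is not part of the original post. It uses Python's standard library in place of the OpenSSL conversion the post mentions; the function names are hypothetical, and the sample bytes in the demo are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def to_der_list(data: bytes) -> list[bytes]:
    """Return DER bytes for every certificate in data (PEM text or one DER blob)."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if blocks:
        return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: treat input as a single DER cert
        return [data]
    raise ValueError("input is neither PEM nor DER")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value certificate viewers display."""
    return hashlib.sha256(der).hexdigest()


def merge_into_bundle(bundle: bytes, new_certs: list[bytes]) -> tuple[bytes, list[str]]:
    """Append certs not already in the bundle; return (new bundle, added fingerprints)."""
    seen = {fingerprint(d) for d in to_der_list(bundle)} if bundle.strip() else set()
    # A bundle without a final newline would glue the next BEGIN line to the last END line.
    out = bundle if not bundle or bundle.endswith(b"\n") else bundle + b"\n"
    added = []
    for raw in new_certs:
        for der in to_der_list(raw):
            fp = fingerprint(der)
            if fp in seen:  # skip duplicates so the bundle does not grow on re-runs
                continue
            seen.add(fp)
            out += ssl.DER_cert_to_PEM_cert(der).encode("ascii")
            added.append(fp)
    return out, added


if __name__ == "__main__":
    # Constructed placeholder bytes (not real certificates) to exercise the merge.
    fake_a, fake_b = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
    bundle = ssl.DER_cert_to_PEM_cert(fake_a).encode("ascii")
    merged, added = merge_into_bundle(bundle, [fake_a, fake_b])
    print(len(to_der_list(merged)), "certificates in bundle; added:", added)
```

Keep an untouched copy of the downloaded rootCA.pem before uploading the merged file, and compare the returned fingerprints against the ones you expect: every root in this file is trusted by the browser for any site, so a proxy root such as Fiddler's lets whoever holds its private key intercept the console's TLS traffic.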
  2. THEELEMENTKH

    Sweet! But what can we do with this? :unsure:
     
  3. ShadowOne333

    Access certain websites which cannot be accessed through the normal Wii U's Browser due to new SSL certificates.
    Some examples I can think of are Starmen.net's Forums and the other being Libretro.com and all of its related links, including the buildbot.

    @aplumafreak500 do you happen to know what exactly I need to do to access those two sites specifically?
    I've been wanting to do this for a long time, and now that it's possible I am greatly interested in re-enabling access to those two sites through my Wii U Browser.

    Btw, I don't think posting links to the PEM files for the certificates is against the rules, so here:
    https://github.com/kivy/kivy-sdk-packager/blob/master/win/DST Root CA X3.pem

    That's the one for DST Root CA X3 certificate in PEM format, I am only lacking the Fiddler's one.
     
    Last edited by ShadowOne333, Apr 20, 2017
  4. aplumafreak500
    OP

    @ShadowOne333 Basically, append the desired PEM certificates to rootCA.pem as described above. Analysis of those two sites shows that they use a certificate chain with AddTrust External CA as its root. Idk if it's in the certificate store, but by following the steps above, they can be "trusted" by the Wii U browser.
     
  5. ShadowOne333

    How do you check the sites for the certificate?
    It's these two in particular:
    https://forum.starmen.net/
    https://libretro.com/

    They both throw:
    I talked to the main admins in both sites and the error started occurring right when they updated their SSL certificates as mentioned here:
    https://forum.starmen.net/forum/Fan...Wii-U-but-I-can-access-just-fine-on-my-laptop

    Btw do you have a link to Fiddler's root cert?
    I'm missing that one out of the two you mention in the OP.
     
    Last edited by ShadowOne333, Apr 22, 2017 at 2:42 AM
  6. Felek666

     
  7. aplumafreak500
    OP

    We're dealing with the Wii U's stores, not those of a PC. However, obtaining Fiddler's certificate is the same. We download the cert by going to http://10.0.0.20:8888/FiddlerRoot.cer (replace 10.0.0.20:8888 with the host name and port of your Fiddler machine). It's in DER format though so we have to make it PEM format before importing it.

    As for the error code, I assume it isn't related to the certificates, and it is instead an unsupported TLS protocol. I'll try it tonight and report back.
     
  8. aplumafreak500
    OP

    Sorry for double post. I found out that the server closes the connection due to an SSL handshake error, which occurs before the server even presents its certificate. It seems to be related to the cipher suite the browser presents, which seems to be incompatible with the remote server.

    So, this means that this particular error is unrelated to the certificates.

    TL;DR Ask the site's admins about changing its SSL cipher suite.
     
  9. ShadowOne333

    Thanks! That'll help to narrow it down for them :)
     