[Tutorial][Advanced] Homepassing with password protected AP (i.e. Windows hostednetwork)

Arkansaw

WARNING: for advanced users only

This is applicable for users who need/want to homepass with a password-protected AP on the latest firmware, for whatever reasons.

1. Extract the system title 000400DB00010502 from emunand (via rxtools + some decryptor)
2. Extract the hotspot.conf file from romfs - this is of the same nature as the slotXkey file, so no copies will be shared here
3. Look up the relevant entry on 3dsbrew to figure out what to do with the above
4. Fill in the blank:

Code:
netsh wlan set hostednetwork mode=allow ssid=ConsoleNintendo3DS key=26________________________47

No further support will be provided after this point. If you can complete step 2, you are pretty much home free and can pride yourself on being a sufficiently "advanced" user :lol:

Special thanks:
motezazer, cearp (for pointers)
Apache Thunder (for inspiration)
Roxas and others whose tools made things a lot easier, as otherwise I wouldn't have bothered
 

shadyninja94

After everything is said and done, how would someone go about implementing these security key(s) into their Homepass setup?

Examples (sort of)

- Windows hostednetwork only ???

- Router + (Any Listed SSID Inside 'hotspot.conf') + (Any Listed Security Key Inside 'hotspot.conf')

- Router + (Specific Listed SSID Inside 'hotspot.conf') + (Its Corresponding Listed Security Key Inside 'hotspot.conf')

Any help at all with this matter would be greatly appreciated. THX!
 

Ryccardo

^ Funny, someone from (the downloads site) just asked me how I dumped the passwords last night...


Hi I was able to obtain the hotspot.conf file from 000400DB00010502.cia but I was wondering what did you use to read it since it is encoded. Did you use yellows8's hotspotconf-tool or something else?

I used 2 Perl programs.

One is from 3dbrew https://www.3dbrew.org/wiki/Talk:Nintendo_Zone and prints SSIDs and everything you see on yls8.mtheall.com;

after using it, you count lines from the bottom to find the network you're interested in, then take the base64-encoded key from hotspot.conf and paste it in the 2nd line (between apostrophes) of this de-base64 program:

use MIME::Base64;
$encoded = 'YML3jC3xUcKXLgfBllZU9JSeKYqBzmJw2AcW-AVpJOsA';
printf "%s", decode_base64($encoded);

You will need to redirect the output to a file (b64.pl > key), then open it in a hex editor to get the encryption key in hex form.
Not all access points/software support manually entering prehashed hex keys, beware!
 

Filo97

I still can't understand how to extract hotspot.conf; also, I do not find anything for Windows on 3dbrew.
 

Ryccardo

The same way you would extract any other CIA: copy it to your SD into a "D9Game" folder, use the Decrypt9WIP homebrew, choosing the last option then "CIA decryption - full", when it's done copy the CIA back to the computer, rename it to a single word, and extract it with Asia81's PackHack!

The Perl program is at the end of that page. It's multiplatform, don't be fooled by /usr/bin/perl at the start
 

Filo97

I can't find the Perl program. If it is the command, then how do I convert it to Windows?
 

Ryccardo

It's even highlighted on that page...

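#!/usr/bin/perl
# Decode the base64 fields of each hotspot entry and print the result.
use strict;
use MIME::Base64 qw( decode_base64 );
open INFILE,$ARGV[0] or die;
my @res;
while (<INFILE>) {
    # Hotspot entries are the lines ending in ",<digit>,<digit>"
    if ($_ =~ /.*,\d,\d$/) {
        @res = split(',',$_);
        # Map the file's substitute characters back to standard base64
        $res[3] =~ s/\./+/gs;
        $res[3] =~ s/-/\//gs;
        $res[3] =~ s/\*/=/gs;
        $res[3] = decode_base64($res[3]);
        # Convert the decoded bytes to uppercase hex
        $res[3] =~ s/(.)/sprintf("%02X",ord($1))/egs;
        # Fields 3 and 5 are then blanked, so they are not printed
        $res[3] = "";
        $res[5] = "";
        # The first three fields are base64 as well; the rest are printed as-is
        printf "%s,%s,%s,%s", decode_base64(shift(@res)),decode_base64(shift(@res)),decode_base64(shift(@res)),join(',',@res);
    } else {
        # Every other line is passed through unchanged
        print $_;
    }
}
close INFILE;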


copy and paste to a file, of course!

then: perl whatever.pl hotspots.conf
 

Filo97

Can't you explain the process step by step? (Sorry if I keep asking, but I'm new to homepass and can't afford an Android to mod.)
 

Filo97

And maybe in a PM (and in Italian, since it does seem that we are both Italian).
 

CreativeMan

WARNING: for advanced users only

4. Fill in the blank:

Code:
netsh wlan set hostednetwork mode=allow ssid=ConsoleNintendo3DS key=26________________________47

For that particular example, why have you stripped the two 00 after 47? I still haven't tried to use WPA/WEP Nzone, but do we need to strip the last 00's at the end of each key that has them?
 

Arkansaw

Last edited by Arkansaw,

John_Kirky

Hi guys!

This is giving me a very hard time...

Decrypted the title, got the romFS, get the hotspot.conf.

Parsed the hotspot.conf with the Perl script: looks exactly like the one on yellows8's website (so the decryption was successful).
Used the small Perl script to decode the key into a bin file. Seemed to work as well...

But here the trouble begins:
The bin is exactly 30Bytes long. As I understand it, it should contain the preshared/prehashed key. But that has to be 32Bytes long (256Bit, 64 digits)

I tried my dd-wrt router (a Netgear 602 using micro build) and the windows hosted network using
1) the 30Byte key
2) the 30Byte key padded with 0000 at the end
3) the 30Byte key padded with 0000 at the beginning

Windows hosted network (using the netsh from above) tells me it changed the passphrase?!? Even when entering the padded 64 digits...

3ds always says it couldn't connect to the NZone.

Any ideas where I went wrong???? BTW I am using the hotspot.conf from 11.2.35-E

Regards,

Kirky
 

John_Kirky

Never mind... figured it out myself.

Your Perl-Script for decoding the hexkey is faulty. Only works for some keys.
With just a slight modification I was able to get all keys.

Regards,
Kirky
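
Added example, not part of the thread and not Kirky's modification (which he did not post): one plausible cause of a short key, assuming the key field uses the same '.', '-' and '*' substitutions that the longer script undoes before decoding, while the short de-base64 script calls decode_base64 directly. The 32-byte key is constructed for illustration, and decode_field and key_kind are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example: why a plain decode_base64() call can return a short key.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed 32-byte key (NOT a real hotspot key), chosen so that its
# standard base64 form contains '+', '/' and '=' padding.
my $key = "\xfb\xff\xbf" . ("\x11" x 29);

# Re-create the field with the substitutions the longer script reverses:
# '.' in place of '+', '-' in place of '/', '*' in place of '='.
(my $field = encode_base64($key, '')) =~ tr{+/=}{.\-*};

# Decode one key field. With $translate false this mirrors the short
# script: the text goes to decode_base64 unchanged.
sub decode_field {
    my ($text, $translate) = @_;
    $text =~ tr{.\-*}{+/=} if $translate;
    # decode_base64 silently skips characters outside the standard
    # alphabet, so untranslated '.', '-' and '*' simply vanish and the
    # remaining 6-bit groups shift, giving fewer (and wrong) bytes.
    return decode_base64($text);
}

# Map a decoded length to the raw key type it could be.
sub key_kind {
    my ($len) = @_;
    return 'WEP-40 key'               if $len == 5;
    return 'WEP-104 key'              if $len == 13;
    return 'WPA/WPA2 256-bit PSK'     if $len == 32;
    return 'not a valid raw key length';
}

for my $translate (0, 1) {
    my $raw = decode_field($field, $translate);
    printf "%-12s %2d bytes  %-27s %s\n",
        $translate ? 'translated' : 'untranslated',
        length $raw, key_kind(length $raw),
        $raw eq $key ? 'matches original' : 'corrupted';
}
```

Checking the decoded length against the expected key sizes before configuring an access point catches this failure early; zero-padding a short result, as tried above, cannot repair bytes that were decoded from shifted bit groups.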
 

John_Kirky

And this is what it looks like when you are really into it :-)

Regards,

Kirky
 

Attachment: Unbenannt.JPG

John_Kirky

@k7ra: Wrote it myself :-) It has got a database containing all SSID and the password, 3700 original MAC addresses from real Nzones worldwide. If I click one, it sends telnet commands to my dd-wrt access point and changes the SSID, password and MAC (and shows me on Google Maps where the Nintendo Zone is located :-). It can also cycle the MACs.
If you use an original SSID Password and MAC you get the streetpasses from that NZone. The original Streetpasses from the people walking into that store.

If I set it on cycle I get 100 passes every hour...

Regards,
Kirky
 

k7ra

Wow! Cool, any chance you share it with us? :)
Would like to use it too, because where I live no one has a 3DS or is interested in it :(
 