[Tutorial][Advanced] Homepassing with password protected AP (i.e. Windows hostednetwork)

Discussion in '3DS - Tutorials' started by Arkansaw, Apr 30, 2015.

  1. Arkansaw
    OP

    Member Arkansaw GBAtemp Advanced Fan

    Joined:
    Jul 23, 2005
    Messages:
    993
    Country:
    East Timor
    WARNING: for advanced users only

    This is applicable for users who need/want to homepass with a password-protected AP on the latest firmware, for whatever reasons.

    1. Extract the system title 000400DB00010502 from emunand (via rxtools + some decryptor)
    2. Extract the hotspot.conf file from romfs - this is of the same nature as the slotXkey file, so no copies will be shared here
    3. Look up the relevant entry on 3dsbrew to figure out what to do with the above
    4. Fill in the blank:

    Code:
    netsh wlan set hostednetwork mode=allow ssid=ConsoleNintendo3DS key=26________________________47
    No further support will be provided after this point. If you can complete step 2, you are pretty much home free and can pride yourself on being a sufficiently "advanced" user :lol:

    Special thanks:
    motezazer, cearp (for pointers)
    Apache Thunder (for inspiration)
    Roxas and others whose tools made things a lot easier, as otherwise I wouldn't have bothered
     
    Queno138, cearp, suloku and 1 other person like this.
  2. shadyninja94

    Newcomer shadyninja94 Newbie

    Joined:
    Nov 24, 2015
    Messages:
    3
    Country:
    United States
    After everything is said and done, how would someone go about implementing these security key(s) into their Homepass setup.



    Examples (sort of)

    - Windows hostednetwork only???

    - Router + (Any Listed SSID Inside 'hotspot.conf') + (Any Listed Security Key Inside 'hotspot.conf')

    - Router + (Specific Listed SSID Inside 'hotspot.conf') + (Its Corresponding Listed Security Key Inside 'hotspot.conf')




    Any help at all with this matter would be greatly appreciated. THX!
     
  3. Filo97

    Member Filo97 A Nintendo REALLY big hacking fan

    Joined:
    Oct 8, 2015
    Messages:
    3,478
    Location:
    an ancient videogame...
    Country:
    Italy
    How do I open and fill in the blank hotspot.conf?


    can you at least link the 3dbrew page?
     
  4. Ryccardo

    Member Ryccardo WiiUaboo

    Joined:
    Feb 13, 2015
    Messages:
    2,056
    Location:
    Imola
    Country:
    Italy
    ^ Funny, someone from (the downloads site) just asked me how I dumped the passwords last night...


    I used 2 Perl programs.

    One is from 3dbrew https://www.3dbrew.org/wiki/Talk:Nintendo_Zone and prints SSIDs and everything you see on yls8.mtheall.com;

    after using it, you count lines from the bottom to find the network you're interested in, then take the base64-encoded key from hotspot.conf and paste it in the 2nd line (between apostrophes) of this de-base64 program:

    use MIME::Base64;
    # paste the base64-encoded key from hotspot.conf between the apostrophes
    $encoded = 'YML3jC3xUcKXLgfBllZU9JSeKYqBzmJw2AcW-AVpJOsA';
    # raw decoded bytes go to stdout, so redirect them to a file
    printf "%s", decode_base64($encoded);

    You will need to redirect the output to a file (b64.pl > key), then open it in a hex editor to get the encryption key in hex form.
    Not all access points/softwares support manually entering prehashed hex keys, beware!
     
  5. Filo97

    Member Filo97 A Nintendo REALLY big hacking fan

    Joined:
    Oct 8, 2015
    Messages:
    3,478
    Location:
    an ancient videogame...
    Country:
    Italy
    I still can't understand how to extract hotspot.conf; also, I do not find anything for Windows on 3dbrew.
     
  6. Ryccardo

    Member Ryccardo WiiUaboo

    Joined:
    Feb 13, 2015
    Messages:
    2,056
    Location:
    Imola
    Country:
    Italy
    The same way you would extract any other CIA: copy it to your SD into a "D9Game" folder, use the Decrypt9WIP homebrew, choosing the last option then "CIA decryption - full", when it's done copy the CIA back to the computer, rename it to a single word, and extract it with Asia81's PackHack!

    The Perl program is at the end of that page. It's multiplatform, don't be fooled by /usr/bin/perl at the start
     
  7. Filo97

    Member Filo97 A Nintendo REALLY big hacking fan

    Joined:
    Oct 8, 2015
    Messages:
    3,478
    Location:
    an ancient videogame...
    Country:
    Italy
    I can't find the Perl program. If it is the command, then how do I convert it to Windows?
     
  8. Ryccardo

    Member Ryccardo WiiUaboo

    Joined:
    Feb 13, 2015
    Messages:
    2,056
    Location:
    Imola
    Country:
    Italy
    It's even highlighted on that page...

    #!/usr/bin/perl
    use strict;
    use MIME::Base64 qw( decode_base64 );

    # usage: perl whatever.pl hotspot.conf
    open INFILE, $ARGV[0] or die "cannot open $ARGV[0]: $!";
    my @res;
    while (<INFILE>) {
        # entry lines end in ",<digit>,<digit>"; anything else is passed through unchanged
        if ($_ =~ /.*,\d,\d$/) {
            @res = split(',', $_);
            # field 3 (the key) uses a modified base64 alphabet: '.' -> '+', '-' -> '/', '*' -> '='
            $res[3] =~ s/\./+/gs;
            $res[3] =~ s/-/\//gs;
            $res[3] =~ s/\*/=/gs;
            $res[3] = decode_base64($res[3]);
            $res[3] =~ s/(.)/sprintf("%02X",ord($1))/egs;   # key bytes as uppercase hex
            # the key and field 5 are blanked before printing, so the listing shows SSIDs without keys
            $res[3] = "";
            $res[5] = "";
            # fields 0-2 are plain base64 strings (SSID etc.); the remaining fields are printed as-is
            printf "%s,%s,%s,%s", decode_base64(shift(@res)), decode_base64(shift(@res)), decode_base64(shift(@res)), join(',', @res);
        } else {
            print $_;
        }
    }
    close INFILE;


    copy and paste to a file, of course!

    then: perl whatever.pl hotspots.conf
     
  9. Filo97

    Member Filo97 A Nintendo REALLY big hacking fan

    Joined:
    Oct 8, 2015
    Messages:
    3,478
    Location:
    an ancient videogame...
    Country:
    Italy
    Can't you explain the process step by step? (Sorry if I keep asking, but I'm new to homepass and can't afford an Android to mod.)
     
  10. Filo97

    Member Filo97 A Nintendo REALLY big hacking fan

    Joined:
    Oct 8, 2015
    Messages:
    3,478
    Location:
    an ancient videogame...
    Country:
    Italy
    And maybe in a PM (and in Italian, since it does seem that we are both Italian).
     
  11. CreativeMan

    Member CreativeMan GBAtemp Regular

    Joined:
    Apr 26, 2009
    Messages:
    134
    Country:
    Monaco
    For that particular example, why have you stripped the two 00 after 47? I still haven't tried to use a WPA/WEP NZone, but do we need to strip the last 00s at the end of each key that has them?
     
  12. Arkansaw
    OP

    Member Arkansaw GBAtemp Advanced Fan

    Joined:
    Jul 23, 2005
    Messages:
    993
    Country:
    East Timor
    Last edited by Arkansaw, Feb 27, 2016
  13. John_Kirky

    Newcomer John_Kirky Member

    Joined:
    Jan 12, 2017
    Messages:
    39
    Country:
    Germany
    Hi guys!

    This is giving me a very hard time...

    Decrypted the title, got the romFS, get the hotspot.conf.

    Parsed the hotspot.conf with the Perlscript: Looks exactly like the one on yellow8s website (So the decryption was successful)
    Used the small Perlscript to decode the key into a bin file. Seemed to work as well..

    But here the trouble begins:
    The bin is exactly 30 bytes long. As I understand it, it should contain the preshared/prehashed key. But that has to be 32 bytes long (256 bit, 64 digits).

    I tried my dd-wrt router (a Netgear 602 using micro build) and the Windows hosted network using
    1) the 30-byte key
    2) the 30-byte key padded with 0000 at the end
    3) the 30-byte key padded with 0000 at the beginning

    Windows hosted network (using the netsh from above) tells me it changed the passphrase?!? even when entering the padded 64 digits...

    3ds always says it couldn't connect to the NZone.

    Any ideas where I went wrong???? BTW I am using the hotspot.conf from 11.2.35-E

    Regards,

    Kirky
     
  14. John_Kirky

    Newcomer John_Kirky Member

    Joined:
    Jan 12, 2017
    Messages:
    39
    Country:
    Germany
    Never mind... figured it out myself.

    Your Perl script for decoding the hex key is faulty. It only works for some keys.
    With just a slight modification I was able to get all keys.

    Regards,
    Kirky
     
    Ryccardo likes this.
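    A likely reason for the length problem Kirky describes, judging from the substitutions the longer 3dbrew script performs and the two-line decoder omits, is the key field's alphabet: hotspot.conf writes '.' for '+', '-' for '/' and '*' for '=', and a standard base64 decoder silently discards characters it does not recognise, so only keys that happen to contain none of them come out at full length. The Python below is an added example, not code from this thread or from 3dbrew. It decodes constructed sample fields (not real Nintendo Zone keys) both ways so the length difference is visible, and renders a correct 32-byte PSK as the 64 hex digits Kirky's post describes. The `naive_decode` helper is my reconstruction of MIME::Base64's lenient behaviour, not the Perl module itself.

```python
import base64
import re

# Substitutions the 3dbrew Perl script applies before decoding the key field
# of hotspot.conf: '.' -> '+', '-' -> '/', '*' -> '='.
_TO_STD = str.maketrans(".-*", "+/=")
_TO_HOTSPOT = str.maketrans("+/=", ".-*")


def encode_hotspot_key(psk: bytes) -> str:
    """Inverse of the substitution; used here only to build sample fields."""
    return base64.b64encode(psk).decode("ascii").translate(_TO_HOTSPOT)


def decode_hotspot_key(encoded: str) -> bytes:
    """Translate the alphabet first, then decode strictly: any character that
    is still outside the base64 alphabet raises binascii.Error instead of
    being silently dropped."""
    return base64.b64decode(encoded.translate(_TO_STD), validate=True)


def naive_decode(encoded: str) -> bytes:
    """Reconstruction (an assumption, not the Perl module itself) of what
    feeding the raw field to MIME::Base64::decode_base64 does: characters
    outside the standard alphabet, including '.', '-' and '*', are discarded
    and whatever remains is decoded, so the result is shorter than the key."""
    kept = re.sub(r"[^A-Za-z0-9+/]", "", encoded)
    if len(kept) % 4 == 1:  # a lone trailing sextet holds no whole byte
        kept = kept[:-1]
    kept += "=" * (-len(kept) % 4)
    return base64.b64decode(kept)


def psk_to_hex(psk: bytes) -> str:
    """Render a decoded PSK as the 64 hex digits a 32-byte key needs, refusing
    short input so a truncated decode is caught here rather than at the AP."""
    if len(psk) != 32:
        raise ValueError(f"expected a 32-byte PSK, got {len(psk)} bytes")
    return psk.hex().upper()


# Constructed sample keys, not values from any real hotspot.conf.
PSK_PLAIN = bytes(32)  # encodes without any substituted character
# Chosen so the base64 form is mostly '+' and '/', i.e. '.' and '-' in the file.
PSK_SUBST = b"\xfb\xef\xbe" * 5 + b"\xff\xff\xff" * 5 + b"\x00\x00"


def compare(psk: bytes) -> dict:
    """Decode one constructed field both ways and report the lengths."""
    field = encode_hotspot_key(psk)
    strict = decode_hotspot_key(field)
    naive = naive_decode(field)
    return {
        "field": field,
        "strict_len": len(strict),
        "strict_ok": strict == psk,
        "naive_len": len(naive),
    }


if __name__ == "__main__":
    for name, psk in (("plain", PSK_PLAIN), ("substituted", PSK_SUBST)):
        result = compare(psk)
        print(name, result)
        print("  hex form:", psk_to_hex(decode_hotspot_key(result["field"])))
```

    The all-zero key decodes to 32 bytes either way because its encoded form contains no substituted character; the second key decodes to only 2 bytes through the lenient path, which is the same failure mode as a 30-byte .bin, just exaggerated so it cannot be missed. Decoding with `validate=True` is the defensive choice: a field that still contains a foreign character after translation raises instead of quietly producing a short key.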
  15. hirakujira

    Newcomer hirakujira Member

    Joined:
    Sep 15, 2016
    Messages:
    12
    Country:
    Taiwan
    --Deleted--
     
    Last edited by hirakujira, Feb 22, 2017
  16. John_Kirky

    Newcomer John_Kirky Member

    Joined:
    Jan 12, 2017
    Messages:
    39
    Country:
    Germany
    And this is what it looks like when you are really into it :-)

    Regards,

    Kirky
     
  17. k7ra

    Member k7ra GBAtemp Regular

    Joined:
    Dec 11, 2016
    Messages:
    160
    Country:
    United Kingdom
    Where to get that program?
     
  18. John_Kirky

    Newcomer John_Kirky Member

    Joined:
    Jan 12, 2017
    Messages:
    39
    Country:
    Germany
    @k7ra: Wrote it myself :-) It has got a database containing all SSIDs and passwords, 3700 original MAC addresses from real NZones worldwide. If I click one it sends telnet commands to my dd-wrt access point and changes the SSID, password and MAC (and shows me on Google Maps where the Nintendo Zone is located :-). It can also cycle the MACs.
    If you use an original SSID Password and MAC you get the streetpasses from that NZone. The original Streetpasses from the people walking into that store.

    If I set it on cycle I get 100 passes every hour...

    Regards,
    Kirky
     
  19. k7ra

    Member k7ra GBAtemp Regular

    Joined:
    Dec 11, 2016
    Messages:
    160
    Country:
    United Kingdom
    Wow! Cool, any chance you share it with us? :)
    Would like to use it too, because where I'm living no one has a 3DS or is interested in it :(
     