friends-server(nasc) #47

Closed
ThauEx opened this issue Jan 6, 2017 · 21 comments

ThauEx commented Jan 6, 2017

Hi,
is it possible to use this to change the friends-server requests to a different server? I want to access it and read the friend list data.
If so, what do I have to do?

Owner

yellows8 commented Jan 6, 2017

Yes, see README, configdoc.xml, and web/config.php.

Author

ThauEx commented Jan 6, 2017

Okay,
I modified the user_config.xml

and added:

    <targeturl>
        <name>nasc</name>
        <caps>AddRequestHeader AddPostDataAscii</caps>
        <url>https://nasc.nintendowifi.net/ac</url>
        <new_url>https://my-server.tld/ac</new_url>
    </targeturl>

My server is using https, should I use http for that or how can I add a working root CA (I think that's the issue atm). My cert is issued by Let's Encrypt.

Owner

yellows8 commented Jan 6, 2017

That's the same rootCA used by yls8.mtheall.com so HTTPS should work fine for that.

Author

ThauEx commented Jan 6, 2017

Thanks. It worked via http.
Are most of the values of the request encrypted? Can I decrypt them somehow?
I'm trying now to make the request to the nin server by myself with php+curl, does the request require some special ssl version configuration?

Owner

yellows8 commented Jan 6, 2017

Besides HTTPS, no (unless you meant base64, which is not encryption).

"I'm trying now to make the request to the nin server by myself with php+curl, does the request require some special ssl version configuration?" <- Client-cert is (probably) required.

Author

ThauEx commented Jan 6, 2017

Ah, I have not noticed the base64.
This means, I have to add something like you have done here:
https://github.com/yellows8/ctr-httpwn/blob/master/web/NetUpdateSOAP.php#L54-L62

How can I get the certificate for that?

Owner

yellows8 commented Jan 6, 2017

I'm not sure if there's any public tool(s) for easily obtaining it.

Author

ThauEx commented Jan 6, 2017

Are these files stored on my 3ds somewhere?

Owner

yellows8 commented Jan 6, 2017

https://www.3dbrew.org/wiki/ClCertA And this was in my browser-history apparently: https://github.com/SciresM/ccrypt

Author

ThauEx commented Jan 6, 2017

Thank you very much. I will try this out, when everything works I will close this issue.

Author

ThauEx commented Jan 7, 2017

I dumped the encrypted cert files and compiled ccrypt, but I think the way of executing it is not working anymore. How would I run this on 11.2 with a9lh?

Owner

yellows8 commented Jan 7, 2017

dunno

Author

ThauEx commented Jan 7, 2017

Okay, got it working by downgrading the emunand on my spare o3ds.
Now I have the files, but it is still not working:

    * Hostname was NOT found in DNS cache
    *   Trying 69.25.139.139...
    * Connected to nasc.nintendowifi.net (69.25.139.139) port 443 (#0)
    * unable to use client certificate (no key found or wrong pass phrase?)
    * Closing connection 0

sha256sum:

    80cc4c111e1366c8e006af8642cb2d286642dc55e0c48de704d6c4e965880be6  ctr-common-1-cert.dec
    29919052fdd278e4e78dc16a2b976c1d37b9292f6a0fa93780b9645e461f544c  ctr-common-1-key.dec

These are the curl opts of my script:

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $hdrs);
    curl_setopt($ch, CURLOPT_POST, count($fields));
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fieldsString);
    curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
    curl_setopt($ch, CURLOPT_SSLCERT, 'ctr-common-1-cert.dec');
    curl_setopt($ch, CURLOPT_SSLKEY, 'ctr-common-1-key.dec');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

I tried setting SSLCERTTYPE to DER, because https://www.3dbrew.org/wiki/ClCertA says it is in DER format, but it seems like this is wrong.

    * Hostname was NOT found in DNS cache
    *   Trying 69.25.139.139...
    * Connected to nasc.nintendowifi.net (69.25.139.139) port 443 (#0)
    * unable to set private key file: 'ctr-common-1-key.dec' type PEM
    * Closing connection 0

Owner

yellows8 commented Jan 7, 2017

No, convert to PEM.

@Plailect
Contributor

@ThauEx see either this (PEM) or this (PFX)

Author

ThauEx commented Jan 10, 2017

Thanks, I already converted them to pem and I'm able to get a login token. Now I have to figure out, how to use this token to get the friend list data.

Author

ThauEx commented Apr 4, 2017

Hello again,
sorry for leaving this open that long...
I finally had time to work on this again.
Like I wrote above, my goal is to get the data of the friend list. AFAIK this data is coming from the nasc server. With your previous help, I was able to record the data which was sent to the login server. The request POST data was something like this:

    "gameid": "MDAxMkRDMDA*",
    "sdkver": "MDAwMDAw",
    "titleid": "MDAwNDAwMDAwMDE3QTQwMA**",
    "gamecd": "QkZXUA**",
    "gamever": "RkZGRg**",
    "mediatype": "MQ**",
    "makercd": "MDA*",
    "unitcd": "Mg**",
    "macadr": "#####",
    "bssid": "#####",
    "apinfo": "#####",
    "fcdcert": "#####",
    "devname": "VABoAGEAdQA*",
    "servertype": "TDE*",
    "fpdver": "MDAwOA**",
    "devtime": "MTcwMTA4MTg1NDU1",
    "lang": "MDM*",
    "region": "MDI*",
    "csnum": "WUVNMTAxNjQ0Njk*",
    "uidhmac": "YWFiMWVjNTc*",
    "userid": "MTM5NzI3ODcz",
    "action": "TE9HSU4*",
    "ingamesn": "",

And response:

    "locator":"NTIuMTk2LjI1My4xMjg6NDAwMDA*",
    "retry":"MA**",
    "returncd":"MDAx",
    "token":"#####",
    "datetime=MjAxNzA0MDQxNzExNDM*",

Where do I have to use this token, and can I use it to get the data of my friend list? If so, where?

If I should ask somewhere else, please tell me. Then I would close this issue.

Thank you very much
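
The field values in the post above are base64 with `*` in place of `=` padding, so they can be read without any key. The following is an added example, not code from this thread or from ctr-httpwn, that decodes a subset of those posted values; the `.`/`-` alphabet mapping and the UTF-16LE handling of `devname` are assumptions.

```python
import base64

# '*' standing in for '=' padding is visible in the values posted above.
# ASSUMPTION: '.' and '-' stand in for '+' and '/'; no sample value uses them.
_TO_STD = str.maketrans({"*": "=", ".": "+", "-": "/"})

# Values copied from the request/response in the post above (subset).
SAMPLE = {
    "gameid": "MDAxMkRDMDA*",
    "gamecd": "QkZXUA**",
    "macadr": "#####",      # redacted by the poster
    "devname": "VABoAGEAdQA*",
    "servertype": "TDE*",
    "action": "TE9HSU4*",
    "ingamesn": "",
    "locator": "NTIuMTk2LjI1My4xMjg6NDAwMDA*",
    "returncd": "MDAx",
}

def nasc_b64decode(value: str) -> bytes:
    """Decode one value; raises binascii.Error on characters outside the alphabet."""
    return base64.b64decode(value.translate(_TO_STD), validate=True)

def decode_fields(fields, utf16_keys=("devname",)):
    """Return {name: text or None}; None marks empty or '#'-redacted values."""
    decoded = {}
    for name, value in fields.items():
        if not value or set(value) == {"#"}:
            decoded[name] = None
            continue
        raw = nasc_b64decode(value)
        # ASSUMPTION: devname is UTF-16LE (its bytes alternate with 0x00);
        # every other sampled field decodes as ASCII.
        codec = "utf-16-le" if name in utf16_keys else "ascii"
        decoded[name] = raw.decode(codec)
    return decoded

if __name__ == "__main__":
    for name, text in decode_fields(SAMPLE).items():
        print(f"{name:10} {text!r}")
```
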

Owner

yellows8 commented Apr 4, 2017

dunno

Author

ThauEx commented Apr 5, 2017

Hm... okay.
I have not figured out how to see all HTTP requests of the 3ds (including request and response), because of https. I installed mitm proxy on my computer and converted the root CA to DER format and used it with ctr-httpwn. But it looks like it's not being accepted. I got errors when I tried to open friendlist or eshop. Is there a known way to see these requests? Then I could figure out the friendlist stuff by myself...

Owner

yellows8 commented Apr 5, 2017

NIM rootCA has nothing to do with this. ctr-httpwn doesn't support adding your own rootCA for friends. You could use the new_url config option with plain http, but then the original URI would be missing.

Author

ThauEx commented Apr 5, 2017

I already did this with:

    <targeturl>
        <name>nasc</name>
        <caps>AddRequestHeader AddPostDataAscii</caps>
        <url>https://nasc.nintendowifi.net/ac</url>
        <new_url>https://my-server.tld/ac</new_url>
    </targeturl>

This is how I figured out the login process, but I don't know which URLs will be used next. That's why I tried to use the mitm proxy.

ThauEx closed this as completed May 30, 2017