Thank god Nintendo didn’t use complicated cert chain. It is compressed with reverse LZ77 so lets uncompress it again.Īfter a bit of skimming I located the actual root certificate used for connection to 3ds-fushigi server. I extracted the executable code from the exefs. Now we need to get it splitted into proper partition. Lets get into the actual data using ctrtool.Įxtracted the CXI portion from the dumped CIA file. Using Decrypt9, I retrieved the decrypted CIA file. I looked up for the ID of the SSL module and extracted the cia file from nintendo update server.Īs all the update cias are encrypted, I needed to decrypt them using a 3DS. But eventually I found out that the certificates are not stored in the game file but it is embedded within the firmware SSL module.
I wasted a day trying to decompile the rom filesystem and searching for any meaningful information using grep. I guess that it might be storing the certificate chain in the game file, as far as I know Wii games store their certificates within the game file. The 3DS was communicating with Nintendo servers with SSL as I expected. I used my laptop as a bogus wifi network to capture the packets from the 3DS People had pretty much no progress after capturing the encrypted connections.įirst, I went down to the basics like everyone else Packet capture. I looked up on GBATemp and Project Pokemon but interestingly I could not find any technical insights on it. While receiving the Hoopa gift from the 18th Pokemon movie series, I suddenly felt like hacking into how this entire mystery gift process works.
0 kommentar(er)
