Difference between revisions of "Nintendo Zone"
(Added some more info on version checking.) |
(The bug is present in NZone, the exploit hasn't been adapted to NZone yet.) |
||
Line 15: | Line 15: | ||
DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug. | DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug. | ||
− | + | Nintendo Zone v3.0 has the bug. The layout of the Nintendo Zone binary NetFront html tag attribute strings were significantly changed, meaning NetFront was probably updated. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. A Nintendo Zone exploit couldn't be easily used by everyone, as Linux and a compatible hostapd wireless NIC is required. An SSID, and the WEP key generated from the SSID, from a real Nintendo Zone/DS Station AP is required. | |
− | At real Nintendo Zone APs, a laptop running Linux with a wireless NIC supporting monitor mode would be needed. | + | At real Nintendo Zone APs, a laptop running Linux with a wireless NIC supporting monitor mode would be needed to use the exploit at the NZone AP location. |
This exploit would be meant more for reverse engineers. | This exploit would be meant more for reverse engineers. | ||
− | A DS Station exploit has been written by Yellows8 | + | A DS Station exploit has been written by Yellows8. The exploit is only available on Google Code wmb-asm SVN. SVN web interface is available [http://code.google.com/p/wmb-asm/source/browse/#svn/trunk/nzoneurlstacksmash here], SVN URL available [http://wmb-asm.googlecode.com/svn/trunk/nzoneurlstacksmash here.] If you want to use the exploit at home, you also need a HTTPS forwarder/proxy, like httpsforwarder available in SVN. This exploit hasn't been tested with Nintendo Zone, and this exploit hasn't been adapted to NZone yet. This exploit can only be used with html that is transferred over http. The html for the index main and sub screens is transferred over https. However, the html for the main screen for the pages after the index,(main server and third-party companies websites) is transferred with http. The sub screen html is transferred with https, with the main server. Sub screen html with third-party companies is transferred with http. |
Bootstrapping a .nds embedded in the exploit has been done somewhat successfully, but Arm7 code doesn't work 100%. Bootstrapping the Arm7 works fine when done with the embedded .nds. There seems to be zero issues with homebrew bootstrapped from a loader embedded in the exploit. When attempting to use touch screen in the embedded .nds, the Arm7 code doesn't work at all for touch screen. Most of the time, Arm7 Wifi doesn't work, it only worked once. Arm7 bootstrapping is buggy: adding only one instruction to either the arm9 or arm7 bootstubs cause a hang when the embedded .nds loader attempts to bootstrap the Arm7. When bootstrapping the Arm7 breaks with the embedded .nds loader, the Arm7 doesn't seem to be executing main() at all. Calling systemShutDown in Arm7 main doesn't shutdown the DS. NetFront limits the size of html files that can be downloaded. The max size of a LZSS compressed .nds embedded in the exploit is between 121.7KB - 129.9KB. | Bootstrapping a .nds embedded in the exploit has been done somewhat successfully, but Arm7 code doesn't work 100%. Bootstrapping the Arm7 works fine when done with the embedded .nds. There seems to be zero issues with homebrew bootstrapped from a loader embedded in the exploit. When attempting to use touch screen in the embedded .nds, the Arm7 code doesn't work at all for touch screen. Most of the time, Arm7 Wifi doesn't work, it only worked once. Arm7 bootstrapping is buggy: adding only one instruction to either the arm9 or arm7 bootstubs cause a hang when the embedded .nds loader attempts to bootstrap the Arm7. When bootstrapping the Arm7 breaks with the embedded .nds loader, the Arm7 doesn't seem to be executing main() at all. Calling systemShutDown in Arm7 main doesn't shutdown the DS. NetFront limits the size of html files that can be downloaded. The max size of a LZSS compressed .nds embedded in the exploit is between 121.7KB - 129.9KB. |
Revision as of 01:15, 1 July 2010
Nintendo Zone is the successor of DS Download Station, the latest revision in the Nintendo Spot series. The predecessor of Nintendo Zone in this series is DS Station, and the first revision in this series is Nintendo Spot. Although Nintendo Zone is the latest revision in the series, most game stores still use DS Station. This series downloads DS demos from an Internet server, rather than from a local DS host. Nintendo Zone locations have additional company-specific content. Companies can use this for information about the store/location, coupons with McDonalds, mini-games, etc. Technical details available here. Nintendo Zone is only available in Japan, at Nintendo World Store in New York City, and a few McDonalds test locations in Germany. The test Germany locations are only available for a limited time, see the URL.
Client usage
Unlike DS Station, the Nintendo Zone client is rigged to only connect to an AP with a certain Broadcom tag. In other words, the client is rigged to only work with a certain router. When the AP has the correct SSID, WEP key, and Broadcom tag, the client attempts to connect to the AP.(WEP key is generated from the SSID, Nintendo software can automatically connect to these APs without any configuration.) When the DSi is in range of a Nintendo Zone AP, sysmenu will display a message that you're in range of a Nintendo Zone AP. The hidden DSi Nintendo Zone client will then appear in the menu. The client is basically a NetFront browser rigged to only work with certain APs, and with the capability of booting RSA-1024 signed NDS software downloaded with https. DS Station seems to only support Nintendo's custom NTFA file format for graphics. Nintendo Spot supports other formats, one of the formats is GIF. Nintendo Zone supports NTFA and GIF.
Versions
Version 3.0 of the DSi Nintendo Zone client was released with the February 9, 2010 update. Version 3.0 of the Japanese client was released on January 8, 2010. It is unknown what has changed since the initial version, v2.0. DSi Nintendo Zone checks for a newer Nintendo Zone client version with the server somehow, the client won't let you use the service without updating. The user agent used by Nintendo Zone v3.0 is "NintendoZoneViewer/1.1". It's unknown if the version check is done client-side by downloading a file, or by the server checking the user agent.(There are no direct URLs for checking the version in the client.)
Exploits
DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug. Nintendo Zone v3.0 has the bug. The layout of the Nintendo Zone binary NetFront html tag attribute strings were significantly changed, meaning NetFront was probably updated. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. A Nintendo Zone exploit couldn't be easily used by everyone, as Linux and a compatible hostapd wireless NIC is required. An SSID, and the WEP key generated from the SSID, from a real Nintendo Zone/DS Station AP is required. At real Nintendo Zone APs, a laptop running Linux with a wireless NIC supporting monitor mode would be needed to use the exploit at the NZone AP location. This exploit would be meant more for reverse engineers.
A DS Station exploit has been written by Yellows8. The exploit is only available on Google Code wmb-asm SVN. SVN web interface is available here, SVN URL available here. If you want to use the exploit at home, you also need a HTTPS forwarder/proxy, like httpsforwarder available in SVN. This exploit hasn't been tested with Nintendo Zone, and this exploit hasn't been adapted to NZone yet. This exploit can only be used with html that is transferred over http. The html for the index main and sub screens is transferred over https. However, the html for the main screen for the pages after the index,(main server and third-party companies websites) is transferred with http. The sub screen html is transferred with https, with the main server. Sub screen html with third-party companies is transferred with http.
Bootstrapping a .nds embedded in the exploit has been done somewhat successfully, but Arm7 code doesn't work 100%. Bootstrapping the Arm7 works fine when done with the embedded .nds. There seems to be zero issues with homebrew bootstrapped from a loader embedded in the exploit. When attempting to use touch screen in the embedded .nds, the Arm7 code doesn't work at all for touch screen. Most of the time, Arm7 Wifi doesn't work, it only worked once. Arm7 bootstrapping is buggy: adding only one instruction to either the arm9 or arm7 bootstubs cause a hang when the embedded .nds loader attempts to bootstrap the Arm7. When bootstrapping the Arm7 breaks with the embedded .nds loader, the Arm7 doesn't seem to be executing main() at all. Calling systemShutDown in Arm7 main doesn't shutdown the DS. NetFront limits the size of html files that can be downloaded. The max size of a LZSS compressed .nds embedded in the exploit is between 121.7KB - 129.9KB.