Difference between revisions of "Nintendo Zone"

From DSiBrew
Nintendo Zone is the successor of DS Download Station and the latest revision in the Nintendo Spot series. Its predecessor in this series is DS Station, and the first revision was Nintendo Spot. Although Nintendo Zone is the latest revision in the series, most game stores still use DS Station; JP stores are, however, starting to switch to NZone. This series downloads DS demos from an Internet server rather than from a local DS host. Technical info on NSpot/DS Station is available [http://code.google.com/p/wmb-asm/wiki/NintendoSpot here]. Nintendo Zone locations have additional company-specific content: companies can use it for information about the store/location, coupons at JP McDonalds won by quizzes, prizes, mini-games, etc.

Nintendo Zone is available in Japan. The Nintendo World Store in New York City used to have NZone, but it no longer has NZone or even DS Download Station. A few McDonalds test locations in [http://translate.google.com/translate?langpair=de|en&u=http%3A%2F%2Fnintendo.de%2FNOE%2Fde_DE%2Fnews%2Fevents%2Fpilotprojekt_-_nintendo_zone_bei_mcdonalds_18254.html Germany] used to have NZone. That test service ended, but the EUR server is still online. Several USA Best Buy locations started an NZone test service in June 2009, see [http://gonintendo.com/viewstory.php?id=84077 this]. That test service ended, so NZone is non-existent in the USA since no test services exist there. NZone pictures [http://gonintendo.com/viewstory.php?id=84247 here]. EUR NZone screenshots [http://translate.google.com/translate?langpair=de|en&u=http%3A%2F%2Fwww.bisafans.de%2Flexikon%2F069.shtml here] and [http://translate.google.com/translate?langpair=de|en&u=http%3A%2F%2Fwww.filb.de%2F1376 here]. Old USA NYC screenshots [http://www.nintendo.com/bin/w3I-XYyMEgk1VUUqyo5k-P4eQc_mlXDU/mcHH5cHLGbg5AJQIa_x2nLkBLEUlFmEJ.pdf here]. Japan screenshots: [http://translate.google.com/translate?langpair=ja|en&u=http%3A%2F%2Fwww.nintendo.co.jp%2Fds%2Fnintendozone%2Fhowto_dsi.html here] and [http://translate.google.com/translate?langpair=ja|en&u=http%3A%2F%2Fwww.driveplaza.com%2Fds%2Fhowto.html here].

Nintendo filed a patent describing the NSpot/DS Station AP system. The system is old, yet it was not patented until 2010.

NZone and DS Station usually have the same demos as the Wii Nintendo Channel. However, certain retailers with NZone sometimes have exclusive content (exclusive to that NZone location) and demos (available at all NZone locations) that are not available anywhere else. Eventually these exclusive demos are released on NinCh.

[[File:2010-08-08-203240.jpg|200px|thumb|right|Sysmenu displays this when NZone is detected for the first time.]]
[[File:2010-08-09-002721.jpg|200px|thumb|right|NZone icon flashing in sysmenu when sysmenu detects NZone again after the initial detection.]]
[[File:2010-08-09-133249.jpg|200px|thumb|right|NZone loading content from the server.]]
[[File:100_7456.JPG|200px|thumb|right|Hidden settings app menu for updating NZone.]]
 
== Client usage ==

Unlike DS Station, the Nintendo Zone client is rigged to only connect to a certain AP when a special beacon with an encrypted payload is in range. When the AP has the correct SSID and WEP key (WEP isn't always used), the client attempts to connect to it. The AP SSID and the WEP key, if any, are contained in the encrypted payload of the special beacon.

When the DSi is in range of the special beacon with the encrypted payload for the first time, sysmenu displays a message that you're in range of a Nintendo Zone. When you press the "Start" button, sysmenu boots NZone. The hidden DSi Nintendo Zone client then appears in the [http://www.mcdonalds.co.jp/ds/how_to_play/ menu]; see also the images to the right. After the initial NZone detection the client icon always stays in the menu; it is never removed. When NZone is detected a second time in sysmenu, the icon and the icon on the strip (which you can touch with the stylus to select app icons) start flashing, and a sound plays constantly while in range of NZone. If sysmenu doesn't detect another NZone beacon for 10 seconds, the flashing and sound stop. NZone is not region-locked; the server region is determined by the special beacon.

The client is basically a NetFront browser rigged to only work with certain APs, with the capability of booting RSA-1024 signed (same as the WMB sign system) NDS software downloaded over https. DS Station seems to only support Nintendo's custom [http://code.google.com/p/wmb-asm/wiki/NTFA NTFA] file format for graphics. Nintendo Spot supports other formats, one of which is GIF. Nintendo Zone supports NTFA, GIF, and PNG.

The DSi NZone client, via the memo menu, can take pictures with the DSi cameras and save them to the camera album. You can also draw and save the drawing to the camera album, and take screenshots of either screen at any time (except when loading pages; sometimes the memo menu is disabled by third-party sites) and save them to NZone savedata. Screenshots can be viewed later via the memo menu, regardless of whether NZone beacons are in range. The NZone WFC usage notes state: "Photos, drawings or any other kind of images that you post via the Nintendo Zone can be viewed and downloaded by other users, and may be made public via Nintendo Zone or the internet. These photos, drawings or other kinds of image may then be copied, edited and/or posted by others." The rest is just "your images may be seen by a large number of people, don't post offensive material or copyrighted etc."

=== Beacon payload format ===

The NZone beacon payload is encrypted with an XOR pad; it is not the trivial sequential XOR code. The XOR pad is generated from an 8-byte key: the first 4 bytes are "!SDW" (possibly a reference to [http://en.wikipedia.org/wiki/Wireless_Distribution_System WDS]?), and the last 4 bytes are the last 4 bytes of the beacon BSSID MAC. Nintendo Spot uses the same special beacon encryption; its cleartext differs slightly from NZone's in the unknown fields.

The NZone beacon code is contained in the TWL SDK, arm9 side. The DSi Opera web browser automatically connects to NZone APs, as does all official DSi software. NZone has an option to install a wifi config entry for the NZone AP, for old NTR SDK games run from cards.

The TWL SDK scans for beacons with the Nintendo tag (0xDD) with payload size 0x70. When one is found, it decrypts the payload and verifies the checksum; when that is valid, NZone is detected.

The table below gives the format of the cleartext data.

{| class="wikitable" border="1"
|-
!  OFFSET
!  SIZE
!  DESCRIPTION
|-
|  0x00
|  32
|  AP SSID.
|-
| 0x20
| 10
| Authentication parameter, required for connecting to the server. The server uses this to determine which third-party content to link to on the index page. The first ASCII digit in this parameter is the region, which is also used to determine which server to connect to. Regions: 0) JP 1) USA 2/3) EUR 4) KOR 5) China
|-
| 0x2a
| 2
| This u16 was always one in all dumps; unknown what it is. Not used by the client.
|-
| 0x2c
| 24
| Some retailer ID string that includes the country, e.g. "McDonalds Japan". Unknown what this is for, but it is not used by the client.
|-
| 0x44
| 32
| WEP key, if any.
|-
| 0x64
| 1
| Unknown, not used by the client.
|-
| 0x65
| 1
| WEP type: 0) Open 1) WEP-64 2) WEP-128 3) WEP-152
|-
| 0x66
| 1
| Unknown flags, always three in all dumps. Bits 0 and 1 don't seem to be used by the client. The client does use bit 2, but testing with bit 2 set didn't reveal what it is for.
|-
| 0x67
| 5
| Padding.
|-
| 0x6c
| 2
| Unknown, was always 0x428 in all dumps. Not used by the client.
|-
| 0x6e
| 2
| CRC16 over the whole payload excluding the checksum field, initial value 0.
|}
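As an added example (not code from the DSiBrew page or the TWL SDK), the following parses one decrypted 0x70-byte cleartext payload according to the table above and verifies its CRC16. The XOR-pad generation is not documented, so the parser works on already-decrypted data; the little-endian field order and the CRC polynomial (reflected 0x8005, i.e. CRC-16/ARC with init 0) are assumptions.

```python
"""Parser for the decrypted (cleartext) NZone beacon payload.

Layout and CRC placement follow the DSiBrew table. ASSUMPTIONS (not on the
page): u16 fields are little-endian, and the CRC16 is the reflected-0x8005
variant (CRC-16/ARC, init 0), which matches "initval is 0".
"""
import struct

PAYLOAD_LEN = 0x70          # TWL SDK only considers tag 0xDD payloads of this size
CRC_OFFSET = 0x6E           # CRC16 covers everything before this offset
REGIONS = {"0": "JP", "1": "USA", "2": "EUR", "3": "EUR", "4": "KOR", "5": "China"}
WEP_TYPES = {0: "Open", 1: "WEP-64", 2: "WEP-128", 3: "WEP-152"}


def derive_key(bssid: bytes) -> bytes:
    """8-byte XOR-pad key as described on the page: "!SDW" + last 4 BSSID bytes.
    Only the key material is known; how the pad is expanded from it is not."""
    if len(bssid) != 6:
        raise ValueError("BSSID must be 6 bytes")
    return b"!SDW" + bssid[2:]


def crc16(data: bytes, init: int = 0) -> int:
    """Bitwise CRC-16, reflected polynomial 0xA001 (assumed variant)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_beacon(cleartext: bytes) -> dict:
    """Parse one cleartext payload; crc_ok mirrors the SDK's checksum gate."""
    if len(cleartext) != PAYLOAD_LEN:
        raise ValueError(f"expected {PAYLOAD_LEN:#x} bytes, got {len(cleartext):#x}")
    auth = _cstr(cleartext[0x20:0x2A])
    wep_type = cleartext[0x65]
    stored_crc = struct.unpack_from("<H", cleartext, CRC_OFFSET)[0]
    return {
        "ssid": _cstr(cleartext[0x00:0x20]),
        "auth_param": auth,
        "region": REGIONS.get(auth[:1], "unknown"),   # first ASCII digit selects the server
        "unk_2a": struct.unpack_from("<H", cleartext, 0x2A)[0],
        "retailer": _cstr(cleartext[0x2C:0x44]),
        "wep_key": _cstr(cleartext[0x44:0x64]),
        "wep_type": WEP_TYPES.get(wep_type, f"unknown({wep_type})"),
        "flags": cleartext[0x66],
        "unk_6c": struct.unpack_from("<H", cleartext, 0x6C)[0],
        "crc_ok": crc16(cleartext[:CRC_OFFSET]) == stored_crc,
    }


def build_payload(ssid: str, auth: str, retailer: str, wep_key: str, wep_type: int) -> bytes:
    """Construct a well-formed cleartext payload (constructed test data, not a capture)."""
    body = bytearray(PAYLOAD_LEN)
    body[0x00:0x00 + len(ssid)] = ssid.encode("ascii")
    body[0x20:0x20 + len(auth)] = auth.encode("ascii")
    struct.pack_into("<H", body, 0x2A, 1)              # always 1 in dumps
    body[0x2C:0x2C + len(retailer)] = retailer.encode("ascii")
    body[0x44:0x44 + len(wep_key)] = wep_key.encode("ascii")
    body[0x65] = wep_type
    body[0x66] = 3                                      # flags, always 3 in dumps
    struct.pack_into("<H", body, 0x6C, 0x428)           # always 0x428 in dumps
    struct.pack_into("<H", body, CRC_OFFSET, crc16(bytes(body[:CRC_OFFSET])))
    return bytes(body)


if __name__ == "__main__":
    sample = build_payload("NZone-Test", "0ABCDEF01", "McDonalds Japan", "", 0)
    print(parse_beacon(sample))
```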
  
 
== Versions ==

Version 3.0 of the DSi Nintendo Zone client was released with the February 9, 2010 update. Version 3.0 of the Japanese client was released on January 8, 2010. It is unknown what has changed since the initial version, v2.0. The server can check the version parameter the client sends, and if the version is old, the server replies with an error. The user-agent used by NZone v3.0 is "NintendoZoneViewer/1.1". Because the server can refuse to let an old client continue, the client may display the message "This viewer must be updated in order to use the Nintendo Zone service. Update now?". Pressing the "No" button in the update dialog returns NZone to sysmenu; pressing "Yes" boots the settings app into a hidden menu that only updates NZone. When updating NZone via this menu, the AP that NZone uses is used for the update. Like DSi Shop, Nintendo can force you to run a system update once the client has been updated. The JP server forces you to update NZone, and it has an html sysmenu_update tag that forces you to update your DSi to 1.4.

 
== Exploits ==

DS Station's web browser uses NetFront 3.3. Nintendo Zone v3.0 has the URL buffer overflow bug from NetFront 3.3 and DS Station, but htmlhaxx is [[#Security|impossible]] to use with NZone due to SSL. The NetFront version user agent was removed from the NZone bin, so it's unknown which NetFront version NZone uses.

A DS Station exploit was written by [[User:Yellows8|Yellows8]]. The exploit is only available on the Google Code wmb-asm SVN. The SVN web interface is available [http://code.google.com/p/wmb-asm/source/browse/#svn/trunk/ds/nzonehtmlhaxx here], and the SVN URL is available [http://wmb-asm.googlecode.com/svn/trunk/ds/nzonehtmlhaxx here]. To use the exploit at home with DS Station, you need a Linux/hostapd compatible box and a NIC supported by hostapd. You also need an HTTPS forwarder/proxy, like the httpsforwarder available in SVN. This exploit can only be used with html that is transferred over http.

This DS Station exploit works perfectly on DSi in WMB ds-mode. The default embedded .nds in the exploit loads hbmenu from a flash card, and loading from a flash card works perfectly on DSi in WMB ds-mode from DS Station nzonehtmlhaxx.

You need the DS Station bin to use this exploit, but the bin will not be publicly redistributed due to copyright etc.

[[File:2010-08-22-161844.jpg|200px|thumb|right|Test NZone haxx, crashed NZone. The EUR server bug exploited here was fixed a couple of hours after the html injection attacks began.]]

=== Server exploits ===

The EUR NZone server used to have the [http://www.phonefactor.com/sslgap SSL] [http://extendedsubset.com/?p=8 renegotiation] [http://www.g-sec.lu/tls-ssl-proof-of-concept.html authentication] [http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html gap] bug. Initially, exploiting this via the redirection script on the server was attempted. The next day, HTTP TRACE requests were used to inject html into the server response to the DSi NZone client. Crashing DSi NZone with nzonehtmlhaxx was tested twice: the first test injected htmlhaxx when the client tried sending a request to the redirection script for third-party content; the second injected htmlhaxx immediately when the client first connected to the server. Both tests crashed DSi NZone perfectly. HTTP TRACE is never used by NZone or any web browser. Counting from the initial attack, Nintendo fixed this in less than 26 hours; counting from when the HTTP TRACE attacks started, in less than 4 hours. The picture to the right is a shot of crashed DSi NZone; Nintendo fixed the bug before any payload was executed.

That EUR SSL renegotiation hole was the only NZone server hole in existence: there are no more SSL holes, there are zero http links on all NZone sites, Nintendo and third-party, and there are zero buffer overflows in the NZone beacon data code. NZone haxx is completely dead.

=== Security ===

NZone is very secure due to SSL. NZone aborts when the server cert isn't signed by Nintendo. None of the NZone servers have http links, nor do they even listen on port 80 for http. HTTP downgrade attacks are impossible even when you can inject html. (nzonehtmlhaxx can be used when it's possible to inject html into the server reply, but that is impossible now.)

All NZone sites use only relative URLs. When URLs that include https are used, they must point to Nintendo's server, otherwise NZone refuses to load the linked page. NZone refuses to load linked pages that use http, or that use https but don't link to Nintendo's site. With images, the path must be relative, otherwise NZone refuses to render the page. The NZone servers use a redirect.cgi script to redirect the client to the third-party server via an HTTP 302. The "url" parameter to this script can be arbitrary: the server allows any protocol, https or http, and any domain. However, NZone refuses to load an http page from a redirection; for redirections it only allows https to a site whose cert is signed by Nintendo.
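The following is an added model of the client-side link policy described above, not code from the page, Nintendo or the TWL SDK. It encodes the page's rules (relative URLs only, absolute https only to a Nintendo-signed host, http refused, image paths relative, a permissive redirect.cgi whose target the client still checks); the host name is a constructed placeholder, and "cert signed by Nintendo" is modelled as a host allow-list because the real certificate check cannot be reproduced offline.

```python
"""Model of the NZone client's URL policy and the server's permissive redirect.cgi.

The point the page makes is that the trust boundary sits in the client: the
server will 302 to anything, but the client only follows https to a
Nintendo-signed site. ASSUMPTION: the host below is a constructed placeholder
standing in for "cert signed by Nintendo".
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for "server cert signed by Nintendo".
NINTENDO_SIGNED_HOSTS = {"nzone.example.nintendo.invalid"}


def client_allows(url: str, kind: str = "page") -> Tuple[bool, str]:
    """Decide whether the NZone client would load `url` (kind: 'page' or 'image')."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return True, "relative URL"                       # always allowed
    if kind == "image":
        return False, "image paths must be relative"      # absolute images refuse to render
    if parts.scheme == "http":
        return False, "http is refused"                   # no downgrade, even if injected
    if parts.scheme == "https" and parts.hostname in NINTENDO_SIGNED_HOSTS:
        return True, "https to Nintendo-signed host"
    if parts.scheme == "https":
        return False, "https to a host without a Nintendo-signed cert"
    return False, f"unsupported scheme {parts.scheme!r}"


def server_redirect(request_url: str) -> Optional[str]:
    """redirect.cgi as described: 302 to whatever the 'url' parameter says, unchecked."""
    parts = urlsplit(request_url)
    if not parts.path.endswith("/redirect.cgi"):
        return None
    target = parse_qs(parts.query).get("url")
    return target[0] if target else None


def follow_redirect(request_url: str) -> Tuple[bool, str]:
    """End to end: the server issues the 302, then the client applies its own policy."""
    target = server_redirect(request_url)
    if target is None:
        return False, "no redirect issued"
    ok, why = client_allows(target, "page")
    return ok, f"302 -> {target}: {why}"


if __name__ == "__main__":
    base = "https://nzone.example.nintendo.invalid/redirect.cgi?url="
    for u in ("https://nzone.example.nintendo.invalid/partner/", "http://partner.invalid/"):
        print(follow_redirect(base + u))
```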

Latest revision as of 03:09, 21 November 2010
