Difference between revisions of "Nintendo Zone"
Revision as of 22:17, 31 July 2010
Nintendo Zone is the successor of DS Download Station and the latest revision in the Nintendo Spot series. The predecessor of Nintendo Zone in this series is DS Station, and the first revision in the series was Nintendo Spot. Although Nintendo Zone is the latest revision, most game stores still use DS Station. This series downloads DS demos from an Internet server rather than from a local DS host. Nintendo Zone locations have additional company-specific content; companies can use this for information about the store/location, coupons (McDonald's), mini-games, etc. Technical details available here. Nintendo Zone is available in Japan. The Nintendo World Store in New York City used to have NZone, but it no longer has NZone or even DS Download Station. A few McDonald's test locations in Germany have NZone; the German test locations are only available for a limited time, see the URL. Several USA Best Buy locations started an NZone test service in June 2009, see this. It's unknown if those Best Buy locations still have NZone. NZone pictures here. NZone screenshots here.
Client usage
Unlike DS Station, the Nintendo Zone client is rigged to connect only to an AP that carries a certain Broadcom tag. In other words, the client only works with a certain router. (This tag is for the NIC/driver, not a specific router model. NSpot used to use Linksys routers, but custom firmware may be needed for the DSi to recognize the AP as NZone.) When the AP has the correct SSID, WEP key, and Broadcom tag, the client attempts to connect to it. (The WEP key is generated from the SSID, so Nintendo software can automatically connect to these APs without any configuration.) When the DSi is in range of a Nintendo Zone AP, sysmenu displays a message that you're in range of a Nintendo Zone AP, and the hidden DSi Nintendo Zone client then appears in the menu. The client is basically a NetFront browser rigged to work only with certain APs, with the capability of booting RSA-1024 signed NDS software downloaded over HTTPS. DS Station seems to support only Nintendo's custom NTFA file format for graphics. Nintendo Spot supports other formats, one of which is GIF. Nintendo Zone supports NTFA, GIF, and PNG.
Versions
Version 3.0 of the DSi Nintendo Zone client was released with the February 9, 2010 update; version 3.0 of the Japanese client was released on January 8, 2010. It is unknown what has changed since the initial version, v2.0. The server checks the client user-agent, and if the version contained in the user-agent is old, the server replies with an error. The user-agent used by NZone v3.0 is "NintendoZoneViewer/1.1". Because the server refuses to let an old client continue, the client displays the message "This viewer must be updated in order to use the Nintendo Zone service. Update now?". As with DSi Shop, Nintendo forces you to run a system update when the client has been updated.
Exploits
DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function that writes the URL from a tag field's value to the stack. Nintendo Zone v3.0 has the bug. The NetFront version user-agent was removed from the NZone binary, so it's unknown which NetFront version NZone uses. A Linux/hostapd-compatible box and a NIC supported by hostapd are required, as are an SSID, and the WEP key generated from that SSID, from a real Nintendo Zone/DS Station AP.
A DS Station exploit has been written by Yellows8. The exploit is only available in the Google Code wmb-asm SVN repository; the SVN web interface is available here, and the SVN URL is available here. To use the exploit at home, you also need an HTTPS forwarder/proxy, like the httpsforwarder available in SVN. This exploit hasn't been tested with Nintendo Zone, and it can't be tested until a capture of a Nintendo Zone AP's beacons is obtained.

NZone is region-locked: you can't forward a connection made with the Europe DNS server name to the USA NZone server, because the client verifies the server name in the TLS certificate, and a USA NZone SSID won't work with Europe NZone. The region-specific URLs NZone uses for the initial HTTPS connection to the server are hard-coded. Once obtained, only a USA Best Buy SSID could be released.

This exploit can only be used with HTML that is transferred over HTTP. All HTML on the NZone server was probably moved to HTTPS, but this won't be known for certain until Yellows8 gets server access with an NZone SSID. The HTML for the index main and sub screens is transferred over HTTPS. However, the HTML for the main screen of the pages after the index is transferred over HTTP (this applies to the main server with DS Station; it is unknown for NZone and for third-party companies' websites). Sub screen HTML from the main server is transferred over HTTPS; sub screen HTML from third-party companies is transferred over HTTP. NetFront limits the size of HTML files that can be downloaded: the maximum size of an LZSS-compressed .nds embedded in the exploit is between 121.7KB and 129.9KB.
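As an added illustration (not NetFront's code or the exploit's), the shape of the defect described above, a tag field's URL value copied into a fixed-size stack buffer with no length check, beside a bounded version that rejects over-long values before copying; the attribute parser, URL_BUF and the sample tag are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative reconstruction, not NetFront code: the page describes a stack
 * smash in a function that copies a tag field's URL value onto the stack.
 * URL_BUF and the sample tag in main() are constructed for this example. */
#define URL_BUF 64
/* Locate the value of attr="..." in a tag; stores its length and returns a
 * pointer to it, or NULL if the attribute is absent or unterminated. */
static const char *find_attr_value(const char *tag, const char *attr, size_t *len)
{
    const char *p = strstr(tag, attr);
    if (!p) return NULL;
    p += strlen(attr);
    if (*p++ != '=' || *p++ != '"') return NULL;
    const char *end = strchr(p, '"');
    if (!end) return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* Vulnerable shape: fixed stack buffer, copy length taken from the markup. */
int url_from_tag_unbounded(const char *tag)
{
    char url[URL_BUF];
    size_t len;
    const char *v = find_attr_value(tag, "href", &len);
    if (!v) return -1;
    memcpy(url, v, len);   /* len >= URL_BUF writes past url into the frame */
    url[len] = '\0';
    return (int)strlen(url);
}

/* Hardened form: caller-sized buffer, over-long values rejected before any
 * byte is copied; returns the URL length or -1 (absent, unterminated, too long). */
int url_from_tag_bounded(const char *tag, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_attr_value(tag, "href", &len);
    if (!v || outsz == 0 || len >= outsz) return -1;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}
int main(void)
{
    char buf[URL_BUF];
    int n = url_from_tag_bounded("<a href=\"http://example.invalid/x\">", buf, sizeof buf);
    printf("%d %s\n", n, n >= 0 ? buf : "(rejected)");
    return 0;
}
```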