Nintendo Zone

Revision as of 21:00, 6 July 2010 by Yellows8 (talk | contribs) (Added old link to other USA test locations.)

Nintendo Zone is the successor of DS Download Station, the latest revision in the Nintendo Spot series. The predecessor of Nintendo Zone in this series is DS Station, and the first revision in this series is Nintendo Spot. Although Nintendo Zone is the latest revision in the series, most game stores still use DS Station. This series downloads DS demos from an Internet server, rather than from a local DS host. Nintendo Zone locations have additional company-specific content. Companies can use this for information about the store/location, coupons with McDonalds, mini-games, etc. Technical details available here. Nintendo Zone is only available in Japan, at Nintendo World Store in New York City, and a few McDonalds test locations in Germany. The test Germany locations are only available for a limited time, see the URL. Several USA Best Buy locations started a NZone test service in June 2009, see this. It's unknown if those Best Buy locations still have NZone.


Client usage

Unlike DS Station, the Nintendo Zone client is rigged to only connect to an AP with a certain Broadcom tag. In other words, the client is rigged to only work with a certain router. When the AP has the correct SSID, WEP key, and Broadcom tag, the client attempts to connect to the AP.(WEP key is generated from the SSID, Nintendo software can automatically connect to these APs without any configuration.) When the DSi is in range of a Nintendo Zone AP, sysmenu will display a message that you're in range of a Nintendo Zone AP. The hidden DSi Nintendo Zone client will then appear in the menu. The client is basically a NetFront browser rigged to only work with certain APs, and with the capability of booting RSA-1024 signed NDS software downloaded with https. DS Station seems to only support Nintendo's custom NTFA file format for graphics. Nintendo Spot supports other formats, one of the formats is GIF. Nintendo Zone supports NTFA, GIF, and PNG.

Versions

Version 3.0 of the DSi Nintendo Zone client was released with the February 9, 2010 update. Version 3.0 of the Japanese client was released on January 8, 2010. It is unknown what has changed since the initial version, v2.0. DSi Nintendo Zone checks for a newer Nintendo Zone client version with the server somehow, the client won't let you use the service without updating. The user agent used by Nintendo Zone v3.0 is "NintendoZoneViewer/1.1". It's unknown if the version check is done client-side by downloading a file, or by the server checking the user agent.(There are no direct URLs for checking the version in the client.)

Exploits

DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug. Nintendo Zone v3.0 has the bug. The layout of the Nintendo Zone binary NetFront html tag attribute strings were significantly changed, meaning NetFront was probably updated. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. Linux/hostapd compatible box and a NIC supported by hostapd is required. An SSID, and the WEP key generated from the SSID, from a real Nintendo Zone/DS Station AP is required. At real Nintendo Zone APs, a laptop running Linux with a wireless NIC supporting monitor mode would be needed to use the exploit at the NZone AP location. Using airpwn at a real NZone AP location is dangerous and not recommended, you must be cautious since every DS in range of the airpwn box will receive the injected exploit html. Using airpwn at a real NZone AP shouldn't be tried as other DSes besides the one you own, that are using the DS Station/NZone client and are not playing demos will download the injected exploit.

A DS Station exploit has been written by Yellows8. The exploit is only available on Google Code wmb-asm SVN. SVN web interface is available here, SVN URL available here. To use the exploit at home, you also need a HTTPS forwarder/proxy, like httpsforwarder available in SVN. This exploit hasn't been tested with Nintendo Zone. This exploit can't be tested until a Nintendo Zone AP beacons capture is obtained. This exploit can only be used with html that is transferred over http. The html for the index main and sub screens is transferred over https. However, the html for the main screen for the pages after the index,(main server and third-party companies websites) is transferred with http. The sub screen html is transferred with https, with the main server. Sub screen html with third-party companies is transferred with http. NetFront limits the size of html files that can be downloaded. The max size of a LZSS compressed .nds embedded in the exploit is between 121.7KB - 129.9KB.