https://github.com/PretendoNetwork/SSSL Skip to content Toggle navigation Sign in * Product + Actions Automate any workflow + Packages Host and manage packages + Security Find and fix vulnerabilities + Codespaces Instant dev environments + Copilot Write better code with AI + Code review Manage code changes + Issues Plan and track work + Discussions Collaborate outside of code Explore + All features + Documentation + GitHub Skills + Blog * Solutions For + Enterprise + Teams + Startups + Education By Solution + CI/CD & Automation + DevOps + DevSecOps Resources + Learning Pathways + White papers, Ebooks, Webinars + Customer Stories + Partners * Open Source + GitHub Sponsors Fund open source developers + The ReadME Project GitHub community articles Repositories + Topics + Trending + Collections * Pricing Search or jump to... Search code, repositories, users, issues, pull requests... Search [ ] Clear Search syntax tips Provide feedback We read every piece of feedback, and take your input very seriously. [ ] [ ] Include my email address so I can be contacted Cancel Submit feedback Saved searches Use saved searches to filter your results more quickly Name [ ] Query [ ] To see all available qualifiers, see our documentation. Cancel Create saved search Sign in Sign up You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert {{ message }} PretendoNetwork / SSSL Public * Notifications * Fork 2 * Star 132 * License GPL-3.0 license 132 stars 2 forks Branches Tags Activity Star Notifications * Code * Issues 1 * Pull requests 0 * Actions * Projects 0 * Security * Insights Additional navigation options * Code * Issues * Pull requests * Actions * Projects * Security * Insights PretendoNetwork/SSSL This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository. master BranchesTags Go to file Code Folders and files Name Name Last commit Last commit message date Latest commit History 24 Commits .eslintrc.json .eslintrc.json .gitignore .gitignore LICENSE LICENSE README.md README.md package-lock.json package-lock.json package.json package.json patch.js patch.js shutter.png shutter.png View all files Repository files navigation * README * GPL-3.0 license SSSL - Hackless SSL bypass for the Wii U [shutter] On March 1, 2021 Nintendo released Wii U firmware version 5.5.5. This update updated the Wii U's SSL verification and recompiled all RPLs (though no code changes were made). The exact purpose for this update is unknown, as nothing of significance was changed, and no other changes were made in this update. With the changes to SSL verification, Nintendo introduced a bug which allows for the forging of SSL certificates. These forged certificates will be seen as "Nintendo Signed" and, due to an existing bug with how the Wii U handles CA common names, will be accepted by all domains. The bugs There are 2 bugs at play: 1. Normally a CA common name does not accept a single wildcard (*) value. They must contain a hostname, and optionally one or many wildcards for subdomains. The Wii U will accept a single * wildcard in place of a hostname, which allows the CA to be accepted as any domain. This bug has existed since before 5.5.5, but was not useful until now. 2. As of 5.5.5, CA's crafted in a specific way may take a newly introduced alternate path for verification. This allows for a CA's signature to not be verified correctly. Instead, the Wii U simply checks if the CA matches one already known by the system, but not the signature or contents of the CA. We have no idea why this change was made, as it does not benefit Nintendo at all. It almost feels intentional. Exploiting Not any CA will work. There are 3 conditions for a CA which still need to be met even for a forged CA to be accepted: 1. The CA needs to be one which the Wii U would already accept. The signature is not validated in this case, so modifying an existing CA works. 2. The Wii U does not allow a Root CA in the cert chain. It will ignore any certs that have a matching subject and authority key. 3. The title must not roll it's own SSL. WebKit titles such as the eShop, Miiverse, TVii, etc, as well as any game which uses it's own SSL library, will not work with these certificates. The easiest way to exploit this bug is to use the Nintendo CA - G3 CA, and is what this script opts to do. This can be dumped from a Wii U's SSL certificates title at /storage_mlc/sys/title/0005001b/ 10054000/content/scerts/CACERT_NINTENDO_CA_G3.der. Changing the public key to a user-controlled key and changing the authority key identifier to anything else is all that is required. The resulting user-controlled private key and patched CA can be used to bypass SSL verification without any homebrew or CFW at all. The script This script takes in a PEM encoded copy of Nintendo CA - G3 and does the above patches and exports the patched CA and private key. * Install NodeJS * git clone https://github.com/PretendoNetwork/SSSL * cd SSSL * npm i to install the dependencies * node patch to run the patching wizard Credits * Shutterbug for actually finding the new verification bug * Jemma and Quarky for decompiling the updated SSL functions About No description, website, or topics provided. Resources Readme License GPL-3.0 license Activity Custom properties Stars 132 stars Watchers 5 watching Forks 2 forks Report repository Releases No releases published Packages 0 No packages published Contributors 2 * @jonbarrow jonbarrow Jonathan Barrow * @CenTdemeern1 CenTdemeern1 Charlotte Herngreen Languages * JavaScript 100.0% Footer (c) 2024 GitHub, Inc. Footer navigation * Terms * Privacy * Security * Status * Docs * Contact * Manage cookies * Do not share my personal information You can't perform that action at this time.