[HN Gopher] SSSL - Hackless SSL bypass for the Wii U
___________________________________________________________________
SSSL - Hackless SSL bypass for the Wii U
Author : todsacerdoti
Score : 203 points
Date : 2024-04-09 10:03 UTC (12 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| xandrius wrote:
| I would love to know what happened on Nintendo's side.
|
| If it weren't Nintendo, one would think this could be a creative
| approach to reviving the console (and its sales).
|
| It could also have been a debug config which made it through the
| release. I guess we'll never know but this is the part of tech
| which I love the most: finding ways to break outside the intended
| capabilities of a platform, just because.
| LocutusOfBorges wrote:
| > reviving the console (and its sales).
|
| Wii U production ended entirely more than 7 years ago - there's
| no more stock to sell. It's a legacy platform in every sense of
| the word.
| randunel wrote:
| From https://en.wikipedia.org/wiki/Wii_U#Sales
|
| > By December 2019, Nintendo reported life-time sales of
| 13.56 million Wii U console units and by September 2022
| 103.53 million software units worldwide
|
| and
|
| > Despite this, the console had third party releases until
| 2020.
|
| So software sold in September 2022 can no longer run in April
| 2024, and you somehow try to justify that by "legacy
| platform"?
|
| Production stopped, eventually hardware sales stopped, too,
| but software sales for the locked in hardware did not until
| recently.
| thaumasiotes wrote:
| >> Despite this, the console had third party releases until
| 2020.
|
| > So software sold in September 2022 can no longer run in
| April 2024, and you somehow try to justify that by "legacy
| platform"?
|
| I tend to imagine that every third-party release for the
| Wii U in 2020 was built for the Switch and made available
| on the Wii U as a low-cost port. There were no vendors and
| no Wii U owners at that time who weren't well aware that
| the platform had died years ago.
| godzillabrennus wrote:
| Even Scott the Woz knew enough to make videos about its
| death by then...
| beeboobaa3 wrote:
| You think every parent who buys a console for their 8-year-old
| kid watches whoever Scott the Woz is?
| philistine wrote:
| Well, you call those parents who don't watch Scott bad
| parents.
| LocutusOfBorges wrote:
| > So software sold in September 2022 can no longer run in
| April 2024, and you somehow try to justify that by "legacy
| platform"?
|
| What? Wii U software still works fine - you can even still
| download digital purchases from the eShop if you already
| own them. The component that was turned off yesterday was
| the servers used for multiplayer games, which isn't an
| unusual thing to see occur this late into a console's
| lifespan.
|
| Pretendo are doing good work! Even if most of the
| worthwhile parts of the console's library have since been
| ported to other systems, it's still nice that some parts of
| the original experience are going to be preserved.
| beeboobaa3 wrote:
| If you bought the game for the multiplayer then it does
| not in fact work fine.
| Shawnj2 wrote:
| Nintendo clearly stopped caring about the Wii U other than
| as a source of free money from the eShop as soon as the
| Switch released. They did do some stuff with the 3DS for a
| bit after the Switch launched but not a ton of
| kristofferR wrote:
| Did you read the comment chain you are replying to? Your
| comment makes no sense at all in that context, that the bug
| was introduced to revive console sales.
| jsheard wrote:
| > If it weren't Nintendo, one would think this could be a
| creative approach to reviving the console
|
| That is what they're doing, the Pretendo project is building
| custom servers for the 3DS and Wii U to replace the official
| ones which just shut down. This exploit makes it possible to
| point a non-jailbroken Wii U at the Pretendo servers just by
| changing the DNS settings.
|
| https://pretendo.network/blog/4-8-24
| internetter wrote:
| Yes, but Nintendo certainly isn't trying to help Pretendo
| chii wrote:
| It is possible that an engineer inside Nintendo is
| surreptitiously helping by introducing a bug like this.
| It's really the lawyers that are trigger happy about suits
| and takedowns (and they're within their right, and have
| good reasons to of course).
| xyst wrote:
| The equivalent of "thermal exhaust" flaw for Nintendo IP
| mrbluecoat wrote:
| brilliant Star Wars reference
| jdwithit wrote:
| I feel like this would be more plausible if the bug hadn't
| been introduced more than 3 years ago.
| michaelt wrote:
| _> I would love to know what happened on Nintendo's side._
|
| I suspect it's just a normal, regular software bug.
|
| SSL code is often complicated, and the faulty code probably
| passed a bunch of tests. As the software update was for a
| decade-old product, which had been discontinued for 4 years,
| the people who were best placed to spot the new bug had
| probably already moved on to other projects.
|
| Why mess with the SSL stuff at all? I can't say for sure, but
| SSL makes it easy to accidentally create a time bomb by, for
| example, hardcoding a certificate with an expiry date 10 years
| away. Or a console might have special requirements. For
| example, a user can leave a device in a cupboard for 5 years
| without turning it on, so the software update procedure needs
| extreme backwards compatibility.
| mannyv wrote:
| TLS libraries by default don't have this behavior.
|
| It's been years since I read the TLS spec, but a host
| wildcard like this isn't normally possible, since it bypasses
| host verification completely.
|
| And the CA verification bypass is also out of line with
| normal behavior. CA verification is another TLS bedrock
| behavior.
|
| Together, these basically disable TLS verification. I'm
| surprised they didn't disable date checking too, because why
| not go for it at this point.
|
| This isn't a bug, this is designed.
| mynameisvlad wrote:
| Or it's two separate bugs that were introduced at wildly
| different times (which the article mentions; the first bug
| was there pre-5.5.5 but useless on its own).
|
| It's quite a stretch to say that an engineer designed a
| multi-year project to surreptitiously break TLS so third
| party stores could be used without CFW (which is also
| pretty trivial to do on the WiiU).
| ctz wrote:
| > TLS libraries by default don't have this behavior.
|
| No, but the most popular one gives you just a callback and
| people end up using that to build their own insecure, weird
| strategies.
|
| That's how we end up with things like "the certificate is
| valid if the issuer DN is this hardcoded string" (very
| common attempt at pinning an issuer), or "the certificate
| chain is valid if the chain contains this precise value"
| (this one, likely another failed attempt at pinning), or
| indeed the Hashicorp Vault vuln the other week which was
| roughly "the certificate is valid if it has the right AKID
| and serial number".
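
Added example (not part of the thread or of any project discussed in it): ctz's comment above describes verification callbacks that accept a certificate because its issuer DN matches a hardcoded string. The Python sketch below models certificates as simple records, with textbook RSA on small fixed primes standing in for real X.509 signatures, and compares that name-only check with one pinned to the CA key; all names, keys and hosts are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def make_key(p, q, e=65537):
    # Textbook RSA on fixed small primes: a constructed stand-in for real X.509 signatures.
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:  # simplified model of a certificate, not real X.509
    subject: str
    issuer: str
    pub: tuple  # (n, e) of the subject's key
    sig: int = 0

    def tbs(self):  # the "to be signed" bytes covered by the issuer's signature
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, subject_key, issuer_dn, issuer_key):
    cert = Cert(subject, issuer_dn, (subject_key["n"], subject_key["e"]))
    cert.sig = pow(digest(cert.tbs(), issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def name_only_check(leaf, pinned_dn):
    # The pattern from the comment: valid if the issuer DN equals a hardcoded string.
    return leaf.issuer == pinned_dn

def full_check(leaf, hostname, pinned_dn, pinned_ca_pub):
    # Pin the CA *key*: the signature must verify under it, and the subject must match the host.
    n, e = pinned_ca_pub
    sig_ok = pow(leaf.sig, e, n) == digest(leaf.tbs(), n)
    return sig_ok and leaf.issuer == pinned_dn and leaf.subject == hostname

# Constructed sample data: two unrelated CA keys that carry the same issuer name.
DN = "CN=Example Root CA"
HOST = "api.example.test"
real_ca = make_key(2**89 - 1, 2**107 - 1)
other_ca = make_key(2**31 - 1, 2**61 - 1)
server_key = make_key(2**61 - 1, 2**89 - 1)
PINNED_PUB = (real_ca["n"], real_ca["e"])
genuine = issue(HOST, server_key, DN, real_ca)
lookalike = issue(HOST, server_key, DN, other_ca)

def results():
    # One (name_only_check, full_check) pair per certificate: genuine first, then lookalike.
    return [(name_only_check(c, DN), full_check(c, HOST, DN, PINNED_PUB))
            for c in (genuine, lookalike)]
```

The name-only check cannot tell the two certificates apart because an issuer name is not bound to any key; only the signature check against the pinned CA key separates them.
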
| Retr0id wrote:
| The developer(s) responsible for the bug, whether it was
| accidental or not, are likely not the same people in charge of
| Nintendo's legal and/or marketing strategies.
| trollied wrote:
| Note that this is relevant because Nintendo shut the servers down
| yesterday.
| https://en-americas-support.nintendo.com/app/answers/detail/...
| Narann wrote:
| All of this is weird. Leaving an SSL CA open to anyone ~~the day
| official servers are closed~~.
|
| EDIT: Bug exists since 1 March 2021.
|
| At first, it seems nice. But it's impossible that Nintendo is being
| _nice_ in any way, and even less so by _adding_ a bug. This, and
| Pretendo that seems to expect the bug before the release.
|
| I find this really suspicious.
| idle_zealot wrote:
| I would assume they sat on this until Nintendo shut down
| service to ensure they wouldn't push a fix.
| rawling wrote:
| Indeed, from their blog post
|
| > We've been holding on to this exploit for this day for
| quite some time, in case Nintendo decided to issue patches
| for it.
|
| https://news.ycombinator.com/item?id=39978886
| Sakos wrote:
| Before anybody asks why Nintendo would patch exploits for
| such an old system, they've been regularly patching
| exploits for the 3DS up until May 2023.
|
| https://en-americas-support.nintendo.com/app/answers/detail/...
|
| I'm somewhat skeptical that Nintendo won't end up fixing
| this one too. The eShop is still running so users can
| continue to download their purchased games:
| https://en-americas-support.nintendo.com/app/answers/detail/...
|
| > For the foreseeable future, it is still possible to
| download update data and redownload purchased software and
| downloadable content from Nintendo eShop.
| braiamp wrote:
| Yeah, this community prefers that these kinds of exploits
| (that require physical possession of the device to recover
| power over it) aren't patched. I don't see anything morally
| wrong with it. If security comes at the cost of the user
| losing control over the device, it is not security, it's
| abusive DRM.
| AdmiralAsshat wrote:
| Do we have something comparable for the 3DS yet?
| prophesi wrote:
| It doesn't seem like it, though I'd recommend modding your 3DS
| anyways. The process is pretty short and painless, and it
| becomes a really cool piece of hardware that can run GBA/DS/3DS
| games, has a working Virtual Boy emulator, and can easily
| retrieve patched games (useful for undubs, fan translations,
| and romhacks). And, now, can connect to the Pretendo network.
| AdmiralAsshat wrote:
| Hmm. I had held off on trying to mod my 3DS for fear of
| knock-on effect (since my 3DS and Switch account were tied
| together behind the same email, I didn't want some nightmare
| scenario of Nintendo somehow detecting mods on the 3DS and
| then banning my account, locking out the Switch in the same
| stroke).
|
| But I suppose if the 3DS servers are actually shut down now,
| that risk goes away. Primarily I'd just like to back up my
| saves and the games I legally purchased.
| thejsa wrote:
| Telemetry on the 3DS is minimal compared to what Nintendo
| put in place on the Switch -- you'll be alright, especially
| if you use the Pretendo online servers.
| thejsa wrote:
| We [0] did for a while - discovered by the same dev as found
| SSSL -- and sat on it for a long time at Kaeru, but it was
| independently discovered [1] and reported to Nintendo by
| someone else, so it unfortunately got patched before EoL.
|
| [0]: https://twitter.com/KaeruTeam/status/1340021213352128512
|
| [1]: https://github.com/MrNbaYoh/3ds-ssloth
___________________________________________________________________
(page generated 2024-04-09 23:02 UTC)