gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

DS Misc > Mario Kart DS WiFi Connection reverse engineering?

#62237 - sleeper - Mon Nov 28, 2005 4:52 pm

So was anyone crazy enough to look at the communication flow between nintendo and mario kart and start to build a fake server? ;)

Just curious. (this is not a "you guys should definitely do this and that" thread)

#62274 - zonk - Mon Nov 28, 2005 10:41 pm

I snooped some traffic and it doesn't look complicated.. well.. if I had more time..

What i got so far:

#1 It connects via TCP to 'conntest.nintendowifi.net' and does a 'GET / HTTP/1.0'

#2 resolves mariokartds.available.gs.nintendowifi.net:
UDP to port 27900 : <0x0900000000>mariokart ds<0x00>
Reply: <0xfefd09000000>

#3 resolves nas.nintendowifi.net and talks https. (!!!)
Tracing the request is no problem with squid..
..but IF mariokart verifies the SERVER-SSL-Cert, d'oh.. it will be
almost impossible to get a fake-server working :-/

#4 gpcm.gs.nintendowifi.net
-> ??

#5 mariokartds.master.gs.nintendowifi.net

=> SENDS
0000 00 11 24 6e ad 46 00 09 bf 0a 7a 39 08 00 45 00 ..$n.F....z9..E.
0010 00 e7 00 24 00 00 80 11 9d 76 c0 a8 01 7b cf 26 ...$.....v...{.&
0020 0b 22 c5 ff 6c fc 00 d3 ee b9 03 c4 f4 16 91 6c ."..l..........l
0030 6f 63 61 6c 69 70 30 00 31 39 32 2e 31 36 38 2e ocalip0.192.168.
0040 31 2e 31 32 33 00 6c 6f 63 61 6c 70 6f 72 74 00 1.123.localport.
0050 35 30 36 38 37 00 6e 61 74 6e 65 67 00 31 00 73 50687.natneg.1.s
0060 74 61 74 65 63 68 61 6e 67 65 64 00 31 00 67 61 tatechanged.1.ga
0070 6d 65 6e 61 6d 65 00 6d 61 72 69 6f 6b 61 72 74 mename.mariokart
0080 64 73 00 70 75 62 6c 69 63 69 70 00 30 00 70 75 ds.publicip.0.pu
0090 62 6c 69 63 70 6f 72 74 00 30 00 6e 75 6d 70 6c blicport.0.numpl
00a0 61 79 65 72 73 00 30 00 6d 61 78 70 6c 61 79 65 ayers.0.maxplaye
00b0 72 73 00 30 00 75 6e 6b 6e 6f 77 6e 00 36 30 30 rs.0.unknown.600
00c0 37 32 37 36 33 00 75 6e 6b 6e 6f 77 6e 00 30 00 72763.unknown.0.
00d0 75 6e 6b 6e 6f 77 6e 00 30 00 75 6e 6b 6e 6f 77 unknown.0.unknow
00e0 6e 00 33 00 75 6e 6b 6e 6f 77 6e 00 31 00 00 00 n.3.unknown.1...
00f0 00 00 00 00 00 9b e1 50 92 .......P.

<= RECV
0000 00 09 bf 0a 7a 39 00 11 24 6e ad 46 08 00 45 00 ....z9..$n.F..E.
0010 00 38 9b 1a 00 00 68 11 1b 2f cf 26 0b 22 c0 a8 .8....h../.&."..
0020 01 7b 6c fc c5 ff 00 24 49 ef fe fd 01 c4 f4 16 .{l....$I.......
0030 91 65 74 37 36 47 21 30 30 33 45 43 41 30 30 31 .et76G!003ECA001
0040 32 43 35 46 46 00 2C5FF.

=> SENDS
0000 00 11 24 6e ad 46 00 09 bf 0a 7a 39 08 00 45 00 ..$n.F....z9..E.
0010 00 3e 00 25 00 00 80 11 9e 1e c0 a8 01 7b cf 26 .>.%.........{.&
0020 0b 22 c5 ff 6c fc 00 2a d5 93 01 c4 f4 16 91 48 ."..l..*.......H
0030 45 4c 4c 42 49 77 43 5a 79 31 73 6d 38 30 62 53 ELLBIwCZy1sm80bS
0040 53 63 66 64 63 74 56 6e 79 4d 41 00 f0 5a 93 46 ScfdctVnyMA..Z.F
0050

..and some more..

after mariokart found the players, connection goes directly between them, the Nintendo-Server isn't used anymore..

UDP is used as protocol

They look like this:
0000 00 09 bf 0a 7a 39 00 11 24 6e ad 46 08 00 45 00 ....z9..$n.F..E.
0010 00 58 3f bc 00 00 72 11 c7 55 52 e6 2c 7a c0 a8 .X?...r..UR.,z..
0020 01 7b cd 90 c5 ff 00 44 1a b1 33 02 00 00 71 08 .{.....D..3...q.
0030 00 38 00 00 68 00 be e4 a0 07 fa fb 89 15 38 e7 .8..h.........8.
0040 3c ff 10 00 00 00 18 00 00 01 0a 00 00 00 00 00 <...............
0050 00 00 00 00 00 00 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f ................
0060 0f 0f 0f 0f 0f 0f ......
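
As an added example (not zonk's code and not any Nintendo or GameSpy tooling), this parses the first "=> SENDS" frame above: it strips the Ethernet/IPv4/UDP headers, bounds the payload by the UDP length field, splits the NUL-separated key/value list, and checks the advertised localip0/localport against the packet's own source address and port. Reading the first five payload bytes as a type byte plus a four-byte id is an assumption taken from the dump, not a documented format.

```python
# First "=> SENDS" frame from zonk's post, copied from the page's own dump.
HEXDUMP = """\
0000 00 11 24 6e ad 46 00 09 bf 0a 7a 39 08 00 45 00 ..$n.F....z9..E.
0010 00 e7 00 24 00 00 80 11 9d 76 c0 a8 01 7b cf 26 ...$.....v...{.&
0020 0b 22 c5 ff 6c fc 00 d3 ee b9 03 c4 f4 16 91 6c ."..l..........l
0030 6f 63 61 6c 69 70 30 00 31 39 32 2e 31 36 38 2e ocalip0.192.168.
0040 31 2e 31 32 33 00 6c 6f 63 61 6c 70 6f 72 74 00 1.123.localport.
0050 35 30 36 38 37 00 6e 61 74 6e 65 67 00 31 00 73 50687.natneg.1.s
0060 74 61 74 65 63 68 61 6e 67 65 64 00 31 00 67 61 tatechanged.1.ga
0070 6d 65 6e 61 6d 65 00 6d 61 72 69 6f 6b 61 72 74 mename.mariokart
0080 64 73 00 70 75 62 6c 69 63 69 70 00 30 00 70 75 ds.publicip.0.pu
0090 62 6c 69 63 70 6f 72 74 00 30 00 6e 75 6d 70 6c blicport.0.numpl
00a0 61 79 65 72 73 00 30 00 6d 61 78 70 6c 61 79 65 ayers.0.maxplaye
00b0 72 73 00 30 00 75 6e 6b 6e 6f 77 6e 00 36 30 30 rs.0.unknown.600
00c0 37 32 37 36 33 00 75 6e 6b 6e 6f 77 6e 00 30 00 72763.unknown.0.
00d0 75 6e 6b 6e 6f 77 6e 00 30 00 75 6e 6b 6e 6f 77 unknown.0.unknow
00e0 6e 00 33 00 75 6e 6b 6e 6f 77 6e 00 31 00 00 00 n.3.unknown.1...
00f0 00 00 00 00 00 9b e1 50 92 .......P.
"""

def hexdump_to_bytes(dump):
    # Up to 16 byte tokens follow the offset; stop at the first non-hex token (the ASCII column).
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:
            if len(tok) != 2 or set(tok) - set("0123456789abcdef"):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_heartbeat(frame):
    # Ethernet(14) + IPv4(IHL) + UDP(8). The UDP length field, not the dump
    # size, bounds the payload: the dump carries four trailer bytes after the datagram.
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("expected an IPv4/UDP frame")
    u = 14 + (frame[14] & 0x0F) * 4
    sport, dport, ulen = (int.from_bytes(frame[i:i + 2], "big") for i in (u, u + 2, u + 4))
    payload = frame[u + 8:u + ulen]
    # Assumed layout: one type byte, a four-byte id, then NUL-separated key/value
    # pairs ended by an empty key. "unknown" repeats, so keep an ordered list, not a dict.
    parts = payload[5:].split(b"\x00")
    pairs = []
    for k, v in zip(parts[0::2], parts[1::2]):
        if not k:
            break
        pairs.append((k.decode(), v.decode()))
    adv = dict(pairs)
    return {"type": payload[0], "id": payload[1:5].hex(), "dst_port": dport, "pairs": pairs,
            # cross-check the advertised private ip/port against the IP/UDP source fields
            "localip_matches_header": adv["localip0"] == ".".join(map(str, frame[26:30])),
            "localport_matches_header": int(adv["localport"]) == sport}
```

Both checks come back true for this frame: the DS is putting the address and port its own packets already leave from into the application payload, which is exactly what NAT rewrites on the way out.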

#62280 - knight0fdragon - Tue Nov 29, 2005 1:28 am

interesting, the wifi allows direct connecting so perhaps servers aren't needed, and some of system could be used to rid of the dreadful random battle

#62282 - sleeper - Tue Nov 29, 2005 1:34 am

knight0fdragon wrote:
interesting, the wifi allows direct connecting so perhaps servers aren't needed, and some of system could be used to rid of the dreadful random battle


hmm so the https connection is only between the nintendo server and the ds? Maybe you just let the server assign the players for you and then let the proxy do the stuff where you connect to the players you want...

interesting...

#62724 - knight0fdragon - Mon Dec 05, 2005 1:12 am

hmm its odd that the localIP being sent is the one being used by what I am assuming is your DS, and not the net IP to allow direct connection, well what did you use to see this, a standard packet sniffer?

#62725 - wintermute - Mon Dec 05, 2005 1:51 am

knight0fdragon wrote:
hmm its odd that the localIP being sent is the one being used by what I am assuming is your DS, and not the net IP to allow direct connection, well what did you use to see this, a standard packet sniffer?


Never heard of NAT? :P

#62726 - knight0fdragon - Mon Dec 05, 2005 2:02 am

yes but even NAT itself has to have some kind of address sent to nintendo to tell the other DS's where its located at

#62892 - zonk - Tue Dec 06, 2005 7:33 pm

> well what did you use to see this, a standard packet sniffer?

tcpdump on my linux-router


Well.. sending the local (private) IP may make sense for nintendo:

Nintendo can see my public ip anyway.. If the DS sends its private IP, it may help nintendo to distinguish multiple DS's behind one public ip..


I'll setup a fake-DNS and install a squid http(s) proxy to track the https communication in the next few days (..or weeks ;-) )

#66637 - zigg - Thu Jan 12, 2006 4:14 pm

Is there any evidence that the DS is using or trying to use UPnP to get ports forwarded to it from the router? I've not been able to find anything explaining how two DS's behind NAT are able to send UDP directly to each other.

I may try to sniff it myself, but I'd have to sniff from a separate PC; I don't have a router I can sniff from. :)

#66649 - derula - Thu Jan 12, 2006 6:11 pm

The public key of the https certificate is 1120 bit of length, which means there will not be the slightest chance (except luck) of finding out the secret key. That is sad. Only to hope that MKDS doesn't validate the cert. Which I doubt.

#66720 - ProdigySim - Fri Jan 13, 2006 5:26 am

zigg wrote:
Is there any evidence that the DS is using or trying to use UPnP to get ports forwarded to it from the router? I've not been able to find anything explaining how two DS's behind NAT are able to send UDP directly to each other.


Indeed, I too have wondered this.
If we knew what port it ran this on, perhaps we could improve connectivity by opening it on our NAT/firewalls.

EDIT: Or I could read the post and realize that it uses 50687 (from what I can tell)

#66767 - zigg - Fri Jan 13, 2006 12:25 pm

Well, I did kick my ralink card into Monitor mode on my Linux box, and got half of a session (a friend jumped on me in Animal Crossing shortly after my gate opened, heh.) I say half because the ralink drivers under Linux seem to only monitor broadcast or AP-originating packets.

I saw a lot of similarities between zonk's stuff above, but most interestingly I noticed about eight SSDP (which I believe UPnP is based on) packets coming from the router just before the connection was opened up and I started getting UDP from my friend's IP address. I would assume that those SSDP packets came in response to something my DS was doing that I couldn't see, but I could be wrong on that front; they were sent to multicast, which may just be how UPnP operates, but I'm not really sure. I need to do some reading.

The really bizarre part about it all is that Nintendo seems to never talk about UPnP in any of their support materials. If two people without a working UPnP implementation are trying to get connected, surely Nintendo would have to pass packets for them? I'm dismayed at the utter lack of information coming from Nintendo on NAT traversal, especially since it seems several people do have trouble with firewalls (the dreaded 80430 error.)

#66815 - M3d10n - Fri Jan 13, 2006 6:23 pm

There is another way to get two computers behind NAT to talk directly to each other without UPnP, with the aid of a server outside a NAT, but I'm not sure if Nintendo does this (one could try disabling the UPnP settings in their router and see what happens - most routers come with that option on by default).

I've been working with the Torque game engine lately, and their master server implementation can do that. I don't know the specifics (I barely messed with the network components yet), but it's something like both clients connecting to the server, and the server doing some voodoo to "link" the two clients directly, so they can send data directly to each other, without any of it going through the server.

#66820 - zigg - Fri Jan 13, 2006 6:55 pm

M3d10n wrote:
I've been working with the Torque game engine lately, and their master server implementation can do that. I don't know the specifics (I barely messed with the network components yet), but it's something like both clients connecting to the server, and the server doing some voodoo to "link" the two clients directly, so they can send data directly to each other, without any of it going through the server.


Interesting. Just before I started getting packets from my friend, I saw packets coming from two distinct hosts at GameSpy. I assumed they were connection tests, but maybe this is being done here too.

In any event, I think I have a decent sniffer now, so I'll try again tonight and see if I can break this down.

#66828 - JaJa - Fri Jan 13, 2006 7:32 pm

M3d10n wrote:
There is another way to get two computers behind NAT to talk directly to each other without UPnP, with the aid of a server outside a NAT, but I'm not sure if Nintendo does this (one could try disabling the UPnP settings in their router and see what happens - most routers come with that option on by default).


I hate UPnP, so have it off and can play MKDS fine.
I assume the Nintendo server is used for matchmaking and this initial port opening.
Then the DS's talk directly to each other.

#66832 - zigg - Fri Jan 13, 2006 7:48 pm

JaJa wrote:
I assume the Nintendo server is used for matchmaking and this initial port opening.
Then the DS's talk directly to each other.


Nintendo's server cannot open a port in someone's NAT router, though. That's why UPnP is used for some gaming implementations; it can be used to request that port forwarding be set up on the NAT router to forward packets sent to a particular port on to the DS.

However, I think I may have located a paper on the technique that Torque may use. Peer-to-Peer Communication Across Network Address Translators explains "hole punching". I'm reading it and it makes sense to me. The success rates aren't very encouraging, but are probably Good Enough for WFC use.
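
As an added illustration of the hole-punching technique zigg refers to (a constructed model, not Nintendo's, GameSpy's or the Torque engine's code; all addresses are made up), here is a toy port-restricted NAT and the rendezvous exchange: the server only learns and relays each peer's public endpoint, each peer's own outbound packet is what opens the pinhole, and a symmetric NAT on either side defeats the punch.

```python
from itertools import count

class Nat:
    # Toy port-restricted NAT. A mapping is created by the first outbound packet
    # and records every destination it has sent to; an inbound packet is delivered
    # only if its source is one of those destinations. symmetric=True allocates a
    # separate public port per destination, which is what defeats hole punching.
    def __init__(self, public_ip, symmetric=False):
        self.public_ip, self.symmetric = public_ip, symmetric
        self.ports, self.table = count(40000), {}   # key -> (public_port, {destinations})

    def outbound(self, priv, dst):
        key = (priv, dst) if self.symmetric else priv
        if key not in self.table:
            self.table[key] = (next(self.ports), set())
        port, dsts = self.table[key]
        dsts.add(dst)
        return (self.public_ip, port)               # public endpoint the packet leaves from

    def inbound(self, public_port, src):
        for key, (port, dsts) in self.table.items():
            if port == public_port and src in dsts:
                return key[0] if self.symmetric else key   # private endpoint it reaches
        return None                                  # dropped by the NAT

def hole_punch(nat_a, nat_b, punch=True):
    # Constructed addresses; the rendezvous server only relays what it observed.
    server = ("203.0.113.10", 27900)
    a_priv, b_priv = ("192.168.1.123", 50687), ("10.0.0.7", 50687)
    a_pub = nat_a.outbound(a_priv, server)           # 1. both peers register, so the
    b_pub = nat_b.outbound(b_priv, server)           #    server learns their public endpoints
    if not punch:  # the server alone cannot open the far NAT: B never sent towards A
        return nat_b.inbound(b_pub[1], a_pub) == b_priv
    # 2. the server hands each peer the other's public endpoint, and 3. each peer
    #    sends one packet to it, which opens a pinhole in its own NAT
    a_from = nat_a.outbound(a_priv, b_pub)
    b_from = nat_b.outbound(b_priv, a_pub)
    # 4. the probes reach the far NAT; with a symmetric NAT the source port differs
    #    from what the server reported, so the far side drops them
    return (nat_b.inbound(b_pub[1], a_from) == b_priv and
            nat_a.inbound(a_pub[1], b_from) == a_priv)
```

Run hole_punch with two cone NATs, with punch=False, and with one symmetric NAT to see the three outcomes the paper describes.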