

Basically, nds-constrain't is one of the greatest discoveries of all time.
That discovery was that Nintendo's NTR SSL library didn't care if certificates were signed by a non-CA certificate as long as they were still linked to the root CA. This is a huge fail.
This allows the NDS to connect to unofficial services without patching the ROM, which is great.
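To make the flaw concrete, here is a small model of the path-validation logic involved, written as an added example (not NTR code or anything from the nds-constrain't project): one function accepts any signature chain that reaches a trusted root, the way the page says the NTR library does, and the other additionally requires basicConstraints CA:TRUE on every certificate that signs another one. The certificate names, key ids and the root are constructed sample data; signatures are modelled as matching key ids rather than real RSA operations.

```python
"""Model of X.509 path validation with and without the basicConstraints
check that nds-constrain't exploits. Constructed example, not NTR code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # subject of the certificate that signed this one
    key_id: str          # stands in for this certificate's public key
    signer_key_id: str   # stands in for "which key produced the signature"
    is_ca: bool          # basicConstraints CA:TRUE present


def build_path(leaf: Cert, pool: Dict[str, Cert],
               roots: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf until a trusted root is reached.
    Returns [leaf, ..., root], or None if no such path exists."""
    path, cur = [leaf], leaf
    while cur.subject not in roots:
        nxt = pool.get(cur.issuer) or roots.get(cur.issuer)
        if nxt is None or len(path) > 8:   # missing issuer or a loop
            return None
        path.append(nxt)
        cur = nxt
    return path


def signatures_ok(path: List[Cert]) -> bool:
    """Each certificate must be signed by the key of the next one in the path."""
    return all(c.signer_key_id == p.key_id for c, p in zip(path, path[1:]))


def ntr_style_validate(leaf: Cert, pool: Dict[str, Cert], roots: Dict[str, Cert]) -> bool:
    """What the page describes the NTR library doing: accept any chain of
    valid signatures that ends at a trusted root, whoever the signers are."""
    path = build_path(leaf, pool, roots)
    return path is not None and signatures_ok(path)


def strict_validate(leaf: Cert, pool: Dict[str, Cert], roots: Dict[str, Cert]) -> bool:
    """RFC 5280 behaviour: every certificate that signs another one (all of
    the path except the leaf) must also carry basicConstraints CA:TRUE."""
    path = build_path(leaf, pool, roots)
    return (path is not None and signatures_ok(path)
            and all(c.is_ca for c in path[1:]))


# Constructed sample: a root CA, an end-entity client cert (the role the
# Wii NWC cert plays) and a server cert signed with that client cert's key.
ROOT = Cert("Example Root CA", "Example Root CA", "k_root", "k_root", True)
NWC = Cert("Wii NWC Prod 1", "Example Root CA", "k_nwc", "k_root", False)
SERVER = Cert("wfc.example", "Wii NWC Prod 1", "k_srv", "k_nwc", False)
ROOTS = {ROOT.subject: ROOT}
POOL = {NWC.subject: NWC}   # the intermediate the server sends with its cert
```

Run stand-alone, `ntr_style_validate(SERVER, POOL, ROOTS)` returns True while `strict_validate(SERVER, POOL, ROOTS)` returns False, which is exactly the gap the NDS leaves open.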

Shutterbug2000 is responsible for finding nds-constrain't. If you haven't seen his work, please do.

The rest of this page is a vague guide on setting it up. :-)
If you don't need to make your own certificate, then feel free to download this sample certificate which is valid for all domains, then skip to step 4. However, I would recommend making your own for security reasons.


Step 1) Getting the Wii client certificate
As explained in the page, the Wii client certificate is signed by Nintendo, and can therefore be used to sign other certificates.
You could get it from your Wii itself, or you could download "Wii NWC Prod 1" at Larsenv's page.
(Arian Kordi most likely dumped this since his name is in the footer. Thank you Arian!)

Step 2) Converting it to a usable format
As you probably noticed, the file is PKCS12 which is not what you'll want for signing certificates.
	openssl pkcs12 -in WII_NWC_1_CERT.p12 -passin pass:alpine -passout pass:alpine -out keys.txt
This will export the public and private keys. (The private key will have the password alpine again.)
These cannot be exported separately from the command line as far as I know.
Copy the public and private keys from the output at keys.txt, then save them as NWC.crt and NWC.key.

Step 3) Signing your certificate
Instructions for this are listed on the GitHub page. These are copied for reference.
Make sure it's in the right format, since the DS can only handle SHA1 and MD5 ciphers.
	openssl genrsa -out server.key 1024
	openssl req -new -key server.key -out server.csr
	openssl x509 -req -in server.csr -CA NWC.crt -CAkey NWC.key -CAcreateserial -out server.crt -days 3650 -sha1
	cat server.crt NWC.crt > server-chain.crt
If you followed the instructions, you should now have all of your certificates in server-chain.crt.

Step 4) Using your certificates
If you do not know how to install SSL certificates, you would not have made it this far.
Many people get stuck here since the device will keep refusing their connection even with a valid cert.
This is most likely due to your webserver not wanting to work with the DSi's insecure and outdated SSL.
You will want to make sure your server supports SSLv3 and the ECDHE-RSA-AES128-SHA (or MD5) cipher set.
If it doesn't, I recommend reverse-proxying it with NGINX to enable NDS connections with SSL to work.
Add the following to your NGINX configuration to enable compatibility with NDS SSL.

	ssl_protocols SSLv3;
	ssl_ciphers ECDHE-RSA-AES128-SHA;

These final options are not SSL related, but I recommend setting them when reverse-proxying WFC.
Otherwise, NGINX will not pass headers to your server, which the NDS most likely makes use of.

	underscores_in_headers on;
	proxy_pass_request_headers on;

Note that you will definitely want to dedicate this NGINX install for your project. You are enabling insecure settings on your server after all, and keeping your config simple makes testing and debugging much easier.
If you still have trouble getting this working, feel free to contact me and ask for help.

Step 5) Whatever you want
How should I know? Go write a server or something, there are many possibilities.
You can mess with protocols, try implementing WFC protocols, do whatever you want!
Enjoy not requiring ROM patches! This is a big step in NDS hacking. :-)


I have received multiple e-mails from people asking for assistance with this.
Don't worry, I understand your pain completely. Figuring out how to make it work took me hours.
The most common error is with the SSL handshake. The NDS only supports very old ciphers and SSLv3.
Most webservers disable SSLv3 and the insecure ciphers by default, and that can be changed quite easily.
Unfortunately, the NDS-supported ciphers are disabled in OpenSSL versions past 1.0.2g unless configured with "enable-weak-ssl-ciphers". This means you may have to re-build NGINX or mod_ssl in order to get it working.

If you have the means, I suggest taking Wireshark captures to see why SSL is failing.
Enabling debug logging in NGINX can also help you pinpoint handshake errors.
If all else fails, you can always contact me for help. (My e-mail is on my homepage.)

I wish you all luck on whatever project you may be working on. I'm sure it will be great!
- Ryan Fox (flewkey)