WiiConnect24/Mail

From WiiBrew
Jump to: navigation, search

Info

Intro

WiiConnect24 Mail is surprisingly secure when it's used in the default Nintendo configuration. Flowcharts of how the service works are below, courtesy of RiiConnect24, from their flowcharts repository (https://github.com/RiiConnect24/Flowcharts).

RiiConnect24 has open-sourced their mail scripts here. (https://github.com/RiiConnect24/Mail-Go)

Check

Check is how the Wii checks to see if any mail is available; if mail.flag is set to 0, the Wii will not check for mail from receive.

The Wii first sends:


POST /cgi-bin/check.cgi HTTP/1.1

Host: riiconnect24.net

User-Agent: WiiConnect24/2.2.255.0

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 79


mlchkid=ID&chlng=CHALLENGE


ID is the user's mlchkid, stored in nwc24msg.cfg, which is given by account.cgi to correlate with the Wii FC. The server then responds with:


cd=100

msg=Success

res=RESPONSE

mail.flag=FLAG

interval=5


If flag != 0, the Wii will proceed to do a receive check.

res is a SHA1 HMAC of some description against the challenge. We do not yet know how this works.

Send

Send handles processing of mail from Wii to database (or email server); this script is passed the mlid (w[WII-ID]) and passwd, referenced in nwc24msg.cfg:


POST /cgi-bin/send.cgi HTTP/1.1

Host: rc24.xyz User-Agent: WiiConnect24/2.2.255.0

Content-Type: multipart/form-data; boundary=t9Sf4yfjf1RtvDu3AA

Content-Length: 20235


--t9Sf4yfjf1RtvDu3AA

Content-Disposition: form-data; name="mlid"

mlid=wWIIFC

passwd=PASSWD

--t9Sf4yfjf1RtvDu3AA

Content-Disposition: form-data; name="m1"

[MAILDATA]

--t9Sf4yfjf1RtvDu3AA

Content-Disposition: form-data; name="m2" [You get the picture] --t9Sf4yfjf1RtvDu3AA--


The server then responds:

cd=100

msg=success

mlnum=[NUMBER]


[NUMBER] is the highest mail number (i.e. the total amount of mails sent) -1

Receive

Receive sends Wii mail from database/email to Wii; this script is passed the mlid (w[WII-ID]) and passwd, referenced in nwc24msg.cfg

The Wii sends


POST /cgi-bin/receive.cgi HTTP/1.1

Host: mtw.wc24.wiimmfi.de

User-Agent: WiiConnect24/2.2.255.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 62

mlid=wWIIFC&passwd=PASSWORD&maxsize=MAX


And the server will respond with all mail for that user (I have not yet dumped this, someone needs to do a packet dump) in a certain format.

Delete

After Wii mail is received, the Wii will inform the server to delete the mail; this script is passed the mlid (w[WII-ID]) and passwd, referenced in nwc24msg.cfg

Flowcharts

Check

CheckChart.png

Send

SendChart.png

Receive

ReceiveChart.png

Delete

DeleteChart.png ==