SSSL – Hackless SSL bypass for the Wii U (github.com/pretendonetwork)
218 points by todsacerdoti 37 days ago | 33 comments



Note that this is relevant because Nintendo shut the servers down yesterday. https://en-americas-support.nintendo.com/app/answers/detail/...


I would love to know what happened on Nintendo's side.

If it weren't Nintendo, one would think this could be a creative approach to reviving the console (and its sales).

It could also have been a debug config which made it through the release. I guess we'll never know but this is the part of tech which I love the most: finding ways to break outside the intended capabilities of a platform, just because.


> If it weren't Nintendo, one would think this could be a creative approach to reviving the console

That is what they're doing, the Pretendo project is building custom servers for the 3DS and Wii U to replace the official ones which just shut down. This exploit makes it possible to point a non-jailbroken Wii U at the Pretendo servers just by changing the DNS settings.

https://pretendo.network/blog/4-8-24


I feel like this would be more plausible if the bug hadn't been introduced more than 3 years ago.


Yes, but Nintendo certainly isn’t trying to help pretendo


It is possible that an engineer inside Nintendo is surreptitiously helping by introducing a bug like this. It's really the lawyers that are trigger-happy about suits and takedowns (and they're within their rights, and have good reasons to, of course).


The equivalent of “thermal exhaust” flaw for Nintendo IP


brilliant Star Wars reference


> I would love to know what happened on Nintendo's side.

I suspect it's just a normal, regular software bug.

SSL code is often complicated, and the faulty code probably passed a bunch of tests. As the software update was for a decade-old product, which had been discontinued for 4 years, the people who were best placed to spot the new bug had probably already moved on to other projects.

Why mess with the SSL stuff at all? I can't say for sure, but SSL makes it easy to accidentally create a time bomb by, for example, hardcoding a certificate with an expiry date 10 years away. Or a console might have special requirements. For example, a user can leave a device in a cupboard for 5 years without turning it on, so the software update procedure needs extreme backwards compatibility.


TLS libraries by default don't have this behavior.

It's been years since I read the TLS spec, but a host wildcard like this isn't normally possible, since it bypasses host verification completely.

And the CA verification bypass is also out of line with normal behavior. CA verification is another TLS bedrock behavior.

Together, these basically disable TLS verification. I'm surprised they didn't disable date checking too, because why not go for it at this point.

This isn't a bug, this is designed.


> TLS libraries by default don't have this behavior.

No, but the most popular one gives you just a callback and people end up using that to build their own insecure, weird strategies.

That's how we end up with things like "the certificate is valid if the issuer DN is this hardcoded string" (very common attempt at pinning an issuer), or "the certificate chain is valid if the chain contains this precise value" (this one, likely another failed attempt at pinning), or indeed the Hashicorp Vault vuln the other week which was roughly "the certificate is valid if it has the right AKID and serial number".
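The two comments above make the same point from different sides: a hostname wildcard plus a CA-check bypass leaves nothing of TLS verification, and a custom callback that pins an issuer DN string is no better. The Go program below is an added illustration, not code from the thread or from SSSL/Pretendo: it builds a constructed test PKI (hypothetical "Example Root CA" and host "example.test"), then shows that the "issuer DN equals this string" rule accepts a certificate from a second, unrelated CA that merely carries the same name, while the standard chain-plus-hostname check rejects it and still accepts the genuine certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent (self-signed when parent is nil).
// Constructed test PKI for this example; "example.test" is a made-up host name.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:     []string{"example.test"}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed: the template is its own parent
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // fixed inputs, no error expected
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AcceptByIssuerDN is the anti-pattern from the comment above: a DN is only a label, and anyone can put it on a CA they control.
func AcceptByIssuerDN(cert *x509.Certificate, pinnedIssuer string) bool {
	return cert.Issuer.String() == pinnedIssuer
}

// AcceptByChain is the library default: signature chain to a trusted root (CA check) plus a host name match against the SAN (host check).
func AcceptByChain(cert, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
// Demo returns (rogue passes DN pin, rogue passes chain check, genuine passes chain check).
func Demo() (bool, bool, bool) {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	genuine, _ := mkCert("example.test", false, root, rootKey)
	rogueCA, rogueKey := mkCert("Example Root CA", true, nil, nil) // same DN, a different key
	rogue, _ := mkCert("example.test", false, rogueCA, rogueKey)
	return AcceptByIssuerDN(rogue, root.Subject.String()), AcceptByChain(rogue, root, "example.test"), AcceptByChain(genuine, root, "example.test")
}
```

The DN-pin rule passes the rogue certificate because the name string is all it looks at; the chain check fails it because the signature does not verify under the trusted root's key.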


Or it’s two separate bugs that were introduced at wildly different times (which the article mentions; the first bug was there pre-5.5.5 but useless on its own).

It’s quite a stretch to say that an engineer designed a multi-year project to surreptitiously break TLS so third party stores could be used without CFW (which is also pretty trivial to do on the WiiU).


> reviving the console (and its sales).

Wii U production ended entirely more than 7 years ago - there's no more stock to sell. It's a legacy platform in every sense of the word.


From https://en.wikipedia.org/wiki/Wii_U#Sales

> By December 2019, Nintendo reported life-time sales of 13.56 million Wii U console units and by September 2022 103.53 million software units worldwide

and

> Despite this, the console had third party releases until 2020.

So software sold in September 2022 can no longer run in April 2024, and you somehow try to justify that by "legacy platform"?

Production stopped, eventually hardware sales stopped, too, but software sales for the locked in hardware did not until recently.


>> Despite this, the console had third party releases until 2020.

> So software sold in September 2022 can no longer run in April 2024, and you somehow try to justify that by "legacy platform"?

I tend to imagine that every third-party release for the Wii U in 2020 was built for the Switch and made available on the Wii U as a low-cost port. There were no vendors and no Wii U owners at that time who weren't well aware that the platform had died years ago.


Even Scott the Woz knew enough to make videos about its death by then…


You think every parent who buys a console for their 8-year-old kid watches whoever Scott the Woz is?


Well, you call those parents who don't watch Scott bad parents.


Nintendo clearly stopped caring about the Wii U other than as a source of free money from the eshop as soon as the switch released. They did do some stuff with the 3DS for a bit after the switch launched but not a ton of


> So software sold in September 2022 can no longer run in April 2024, and you somehow try to justify that by "legacy platform"?

What? Wii U software still works fine - you can even still download digital purchases from the eShop if you already own them. The component that was turned off yesterday was the servers used for multiplayer games, which isn’t an unusual thing to see occur this late into a console’s lifespan.

Pretendo are doing good work! Even if most of the worthwhile parts of the console’s library have since been ported to other systems, it’s still nice that some parts of the original experience are going to be preserved.


If you bought the game for the multiplayer then it does not in fact work fine.


Did you read the comment chain you are replying to? Your comment makes no sense at all in that context, that the bug was introduced to revive console sales.


The developer(s) responsible for the bug, whether it was accidental or not, are likely not the same people in charge of Nintendo's legal and/or marketing strategies.


Do we have something comparable for the 3DS yet?


We [0] did for a while - discovered by the same dev who found SSSL — and sat on it for a long time at Kaeru, but it was independently discovered [1] and reported to Nintendo by someone else, so it unfortunately got patched before EoL.

[0]: https://twitter.com/KaeruTeam/status/1340021213352128512

[1]: https://github.com/MrNbaYoh/3ds-ssloth


It doesn't seem like it, though I'd recommend modding your 3DS anyway. The process is pretty short and painless, and it becomes a really cool piece of hardware that can run GBA/DS/3DS games, has a working Virtual Boy emulator, and can easily retrieve patched games (useful for undubs, fan translations, and romhacks). And, now, it can connect to the Pretendo network.


Hmm. I had held off on trying to mod my 3DS for fear of knock-on effect (since my 3DS and Switch account were tied together behind the same email, I didn't want some nightmare scenario of Nintendo somehow detecting mods on the 3DS and then banning my account, locking out the Switch in the same stroke).

But I suppose if the 3DS servers are actually shut down now, that risk goes away. Primarily I'd just like to backup my saves and the games I legally purchased.


Telemetry on the 3DS is minimal compared to what Nintendo put in place on the Switch — you’ll be alright, especially if you use the Pretendo online servers.


All of this is weird. Leaving an SSL CA open to anyone ~~the day the official servers are closed~~.

EDIT: The bug has existed since 1 March 2021.

At first, it seems nice. But it's impossible that Nintendo is being nice in any way, and even less so by adding a bug. This, and Pretendo seems to have expected the bug before the release.

I find this really suspicious.


I would assume they sat on this until Nintendo shut down service to ensure they wouldn't push a fix.


Indeed, from their blog post:

> We've been holding on to this exploit for this day for quite some time, in case Nintendo decided to issue patches for it.

https://news.ycombinator.com/item?id=39978886


Before anybody asks why Nintendo would patch exploits for such an old system, they've been regularly patching exploits for the 3DS up until May 2023.

https://en-americas-support.nintendo.com/app/answers/detail/...

I'm somewhat skeptical that Nintendo won't end up fixing this one too. The eShop is still running so users can continue to download their purchased games: https://en-americas-support.nintendo.com/app/answers/detail/...

> For the foreseeable future, it is still possible to download update data and redownload purchased software and downloadable content from Nintendo eShop.


Yeah, this community prefers that these kinds of exploits (that require physical possession of the device to recover power over it) aren't patched. I don't see anything morally wrong with it. If security comes at the cost of the user losing control over the device, it is not security, it's abusive DRM.

