Difference between revisions of "Wiimms mkw-ana (tool)"

Wiimms mkw-ana

Author:	Wiimm
Operating Systems:	Linux (i386,x86_64), Windows (Cygwin).
Software Type:	Mario Kart Wii network traffic analyzer
File Formats:	PCAP 2.4, PCAP 2.4.modified, PCAP-NG, bzip2 compression, BMG (text).
Current Version:	v1.15, 2017-08-21
Homepage:	mkw-ana.wiimm.de
Download:	download.wiimm.de

mkw-ana is a tool by Wiimm to analyze the network protocol of Mario Kart Wii. It can also print infos about current races and detect the usage of different cheats and used glitches.

Intention

In November 2012, Wiimm decided to analyze the network protocol of Mario Kart Wii. The main goal was to discover online cheaters. Another goal was to set up his own server if Nintendo ever shut down its servers, which eventually happened on May 20th, 2014.

The main feature is to dump the packets of a tcpdump (done by tcpdump or wireshark) in a user-friendly format. After first experiments, it also became a live racing statistic tool.

The Tool

Based on new knowledge made with Wiimmfi development, Wiimm has restructured mkw-ana. The important changes since v1.02 are:

• New record analysis.
• Improved detection of race type (racing, balloon, coin, team, global, private room) and race stages.
• Improved detection of current active players.
• Improved hex dumps.
• Complete new RACE command:
  • It shows battles and normal races.
  • It shows the in-game players while in VIEW mode.
  • Log messages are printed in an own scroll region.
  • special tables that shows client and racing slot usage.
• Friend code calculation by Wii or by NDS mode.
  • Support of an internal database to find the correct friend code calculation. This database can be modified by external files.
• Support of an internal secret database. It is needed to decode MS answers. This database can be modified by external files.
• User defined race and statistics tables. The columns can be enabled and ordered by the new option --table. Alternatively the table definitions can be exported by 'mkw-ana tables, edited and then read by option --tfile.
• Configurable tables: Columns can be selected and ordered by options or definiton files.
• A backend server:
  • The backend server is enabled by option --cmd <ADDRESS>:<PORT> or --cmd unix:<FILE>.
  • The number of backend clients is not limited.
  • The backend server work either in a simple stream modus (use e.g. ncat or netcat for it) or in interactive modus using telnet negotiations.
  • The server has an built-in help. Just type "HELP".

With v1.07, mkw-ana can send ban jobs to Wiimmfi if a not allowed cheat is detected and the user have the rights to ban.

• Using of 19 different glitches is checked. Some of them may trigger an autnoatic ban.
• Many item cheats are detected. Because of to less packets false positives are possible. But if really an item cheat is used, the item cheat counter goes >4 in a race.
• Instant drift is detected. A relative rate is used as trigger to avoid false positives.
• Moving around before race start is detected.
• Enabling an item before race start is detected.
• Manipulation of finish time is detected.

With v1.13, the GPCM server send extra message to inform the cleint about room players and their status. mkw-ana extract these infos and creates a room table. But the new room status is not used at the frontend yet and only available at by beackend comamnd »WIIMMFI«. Try »WATCH WIIMMFI«.

Change log

mkw-ana v1.15 r2787 - 2017-08-21

 - Backend command »WIIMMFI« improved. Try »WATCH WIIMMFI«.

 - \wiimmfi\: New data about inactive clients scanned and used.

 - New frontend command: BACKEND:
   The frontend works like an interactive backend connection. (EXPERIMENTAL)

 - Different minor updates.

 - Windows only: Cygwin update to v2.8.1, 2017-07-03.


mkw-ana v1.14 r2631 - 2016-12-08

 - Detection of GPCM \wiimmfi\...\final\ packets.
    - The statistics table is only available at the backend yet.
    - Update of peer-connection flags.

 - Bug fix: Command FLOWRATES failed sometimes.

 - Bug fix: Better detection of invalid STATUS packages. A warning is printed.

 - New option: --warn-mode=LIST: Define, which warnings are enabled:
    - LENGTH  :  Racing records with wrong length.
    - XLENGTH :  Like RACE but be more verbose.
    - STATUS  :  Invalid STATUS records.
    - EVENT   :  Unknown event found.
    - DEFAULT := LENGTH | XLENGTH | STATUS
    - ALL and NONE are also possible.

 - Command SILENT is now silent again. It also disables all warnings.

→ old logs

General Description

The tool started as simple hex dumper reading network dumps in PCAP format. In the first phase of the tool, the textual dumps of wireshark and tcpdump were much better. But after only a few days, the tool learned to handle records, clients, users, friend codes and Miis. From this moment the tool was better to analyze the Mario Kart Wii traffic.

Now, mkw-ana split the traffic into records and scans some data to detect stages of the online meetings. Stages are for example room, prepare race, count down, racing and end of race. It is able to separate races into events (grand prix and team grand prix) and to calculate racing tables. Racing data can also be exported to support live statistics.

At the moment there are four different kinds of hexdumps. All 4 are able to dump in one line mode to have large tables. Tool less is here a very good tool for vertical and horizontal scrolling. The stages are includes into the dump as comment lines. The dumped records can be filters by sending, receiving, proxy, record types, stage types and packet length. It is also possible to select the dumped bytes by indices and ranges.

With beginning of version 1.02, Wiimm used the knowledge of the Wiimmfi development to re-implement record and stage detection. For example: If you enter a game in visitor modus, then mkw-ana shows racing data before you can see anything of the race on the screen.

Since version 1.06, mkw-ana has a built-in backend server. The user can login with any telnet client and can e.g. reconfigure the table layout or request tables of old races or control the autoban system.

Download

You can find the latest and some old distributions here

• http://download.wiimm.de/mkw-ana/

Content

• Binaries for:
  • Linux i386
  • Linux x86_64
  • Cygwin/Windows (Needed Cygwin^[1] DLL files are delivered. Best is to install a Cygwin system).
• Some scripts as examples.
• Some BMG text examples.
• Some doc files.

Sometimes I upload single tool updates (beta versions) for testers

• http://download.wiimm.de/mkw-ana/bin/

Capture the network data

First you must capture the network traffic of the Wii. Therefore you must redirect it to a PC running a capture software. There are 3 general ways to to this:

• If you have a manageable switch, enable port mirroring and send all Wii traffic to a PC.
• Use your PC as router.
• Use old network hubs (not switches). A hub will mirror all traffic of all ports to all others; it's just a multi port repeater and will slow down your network.

Use a software like tcpdump or wireshark to capture the data. Best is to save the captured data directly to a file or to send it to other commands like mkw-ana for a live analysis.

It's also possible to save the data to a file and to make a live analysis at the same time. Use the following command pipe:

tcpdump -w- -U -i eth1 host wii | tee save.dump | mkw-ana ...

It is important to filter the data by host ip_or_name, because foreign traffic interfere the wii traffic analysis and will have curious side effects.

If using wireshark, save the dump to a file and use the following command for a live analysis:

mkw-ana COMMAND --follow DUMPFILE ...

DUMPFILE can not only be a standard file, it can also be a socket or a ZCP7IP connection.

See »Dumping Network Traffic« more more details.

Accepted file formats

mkw-ana accepts the following file formats for the network dumps:

• PCAP 2.4 : Standard packet capturing file format^[2].
  • Big and little endian are supported.
  • Timestamps in micro- and in nanoseconds are supported.

• PCAP 2.4.modified : Like PCAP, but with an extend packet header. This format is used by several routers, AVM FRITZ!Box^[3] is one example.
  • Big and little endian are supported.
  • Only microseconds timestamps are supported.

• PCAP-NG 2.4.modified : A next generation (NG) PCAP format^[4].
  • Big and little endian are supported.
  • Microseconds timestamps are assumed, other are not supported.
  • Only the Enhanced Packet Block^[5] is supported to retrieve packets.

• BZIP2 compression
  • mkw-ana detects a BZIP2 compression automatically. It is supported for all other dump file formats.

mkw-ana accepts any list of dump files. The file format is detected for each single input file, so mixed formats are possible. The special file name »-« (minus sign) means: Don't open the file and and read the standard input (stdin) instead. So one of the input files can be read via pipe.

Live Statistics

mkw-ana can scan the network traffic in real time print a complete race statistics and more at the text screen. Moreover it can create makedoc or php data files after each race to create.

First, you must capture the network traffic like described above. Then use one of the commands:

... | mkw-ana race
mkw-ana race --follow DUMPFILE

With this command you'll see information about selected the track, entering the room and a live game statistics. Important infos about cheats and glitches are added if detected.

Links

• Network Protocol
• Discussion at Wii-Homebrew.com (german forum)

References