Difference between revisions of "Wiimms mkw-ana (tool)"

The tools mkw-ana is a new project by Wiimm to analyze the network protocol of Mario Kart Wii.

Intention

In November 2012, Wiimm decided to analyze the network protocol of Mario Kart Wii. The main goal was to discover online cheaters. Another goal was to set up his own server if Nintendo ever shut down its servers, which eventually happened on May 20th, 2014.

The main feature is to dump the packets of a tcpdump (done by tcpdump or wireshark) in a user-friendly format. After first experiments, it also became a live racing statistic tool.

The Tool

Based on new knowledge made with Wiimmfi development, Wiimm has restructured mkw-ana. The important changes since v1.02 are:

• New record analysis.
• Improved detection of race type (racing, balloon, coin, team, global, private room) and race stages.
• Improved detection of current active players.
• Improved hex dumps.
• Complete new RACE command:
  • It shows battles and normal races.
  • It shows the in-game players while in VIEW mode.
  • Log messages are printed in an own scroll region.
  • special tables that shows client and racing slot usage.
• Friend code calculation by Wii or by NDS mode.
  • Support of an internal database to find the correct friend code calculation. This database can be modified by external files.
• Support of an internal secret database. It is needed to decode MS answers. This database can be modified by external files.
• User defined race and statistics tables. The columns can be enabled and ordered by the new option --table. Alternatively the table definitions can be exported by 'mkw-ana tables, edited and then read by option --tfile.
• Configurable tables: Columns can be selected and ordered by options or definiton files.
• A backend server:
  • The backend server is enabled by option --cmd <ADDRESS>:<PORT> or --cmd unix:<FILE>.
  • The number of backend clients is not limited.
  • The backend server work either in a simple stream modus (use e.g. ncat or netcat for it) or in interactive modus using telnet negotiations.
  • The server has an built-in help. Just type "HELP".

Change log

mkw-ana v1.06 r2302 - 2015-07-21

 - mkw-ana has now its own backend server. The communication goes over TCP/IP
   or unix sockets:

    - The server is activated by option --cmd ADDR:PORT or --cmd unix:FILE.

    - The backend server supports up to 3 coexistent sockets.

    - The server supports telnet negotiation. An active client or the command
      INTERACTIVE enables full telnet support. Also typing RETURN as very first
      character enables telnet negotiation.

    - The telnet interface supports line editing with command history support
      and a status line. It shows always the current scanning status.

    - Option --history loads and stores a command history.

    - Option --wait tells mkw-ana to not terminate and to wait for more
      connections.

    - Option --exec defines commands, that are executed by a virtual backend
      connection in non-interactive modus after setup.

    - Try --cmd=0 and @'telnet 127.0.0.1 12000'@ for an interactive session.

    - Try --cmd=0 and @'echo command | ncat 127.0.0.1:12000'@ for jobs.

    - Command TRACKS prints the track names of selected races.

    - Commands TABLES, FINISH, GRANDPRIX and TOTALS print the status tables
      for selected races. The table layout can be modified for the client only
      or for the main program (=default for new clients).

    - Commands SUSPEND and CONTINUE allow small step analysis of the dump.

    - Commands KEYS informs about commands key mapping for line editing and for
      the pager.

    - Commands HELP informs about all available commands and options.

 - The warnings about manipulated packets has a new layout. The client IP is
   always printed now. This is important if no user data is found.

 - Some packets like cheated lightnings are repeated by other clients. The old
   version of mkw-ana reported this wrongly as cheat by the carrier.


mkw-ana v1.05 r2220 - 2015-07-04

 - Bug fix: Under some condition the proxy client instead the original
   sender is assigned to a slot named by the racing data.

 - New modes for --print and --table: DRIVER, VEHICLE and COMBI. COMBI
   combines driver and vehicle into 9 characters of format 'driv,vehi'.

 - Option --table supports now the statistics tables STARTER, FINISH,
   GRANDPRIX (former EVENT) and TOTALS.

 - New option --tfile=file: Read the table definitions from a file.

 - New command: TABLES: Print out table columns with usage comments and/or a
   complete column description. The output can be edited and used as private 
   table setup and is compatible with the input format of option {--tfile}.

 - More messages adapted to the new message system (with scroll region).

 - The CRC32 checksums for data packets are calculated and compared.
   A warning is printed on failure.

 - Overall, the layout of command RACE is renewed.

→ old logs

General Description

The tool started as simple hex dumper reading network dumps in PCAP format. In the first phase of the tool, the textual dumps of wireshark and tcpdump were much better. But after only a few days, the tool learned to handle records, clients, users, friend codes and Miis. From this moment the tool was better to analyze the Mario Kart Wii traffic.

Now, mkw-ana split the traffic into records and scans some data to detect stages of the online meeting. Stages are for example room, prepare race, count down, racing and end of race. It is able to separate races into events (grand prix and team grand prix) and to calculate racing tables. Racing data can also be exported to support live statistics.

At the moment there are three different kinds of hexdumps. All 3 are able to dump in one line mode to have large tables. Tool less is here a very good tool for vertical and horizontal scrolling. The stages are includes into the dump as comment lines. The dumped records can be filters by sending, receiving, proxy, record types, stage types and packet length. It is also possible to select the dumped bytes by indices and ranges.

With version 1.02 Wiimm used the knowledge of the Wiimmfi development to re-implement record and stage detection. For example: If you enter a game in visitor modus, then mkw-ana shows racing data before you can see anything of the race on the screen.

Since version 1.06, mkw-ana has a built-in backend server. Th euser can login with any telnet client and can e,g, reconfigure the table layout or request tables of old races.

Download

You can find the latest and some old distributions here

• http://download.wiimm.de/mkw-ana/

Content

• Binaries for:
  • Linux i386
  • Linux x86_64
  • Cygwin/Windows (Needed Cygwin^[1] DLL files are delivered. Best is to install a Cygwin system).
• Some scripts as examples.
• Some BMG text examples.
• Some doc files.

Sometimes I upload single tool updates (beta versions) for testers

• http://download.wiimm.de/mkw-ana/bin/

Capture the network data

First you must capture the network traffic of the Wii. Therefore you must redirect it to a PC running a capture software. There are 3 general ways to to this:

• If you have a manageable switch, enable port mirroring and send all Wii traffic to a PC.
• Use your PC as router.
• Use old network hubs (not switches). A hub will mirror all traffic of all ports to all others; it's just a multi port repeater and will slow down your network.

Use a software like tcpdump or wireshark to capture the data. Best is to save the captured data directly to a file or to send it to other commands like mkw-ana for a live analysis.

It's also possible to save the data to a file and to make a live analysis at the same time. Use the following command pipe:

tcpdump -w- -U -i eth1 host wii | tee save.dump | mkw-ana ...

It is important to filter the data by host ip_or_name, because foreign traffic interfere the wii traffic analysis and will have curious side effects.

If using wireshark, save the dump to a file and use the following command for a live analysis:

mkw-ana COMMAND --follow DUMPFILE ...

See »Dumping Network Traffic« more more details.

Accepted file formats

mkw-ana accepts the following file formats for the network dumps:

• PCAP 2.4 : Standard packet capturing file format^[2].
  • Big and little endian are supported.
  • Timestamps in micro- and in nanoseconds are supported.

• PCAP 2.4.modified : Like PCAP, but with an extend packet header. This format is used by several routers, AVM FRITZ!Box^[3] is one example.
  • Big and little endian are supported.
  • Only microseconds timestamps are supported.

• PCAP-NG 2.4.modified : A next generation (NG) PCAP format^[4].
  • Big and little endian are supported.
  • Microseconds timestamps are assumed, other are not supported.
  • Only the Enhanced Packet Block^[5] is supported to retrieve packets.

• BZIP2 compression
  • mkw-ana detects a BZIP2 compression automatically. It is supported for all other dump file formats.

mkw-ana accepts any list of dump files. The file format is detected for each single input file, so mixed formats are possible. The special file name »-« (minus sign) means: Don't open the file and and read the standard input (stdin) instead. So one of the input files can be read via pipe.

Live Statistics

mkw-ana can scan the network traffic in real time and can produce makedoc or php data files. Together with ssh and a cgi script, a live statistic is created. Live means that the tables are updates 2-5 seconds after the race have finished.

How it works

The whole job is done by 3 processes:

1. First, you must capture the network traffic like described above. Then use one of the commands:

   ... | mkw-ana log --md  DATAFILE
   ... | mkw-ana log --php DATAFILE
   mkw-ana --follow DUMPFILE log --md  DATAFILE
   mkw-ana --follow DUMPFILE log --php DATAFILE
   

2. Each time, a new DATAFILE is written, it must be transferred to the web server. A script using ssh, sftp scp or ftp within an endless loop will do this job automatically.
3. Last not least, a CGI or PHP script running at the web server must read the data files to serve a html-page to the visitors.

To see, what live means, visit the live statistics on Wednesday or Thursday between 19:10 and 20:30 CET (Central European Time).

Links

• MKWii Network Protocol
• Discussion at Wii-Homebrew.com (german forum)

References

Template:MKWii Network Protocol