Getting set up to use Kaeru WFC is easy! All you need is your DS, a game supported by Wiimmfi, and a compatible 2.4GHz wireless access point (see the 'Notes on WiFi' section below for more information).


Instructions for Nintendo DS games (on all consoles)

  1. Enter the Nintendo WFC Settings menu, which can be found in any WFC-enabled game.
  2. Select 'Nintendo Wi-Fi Connection Settings'.
  3. Set up a connection if you haven't already done so, then select the connection slot you wish to use.
  4. Scroll down to the bottom and change the 'Auto-obtain DNS' setting to 'No'.
  5. Change the 'Primary DNS' setting to 178.062.043.212.
  6. Ensure that the 'Secondary DNS' setting is set to 0.0.0.0 so that the DS doesn't try to connect to another DNS server. (This is one of the most common causes of issues and instability.)
  7. Save the connection settings then exit the WFC menu.


Instructions for DSiWare and DSi-Enhanced Games

A few games, such as Pokémon Black/White/Black 2/White 2, are so-called 'DSi Enhanced' games which, along with DSiWare titles, can take advantage of the more capable WiFi hardware on DSi and 3DS consoles. You can configure these to connect with modern access points as follows:

DSi

  1. Launch the 'System Settings' application from the DSi Menu.
  2. Go to page 3 of the System Settings menu and select 'Internet'.
  3. Select 'Connection Settings'.
  4. Select 'Advanced Setup'.
  5. Set up a connection if you haven't already done so, then select the connection slot you wish to use.
  6. Select 'Change Settings'.
  7. Set 'Auto-Obtain DNS' to 'No', then select 'Detailed Setup'.
  8. Change the 'Primary DNS' setting to 178.062.043.212.
  9. Ensure that the 'Secondary DNS' setting is set to 0.0.0.0 so that the DS doesn't try to connect to another DNS server. (This is one of the most common causes of issues and instability.)
  10. Select 'OK'.
  11. Select 'Save' to confirm the new settings and then perform a connection test.


3DS

Please note that whilst custom DNS settings are in effect within the 3DS Internet Settings you may be unable to use 3DS online services.

  1. Launch the 'System Settings' application from the HOME Menu.
  2. Select 'Internet Settings'.
  3. Select 'Connection Settings'.
  4. Set up a connection if you haven't already done so, then select the connection slot you wish to use.
  5. Select 'Change Settings'.
  6. Scroll to the right page and select 'DNS'.
  7. Set 'Auto-Obtain DNS' to 'No', then select 'Detailed Setup'.
  8. Change the 'Primary DNS' setting to 178.062.043.212.
  9. Ensure that the 'Secondary DNS' setting is set to 0.0.0.0 so that the DS doesn't try to connect to another DNS server. (This is one of the most common causes of issues and instability.)
  10. Select 'OK' twice to leave the DNS menu.
  11. Select 'Save' to confirm the new settings and then perform a connection test.


Notes on WiFi

Because the WiFi hardware in the DS/DS Lite wasn't built to support 'modern' encryption schemes such as WPA or WPA2, nor 5GHz frequencies, to play the vast majority of DS games online you'll need to set up an access point which either uses weak WEP 'security', or no security at all.


One way you could do this would be to set up an unsecured guest network on your wireless router, and enable MAC address filtering so that only your DS can use it. Alternatively, you could set up an open mobile hotspot if your phone allows it, and switch it off once you've finished playing.


Notes on DNS

Kaeru WFC works by using a custom DNS server, which essentially acts as an alternative 'address book' for the DS to search when it wants to find the IP addresses of Nintendo's game servers. Instead of pointing to the original / 'official' servers, when the DS asks where it would find, for example, the Nintendo WFC auth server, we tell it that it can find that server at an address controlled by Kaeru.


Here's another way to think about it - say you're a cool early 2000s kid who wants to phone Nintendo's headquarters. Assuming you weren't allowed to use the Internet for whatever reason, you'd look up the phone number for Nintendo in a telephone directory. In this case, we're swapping the normal phone directory that you use for a special one - this special phone book has a different phone number listed for 'Nintendo', which is a direct line to someone else who sounds like Nintendo, acts like Nintendo and for all intents and purposes gives the same info as Nintendo (but technically isn't).


In this scenario, although we have no way to tell the DS that it should speak to us instead of Nintendo without hacks or patches, we can 'misdirect' it and just pretend to be Nintendo ourselves; this trick means that there is no need to patch games to use Kaeru WFC, as DNS server settings can be changed easily in the console network settings :)


Note however that you might encounter issues with some ISPs / mobile networks / phones as sometimes queries to custom DNS servers are intercepted, perhaps for parental controls or ad blocking. This can unfortunately break Kaeru WFC and similar services as the DS is unable to contact our servers, so we recommend disabling any such services if you can.


Sudomemo DNS

If you're using Sudomemo on your console, you may already be using a custom DNS server to access it. Unfortunately at the moment it isn't possible to have your console configured to use both Sudomemo and online play at the same time, but we're in talks with Sudomemo to try to improve this situation - stay tuned for further updates.


At the moment, while you're using Kaeru DNS, trying to access 'Flipnote Hatena' within Flipnote Studio will connect to IPGFlip (an alternative Flipnote service) instead of Sudomemo; there's no harm in this and we encourage you to take a look around IPGFlip if you like, but you can always change your DNS settings back again to access Sudomemo and vice-versa as often as you like.


Notes on SSL

As well as the above DNS trick, there's one more aspect that's essential to pull this all off, since DS games use SSL encryption for their web traffic.


SSL encryption (known as TLS in its modern form, and the 'secure' part in HTTPS) is based around something called a 'public key infrastructure' (PKI), in which clients have a 'root of trust' / 'trust anchor' (often several of them) which they trust to certify other individuals / servers are who they claim to be.


In a typical scenario, website administrators apply to a 'certificate authority' (CA) to request that the CA certifies (signs) a certificate for them. These certificates attest that their holder is the owner of a particular domain name, and the website owner would upload this to their web server to send to web browsers at the start of every session.


Certificates also include something called a 'public key', which has a corresponding (secret) 'private key'. Public keys can be used to encrypt data such that only someone with the matching private key can decrypt it, and private keys can be used to create digital signatures so that anyone with the public key can verify that only the holder of the private key could reasonably have signed some piece of data. These two concepts enable clients to establish an encrypted communications channel with a server, although this is an oversimplification.


Browser / OS vendors typically bundle several CA 'root certificates' in their trust store; these act as the 'trust anchors' we mentioned earlier, and clients verify that signatures on certificates presented by web servers can be traced back to a trusted CA root. Assuming you don't have any nefarious root CA certificates installed on your system, this is how your browser can trust when you use online banking that it's truly communicating with the real Acme Bank web server at 'acmebank.com', and not someone intercepting the communication.


Back to the DS specifically, our server exploits a bug in the security code in DS games to impersonate Nintendo servers when talking to the DS. We dubbed this "nds-constrain't", because the DS ignores something called a 'basic constraint' in SSL certificates. The basic constraints section of a certificate is inserted by the CA and is meant to specify what the certificate is and isn't allowed to be used for; for example, so-called 'client' certificates typically aren't allowed to certify other people. Because the DS doesn't check this, if you have any certificate signed by a root CA in the game's trust store, along with its corresponding private key, it can be used to further certify any other certificate you like.


As it happens, such a certificate can be found on every Wii - a client certificate which Wiis used to authenticate themselves to the Wii Shop servers, which fortunately happens to be signed by the same root CA that Nintendo used to sign their WFC server certificates! Because the DS doesn't check whether or not a certificate is authorised to act as a certificate authority, we can use this to certify whatever we like.
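
To make the missing check concrete, here is an added example (not Kaeru's server code, and not taken from any DS game) that uses Python's 'cryptography' package to build a constructed three-certificate chain and walk it twice: once trusting signatures alone, and once also requiring every issuer to be marked as a CA. All names and keys are made up for the demonstration, and the walk leaves out validity dates, path length and key usage.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Build a constructed test certificate; every name and key here is made up."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if the issuer's public key verifies the signature on cert."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def may_issue(cert):
    """True only if basicConstraints is present and marks the certificate as a CA."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def chain_ok(chain, check_basic_constraints):
    """Walk a leaf-first chain that ends at the trust anchor."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not signed_by(cert, issuer):
            return False
        if check_basic_constraints and not may_issue(issuer):
            return False  # signature is valid, but this issuer may not certify others
    return True

# Constructed chain: root CA -> client certificate (CA:FALSE) -> server certificate.
root_key, client_key, server_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = make_cert("Example Root CA", root_key, "Example Root CA", root_key, True)
client = make_cert("example-client", client_key, "Example Root CA", root_key, False)
server = make_cert("server.example", server_key, "example-client", client_key, False)
chain = [server, client, root]

print("signature-only walk accepts:", chain_ok(chain, check_basic_constraints=False))
print("walk with CA check accepts: ", chain_ok(chain, check_basic_constraints=True))
```

Every signature in the chain is genuine, so only the second walk notices that the middle certificate was never authorised to sign anything.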