76
edits
Changes
Jump to navigation
Jump to search
Line 9:
Line 9: − + Line 114:
Line 114: − + − - The titleID of StreetPass Mii Plaza is 00020800 according to http://3dbrew.org/wiki/Title_list+ − - The last byte (flags) have been observed between those possibilities :+ Line 129:
Line 129: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 149:
Line 407: + + + + + + + + + + + + + + Line 154:
Line 426: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→StreetPass Relay
== CCMP Key ==
== CCMP Key ==
The StreetPass local-WLAN CCMP data-encryption key is generated by the StreetPass CECD module, where the CCMP key is the 16-byte output from encrypting an all-zero block with AES-CTR via [[PS:EncryptDecryptAes]], with keytype6. The CTR is the first 0x10-bytes from a SHA1-HMAC hash. The SHA1-HMAC key is a 17-byte text string including the NULL-terminator, a seperate HMAC key is used for retail/dev-units, this is determined via [[Configuration_Memory|UNITINFO]] bit0. The data hashed with SHA1-HMAC is a 0x1C-byte buffer, which is described below.
The StreetPass local-WLAN CCMP data-encryption key is generated by the StreetPass CECD module, where the CCMP key is the 16-byte output from encrypting an all-zero block with AES-CTR via [[PS:EncryptDecryptAes]], with keytype6. The CTR is the first 0x10-bytes from a SHA1-HMAC hash. The SHA1-HMAC key is a 17-byte text string including the NULL-terminator, a seperate HMAC key is used for retail/dev-units, this is determined via [[Configuration_Memory#ENVINFO|ENVINFO]] bit0. The data hashed with SHA1-HMAC is a 0x1C-byte buffer, which is described below.
=== Hash Block ===
=== Hash Block ===
Street Fighter: 00 03 05 00 02 (FF FF FF FF FF FF)
Street Fighter: 00 03 05 00 02 (FF FF FF FF FF FF)
The first 4 bytes are the titleID of the service, the last byte seems to contain flags :
The first 4 bytes are the titleID of the service, the last byte seems to contain flags.
The last byte (flags) have been observed between those possibilities :
00000000
00000000
Some services have a 6-byte field succeeding the StreetPass service that is just FF bytes (e.g. FF FF FF FF FF FF). The purpose of these is unknown, although may be used as data for a service, or as separator of some sort for different types of StreetPass services.
Some services have a 6-byte field succeeding the StreetPass service that is just FF bytes (e.g. FF FF FF FF FF FF). The purpose of these is unknown, although may be used as data for a service, or as separator of some sort for different types of StreetPass services.
Observed services (leading titleID 0x00 removed, 6*0xff ignored) on 68K probe requests between 2013-08-24 and 2014-06-29 in various european locations.
The fact that a same titleID can have different flags should be noted.
0db6-00100000 5
0db6-00110000 20
{| class="wikitable" border="1"
|-
! Occurrences
! TitleID
! Flags
|-
| 131
| 0208
| 00000000
|-
| 58
| 0516
| 00010000
|-
| 56
| 053f
| 00100000
|-
| 55
| 0306
| 00100000
|-
| 44
| 0862
| 00110000
|-
| 26
| 09f1
| 00110000
|-
| 20
| 0db6
| 00110000
|-
| 18
| 0516
| 00110000
|-
| 18
| 0205
| 00110010
|-
| 17
| 0ec4
| 00110000
|-
| 17
| 0300
| 00110000
|-
| 16
| 055d
| 00110000
|-
| 13
| 08d3
| 00010000
|-
| 13
| 053b
| 00100000
|-
| 12
| 0916
| 00100000
|-
| 12
| 07ad
| 00100000
|-
| 12
| 0306
| 00110000
|-
| 12
| 0300
| 00100000
|-
| 11
| 0916
| 00110000
|-
| 9
| 0b1d
| 00110000
|-
| 8
| 0ec4
| 00100000
|-
| 7
| 080f
| 00110000
|-
| 7
| 07c8
| 00100000
|-
| 6
| 038a
| 00100000
|-
| 5
| 0f30
| 00110000
|-
| 5
| 0db6
| 00100000
|-
| 5
| 0910
| 00110000
|-
| 5
| 0862
| 00100000
|-
| 5
| 053f
| 00110000
|-
| 5
| 0522
| 00110000
|-
| 4
| 07ad
| 00110000
|-
| 3
| 0ae2
| 00110000
|-
| 3
| 09f1
| 00100000
|-
| 3
| 08c5
| 00110000
|-
| 3
| 038c
| 00000000
|-
| 3
| 033b
| 00100000
|-
| 3
| 030b
| 00100000
|-
| 2
| 0ba9
| 00110000
|-
| 2
| 0a53
| 00110000
|-
| 2
| 08d3
| 00100000
|-
| 2
| 07ad
| 00010000
|-
| 2
| 0751
| 00110000
|-
| 2
| 0402
| 00100000
|-
| 1
| 0f82
| 00110000
|-
| 1
| 0f5b
| 00110000
|-
| 1
| 0e7f
| 00110000
|-
| 1
| 0bff
| 00110000
|-
| 1
| 0b1d
| 00100000
|-
| 1
| 0ad6
| 00010000
|-
| 1
| 0a90
| 00110000
|-
| 1
| 0a05
| 00100000
|-
| 1
| 073c
| 00110000
|-
| 1
| 06da
| 00100000
|-
| 1
| 05aa
| 00110000
|-
| 1
| 05a5
| 00110000
|-
| 1
| 053b
| 00110000
|-
| 1
| 04ca
| 00110000
|-
| 1
| 038a
| 00110000
|-
| 1
| 033b
| 00110000
|-
| 1
| 030b
| 00110000
|-
| 1
| 0305
| 00000010
|}
===== Unknown 2-byte Field =====
===== Unknown 2-byte Field =====
The 3DS (#1) that the Initial Probe Response is directed to will send an 802.11 Action frame back to the device. The sequence numbers at this point stop stepping up by 3, and instead increase by one based from each originating device's SN. It will then send another Probe Request, this time sent directly to the responding 3DS (#2) by specifying its MAC address in the destination field, and setting its own MAC address in the source address field. It also does not have a SSID specified in the frame, except the frame will contain a BSSID with the value of the 3DS (#2) that responded to the initial Probe, and thus acts as the master in the 802.11 exchange.
The 3DS (#1) that the Initial Probe Response is directed to will send an 802.11 Action frame back to the device. The sequence numbers at this point stop stepping up by 3, and instead increase by one based from each originating device's SN. It will then send another Probe Request, this time sent directly to the responding 3DS (#2) by specifying its MAC address in the destination field, and setting its own MAC address in the source address field. It also does not have a SSID specified in the frame, except the frame will contain a BSSID with the value of the 3DS (#2) that responded to the initial Probe, and thus acts as the master in the 802.11 exchange.
=== Send Mode ===
The 3DS can mark StreetPass data with one of 4 Send Modes
{| class="wikitable" border="1"
!ID!!Send Mode!!Description
|-
|0||EXCHANGE||StreetPass message exchange will only happen if both consoles can store the message of the other. E.g. the inbox isn't full. Example title: StreetPass Mii Plaza
|-
|1||RECV_ONLY||3DS doesn't have anything in its outbox so it is only receiving messages.
|-
|2||SEND_ONLY||
|-
|3||SEND_RECV||
|}
== StreetPass Spoofing ==
== StreetPass Spoofing ==
A streetpass "AP" was spoofed with hostapd by setting the SSID to "Nintendo_3DS_continuous_scan_000", with the extra Nintendo tag from another 3DS' probe request. Like 3DS<>3DS communications, the 3DS didn't authenticate or associate with the host. Streetpass communications use CCMP encryption. Eventually the 3DS stops communicating with the host since the host doesn't reply to any of the data frames, then sends a 802.11 "Action" frame, with category ID 0x7f and Nintendo's vendor ID: 00 1f 32.(However the 3DS keeps communicating with the above process repeatedly)
A streetpass "AP" was spoofed with hostapd by setting the SSID to "Nintendo_3DS_continuous_scan_000", with the extra Nintendo tag from another 3DS' probe request. Like 3DS<>3DS communications, the 3DS didn't authenticate or associate with the host. Streetpass communications use CCMP encryption. Eventually the 3DS stops communicating with the host since the host doesn't reply to any of the data frames, then sends a 802.11 "Action" frame, with category ID 0x7f and Nintendo's vendor ID: 00 1f 32.(However the 3DS keeps communicating with the above process repeatedly)
Communication with two 3DSes are the same as above except there's actual encrypted data sent to/from both consoles, unlike the fake host.
Communication with two 3DSes are the same as above except there's actual encrypted data sent to/from both consoles, unlike the fake host.
==StreetPass Relay==
This feature was implemented in version [[6.2.0-12]].
It was probably controlled over the [[SpotPass#policylist]]. When connecting to a Nintendo Zone Hotspot the console will send an additional GET parameter named ''ap''. Adding the following priority to the policylist will instruct the console to upload its data (The level tag can probably be lower and must not be HIGH).
<pre>
<Priority>
<TitleId>0004013000003400</TitleId>
<TaskId>sprelay</TaskId>
<Level>HIGH</Level>
<Persistent>false</Persistent>
<Revive>false</Revive>
</Priority>
</pre>
===Request===
The following additional headers will be send in the request:
{| class=wikitable
|X-Boss-Apinfo||Access Point Info. The same number that is send with the policylist GET parameter ap. Probably identifies the SSID of connected Nintendo Zone Hotspot. If not connected to Nintendo Zone Hotspot this will be an empty string.||02012600000
|-
|X-Boss-Bssid||The MAC address of the access point the 3DS is connected to.||11:22:33:44:55:66
|-
|X-Boss-Country||2 letter country code of the set language.||ES
|-
|X-Boss-Region||3 letter region code of the 3DS' region.||EUR
|-
|X-Boss-Userid||A unique 16 character long hexadecimal string that represents a 64-bit integer. It is unknown how this number is generated.||6966442DE2EED063
|}
In the request body there will be a file named ''spr-meta'' and a file per registered StreetPass game ''spr-slotXX'' where XX is an incrementing number. If the game contains not messages in its outbox so the size of the file would be 0 then no file is created and sent but it will still be listed in the spr-meta file.
===spr-meta file===
The spr-meta file is a text file which may contain the following content.
<pre>
slotsize: 5
spr-slot01: 3,000EC400,10664
spr-slot02: 2,0007AD00,3648
spr-slot03: 3,00030000,3804
spr-slot04: 1,00051600,0
spr-slot05: 0,00020800,28228
</pre>
The comma seperated list after each spr-slotXX has the following meaning
{| class=wikitable
|Send Mode||StreetPass ID (Low title ID of the game. May be from a different region like japan.)||Size of the file in bytes
|}
===spr-slotXX files===
These are binary files. They begin a with a header with the follwing structure.
{| class=wikitable
!Offset!!Size!!Description
|-
|0x00||0x04||Magic number 0x00006161
|-
|0x04||0x04||Size of the file in bytes including this header
|-
|0x08||0x04||StreetPass ID (Low title ID of the game. May be from a different region like japan.)
|-
|0x0C||0x04||Unknown
|-
|0x10||0x04||Number of messages after this header
|}
After the header follows the StreetPass message exactly as it is stored in the outbox of [[CECD_Savegame#File_.3C12-char_ID.3E|CEC Save]].
===Response===
The following headers are expected:
{| class=wikitable
!Key!!colspan=3|Value!!Example
|-
|X-Spr-SlotXX-Result||StreetPass ID||Send Mode||Size of the file in bytes||X-Spr-Slot01-Result: 000EC400,3,17760
|}
It expects a header for every game it sent in the request.
The body is expected to contain binary data with the same structure as the spr-slotXX files in the request. The order of these must be the same as the reponse header order.
[[Category:Nintendo Software]]
[[Category:Nintendo Software]]