Difference between revisions of "SpotPass"

From 3dbrew
 
(49 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
'''SpotPass''' is a Nintendo 3DS feature that allows the 3DS to automatically download content, notifications, and software when it's in standby mode.(SpotPass may download/upload some content while the 3DS is in "active" mode, but *only* if the currently active app uses SpotPass) SpotPass can upload content as well. Software downloaded with SpotPass is stored on SD card.
 
'''SpotPass''' is a Nintendo 3DS feature that allows the 3DS to automatically download content, notifications, and software when it's in standby mode.(SpotPass may download/upload some content while the 3DS is in "active" mode, but *only* if the currently active app uses SpotPass) SpotPass can upload content as well. Software downloaded with SpotPass is stored on SD card.
  
SpotPass Internet communications are mostly small UDP frames and HTTPS transfers, the only HTTP download is the connection test page.
+
SpotPass Internet communications are mostly HTTPS transfers.
  
With the [[2.0.0-2]] update, SpotPass now regularly requests content over HTTPS from nppl.c.app.nintendowifi.net and sometimes nasc.nintendowifi.net. These are probably related to the SpotPass automatic software download functionality. Going by the domain names, nppl* might be for SpotPass software downloads?
+
In System Settings, you can disable SpotPass automatic title downloading, but it states that important software will still downloaded.(This only disables downloading of free titles via SpotPass)
In System Settings, you can disable SpotPass content downloading,(this is _only_ for free titles etc not auto system updates) but it states that important software will still downloaded. This is likely why SpotPass still connects to nppl* even with that option disabled.
 
  
'nasc.nintendowifi.net' confirmed usages:
+
'nasc.nintendowifi.net' confirmed usages:(not SpotPass related)
  
*Friends List application requires this server to be 'Online' (most likely the reason for regular requests to this server)
+
*Friends List applet requires this server to be 'Online' (most likely the reason for regular requests to this server)
*Required for initialization of E-shop, (for first time e-shop users). Not required for using E-Shop after first use.  
+
*Required for initialization of [[eShop]], (for first time eShop users). Not required for using eShop after first use.
  
== Homemenu SpotPass usage ==
+
In some cases the BOSS module will add the following URL parameter to HTTPS requests, when connected to a [[Nintendo Zone]] AP: "ap=<NZoneApNum>" or when using a specific [[Cfg:GetSystemModel|system model]]: "tm=<SystemModelNumber>". The Old 3DS and Old 3DS XL don't set this value.
  
Homemenu uses two domains with HTTPS for SpotPass. SpotPass stores this content in Homemenu's NAND shared extdata.
+
== policylist ==
 +
Every time the system connects to the wifi AP, the BOSS ("Background online storage service" = SpotPass) module itself will download the cleartext xml policylist: "https://nppl.c.app.nintendowifi.net/p01/policylist/3/<countrycode>". This policylist contains a list of SpotPass tasks for certain titles. This policylist can control whether the specified tasks are processed at all.
  
* Via the a248.e.akamai.net cache mirror npdl.c.app.nintendowifi.net is accessed. The content(using the SpotPass content container) downloaded from this seems to be related to notifications possibly. There's 4 files download from here, each of which are downloaded if updated every 24 hours. There's separate files stored on the server for each region and language.
+
As of the policylist updated 2017-11-08, this stops the <tt>OlvNotf</tt> (Miiverse notification sync) task for <tt>000400300000bc00</tt>, <tt>000400300000bd00</tt>, <tt>000400300000be00</tt> for all regions and <tt>basho0</tt> for the [[Home Menu]]. Japan also has the <tt>9ER_NTD</tt> task blocked for いつの間にテレビ (<tt>0004000000034700</tt>).
* The pls.c.shop.nintendowifi.net domain is used for uploading data from the NAND shared extdata. "pl" might be referring to "play log"? This is uploaded every 24 hours.
+
 
 +
== User Agent ==
 +
 
 +
The default user-agent used for SpotPass HTTPS requests (including the policylist) has the following format:
 +
 
 +
<tt><user agent codename>-<user agent version>/<printed hex u64 [[CfgS:GetLocalFriendCodeSeed|LocalFriendCodeSeed]]>-<printed hex u64 [[FRDU:GetMyFriendKey|Friend]] [[FRDU:PrincipalIdToFriendCode|Code]]>/<text [[CVer|system]] [[NVer|version]]>/<CTRSDK version of sysmodule>/<[[Cfg:GetSystemModel|system model number]]></tt>
 +
 
 +
The codename can be set to either <tt>PBOS</tt> (Production BOSS?) or <tt>DBOS</tt> (Development BOSS?) depending if the console is a [[Configuration_Memory#UNITINFO|retail]] unit. As of system version 11.17, the user agent version is hardcoded to 8.0 and the CTRSDK version is set to 62452 (0xF3F4).
 +
 
 +
No user-agent is used for plaintext HTTP requests with SpotPass.
 +
 
 +
== Titles Spotpass usage ==
 +
{| class="wikitable"
 +
|-
 +
! Title
 +
! Description
 +
|-
 +
| [[Home Menu]]
 +
| Home Menu uses SpotPass for system notifications, and for uploading data from home-menu shared extdata.
 +
|-
 +
| [[System Settings]]
 +
| System Settings uses SpotPass for uploading data, with this URL: https://npul.c.app.nintendowifi.net/p01/recv/<RegionID>/sendcfg This RegionID is separate from the RegionIDs home-menu uses.
 +
|-
 +
| ?
 +
| Unknown log data is uploaded with this URL: https://logus-p.est.c.app.nintendowifi.net/LogServer_us_live/Upload
 +
|}
  
 
== Automatic System Update Download ==
 
== Automatic System Update Download ==
 +
See [[Automatic System Update Download]].
  
With the [[2.0.0-2]] update, system updates updates are automatically downloaded via SpotPass. It only downloads updates, it will not install updates without the user's permission. See this: http://www.nintendo.com/consumer/systems/3ds/en_na/menu_update.jsp
+
== BOSS Sysmodule Savegame==
 
+
See [[BOSS Savegame]]
SpotPass downloads/checks for updates every 24 hours. This is identical to the system used for manual system updates: when it's time to check for updates, SpotPass will send a system update SOAP request to the server.
 
When there's an update available, SpotPass will then do the usual sysupdate procedure like manual sysupdates.
 
  
 
== Content Container ==
 
== Content Container ==
  
All SpotPass content uses this container to encrypt the payload and sign it. The cleartext payload is stored in [[extdata]]. The format of these headers is big-endian.
+
SpotPass content must use this container to encrypt the payload and sign it, for content downloads. The cleartext content is stored in [[extdata]]. The format of these headers is big-endian.
  
 
=== BOSS Header ===
 
=== BOSS Header ===
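Review bot: The added User Agent section states "No user-agent is used for plaintext HTTP requests with SpotPass", but this same revision drops the sentence that named the connection test page as the only HTTP download, so the page no longer says which requests are plaintext. Suggest keeping one sentence that identifies them. In the System Settings line, "will still downloaded" is missing "be".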
Line 34: Line 58:
 
! Offset
 
! Offset
 
! Length
 
! Length
!  
+
! Description
 
|-
 
|-
 
| 0x0
 
| 0x0
Line 42: Line 66:
 
| 0x4
 
| 0x4
 
| 0x4
 
| 0x4
| Magic Number 0x1000100
+
| Magic Number 0x10001
 
|-
 
|-
 
| 0x8
 
| 0x8
Line 50: Line 74:
 
| 0xC
 
| 0xC
 
| 0x8
 
| 0x8
| u64 release date (UNIX timestamp)
+
| u64 serial number (?)
 
|-
 
|-
 
| 0x14
 
| 0x14
 
| 0x2
 
| 0x2
| Must always be 0x2
+
| Must always be 0x1
 
|-
 
|-
 
| 0x16
 
| 0x16
Line 66: Line 90:
 
| 0x1A
 
| 0x1A
 
| 0x2
 
| 0x2
| Content header RSA type, always 0x2 for RSA-2048
+
| Content header RSA size, always 0x2 for RSA-2048 (X<<7)
 
|-
 
|-
 
| 0x1C
 
| 0x1C
 
| 0xC
 
| 0xC
| First 12 bytes of the CTR
+
| First 12 bytes of the Initialization Vector (IV)
 
|}
 
|}
  
Data following the header is encrypted with AES-CTR. The first 12 bytes of the CTR are from offset 0x1C of the header, while the last word of the CTR in big-endian is 0x1. The cleartext data begins with another header. Following that header is the actual content.
+
Data following the BOSS header is encrypted with AES-CTR. The AES key that is used is stored in [[AES_Registers#Keyslots|keyslot 0x38]]. The first 12 bytes of the IV are from offset 0x1C of the header, while the last 32-bit integer of the IV in big-endian is 0x1. The IV from the header is random per file, and an unique random IV is used each time the content is updated. The cleartext data begins with the content header.
 +
 
 +
The 64-bit number at 0xC may be a serial number which is increased every time someone requested to sign and create a boss container for a file. The 3DS sees the downloaded file as new if this number is different from the previous download (Doesn't matter if the number is bigger or smaller).
 +
 
 +
The boss system module v13314 begins at address 0x0010eb98 with the function for parsing the BOSS header.
  
 
=== Content Header ===
 
=== Content Header ===
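Review bot: In the paragraph added after the BOSS header table, "The boss system module v13314 begins at address 0x0010eb98 with the function for parsing the BOSS header" can be read as the module itself starting at that address. If the address is that of the parsing function, say so directly. "an unique random IV" should be "a unique random IV".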
Line 80: Line 108:
 
! Offset
 
! Offset
 
! Length
 
! Length
!  
+
! Description
 
|-
 
|-
 
| 0x0
 
| 0x0
Line 88: Line 116:
 
| 0x10
 
| 0x10
 
| 0x2
 
| 0x2
| ?
+
| Number of payload contents (Payload Content Header + Payload)
 
|-
 
|-
 
| 0x12
 
| 0x12
Line 99: Line 127:
 
|}
 
|}
  
The hash at offset 0x12 hashes the 0x10-byte data at offset 0x0 followed by a zero u16.
+
The first 0x10-bytes are all-zero except the first byte which is usually 0x80. It's unknown what the first 0x10-bytes are used for.
 +
 
 +
The 16-bit value at 0x10 tells how many payload contents follow after this the content header. For example there can be a downloaded file for a game followed by a message for the news system module.
 +
 
 +
The hash at offset 0x12 hashes the 0x12-byte data at offset 0x0 followed by a zero u16. The RSA signature is signed by Nintendo. Following this header is the actual content payload, which is written to a cleartext file under the [[extdata]] /boss directory.
 +
 
 +
=== Payload Content Header ===
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Length
 +
! Description
 +
|-
 +
| 0x0
 +
| 0x8
 +
| ProgramID
 +
|-
 +
| 0x8
 +
| 0x4
 +
| Usually zero?
 +
|-
 +
| 0xC
 +
| 0x4
 +
| Content datatype, used for filtering with [[BOSSU:GetNsDataIdList]].
 +
Usually 0x10001? (observed 0x20001 in eShop strings)
 +
|-
 +
| 0x10
 +
| 0x4
 +
| Size of the payload after this header
 +
|-
 +
| 0x14
 +
| 0x4
 +
| [[BOSS_Services|NsDataId]], used for generating the extdata filepath.
 +
|-
 +
| 0x18
 +
| 0x4
 +
| Probably some version field for the payload
 +
|-
 +
| 0x1C
 +
| 0x20
 +
| SHA-256 hash
 +
|-
 +
| 0x3C
 +
| 0x100
 +
| RSA-2048 signature over the previous SHA-256 hash
 +
|}
 +
 
 +
This signature is signed by Nintendo with the same key-pair as the content header.
 +
 
 +
The hash at offset 0x1C hashes the 0x1C-byte data at offset 0x0 followed by a zero u16, followed by all of the remaining cleartext data following this header(the actual content data).
 +
 
 +
The downloaded boss data is written in the following format to extdata. The file name that is generated might be Base85/Ascii85 encoded.
 +
First an extdata header in the following format
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Length
 +
! Description
 +
|-
 +
| 0x0
 +
| 0x1
 +
| Size of header including this field. Always 0x18
 +
|-
 +
| 0x1
 +
| 0xB
 +
| Usually zero?
 +
|-
 +
| 0xC
 +
| 0x4
 +
| Unknown
 +
|-
 +
| 0x10
 +
| 0x4
 +
| Download date in format: Bit 0-5 = day, Bit 6-9 = month, Bit 10-20 = year
 +
|-
 +
| 0x14
 +
| 0x4
 +
| Usually zero? Padding?
 +
|}
 +
Followed by the Payload Content Header without the hash and signature (first 0x1C bytes) and the actual payload.
 +
 
 +
==Tools==
 +
* [http://wiiucodes.ddnss.eu/tools/BossDecryptor3DS.zip BossDecryptor3DS] Decrypts an encrypted boss container
 +
* [http://wiiucodes.ddnss.eu/tools/BossEncryptor3DS.zip BossEncryptor3DS] Builds and encrypts a file into a boss container
  
 
[[Category:Nintendo Software]]
 
[[Category:Nintendo Software]]

Latest revision as of 14:45, 3 July 2024

SpotPass is a Nintendo 3DS feature that allows the 3DS to automatically download content, notifications, and software when it's in standby mode. (SpotPass may download/upload some content while the 3DS is in "active" mode, but *only* if the currently active app uses SpotPass.) SpotPass can upload content as well. Software downloaded with SpotPass is stored on the SD card.

SpotPass Internet communications are mostly HTTPS transfers.

In System Settings, you can disable SpotPass automatic title downloading, but it states that important software will still be downloaded. (This only disables downloading of free titles via SpotPass.)

'nasc.nintendowifi.net' confirmed usages (not SpotPass related):

  • Friends List applet requires this server to be 'Online' (most likely the reason for regular requests to this server)
  • Required for initialization of eShop (for first-time eShop users). Not required for using eShop after first use.

In some cases the BOSS module will add the following URL parameter to HTTPS requests, when connected to a Nintendo Zone AP: "ap=<NZoneApNum>" or when using a specific system model: "tm=<SystemModelNumber>". The Old 3DS and Old 3DS XL don't set this value.

== policylist ==

Every time the system connects to the wifi AP, the BOSS ("Background online storage service" = SpotPass) module itself will download the cleartext xml policylist: "https://nppl.c.app.nintendowifi.net/p01/policylist/3/<countrycode>". This policylist contains a list of SpotPass tasks for certain titles. This policylist can control whether the specified tasks are processed at all.

As of the policylist updated 2017-11-08, this stops the OlvNotf (Miiverse notification sync) task for 000400300000bc00, 000400300000bd00, 000400300000be00 for all regions and basho0 for the Home Menu. Japan also has the 9ER_NTD task blocked for いつの間にテレビ (0004000000034700).

== User Agent ==

The default user-agent used for SpotPass HTTPS requests (including the policylist) has the following format:

<user agent codename>-<user agent version>/<printed hex u64 LocalFriendCodeSeed>-<printed hex u64 Friend Code>/<text system version>/<CTRSDK version of sysmodule>/<system model number>

The codename can be set to either PBOS (Production BOSS?) or DBOS (Development BOSS?) depending on whether the console is a retail unit. As of system version 11.17, the user agent version is hardcoded to 8.0 and the CTRSDK version is set to 62452 (0xF3F4).

No user-agent is used for plaintext HTTP requests with SpotPass.

== Titles Spotpass usage ==

{| class="wikitable"
|-
! Title
! Description
|-
| Home Menu
| Home Menu uses SpotPass for system notifications, and for uploading data from home-menu shared extdata.
|-
| System Settings
| System Settings uses SpotPass for uploading data, with this URL: https://npul.c.app.nintendowifi.net/p01/recv/<RegionID>/sendcfg This RegionID is separate from the RegionIDs home-menu uses.
|-
| ?
| Unknown log data is uploaded with this URL: https://logus-p.est.c.app.nintendowifi.net/LogServer_us_live/Upload
|}

== Automatic System Update Download ==

See Automatic System Update Download.

== BOSS Sysmodule Savegame ==

See BOSS Savegame

== Content Container ==

SpotPass content must use this container to encrypt the payload and sign it, for content downloads. The cleartext content is stored in extdata. The format of these headers is big-endian.

=== BOSS Header ===

{| class="wikitable"
|-
! Offset
! Length
! Description
|-
| 0x0
| 0x4
| Magic Number "boss"
|-
| 0x4
| 0x4
| Magic Number 0x10001
|-
| 0x8
| 0x4
| Big-endian filesize
|-
| 0xC
| 0x8
| u64 serial number (?)
|-
| 0x14
| 0x2
| Must always be 0x1
|-
| 0x16
| 0x2
| Padding
|-
| 0x18
| 0x2
| Content header hash type, always 0x2 for SHA-256
|-
| 0x1A
| 0x2
| Content header RSA size, always 0x2 for RSA-2048 (X<<7)
|-
| 0x1C
| 0xC
| First 12 bytes of the Initialization Vector (IV)
|}

Data following the BOSS header is encrypted with AES-CTR. The AES key that is used is stored in keyslot 0x38. The first 12 bytes of the IV are from offset 0x1C of the header, while the last 32-bit integer of the IV in big-endian is 0x1. The IV from the header is random per file, and a unique random IV is used each time the content is updated. The cleartext data begins with the content header.

The 64-bit number at 0xC may be a serial number which is increased every time someone requests to sign and create a boss container for a file. The 3DS sees the downloaded file as new if this number is different from the previous download (it doesn't matter if the number is bigger or smaller).

The boss system module v13314 begins at address 0x0010eb98 with the function for parsing the BOSS header.

=== Content Header ===

{| class="wikitable"
|-
! Offset
! Length
! Description
|-
| 0x0
| 0x10
| ?
|-
| 0x10
| 0x2
| Number of payload contents (Payload Content Header + Payload)
|-
| 0x12
| 0x20
| SHA-256 hash
|-
| 0x32
| 0x100
| RSA-2048 signature over the above hash
|}

The first 0x10 bytes are all-zero except the first byte, which is usually 0x80. It's unknown what the first 0x10 bytes are used for.

The 16-bit value at 0x10 tells how many payload contents follow this content header. For example, there can be a downloaded file for a game followed by a message for the news system module.

The hash at offset 0x12 hashes the 0x12-byte data at offset 0x0 followed by a zero u16. The RSA signature is signed by Nintendo. Following this header is the actual content payload, which is written to a cleartext file under the extdata /boss directory.

=== Payload Content Header ===

{| class="wikitable"
|-
! Offset
! Length
! Description
|-
| 0x0
| 0x8
| ProgramID
|-
| 0x8
| 0x4
| Usually zero?
|-
| 0xC
| 0x4
| Content datatype, used for filtering with BOSSU:GetNsDataIdList. Usually 0x10001? (observed 0x20001 in eShop strings)
|-
| 0x10
| 0x4
| Size of the payload after this header
|-
| 0x14
| 0x4
| NsDataId, used for generating the extdata filepath.
|-
| 0x18
| 0x4
| Probably some version field for the payload
|-
| 0x1C
| 0x20
| SHA-256 hash
|-
| 0x3C
| 0x100
| RSA-2048 signature over the previous SHA-256 hash
|}

This signature is signed by Nintendo with the same key-pair as the content header.

The hash at offset 0x1C hashes the 0x1C-byte data at offset 0x0 followed by a zero u16, followed by all of the remaining cleartext data following this header (the actual content data).
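The header layouts and hash rules above, as an added example (not code from this wiki or from the listed tools): it validates a BOSS header, builds the initial AES-CTR block from the 12 IV bytes plus the big-endian 0x1, and checks the SHA-256 fields of already-decrypted data. Assumptions: each payload hash covers only the payload of the size given at 0x10; the RSA signatures are not verified, since the public key is not on this page; `build_sample` and its values are constructed test data.

```python
import hashlib
import struct

BOSS_HDR = struct.Struct(">4sIIQHHHH12s")        # 0x28 bytes, big-endian
PAYLOAD_FIELDS = struct.Struct(">QIIIII")        # first 0x1C bytes of a payload content header
CONTENT_HDR_LEN, PAYLOAD_HDR_LEN = 0x132, 0x13C  # fields + SHA-256 + RSA-2048 signature

def parse_boss_header(blob):
    """Validate the fixed fields; return (serial, filesize, initial AES-CTR block)."""
    if len(blob) < BOSS_HDR.size:
        raise ValueError("truncated BOSS header")
    magic, magic2, size, serial, one, _pad, hash_type, rsa_size, iv12 = BOSS_HDR.unpack_from(blob)
    if magic != b"boss" or magic2 != 0x10001:
        raise ValueError("bad magic")
    if one != 1 or hash_type != 2 or rsa_size != 2:
        raise ValueError("unexpected constant field")
    # 12 IV bytes from offset 0x1C, then a big-endian 32-bit 0x1.
    return serial, size, iv12 + (1).to_bytes(4, "big")

def check_cleartext(clear):
    """Walk decrypted container data and check every SHA-256 (RSA is not checked)."""
    if len(clear) < CONTENT_HDR_LEN:
        raise ValueError("truncated content header")
    count = int.from_bytes(clear[0x10:0x12], "big")
    if hashlib.sha256(clear[:0x12] + b"\x00\x00").digest() != clear[0x12:0x32]:
        raise ValueError("content header hash mismatch")
    off, out = CONTENT_HDR_LEN, []
    for _ in range(count):
        if len(clear) - off < PAYLOAD_HDR_LEN:
            raise ValueError("truncated payload content header")
        program_id, _zero, datatype, size, ns_data_id, _ver = PAYLOAD_FIELDS.unpack_from(clear, off)
        body = off + PAYLOAD_HDR_LEN
        if size > len(clear) - body:
            raise ValueError("payload size exceeds data")
        payload = clear[body:body + size]
        digest = hashlib.sha256(clear[off:off + 0x1C] + b"\x00\x00" + payload).digest()
        if digest != clear[off + 0x1C:off + 0x3C]:
            raise ValueError("payload hash mismatch")
        out.append((program_id, datatype, ns_data_id, payload))
        off = body + size
    return out

def build_sample(payload, program_id=0x0004000000000000, ns_data_id=1):
    """Constructed cleartext with one payload; signatures are zero-filled placeholders."""
    head = b"\x80" + bytes(0x0F) + (1).to_bytes(2, "big")
    content = head + hashlib.sha256(head + b"\x00\x00").digest() + bytes(0x100)
    fields = PAYLOAD_FIELDS.pack(program_id, 0, 0x10001, len(payload), ns_data_id, 0)
    digest = hashlib.sha256(fields + b"\x00\x00" + payload).digest()
    return content + fields + digest + bytes(0x100) + payload

# Constructed header: serial 7, filesize 0x28, IV bytes 00..0b.
SAMPLE_HEADER = BOSS_HDR.pack(b"boss", 0x10001, 0x28, 7, 1, 0, 2, 2, bytes(range(12)))
```

A hash match alone proves nothing about origin; only the RSA signature over each hash does, so a full validator needs that check as well.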

The downloaded boss data is written in the following format to extdata. The file name that is generated might be Base85/Ascii85 encoded. First an extdata header in the following format:

{| class="wikitable"
|-
! Offset
! Length
! Description
|-
| 0x0
| 0x1
| Size of header including this field. Always 0x18
|-
| 0x1
| 0xB
| Usually zero?
|-
| 0xC
| 0x4
| Unknown
|-
| 0x10
| 0x4
| Download date in format: Bit 0-5 = day, Bit 6-9 = month, Bit 10-20 = year
|-
| 0x14
| 0x4
| Usually zero? Padding?
|}

Followed by the Payload Content Header without the hash and signature (first 0x1C bytes) and the actual payload.

== Tools ==