SpotPass
SpotPass is a Nintendo 3DS feature that allows the 3DS to automatically download content, notifications, and software when it's in standby mode.(SpotPass may download/upload some content while the 3DS is in "active" mode, but *only* if the currently active app uses SpotPass) SpotPass can upload content as well. Software downloaded with SpotPass is stored on SD card.
SpotPass Internet communications are mostly HTTPS transfers.
In System Settings, you can disable SpotPass automatic title downloading, but it states that important software will still downloaded.(This only disables downloading of free titles via SpotPass)
'nasc.nintendowifi.net' confirmed usages:(not SpotPass related)
- Friends List applet requires this server to be 'Online' (most likely the reason for regular requests to this server)
- Required for initialization of eShop, (for first time eShop users). Not required for using eShop after first use.
nppl.c.app.nintendowifi.net is used by SpotPass itself to download various data via HTTPS, including a cleartext xml policylist which is country-code specific. This policylist seems to contain a list of SpotPass tasks for certain titles. This policylist can control whether the specified tasks are processed at all.
Homemenu uses two domains with HTTPS for SpotPass. SpotPass stores this content in Homemenu's NAND shared extdata.
- The system notifications are downloaded from: https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/<regionID>/bashoX/<langcode>/bashoX Where langcode is the two-character language codes from here, X is 0-3, and regionID is from the below table.
- The pls.c.shop.nintendowifi.net domain is used for uploading data from the home menu NAND shared extdata, it's unknown what this is used for. This is uploaded every 24 hours.
Region | ID |
---|---|
JPN | gWr4JXxb2mKTG3lq |
NA | uuI82221UKkqmtbp |
EUR / Others | UrXSeurnxhPrq7AS |
The SpotPass content payload for notifications begin with a header, followed by an icon and the UTF-16 text, and various metadata.
Automatic System Update Download
With the 2.0.0-2 update, system updates are automatically downloaded via the system.(SpotPass doesn't handle this, some other applet handles this) It only downloads updates, it will not install updates without the user's permission. See this: http://www.nintendo.com/consumer/systems/3ds/en_na/menu_update.jsp
The system downloads/checks for updates every 24 hours. This is identical to the system used for manual system updates: when it's time to check for updates, it will send a system update SOAP request to the server. When there's an update available, it will then do the usual sysupdate procedure like manual sysupdates.
Content Container
All SpotPass content uses this container to encrypt the payload and sign it. The cleartext content is stored in extdata. The format of these headers is big-endian.
BOSS Header
Offset | Length | |
---|---|---|
0x0 | 0x4 | Magic Number "boss" |
0x4 | 0x4 | Magic Number 0x10001 |
0x8 | 0x4 | Big-endian filesize |
0xC | 0x8 | u64 release date (UNIX timestamp) |
0x14 | 0x2 | Must always be 0x1 |
0x16 | 0x2 | Padding |
0x18 | 0x2 | Content header hash type, always 0x2 for SHA-256 |
0x1A | 0x2 | Content header RSA size, always 0x2 for RSA-2048 (X<<7) |
0x1C | 0xC | First 12 bytes of the CTR |
Data following the BOSS header is encrypted with AES-CTR. The first 12 bytes of the CTR are from offset 0x1C of the header, while the last word of the CTR in big-endian is 0x1. The CTR from the header is random per file, and an unique random CTR is used each time the content is updated. The cleartext data begins with the content header.
Content Header
Offset | Length | Description |
---|---|---|
0x0 | 0x10 | ? |
0x10 | 0x2 | FileID used for the extdata filename |
0x12 | 0x20 | SHA-256 hash |
0x32 | 0x100 | RSA-2048 signature over the above hash |
The first 0x10-bytes are all-zero except the first byte which is 0x80. It's unknown what the first 0x10-bytes are used for.
The hash at offset 0x12 hashes the 0x12-byte data at offset 0x0 followed by a zero u16. The RSA signature is signed by Nintendo. Following this header is the actual content payload, which is written to a cleartext file under the extdata /boss directory. The data following the payload header is written to extdata, but it's unknown what data is written to the extdata file before the content payload.
Payload Content Header
Offset | Length | Description |
---|---|---|
0x0 | 0x8 | ProgramID |
0x8 | 0x4 | Usually zero? |
0xC | 0x4 | Magic Number 0x10001 |
0x10 | 0x4 | Size of the payload after this header |
0x14 | 0x4 | Extdata FileID |
0x18 | 0x4 | ? |
0x1C | 0x100 | RSA-2048 signature, which likely signs the following hash |
0x11C | 0x20 | SHA-256 hash, likely hashes the whole content payload |
The application likely handles verifying the RSA signature for this payload header.