Changes

1,683 bytes added, 04:03, 17 June 2011
Added a "StreetPass Exchange" summary so we can discuss details in a bit more organized manner. Shuffled some content around where appropriate.
Line 9: Line 9:  
The MAC address used for these probes is the static MAC address found in the Settings application. Unlike the StreetPass MAC address, it will not change over time. This MAC address OUI also differs from the one used in StreetPass.
 
The MAC address used for these probes is the static MAC address found in the Settings application. Unlike the StreetPass MAC address, it will not change over time. This MAC address OUI also differs from the one used in StreetPass.
   −
== StreetPass Probe Request Frame ==
+
== StreetPass Exchange ==
   −
Using Wireshark tool with a WiFi card in monitor mode allow you to see the data used to scan for other 3DS in the range. The below is a broadcast probe request from an 3DS while in standby mode, with SSID "Nintendo_3DS_continuous_scan_000". This SSID remains consistent across all 3DS units. This frame also contains a custom Nintendo tag, which contains information regarding the offered StreetPass services. Probe responses contain the same Nintendo tag data as the probe requests from the same 3DS. The MAC address used in sleepmode seems to change every time there's a StreetPass hit, as well as the last 8-bytes of the Nintendo tag data. The MAC address + 8-byte ID for StreetPass is seen to change every time the user enters and exits and Settings application if they have not had a StreetPass in an observed time period of 24 hours.
+
While StreetPass is enabled, the 3DS constantly sends out Probe Requests with an SSID of "Nintendo_3DS_continuous_scan_000". Unlike beacons, which are actively advertising access points, the 3DS is essentially actively looking for other 3DSes. This design is likely to limit impact to non-3DS WiFi capable devices. Each Probe Request contains basic information about that 3DS, including an identifier, and active StreetPass services. If another 3DS is in range, the second 3DS (#2) will respond with a Probe Response, to which the original 3DS (#1), and of the receiving device with every frame thereafter, will respond with an 802.11 Acknowledgement. 3DS(#1) then sends an 802.11 Action frame, as well as an additional Probe Request. The second 3DS sends back another Probe Response that begins the encrypted exchange between the two devices.  
 +
 
 +
The MAC address used in sleepmode seems to change every time there's a StreetPass hit, as well as the last 8-bytes of the Nintendo tag data. The MAC address + 8-byte ID for StreetPass is seen to change every time the user enters and exits and Settings application if they have not had a StreetPass in an observed time period of 24 hours. It is uncertain how the 3DS determines when it can do a StreetPass again with another 3DS, or what information is actually used to track that. It may be related to how long that 3DS was in range constantly/out of range. 3DSes that are constantly in range of each other in sleepmode, usually do StreetPass every <12 hours?
 +
 
 +
When in standby mode the old DS WiFi is used, which includes SpotPass and StreetPass, but in "active" mode the regular DSi WiFi bus is used.
 +
 
 +
=== Probe Request Frame ===
 +
 
 +
Using Wireshark tool with a WiFi card in monitor mode allow you to see the data used to scan for other 3DS in the range. The below is a broadcast probe request from an 3DS while in standby mode, with SSID "Nintendo_3DS_continuous_scan_000". This SSID remains consistent across all 3DS units. This frame also contains a custom variable length Nintendo tag, which contains information regarding the offered StreetPass services. The sequence numbers for these probe request increment by 3 for every probe, until another 3DS responds with a probe response.
    
   0000  00 00 1a 00 2f 48 00 00 19 7d 19 de 2a 00 00 00  ..../H...}..*...
 
   0000  00 00 1a 00 2f 48 00 00 19 7d 19 de 2a 00 00 00  ..../H...}..*...
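Review bot: The acknowledgement sentence in the new "StreetPass Exchange" paragraph is ungrammatical and hides which station ACKs what: "to which the original 3DS (#1), and of the receiving device with every frame thereafter, will respond with an 802.11 Acknowledgement". Suggest: "3DS #1 answers with an 802.11 Acknowledgement, and from this point on every directed frame is ACKed by whichever device receives it." Two smaller points in the same hunk: "Unlike beacons, which are actively advertising access points" reads as if beacons are access points; "Unlike an access point, which advertises itself with beacons, the 3DS actively searches with Probe Requests" says what is meant. The new claim that sequence numbers "increment by 3 for every probe" should also state which channel the capture was tuned to: the 802.11 sequence counter is per transmitter across all frames it sends, so a +3 step in a single-channel capture is consistent with the 3DS probing three channels in turn (1, 6 and 11 are the ones listed later in this revision) and only one being seen. Minor: "Using Wireshark tool ... allow you" should be "Using Wireshark with a WiFi card in monitor mode allows you".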
Line 22: Line 30:  
   0070  00 f0 08 c8 34 6e 05 0f c9 c6 80 5b 6f bc 5a    ....4n.....[o.Z
 
   0070  00 f0 08 c8 34 6e 05 0f c9 c6 80 5b 6f bc 5a    ....4n.....[o.Z
   −
It is uncertain how the 3DS determines when it can do a StreetPass again with another 3DS, or what information is actually used to track that. It may be related to how long that 3DS was in range constantly/out of range. 3DSes that are constantly in range of each other in sleepmode, usually do StreetPass every <12 hours?
+
==== Nintendo Tag Format ====
 
  −
When in standby mode the old DS WiFi is used, which includes SpotPass and StreetPass, but in "active" mode the regular DSi WiFi bus is used.
  −
 
  −
=== Nintendo Tag Format ===
      
The offsets, in bytes, mentioned in the table below start at the beginning of the Nintendo tag ID, which is variable in length, and can be found right after the Vendor Specific OUI type of the 802.11 frame, which is often seen as a byte of "01". Each one of the elements are discussed in more detail after the table. Note that this table represents a current theory on what each of the fields represent, with the argument stated in the corresponding sections.
 
The offsets, in bytes, mentioned in the table below start at the beginning of the Nintendo tag ID, which is variable in length, and can be found right after the Vendor Specific OUI type of the 802.11 frame, which is often seen as a byte of "01". Each one of the elements are discussed in more detail after the table. Note that this table represents a current theory on what each of the fields represent, with the argument stated in the corresponding sections.
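Review bot: Demoting "Nintendo Tag Format" to a level-4 heading fits under the new "=== Probe Request Frame ===" parent, but the unchanged lead sentence it now sits under is ambiguous about where offset 0 is: "the beginning of the Nintendo tag ID, which is variable in length ... right after the Vendor Specific OUI type ... often seen as a byte of 01". The tag ID is not what varies; the tag body is. Suggest: "Offsets start at the first byte after the OUI type byte (the byte following the 3-byte vendor OUI in the vendor-specific element, observed as 01); the tag body that follows is variable in length."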
Line 69: Line 73:  
|}
 
|}
   −
==== Protocol Version ====
+
===== Protocol Version =====
    
Appears to represent a protocol version, or device identification. This field remains consistent on all devices, despite variable enabled StreetPass services or length of the tag. Could also represent region.
 
Appears to represent a protocol version, or device identification. This field remains consistent on all devices, despite variable enabled StreetPass services or length of the tag. Could also represent region.
   −
==== StreetPass Service Length ====
+
===== StreetPass Service Length =====
    
This field is used to indicate the length of the StreetPass Services field. Removing and adding services has shown this field to increment and decrement in 5 bytes, or 11 bytes depending on the game. The StreetPass Services field has then expanded or reduced accordingly.
 
This field is used to indicate the length of the StreetPass Services field. Removing and adding services has shown this field to increment and decrement in 5 bytes, or 11 bytes depending on the game. The StreetPass Services field has then expanded or reduced accordingly.
   −
==== StreetPass Services ====
+
===== StreetPass Services =====
    
The third field in the protocol header appears to be an arbitrary length list of StreetPass services enabled on the device. Each StreetPass service seems to be identified by a 5-byte ID. If you enable or disable services, the number of 5-byte IDs grows and shrinks within this list. Observed service IDs include:
 
The third field in the protocol header appears to be an arbitrary length list of StreetPass services enabled on the device. Each StreetPass service seems to be identified by a 5-byte ID. If you enable or disable services, the number of 5-byte IDs grows and shrinks within this list. Observed service IDs include:
Line 88: Line 92:  
Some services have a 6-byte field preceding or succeeding the StreetPass service that is just FF bytes (e.g. FF FF FF FF FF FF). The purpose of these is unknown, although may be used as data for a service, or as separator of some sort for different types of StreetPass services.
 
Some services have a 6-byte field preceding or succeeding the StreetPass service that is just FF bytes (e.g. FF FF FF FF FF FF). The purpose of these is unknown, although may be used as data for a service, or as separator of some sort for different types of StreetPass services.
   −
==== Unknown 2-byte Field ====
+
===== Unknown 2-byte Field =====
    
The purpose of this field is not known yet. It has remained the same across all devices thus far. The value has always been observed as '''f008'''.
 
The purpose of this field is not known yet. It has remained the same across all devices thus far. The value has always been observed as '''f008'''.
   −
==== StreetPass ID ====
+
===== StreetPass ID =====
    
When there's a StreetPass hit, and no StreetPass data changed on either of the 3DSes, no data is transferred besides probes? Perhaps there's some ID in the Nintendo tag that gets updated every-time the 3DS' StreetPass data changes? After turning off power, then powering on and entering sleepmode, the MAC doesn't change from prior to power off but the last 8-bytes of the Nintendo tag changes. This tag has been seen to not be sequential over time. After one of the new StreetPass content is handled, (running one of the StreetPass titles etc) the 8bytes in the Nintendo tag changes?
 
When there's a StreetPass hit, and no StreetPass data changed on either of the 3DSes, no data is transferred besides probes? Perhaps there's some ID in the Nintendo tag that gets updated every-time the 3DS' StreetPass data changes? After turning off power, then powering on and entering sleepmode, the MAC doesn't change from prior to power off but the last 8-bytes of the Nintendo tag changes. This tag has been seen to not be sequential over time. After one of the new StreetPass content is handled, (running one of the StreetPass titles etc) the 8bytes in the Nintendo tag changes?
   −
== StreetPass Probe Response Frame ==
+
=== Initial Probe Response Frame ===
   −
If a 3DS receives another device's probe request and has not yet tagged that device in an arbitrary amount of time (~12 hours), the receiving 3DS will respond with a Probe Response frame. The destination MAC address is the StreetPass MAC address of the 3DS that was transmitting the probe request, while the receiving device sets its StreetPass MAC address as the source address. This is important to note because further exchanges may cease using destination and/or source addresses.
+
If a 3DS (#2) receives another device's probe request and has not yet tagged that device in an arbitrary amount of time (~12 hours), the receiving 3DS (#2) will respond with a Probe Response frame. The destination MAC address is the StreetPass MAC address of the 3DS (#1) that was transmitting the probe request, while the receiving device sets its StreetPass MAC address as the source address. This is important to note because further exchanges may cease using destination and/or source addresses.
   −
In the probe response, the 3DS appears to offer a channel of 1, 6, or 11. Different channels have been seen offered between the same set of 3DS for each StreetPass. Offered channels, and channel range most likely varies by region.
+
In the probe response, the 3DS (#2) appears to offer a channel of 1, 6, or 11. Different channels have been seen offered between the same set of 3DS for each StreetPass. Offered channels, and channel range most likely varies by region.
    
The StreetPass Probe Response frame contains the same Nintendo tag in Probe Requests of the device that is transmitting the Probe Response frame.
 
The StreetPass Probe Response frame contains the same Nintendo tag in Probe Requests of the device that is transmitting the Probe Response frame.
 +
 +
=== Subsequent Probe Request and Response Frames ===
 +
 +
The 3DS (#1) that the Initial Probe Response is directed to will send an 802.11 Action frame back to the device. It will then send another Probe Request, this time sent directly to the responding 3DS (#2) by specifying its MAC address in the destination field, and setting its own MAC address in the source address field.
 +
 +
The sequence number for this frame is +2 the original Probe Request, with the Action frame having a sequence number +1 the initial Probe Request. It also does not have a SSID specified in the frame, except the frame will contain a BSSID with the value of the 3DS (#2) that responded to the initial Probe, and thus acts as the master in the 802.11 exchange.
    
== StreetPass Spoofing ==
 
== StreetPass Spoofing ==
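Review bot: The new "Subsequent Probe Request and Response Frames" section leaves the directed Probe Request's SSID handling undefined: "does not have a SSID specified in the frame, except the frame will contain a BSSID" mixes two different fields. State whether the SSID element is absent or present with zero length (a wildcard), since the two are distinct on the wire, and replace "except" with "but". In the same sentence, "acts as the master in the 802.11 exchange" should say what "master" means here, i.e. that 3DS #2's MAC address is used as the BSSID for the rest of the exchange. The re-tag interval is now stated three ways in this revision: "~12 hours" in the Initial Probe Response paragraph, and "every <12 hours?" and "24 hours" in the paragraph moved into the first hunk; pick one figure or mark all of them as observed rather than known. Minor: "+2 the original Probe Request" / "+1 the initial Probe Request" read better as "two greater than" / "one greater than".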