73
edits
Changes
→StreetPass Relay
== CCMP Key ==
== CCMP Key ==
The StreetPass local-WLAN CCMP data-encryption key is generated by the StreetPass CECD module, where the CCMP key is the 16-byte output from encrypting an all-zero block with AES-CTR via [[PS:EncryptDecryptAes]], with keytype6. The CTR is the first 0x10-bytes from a SHA1-HMAC hash. The SHA1-HMAC key is a 17-byte text string including the NULL-terminator, a seperate HMAC key is used for retail/dev-units, this is determined via [[Configuration_Memory|UNITINFO]] bit0. The data hashed with SHA1-HMAC is a 0x1C-byte buffer, which is described below.
The StreetPass local-WLAN CCMP data-encryption key is generated by the StreetPass CECD module, where the CCMP key is the 16-byte output from encrypting an all-zero block with AES-CTR via [[PS:EncryptDecryptAes]], with keytype6. The CTR is the first 0x10-bytes from a SHA1-HMAC hash. The SHA1-HMAC key is a 17-byte text string including the NULL-terminator, a seperate HMAC key is used for retail/dev-units, this is determined via [[Configuration_Memory#ENVINFO|ENVINFO]] bit0. The data hashed with SHA1-HMAC is a 0x1C-byte buffer, which is described below.
=== Hash Block ===
=== Hash Block ===
Street Fighter: 00 03 05 00 02 (FF FF FF FF FF FF)
Street Fighter: 00 03 05 00 02 (FF FF FF FF FF FF)
The first 4 bytes are the titleID of the service, the last byte seems to contain flags :
The first 4 bytes are the titleID of the service, the last byte seems to contain flags.
The last byte (flags) have been observed between those possibilities :
00000000
00000000
Some services have a 6-byte field succeeding the StreetPass service that is just FF bytes (e.g. FF FF FF FF FF FF). The purpose of these is unknown, although may be used as data for a service, or as separator of some sort for different types of StreetPass services.
Some services have a 6-byte field succeeding the StreetPass service that is just FF bytes (e.g. FF FF FF FF FF FF). The purpose of these is unknown, although may be used as data for a service, or as separator of some sort for different types of StreetPass services.
Observed services (leading titleID 0x00 removed, 6*0xff ignored) on 68K probe requests between 2013-08-24 and 2014-06-29 in various european locations.
The fact that a same titleID can have different flags should be noted.
0db6-00100000 5
0db6-00110000 20
{| class="wikitable" border="1"
|-
! Occurrences
! TitleID
! Flags
|-
| 131
| 0208
| 00000000
|-
| 58
| 0516
| 00010000
|-
| 56
| 053f
| 00100000
|-
| 55
| 0306
| 00100000
|-
| 44
| 0862
| 00110000
|-
| 26
| 09f1
| 00110000
|-
| 20
| 0db6
| 00110000
|-
| 18
| 0516
| 00110000
|-
| 18
| 0205
| 00110010
|-
| 17
| 0ec4
| 00110000
|-
| 17
| 0300
| 00110000
|-
| 16
| 055d
| 00110000
|-
| 13
| 08d3
| 00010000
|-
| 13
| 053b
| 00100000
|-
| 12
| 0916
| 00100000
|-
| 12
| 07ad
| 00100000
|-
| 12
| 0306
| 00110000
|-
| 12
| 0300
| 00100000
|-
| 11
| 0916
| 00110000
|-
| 9
| 0b1d
| 00110000
|-
| 8
| 0ec4
| 00100000
|-
| 7
| 080f
| 00110000
|-
| 7
| 07c8
| 00100000
|-
| 6
| 038a
| 00100000
|-
| 5
| 0f30
| 00110000
|-
| 5
| 0db6
| 00100000
|-
| 5
| 0910
| 00110000
|-
| 5
| 0862
| 00100000
|-
| 5
| 053f
| 00110000
|-
| 5
| 0522
| 00110000
|-
| 4
| 07ad
| 00110000
|-
| 3
| 0ae2
| 00110000
|-
| 3
| 09f1
| 00100000
|-
| 3
| 08c5
| 00110000
|-
| 3
| 038c
| 00000000
|-
| 3
| 033b
| 00100000
|-
| 3
| 030b
| 00100000
|-
| 2
| 0ba9
| 00110000
|-
| 2
| 0a53
| 00110000
|-
| 2
| 08d3
| 00100000
|-
| 2
| 07ad
| 00010000
|-
| 2
| 0751
| 00110000
|-
| 2
| 0402
| 00100000
|-
| 1
| 0f82
| 00110000
|-
| 1
| 0f5b
| 00110000
|-
| 1
| 0e7f
| 00110000
|-
| 1
| 0bff
| 00110000
|-
| 1
| 0b1d
| 00100000
|-
| 1
| 0ad6
| 00010000
|-
| 1
| 0a90
| 00110000
|-
| 1
| 0a05
| 00100000
|-
| 1
| 073c
| 00110000
|-
| 1
| 06da
| 00100000
|-
| 1
| 05aa
| 00110000
|-
| 1
| 05a5
| 00110000
|-
| 1
| 053b
| 00110000
|-
| 1
| 04ca
| 00110000
|-
| 1
| 038a
| 00110000
|-
| 1
| 033b
| 00110000
|-
| 1
| 030b
| 00110000
|-
| 1
| 0305
| 00000010
|}
===== Unknown 2-byte Field =====
===== Unknown 2-byte Field =====
A streetpass "AP" was spoofed with hostapd by setting the SSID to "Nintendo_3DS_continuous_scan_000", with the extra Nintendo tag from another 3DS' probe request. Like 3DS<>3DS communications, the 3DS didn't authenticate or associate with the host. Streetpass communications use CCMP encryption. Eventually the 3DS stops communicating with the host since the host doesn't reply to any of the data frames, then sends a 802.11 "Action" frame, with category ID 0x7f and Nintendo's vendor ID: 00 1f 32.(However the 3DS keeps communicating with the above process repeatedly)
A streetpass "AP" was spoofed with hostapd by setting the SSID to "Nintendo_3DS_continuous_scan_000", with the extra Nintendo tag from another 3DS' probe request. Like 3DS<>3DS communications, the 3DS didn't authenticate or associate with the host. Streetpass communications use CCMP encryption. Eventually the 3DS stops communicating with the host since the host doesn't reply to any of the data frames, then sends a 802.11 "Action" frame, with category ID 0x7f and Nintendo's vendor ID: 00 1f 32.(However the 3DS keeps communicating with the above process repeatedly)
Communication with two 3DSes are the same as above except there's actual encrypted data sent to/from both consoles, unlike the fake host.
Communication with two 3DSes are the same as above except there's actual encrypted data sent to/from both consoles, unlike the fake host.
==StreetPass Relay==
This feature was implemented in version [[6.2.0-12]].
It was probably controlled over the [[SpotPass#policylist]]. When connecting to a Nintendo Zone Hotspot the console will send an additional GET parameter named ''ap''. Adding the following priority to the policylist will instruct the console to upload its data (The level tag can probably be lower and must not be HIGH).
<pre>
<Priority>
<TitleId>0004013000003400</TitleId>
<TaskId>sprelay</TaskId>
<Level>HIGH</Level>
<Persistent>false</Persistent>
<Revive>false</Revive>
</Priority>
</pre>
In the request body there will be a file named ''spr-meta'' and a file per registered StreetPass game ''spr-slotXX'' where XX is an incrementing number. If the game contains not messages in its outbox so the size of the file would be 0 then no file is created and sent but it will still be listed in the spr-meta file.
===spr-meta file===
The spr-meta file is a text file which may contain the following content.
<pre>
slotsize: 5
spr-slot01: 3,000EC400,10664
spr-slot02: 2,0007AD00,3648
spr-slot03: 3,00030000,3804
spr-slot04: 1,00051600,0
spr-slot05: 0,00020800,28228
</pre>
The comma seperated list after each spr-slotXX has the following meaning
{| class=wikitable
|unknown||StreetPass ID (Low title ID of the game. May be from a different region like japan.)||Size of the file in bytes
|}
===spr-slotXX files===
These are binary files. They begin a with a header with the follwing structure.
{| class=wikitable
!Offset!!Size!!Description
|-
|0x00||0x04||Magic number 0x00006161
|-
|0x04||0x04||Size of the file in bytes including this header
|-
|0x08||0x04||StreetPass ID (Low title ID of the game. May be from a different region like japan.)
|-
|0x0C||0x04||Unknown. Maybe some version field. Always 0x00000001
|-
|0x10||0x04||Number of messages after this header
|}
[[Category:Nintendo Software]]
[[Category:Nintendo Software]]