Difference between revisions of "StreetPass"
m |
(expanded on active WiFi probe information, although admittedly not related to StreetPass most likely.) |
||
Line 2: | Line 2: | ||
It can be used to share Mii(s) on Mii Plaza for example. Games' StreetPass data is stored on [[SD_Filesystem|SD card]] under [[extdata]], while Mii Plaza StreetPass data is stored on NAND. Not all StreetPass data is stored on SD card: "StreetPass Management" can still be used without a SD card inserted. Wifi infrastructure with APs are used to communicate, like WMB and multi-player. | It can be used to share Mii(s) on Mii Plaza for example. Games' StreetPass data is stored on [[SD_Filesystem|SD card]] under [[extdata]], while Mii Plaza StreetPass data is stored on NAND. Not all StreetPass data is stored on SD card: "StreetPass Management" can still be used without a SD card inserted. Wifi infrastructure with APs are used to communicate, like WMB and multi-player. | ||
StreetPass in sleepmode can work without SD card inserted. Games' Streetpass data are temporarily stored in NAND, and when the games process the StreetPass data they move that data to extdata on SD card. | StreetPass in sleepmode can work without SD card inserted. Games' Streetpass data are temporarily stored in NAND, and when the games process the StreetPass data they move that data to extdata on SD card. | ||
+ | |||
+ | == WiFi Probe Frame == | ||
+ | |||
+ | Whenever the 3DS is woken from sleep (or turned on), and WiFi is enabled, it sends out a 802.11 Probe Request which include all saved access points, as well as to an SSID containing an arbitrary string of data, such as "ic[kSvm9s@*cYD>/~IEVj\(fGG;qDo8j". The latter probe may be related to the 3DS looking for Nintendo Zone APs. This string changes at least daily, and most likely every time it is woken up. | ||
+ | |||
+ | The MAC address used for these probes are the static MAC address found in the Settings application. Unlike the StreetPass MAC address, it will not change over time. This MAC address OUI also differs from the one used in StreetPass. | ||
== StreetPass Probe Frame == | == StreetPass Probe Frame == | ||
− | Using Wireshark tool with a WiFi card in monitor mode allow you to see the data used to scan for other 3DS in the range. The below is a broadcast probe request from an 3DS while in standby mode, with SSID "Nintendo_3DS_continuous_scan_000 | + | Using Wireshark tool with a WiFi card in monitor mode allow you to see the data used to scan for other 3DS in the range. The below is a broadcast probe request from an 3DS while in standby mode, with SSID "Nintendo_3DS_continuous_scan_000". This frame also contains a custom Nintendo tag, the contents of this tag from different 3ds captures don't match. Probe responses contain the same Nintendo tag data as the probe requests from the same 3DS. The MAC address used in sleepmode seems to change every time there's a streetpass hit, as well as the last 8-bytes of the Nintendo tag data? The MAC address + 8 byte ID for StreetPass is seen to change every time the user enters and exits and Settings application. |
0000 00 00 1a 00 2f 48 00 00 19 7d 19 de 2a 00 00 00 ..../H...}..*... | 0000 00 00 1a 00 2f 48 00 00 19 7d 19 de 2a 00 00 00 ..../H...}..*... |
Revision as of 05:30, 16 June 2011
StreetPass is a feature that allow your 3DS to connect with other 3DS using WiFi in standby mode. It can be used to share Mii(s) on Mii Plaza for example. Games' StreetPass data is stored on SD card under extdata, while Mii Plaza StreetPass data is stored on NAND. Not all StreetPass data is stored on SD card: "StreetPass Management" can still be used without a SD card inserted. Wifi infrastructure with APs are used to communicate, like WMB and multi-player. StreetPass in sleepmode can work without SD card inserted. Games' Streetpass data are temporarily stored in NAND, and when the games process the StreetPass data they move that data to extdata on SD card.
WiFi Probe Frame
Whenever the 3DS is woken from sleep (or turned on), and WiFi is enabled, it sends out a 802.11 Probe Request which include all saved access points, as well as to an SSID containing an arbitrary string of data, such as "ic[kSvm9s@*cYD>/~IEVj\(fGG;qDo8j". The latter probe may be related to the 3DS looking for Nintendo Zone APs. This string changes at least daily, and most likely every time it is woken up.
The MAC address used for these probes are the static MAC address found in the Settings application. Unlike the StreetPass MAC address, it will not change over time. This MAC address OUI also differs from the one used in StreetPass.
StreetPass Probe Frame
Using Wireshark tool with a WiFi card in monitor mode allow you to see the data used to scan for other 3DS in the range. The below is a broadcast probe request from an 3DS while in standby mode, with SSID "Nintendo_3DS_continuous_scan_000". This frame also contains a custom Nintendo tag, the contents of this tag from different 3ds captures don't match. Probe responses contain the same Nintendo tag data as the probe requests from the same 3DS. The MAC address used in sleepmode seems to change every time there's a streetpass hit, as well as the last 8-bytes of the Nintendo tag data? The MAC address + 8 byte ID for StreetPass is seen to change every time the user enters and exits and Settings application.
0000 00 00 1a 00 2f 48 00 00 19 7d 19 de 2a 00 00 00 ..../H...}..*... 0010 12 16 9e 09 a0 00 c9 02 00 00 40 00 00 00 ff ff ..........@..... 0020 ff ff ff ff da 6b f7 22 f3 77 ff ff ff ff ff ff .....k.".w...... 0030 40 77 00 20 4e 69 6e 74 65 6e 64 6f 5f 33 44 53 @w. Nintendo_3DS 0040 5f 63 6f 6e 74 69 6e 75 6f 75 73 5f 73 63 61 6e _continuous_scan 0050 5f 30 30 30 01 08 82 84 8b 0c 12 96 18 24 32 04 _000.........$2. 0060 30 48 60 6c dd 15 00 1f 32 01 11 05 00 02 08 00 0H`l....2....... 0070 00 f0 08 c8 34 6e 05 0f c9 c6 80 5b 6f bc 5a ....4n.....[o.Z
It is uncertain how the 3DS determines when it can do a StreetPass again with another 3DS, or what information is actually used to track that. It may be related to how long that 3DS was in range constantly/out of range. 3DSes that are constantly in range of each other in sleepmode, usually do StreetPass every <12 hours?
When in standby mode the old DS WiFi is used, which includes SpotPass and StreetPass, but in "active" mode the regular DSi WiFi bus is used.
Nintendo Tag Format
The Nintendo tag always begins at the 0x50 offset if observing a captured frame. The offsets mentioned in the table below start at the beginning of the Nintendo tag ID, which is variable in length.
Offset | Length | Description |
---|---|---|
0x0 | varies | Unknown, but may include active Streetpass services. This remains static between street passes, reboots, and Settings app interaction. |
-0x8 | 0x8 | Some random StreetPass ID, changes after each StreetPass hit and system power-off? |
Identification String
Unknown at the moment, but the length appears to vary from 3DS to 3DS.
StreetPass ID
When there's a StreetPass hit, and no StreetPass data changed on either of the 3DSes, no data is transferred besides probes? Perhaps there's some ID in the Nintendo tag that gets updated every-time the 3DS' StreetPass data changes? After turning off power, then powering on and entering sleepmode, the MAC doesn't change from prior to power off but the last 8-bytes of the Nintendo tag changes. This tag has been seen to not be sequential over time. After one of the new StreetPass content is handled, (running one of the StreetPass titles etc) the 8bytes in the Nintendo tag changes?
StreetPass spoofing
A streetpass "AP" was spoofed on a laptop with hostapd by setting the SSID to "Nintendo_3DS_continuous_scan_000", with the extra Nintendo tag from another 3DS' probe request. The SSID and AP can't be easily spoofed with hostapd for streetpass when 3DS is "active", for the random "ic[kSvm9s@*cYD>/~IEVj\(fGG;qDo8j" strings. The 3DS didn't seem to authenticate or associate with the "AP". Streetpass "AP" comms use WPA2 encryption. Eventually the 3DS stops communicating with the fake "AP" since the AP doesn't understand the sent data,(especially since it's encrypted) and sends a 802.11 "Action" frame, with category ID 0x7f and Nintendo's vendor ID: 00 1f 32.(However the 3DS keeps communicating with the above process repeatedly) Communication with two 3DSes are the same as above except there's encrypted data sent to/from both consoles, unlike the fake "AP".