Homebrew HomePass recreation/streetpass reverse engineering?

Berghopper

Member
OP
Newcomer
Joined
Apr 11, 2020
Messages
13
Trophies
0
Age
23
XP
94
Country
Netherlands
First of all: hi! I'm new to GBAtemp and have mostly been an occasional lurker.

So to begin with this topic: the reason for me starting it is that I want more StreetPasses. But because of the dwindling number of 3DS users and the death of SpotPass in 2018 (and in turn PiPass/HomePass), this is quite difficult.
My goal with this post is to possibly reverse engineer how either:

  1. Streetpass works locally
  2. or how Spotpass servers used to work.

Since the SpotPass servers are all but dead, I'm first focusing on how StreetPass works.

Please feel free to discuss and share information/knowledge on this topic! I am only one person and cannot possibly hope to figure this out on my own.

Modding is an option to get the StreetPass file from the DS and share it around (StreetPass 2: Rise from the Ashes), but this is not the main goal. The goal is to let a regular, unmodified 3DS talk to any other wireless device and StreetPass that way (basically making another device pretend to be a 3DS). If this is possible, we could then hope to share StreetPass data more easily, without modding, and possibly make our own "SpotPass".

So let's get into it:

The first area I decided to tackle is to figure out what the heck StreetPass even uses. After a bit of digging it seemed that it is using a regular 802.11b Wi-Fi chip to do its thing.
Loading up Wireshark in management mode indeed showed some broadcast traffic from two 3DSs I have lying around.
However, for a while I could not figure out more than this, until I tried something else: local play.

So as far as local play goes, it shares some similarities with StreetPass in the packets that it broadcasts.
Digging a bit into local play gave me the following information:

Both 3DSs spit out a bunch of broadcast/beacon frames, showing network SSIDs.
After this, the DSs authenticate with the host and start sharing game data.
Local play seems to make a WEP-encrypted access point (AP) on the 2.4 GHz band with a bandwidth of 20 MHz. Usually these APs appear on channels 1, 6 and 11. Generic broadcasts (before authentication) seem to happen on all 2.4 GHz channels. Also, these APs seem to have a hidden SSID.

So a few things we can gather from this:

  1. The host DS is making an AP
  2. Somehow it communicates to other DS's, its SSID and passkey
  3. After which clients are able to connect and play together.

As of right now I'm trying to crack the WEP key for a single, very long Mario Kart 7 session, but I still need to gather more data.
The main issue is that either the SSID or the passkey changes for each local play session. Hence I need to record one very long uninterrupted session.
I want to crack the WEP key so I can then identify whether the passkey is just being broadcast or whether something else is happening.

Something else I noticed:

  • StreetPass seems to continuously send out the same SSID: "NWCUSBAP.username"

NWCUSBAP probably stands for "Nintendo Wireless Connector, USB Access Point".
Strictly speaking there are some extra characters in the SSID, but for now I'm ignoring those.

I've so far been unsuccessful at capturing a StreetPass share. This is mainly difficult due to the 8-hour cooldown time, the access point not being on a consistent channel (Wireshark can only listen on one specific channel at a time with my Wi-Fi chip), and it happening randomly. This is why for now I'm so hyper-focused on local play.

Sorry for the long post, but if you've made it this far, thanks for sticking around!

Edit 1: This post might contain wrong assumptions/information; follow the latest comments in the thread to keep up to date.

Edit 2: View this repository for a collection of links and information: https://bitbucket.org/casperwietse/streetbasket-public/src/master/

Edit 3: Any old information has been struck through.
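
As an added example (not code from the original post, the linked repository or any StreetPass project), here is a small parser for raw 802.11 management frames that pulls out the fields the capture notes above turn on: the SSID element, the hidden-SSID case, the beacon capability privacy (WEP) bit and the DS Parameter Set channel. The sample frames at the bottom are constructed to match the SSIDs reported in this thread, not real captures; the classification labels and the `build_frame`/`ie` helpers are my own naming. It deliberately does not filter on a Nintendo OUI, since a later post in the thread reports that StreetPass does not use Nintendo vendor MAC addresses.

```python
"""Parse raw 802.11 management frames (radiotap header already stripped) and
pick out StreetPass / local-play beacons and probe requests. Added example."""
import struct
from dataclasses import dataclass, field
from typing import Optional

# Frame-control byte 0 = subtype (4 bits) | type (2 bits) | protocol version (2 bits)
FC_BEACON = 0x80       # type 0 (management), subtype 8
FC_PROBE_REQ = 0x40    # type 0, subtype 4
CAP_PRIVACY = 0x0010   # capability bit: encryption (WEP on a 3DS AP) required
IE_SSID, IE_DS_PARAM, IE_VENDOR = 0, 3, 221


@dataclass
class MgmtFrame:
    kind: str                  # "beacon" or "probe-req"
    src: str                   # transmitter address (addr2)
    bssid: str                 # addr3
    ssid: Optional[bytes]      # raw SSID element payload, None if absent
    hidden: bool               # zero-length or all-NUL SSID
    privacy: bool              # beacon capability privacy bit
    channel: Optional[int]     # DS Parameter Set element, if present
    vendor_ies: list = field(default_factory=list)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> list:
    """Walk the tag/length/value list. A truncated element raises instead of
    being read past the end; a sloppy parser here is exactly what a hostile
    frame would target once frames are being re-injected."""
    ies, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header")
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE body")
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_mgmt(frame: bytes) -> MgmtFrame:
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = frame[0]
    src, bssid, body = _mac(frame[10:16]), _mac(frame[16:22]), frame[24:]
    if fc0 == FC_BEACON:
        if len(body) < 12:
            raise ValueError("beacon body too short")
        # timestamp (8) + beacon interval (2) + capability (2), then elements
        cap = struct.unpack_from("<H", body, 10)[0]
        ies, kind = parse_ies(body[12:]), "beacon"
    elif fc0 == FC_PROBE_REQ:
        cap, ies, kind = 0, parse_ies(body), "probe-req"
    else:
        raise ValueError(f"unsupported frame control 0x{fc0:02x}")
    ssid = next((v for t, v in ies if t == IE_SSID), None)
    channel = next((v[0] for t, v in ies if t == IE_DS_PARAM and v), None)
    hidden = ssid is not None and not any(ssid)   # b"" or all NUL bytes
    return MgmtFrame(kind, src, bssid, ssid, hidden, bool(cap & CAP_PRIVACY),
                     channel, [v for t, v in ies if t == IE_VENDOR])


def classify(frame: bytes) -> str:
    """Label a frame by the SSID patterns reported in the thread (my labels)."""
    f = parse_mgmt(frame)
    if f.kind == "probe-req" and f.ssid and f.ssid.startswith(b"Nintendo_3DS_continuous_scan_"):
        return "3ds-streetpass-scan"
    if f.ssid and f.ssid.startswith(b"NWCUSBAP."):
        return "nwcusbap"
    if f.kind == "beacon" and f.hidden and f.privacy:
        return "hidden-wep-ap"        # the local-play host profile
    return "other"


# --- constructed sample frames (not real captures) ---
def build_frame(fc0: int, src: bytes, bssid: bytes, body: bytes) -> bytes:
    return bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + src + bssid + b"\x00\x00" + body


def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


SRC = bytes.fromhex("0211223344aa")   # locally administered, not a Nintendo OUI
SCAN_REQ = build_frame(FC_PROBE_REQ, SRC, b"\xff" * 6,
                       ie(IE_SSID, b"Nintendo_3DS_continuous_scan_000") + ie(1, b"\x82\x84\x8b\x96"))
LOCAL_PLAY_BEACON = build_frame(FC_BEACON, SRC, SRC,
                                b"\x00" * 8 + struct.pack("<HH", 100, 0x0001 | CAP_PRIVACY)
                                + ie(IE_SSID, b"") + ie(IE_DS_PARAM, b"\x06"))
NWCUSBAP_BEACON = build_frame(FC_BEACON, SRC, SRC,
                              b"\x00" * 8 + struct.pack("<HH", 100, 0x0001)
                              + ie(IE_SSID, b"NWCUSBAP.berghopper") + ie(IE_DS_PARAM, b"\x01"))

if __name__ == "__main__":
    for raw in (SCAN_REQ, LOCAL_PLAY_BEACON, NWCUSBAP_BEACON):
        print(classify(raw), parse_mgmt(raw))
```

Feed it the frame bytes exported from a Wireshark capture (Export Packet Bytes, with the radiotap header removed) and it sorts the 3DS traffic from everything else without MAC filters. The DS Parameter Set channel is what tells you which channel to park the capture card on once a host AP has been spotted.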

Berghopper

A 3ds hacker recently did a security talk about streetpass a few months ago, might want to give it a look:

Thanks so much! I would've never figured this stuff out on my own. I'll look into it more later, but I watched the talk, and man I was completely wrong!

Another thing that struck me as odd: the wiki mentions that the probe requests constantly send out an SSID of "Nintendo_3DS_continuous_scan_000". However, with the Wireshark captures I've done so far (yes, StreetPass, not local play), I got "NWCUSBAP.username" as the SSID.
 

Berghopper

Can anybody else confirm what the probe requests send out? I'm in the EU, so maybe the SSID is location-dependent?
The wiki is still correct about the random strings probe requests.

It also seems inconsistent with the talk that authentication doesn't happen (according to the researcher it does).
 

ThoD

GBATemp Addict (apparently), but more like "bored"
Member
Joined
Sep 8, 2017
Messages
3,626
Trophies
0
Age
25
XP
2,973
Country
Greece
Dude, if you only care about StreetPass hits, then just use this: https://www.reddit.com/r/3dshacks/comments/a7qh8n/streetpass_2_rise_from_the_ashes/

The one thing that we should all be working towards is making Homepass work again not for the hits, but to be able to play local-only games online (games such as MH3U for example).

Hits shouldn't even matter, honestly. In games, hits either unlock more stuff or give you small bonuses, both of which you can get with a simple cheat, meaning hits aren't even that important.
 

Berghopper

Dude, if you only care about StreetPass hits, then just use this:
<link>

The one thing that we should all be working towards is making Homepass work again not for the hits, but to be able to play local-only games online (games such as MH3U for example).

Hits shouldn't even matter, honestly. In games, hits either unlock more stuff or give you small bonuses, both of which you can get with a simple cheat, meaning hits aren't even that important.

While I have not played enough games with heavy StreetPass functionality, this is definitely a good argument. Either way it should be fun to try and figure out how to make vanilla StreetPass work in some capacity again, without needing to be in close proximity to others. Especially now, with the pandemic going around, people will just be glued to their homes.
 

Berghopper

So, I just confirmed with a friend that the "Nintendo_3DS_continuous_scan_000" SSID is indeed sent out. This also happens for my 2DSs, but I didn't see it until recently. I was applying MAC filters to filter out the garbage, but apparently StreetPass doesn't use Nintendo vendor MAC addresses, so I had a bit of trouble finding them...

Also, maybe a bit of a note for the future; Scapy might be a handy python library to handle packet crafting with.
 

Cralex

Well-Known Member
Member
Joined
Jul 29, 2016
Messages
203
Trophies
0
Age
34
XP
1,225
Country
United States
I’d love to see a homepass reimplementation some day. Back when Nintendo shut it all down, I was envisioning some setup where you could have a raspberry pi pretending to be a local 3DS, only it’d be connecting to a central repository of the systems that connect to it and occasionally spoofing each one. That’s my dream, anyway.
 

PrincessLillie

(Future) VTuber - Princess Lillie of the Stars
Member
Joined
Nov 28, 2013
Messages
2,874
Trophies
1
Age
18
Location
Virtual Earth
Website
lillie2523.carrd.co
XP
3,966
Country
United States
Dude, if you only care about StreetPass hits, then just use this: https://www.reddit.com/r/3dshacks/comments/a7qh8n/streetpass_2_rise_from_the_ashes/

The one thing that we should all be working towards is making Homepass work again not for the hits, but to be able to play local-only games online (games such as MH3U for example).

Hits shouldn't even matter, honestly. In games, hits either unlock more stuff or give you small bonuses, both of which you can get with a simple cheat, meaning hits aren't even that important.
Shhhh... Let people enjoy things...
I, for one, am quite interested in a HomePass recreation, since I never got to use it to begin with and I don't like using hacky methods like this.
 

Berghopper

I’d love to see a homepass reimplementation some day. Back when Nintendo shut it all down, I was envisioning some setup where you could have a raspberry pi pretending to be a local 3DS, only it’d be connecting to a central repository of the systems that connect to it and occasionally spoofing each one. That’s my dream, anyway.

Yes this is exactly the idea! Set up a pi, run an install script and you're ready to go!
 

Kwyjor

Well-Known Member
Member
Joined
May 23, 2018
Messages
1,765
Trophies
1
XP
2,162
Country
Canada
That video above effectively demonstrates that if you can use a device to simulate a 3DS, you can also make a device that will effectively brick any 3DS in the area that's running firmware older than 11.12. That's some risky business.

Not sure what the best way to mitigate that would be except to aim for security-by-obscurity: release a closed-source tool that carefully validates data before sending it out.

The one thing that we should all be working towards is making Homepass work again not for the hits, but to be able to play local-only games online (games such as MH3U for example).
But Homepass never had anything to do with playing local-only games online?

I expect the major obstacle there is that typical Internet connections these days just don't have sufficiently low latency to make that feasible.
 

Berghopper

That video above effectively demonstrates that if you can use a device to simulate a 3DS, you can also make a device that will effectively brick any 3DS in the area that's running firmware older than 11.12. That's some risky business.

Not sure what the best way to mitigate that would be except to aim for security-by-obscurity: release a closed-source tool that carefully validates data before sending it out.


But Homepass never had anything to do with playing local-only games online?

I expect the major obstacle there is that typical Internet connections these days just don't have sufficiently low latency to make that feasible.

I did some brainstorming on the available information, as well as on how to approach this project in the best way. And yes, indeed, if the encryption is broken (which shouldn't be too hard, as it should be based on static or known data), packets can potentially be crafted to completely take over a device, brick it, or something else (at least on firmware before 11.12).
If we truly want to share this data over the internet, we would need parsers to make 100% sure no injection can happen, which would be technically impossible.
Most StreetPass data packets would be custom-tailored to each title, making the analysis, parsing and exploit prevention a big frickin' headache. Let alone the CECD StreetPass system module.

So far I want to just see if I can communicate over a VPN/SSH tunnel with a friend, and make it work that way.
With this, the idea is that you add only trusted friends, instead of just throwing it out on the web.

For now I'll probably try to get nlLib to work and maybe use a Pi as a sort of "monkey see, monkey do" rather than trying to fully understand the encryption.

So client 1 sends whatever the first 3DS sends, and client 2 repeats this for the other side, and vice versa.

And of course, as with any modding, we should make sure the project wouldn't be liable for these types of security issues. You are, after all, putting your StreetPass data out on the World Wide Web, at your own risk.

The best way, in my view, would maybe be to see if we can at least create partial parsers and see if that's enough. Or try to see if we can prevent tampering with data peer-to-peer. Even in this case, it wouldn't be bulletproof.
 

Berghopper

I suppose we could also try to contact MrNbaYoh for further details on his research; however, I wouldn't be surprised if he signed a non-disclosure agreement with Nintendo.

However, if anyone else knows a security researcher who could possibly help with this problem, feel free to try to get them into this project!

I myself am just a simple programmer, with a mild interest in security, and am only picking this up for some tinkering.
 

EduAAA

Well-Known Member
Newcomer
Joined
Sep 3, 2017
Messages
67
Trophies
0
Age
36
XP
162
Country
Spain
There is a homebrew I use to reset the 8-hour limit. I've got two New 3DSs, one XL and one normal. I always wanted to try StreetPass, so now I use my second device; some games implement this feature very well.

I guess the easiest way would be to record the Wi-Fi signal a 3DS sends using Wireshark, and then replicate it over and over near another 3DS, but the thing is, both 3DSs have to answer each other, don't they?

So you need software that can record the 3DS Wi-Fi signal for, let's call it, user1, then send it over the internet to user2 using the same software and a 3DS with StreetPass activated too. The 3DS should receive the request and answer, the software should record that and reply back to user1, whose 3DS would know that it reached another 3DS and answer with another signal, and once that reaches user2 for the second time, the StreetPass should be done. Yay! So easy, let's start coding:

def streetpass_relay(send_signal, wait_for_response, send_final_response):
    # Sketch of the relay handshake described above; the three callables stand
    # in for "record the 3DS signal", "get the reply back over the internet"
    # and "play the final response back to the 3DS".
    if send_signal():
        response = wait_for_response()
        if response:
            send_final_response()
            print("streetpass done")
        else:
            print("wait while internet is being hacked")
    else:
        print("the fuck")
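
The relay that this post and the earlier "monkey see, monkey do" post sketch (record what the 3DS next to user1 sends, ship it to user2's machine, play it back, return the reply), written out as an added example with both ends in one process. It is not code from this thread, from the linked repository or from any project. The envelope format (`SPRL` magic, sequence number, HMAC-SHA256 under a pre-shared key) and all helper names are my own and stand in for the SSH/VPN tunnel to a trusted friend. The `allowed` check is a frame-type allowlist only: it refuses deauth, disassoc, action and control frames that a remote peer could otherwise use against the radios near you, but it does not inspect the StreetPass payload itself, which is the per-title parsing problem the earlier post calls the real headache. The frames inside `run_exchange` are constructed, not captures.

```python
"""Two-ended 802.11 frame relay over an authenticated tunnel with a frame-type
allowlist. Added example; envelope format and names are assumptions."""
import hashlib
import hmac
import struct

MAGIC = b"SPRL"                   # hypothetical envelope tag
HDR = struct.Struct("<4sIH")      # magic, sequence number, frame length
TAG_LEN = hashlib.sha256().digest_size
MAX_80211 = 2346                  # largest legal 802.11 MPDU


def allowed(frame: bytes) -> bool:
    """Frame-type allowlist: beacon, probe request/response and plain data
    frames only. Deauth, disassoc, action and control frames are refused so
    the remote peer cannot use the relay to knock local devices offline."""
    if not 24 <= len(frame) <= MAX_80211:
        return False
    fc0 = frame[0]
    if fc0 & 0x03:                # protocol version must be 0
        return False
    ftype, subtype = (fc0 >> 2) & 0x03, fc0 >> 4
    if ftype == 0:
        return subtype in (4, 5, 8)    # probe req, probe resp, beacon
    if ftype == 2:
        return subtype in (0, 8)       # data, QoS data
    return False


class RelayPeer:
    """One end of the relay. `send` delivers bytes to the other end (in
    practice a socket inside the SSH/VPN tunnel; here a plain callable)."""

    def __init__(self, name: str, psk: bytes, send):
        self.name, self.psk, self.send = name, psk, send
        self.tx_seq, self.last_rx_seq = 0, -1
        self.forwarded = []           # frames accepted for local re-injection
        self.dropped = []             # (reason, bytes) pairs

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self.psk, data, hashlib.sha256).digest()

    def wrap(self, frame: bytes) -> bytes:
        hdr = HDR.pack(MAGIC, self.tx_seq, len(frame))
        self.tx_seq += 1
        return hdr + frame + self._tag(hdr + frame)

    def unwrap(self, msg: bytes):
        if len(msg) < HDR.size + TAG_LEN:
            return None, "short"
        hdr, frame, tag = msg[:HDR.size], msg[HDR.size:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(hdr + frame)):
            return None, "bad-mac"    # verified before any field is parsed
        magic, seq, length = HDR.unpack(hdr)
        if magic != MAGIC or length != len(frame):
            return None, "malformed"
        if seq <= self.last_rx_seq:
            return None, "replay"
        self.last_rx_seq = seq
        return frame, "ok"

    def on_local_frame(self, frame: bytes) -> None:
        """Frame sniffed from the 3DS next to this peer."""
        if allowed(frame):
            self.send(self.wrap(frame))
        else:
            self.dropped.append(("local-policy", frame))

    def on_tunnel_msg(self, msg: bytes) -> None:
        """Envelope from the remote peer: authenticate, then re-apply policy."""
        frame, why = self.unwrap(msg)
        if frame is None:
            self.dropped.append((why, msg))
        elif not allowed(frame):
            self.dropped.append(("remote-policy", frame))
        else:
            self.forwarded.append(frame)   # re-inject on the local radio here


def mgmt(subtype: int, body: bytes = b"") -> bytes:
    """Constructed 802.11 management frame: frame control, 22 header bytes, body."""
    return bytes([subtype << 4, 0]) + b"\x00" * 22 + body


def run_exchange():
    """Both sides of the relay, plus three messages that must be dropped."""
    psk = b"shared-between-two-friends-only"
    inbox = {"a": [], "b": []}
    a = RelayPeer("a", psk, inbox["b"].append)
    b = RelayPeer("b", psk, inbox["a"].append)

    a.on_local_frame(mgmt(8, b"\x00" * 12))           # beacon from a's 3DS
    b.on_tunnel_msg(inbox["b"].pop(0))
    b.on_local_frame(mgmt(4))                         # probe request from b's 3DS
    a.on_tunnel_msg(inbox["a"].pop(0))
    b.on_local_frame(bytes([0x08, 0]) + b"\x00" * 22 + b"payload")   # data frame
    a.on_tunnel_msg(inbox["a"].pop(0))

    a.on_local_frame(mgmt(12))                        # deauth: dropped before it leaves
    forger = RelayPeer("x", b"wrong-key", inbox["a"].append)
    forger.on_local_frame(mgmt(8, b"\x00" * 12))      # well-formed frame, wrong key
    a.on_tunnel_msg(inbox["a"].pop(0))                # -> bad-mac
    msg = b.wrap(mgmt(4))
    a.on_tunnel_msg(msg)
    a.on_tunnel_msg(msg)                              # second copy -> replay
    return a, b
```

Policy is applied on both ends on purpose: the sending side refuses to put a forbidden frame on the wire at all, and the receiving side re-checks after authenticating, so a compromised or buggy peer still cannot get a deauth injected next to your console. The pre-shared key is the "trusted friends only" model from the earlier post; a public relay would need a very different trust design.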
 

IC_

Cossus cossus
Member
Joined
Aug 24, 2017
Messages
1,458
Trophies
1
Location
The Forest
XP
3,063
Country
Poland
There is a homebrew I use to reset the 8-hour limit. I've got two New 3DSs, one XL and one normal. I always wanted to try StreetPass, so now I use my second device; some games implement this feature very well.

I guess the easiest way would be to record the Wi-Fi signal a 3DS sends using Wireshark, and then replicate it over and over near another 3DS, but the thing is, both 3DSs have to answer each other, don't they?

So you need software that can record the 3DS Wi-Fi signal for, let's call it, user1, then send it over the internet to user2 using the same software and a 3DS with StreetPass activated too. The 3DS should receive the request and answer, the software should record that and reply back to user1, whose 3DS would know that it reached another 3DS and answer with another signal, and once that reaches user2 for the second time, the StreetPass should be done. Yay! So easy, let's start coding:

If(3ds=send streetpass signal) then
{
Wait for response;
If(response=positive) then
{
Send= final response:
Printf= streetpass done;
}
Else
{
Printf=wait while internet is being hacked;
}
}
Else
{
Printf=the fuck:
}
What programming language is that?
 

Kwyjor

I guess the easiest way would be to record the wifi signal a 3ds sends using Wireshark, and then replicate over and over near another 3ds, but the thing is, both 3Ds have to answer to each other, isn't it?
Did you watch the video above? The protocol is extensively documented.
 