1. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
First of all: Hi! I'm new to GBAtemp and was mostly a lurker every once in a while.

    So to begin with this topic, the reason for me starting it is that I want more streetpasses. But because of the dwindling amount of 3DS users and the death of spotpass in 2018 and in turn PiPass/HomePass, this is quite difficult.
    My goal with this post is to possibly reverse engineer how either:

    1. Streetpass works locally
    2. or how Spotpass servers used to work.

    Since the spotpass servers are all but dead, I'm first focussing on how streetpass works.

    Please feel free to discuss and share information/knowledge on this topic! I am only 1 person and cannot possibly hope to figure this out on my own.

    Modding is an option to get the streetpass file from the DS and share it around (streetpass 2 rise from the ashes), but this is not the main goal. The goal is to be able to use a regular, unmodified 3DS, to be able to talk to any other wireless device and streetpass that way (Basically making another device fake they are a 3DS). If this is possible, we could then hope to share streetpass data more easily, without modding, and possibly making our own "spotpass".

    So let's get into it:

    The first area I decided to tackle, is to figure out what the heck streetpass even uses. After a bit of digging it seemed that it is using a regular 802.11b wifi chip to do its thing.
    Loading up wireshark with management mode, indeed showed some broadcasting traffic from 2 3DS's I have laying around.
    However, for a while I could not figure out more than this, until I tried something else: Local play.

    So as far as local play goes, it shares some similarities with streetpass with the packets that it broadcasts.
    Digging a bit into local play gave me the following information:

    Both 3DS's spit out a bunch of broadcasts/beacon frames, showing network SSIDs.
    After this, the DS's authenticate with the host, and start sharing game data.
Local play seems to make a WEP-encrypted access point (AP) on the 2.4GHz band with a bandwidth of 20MHz. Usually these APs appear on channels 1, 6 and 11. Generic broadcasts (before authentication) seem to happen on all 2.4GHz channels. Also, these APs seem to have a hidden SSID.

    So a few things we can gather from this:

    1. The host DS is making an AP
    2. Somehow it communicates to other DS's, its SSID and passkey
    3. After which clients are able to connect and play together.

    As of right now I'm trying to crack the WEP key, for a single, very long mario kart 7 session, but still need to gather more data.
The main issue is that either the SSID or the passkey changes for each local play session. Hence I need to record 1 very long uninterrupted session.
    I want to crack the WEP key, so I can then identify if the passkey is just being broadcasted or if something else is happening.

    Something else I noticed:


    • Streetpass seems to continuously send out the same SSID: "NWCUSBAP.username"

NWCUSBAP probably stands for: "Nintendo Wireless Connector, USB Access Point"
Strictly speaking there are some extra characters in the SSID, but for now I'm ignoring those.

I've so far been unsuccessful in capturing a streetpass share. This is mainly difficult due to the 8 hour cooldown time, the access point not being on a consistent channel (wireshark can only listen in on 1 specific channel at a time with my wifi chip), and it happening randomly. This is why for now I'm so hyper-focussed on local play.

    Sorry for the long post, but if you've made it this far, thanks for sticking around!

    Edit1; This post might contain wrong assumptions/information, follow the posts latest comments to keep up to date.

    Edit2; View this repository for a collection of links and information: https://bitbucket.org/casperwietse/streetbasket-public/src/master/

Edit 3; any old information has been struck through.
     
    Last edited by Berghopper, Apr 25, 2020
    Acyl3n, Dartz150, justinweiss and 6 others like this.
  2. oni_kuma

    oni_kuma Member
    Newcomer

    Joined:
    Mar 19, 2016
    Messages:
    17
    Country:
    Canada
I have a n3ds, Large 3DSXL and an Original 3DS that could be plugged in and run a LONG circuit. If need be?
     
  3. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
    Sure, you can run wireshark on your own and look around. What do you mean with a LONG circuit though?
     
  4. zoogie

    zoogie playing around in the dsiware
    Developer

    Joined:
    Nov 30, 2014
    Messages:
    8,109
    Country:
    Micronesia, Federated States of
    Last edited by zoogie, Apr 11, 2020
    Itzumi, ThoD and E1ite007 like this.
  5. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
    Thanks so much! I would've never figured this stuff out on my own. I'll look into it more later, but I watched the talk, and man I was completely wrong!

    Another thing that struck me as odd; The wiki mentions that the probe requests constantly send out an SSID of "Nintendo_3DS_continuous_scan_000". However, with the wiresharks I've done so far (yes streetpass, not local play), I got the "NWCUSBAP.username" as SSID.
     
    Last edited by Berghopper, Apr 12, 2020
    zoogie likes this.
  6. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
    Can anybody else confirm what the probe requests send out? I'm in the EU, so maybe the SSID is location dependent?
    The wiki is still correct about the random strings probe requests.

    It also seems inconsistent with the talk that authentication doesn't happen (according to the researcher it does).
     
    Last edited by Berghopper, Apr 12, 2020
  7. ThoD

    ThoD GBATemp Addict (apparently), but more like "bored"
    Member

    Joined:
    Sep 8, 2017
    Messages:
    3,616
    Country:
    Greece
    Dude, if you only care about StreetPass hits, then just use this: https://www.reddit.com/r/3dshacks/comments/a7qh8n/streetpass_2_rise_from_the_ashes/

    The one thing that we should all be working towards is making Homepass work again not for the hits, but to be able to play local-only games online (games such as MH3U for example).

    Hits shouldn't even matter honestly, in games, hits either unlock more stuff or give you small bonuses, both of which you can do with a simple cheat meaning hits aren't even that important.
     
  8. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
    While I have not played enough games with heavy streetpass functionality, this is definitely a good argument. Either way it should be fun to try and figure out how to make vanilla streetpass work in some capacity again, without needing to be in close proximity to others. Especially now with the pandemic going around people will just be glued in their homes.
     
    ThoD likes this.
  9. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
    So, I just confirmed with a friend that the "Nintendo_3DS_continuous_scan_000" is indeed sent out. This also happens for my 2DS's but I didn't see it until recently. I was applying MAC filters to filter out the garbage, but apparently streetpass doesn't use Nintendo vendor mac addresses, so I had a bit of trouble finding them...

    Also, maybe a bit of a note for the future; Scapy might be a handy python library to handle packet crafting with.
     
    Last edited by Berghopper, Apr 12, 2020
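An added example (my own code, not Berghopper's and not from any project linked in this thread) that turns the observations from the first post and from this one into something checkable offline: a pure-Python parser for raw 802.11 management frames that pulls out the SSID element and the "privacy" capability bit, then labels each frame using the SSID strings quoted in the thread instead of vendor MAC filtering (which, as noted above, misses the 3DS). The frames are constructed inline with locally-administered placeholder MACs; the SSID prefixes come from the thread, and the label names and the `build_mgmt_frame`/`classify` helpers are my own assumptions. Scapy would do the frame parsing for you on a real capture; this is written without it so it runs anywhere.

```python
"""Minimal 802.11 management-frame parser for spotting 3DS-style traffic
in a capture. Pure Python; all input frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
CAP_PRIVACY = 0x0010          # capability-info bit 4: AP requires WEP/WPA
BROADCAST = "ff:ff:ff:ff:ff:ff"

# SSID prefixes reported in the thread (observations, not a specification).
STREETPASS_SCAN_PREFIX = b"Nintendo_3DS_continuous_scan_"
NWCUSBAP_PREFIX = b"NWCUSBAP."


@dataclass
class MgmtFrame:
    subtype: str
    src: str
    bssid: str
    ssid: Optional[bytes]
    privacy: bool        # beacon/probe-response capability "privacy" bit set
    hidden_ssid: bool    # SSID element present but empty or all NUL bytes


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_mgmt_frame(frame: bytes) -> Optional[MgmtFrame]:
    """Parse a raw 802.11 management frame (no radiotap header in front).
    Returns None for non-management or unsupported subtypes and raises
    ValueError on truncated input instead of guessing at missing bytes."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 MAC header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return None
    src, bssid = _mac_to_str(frame[10:16]), _mac_to_str(frame[16:22])
    body = frame[24:]
    privacy = False
    if subtype in (5, 8):       # fixed fields: timestamp(8) interval(2) capability(2)
        if len(body) < 12:
            raise ValueError("truncated beacon/probe-response fixed fields")
        _ts, _interval, cap = struct.unpack("<QHH", body[:12])
        privacy = bool(cap & CAP_PRIVACY)
        body = body[12:]
    ssid = None
    pos = 0
    while pos + 2 <= len(body):  # walk the tag/length/value information elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == 0:             # element ID 0 = SSID
            ssid = value
        pos += 2 + length
    hidden = ssid is not None and (len(ssid) == 0 or not any(ssid))
    return MgmtFrame(MGMT_SUBTYPES[subtype], src, bssid, ssid, privacy, hidden)


def classify(f: MgmtFrame) -> str:
    """Label a frame by the SSIDs the thread reports; names are my own."""
    if f.ssid and f.ssid.startswith(STREETPASS_SCAN_PREFIX):
        return "3ds-streetpass-scan"
    if f.ssid and f.ssid.startswith(NWCUSBAP_PREFIX):
        return "3ds-nwcusbap"
    if f.subtype == "beacon" and f.hidden_ssid and f.privacy:
        return "hidden-encrypted-ap"   # shape of the local-play AP described above
    return "other"


def build_mgmt_frame(subtype: int, src: str, bssid: str, ssid: bytes,
                     privacy: bool = False) -> bytes:
    """Construct a management frame for testing (placeholder MACs)."""
    header = bytes([subtype << 4, 0x00]) + b"\x00\x00"          # frame control, duration
    header += _mac_to_bytes(BROADCAST) + _mac_to_bytes(src) + _mac_to_bytes(bssid)
    header += b"\x00\x00"                                       # sequence control
    body = b""
    if subtype in (5, 8):
        cap = 0x0001 | (CAP_PRIVACY if privacy else 0)          # ESS bit + optional privacy
        body += struct.pack("<QHH", 0, 100, cap)
    body += bytes([0, len(ssid)]) + ssid                        # SSID element
    body += bytes([1, 4]) + b"\x82\x84\x8b\x96"                 # supported rates element
    return header + body


def sample_capture() -> list:
    """Constructed frames standing in for what the thread reports seeing."""
    return [
        build_mgmt_frame(4, "02:00:00:00:00:01", BROADCAST, b"Nintendo_3DS_continuous_scan_000"),
        build_mgmt_frame(8, "02:00:00:00:00:02", "02:00:00:00:00:02", b"\x00" * 8, privacy=True),
        build_mgmt_frame(8, "02:00:00:00:00:03", "02:00:00:00:00:03", b"NWCUSBAP.player1"),
        build_mgmt_frame(8, "02:00:00:00:00:04", "02:00:00:00:00:04", b"HomeNet"),
    ]


def summarize(frames) -> dict:
    """Count frames per label; skips frames that are not management frames."""
    counts = {}
    for raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        label = classify(parsed)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in sample_capture():
        f = parse_mgmt_frame(raw)
        print(f"{f.subtype:14} src={f.src} ssid={f.ssid!r} privacy={f.privacy} -> {classify(f)}")
    print(summarize(sample_capture()))
```

On a real capture you would feed `parse_mgmt_frame` the frame bytes after stripping the radiotap header Wireshark shows; the parser deliberately raises on truncated elements rather than silently accepting a malformed frame, which matters once frames from other people's devices are being parsed.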
  10. Cralex

    Cralex GBAtemp Regular
    Member

    Joined:
    Jul 29, 2016
    Messages:
    203
    Country:
    United States
    I’d love to see a homepass reimplementation some day. Back when Nintendo shut it all down, I was envisioning some setup where you could have a raspberry pi pretending to be a local 3DS, only it’d be connecting to a central repository of the systems that connect to it and occasionally spoofing each one. That’s my dream, anyway.
     
    Berghopper likes this.
  11. sks316

    sks316 Pokémon XD: Gale of Darkness remaster activist
    Member

    Joined:
    Nov 28, 2013
    Messages:
    2,831
    Country:
    United States
    Shhhh... Let people enjoy things...
    I, for one, am quite interested in a HomePass recreation, since I never got to use it to begin with and I don't like using hacky methods like this.
     
    Itzumi, ThoD and E1ite007 like this.
  12. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
    Yes this is exactly the idea! Set up a pi, run an install script and you're ready to go!
     
  13. Kwyjor

    Kwyjor GBAtemp Maniac
    Member

    Joined:
    May 23, 2018
    Messages:
    1,041
    Country:
    Canada
    That video above effectively demonstrates that if you can use a device to simulate a 3DS, you can also make a device that will effectively brick any 3DS in the area that's running firmware older than 11.12. That's some risky business.

    Not sure what the best way to mitigate that would be except to aim for security-by-obscurity: release a closed-source tool that carefully validates data before sending it out.

    But Homepass never had anything to do with playing local-only games online?

    I expect the major obstacle there is that typical Internet connections these days just don't have sufficiently low latency to make that feasible.
     
    Berghopper likes this.
  14. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
I did some brainstorming on the available information, as well as trying to approach this project in the best way. And yes, indeed, if the encryption is broken (which shouldn't be too hard as it should be based on static or known data), packets can potentially be crafted to completely take over a device, brick it, or something else (at least with firmware before 11.12).
    If we truly want to share this data over the internet, we would need parsers to make 100% sure no injection can happen, which would be technically impossible.
    Most streetpass data packets would be custom tailored to each consecutive title, making the analysis, parsing, and exploit prevention a big frickin headache. Let alone the CECD streetpass system module.

    So far I want to just see if I can communicate with a vpn/ssh tunnel with a friend, and make it work that way.
    With this, the idea is that you add only trusted friends, instead of just throwing it out on the web.

    For now I'll probably try to get the nlLib to work and maybe use a pi as a sort of "monkey see, monkey do" rather than trying to fully understand the encryption.

    So client1 sends whatever the 1st 3ds sends, and client2 repeats this for the other side and vice versa.

    And of course, as with any modding, we should make sure the project wouldn't be liable for these types of security issues. You are after all putting the streetpass data out on the world wide web, at your own risk.

The best way, in my view, would maybe be to see if we can at least create partial parsers and see if that's enough. Or try to see if we can prevent tampering with data peer-to-peer. Even in this case, it wouldn't be bulletproof.
     
    Last edited by Berghopper, Apr 14, 2020
  15. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
I suppose we could also try to contact MrNbaYoh for further details on his research, however I wouldn't be surprised if he signed a non-disclosure agreement with Nintendo.

However, if anyone else knows a security researcher that could possibly help with this problem, feel free to try to get them into this project!

    I myself am just a simple programmer, with a mild interest in security, and am only picking this up for some tinkering.
     
  16. EduAAA

    EduAAA Member
    Newcomer

    Joined:
    Sep 3, 2017
    Messages:
    41
    Country:
    Spain
There is a homebrew I use to reset the 8 hour limit. I've got 2 New 3DS, 1 XL and 1 normal. I always wanted to try streetpass, so now I use my second device; some games have this feature implemented very well.

I guess the easiest way would be to record the wifi signal a 3ds sends using Wireshark, and then replicate it over and over near another 3ds, but the thing is, both 3DS have to answer each other, don't they?

So you need software that can record the 3ds wifi signal for, let's call it, user1, then send it over the internet to user2 using the same software and a 3ds with streetpass activated too. The 3ds should receive the request and answer, the software should record and reply back to user1, his 3ds would know that it reached another 3ds and answer with another signal, and once it reaches user2 for the second time, the streetpass should be done. Yay! So easy, let's start coding:

#include <stdio.h>

/* The flow from the post written out as compilable C; each step is a stub
   that reports success, since the real exchange is what the thread is
   trying to work out. */
static int send_streetpass_signal(void) { return 1; } /* 1 = signal sent */
static int wait_for_response(void)      { return 1; } /* 1 = positive reply */
static void send_final_response(void)   { }

int main(void)
{
    if (send_streetpass_signal()) {
        if (wait_for_response()) {
            send_final_response();
            printf("streetpass done\n");
        } else {
            printf("wait while internet is being hacked\n");
        }
    } else {
        printf("the fuck\n");
    }
    return 0;
}
     
  17. IC_

    IC_ GBAtemp Maniac
    Member

    Joined:
    Aug 24, 2017
    Messages:
    1,125
    Country:
    Poland
What programming language is that?
     
  18. EduAAA

    EduAAA Member
    Newcomer

    Joined:
    Sep 3, 2017
    Messages:
    41
    Country:
    Spain
It's C--
     
  19. Kwyjor

    Kwyjor GBAtemp Maniac
    Member

    Joined:
    May 23, 2018
    Messages:
    1,041
    Country:
    Canada
    Did you watch the video above? The protocol is extensively documented.
     
  20. Berghopper

    OP Berghopper Member
    Newcomer

    Joined:
    Apr 11, 2020
    Messages:
    13
    Country:
    Netherlands
    Last edited by Berghopper, Apr 16, 2020