Use the cfg:nor service to read/write WiFi configurations

Discussion in '3DS - Homebrew Development and Emulators' started by natinusala, Apr 27, 2017.

  1. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    Hello,

    I would like to make a tiny "WiFi Bank" homebrew which would be useful to store more than 3 WiFi configurations on the device. I already know how to compile a 3DSX and display text, respond to inputs etc...

    To make such an homebrew I obviously need to be able to read from and write WiFi configurations. I read that it was located in the NVRAM section, which I can read using the cfg:nor service.

    The read function needs an offset and a size, and I don't really know what to put there. I tried to put 0x00080000 and 0xC00 as documented there but I only seem to get garbage. I don't know the format of the NVRAM so I really don't know what offset corresponds to what. I also tried the cfg:u service, with no success (it can't find the block with the given size with any of the different flags).

    Do any of you have any clue on how to handle this ? Is this the good approach to do so ? How could I know that I have the right data, apart from printing the hex and searching manually ?

    Thanks for the help :)
     
  2. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    For the Wii U it is fairly easy but here, looks like we have no idea where WiFi Configuration are stored. And there's no real function to read/write to it, we can only blindly read and write to NVRAM, so maybe you can try to dump the NVRAM and search for your WiFi config and deduce a structure from it, and then make a homebrew that will read/write to NVRAM from a binary (which store more WifiConfig)

    EDIT: We know that WifiConfig is 0xC00 bytes big and is stored on a save file, where we can read to it from CFG Service

    — Posts automatically merged - Please don't double post! —

    EDIT x2 :

    https://www.3dbrew.org/wiki/CfgS:GetConfigInfoBlk8
    https://www.3dbrew.org/wiki/CfgS:SetConfigInfoBlk4

    So, use these to read/write WiFi Config

    BlkID = 0x00080000 (for the first wifi slot)
    0x00080001 (for the second wifi slot)
    0x00080002 (for the third wifi slot)

    You just need to implement these function and make a nice and tidy homebrew, i'd be glad to help :)

    I can actually make this homebrew, but as this is your homebrew, i'll just try to help if i can
     
    Last edited by NexoCube, Apr 28, 2017
    Quantumcat likes this.
  3. Jayro

    Jayro MediCat USB and Mini Windows 10 Developer

    Member
    GBAtemp Patron
    Jayro is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    5,142
    2,808
    Jul 23, 2012
    United States
    Octo Canyon
    I hear the Wi-Fi settings are stored in the System Settings of the NVRAM, so you might have to do full dumps and restores of System Settings to get it to work right. I could be wrong, but again, it's just what I've heard.
     
  4. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    They are stored on savefile which we can read (or write) from using CFG service commands
     
    Jayro likes this.
  5. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    Thanks for your answers :)

    For the NVRAM part, I did a dump using NVRAM Manager (or something like that) and the WiFi profiles are definitely stored there, I checked using a hex editor. The thing is that I can't find a way to read it on the console ; if I look at the offset in my hex editor and try to read this my using CFGNOR_ReadData, I only get garbage. I don't think I have the good method to read the data, print the data on the console or I don't have the right offsets.

    For the CFG part, I tried to read the 0x080000 block with CFGU but it fails each time, is it because I'm supposed to use CFGS ? It's not present in libctru so as you said I'll need to implement them myself. I'll try and let you know :)

    edit : CFG_GetConfigInfoBlk8 is in libctru, am I supposed to use it ?

    edit2: I don't know if Citra3DS has the wifi config blocks implemented but when running this :

    Code:
    #define WIFI_SLOT1_ADDR 0x00080000
    #define WIFI_SLOT2_ADDR 0x00080001
    #define WIFI_SLOT3_ADDR 0x00080002
    #define WIFI_SLOT_SIZE 0xC00
    
    cfguInit();
    
    uint8_t buf[WIFI_SLOT_SIZE];
    CFG_GetConfigInfoBlk8(WIFI_SLOT_SIZE, WIFI_SLOT1_ADDR, buf);
    [...]
    cfguExit();
    
    It gives me this in Citra's logs :
    Code:
    [   0.556439] Service.CFG <Error> core\hle\service\cfg\cfg.cpp:Service::CFG::GetConfigInfoBlockPointer:312: Config block 0x80000 with flags 8 and size 3072 was not found
    It also fails on my 3DS
     
    Last edited by natinusala, Apr 29, 2017
  6. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    Flags is 0xC or something like that, and there's no function for it, so you need to find a way to R/W in NVRAM
     
  7. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    Well isn't the CFGNOR_ReadData function for that ?
     
  8. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    I have no idea :/
     
  9. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    That's what NVRAM Manager (or whatever it's called) uses to dump it, so I guess it would be the function to use, with the offset I can have from the hex editor.

    But would it be safe to use ? Wouldn't just write to the NVRAM like this corrupt it somehow ? It looks like we read and write blindly without knowing what's in it
     
  10. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    Nope, it won't corrupt anything because CFG is writing data to NVRAM from the config save, so just write/read from it and see if it works
     
  11. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    Okay. I guess I have to find the offset and convert the u32 to u8 and print them to see if I get anything ?
     
  12. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    Code:
    #define NVRAM_START_ADDR 0xAABBCCDD
    #define NVRAM_SIZE  0xNVRAM_SIZE 
    
    // You need to find these
    
    u32 *nvram_dump[NVRAM_SIZE/4]
    
    nvram_dump = linearAlloc(NVRAM_SIZE);
    
    // dump ...
    
    u32 test = 0;
    memcpy(nvram_dump + offset, &test, 4);
    printf("test_offset = %08X\n", (unsigned int)test);
    
    // same thing with another offset ... (or you can create a function that will print a certain offset from the dump)
    — Posts automatically merged - Please don't double post! —

    Then you can even try to write to it and see if connecting to the internet still work
     
  13. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    Okay, I see, thanks. However, the libctru's CFGNOR_ReadData function fails everytime on my 3DS, even with offset 0 and a tiny size. It's the right function as it's the one NVRAM Manager is using. The error code is -656406537. Doesn't it require elevated privileges ?
     
  14. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    Nope NVRAM Manager is running in userland so :/ and put the error codes in hex, might help lol, and, if libctru one isn't working, make your own implementation of it
     
  15. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    The thing is that I don't know if the implementation is not working or my usage of it is wrong x)
     
  16. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    i can't help anymore, sorry, i have no idea :/
     
  17. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
    I would have asked the creator of NVRAM Manager but his last login was 1 year ago =/ Thanks anyway for the help :)
     
  18. jockep

    jockep GBAtemp Regular

    Member
    169
    58
    Apr 12, 2017
    Try his github (same name).
     
  19. natinusala
    OP

    natinusala GBAtemp Regular

    Member
    166
    104
    Dec 1, 2012
    France
  20. jockep

    jockep GBAtemp Regular

    Member
    169
    58
    Apr 12, 2017
    Don't know, seems he dislikes the 3ds community and gives very rude replies but you could try.

    Another attempt is to dump it using the ctrulib function for it and analyze the bin with a hexeditor. I'd Guess the ssid is in a normal string.

    Edit: Oh you tried that.
     
    Last edited by jockep, Apr 29, 2017