Difference between revisions of "Talk:MK8 Network Protocol"

m (no horizontal scrolling)
 
(5 intermediate revisions by 2 users not shown)
Line 82: Line 82:
 
<pre>
 
<pre>
 
   
 
   
  Magic        Sub  ID  Counter  ms1    ms2    Flags   size
+
  Magic        Sub  ID  Counter  ms1    ms2    Flags Slot  Size
[32 AB 98 64] [01] [00] [00 00]  [FF 77] [00 00] [00 01] [00 00]
+
[32 AB 98 64] [01] [00] [00 00]  [FF 77] [00 00] [00]  [01] [00 00]
  
...  ???
+
...  ???          NNID          Type ???
... [00 00 03 7D 04 78 59 45 00 C0 00 00 00 00 00 00] [Payload][padding]
+
... [00 00 00 03] [7D 04 78 59] [45] [00 C0 00 00 00 00 00 00] [Payload][padding]
  
 
...  HMAC?
 
...  HMAC?
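Review bot: the split of the unknown block in the second row changes its length. The removed line carries 16 bytes (00 00 03 7D 04 78 59 45 00 C0 00 00 00 00 00 00), while the added line carries 17 ([00 00 00 03] [7D 04 78 59] [45] plus eight trailing bytes), so a 00 has been inserted into the first group. Please check the byte count against a capture and say which group the extra byte belongs to, because every offset after this block depends on it.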
Line 98: Line 98:
 
ms2: Remote time in millseconds truncated to 16bit short big-endian if ID is zero then this will be zero too.
 
ms2: Remote time in millseconds truncated to 16bit short big-endian if ID is zero then this will be zero too.
 
Flags: No clue what this is used for.  
 
Flags: No clue what this is used for.  
 +
Slot: The lobby slot the player is occupying. Initial connection player will start with slot 254 for some reason.
 
Size: Length of the payload minus the overhead as big-endian.
 
Size: Length of the payload minus the overhead as big-endian.
 +
NNID: Global numerical id for user on Nintendo's network.
 +
Type: Payload type.
 
HMAC: Used to validate and sign the packet. This used to be 128 bits but is now 96 bits.
 
HMAC: Used to validate and sign the packet. This used to be 128 bits but is now 96 bits.
 
</pre>
 
</pre>
 +
 +
: This Splatoon data looks exactly the same as in MK8, great! Could you give me a network dump of Splatoon (I don't have that game)?
 +
: And maybe also tell me your NNID then I might look into the "NNID" value
 +
: [[User:Leseratte|Leseratte]] ([[User talk:Leseratte|talk]]) 18:47, 19 January 2016 (UTC)
 +
 +
: All my network captures are to a database, so I can't provide a PCAP file. I do have quite a bit of Nintendo's networking code figured out.
 +
: You can find it here [https://github.com/Shragei/SplatNet SplatNet].
 +
: As for the NNID, this is a some type of ID tied to a player's account.
 +
: It is always the same between capture sessions, and no two people have the same ID.
 +
--[[User:Shragei|Shragei]] ([[User talk:Shragei|talk]]) 07:32, 1 February 2016 (UTC)
 +
 +
== Smash 4 (3DS) ==
 +
I've been investigating Smash 3DS's network protocol a bit and I'm starting to look into the matchup protocol. It seems Smash 3DS (and probably Wii U) shares connections with nncs1.app.nintendowifi.net, nncs2.app.nintendowifi.net, and discovery.olv.nintendo.net. The only reference to discovery.olv.nintendo.net, however, is a single URL https://discovery.olv.nintendo.net/v1/endpoint. Olive is the name for Miiverse it seems though, so the prior two URLs are probably what is used directly for matchmaking. https://npdl.cdn.nintendowifi.net/p01/nsa/ and https://npvk.app.nintendo.net/reports are also referenced, but those are presumably used for BOSS in order to download content for the Conquests. --[[User:Shinyquagsire23|Shinyquagsire23]] ([[User talk:Shinyquagsire23|talk]]) 03:46, 22 February 2016 (UTC)
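Review bot: the added definition "NNID: Global numerical id for user on Nintendo's network." states the field's meaning as settled, while the reply added further down in the same change only says it is "some type of ID tied to a player's account". Suggest marking the definition as tentative, the way the layout already does with "HMAC?", and giving "Type: Payload type." at least the value seen in the example row (45), since that line otherwise only restates the column name.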

Latest revision as of 03:46, 22 February 2016

Searching network dumps & videos

As I do not have a WiiU, I'm searching for Mario Kart 8 network dumps. It is best to make a network dump and a video at the same time so I can see what happens. If you are able to dump MK8 network data and make a video, please do so, upload the dump and the video and post the download link here. -- Leseratte (talk) 06:50, 29 May 2014 (UTC)

Leseratte, I think this will help you for sure. [1] --TheMetaPirate (talk) 08:55, 17 August 2014 (UTC)
Leseratte, do you hang out in some IRC server/channel? I have become interested in reverse engineering the MK8 network protocol and I am able to record network dumps of me playing MK8. Mgrandi (talk) 20:00, 18 September 2014 (UTC)


mgrandi's research

wireshark capture + videos

The way I have these set up is that I capture the traffic using Wireshark, and have a capture filter so I only get traffic that goes to / from my Wii U, to reduce clutter and file size. The packets are of course timestamped, and when recording the video, I have a Unix Epoch (seconds since 1970) clock visible in the video so you can more or less match up the exact time in the Wireshark capture that something happens (within a second, couldn't find a millisecond clock).

Filtering for time in Wireshark is strange. If you set your 'time display format' (view -> set time display format) to "seconds since epoch", and then the precision in the same menu to be milliseconds, then you can see the epoch time for each of the packets. However, when filtering based on time (like greater than <some epoch date>), you can't just right click on the time -> apply as filter, as it does "time delta", which is incorrect. You have to expand the packet and go to frame -> arrival time, and then you should get a display filter (if you right click -> apply as filter) like this: frame.time_epoch == 1410939898.442630000. Then you can use the comparison operators like ==, and >=, etc. to filter.

urls

In addition to the one URL that the Wii U contacts when starting Mario Kart 8 / connecting online, it seems to contact all of these URLs (some of them are just redirects to an Amazon AWS instance, it seems):

  • mii-secure.account.nintendo.net
    • 54.225.148.154 mii-secure-proxy-prod-lb-12465627.us-east-1.elb.amazonaws.com
  • 69.25.139.186 ias.wup.shop.nintendo.net
  • 111.168.21.82 nppl.app.nintendo.net
  • 202.32.117.142 nncs1.app.nintendowifi.net
  • 107.23.139.110 discovery.olv.nintendo.net
  • 192.195.204.136 account.nintendo.net
  • 202.32.117.143 nncs2.app.nintendowifi.net
  • 69.25.139.194 tagaya.wup.shop.nintendo.net
  • npvk.app.nintendo.net
    • front-p01-1453423078.us-west-2.elb.amazonaws.com
  • 69.25.139.185 ecs.wup.shop.nintendo.net
  • api-us.olv.nintendo.net

certificates

In my Wireshark capture the Wii U downloads 6 certificates, 5 of which are signed by the 6th, the Nintendo CA root certificate. Here is a zip of them (exported from a Wireshark capture), which includes

  • account.nintendo.net
  • *.app.nintendo.net
  • *.olv.nintendo.net
  • Nintendo CA - G3 (root certificate)
  • Wii U Common Prod 1
  • *.wup.shop.nintendo.net

string encoding

It seems that the game uses utf-16-be as its string encoding, as I noticed when racing: at the beginning, my Wii U seems to send something like this to every racer I'm facing (Mark is my Wii U character's name):

<pre>
000004A8  32 ab 98 64 01 00 00 00  1f de 16 5d 00 02 00 4c  2..d.... ...]...L
000004B8  00 00 00 00 01 15 44 0c  01 00 00 00 00 00 00 00  ......D. ........
000004C8  02 00 03 03 30 5f 37 36  32 30 30 33 39 5f 31 00  ....0_76 20039_1.
000004D8  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
000004E8  00 00 00 00 00 4d 00 61  00 72 00 6b 00 00 00 00  .....M.a .r.k....
000004F8  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
00000508  00 00 00 00 04 00 00 00  19 8f 1e f8 7c b9 2b bd  ........ ....|.+.
00000518  18 66 98 21 df 33 0d 73  a2 17 e1 a6              .f.!.3.s ....
</pre>

<code>
>>> x="00 4d 00 61  00 72 00 6b".replace(" ", "")
>>> x
'004d00610072006b'
>>> import binascii
>>> y = binascii.unhexlify(x)
>>> y
b'\x00M\x00a\x00r\x00k'
>>> y.decode("utf_16_be")
'Mark'
</code>

Splatoon

I'm currently working on this same problem with Splatoon. I wouldn't be surprised if this packet is also used in other Nintendo IP. This is what I have currently for the packet description. --Shragei (talk) 20:28, 3 October 2015 (UTC)

 
 Magic         Sub  ID   Counter  ms1     ms2     Flags  Slot  Size
[32 AB 98 64] [01] [00] [00 00]  [FF 77] [00 00] [00]   [01]  [00 00]

...  ???           NNID          Type ???
... [00 00 00 03] [7D 04 78 59] [45] [00 C0 00 00 00 00 00 00] [Payload][padding]

...  HMAC?
... [7D F6 19 32 CF 87 E8 A6 23 D4 AB D6 15 4A 77 43]

Magic: magic marker.
Sub: Some type of subtype indicator.
ID: The id of the target client. If the packet is a broadcast to all clients this will be set to zero.
Counter: big-endian. If ID is zero then counter will be zero (broadcast?)
ms1: Local time in milliseconds truncated to a 16-bit short, big-endian.
ms2: Remote time in milliseconds truncated to a 16-bit short, big-endian. If ID is zero then this will be zero too.
Flags: No clue what this is used for. 
Slot: The lobby slot the player is occupying. Initial connection player will start with slot 254 for some reason.
Size: Length of the payload minus the overhead as big-endian.
NNID: Global numerical id for user on Nintendo's network.
Type: Payload type.
HMAC: Used to validate and sign the packet. This used to be 128 bits but is now 96 bits.

This Splatoon data looks exactly the same as in MK8, great! Could you give me a network dump of Splatoon (I don't have that game)?
And maybe also tell me your NNID, then I might look into the "NNID" value.
Leseratte (talk) 18:47, 19 January 2016 (UTC)

All my network captures are to a database, so I can't provide a PCAP file. I do have quite a bit of Nintendo's networking code figured out.
You can find it here: SplatNet.
As for the NNID, this is some type of ID tied to a player's account.
It is always the same between capture sessions, and no two people have the same ID.

--Shragei (talk) 07:32, 1 February 2016 (UTC)
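
An added example, not code from any poster in this thread: it parses the 16-byte fixed header of Shragei's layout out of mgrandi's MK8 dump, then checks which of the extended-header lengths (16 or 17 bytes) and HMAC lengths (96 or 128 bits) mentioned on this page agree with the Size field. It assumes the dump is one complete datagram and that Size counts only the payload; the name offset 68 is read off this one dump, and the function names are illustrative.

```python
import struct
from itertools import product

# Hex columns of mgrandi's MK8 dump from this page, assumed to be one complete datagram.
MK8_DUMP = """
32 ab 98 64 01 00 00 00 1f de 16 5d 00 02 00 4c
00 00 00 00 01 15 44 0c 01 00 00 00 00 00 00 00
02 00 03 03 30 5f 37 36 32 30 30 33 39 5f 31 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 4d 00 61 00 72 00 6b 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 04 00 00 00 19 8f 1e f8 7c b9 2b bd
18 66 98 21 df 33 0d 73 a2 17 e1 a6
"""
PACKET = bytes.fromhex("".join(MK8_DUMP.split()))
MAGIC = bytes.fromhex("32ab9864")
FIXED = struct.Struct(">4sBBHHHBBH")  # Magic Sub ID Counter ms1 ms2 Flags Slot Size
FIELDS = ("magic", "sub", "id", "counter", "ms1", "ms2", "flags", "slot", "size")

def parse_fixed_header(packet):
    """Parse the 16-byte fixed header; reject short, mis-tagged or over-long claims."""
    if len(packet) < FIXED.size:
        raise ValueError("packet shorter than the 16-byte fixed header")
    hdr = dict(zip(FIELDS, FIXED.unpack_from(packet)))
    if hdr["magic"] != MAGIC:
        raise ValueError("bad magic")
    if hdr["size"] > len(packet) - FIXED.size:
        raise ValueError("Size field exceeds the bytes actually received")
    return hdr

def consistent_layouts(packet, ext_lens=(16, 17), tag_lens=(12, 16)):
    """Return the (extended header, tag) byte lengths that add up to this packet."""
    hdr = parse_fixed_header(packet)
    overhead = len(packet) - FIXED.size - hdr["size"]  # bytes Size does not cover
    return [(e, t) for e, t in product(ext_lens, tag_lens) if e + t == overhead]

def utf16be_cstring(packet, offset):
    """Decode a NUL-terminated UTF-16-BE string starting at offset."""
    end = offset
    while end + 1 < len(packet) and packet[end:end + 2] != b"\x00\x00":
        end += 2
    return packet[offset:end].decode("utf_16_be")

if __name__ == "__main__":
    print(parse_fixed_header(PACKET))
    print(consistent_layouts(PACKET))
    print(utf16be_cstring(PACKET, 68))
```

Under those assumptions, this dump only adds up with a 16-byte extended header and a 16-byte trailing tag.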

Smash 4 (3DS)

I've been investigating Smash 3DS's network protocol a bit and I'm starting to look into the matchup protocol. It seems Smash 3DS (and probably Wii U) shares connections with nncs1.app.nintendowifi.net, nncs2.app.nintendowifi.net, and discovery.olv.nintendo.net. The only reference to discovery.olv.nintendo.net, however, is a single URL https://discovery.olv.nintendo.net/v1/endpoint. Olive is the name for Miiverse it seems though, so the prior two URLs are probably what is used directly for matchmaking. https://npdl.cdn.nintendowifi.net/p01/nsa/ and https://npvk.app.nintendo.net/reports are also referenced, but those are presumably used for BOSS in order to download content for the Conquests. --Shinyquagsire23 (talk) 03:46, 22 February 2016 (UTC)