Talk:MK8 Network Protocol

From MK8
Revision as of 20:28, 3 October 2015 by Shragei (Talk | contribs)


Searching network dumps & videos

As I do not have a WiiU, I'm searching for Mario Kart 8 network dumps. Best is to make a network dump and a video the same time so I can see what happens. If you are able to dump MK8 network data and make a video, please do so, upload the dump and the video and post the download link here. -- Leseratte (talk) 06:50, 29 May 2014 (UTC)

Leseratte, I think this will help you for sure. [1] --TheMetaPirate (talk) 08:55, 17 August 2014 (UTC)
Leseratte, do you hang out in some IRC server/channel? I have become interested in reverse engineering the MK8 network protocol, and I am able to record network dumps of me playing MK8. Mgrandi (talk) 20:00, 18 September 2014 (UTC)


mgrandi's research

wireshark capture + videos

The way I have these set up is that I capture the traffic using Wireshark, with a capture filter so I only get traffic that goes to/from my Wii U, to reduce clutter and file size. The packets are of course timestamped, and when recording the video I have a Unix epoch clock (seconds since 1970) visible in the video, so you can more or less match up the exact time in the Wireshark capture that something happens (within a second; I couldn't find a millisecond clock).

Filtering for time in Wireshark is strange. If you set your 'time display format' (View -> Time Display Format) to "Seconds Since Epoch", and then the precision in the same menu to milliseconds, you can see the epoch time for each of the packets. However, for filtering based on time (like greater than <some epoch date>), you can't just right-click on the time -> Apply as Filter, as that uses "time delta", which is incorrect. You have to expand the packet and go to Frame -> Arrival Time, and then you should get a display filter (if you right-click -> Apply as Filter) like this: frame.time_epoch == 1410939898.442630000. You can then use the binary operators like ==, >=, etc. to filter.

urls

In addition to the one URL that the Wii U contacts when starting Mario Kart 8 / connecting online, it seems to contact all of these URLs (some of them are just redirects to an Amazon AWS instance, it seems):

  • mii-secure.account.nintendo.net
    • 54.225.148.154 mii-secure-proxy-prod-lb-12465627.us-east-1.elb.amazonaws.com
  • 69.25.139.186 ias.wup.shop.nintendo.net
  • 111.168.21.82 nppl.app.nintendo.net
  • 202.32.117.142 nncs1.app.nintendowifi.net
  • 107.23.139.110 discovery.olv.nintendo.net
  • 192.195.204.136 account.nintendo.net
  • 202.32.117.143 nncs2.app.nintendowifi.net
  • 69.25.139.194 tagaya.wup.shop.nintendo.net
  • npvk.app.nintendo.net
    • front-p01-1453423078.us-west-2.elb.amazonaws.com
  • 69.25.139.185 ecs.wup.shop.nintendo.net
  • api-us.olv.nintendo.net

certificates

In my Wireshark capture the Wii U downloads 6 certificates, 5 of which are signed by the 6th, the Nintendo CA root certificate. Here is a zip of them (exported from a Wireshark capture), which includes:

  • account.nintendo.net
  • *.app.nintendo.net
  • *.olv.nintendo.net
  • Nintendo CA - G3 (root certificate)
  • Wii U Common Prod 1
  • *.wup.shop.nintendo.net

string encoding

It seems that the game uses utf-16-be as its string encoding, as I noticed when racing: at the beginning, my Wii U seems to send something like this to every racer I'm facing against (Mark is my Wii character's name):

000004A8  32 ab 98 64 01 00 00 00  1f de 16 5d 00 02 00 4c 2..d.... ...]...L
000004B8  00 00 00 00 01 15 44 0c  01 00 00 00 00 00 00 00 ......D. ........
000004C8  02 00 03 03 30 5f 37 36  32 30 30 33 39 5f 31 00 ....0_76 20039_1.
000004D8  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000004E8  00 00 00 00 00 4d 00 61  00 72 00 6b 00 00 00 00 .....M.a .r.k....
000004F8  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000508  00 00 00 00 04 00 00 00  19 8f 1e f8 7c b9 2b bd ........ ....|.+.
00000518  18 66 98 21 df 33 0d 73  a2 17 e1 a6             .f.!.3.s ....

<code>
>>> x = "00 4d 00 61  00 72 00 6b".replace(" ", "")
>>> x
'004d00610072006b'
>>> import binascii
>>> y = binascii.unhexlify(x)
>>> y
b'\x00M\x00a\x00r\x00k'
>>> y.decode("utf_16_be")
'Mark'
</code>

Splatoon

I'm currently working on this same problem with Splatoon. I wouldn't be surprised if this packet is also used in other Nintendo IP. This is what I have currently for the packet description. --Shragei (talk) 20:28, 3 October 2015 (UTC)

 Magic         Sub  ID   Counter  ms1     ms2     Flags   size    ???                                                                 HMAC?
[32 AB 98 64] [01] [00] [00 00]  [FF 77] [00 00] [00 01] [00 00] [00 00 03 7D 04 78 59 45 00 C0 00 00 00 00 00 00] [Payload][padding][7D F6 19 32 CF 87 E8 A6 23 D4 AB D6 15 4A 77 43]

Magic: magic marker.
Sub: Some type of subtype indicator.
ID: The ID of the target client. If the packet is a broadcast to all clients, this will be set to zero.
Counter: big-endian. If ID is zero, then the counter will be zero (broadcast?).
ms1: Local time in milliseconds, truncated to a 16-bit big-endian short.
ms2: Remote time in milliseconds, truncated to a 16-bit big-endian short. If ID is zero, then this will be zero too.
Flags: No clue what this is used for. 
Size: Length of the payload minus the overhead as big-endian.
HMAC: Used to validate and sign the packet. This used to be 128 bits but is now 96 bits.
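An added worked example, not code posted by mgrandi or Shragei and not anything taken from the games: a Python parser for the header layout Shragei gives above, run over the 124-byte packet from mgrandi's dump in the string-encoding section, plus a scanner that pulls the UTF-16-BE name and the 8-bit ID string out of the body. Field names and widths follow Shragei's table. Two things are assumptions of the example rather than statements on the page: that the size field counts the bytes between the 32-byte header and the trailing MAC field (with a 16-byte MAC, mgrandi's size field 0x4c = 76 matches that span exactly, which is why the check is built in; for the 96-bit trailer Shragei mentions, pass mac_len=12), and that strings may start at any byte offset, so the scanner slides one byte at a time instead of assuming 2-byte alignment. Note that mgrandi's packet has ID = 0 with a nonzero ms2, so the parser reports raw field values and does not enforce the ID/counter/ms2 relations.

```python
"""Parse one packet of the layout Shragei sketched and pull the strings out.

Added example for the talk page; not mgrandi's or Shragei's code.
Field names/widths follow Shragei's table. ASSUMPTIONS (not on the page):
  * 'size' counts the bytes between the 32-byte header and the trailing MAC;
  * strings may sit at any byte offset, so the scanners slide byte by byte.
The MAC is only split off; without the key it cannot be verified here.
"""
import struct
from typing import Dict, List, Tuple

MAGIC = bytes.fromhex("32ab9864")
HEADER_LEN = 32  # 4+1+1+2+2+2+2+2 fixed fields + 16 unknown bytes

# The packet mgrandi posted (Wireshark dump offsets 0x4A8..0x523), 124 bytes.
MGRANDI_PACKET = bytes.fromhex(
    "32 ab 98 64 01 00 00 00 1f de 16 5d 00 02 00 4c "
    "00 00 00 00 01 15 44 0c 01 00 00 00 00 00 00 00 "
    "02 00 03 03 30 5f 37 36 32 30 30 33 39 5f 31 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 4d 00 61 00 72 00 6b 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 04 00 00 00 19 8f 1e f8 7c b9 2b bd "
    "18 66 98 21 df 33 0d 73 a2 17 e1 a6"
)


def parse_packet(pkt: bytes, mac_len: int = 16) -> Dict[str, object]:
    """Split pkt into Shragei's header fields, the body and the trailing MAC.

    mac_len=16 is the 128-bit trailer that fits the 2014 dump; Shragei says
    the trailer is now 96 bits, so use mac_len=12 for newer captures.
    """
    if len(pkt) < HEADER_LEN + mac_len:
        raise ValueError("packet shorter than header plus MAC")
    if pkt[:4] != MAGIC:
        raise ValueError("bad magic %s" % pkt[:4].hex())
    # All multi-byte fields are big-endian, as Shragei notes.
    sub, client_id, counter, ms1, ms2, flags, size = struct.unpack_from(
        ">BBHHHHH", pkt, 4)
    body = pkt[HEADER_LEN:len(pkt) - mac_len]  # payload plus padding
    return {
        "sub": sub, "id": client_id, "counter": counter,
        "ms1": ms1, "ms2": ms2, "flags": flags, "size": size,
        "unknown": pkt[16:HEADER_LEN],
        "body": body,
        "mac": pkt[len(pkt) - mac_len:],
        # Assumption: size == bytes between header and MAC. Reported, not enforced.
        "size_matches": size == len(body),
    }


def find_utf16be_strings(data: bytes, min_chars: int = 2) -> List[Tuple[int, str]]:
    """(offset, text) for runs of 00 xx pairs where xx is printable ASCII.

    Tries every byte offset rather than assuming 2-byte alignment.
    """
    found = []
    i = 0
    while i + 1 < len(data):
        j = i
        while j + 1 < len(data) and data[j] == 0 and 0x20 <= data[j + 1] < 0x7F:
            j += 2
        if (j - i) // 2 >= min_chars:
            found.append((i, data[i:j].decode("utf_16_be")))
            i = j
        else:
            i += 1
    return found


def find_ascii_strings(data: bytes, min_chars: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for runs of printable 8-bit ASCII, e.g. the ID string."""
    found = []
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and 0x20 <= data[j] < 0x7F:
            j += 1
        if j - i >= min_chars:
            found.append((i, data[i:j].decode("ascii")))
        i = j + 1  # skip the run (or the single non-printable byte)
    return found


if __name__ == "__main__":
    p = parse_packet(MGRANDI_PACKET)
    print({k: v for k, v in p.items() if k not in ("body", "unknown", "mac")})
    print("unknown:", p["unknown"].hex())
    print("mac:    ", p["mac"].hex())
    print("utf-16-be strings:", find_utf16be_strings(p["body"]))
    print("ascii strings:    ", find_ascii_strings(p["body"]))
```

Running it on mgrandi's packet reports sub 1, ID 0, counter 0, ms1 0x1fde, ms2 0x165d, flags 2 and size 76, with the body holding "0_7620039_1" as 8-bit text and "Mark" as UTF-16-BE; the same parse with mac_len=12 leaves an 80-byte body, so the size check fails, which is one quick way to tell which trailer length a capture uses.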