Talk:MK8 Network Protocol
Searching network dumps & videos
As I do not have a WiiU, I'm searching for Mario Kart 8 network dumps. Best is to make a network dump and a video the same time so I can see what happens. If you are able to dump MK8 network data and make a video, please do so, upload the dump and the video and post the download link here. -- Leseratte (talk) 06:50, 29 May 2014 (UTC)
- Leserratte, I think this will help you for sure.  --TheMetaPirate (talk) 08:55, 17 August 2014 (UTC)
- Leserratte, do you hang out in some IRC server/channel? I hace become interested in reverse engineering the mk8 network protocol and I am able to record network dumps of me playing mk8. Mgrandi (talk) 20:00, 18 September 2014 (UTC)
wireshark capture + videos
The way i have these set up is that I capture the traffic using wireshark, and have a capture filter so i only get traffic that goes to / from my Wii U, to reduce clutter and filesize. The packets are of course timestamped, and when recording the video, i have a Unix Epoch (seconds since 1970) clock visible in the video so you can more or less match up the exact time in the wireshark capture that something happens (within a second, couldn't find a millisecond clock)
Filtering for time in wireshark is strange, If you set your 'time display format' (view -> set time display format) to "seconds since epoch", and then the precision in the same menu to be milliseconds, then you can see the epoch time for each of the packets. However filtering based on time (like greater then <some epoch date>), you can't just right click on the time -> apply as filter, as it does "time delta", which is incorrect. You have to expand the packet and go to frame -> arrival time , and then you should get a display filter (if you right click -> apply as filter) like this: frame.time_epoch == 1410939898.442630000, then you can use the binary operators like ==, and >=, etc to filter.
In addition to the one URL that the wii u contacts when starting mario kart 8 / connecting online, it seems to contact all of these urls (some of them are just redirects to an amazon AWS instance it seems)
- 188.8.131.52 mii-secure-proxy-prod-lb-12465627.us-east-1.elb.amazonaws.com
- 184.108.40.206 ias.wup.shop.nintendo.net
- 220.127.116.11 nppl.app.nintendo.net
- 18.104.22.168 nncs1.app.nintendowifi.net
- 22.214.171.124 discovery.olv.nintendo.net
- 126.96.36.199 account.nintendo.net
- 188.8.131.52 nncs2.app.nintendowifi.net
- 184.108.40.206 tagaya.wup.shop.nintendo.net
- 220.127.116.11 ecs.wup.shop.nintendo.net
In my wireshark capture the wii downloads 6 certificates, 5 of which are signed by the 6th, the nintendo CA root certificate Here is a zip of them (exported from a wiresharp capture), which includes
- Nintendo CA - G3 (root certificate)
- Wii U Common Prod 1
It seems that the game uses utf-16-be as its string encoding, as I noticed when racing, at the beginning, my wii u seems to send something like this to every racer i'm facing against: (Mark is my wii character's name )
000004A8 32 ab 98 64 01 00 00 00 1f de 16 5d 00 02 00 4c 2..d.... ...]...L 000004B8 00 00 00 00 01 15 44 0c 01 00 00 00 00 00 00 00 ......D. ........ 000004C8 02 00 03 03 30 5f 37 36 32 30 30 33 39 5f 31 00 ....0_76 20039_1. 000004D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 000004E8 00 00 00 00 00 4d 00 61 00 72 00 6b 00 00 00 00 .....M.a .r.k.... 000004F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000508 00 00 00 00 04 00 00 00 19 8f 1e f8 7c b9 2b bd ........ ....|.+. 00000518 18 66 98 21 df 33 0d 73 a2 17 e1 a6 .f.!.3.s ....
<code> >>> x="00 4d 00 61 00 72 00 6b".replace(" ", "") >>> x '004d00610072006b' >>> import binascii >>> y = binascii.unhexlify(x) b'\x00M\x00a\x00r\x00k' >>> y.decode("utf_16_be") 'Mark' </code>
I'm currently work on this same problem with Splatoon. I wouldn't be surprised if this packet is also used in other Nintendo IP. This is what I have currently for the packet description --Shragei (talk) 20:28, 3 October 2015 (UTC)
Magic Sub ID Counter ms1 ms2 Flags Slot Size [32 AB 98 64]   [00 00] [FF 77] [00 00]   [00 00] ... ??? NNID Type ??? ... [00 00 00 03] [7D 04 78 59]  [00 C0 00 00 00 00 00 00] [Payload][padding] ... HMAC? ... [7D F6 19 32 CF 87 E8 A6 23 D4 AB D6 15 4A 77 43] Magic: magic marker. Sub: Some type of subtype indicator. ID: The id of target client. If the packet is a broadcast to all clients this will be set to zero Counter: big-endian. If ID is zero then counter will be zero (broadcast?) ms1: Local time in millseconds truncated to 16bit short big-endian ms2: Remote time in millseconds truncated to 16bit short big-endian if ID is zero then this will be zero too. Flags: No clue what this is used for. Slot: The lobby slot the player is occupying. Initial connection player will start with slot 254 for some reason. Size: Length of the payload minus the overhead as big-endian. NNID: Global numerical id for user on Nintendo's network. Type: Payload type. HMAC: Used to validate and sign the packet. This used to be 128 bits but is now 96 bits.
- This Splatoon data looks exactly the same as in MK8, great! Could you give me a network dump of Splatoon (I don't have that game)?
- And maybe also tell me your NNID then I might look into the "NNID" value
- Leseratte (talk) 18:47, 19 January 2016 (UTC)
- All my network captures are to a database, so I can't provide a PCAP file. I do have quite a bit of Nintendo's networking code figured out.
- You can find it here SplatNet.
- As for the NNID, this is a some type of ID tied to a player's account.
- It is always the same between capture sessions, and no two people have the same ID.
Smash 4 (3DS)
I've been investigating Smash 3DS's network protocol a bit and I'm starting to look into the matchup protocol. It seems Smash 3DS (and probably Wii U) shares connections with nncs1.app.nintendowifi.net, nncs2.app.nintendowifi.net, and discovery.olv.nintendo.net. The only reference to discovery.olv.nintendo.net, however, is a single URL https://discovery.olv.nintendo.net/v1/endpoint. Olive is the name for Miiverse it seems though, so the prior two URLs are probably what is used directly for matchmaking. https://npdl.cdn.nintendowifi.net/p01/nsa/ and https://npvk.app.nintendo.net/reports are also referenced, but those are presumably used for BOSS in order to download content for the Conquests. --Shinyquagsire23 (talk) 03:46, 22 February 2016 (UTC)