-
Notifications
You must be signed in to change notification settings - Fork 0
Authentication Notes
Recently we made a patched version of Flipnote Studio 3D (the EU version), which can be pointed to more or less any URL that we choose.
At the time of writing we simply changed https://
to http://
in an attempt to force authentication with the usual server over plaintext. This fails, however, since it seems that Nintendo's server won't respond to non-SSL requests.
As such, we decided to guess the response on a whim, which seems to have been partially successful. EDIT: We have successfully MITMed some of their servers to learn more info.
(aka "Nintendo DSi Library" outside of Japan)
A POST request is sent with the following:
Header | Notes |
---|---|
Ugm-Token |
ServiceToken. |
Ugm-ID |
User's Flipnote Studio ID in HEX |
Ugm-ShopID |
eShop Token sent for Japanese FGW? |
Ugm-MAC |
Console MAC address in HEX |
Ugm-Region |
Region ID - list of values |
Ugm-Language |
Language Code - [list of values] (#language-code-values) |
Ugm-Country |
Country Code - list of values (on 3dbrew) |
Ugm-Time |
Console time, format YYYY/MM/DD hh:mm:ss
|
The rest of the header is a multi-part form:
Content-Type: multipart/form-data; boundary=t9Sf4yfjf1RtvDu3AA
Transfer-Encoding: chunked
96
--t9Sf4yfjf1RtvDu3AA
Content-Disposition: form-data; name="miiName"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
422
--t9Sf4yfjf1RtvDu3AA
Content-Disposition: form-data; name="miiImage"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
GIF89a@@á!˘,@@iH∞†¡É*\»∞°√á#JúH±¢≈ã3j‹»±£«è CäI≤§…ì(S™\…≤•Àó0c úI≥¶Õõ8sÍ‹…≥ßœü@É
J¥®—£Hì*] ¥©”ßP£JùJµ™’´X≥j;
18
--t9Sf4yfjf1RtvDu3AA--
0
There's two interesting things to note about this:
-
miiName
has no content whatsoever, it's blank. -
miiImage
is a completely transparent 64x64 GIF image.
We assume that these were either patched out for the EU and US releases, or they're simply placeholders because we need to fully connect to the server first. We don't know for now.
Based on some RAM dump strings that were grouped together, we tried to guess the response on a whim. We seem to have got this at least partially correct since the 3DS makes another request after this:
Header | Notes |
---|---|
Ugm-ChallengeBlob |
44-character lowercase HEX string |
Ugm-SessionID |
Unique ascii string generated by the server |
The response body can contain the HTML for your index page
After the 3DS received our response, it sent a GET request to the same URL:
Header | Notes |
---|---|
Ugm-SessionID |
Same session ID as issued by the server |
Ugm-ID |
User's Flipnote Studio ID in HEX |
Ugm-Region |
Region ID - list of values |
Ugm-Language |
Language Code - list of values |
Ugm-Country |
Country Code - list of values (on 3dbrew) |
Ugm-Version |
3-UsEu = Latest EU/US version, 3 = Latest Japanese version |
So far we haven't been able to get the 3DS to send us a session ID when it requests another page... and we have no idea why...
number | region |
---|---|
0 |
Japan |
1 |
America |
2 |
Europe |
For now we're assuming these are the same as those used on the Wii, as documented here
number | language |
---|---|
0 |
Japanese |
1 |
English |
2 |
German |
3 |
French |
4 |
Spanish |
5 |
Italian |
6 |
Dutch |
If these are incorrect, the value might instead relate to the config values referenced on 3dsbrew
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.