
Authentication Notes

Billy Humphreys edited this page May 26, 2017 · 10 revisions

Recently we made a patched version of Flipnote Studio 3D (the EU version), which can be pointed to more or less any URL that we choose.

At the time of writing we simply changed https:// to http:// in an attempt to force authentication with the usual server over plaintext. This fails, however, since it seems that Nintendo's server won't respond to non-SSL requests.

As such, we decided to guess the response on a whim, which seems to have been partially successful. EDIT: We have successfully MITMed some of their servers to learn more info.

Flipnote Gallery World

(aka "Nintendo DSi Library" outside of Japan)

User Auth

Initial connection to the FGW server:

A POST request is sent with the following:

| Header | Notes |
|---|---|
| Ugm-Token | ServiceToken. |
| Ugm-ID | User's Flipnote Studio ID in HEX |
| Ugm-ShopID | eShop Token sent for Japanese FGW? |
| Ugm-MAC | Console MAC address in HEX |
| Ugm-Region | Region ID - list of values |
| Ugm-Language | Language Code - list of values (see Language Code Values) |
| Ugm-Country | Country Code - list of values (on 3dbrew) |
| Ugm-Time | Console time, format YYYY/MM/DD hh:mm:ss |

The rest of the request is a multipart form, sent with chunked transfer encoding:

Content-Type: multipart/form-data; boundary=t9Sf4yfjf1RtvDu3AA
Transfer-Encoding: chunked

96
--t9Sf4yfjf1RtvDu3AA
Content-Disposition: form-data; name="miiName"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary



422
--t9Sf4yfjf1RtvDu3AA
Content-Disposition: form-data; name="miiImage"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

GIF89a... (binary image data omitted)

18
--t9Sf4yfjf1RtvDu3AA--

0

There are two interesting things to note about this:

  • miiName has no content whatsoever; it is blank.
  • miiImage is a completely transparent 64x64 GIF image.

We assume that these were either patched out for the EU and US releases, or they're simply placeholders because we need to fully connect to the server first. We don't know for now.

Response:

Based on some RAM dump strings that were grouped together, we tried to guess the response on a whim. We seem to have got this at least partially correct since the 3DS makes another request after this:

| Header | Notes |
|---|---|
| Ugm-ChallengeBlob | 44-character lowercase HEX string |
| Ugm-SessionID | Unique ASCII string generated by the server |

The response body can contain the HTML for your index page.

Second request

After the 3DS received our response, it sent a GET request to the same URL:

| Header | Notes |
|---|---|
| Ugm-SessionID | Same session ID as issued by the server |
| Ugm-ID | User's Flipnote Studio ID in HEX |
| Ugm-Region | Region ID - list of values |
| Ugm-Language | Language Code - list of values |
| Ugm-Country | Country Code - list of values (on 3dbrew) |
| Ugm-Version | 3-UsEu = Latest EU/US version, 3 = Latest Japanese version |
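As an added example (not part of the original notes or the project's own code), the following Python shows how a test server could check the Ugm-* headers of the initial POST against the formats listed above, build the guessed response headers, and match the session ID on the follow-up GET. The 12-digit MAC format, the random contents of Ugm-ChallengeBlob and Ugm-SessionID, and all function names and sample values are assumptions.

```python
import re
import secrets
from datetime import datetime

HEX = re.compile(r"[0-9A-Fa-f]+")
REGIONS = {"0": "Japan", "1": "America", "2": "Europe"}  # Region ID table on this page
REQUIRED = ("Ugm-Token", "Ugm-ID", "Ugm-MAC", "Ugm-Region",
            "Ugm-Language", "Ugm-Country", "Ugm-Time")

def validate_first_request(headers):
    """Return a list of problems found in the initial POST's Ugm-* headers."""
    problems = [f"missing {name}" for name in REQUIRED if name not in headers]
    for name in ("Ugm-ID", "Ugm-MAC"):
        if name in headers and not HEX.fullmatch(headers[name]):
            problems.append(f"{name} is not hex")
    # Assumption: the MAC is 6 bytes sent as 12 hex digits without separators.
    mac = headers.get("Ugm-MAC", "")
    if HEX.fullmatch(mac) and len(mac) != 12:
        problems.append("Ugm-MAC is not 12 hex digits")
    if "Ugm-Region" in headers and headers["Ugm-Region"] not in REGIONS:
        problems.append("Ugm-Region not in 0..2")
    if "Ugm-Time" in headers:
        try:
            datetime.strptime(headers["Ugm-Time"], "%Y/%m/%d %H:%M:%S")
        except ValueError:
            problems.append("Ugm-Time is not YYYY/MM/DD hh:mm:ss")
    return problems

def build_auth_response():
    """Headers for the guessed response; the values are random placeholders."""
    return {
        "Ugm-ChallengeBlob": secrets.token_hex(22),  # 22 bytes -> 44 lowercase hex chars
        "Ugm-SessionID": secrets.token_urlsafe(16),  # ASCII and unpredictable
    }

def second_request_ok(headers, issued_session_id):
    """True if the follow-up GET carries the session ID the server issued."""
    sent = headers.get("Ugm-SessionID", "")
    return secrets.compare_digest(sent.encode(), issued_session_id.encode())

# Constructed sample request; every value below is made up for illustration.
SAMPLE = {
    "Ugm-Token": "constructed-service-token", "Ugm-ID": "0123456789ABCDEF",
    "Ugm-MAC": "001122AABBCC", "Ugm-Region": "2", "Ugm-Language": "1",
    "Ugm-Country": "110", "Ugm-Time": "2017/05/26 12:34:56",
}
```

A request without Ugm-SessionID fails `second_request_ok`, which is the situation described under "Something is wrong" below.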

Notes

Something is wrong

So far we haven't been able to get the 3DS to send us a session ID when it requests another page... and we have no idea why...

Region ID Values

| number | region |
|---|---|
| 0 | Japan |
| 1 | America |
| 2 | Europe |

Language Code Values

For now we're assuming these are the same as those used on the Wii, as documented here

| number | language |
|---|---|
| 0 | Japanese |
| 1 | English |
| 2 | German |
| 3 | French |
| 4 | Spanish |
| 5 | Italian |
| 6 | Dutch |

If these are incorrect, the value might instead relate to the config values referenced on 3dbrew.