more research

author: lonkaars <loek@pipeframe.xyz> 2024-05-01 17:14:22 +0200
committer: lonkaars <loek@pipeframe.xyz> 2024-05-01 17:14:22 +0200
commit: 7c402c347b46f908eefefb6a957bf92100061951 (patch)
tree: 09cf919ddc3065fe2df06e456c59eb16e66aaaff /docs/notes.md
parent: bee4b8c09ff3a3720855266a2c417e262c082441 (diff)
1 files changed, 60 insertions, 9 deletions
diff --git a/docs/notes.md b/docs/notes.md
index 657383e..10c2608 100644
--- a/docs/notes.md
+++ b/docs/notes.md
@@ -90,9 +90,9 @@ source: <https://git.pipeframe.xyz/fork/melonDS>
 
   ![](../assets/ws-no-encrypt.png)
 
-  the string `lork` is visible as plain text in the hexdump (offset 0x0056), which appears to
-  be some kind of 16-bit encoding of the username set on the emulator used to
-  capture these packets
+  the string `lork` is visible as plain text in the hexdump (offset 0x0056),
+  which appears to be some kind of 16-bit encoding of the username set on the
+  emulator used to capture these packets
 - The messages are not sent as single packets. The nifi protocol appears to set
   up a constant stream, and messages are sent across multiple frames.
 - PictoChat does not appear to send messages when you are in a chat room by
@@ -103,11 +103,11 @@ source: <https://git.pipeframe.xyz/fork/melonDS>
 
 - PictoChat automatically crops messages to the smallest height (at the fixed
   intervals shown as notebook lines in the edit field on the bottom screen).
-  Message content can be on the line itself without causing the cropping
-  algorithm to 'allocate' more space; the allocation only happens if any of the
-  pixels on the line *below* the colored line are used. The method used to crop
-  the messages also ensures that the username label in the top left does not
-  obstruct or remove any content.
+  Message content can be on the notebook line itself without causing the
+  cropping algorithm to 'allocate' more space; the allocation only happens if
+  any of the pixels on the line *below* the colored line are used. The method
+  used to crop the messages also ensures that the username label in the top
+  left does not obstruct or remove any content.
 
   ![](../assets/pictochat-msg-height-1-4.png)
   ![](../assets/pictochat-msg-height-5-draw.png)
@@ -121,7 +121,8 @@ source: <https://git.pipeframe.xyz/fork/melonDS>
     notebook line is colored in as well
   - Send message (displayed as top message)
   - Copy message
-  - Erase small portion of black area on the right side (displayed as bottom message)
+  - Erase small portion of black area on the right side (displayed as bottom
+    message)
   
   Notable observations:
   - The message content has a 1 pixel border (padding/margin) on all sides
@@ -133,6 +134,7 @@ source: <https://git.pipeframe.xyz/fork/melonDS>
     screen become visible again in the edit field. This includes the bottom row
     of pixels, as well as the two rows of pixels shown in the single line
     message picture.
+  - The drawable area (including obstructed top-left corner) is 228x80 pixels
 
 ### Message content
 
@@ -148,6 +150,55 @@ source: <https://git.pipeframe.xyz/fork/melonDS>
   random 32-bit value at offset 0x0046.
 - The message content (suspected bitmap-like format) appears to be sent
   unencrypted (patterns of 0x0 and 0x1 nibbles clearly visible in hexdump).
+- 0x004d - 0x00ec appears to be used to send the actual message content:
+
+  ![](../assets/pictochat-msg-crop-lork2.png)
+  ![](../assets/ws-msg-fill-top.png)
+  ![](../assets/ws-msg-fill-mid.png)
+  ![](../assets/ws-msg-fill-bot.png)
+
+  (excerpts from the start, middle and end frames of a completely filled
+  message)
+- The completely filled message also shows an interesting pattern at the end,
+  hinting at a slightly odd image codec
+
+#### Analysis
+
+![](../assets/ws-msg-fill-mid.png)
+
+|offset|type|description|
+|-|-|-|
+|0x0000|`u32`|NIFI: Magic (0x4e494649)|
+|0x0004|`u32`|NIFI: SenderID (melonDS InstanceID)|
+|0x0008|`u32`|NIFI: Type|
+|0x000c|`u32`|NIFI: Length (after NIFI header)|
+|0x0010|`u64`|NIFI: Timestamp|
+|
+|0x0018|`u16`|PictoChat: 0|
+|0x001a|`u16`|PictoChat: (Resend???) (2=New, 0=Resend)|<!-- I assume u16 because the next byte is always 0x00 -->
+|0x0028|`u8[6]`|PictoChat: multiplayer CMD MAC (melonDS Wifi::MPCmdMAC)|
+|0x002e|`u8[6]`|PictoChat: sender MAC|
+|0x0034|`u8[6]`|PictoChat: sender MAC (again)|
+|0x004d|`u8[0xa0]`|PictoChat: Message data (encoding unknown)|
+|0x00ed|`u16`|PictoChat: (random???)|
+|0x00f0|`u8[6]`|PictoChat: (mac/id???)|
+
+### Fiddling
+
+After editing melonDS source code to corrupt the local multiplayer message
+buffer in known content locations before sending the message to the FIFO
+buffer:
+
+![](../assets/pictochat-msg-corrupt-lork.png)
+![](../assets/pictochat-msg-corrupt-lork2.png)
+
+This shows a few important details:
+
+- Messages are not limited to the apparent 228x80 size (there is also message
+  content behind the username label in the above screenshots, but the username
+  label is on a different graphics layer)
+- The ordering of pixels in the messages is not reading order
+- Message content is not checked or validated in any way
 
 ## Unsure/notes
author	lonkaars <loek@pipeframe.xyz>	2024-05-01 17:14:22 +0200
committer	lonkaars <loek@pipeframe.xyz>	2024-05-01 17:14:22 +0200
commit	7c402c347b46f908eefefb6a957bf92100061951 (patch)
tree	09cf919ddc3065fe2df06e456c59eb16e66aaaff /docs/notes.md
parent	bee4b8c09ff3a3720855266a2c417e262c082441 (diff)