diff options
author | lonkaars <loek@pipeframe.xyz> | 2024-05-01 12:43:26 +0200 |
---|---|---|
committer | lonkaars <loek@pipeframe.xyz> | 2024-05-01 12:43:26 +0200 |
commit | bee4b8c09ff3a3720855266a2c417e262c082441 (patch) | |
tree | 799151bc38583bee85e2c3b1d4ec6fa860404302 /docs | |
parent | cc28773b03a5ac1c2a8529c9d170f30b9b778d07 (diff) |
more notes + WIP wireshark pictochat dissector (brokey)
Diffstat (limited to 'docs')
-rw-r--r-- | docs/notes.md | 69 |
1 files changed, 67 insertions, 2 deletions
diff --git a/docs/notes.md b/docs/notes.md index 21eef78..657383e 100644 --- a/docs/notes.md +++ b/docs/notes.md @@ -81,16 +81,81 @@ sufficiently advanced local multiplayer emulation. source: <https://git.pipeframe.xyz/fork/melonDS> -### Findings - - melonDS @ Config > Wifi settings "Local multiplayer features do not use the same network protocols as online play" - comment @ src/Wifi.cpp:46 "multiplayer host TX sequence" - references to `RFTransfer_Type{2,3}` @ <https://www.problemkaputt.de/gbatek.htm#dswifirfchip> - nintendo ds ni-fi protocol @ <https://web.archive.org/web/20090202194241/http://masscat.afraid.org/ninds/proto_info.php> - melonDS emulates actual 802.11b frames - the protocol does not appear to be encrypted: + ![](../assets/ws-no-encrypt.png) + the string `lork` is visible as plain text in the hexdump (offset 0x0056), which appears to be some kind of 16-bit encoding of the username set on the emulator used to capture these packets +- The messages are not sent as single packets. The nifi protocol appears to set + up a constant stream, and messages are sent across multiple frames. +- PictoChat does not appear to send messages when you are in a chat room by + yourself, so local multiplayer / nifi emulation is required for capturing + message content + +### Message sizing/cropping + +- PictoChat automatically crops messages to the smallest height (at the fixed + intervals shown as notebook lines in the edit field on the bottom screen). + Message content can be on the line itself without causing the cropping + algorithm to 'allocate' more space; the allocation only happens if any of the + pixels on the line *below* the colored line are used. The method used to crop + the messages also ensures that the username label in the top left does not + obstruct or remove any content. + + ![](../assets/pictochat-msg-height-1-4.png) + ![](../assets/pictochat-msg-height-5-draw.png) +- Message content is likely only cropped when displaying + + ![](../assets/pictochat-msg-crop.png) + ![](../assets/pictochat-msg-crop-lork2.png) + + The above image was obtained after the following steps: + - Fill in the top row of the message with the black pen, ensuring the entire + notebook line is colored in as well + - Send message (displayed as top message) + - Copy message + - Erase small portion of black area on the right side (displayed as bottom message) + + Notable observations: + - The message content has a 1 pixel border (padding/margin) on all sides + (except the bottom and corners) that can not be filled in. The bottom + border is correctly displayed for received messages, but the edit field has + an additional row of pixels that directly touch the message border on the + bottom. + - When any message is cloned, additional pixels that were masked on the top + screen become visible again in the edit field. This includes the bottom row + of pixels, as well as the two rows of pixels shown in the single line + message picture. + +### Message content + +![](../assets/pictochat-msg-pattern.png) +![](../assets/ws-msg-pattern.png) + +- All messages with interesting content have NIFI header type 1 (CMD). +- PictoChat messages appear to be sent over frames of length 0xf6 (246) + regardless of actual message size. +- All frames appear to be sent exactly 5 times. 'New' frames have a value of + 0xe004 at offset 0x0026, while resends have a value of 0xf000 instead. +- There are a lot of messages with length 0xaa (170), these appear to include a + random 32-bit value at offset 0x0046. +- The message content (suspected bitmap-like format) appears to be sent + unencrypted (patterns of 0x0 and 0x1 nibbles clearly visible in hexdump). + +## Unsure/notes + +- Is the endianness of the DS properly emulated? +- Is the NIFI magic value also present in physical frames or is this something + MelonDS did? +- The DS implemented WEP(?) encryption for connecting to home network + routers/APs, but is this encryption also used when the WiFi module is used in + local multiplayer mode? Does this even matter inside the emulator? + |