From cc28773b03a5ac1c2a8529c9d170f30b9b778d07 Mon Sep 17 00:00:00 2001 From: lonkaars Date: Tue, 30 Apr 2024 16:32:18 +0200 Subject: more fiddling (found plain text!) --- assets/melon_1714483602.pcap | Bin 0 -> 636492 bytes assets/ws-no-encrypt.png | Bin 0 -> 167536 bytes docs/notes.md | 6 ++++++ wireshark/nifi-dissect.lua | 32 -------------------------------- wireshark/nifi.lua | 40 ++++++++++++++++++++++++++++++++++++++++ wireshark/wireshark | 4 ++-- 6 files changed, 48 insertions(+), 34 deletions(-) create mode 100644 assets/melon_1714483602.pcap create mode 100644 assets/ws-no-encrypt.png delete mode 100644 wireshark/nifi-dissect.lua create mode 100644 wireshark/nifi.lua diff --git a/assets/melon_1714483602.pcap b/assets/melon_1714483602.pcap new file mode 100644 index 0000000..5fa4d29 Binary files /dev/null and b/assets/melon_1714483602.pcap differ diff --git a/assets/ws-no-encrypt.png b/assets/ws-no-encrypt.png new file mode 100644 index 0000000..fb0c0d8 Binary files /dev/null and b/assets/ws-no-encrypt.png differ diff --git a/docs/notes.md b/docs/notes.md index 6043bfa..21eef78 100644 --- a/docs/notes.md +++ b/docs/notes.md @@ -87,4 +87,10 @@ source: - comment @ src/Wifi.cpp:46 "multiplayer host TX sequence" - references to `RFTransfer_Type{2,3}` @ - nintendo ds ni-fi protocol @ +- melonDS emulates actual 802.11b frames +- the protocol does not appear to be encrypted: + ![](../assets/ws-no-encrypt.png) + the string `lork` is visible as plain text in the hexdump (offset 0x0056), which appears to + be some kind of 16-bit encoding of the username set on the emulator used to + capture these packets diff --git a/wireshark/nifi-dissect.lua b/wireshark/nifi-dissect.lua deleted file mode 100644 index 98520e5..0000000 --- a/wireshark/nifi-dissect.lua +++ /dev/null 
@@ -1,32 +0,0 @@
-proto = Proto("NIFI", "Nintendo DS ni-fi")
-
-MAGIC = ProtoField.uint32("nifi.magic", "Magic", base.HEX)
-SENDERID = ProtoField.int32("nifi.senderid", "SenderID", base.DEC)
-TYPE = ProtoField.uint32("nifi.type", "Type", base.DEC)
-LENGTH = ProtoField.uint32("nifi.length", "Length", base.DEC)
-TIMESTAMP = ProtoField.uint64("nifi.timestamp", "Timestamp", base.DEC)
-
-proto.fields = {
- MAGIC,
- SENDERID,
- TYPE,
- LENGTH,
- TIMESTAMP,
-}
-
-function proto.dissector(buffer, pinfo, tree)
- -- check magic ("NIFI")
- if buffer(0, 4):uint() ~= 0x4e494649 then return end
-
- pinfo.cols.protocol = proto.name
-
- local subtree = tree:add(proto, buffer(), "Ni-Fi data")
-
- subtree:add(MAGIC, buffer(0, 4))
- subtree:add_le(SENDERID, buffer(4, 4))
- pinfo.cols.src = tostring(buffer(4, 4):le_int())
- subtree:add_le(TYPE, buffer(8, 4))
- subtree:add_le(LENGTH, buffer(12, 4))
- subtree:add_le(TIMESTAMP, buffer(16, 8))
-end
-
diff --git a/wireshark/nifi.lua b/wireshark/nifi.lua
new file mode 100644
index 0000000..d81ff31
--- /dev/null
+++ b/wireshark/nifi.lua
@@ -0,0 +1,40 @@
+-- NOTE: my system is little-endian, so the .pcap files and this decoder expect
+-- little endian
+
+local nifi = Proto("nifi", "Nintendo DS ni-fi")
+nifi.fields.magic = ProtoField.uint32("nifi.magic", "Magic", base.HEX)
+nifi.fields.senderid = ProtoField.int32("nifi.senderid", "SenderID", base.DEC)
+nifi.fields.type = ProtoField.new("Type", "nifi.type", ftypes.UINT32)
+nifi.fields.type_enum = ProtoField.uint16("nifi.type.enum", "Numeric message type enum", base.DEC, {
+ [0] = "Regular",
+ [1] = "CMD",
+ [2] = "Reply",
+ [3] = "ACK",
+})
+nifi.fields.type_aid = ProtoField.uint16("nifi.type.aid", "Message type \"aid\" value")
+nifi.fields.length = ProtoField.uint32("nifi.length", "Length", base.DEC)
+nifi.fields.timestamp = ProtoField.uint64("nifi.timestamp", "Timestamp", base.DEC)
+
+local nifi_senderid_field = Field.new("nifi.senderid")
+local nifi_type_enum_field = Field.new("nifi.type.enum")
+
+function nifi.dissector(buffer, pinfo, tree)
+ -- check magic ("NIFI")
+ if buffer(0, 4):uint() ~= 0x4e494649 then return end
+ local nifi_tree = tree:add(nifi, buffer(), "Ni-Fi data")
+ nifi_tree:add(nifi.fields.magic, buffer(0, 4))
+
+ nifi_tree:add_le(nifi.fields.senderid, buffer(4, 4))
+
+ local nifi_type_tree = nifi_tree:add_le(nifi.fields.type, buffer(8, 4))
+ nifi_type_tree:add_le(nifi.fields.type_enum, buffer(8, 2))
+ nifi_type_tree:add_le(nifi.fields.type_aid, buffer(10, 2))
+
+ nifi_tree:add_le(nifi.fields.length, buffer(12, 4))
+ nifi_tree:add_le(nifi.fields.timestamp, buffer(16, 8))
+
+ pinfo.cols.protocol = nifi.name
+ pinfo.cols.src = nifi_senderid_field().display
+ pinfo.cols.info = "type:" .. nifi_type_enum_field().display
+end
+
diff --git a/wireshark/wireshark b/wireshark/wireshark
index b871ea3..42c37a5 100755
--- a/wireshark/wireshark
+++ b/wireshark/wireshark
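Review bot: `nifi.dissector` reads `buffer(0, 4)` for the magic check and then fixed ranges up to offset 24 without first checking how many bytes were captured. A capture file is untrusted input, so a truncated or unrelated frame arriving on DLT_USER0 will most likely surface as a Lua range error rather than being skipped cleanly. Guard the top of the function with `if buffer:len() < 24 then return end`, placed before the magic comparison. A short comment above it, such as `-- fixed header: magic(4) senderid(4) type(4) length(4) timestamp(8)`, would show where the 24 comes from. With that guard, every path that reaches the `Field.new` extractors at the end has already added the fields they read.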
@@ -1,5 +1,5 @@ #!/bin/sh -# simple wrapper to load nifi-dissect script as DLT_USER0 dissecter +# simple wrapper to load nifi.lua script as DLT_USER0 dissecter here="$(dirname "$0")" -exec wireshark -X "lua_script:$here/nifi-dissect.lua" -o 'uat:user_dlts:"User 0 (DLT=147)","nifi","","","",""' "$@" +exec wireshark -X "lua_script:$here/nifi.lua" -o 'uat:user_dlts:"User 0 (DLT=147)","nifi","","","",""' "$@" -- cgit v1.2.3