Authentication Notes
Recently we made a patched version of Flipnote Studio 3D (the EU version), which can be pointed to more or less any URL that we choose.
At the time of writing we simply changed https:// to http:// in an attempt to force authentication with the usual server over plaintext. This fails, however, since it seems that Nintendo's server won't respond to non-SSL requests.
As such, we decided to guess the response on a whim, which seems to have been partially successful.
(aka "Nintendo DSi Library" outside of Japan)
A POST request is sent with the following:
| Header | Notes |
|---|---|
| `Ugm-Token` | Likely to be an NNID auth token(?) |
| `Ugm-ID` | User's Flipnote Studio ID in HEX |
| `Ugm-ShopID` | Blank, perhaps because the app wasn't released on the EU/US eShop? |
| `Ugm-MAC` | Console MAC address in HEX |
| `Ugm-Region` | Region ID, values here |
| `Ugm-Language` | 1 = English, not sure about other values |
| `Ugm-Country` | Country ID, 110 = UK, not sure about other values |
| `Ugm-Time` | Console time, format `YYYY/MM/DD hh:mm:ss` |
The rest of the header (at least, I think it's the header, I can't really tell where it ends from the dump I'm looking at) is more or less the same as this:
```
Content-Type: multipart/form-data; boundary=t9Sf4yfjf1RtvDu3AA
Transfer-Encoding: chunked

96
--t9Sf4yfjf1RtvDu3AA
Content-Disposition: form-data; name="miiName"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

422
--t9Sf4yfjf1RtvDu3AA
Content-Disposition: form-data; name="miiImage"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

GIF89a@@á!˘,@@iH∞†¡É*\»∞°√á#JúH±¢≈ã3j‹»±£«è CäI≤§…ì(S™\…≤•Àó0c úI≥¶Õõ8sÍ‹…≥ßœü@É
J¥®—£Hì*] ¥©”ßP£JùJµ™’´X≥j;
18
--t9Sf4yfjf1RtvDu3AA--
0
```
There are two interesting things to note about this:

- `miiName` has no content whatsoever, it's blank.
- `miiImage` is a completely transparent 64x64 GIF image.
We assume that these were either patched out for the EU and US releases, or they're simply placeholders because we need to fully connect to the server first. We don't know for now.
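The bare `96`, `422`, `18` and `0` lines in the dump are hexadecimal chunk sizes from `Transfer-Encoding: chunked`, so the HTTP headers end before the first of them and everything after is the multipart body. The sketch below is an added example, not part of the original notes or the app's code: it de-chunks and splits a body built with the capture's boundary and field names. The sample body is constructed and all helper names are hypothetical.

```python
import struct

BOUNDARY = b"t9Sf4yfjf1RtvDu3AA"  # boundary from the captured Content-Type header

def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body: hex size line, data, CRLF, repeated until size 0."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # sizes are hex: "96" is 150 bytes
        if size == 0:
            return bytes(out)
        start = eol + 2
        if body[start + size:start + size + 2] != b"\r\n":
            raise ValueError("chunk is not terminated by CRLF")
        out += body[start:start + size]
        pos = start + size + 2

def parse_parts(payload: bytes, boundary: bytes) -> dict:
    """Map each form field name to its raw content bytes."""
    parts = {}
    for seg in payload.split(b"--" + boundary)[1:]:
        if seg.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, _, content = seg.partition(b"\r\n\r\n")
        name = head.split(b'name="')[1].split(b'"')[0].decode()
        parts[name] = content[:-2]  # drop the CRLF that precedes the next delimiter
    return parts

def gif_size(data: bytes):
    """Return (width, height) from the GIF logical screen descriptor."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    return struct.unpack("<HH", data[6:10])

def chunk(data: bytes) -> bytes:  # hypothetical helper: frame one chunk
    return b"%x\r\n%s\r\n" % (len(data), data)

def part(name: bytes, content: bytes) -> bytes:  # hypothetical helper: one form part
    return (b"--" + BOUNDARY + b"\r\nContent-Disposition: form-data; name=\"" + name +
            b"\"\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Transfer-Encoding: binary\r\n\r\n" + content + b"\r\n")

# Constructed sample: GIF signature and 64x64 size fields only, not the captured image.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 64, 64) + b"\x00\x00\x00;"
SAMPLE_BODY = (chunk(part(b"miiName", b"")) + chunk(part(b"miiImage", SAMPLE_GIF)) +
               chunk(b"--" + BOUNDARY + b"--\r\n") + b"0\r\n\r\n")
FIELDS = parse_parts(dechunk(SAMPLE_BODY), BOUNDARY)
```

Running the same functions over the raw bytes of a real capture (not a text copy, which loses the NUL bytes in the GIF) gives the field contents directly.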
Based on some RAM dump strings that were grouped together, we tried to guess the response on a whim. We seem to have got this at least partially correct since the 3DS makes another request after this:
| Header | Notes |
|---|---|
| `Ugm-ChallengeBlob` | 44-character lowercase HEX string |
| `Ugm-SessionID` | Unique ascii string generated by the server |
After the 3DS received our response, it sent a GET request to the same URL:
| Header | Notes |
|---|---|
| `Ugm-SessionID` | Same session ID as issued by the server |
| `Ugm-ID` | User's Flipnote Studio ID in HEX |
| `Ugm-Region` | Region ID, values here |
| `Ugm-Language` | 1 = English, not sure about other values |
| `Ugm-Country` | Country ID, 110 = UK, not sure about other values |
| `Ugm-Version` | 3-UsEu = Latest EU version |
The app uses several custom HTTP headers. Some of them haven't been seen in use yet, but they exist in the ROM:
| Header | Usage |
|---|---|
| `Ugm-SessionID` | Unique session ID, probably issued by the server |
| `Ugm-Version` | Flipnote Studio 3D version; latest JPN version is 1.3.1 |
| `Ugm-ShopID` | Unsure |
| `Ugm-Time` | Console time |
| `Ugm-ChallengeBlob` | Auth challenge sent from the server? |
| `Ugm-Token` | NNID token |
| `Ugm-Region` | Region ID |
| `Ugm-Language` | Language ID |
| `Ugm-Country` | Country ID |
| `Ugm-ID` | User's Flipnote Studio ID |
| `Ugm-MAC` | Console MAC address |
| number | region |
|---|---|
| 0 | Japan |
| 1 | America |
| 2 | Europe |
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
