November 12, 2012
Yes, you read that right – Nintendo. It’s no secret that I own and use Nintendo equipment (now the source of two blogs!). What did surprise me is that during the course of some routine attacking of my home network (doesn’t everyone?) I happened across some very interesting Probe requests showing up:
Yes – that is a Probe Request that is asking for the SSID “Nintendo_3DS_continuous_scan_000”. This is particularly interesting since a) I hadn’t powered on my Nintendo 3DS in about 3 months (thank you CCNP) until last night and b) when I was done playing with it, I just closed the lid thinking it would just go quietly off into standby. Clearly that wasn’t the case so I hunted around for where I dropped it last and opened the lid. To my surprise, the Probe Requests stopped! Closed the lid and in about 10 seconds, they started again! Clearly something is going on here so I dug a little further… Inspecting the Probe Request reveals some interesting tidbits – down towards the bottom is “Vendor Specific: Nintendo”:
Further inspection of the ‘Tag interpretation: Not interpreted’ field reveals a good chunk of interesting-looking data:
After a bit of digging, I stumbled across the data I was looking for! The SSIDs being probed for are part of Nintendo’s StreetPass service, which allows ‘sleeping 3DSs’ to share data such as Mii Plaza data and data for other games that are ‘StreetPass enabled’. The fine folks over at 3dbrew spell this out quite nicely. The first byte of this (01) is the Vendor Specific OUI Type. The next byte (11) is likely Protocol Identification. The next byte (05) in this example is the length of the StreetPass services being advertised. The next 5 bytes (the length given by the previous byte), in this case 00 05 40 00 30, are the actual service being advertised – here, Super Mario 3D Land. The next two bytes (f0 08) seem to be a marker for the end of the services. Everything after that appears to be my unique StreetPass ID.
Here is another capture showing two sets of StreetPass services:
The same beginning (01 11 11) is followed by a StreetPass services length (0a, which is twice as long as 05 – someone check my math on that!). This means that there should be two StreetPass services advertised, each 5 bytes long. The next two 5-byte groups are 00 03 74 00 00 (which I believe belongs to Lego Pirates of the Caribbean) and 00 05 40 00 30 (which matches my Super Mario 3D Land example above!), then the closing bytes f0 08 and my StreetPass ID.
Here is another capture showing a single StreetPass service identified by the 3rd highlighted byte (05) and the following ID of 00 02 08 00 00. This particular StreetPass service is the Mii Plaza – basically ad-hoc twitter and IRC with goofy avatars all rolled into one!
Okay – 1 more then, I’ll stop. 🙂
Here we see the same intro (01 11) followed by 0a, which means we have 10 bytes of services (or two services). The first one (00 02 08 00 00) we’ve seen before – it’s Mii Plaza. The second one (00 03 06 00 30) this time lines up with Mario Kart 7, followed by our end-of-StreetPass-services marker (f0 08) and my StreetPass ID.
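To make the byte walk-through above repeatable, here is a small parser for the Nintendo vendor-specific element as the captures lay it out (OUI type, protocol byte, service-list length, 5-byte service IDs, f0 08 marker, trailing StreetPass ID). This is an added example, not code from the post or from 3dbrew; the sample payloads are constructed from the values quoted in the captures, and the trailing StreetPass ID bytes are a made-up placeholder since the real ID is not shown.

```python
from dataclasses import dataclass

# Service IDs the post maps to titles (hex exactly as printed in the captures).
KNOWN_SERVICES = {
    "0005400030": "Super Mario 3D Land",
    "0003740000": "Lego Pirates of the Caribbean",
    "0002080000": "Mii Plaza",
    "0003060030": "Mario Kart 7",
}

SERVICE_LEN = 5          # each advertised service is 5 bytes
END_MARKER = b"\xf0\x08"  # observed end-of-services marker


@dataclass
class StreetPassIE:
    oui_type: int
    protocol_id: int
    services: list        # hex strings, one per 5-byte service ID
    streetpass_id: bytes  # everything after the f0 08 marker

    def titles(self):
        return [KNOWN_SERVICES.get(s, f"unknown({s})") for s in self.services]


def parse_nintendo_ie(payload: bytes) -> StreetPassIE:
    """Parse the vendor-specific IE body that follows the 3-byte Nintendo OUI."""
    if len(payload) < 3 or payload[0] != 0x01:
        raise ValueError("not a Nintendo OUI type 0x01 element")
    svc_len = payload[2]
    if svc_len % SERVICE_LEN:
        raise ValueError(f"service length {svc_len} is not a multiple of {SERVICE_LEN}")
    svc_end = 3 + svc_len
    if payload[svc_end:svc_end + 2] != END_MARKER:
        raise ValueError("missing f0 08 end-of-services marker")
    svc_bytes = payload[3:svc_end]
    services = [svc_bytes[i:i + SERVICE_LEN].hex() for i in range(0, svc_len, SERVICE_LEN)]
    return StreetPassIE(payload[0], payload[1], services, payload[svc_end + 2:])


# Constructed from the two-service capture above; "deadbeef0102" is a placeholder ID.
SAMPLE_TWO_SERVICES = bytes.fromhex("01110a" "0003740000" "0005400030" "f008" "deadbeef0102")

if __name__ == "__main__":
    ie = parse_nintendo_ie(SAMPLE_TWO_SERVICES)
    print(ie.titles(), ie.streetpass_id.hex())
```

Feed it the hex bytes from the ‘Not interpreted’ tag of your own capture and the title list should match what the StreetPass Management screen shows; the parser also makes the point that a closed-lid 3DS keeps broadcasting both its game list and its StreetPass ID to anyone listening.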
If you have a Nintendo 3DS and want to see what StreetPass services you (or your children) have enabled, go to System Settings -> Data Management -> StreetPass Management. You should see a number of StreetPass services matching the StreetPass Service Length field in your packet capture. Decipher yours and let me know which ones you have!
Post script: I now understand why this thing eats batteries in ‘standby’. 🙂