arhacker Posted December 21, 2010 (edited)

The purpose of this research project is to eventually create a homebrew program for the DS and the Wii that can distribute Wondercards (Mystery Gifts) over local wireless. Below, I have included all information necessary for an individual inexperienced in researching wireless communication protocols to learn how to do so.

Pokemon distributions over local wireless use the Ni-Fi protocol. Information on the Ni-Fi protocol can be found here: http://masscat.afraid.org/ninds/proto_info.php. Independent researchers of the Ni-Fi wireless communication protocol can perform "packet captures" to capture all data transmitted by a Pokemon Distribution host.

There are two options to perform a packet capture. First, you could use a computer program called Wireshark if your computer has a Ralink RT2600 chipset-based wireless PCI card. You may download the Wireshark program here: http://www.wireshark.org/download.html. If you do not have a Ralink RT2600 chipset-based PCI card, but you would like to purchase one, a list of every wireless PCI card containing that chipset can be found here: http://ralink.rapla.net/.

If your computer does not contain a PCI card slot, your second option is to perform a packet capture by using a homebrew program on the Nintendo DS. You must have a flash cart in order to use homebrew programs on the Nintendo DS. If you do not already have a flash cart, I recommend purchasing an Action Replay DSi. The Action Replay DSi is compatible with every Nintendo DS and DSi unit running any firmware, and can be purchased at any local video game store if you do not like to purchase electronics over the internet. The homebrew program is available for download here: http://www.akkit.org/dswifi/wifi_lib_test.nds. Please be aware that this homebrew is only capable of viewing the hexadecimal data of the most recent packet that has been broadcast. Please also be aware that this homebrew is not capable of saving captured packets into a file. It is a good idea to perform your packet captures while inside a Faraday cage in order to minimize interference from other wireless devices.

Since I do not have a Ralink RT2600 chipset-based wireless PCI card, but I do have an extra Nintendo DS console, I chose to use the homebrew program to capture packets from my local wireless Pokemon Distribution. Here is my research so far:

Every packet broadcast by the DS hosting the Pokemon Distribution is exactly 188 bytes long. Every Pokemon Distribution has a pre-download header that typically is the same text as the title of the Wondercard being distributed, but can be altered to display different text. Nintendo DSs hosting Pokemon Distributions split this pre-download header into several separate payloads (one payload per packet), and continuously broadcast these payloads over and over again until a client DS responds and requests that the entire Wondercard be sent by the host DS. I do not have a third DS to use as a client DS, so I have only captured packets while the host DS is broadcasting the pre-download header payload.

Here are 4 packets that I have captured from a DS hosting the GameStop Deoxys Pokemon Distribution (I will add the rest of the payloads for this distribution when I have time). Please note that the packets below are not in chronological order, and that thousands of packets have been missed in between.
Packet Capture 1:
80 00 00 00 FF FF FF FF FF FF 00 1B EA 51 B7 9C
00 1B EA 51 B7 9C 30 C1 CC 20 E3 42 00 00 00 00
0A 00 21 00 01 02 82 84 03 01 0D 05 05 00 02 00
00 00 DD 88 00 09 BF 00 0A 00 00 00 01 00 01 00
18 03 40 00 00 00 70 00 28 00 0C 00 C5 BD 01 00
A8 03 00 00 0D 38 8D 41 BA E6 C5 C8 E2 A6 0B B3
C9 A5 9C 45 1A B2 3B 6F 6E 23 FA 5B D5 02 5C C8
AB 5F 40 4C 89 4E 22 39 6B A1 77 63 23 8C FA 09
EB A8 42 14 2C 36 4A 0D FA A8 52 1F E0 85 97 8F
0F 7A 80 26 F8 B0 47 AE 7D E2 6E 4A 1A AD 05 C3
F0 39 43 6D 85 54 3D 2B 48 B8 83 39 36 2C 3B B2
AA 96 39 B4 FD 54 7C ED E3 6F C8 06

Packet Capture 2:
80 00 00 00 FF FF FF FF FF FF 00 1B EA 51 B7 9C
00 1B EA 51 B7 9C E0 D9 7A DB A0 04 00 00 00 00
0A 00 21 00 01 02 82 84 03 01 0D 05 05 01 02 00
00 00 DD 88 00 09 BF 00 0A 00 00 00 01 00 01 00
18 03 40 00 00 00 70 00 28 00 0C 00 C5 BD 00 00
A8 03 00 00 A2 0D 67 8C C1 A8 C7 62 7A BA 87 29
12 D0 0A 83 AB E7 43 CA 32 D2 DC 1E 10 77 55 F0
EA 80 28 5B ED EE F8 DB C8 0D 02 E0 BF A7 76 64
68 1A 60 C4 48 E4 C6 CF 61 04 88 C7 34 AB A7 8A
50 A4 C9 45 CF 71 0F 24 BA 6B 66 D0 7D 62 0C A3
7F F4 FE 46 69 35 46 55 C3 05 04 D3 79 17 CA 83
8C 3D A0 10 58 74 7C F4 4B 8C 83 7E

Packet Capture 3:
80 00 00 00 FF FF FF FF FF FF 00 1B EA 51 B7 9C
00 1B EA 51 B7 9C A0 E2 0D BF B6 04 00 00 00 00
0A 00 21 00 01 02 82 84 03 01 0D 05 05 01 02 00
00 00 DD 88 00 09 BF 00 0A 00 00 00 01 00 01 00
18 03 40 00 00 00 70 00 28 00 0C 00 C5 BD 04 00
A8 03 00 00 20 52 2E E0 8F 0E BF 3A 81 E6 FD 58
CA 06 36 C3 44 26 3D D9 98 5C BE 96 8B EC 4C 10
25 24 E2 E5 92 AE 4E 5A BD 33 93 A8 0F 54 5C 9E
6D B8 53 1D 12 1B 36 68 5F 96 8C 5F 49 6E 0F 9B
EA 7C 79 C0 F5 AD D4 25 BF 47 69 DD 7C C3 69 12
A8 11 5A E4 A4 F1 8B D4 F4 89 4F 85 BA 61 B9 59
FC EF 41 D4 35 48 70 5E ED 4E 81 24

Packet Capture 4:
80 00 00 00 FF FF FF FF FF FF 00 1B EA 51 B7 9C
00 1B EA 51 B7 9C 80 BB CC E8 54 54 00 00 00 00
0A 00 21 00 01 02 82 84 03 01 0D 05 05 01 02 00
00 00 DD 88 00 09 BF 00 0A 00 00 00 01 00 01 00
18 03 40 00 00 00 70 00 28 00 0C 00 C5 BD 06 00
A8 03 00 00 6B 04 4A ED 3C 9F 25 1D 45 92 49 94
47 D5 0D B2 5B 10 5C A6 99 80 E7 9B 44 6B 4B 43
58 27 5F AB 57 3F BE 1E 59 25 53 75 43 C1 E3 A9
E4 31 8B EF 3C FC DE DD A8 BA 17 B3 FE 11 B0 26
59 56 C1 61 24 E2 5B D1 32 C5 7A 06 0C AE 10 3E
05 22 AB B7 13 2A A7 D1 4C 59 12 43 04 F8 6B D7
BB 7F 07 DA 10 08 C3 6E B0 46 FA 96

The following offsets and info apply to all of the above packets.

0x0A - 0x0F: the host DS's MAC address
0x10 - 0x15: the host DS's MAC address again
0x1C - 0x1F: possibly random due to an incrementing time stamp
0x2A: this byte is the Wi-Fi channel that the host is broadcasting on (the byte 0D converted to decimal notation equals channel 13)
0x34 - 0x36: this is the "Nintendo Parameter", which is a vendor ID number used instead of an SSID
0x40 - 0x43: this is the English GGID that tells the client what region games the Pokemon Distribution is for

Please post your own research findings or questions in this thread.

Edited December 23, 2010 by arhacker
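As an added example (not code from arhacker's post or the homebrew he links), here is a small Python parser that reads Packet Capture 1 above against the standard 802.11 beacon layout, pulls out the fields in the offset list, and checks that the tag/length elements account for exactly 188 bytes. The field names, the little-endian reading of the GGID, and treating everything after the fixed vendor fields as the pre-download header chunk are my assumptions.

```python
# Added example, not code from the thread. Offsets follow the standard 802.11 beacon
# layout: 24-byte header, 8-byte timestamp, interval, capability, then tag/len/value
# elements, of which 0xDD is the vendor-specific element (OUI first).
import struct

# Packet Capture 1 from the post, copied byte for byte (fromhex ignores spaces).
CAPTURE_1 = bytes.fromhex(
    "80 00 00 00 FF FF FF FF FF FF 00 1B EA 51 B7 9C "
    "00 1B EA 51 B7 9C 30 C1 CC 20 E3 42 00 00 00 00 "
    "0A 00 21 00 01 02 82 84 03 01 0D 05 05 00 02 00 "
    "00 00 DD 88 00 09 BF 00 0A 00 00 00 01 00 01 00 "
    "18 03 40 00 00 00 70 00 28 00 0C 00 C5 BD 01 00 "
    "A8 03 00 00 0D 38 8D 41 BA E6 C5 C8 E2 A6 0B B3 "
    "C9 A5 9C 45 1A B2 3B 6F 6E 23 FA 5B D5 02 5C C8 "
    "AB 5F 40 4C 89 4E 22 39 6B A1 77 63 23 8C FA 09 "
    "EB A8 42 14 2C 36 4A 0D FA A8 52 1F E0 85 97 8F "
    "0F 7A 80 26 F8 B0 47 AE 7D E2 6E 4A 1A AD 05 C3 "
    "F0 39 43 6D 85 54 3D 2B 48 B8 83 39 36 2C 3B B2 "
    "AA 96 39 B4 FD 54 7C ED E3 6F C8 06"
)

def tagged_elements(frame, start=0x24):
    """Walk tag/len/value elements; reject a frame whose lengths don't add up."""
    out, pos = [], start
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):
            raise ValueError(f"element 0x{tag:02X} at 0x{pos:02X} overruns the frame")
        out.append((tag, frame[pos + 2:pos + 2 + length]))
        pos += 2 + length
    if pos != len(frame):
        raise ValueError("dangling byte after the last element")
    return out

def parse_distribution_beacon(frame):
    if len(frame) != 188 or frame[0] != 0x80:  # 0x80 = management type, beacon subtype
        raise ValueError("not a 188-byte beacon frame")
    vendor = [v for t, v in tagged_elements(frame) if t == 0xDD]
    if len(vendor) != 1 or vendor[0][:3] != bytes.fromhex("0009BF"):
        raise ValueError("Nintendo vendor element missing")
    return {
        "host_mac": frame[0x0A:0x10].hex(":").upper(),
        "bssid": frame[0x10:0x16].hex(":").upper(),        # same MAC again, as noted
        "timestamp": struct.unpack_from("<Q", frame, 0x18)[0],
        "channel": frame[0x2A],                             # 0x0D = channel 13
        "nintendo_param": frame[0x34:0x37].hex().upper(),   # 0009BF
        "ggid": struct.unpack_from("<I", frame, 0x40)[0],   # assumed little-endian
        "payload": frame[0x54:],                            # pre-download header chunk
    }
```

The element walk is what makes the 188-byte figure checkable: the vendor element at 0x32 declares a length of 0x88, and 0x34 + 0x88 lands exactly on the end of the frame.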
Poryhack Posted December 21, 2010

I've got what should be a compatible PCI card, and now that I'm back home for break I can finally put it in a desktop machine and try it out.