LDN services: Difference between revisions

(15 intermediate revisions by the same user not shown)

Line 286:

Unlike CreateNetworkPrivate, this overwrites the channel field in the [[#NetworkConfig]]. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is true, the output from [[Settings_services|GetLdnChannel]] will overwrite that field if the s32 setting value is >=0, otherwise the original value is used. Otherwise when the IsDevelopment field is false (retail), the channel is overwritten with value 0.

This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail) ([?+] [[System_Settings|system-setting]] <code>ldn!enable_static_security_mode_configuration</code> is checked for being true instead), value 1 is used ([?+] value from [[System_Settings|system-setting]] <code>ldn!static_security_mode</code> is used, with fallback to value 1 if the setting is >=0x4), otherwise the original value is used.

This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail) ([18.0.0+] [[System_Settings|system-setting]] <code>ldn!enable_static_security_mode_configuration</code> is checked for being true instead), value 1 is used ([18.0.0+] value from [[System_Settings|system-setting]] <code>ldn!static_security_mode</code> is used, with fallback to value 1 if the setting is >=0x4), otherwise the original value is used.

[[#GetState|State]] must be 2, this cmd eventually sets the State to value 3.

Line 350:

This is identical to [[#ConnectPrivate]] (besides the below), except the data internally passed for [[#SecurityParameter]]/[[#NetworkConfig]] are loaded from the input [[#NetworkInfo]].

[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the used value is: original_field == 0 ? {u16 [[#NetworkInfo]]+0x60} : original_field. [?+] This now uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]].

[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the used value is: original_field == 0 ? {u16 [[#NetworkInfo]]+0x60} : original_field. [18.0.0+] This now uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]].

u32 LocalCommunicationVersion>>15 must be 0.

Line 359:

See [[#Connect]].

[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the original value is used. [?+] This now uses the same SecurityMode override as [[#Connect|Connect]].

[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the original value is used. [18.0.0+] This now uses the same SecurityMode override as [[#Connect|Connect]].

=== Disconnect ===

Line 419:

=== SendActionFrame ===

Takes a type-0x21 input buffer, two input [[#MacAddress]], two input s16s ('''Band''' and '''ChannelNumber''') and an input [[#MessageFlagSet]]. No output.

[20.0.0+] The input s16s were replaced with a single u16, which has the same format as [[#SetHomeChannel|SetHomeChannel]].

The first [[#MacAddress]] is the destination, the second [[#MacAddress]] is the Bssid.

The ChannelNumber must be non-zero.

[[#State|State]] must be 3-4 (AccessPointCreated/Station).

~~On NX this sends~~ a ~~raw action frame with the~~ input ~~buffer as the data?~~

=== RecvActionFrame ===

Takes a type-0x22 output buffer and an input [[#MessageFlagSet]]. Returns two output [[#MacAddress]], two output s16s ('''Band''' and '''ChannelNumber'''), an output u32 '''Size''', and an output s32 '''LinkLevel'''.

~~=== RecvActionFrame ===~~

[20.0.0+] The output s16s were replaced with a single u16, which has the same format as [[#SetHomeChannel|SetHomeChannel]].

~~Takes a type-0x22 output buffer and an input~~ [~~[#MessageFlagSet]~~]~~. Returns an~~ output ~~u32 '''Size'''~~, ~~two output~~ [[#~~MacAddress~~]]~~, two output s16s ('''Band''' and '''ChannelNumber''') and an output s32 '''LinkLevel'''~~.

[[#EnableActionFrame|EnableActionFrame]] must be used prior to this.

Line 432:

Line 438:

Takes two input s16s '''Band''' and '''ChannelNumber'''. No output.

[20.0.0+] Now takes a ~~total of~~ 2-~~bytes of~~ input ~~instead of 4-bytes~~.

[20.0.0+] Now takes an input u16 instead of two s16s, merging the two params. Bitmask 0x3FF (low 10-bits) is the ChannelNumber, while the remaining upper 6-bits is the Band. The Band is used as an array index to load the actual Band for passing to a func. Only the following Band input is valid, others return 0x0/0xFFFF: 2 - > 2400, 5 -> 5000, 6 -> 6000.

On NX Band must be ([20.0.0+] converted Band from the above array) 50 ([20.0.0+] 5000) or 24 ([20.0.0+] 2400).

The ChannelNumber must be non-zero.

The [[#State|State]] must be Station.

sdknso uses the input channel to convert to the input needed by the cmd.

=== SetTxPower ===

Takes an input s16 '''Power'''. No output.

The input must be 0x0..0xFF.

A state field must be non-zero.

The [[#State|State]] must be 2-5 (AccessPoint*/Station*).

=== ResetTxPower ===

No input/output.

The same state field checked by [[#SetTxPower|SetTxPower]] must be non-zero. The [[#State|State]] check is also the same as [[#SetTxPower|SetTxPower]].

== IClientProcessMonitor ==

Line 975:

Line 997:

| 0xC || 0x21 || UserName

|-

| 0x2D || 0x1 || [?+] Platform? (0 = NX, 1 = Ounce)

| 0x2D || 0x1 || [19.0.0+] Platform? (0 = NX, 1 = Ounce)

|-

| 0x2E || 0x2 || LocalCommunicationVersion

Line 1,412:

Line 1,434:

| 0x3C || 0x2 || SecurityMode

|-

| 0x3E || 0x2 || PassphraseSize

| 0x3E || 0x2 || PassphraseSize (Must be 0x10-0x40)

|-

| 0x40 || 0x40 || Passphrase

|}

SecurityMode must be 1-2. The same SecurityMode override functionality from elsewhere is used later with this.

The same LocalCommunicationId override/validation from elsewhere is used with the input as well.

= MessageFlagSet =

Line 1,430:

Line 1,456:

| 0 ||

|}

[[#SendActionFrame|SendActionFrame]]/[[#RecvActionFrame|RecvActionFrame]] handles bit0 the same way as the MessageFlag with lp2p [[#SendToOtherGroup|SendToOtherGroup]]/[[#RecvFromOtherGroup|RecvFromOtherGroup]].

= MacAddress =

Line 1,611:

Line 1,639:

| 0x4 || 0x1 || [6.0.0+] High u8 for the size.

|-

| 0x5 || 0x1 || [?+] AuthEncryptionType, must match the type being used by the [[#Protocol|Protocol]]. 0 = plaintext ([[#Protocol|Protocol]] NX), 1 = AES-128-GCM ([[#Protocol|Protocol]] 3).

| 0x5 || 0x1 || [20.0.0+] AuthEncryptionType, must match the type being used by the [[#Protocol|Protocol]]. 0 = plaintext ([[#Protocol|Protocol]] NX), 1 = AES-128-GCM ([[#Protocol|Protocol]] 3).

|-

| 0x6 || 0x2 || Unused, zeros.

Line 1,653:

Line 1,681:

| 0x20 || 0x2 || Big-endian LocalCommunicationVersion. Byte-swapped by the AccessPoint then copied into state. [?+] This is now ignored.

|-

| 0x22 || 0x1 || [?+] [[#NodeInfo|NodeInfo]] +0x2D. Copied into state by the AccessPoint. On NX the Station always sets this to 0 in the sent payload-data.

| 0x22 || 0x1 || [19.0.0+] [[#NodeInfo|NodeInfo]] +0x2D. Copied into state by the AccessPoint. On NX the Station always sets this to 0 in the sent payload-data.

|-

| 0x23 || 0x1D || Zeros, unused by the AccessPoint.

Line 1,670:

Line 1,698:

! Description

|-

| 0x0 || ~~0x40~~ || Zeros. [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.

| 0x0 || 0x1 ||

|-

| 0x1 || 0x3F || Zeros. [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.

|-

| 0x40 || 0x44 || [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.

Line 1,692:

Line 1,722:

| 3 || [6.0.0+]

|-

| 4 || ?

| 4 || [19.0.0+]

|}

Line 1,729:

Line 1,759:

| 0x20 || 0x1 || [[#AuthVersion]]. Copied to [[#NetworkInfo]]+0x63. When comparing with a previous frame is enabled, this must match the value from the previous frame.

|-

| 0x21 || 0x1 || Encryption type: 1 = plaintext, 2 = AES-128-CTR, 3 = AES-128-GCM, {frames with other values are ignored by [[#Scan]]/[[#ScanPrivate]]}. Must match the type which is currently being used: with [[#Scan]]/[[#ScanPrivate]] this is determined via this field, otherwise [[#SecurityConfig]] is used to determine this.

| 0x21 || 0x1 || Encryption type: 1 = plaintext, 2 = AES-128-CTR, [20.0.0+] 3 = AES-128-GCM, {frames with other values are ignored by [[#Scan]]/[[#ScanPrivate]]}. Must match the type which is currently being used: with [[#Scan]]/[[#ScanPrivate]] this is determined via this field, otherwise [[#SecurityConfig]] is used to determine this.

|-

| 0x22 || 0x2 || Big-endian u16 size for the data starting at +0x48 (+0x38 with EncryptionType3), and must match {total frame size relative to +0x0 above} - {header_size}.

Line 1,743:

Line 1,773:

When encryption is enabled, the encrypted data is at +0x28 (+0x38 with EncryptionType3) with size {remaining frame size}. The key is derived from the raw 0x20-bytes at +0x0. The CTR/IV is {raw Counter above without byte-swap}, with the rest cleared to zeros. The AAD for AES-128-GCM is at +0x0 size 0x28-bytes.

Originally [[#Scan]]/[[#ScanPrivate]] used the EncryptionType field to determine encryption handling. With [18.0.0+] these now set an internal SecurityMode field to 0 (Any) initially, then later uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]]. The internal SecurityMode field is used to determine encryption handling: Any uses the EncryptionType field like before. With non-zero the encryption handling is determined as required by the SecurityMode.

The content data at +{above_header_size} follows, which has the size specified above (which must be >=0x500 with EncryptionType1-2), where all fields are big-endian. For EncryptionType1-2:

Line 1,828:

Line 1,860:

| 0xA || 0x1 || bool IsConnected

|-

| 0xB || 0x1 || [?+] [[#NodeInfo|NodeInfo]] +0x2D

| 0xB || 0x1 || [19.0.0+] [[#NodeInfo|NodeInfo]] +0x2D

|-

| 0xC || 0x20 || First 0x20-bytes of [[#UserConfig]].

Line 1,857:

Line 1,889:

| 0x2C || 0x4 || Unused

|}

=== ActionFrame2 ===

The Action frames used by [[#SendActionFrame|SendActionFrame]]/[[#RecvActionFrame|RecvActionFrame]] have the following structure:

* "Fixed parameters":

** "Category code: Vendor Specific (127)"

** "OUI: 00:22:aa (Nintendo Co., Ltd.)"

* The Data starts with the following header:

{| class="wikitable" border="1"

|-

! Offset

! Size

! Description

|-

| 0x0 || 0x2 || 04 00

|-

| 0x2 || 0x2 || Protocol ID, must match big-endian 0x0102.

|-

| 0x4 || 0x2 || 00 00

|-

| 0x6 || 0x2 || 00 00

|}

Then the actual data follows (all fields big-endian):

{| class="wikitable" border="1"

|-

! Offset

! Size

! Description

|-

| 0x0 || 0x1 || [[#AuthVersion]]

|-

| 0x1 || 0x1 || EncryptionType, must match the expected type for the current SecurityMode. 1 = plaintext, 2 = AES-128-GCM.

|-

| 0x2 || 0x2 || Padding

|-

| 0x4 || 0x4 || Counter

|-

| 0x8 || 0x8 || LocalCommunicationId

|-

| 0x10 || 0x10 || Used with key derivation.

|-

| 0x20 || 0x10 || EncryptionType2: AES-128-GCM MAC tag.

|-

| 0x30 || Remaining frame size || Data payload

|}

The 0xC-byte IV for AES-128-GCM is the raw 4-bytes from the above Counter, with the rest cleared to zeroes. The encrypted data is at +0x30, with the remaining frame size. The AAD is the 0x20-bytes at +0x0.

The key is derived similar to the regular action-frame key (same KeySource), except: the Generation is always [[17.0.0|0x11]], with the following data for hashing: {big-endian LocalCommunicationId} {+0x10 size 0x10-bytes} {[[#ActionFrameSettings]] Passphrase with the specified PassphraseSize}.

== lp2p ==

@@ Line 286: / Line 286: @@
 Unlike CreateNetworkPrivate, this overwrites the channel field in the [[#NetworkConfig]]. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is true, the output from [[Settings_services|GetLdnChannel]] will overwrite that field if the s32 setting value is >=0, otherwise the original value is used. Otherwise when the IsDevelopment field is false (retail), the channel is overwritten with value 0.
-This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail) ([?+] [[System_Settings|system-setting]] <code>ldn!enable_static_security_mode_configuration</code> is checked for being true instead), value 1 is used ([?+] value from [[System_Settings|system-setting]] <code>ldn!static_security_mode</code> is used, with fallback to value 1 if the setting is >=0x4), otherwise the original value is used.
+This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail) ([18.0.0+] [[System_Settings|system-setting]] <code>ldn!enable_static_security_mode_configuration</code> is checked for being true instead), value 1 is used ([18.0.0+] value from [[System_Settings|system-setting]] <code>ldn!static_security_mode</code> is used, with fallback to value 1 if the setting is >=0x4), otherwise the original value is used.
 [[#GetState|State]] must be 2, this cmd eventually sets the State to value 3.
@@ Line 350: / Line 350: @@
 This is identical to [[#ConnectPrivate]] (besides the below), except the data internally passed for [[#SecurityParameter]]/[[#NetworkConfig]] are loaded from the input [[#NetworkInfo]].
-[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the used value is: original_field == 0 ? {u16 [[#NetworkInfo]]+0x60} : original_field. [?+] This now uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]].
+[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the used value is: original_field == 0 ? {u16 [[#NetworkInfo]]+0x60} : original_field. [18.0.0+] This now uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]].
 u32 LocalCommunicationVersion>>15 must be 0.
@@ Line 359: / Line 359: @@
 See [[#Connect]].
-[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the original value is used. [?+] This now uses the same SecurityMode override as [[#Connect|Connect]].
+[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the original value is used. [18.0.0+] This now uses the same SecurityMode override as [[#Connect|Connect]].
 === Disconnect ===
@@ Line 419: / Line 419: @@
 === SendActionFrame ===
 Takes a type-0x21 input buffer, two input [[#MacAddress]], two input s16s ('''Band''' and '''ChannelNumber''') and an input [[#MessageFlagSet]]. No output.
+[20.0.0+] The input s16s were replaced with a single u16, which has the same format as [[#SetHomeChannel|SetHomeChannel]].
+The first [[#MacAddress]] is the destination, the second [[#MacAddress]] is the Bssid.
+The ChannelNumber must be non-zero.
 [[#State|State]] must be 3-4 (AccessPointCreated/Station).
-On NX this sends a raw action frame with the input buffer as the data?
+=== RecvActionFrame ===
+Takes a type-0x22 output buffer and an input [[#MessageFlagSet]]. Returns two output [[#MacAddress]], two output s16s ('''Band''' and '''ChannelNumber'''), an output u32 '''Size''', and an output s32 '''LinkLevel'''.
-=== RecvActionFrame ===
+[20.0.0+] The output s16s were replaced with a single u16, which has the same format as [[#SetHomeChannel|SetHomeChannel]].
-Takes a type-0x22 output buffer and an input [[#MessageFlagSet]]. Returns an output u32 '''Size''', two output [[#MacAddress]], two output s16s ('''Band''' and '''ChannelNumber''') and an output s32 '''LinkLevel'''.
 [[#EnableActionFrame|EnableActionFrame]] must be used prior to this.
@@ Line 432: / Line 438: @@
 Takes two input s16s '''Band''' and '''ChannelNumber'''. No output.
-[20.0.0+] Now takes a total of 2-bytes of input instead of 4-bytes.
+[20.0.0+] Now takes an input u16 instead of two s16s, merging the two params. Bitmask 0x3FF (low 10-bits) is the ChannelNumber, while the remaining upper 6-bits is the Band. The Band is used as an array index to load the actual Band for passing to a func. Only the following Band input is valid, others return 0x0/0xFFFF: 2 - > 2400, 5 -> 5000, 6 -> 6000.
+On NX Band must be ([20.0.0+] converted Band from the above array) 50 ([20.0.0+] 5000) or 24 ([20.0.0+] 2400).
+The ChannelNumber must be non-zero.
+The [[#State|State]] must be Station.
+sdknso uses the input channel to convert to the input needed by the cmd.
 === SetTxPower ===
 Takes an input s16 '''Power'''. No output.
+The input must be 0x0..0xFF.
+A state field must be non-zero.
+The [[#State|State]] must be 2-5 (AccessPoint*/Station*).
 === ResetTxPower ===
 No input/output.
+The same state field checked by [[#SetTxPower|SetTxPower]] must be non-zero. The [[#State|State]] check is also the same as [[#SetTxPower|SetTxPower]].
 == IClientProcessMonitor ==
@@ Line 975: / Line 997: @@
 | 0xC || 0x21 || UserName
 |-
-| 0x2D || 0x1 || [?+] Platform? (0 = NX, 1 = Ounce)
+| 0x2D || 0x1 || [19.0.0+] Platform? (0 = NX, 1 = Ounce)
 |-
 | 0x2E || 0x2 || LocalCommunicationVersion
@@ Line 1,412: / Line 1,434: @@
 | 0x3C || 0x2 || SecurityMode
 |-
-| 0x3E || 0x2 || PassphraseSize
+| 0x3E || 0x2 || PassphraseSize (Must be 0x10-0x40)
 |-
 | 0x40 || 0x40 || Passphrase
 |}
+SecurityMode must be 1-2. The same SecurityMode override functionality from elsewhere is used later with this.
+The same LocalCommunicationId override/validation from elsewhere is used with the input as well.
 = MessageFlagSet =
@@ Line 1,430: / Line 1,456: @@
 | 0 ||
 |}
+[[#SendActionFrame|SendActionFrame]]/[[#RecvActionFrame|RecvActionFrame]] handles bit0 the same way as the MessageFlag with lp2p [[#SendToOtherGroup|SendToOtherGroup]]/[[#RecvFromOtherGroup|RecvFromOtherGroup]].
 = MacAddress =
@@ Line 1,611: / Line 1,639: @@
 | 0x4 || 0x1 || [6.0.0+] High u8 for the size.
 |-
-| 0x5 || 0x1 || [?+] AuthEncryptionType, must match the type being used by the [[#Protocol|Protocol]]. 0 = plaintext ([[#Protocol|Protocol]] NX), 1 = AES-128-GCM ([[#Protocol|Protocol]] 3).
+| 0x5 || 0x1 || [20.0.0+] AuthEncryptionType, must match the type being used by the [[#Protocol|Protocol]]. 0 = plaintext ([[#Protocol|Protocol]] NX), 1 = AES-128-GCM ([[#Protocol|Protocol]] 3).
 |-
 | 0x6 || 0x2 || Unused, zeros.
@@ Line 1,653: / Line 1,681: @@
 | 0x20 || 0x2 || Big-endian LocalCommunicationVersion. Byte-swapped by the AccessPoint then copied into state. [?+] This is now ignored.
 |-
-| 0x22 || 0x1 || [?+] [[#NodeInfo|NodeInfo]] +0x2D. Copied into state by the AccessPoint. On NX the Station always sets this to 0 in the sent payload-data.
+| 0x22 || 0x1 || [19.0.0+] [[#NodeInfo|NodeInfo]] +0x2D. Copied into state by the AccessPoint. On NX the Station always sets this to 0 in the sent payload-data.
 |-
 | 0x23 || 0x1D || Zeros, unused by the AccessPoint.
@@ Line 1,670: / Line 1,698: @@
 ! Description
 |-
-| 0x0 || 0x40 || Zeros. [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.
+| 0x0 || 0x1 ||
+|-
+| 0x1 || 0x3F || Zeros. [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.
 |-
 | 0x40 || 0x44 || [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.
@@ Line 1,692: / Line 1,722: @@
 | 3 || [6.0.0+]
 |-
-| 4 || ?
+| 4 || [19.0.0+]
 |}
@@ Line 1,729: / Line 1,759: @@
 | 0x20 || 0x1 || [[#AuthVersion]]. Copied to [[#NetworkInfo]]+0x63. When comparing with a previous frame is enabled, this must match the value from the previous frame.
 |-
-| 0x21 || 0x1 || Encryption type: 1 = plaintext, 2 = AES-128-CTR, 3 = AES-128-GCM, {frames with other values are ignored by [[#Scan]]/[[#ScanPrivate]]}. Must match the type which is currently being used: with [[#Scan]]/[[#ScanPrivate]] this is determined via this field, otherwise [[#SecurityConfig]] is used to determine this.
+| 0x21 || 0x1 || Encryption type: 1 = plaintext, 2 = AES-128-CTR, [20.0.0+] 3 = AES-128-GCM, {frames with other values are ignored by [[#Scan]]/[[#ScanPrivate]]}. Must match the type which is currently being used: with [[#Scan]]/[[#ScanPrivate]] this is determined via this field, otherwise [[#SecurityConfig]] is used to determine this.
 |-
 | 0x22 || 0x2 || Big-endian u16 size for the data starting at +0x48 (+0x38 with EncryptionType3), and must match {total frame size relative to +0x0 above} - {header_size}.
@@ Line 1,743: / Line 1,773: @@
 When encryption is enabled, the encrypted data is at +0x28 (+0x38 with EncryptionType3) with size {remaining frame size}. The key is derived from the raw 0x20-bytes at +0x0. The CTR/IV is {raw Counter above without byte-swap}, with the rest cleared to zeros. The AAD for AES-128-GCM is at +0x0 size 0x28-bytes.
+Originally [[#Scan]]/[[#ScanPrivate]] used the EncryptionType field to determine encryption handling. With [18.0.0+] these now set an internal SecurityMode field to 0 (Any) initially, then later uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]]. The internal SecurityMode field is used to determine encryption handling: Any uses the EncryptionType field like before. With non-zero the encryption handling is determined as required by the SecurityMode.
 The content data at +{above_header_size} follows, which has the size specified above (which must be >=0x500 with EncryptionType1-2), where all fields are big-endian. For EncryptionType1-2:
@@ Line 1,828: / Line 1,860: @@
 | 0xA || 0x1 || bool IsConnected
 |-
-| 0xB || 0x1 || [?+] [[#NodeInfo|NodeInfo]] +0x2D
+| 0xB || 0x1 || [19.0.0+] [[#NodeInfo|NodeInfo]] +0x2D
 |-
 | 0xC || 0x20 || First 0x20-bytes of [[#UserConfig]].
@@ Line 1,857: / Line 1,889: @@
 | 0x2C || 0x4 || Unused
 |}
+=== ActionFrame2 ===
+The Action frames used by [[#SendActionFrame|SendActionFrame]]/[[#RecvActionFrame|RecvActionFrame]] have the following structure:
+* "Fixed parameters":
+** "Category code: Vendor Specific (127)"
+** "OUI: 00:22:aa (Nintendo Co., Ltd.)"
+* The Data starts with the following header:
+{| class="wikitable" border="1"
+|-
+! Offset
+! Size
+! Description
+|-
+| 0x0 || 0x2 || 04 00
+|-
+| 0x2 || 0x2 || Protocol ID, must match big-endian 0x0102.
+|-
+| 0x4 || 0x2 || 00 00
+|-
+| 0x6 || 0x2 || 00 00
+|}
+Then the actual data follows (all fields big-endian):
+{| class="wikitable" border="1"
+|-
+! Offset
+! Size
+! Description
+|-
+| 0x0 || 0x1 || [[#AuthVersion]]
+|-
+| 0x1 || 0x1 || EncryptionType, must match the expected type for the current SecurityMode. 1 = plaintext, 2 = AES-128-GCM.
+|-
+| 0x2 || 0x2 || Padding
+|-
+| 0x4 || 0x4 || Counter
+|-
+| 0x8 || 0x8 || LocalCommunicationId
+|-
+| 0x10 || 0x10 || Used with key derivation.
+|-
+| 0x20 || 0x10 || EncryptionType2: AES-128-GCM MAC tag.
+|-
+| 0x30 || Remaining frame size || Data payload
+|}
+The 0xC-byte IV for AES-128-GCM is the raw 4-bytes from the above Counter, with the rest cleared to zeroes. The encrypted data is at +0x30, with the remaining frame size. The AAD is the 0x20-bytes at +0x0.
+The key is derived similar to the regular action-frame key (same KeySource), except: the Generation is always [[17.0.0|0x11]], with the following data for hashing: {big-endian LocalCommunicationId} {+0x10 size 0x10-bytes} {[[#ActionFrameSettings]] Passphrase with the specified PassphraseSize}.
 == lp2p ==