LDN services: Difference between revisions

From Nintendo Switch Brew
Jump to navigation Jump to search
 
(57 intermediate revisions by 2 users not shown)
Line 1: Line 1:
LDN handles all local network communication.
LDN handles all local network communication.
There's 2 IPC handler threads for all ldn:* services.


= ldn:m =
= ldn:m =
This is "nn::ldn::detail::IMonitorServiceCreator".
This is "nn::ldn::detail::IMonitorServiceCreator".
This has IPC max_sessions 5.
[20.2.0+] This has max_sessions 6.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 84: Line 90:
= ldn:s =
= ldn:s =
This is "nn::ldn::detail::ISystemServiceCreator".
This is "nn::ldn::detail::ISystemServiceCreator".
This has IPC max_sessions 5.
[18.0.0+] The sdknso uses SessionManager with this, where the additional session-count is 0x3.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 97: Line 107:
No input. Returns an [[#ISystemLocalCommunicationService]].
No input. Returns an [[#ISystemLocalCommunicationService]].


The user-process closes the ISystemServiceCreator object immediately after using this cmd. Official sw ignores errors from this cmd.
The user-process closes the ISystemServiceCreator object once finished with it during initialization. Official sw ignores errors from this cmd.


== CreateClientProcessMonitor ==
== CreateClientProcessMonitor ==
Line 175: Line 185:
| 404 || [19.0.0+] [[#InitializeWithPriority|InitializeWithPriority]]
| 404 || [19.0.0+] [[#InitializeWithPriority|InitializeWithPriority]]
|-
|-
| 500 || [18.0.0+] EnableActionFrame
| 500 || [18.0.0+] [[#EnableActionFrame|EnableActionFrame]]
|-
|-
| 501 || [18.0.0+] DisableActionFrame
| 501 || [18.0.0+] [[#DisableActionFrame|DisableActionFrame]]
|-
|-
| 502 || [18.0.0+] SendActionFrame
| 502 || [18.0.0+] [[#SendActionFrame|SendActionFrame]]
|-
|-
| 503 || [18.0.0+] RecvActionFrame
| 503 || [18.0.0+] [[#RecvActionFrame|RecvActionFrame]]
|-
|-
| 505 || [18.0.0+] [[#SetHomeChannel|SetHomeChannel]]
| 505 || [18.0.0+] [[#SetHomeChannel|SetHomeChannel]]
|-
|-
| 600 || [18.0.0+] SetTxPower
| 600 || [18.0.0+] [[#SetTxPower|SetTxPower]]
|-
|-
| 601 || [18.0.0+] ResetTxPower
| 601 || [18.0.0+] [[#ResetTxPower|ResetTxPower]]
|}
|}


Line 257: Line 267:
This cmd was implemented with [20.0.0+], prior to that this just returned an error.
This cmd was implemented with [20.0.0+], prior to that this just returned an error.


The sdk user-process func will pass value 1 to the cmd when the input [[#Protocol|Protocol]] is 0/1, 3 is passed directly if specified, otherwise Abort.
The sdk user-process func will pass value 1 to the cmd when the input [[#Protocol|Protocol]] is 0/1, 3 is passed directly if specified, otherwise Abort. User-processes use SetProtocol immediately after initializing ldn.
 
[20.0.0+] The ldn initialization functionality in sdknso also uses this with value 1 (NX) eventually after the init cmd was used successfully.


The input is validated, then a vfunc is called.
The input is validated, then a vfunc is called.
Line 267: Line 279:
The vfunc sends a message to another thread with the input u32 as the param, and returns the response from that.
The vfunc sends a message to another thread with the input u32 as the param, and returns the response from that.


The thread msg-queue-handler (besides other validation) uses the input param to select what values to write to state fields. Only input value 1 or 3 is allowed, with an error being thrown otherwise.
The thread msg-queue-handler (besides other validation) uses the input param to select what values to write to state fields. Only input value 1 or 3 is allowed, with an error being thrown otherwise. The previously mentioned validation includes verifying that [[#GetState|State]] is Initialized.


=== OpenAccessPoint ===
=== OpenAccessPoint ===
Line 286: Line 298:
Unlike CreateNetworkPrivate, this overwrites the channel field in the [[#NetworkConfig]]. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is true, the output from [[Settings_services|GetLdnChannel]] will overwrite that field if the s32 setting value is >=0, otherwise the original value is used. Otherwise when the IsDevelopment field is false (retail), the channel is overwritten with value 0.
Unlike CreateNetworkPrivate, this overwrites the channel field in the [[#NetworkConfig]]. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is true, the output from [[Settings_services|GetLdnChannel]] will overwrite that field if the s32 setting value is >=0, otherwise the original value is used. Otherwise when the IsDevelopment field is false (retail), the channel is overwritten with value 0.


This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the original value is used.
This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail) ([18.0.0+] [[System_Settings|system-setting]] <code>ldn!enable_static_security_mode_configuration</code> is checked for being true instead), value 1 is used ([18.0.0+] value from [[System_Settings|system-setting]] <code>ldn!static_security_mode</code> is used, with fallback to value 1 if the setting is >=0x4), otherwise the original value is used.


[[#GetState|State]] must be 2, this cmd eventually sets the State to value 3.
[[#GetState|State]] must be 2, this cmd eventually sets the State to value 3.
Line 350: Line 362:
This is identical to [[#ConnectPrivate]] (besides the below), except the data internally passed for [[#SecurityParameter]]/[[#NetworkConfig]] are loaded from the input [[#NetworkInfo]].
This is identical to [[#ConnectPrivate]] (besides the below), except the data internally passed for [[#SecurityParameter]]/[[#NetworkConfig]] are loaded from the input [[#NetworkInfo]].


This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the used value is: original_field == 0 ? {u16 [[#NetworkInfo]]+0x60} : original_field.
[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the used value is: original_field == 0 ? {u16 [[#NetworkInfo]]+0x60} : original_field. [18.0.0+] This now uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]].


u32 LocalCommunicationVersion>>15 must be 0.
u32 LocalCommunicationVersion>>15 must be 0.
Line 359: Line 371:
See [[#Connect]].
See [[#Connect]].


This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the original value is used.
[1.0.0-?] This overwrites the u16 field at [[#SecurityConfig]]+0. When the cached [[SPL_services#IsDevelopment|IsDevelopment]] value is false (retail), value 1 is used, otherwise the original value is used. [18.0.0+] This now uses the same SecurityMode override as [[#Connect|Connect]].


=== Disconnect ===
=== Disconnect ===
Line 371: Line 383:
This is used immediately after object creation.
This is used immediately after object creation.


With [7.0.0+] [[#InitializeWithVersion|InitializeWithVersion]] is used instead.
On old sysvers the cmd impl for User/System are identical, except different params are used for the funcs called internally.
 
With [7.0.0+] [[#InitializeWithVersion|InitializeWithVersion]] is used instead. The cmd impl for Initialize uses [[#InitializeWithVersion|InitializeWithVersion]] with version=0.


=== Finalize ===
=== Finalize ===
Line 390: Line 404:


=== InitializeWithVersion ===
=== InitializeWithVersion ===
Takes an input PID, an u32, and an u64 pid_placeholder.
Takes an input PID, a s32 version, and an u64 pid_placeholder.


Official sw uses hard-coded value 0x1 for the u32.
The priority is determined by whether the interface is User/System: System = 0x38, User = 0x5A.


The input u32 is ignored, the impl for this cmd is identical to [[#Initialize_2|Initialize]].
It then calls the init func, with the cmd input params and the above priority, returning the Result on failure.


Internally this calls a func with params: (..., PID, &{u16 value 0x38}). On success, this then calls another func (which sets two state fields to the input) with params: (state, 0) (these state fields are used during [[#Authentication]] to check which service is being used).
On newer sysvers this then adds an entry for the state array used by [[#RegisterClient|RegisterClient]].


The first func uses various [[Network_Interface_services|nifm]] funcs. The input value is used to determine the value for [[Network_Interface_services#CreateRequest|nn::nifm::RequestParameters]]: essentially, value 0x4 is used for ldn:u, and value 0x8 is used for ldn:s. The input value is also copied into state.
Lastly the input PID and version are written into state, then this returns.


[[#GetState|State]] must be 0, this cmd eventually sets the State to value 1.
The init func does the following:
* The PID must be non-zero, and the version must not be negative. The priority must be 0x5A or 0x38.
* An error is returned if state fields are invalid.
* The input PID and version are written into state (a state field is also set to interface == User).
* Lastly, a vfunc is called with the input priority, returning the Result from that.


=== InitializeWithPriority ===
The vfunc does the following:
Takes an input PID, an u32, an u32, and an u64 pid_placeholder.
* On newer sysvers, this uses [[Shared_Database_services|pl:s]] RequestApplicationFunctionAuthorizationByProcessId with the input PID and [[Shared_Database_services|ApplicationFunctionAuthorizationId]] = 2 (SecureLdnLocalCommunication), returning the Result on failure.
* Then a message is sent to a msg-queue with the input priority.


This is similar to [[#InitializeWithVersion|InitializeWithVersion]], with the additional cmd input u32 now being passed directly to the init func which is called here.
The handler for the above message does the following:
* When state is already initialized, runs handling for that. An error is also thrown if the input priority is larger than a state field.
* Initializes state, etc.
* Various [[Network_Interface_services|nifm]] funcs are eventually used. The input priority is used to determine the value for [[Network_Interface_services#CreateRequest|nn::nifm::RequestParameters]]: value 0x4 or value 0x8 is used, depending on priority > 0x59.
** Newer versions also handle ldn lan_emulation [[System_Settings|sys-settings]] here. For the above value, when lan_emulation is enabled it uses value 0x17, with 0x18 additionally used for priority <= 0x59.
* The rest is state init, including setting [[#State|State]] to value 1. Then 0 is returned.


=== SetHomeChannel ===
On old sysvers the cmd impl for User/System are identical, except different params are used for the funcs called internally. With newer sysvers the cmd impl is now identical.
[20.0.0+] Now takes a total of 2-bytes of input instead of 4-bytes.


== IClientProcessMonitor ==
Version values passed by official sw:
This is "nn::ldn::detail::IClientProcessMonitor".
 
This was added with [18.0.0+].


{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Cmd || Name
! Value || SystemVersion
|-
|-
| 0 || RegisterClient
| 0x1 || [7.0.0+]
|}
 
= ldn:u =
This is "nn::ldn::detail::IUserServiceCreator".
 
{| class="wikitable" border="1"
|-
|-
! Cmd || Name
| 0x2 || [18.0.0+]
|-
|-
| 0 || [[#CreateUserLocalCommunicationService|CreateUserLocalCommunicationService]]
| 0x3 || [19.0.0+]
|-
|-
| 1 || [18.0.0+] [[#CreateClientProcessMonitor|CreateClientProcessMonitor]]
| 0x4 || [20.0.0+]
|}
|}


== CreateUserLocalCommunicationService==
=== InitializeWithPriority ===
Returns an [[#IUserLocalCommunicationService]].
Takes an input PID, a s32 version, a s32 priority, and an u64 pid_placeholder.


The user-process closes the IUserServiceCreator object immediately after using this cmd. Official sw ignores errors from this cmd.
This is similar to [[#InitializeWithVersion|InitializeWithVersion]]. The input priority is passed directly to the init func which is called here, instead of determining it from whether the interface is User/System.


== IUserLocalCommunicationService ==
Official sw passes input value 0x38 for the priority as the default, when the user doesn't specify the priority.
This is "nn::ldn::detail::IUserLocalCommunicationService".
 
=== EnableActionFrame ===
Takes an input [[#ActionFrameSettings]]. No output.
 
[[#State|State]] must be Initialized.
 
=== DisableActionFrame ===
No input/output.
 
[[#State|State]] must be Initialized.
 
=== SendActionFrame ===
Takes a type-0x21 input buffer, two input [[#MacAddress]], two input s16s ('''Band''' and '''ChannelNumber''') and an input [[#MessageFlagSet]]. No output.
 
[20.0.0+] The input s16s were replaced with a single u16, which has the same format as [[#SetHomeChannel|SetHomeChannel]].
 
The first [[#MacAddress]] is the destination, the second [[#MacAddress]] is the Bssid.
 
The ChannelNumber must be non-zero.
 
[[#State|State]] must be 3-4 (AccessPointCreated/Station).
 
=== RecvActionFrame ===
Takes a type-0x22 output buffer and an input [[#MessageFlagSet]]. Returns two output [[#MacAddress]], two output s16s ('''Band''' and '''ChannelNumber'''), an output u32 '''Size''', and an output s32 '''LinkLevel'''.
 
[20.0.0+] The output s16s were replaced with a single u16, which has the same format as [[#SetHomeChannel|SetHomeChannel]].


This is identical to [[#ISystemLocalCommunicationService]], except for the System-only cmd(s), and [[#Initialize_3|Initialize]]/[[#InitializeWithVersion_2|InitializeWithVersion]] differ.
[[#EnableActionFrame|EnableActionFrame]] must be used prior to this.


{| class="wikitable" border="1"
=== SetHomeChannel ===
|-
Takes two input s16s '''Band''' and '''ChannelNumber'''. No output.
! Cmd || Name
 
|-
[20.0.0+] Now takes an input u16 instead of two s16s, merging the two params. Bitmask 0x3FF (low 10-bits) is the ChannelNumber, while the remaining upper 6-bits is the Band. The Band is used as an array index to load the actual Band for passing to a func. Only the following Band input is valid, others return 0x0/0xFFFF: 2 - > 2400, 5 -> 5000, 6 -> 6000.
| 0 || [[#GetState_2|GetState]]
 
|-
On NX Band must be ([20.0.0+] converted Band from the above array) 50 ([20.0.0+] 5000) or 24 ([20.0.0+] 2400).
| 1 || [[#GetNetworkInfo_2|GetNetworkInfo]]
 
|-
The ChannelNumber must be non-zero.
| 2 || [[#GetIpv4Address_2|GetIpv4Address]]
 
|-
The [[#State|State]] must be Station.
| 3 || [[#GetDisconnectReason_2|GetDisconnectReason]]
 
|-
sdknso uses the input channel to convert to the input needed by the cmd.
| 4 || [[#GetSecurityParameter_2|GetSecurityParameter]]
 
=== SetTxPower ===
Takes an input s16 '''Power'''. No output.
 
The input must be 0x0..0xFF.
 
A state field must be non-zero.
 
The [[#State|State]] must be 2-5 (AccessPoint*/Station*).
 
=== ResetTxPower ===
No input/output.
 
The same state field checked by [[#SetTxPower|SetTxPower]] must be non-zero. The [[#State|State]] check is also the same as [[#SetTxPower|SetTxPower]].
 
== IClientProcessMonitor ==
This is "nn::ldn::detail::IClientProcessMonitor".
 
This was added with [18.0.0+].
 
{| class="wikitable" border="1"
|-
|-
| 5 || [[#GetNetworkConfig_2|GetNetworkConfig]]
! Cmd || Name
|-
|-
| 100 || [[#GetStateChangeEvent|GetStateChangeEvent]]
| 0 || RegisterClient
|-
|}
| 101 || [[#GetNetworkInfoAndHistory|GetNetworkInfoAndHistory]]
 
=== RegisterClient ===
Takes an input PID and an u64 pid_placeholder.
 
[18.0.0+] [[#CreateClientProcessMonitor|CreateClientProcessMonitor]] and RegisterClient are used by sdknso at the end of the ldn initialization functionality.
 
If the objptr in IClientProcessMonitor state is already set from using this cmd previously, this just returns 0.
 
This goes through global state to locate an entry with a matching PID, if none found 0 is returned. The objptr from the state entry is loaded, if NULL this returns 0. This obj is then incref'd and written into the IClientProcessMonitor state. When PID is 0, 0 is returned. It then locates the above state entry again with a matching PID, clearing the entry which matches. Lastly 0 is returned.
 
The initialization [[#InitializeWithPriority|cmds]] adds an entry to the above global state.
 
= ldn:u =
This is "nn::ldn::detail::IUserServiceCreator".
 
This has IPC max_sessions 3.
 
[18.0.0+] The sdknso uses SessionManager with this, where the additional session-count is 0x3.
 
{| class="wikitable" border="1"
|-
|-
| 102 || [[#Scan|Scan]]
! Cmd || Name
|-
|-
| 103 || [[#ScanPrivate|ScanPrivate]]
| 0 || [[#CreateUserLocalCommunicationService|CreateUserLocalCommunicationService]]
|-
|-
| 104 || [5.0.0+] [[#SetWirelessControllerPolicy|SetWirelessControllerPolicy]]
| 1 || [18.0.0+] [[#CreateClientProcessMonitor|CreateClientProcessMonitor]]
|}
 
== CreateUserLocalCommunicationService==
Returns an [[#IUserLocalCommunicationService]].
 
The user-process closes the IUserServiceCreator object once finished with it during initialization. Official sw ignores errors from this cmd.
 
== IUserLocalCommunicationService ==
This is "nn::ldn::detail::IUserLocalCommunicationService".
 
{| class="wikitable" border="1"
|-
! Cmd || Name
|-
| 0 || [[#GetState_2|GetState]]
|-
| 1 || [[#GetNetworkInfo_2|GetNetworkInfo]]
|-
| 2 || [[#GetIpv4Address_2|GetIpv4Address]]
|-
| 3 || [[#GetDisconnectReason_2|GetDisconnectReason]]
|-
| 4 || [[#GetSecurityParameter_2|GetSecurityParameter]]
|-
| 5 || [[#GetNetworkConfig_2|GetNetworkConfig]]
|-
| 100 || [[#GetStateChangeEvent|GetStateChangeEvent]]
|-
| 101 || [[#GetNetworkInfoAndHistory|GetNetworkInfoAndHistory]]
|-
| 102 || [[#Scan|Scan]]
|-
| 103 || [[#ScanPrivate|ScanPrivate]]
|-
| 104 || [5.0.0+] [[#SetWirelessControllerPolicy|SetWirelessControllerPolicy]]
|-
|-
| 105 || [13.1.0+] [[#SetWirelessAudioPolicy|SetWirelessAudioPolicy]]
| 105 || [13.1.0+] [[#SetWirelessAudioPolicy|SetWirelessAudioPolicy]]
Line 504: Line 617:
| 304 || [[#Disconnect|Disconnect]]
| 304 || [[#Disconnect|Disconnect]]
|-
|-
| 400 || [[#Initialize_3|Initialize]]
| 400 || [[#Initialize_2|Initialize]]
|-
|-
| 401 || [[#Finalize_3|Finalize]]
| 401 || [[#Finalize_2|Finalize]]
|-
|-
| 402 || [7.0.0+] [[#InitializeWithVersion_2|InitializeWithVersion]]
| 402 || [7.0.0+] [[#InitializeWithVersion|InitializeWithVersion]]
|-
|-
| 403 || [19.0.0+] [[#InitializeWithPriority|InitializeWithPriority]]
| 403 || [19.0.0+] [[#SetOperationMode|SetOperationMode]]
|-
|-
| 500 || [18.0.0+] EnableActionFrame
| 500 || [18.0.0+] [[#EnableActionFrame|EnableActionFrame]]
|-
|-
| 501 || [18.0.0+] DisableActionFrame
| 501 || [18.0.0+] [[#DisableActionFrame|DisableActionFrame]]
|-
|-
| 502 || [18.0.0+] SendActionFrame
| 502 || [18.0.0+] [[#SendActionFrame|SendActionFrame]]
|-
|-
| 503 || [18.0.0+] RecvActionFrame
| 503 || [18.0.0+] [[#RecvActionFrame|RecvActionFrame]]
|-
|-
| 505 || [18.0.0+] [[#SetHomeChannel|SetHomeChannel]]
| 505 || [18.0.0+] [[#SetHomeChannel|SetHomeChannel]]
|-
|-
| 600 || [18.0.0+] SetTxPower
| 600 || [18.0.0+] [[#SetTxPower|SetTxPower]]
|-
|-
| 601 || [18.0.0+] ResetTxPower
| 601 || [18.0.0+] [[#ResetTxPower|ResetTxPower]]
|}
|}


=== Initialize ===
= ndd =
Takes an input PID and an u64 pid_placeholder.
This is "nn::ndd::IService".
 
This is used immediately after object creation.
 
With [7.0.0+] [[#InitializeWithVersion_2|InitializeWithVersion]] is used instead.
 
This is identical to [[#Initialize_2|Initialize]] except different params are used for the funcs called internally.
 
=== Finalize ===
No input/output.
 
This is used during service exit, prior to closing the object. Official sw will Abort if this fails.
 
=== InitializeWithVersion ===
Takes an input PID, an u32, and an u64 pid_placeholder.
 
Official sw uses hard-coded value 0x1 for the u32.
 
The input u32 is ignored, the impl for this cmd is identical to [[#Initialize_3|Initialize]].
 
This is identical to [[#InitializeWithVersion|InitializeWithVersion]] except different params are used for the funcs called internally: the u16 value is 0x5A, and the value for the second func is 1.
 
= ndd =
This is "nn::ndd::IService".


This was added with [5.0.0] and removed with [6.0.0].
This was added with [5.0.0] and removed with [6.0.0].
Line 928: Line 1,018:
= NodeInfo =
= NodeInfo =
This is "nn::ldn::NodeInfo".
This is "nn::ldn::NodeInfo".
The first node in the nodes array is always the AccessPoint (NodeId 0x0). NodeId is the index of the node in the nodes array.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 945: Line 1,037:
| 0xC || 0x21 || UserName
| 0xC || 0x21 || UserName
|-
|-
| 0x2D || 0x1 || [?+]
| 0x2D || 0x1 || [19.0.0+] Platform? (0 = NX, 1 = Ounce)
|-
|-
| 0x2E || 0x2 || LocalCommunicationVersion
| 0x2E || 0x2 || LocalCommunicationVersion
Line 983: Line 1,075:
| 0xC || 0x4 || Reserved
| 0xC || 0x4 || Reserved
|}
|}
* LocalCommunicationId: [[#CreateNetwork|CreateNetwork]], [[#CreateNetworkPrivate|CreateNetworkPrivate]], [[#Connect|Connect]], [[#ConnectPrivate|ConnectPrivate]] (also [[#ScanFilter|ScanFilter]] when enabled with the flag): When -1, this is overwritten with the first LocalCommunicationId from the user-process [[NACP]], if loading fails value 0 is written instead. Otherwise when not -1, if [[NACP]] loading is successful, this field must match one of the LocalCommunicationIds from there.
* SceneId: Arbitrary user data, this can be used for filtering with [[#ScanFilter|ScanFilter]] for example.


= SessionId =
= SessionId =
This is "nn::ldn::SessionId".
This is "nn::ldn::SessionId".
This is used to generate/overwrite the Ssid when needed.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 1,089: Line 1,186:
This is "nn::ldn::ScanFilter". This is a 0x60-byte struct with 8-byte alignment.
This is "nn::ldn::ScanFilter". This is a 0x60-byte struct with 8-byte alignment.


sdknso copies the input ScanFilter to a tmp struct on stack, which is then used with the cmd.
sdknso copies the input ScanFilter to a tmp struct on stack (with [[#ScanFilterFlag|Flag]] masking), which is then used with the cmd. sdknso only copies Bssid with [[#ScanPrivate|ScanPrivate]], with [[#Scan|Scan]] it also masks out the [[#ScanFilterFlag|Flag]] for Bssid.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 1,109: Line 1,206:
| 0x5C || 0x4 || [[#ScanFilterFlag|Flag]]
| 0x5C || 0x4 || [[#ScanFilterFlag|Flag]]
|}
|}
Each [[#ScanFilterFlag|Flag]] bit when set enables using the corresponding ScanFilter data. This is usually a compare with the ScanFilter data and the internal [[#NetworkInfo|NetworkInfo]] data.
* NetworkType: (ScanFilter_NetworkType & NetworkInfo_NetworkType) must be non-zero.
* Ssid: The length fields must match, then memcmp is used.
The filtering func also handles validating the Band/Channel, however these fields are internal only and are not exposed in the user ScanFilter.


= ScanFilterFlag =
= ScanFilterFlag =
Line 1,207: Line 1,311:
| 3 || SystemDebug
| 3 || SystemDebug
|}
|}
Value:
* 1-2: Broadcast Action frame data is encrypted.
* 3: Broadcast Action frame data is plaintext.
* 1: Data frames are encrypted.
* 2-3: Data frames for normal data-transfer are plaintext - the network is Open.


= SecurityConfig =
= SecurityConfig =
Line 1,223: Line 1,334:
| 0x4 || 0x40 || Passphrase (used with key derivation)
| 0x4 || 0x40 || Passphrase (used with key derivation)
|}
|}
Type:
* 1-2: Broadcast Action frame data is encrypted and is verified with SHA256.
* 3: Broadcast Action frame data is plaintext and is verified with SHA256.
* 1: Data frames are encrypted.
* 2-3: Data frames for normal data-transfer are plaintext - the network is Open.


= SecurityParameter =
= SecurityParameter =
Line 1,248: Line 1,352:
This is "nn::ldn::UserConfig". This is a 0x30-byte struct with 1-byte alignment.
This is "nn::ldn::UserConfig". This is a 0x30-byte struct with 1-byte alignment.


sdknso copies the input UserConfig to a tmp struct on stack, which is then used with the cmd.
An error is thrown if UserName+0x20 is non-zero.
 
sdknso copies the input UserConfig to a tmp struct on stack, which is then used with the cmd. Only the first 0x20-bytes are copied, with the rest cleared.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 1,256: Line 1,362:
! Description
! Description
|-
|-
| 0x0 || 0x21 || UserName (NUL-terminated string for the user nickname)
| 0x0 || 0x21 || UserName (NUL-terminated string for the user name)
|-
|-
| 0x21 || 0xF || Reserved (cleared to zero during the copy)
| 0x21 || 0xF || Reserved
|}
|}


Line 1,360: Line 1,466:
|}
|}


There's presumably a S2-only value which enables using Ounce-only keys. Attempting to decrypt Ounce-only ldn with the Protocol3 keys fails (including with [[#Scan|Scan]]/[[#ScanPrivate|ScanPrivate]]), with the following:
The Initialize* cmds configure state the same as using [[#SetProtocol|SetProtocol]] with Protocol NX.
 
There's presumably a S2-only value which enables using Ounce-only keys. Attempting to decrypt Ounce-only ldn with the Protocol3 keys fails (including with [[#Scan|Scan]]/[[#ScanPrivate|ScanPrivate]]), with the following (with S2 hosting):
* In-game ldn-usage for a S2-only Application.
* In-game ldn-usage for a S2-only Application.
* Local-game-update with a S2-only Application.
* Local-game-update with a S2-only Application.
* Local-game-update for a S1-game which has a Nintendo Switch 2 Edition available, even without the S2-Edition being installed.
* Local-game-update for a S1-game which has a Nintendo Switch 2 Edition available, even without the S2-Edition being installed.


= MacAddress =
There's system-titles which [[20.0.0|use]] SetProtocol. While there's game(s) which use SetProtocol, there's no known (?) games using Protocol3 (excluding GameShare which is system).
This is "nn::lp2p::MacAddress". Same as [[#MacAddress|MacAddress]].
 
= GroupId =
This is "nn::lp2p::GroupId". This is a 6-byte struct with 1-byte alignment.


This is a WiFi BSSID.
= ActionFrameSettings =
 
This is "nn::ldn::ActionFrameSettings". This is a 0x80-byte struct.
= NodeInfo =
This is "nn::lp2p::NodeInfo". This is a 0x80-byte struct.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 1,382: Line 1,484:
! Description
! Description
|-
|-
| 0x0 || || <code>struct sockaddr</code> for the IP address.
| 0x0 || 0x8 || LocalCommunicationId
|-
| 0x8 || 0x34 || Reserved
|-
| 0x3C || 0x2 || SecurityMode
|-
| 0x3E || 0x2 || PassphraseSize (Must be 0x10-0x40)
|-
|-
| 0x24 || 0x6 || [[#MacAddress_2|MacAddress]]
| 0x40 || 0x40 || Passphrase
|}
|}


= GroupInfo =
SecurityMode must be 1-2. The same SecurityMode override functionality from elsewhere is used later with this.
This is "nn::lp2p::GroupInfo". This is a 0x200-byte struct.
 
The same LocalCommunicationId override/validation from elsewhere is used with the input as well.


[[Mario Kart Live: Home Circuit|mklive]] sets the SSID to a string generated from random data.
= MessageFlagSet =
This is "nn::ldn::MessageFlagSet". This is a BitFlagSet object for [[#MessageFlag]].


[[#Scan_2|Scan]] only uses the following fields for the cmd input struct: SupportedPlatform/Priority, Frequency/Channel, and PresharedKeyBinarySize/PresharedKey.
= MessageFlag =
This is "nn::ldn::MessageFlag".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Offset
!  Value
!  Description
|-
| 0 ||
|}
 
[[#SendActionFrame|SendActionFrame]]/[[#RecvActionFrame|RecvActionFrame]] handles bit0 the same way as the MessageFlag with lp2p [[#SendToOtherGroup|SendToOtherGroup]]/[[#RecvFromOtherGroup|RecvFromOtherGroup]].
 
= MacAddress =
This is "nn::lp2p::MacAddress". Same as [[#MacAddress|MacAddress]].
 
= GroupId =
This is "nn::lp2p::GroupId". This is a 6-byte struct with 1-byte alignment.
 
This is a WiFi BSSID.
 
= NodeInfo =
This is "nn::lp2p::NodeInfo". This is a 0x80-byte struct.
 
{| class="wikitable" border="1"
|-
! Offset
! Size
! Size
! Description
! Description
|-
|-
| 0x0 || 0x10 || Wrapped master key. When zero, set to randomly-generated data. This is decrypted with a "static AES key" and used to derive the 4 encryption keys for the session.
| 0x0 || || <code>struct sockaddr</code> for the IP address.
|-
|-
| 0x10 || 0x8 || LocalCommunicationId. When zero, the value from control.nacp is loaded. This is later validated by [[#Join]]/[[#CreateGroup]] the same way as the [[#NetworkConfig]] field. Used during key derivation to derive keys B and D.
| 0x24 || 0x6 || [[#MacAddress_2|MacAddress]]
|-
|}
| 0x18 || 0x6 || [[#GroupId]] ("GROUP ID  (BSSID)"). When zero, the default is used. The default should be used here: an error is thrown if the data here doesn't match the output from [[WLAN_services|wlan:lcl]] cmd2.
 
= GroupInfo =
This is "nn::lp2p::GroupInfo". This is a 0x200-byte struct.
 
[[Mario Kart Live: Home Circuit|mklive]] sets the SSID to a string generated from random data.
 
[[#Scan_2|Scan]] only uses the following fields for the cmd input struct: SupportedPlatform/Priority, Frequency/Channel, and PresharedKeyBinarySize/PresharedKey.
 
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0 || 0x10 || Wrapped master key. When zero, set to randomly-generated data. This is decrypted with a "static AES key" and used to derive the 4 encryption keys for the session.
|-
| 0x10 || 0x8 || LocalCommunicationId. When zero, the value from control.nacp is loaded. This is later validated by [[#Join]]/[[#CreateGroup]] the same way as the [[#NetworkConfig]] field. Used during key derivation to derive keys B and D.
|-
| 0x18 || 0x6 || [[#GroupId]] ("GROUP ID  (BSSID)"). When zero, the default is used. The default should be used here: an error is thrown if the data here doesn't match the output from [[WLAN_services|wlan:lcl]] cmd2.
|-
|-
| 0x1E || 0x21 || ServiceName ("GROUP NAME (SSID)"). NUL-terminated string. See below.
| 0x1E || 0x21 || ServiceName ("GROUP NAME (SSID)"). NUL-terminated string. See below.
Line 1,500: Line 1,650:
= Network protocol =
= Network protocol =
== ldn ==
== ldn ==
A beacon and Action frame are broadcasted. The SSID in the beacon is hidden (32-bytes with value 0). For [[#Scan]]/[[#ScanPrivate]] it doesn't matter if no beacon is available ([[#NetworkInfo]] is the same), as long as the Action frame is broadcasted. However, the Station will not send a probe-request during connection if no beacon is available (and therefore not attempt any communication with the AccessPoint). The beacon doesn't have any custom Nintendo data, that data is in the Acton frame.
A beacon and Action frame are broadcasted. The SSID in the beacon is hidden (32-bytes with value 0). For [[#Scan]]/[[#ScanPrivate]] it doesn't matter if no beacon is available ([[#NetworkInfo]] is the same), as long as the Action frame is broadcasted. However, the Station will not send a probe-request during connection if no beacon is available (and therefore not attempt any communication with the AccessPoint). The beacon doesn't have any custom Nintendo data, that data is in the Action frame.


During connection, the Station first sends a probe-request using the [[#NetworkInfo|generated]] SSID from the Action frame. If the probe-response contains the expected data for the [[#SecurityConfig]] type, the Station then proceeds to connect to the AccessPoint. The key for data-frames, if [[#SecurityConfig|enabled]], is derived from a buffer containing: {[[#SecurityParameter]]+0x0} followed by {[[#SecurityConfig]] data with the specified data-size}. The [[#ActionFrame]]/data-frame keys are derived with the same func, the only difference is the input passed to this func + the passed constant data. The key derived by ldn is used directly as the static CCMP key for all data-frames (CCMP / MIC is standard). When [[#Protocol|Protocol]] is 3 the [[SPL_services|Generation]] is [[19.0.0|0x13]] instead of 0x0, for all of the previously mentioned keys derivation.
During connection, the Station first sends a probe-request using the [[#NetworkInfo|generated]] SSID from the Action frame. If the probe-response contains the expected data for the [[#SecurityConfig]] type, the Station then proceeds to connect to the AccessPoint.
 
Keys are derived with: <code>GenerateAesKek(AccessKey, KeySource, Generation, Option=0); GenerateAesKey(out_key, AccessKey, {output from SHA256(data_to_hash)});</code> The key for data-frames, if [[#SecurityConfig|enabled]], is derived from a buffer containing: {[[#SecurityParameter]]+0x0} followed by {[[#SecurityConfig]] Passphrase with the specified PassphraseSize}. The [[#ActionFrame]]/data-frame keys are derived roughly the same, the only difference is the data for hashing + the [[SPL_services|KeySource]]. The key derived by ldn is used directly as the static CCMP key for all data-frames (CCMP / MIC is standard). When [[#Protocol|Protocol]] is 3 the [[SPL_services|Generation]] is [[19.0.0|0x13]] instead of 0x0, for all of the previously mentioned keys derivation.


Then the Station scans for an [[#ActionFrame]] for loading the [[#NetworkInfo]].
Then the Station scans for an [[#ActionFrame]] for loading the [[#NetworkInfo]].
Line 1,510: Line 1,662:
After Authentication the Station will scan for another [[#ActionFrame]], with frame-comparision enabled with the above frame (frame must have been updated since the previous scan). The Station locates the index for a [[#MacAddress|MacAddress]] matching itself in the [[#NetworkInfo]] [[#NodeInfo|NodeInfo]] array (the entry for the AccessPoint is skipped), throwing an error if not found. After validating the LocalCommunicationVersion, it proceeds to handle ARP setup below.
After Authentication the Station will scan for another [[#ActionFrame]], with frame-comparision enabled with the above frame (frame must have been updated since the previous scan). The Station locates the index for a [[#MacAddress|MacAddress]] matching itself in the [[#NetworkInfo]] [[#NodeInfo|NodeInfo]] array (the entry for the AccessPoint is skipped), throwing an error if not found. After validating the LocalCommunicationVersion, it proceeds to handle ARP setup below.


This does not use DHCP, each node on the network has to manually setup ARP (without sending ARP network requests) with the [[#NodeInfo|NodeInfo]] array in [[#NetworkInfo]]. When [[#Protocol|Protocol]] is 3, after the client is [[#EthFrame|authenticated]] the host sends an ARP reply to the client (there's no ARP usage besides this).
This does not use DHCP, each node on the network has to manually setup IP-config with the [[#NodeInfo|NodeInfo]] array in [[#NetworkInfo]]. [?+] After the client is [[#EthFrame|authenticated]] ARP may be used in some cases however.


At this point standard sockets can be used over Data frames.
At this point standard sockets can be used over Data frames.
Line 1,539: Line 1,691:
| 0x2 || 0x1 || Status. 0 = success, non-zero = error.
| 0x2 || 0x1 || Status. 0 = success, non-zero = error.
|-
|-
| 0x3 || 0x1 || [2.0.0+] bool flag. The AccessPoint verifies that this is not set. Always set to 1 by the AccessPoint in the response. The Station only uses this when the [[#AuthVersion]] is >=2.
| 0x3 || 0x1 || [2.0.0+] bool flag. The AccessPoint verifies that this is not set. Always set to 1 by the AccessPoint in the response. [2.0.0-?] The Station only uses this when the [[#AuthVersion]] is >=2.
|-
|-
| 0x4 || 0x1 || [6.0.0+] High u8 for the size.
| 0x4 || 0x1 || [6.0.0+] High u8 for the size.
|-
|-
| 0x5 || 0x1 || [?+] AuthEncryptionType, must match the type being used by the [[#Protocol|Protocol]]. 0 = plaintext ([[#Protocol|Protocol]] NX), 1 = AES-128-GCM ([[#Protocol|Protocol]] 3).
| 0x5 || 0x1 || [20.0.0+] AuthEncryptionType, must match the type being used by the [[#Protocol|Protocol]]. 0 = plaintext ([[#Protocol|Protocol]] NX), 1 = AES-128-GCM ([[#Protocol|Protocol]] 3).
|-
|-
| 0x6 || 0x2 || Unused, zeros.
| 0x6 || 0x2 || Unused, zeros.
Line 1,553: Line 1,705:
AccessPoint->Station frame, the Station verifies that this matches the data previously sent to the AccessPoint.
AccessPoint->Station frame, the Station verifies that this matches the data previously sent to the AccessPoint.
|-
|-
| 0x38 || 0x10 || See below.
| 0x38 || 0x10 || AuthEncryptionType1: Used for key derivation.
Station->AccessPoint: The Station sets this to random data. Unused by the AccessPoint (besides the above), except for copying into the response.
 
AccessPoint->Station: +0x38 from the data originally sent by the Station. The Station verifies that this matches the previously sent data.
|-
|-
| 0x48 || 0x10 || Only present with AuthEncryptionType1: AES-128-GCM MAC tag.
| 0x48 || 0x10 || Only present with AuthEncryptionType1: AES-128-GCM MAC tag.
|-
|-
| 0x48 (0x58 with AuthEncryptionType1) || || Frame-specific data, with the above size. The total frame size - {offset of the start of this data in the frame} must match the above size.
| 0x48 (0x58 with AuthEncryptionType1) || || Frame-specific payload data, with the above size. The total frame size - {offset of the start of this data in the frame} must match the above size.
|}
|}


The Station sets the above size to 0x40 ([6.0.0+] if [[#NetworkInfo]]+0x13 is <3). [6.0.0+] The Authentication challenge is only used/enabled if that value is >=3, and [[#IUserLocalCommunicationService]] is being used.
The Station sets the above size to 0x40 ([6.0.0+] if [[#NetworkInfo]]+0x13 is <3) ([?+] 0x64 regardless of [[#AuthVersion]]). [6.0.0+] The Authentication challenge is only used/enabled if that value is >=3, and [[#IUserLocalCommunicationService]] is being used.


The AccessPoint sets the above size to 0x40 ([6.0.0+] 0x0 if the +0x0 [[#AuthVersion]] is <3). [6.0.0+] The AccessPoint will only use/enable the Authentication challenge when the +0x0 [[#AuthVersion]] is >=3, and [[#IUserLocalCommunicationService]] is being used. This data will not be included in the frame if the status field indicates error.
The AccessPoint sets the above size to 0x40 ([6.0.0+] 0x0 if the +0x0 [[#AuthVersion]] is <3) ([?+] 0x84 regardless of [[#AuthVersion]]). [6.0.0+] The AccessPoint will only use/enable the Authentication challenge when the +0x0 [[#AuthVersion]] is >=3, and [[#IUserLocalCommunicationService]] is being used. This data will not be included in the frame if the status field indicates error.


[6.0.0+] Support for the Authentication challenge with [[ETicket_services|es]] cmds 1501-1504 was added.
[6.0.0+] Support for the Authentication challenge with [[ETicket_services|es]] cmds 1501-1504 was added.
Line 1,568: Line 1,723:
AuthEncryptionType1: The key is derived essentially the same as the data-frame CCMP key, except the input data for hashing is the 0x10-bytes at +0x38 (this also only supports using [[SPL_services|Generation]] 0x13, returning immediately if the input param indicates otherwise due to the [[#Protocol|Protocol]]). The encrypted AES-128-GCM data starts at +0x58 with the above size. The 0xC-bytes IV is at +0x0, the AAD is at +0x0 size 0x48-bytes.
AuthEncryptionType1: The key is derived essentially the same as the data-frame CCMP key, except the input data for hashing is the 0x10-bytes at +0x38 (this also only supports using [[SPL_services|Generation]] 0x13, returning immediately if the input param indicates otherwise due to the [[#Protocol|Protocol]]). The encrypted AES-128-GCM data starts at +0x58 with the above size. The 0xC-bytes IV is at +0x0, the AAD is at +0x0 size 0x48-bytes.


Station->AccessPoint frame, relative to +0x0 above (frame size depends on whether +0xAC is enabled):
The AccessPoint will not respond to frames where the source mac-address is unrecognized.


The AccessPoint will not respond to frames where the source mac-address is unrecognized.
Station->AccessPoint payload data, relative to frame_end above (frame size depends on whether the challenge is enabled):


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 1,578: Line 1,733:
! Description
! Description
|-
|-
| 0x38 || 0x10 || The Station sets this to random data. Unused by the AccessPoint, except for copying into the response.
| 0x0 || 0x20 || [[#UserConfig]]+0. Copied into state by the AccessPoint.
|-
|-
| 0x48 || 0x20 || [[#UserConfig]]+0. Copied into state by the AccessPoint.
| 0x20 || 0x2 || Big-endian LocalCommunicationVersion. Byte-swapped by the AccessPoint then copied into state. [?+] This is now ignored.
|-
|-
| 0x68 || 0x2 || Big-endian LocalCommunicationVersion. Byte-swapped by the AccessPoint then copied into state.
| 0x22 || 0x1 || [19.0.0+] [[#NodeInfo|NodeInfo]] +0x2D. Copied into state by the AccessPoint. On NX the Station always sets this to 0 in the sent payload-data.
|-
|-
| 0x6A || 0x1E || Zeros, unused by the AccessPoint.
| 0x23 || 0x1D || Zeros, unused by the AccessPoint.
|-
|-
| 0x88 || 0x24 || [6.0.0+] Zeros, unused by the AccessPoint.
| 0x40 || 0x24 || [6.0.0+] Zeros, unused by the AccessPoint.
|-
|-
| 0xAC || 0x300 || [6.0.0+] Authentication challenge data. If enabled, the total frame size must be >= {end offset of this data in the frame}. The frame data does not include this if it's not enabled.
| 0x64 || 0x300 || [6.0.0+] Authentication challenge data. If enabled, the total frame size must be >= {end offset of this data in the frame}. The frame data does not include this if it's not enabled.
|}
|}


AccessPoint->Station response frame, relative to +0x0 above (frame size depends on whether +0x48/+0xCC are enabled):
AccessPoint->Station response payload data, relative to frame_end above (frame size depends on whether the challenge is enabled):


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 1,599: Line 1,754:
! Description
! Description
|-
|-
| 0x38 || 0x10 || +0x38 from the data originally sent by the Station. The Station verifies that this matches the previously sent data.
| 0x0 || 0x1 ||  
|-
|-
| 0x48 || 0x40 || Zeros. [6.0.0+] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.
| 0x1 || 0x3F || Zeros. [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.
|-
|-
| 0x88 || 0x44 || [6.0.0+] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.
| 0x40 || 0x44 || [6.0.0-?] Only included in the frame if it's enabled (+0x0 [[#AuthVersion]] >= 3). Unused by the Station.
|-
|-
| 0xCC || 0x100 || [6.0.0+] If enabled, Authentication challenge response data. Not included in the frame if it's not enabled.
| 0x84 || 0x100 || [6.0.0+] If enabled, Authentication challenge response data. Not included in the frame if it's not enabled.
|}
|}


Line 1,623: Line 1,778:
| 3 || [6.0.0+]
| 3 || [6.0.0+]
|-
|-
| 4 || ?
| 4 || [19.0.0+]
|}
|}


Line 1,660: Line 1,815:
| 0x20 || 0x1 || [[#AuthVersion]]. Copied to [[#NetworkInfo]]+0x63. When comparing with a previous frame is enabled, this must match the value from the previous frame.
| 0x20 || 0x1 || [[#AuthVersion]]. Copied to [[#NetworkInfo]]+0x63. When comparing with a previous frame is enabled, this must match the value from the previous frame.
|-
|-
| 0x21 || 0x1 || Encryption type: 1 = plaintext, 2 = AES-128-CTR, 3 = AES-128-GCM, {frames with other values are ignored by [[#Scan]]/[[#ScanPrivate]]}. Must match the type which is currently being used: with [[#Scan]]/[[#ScanPrivate]] this is determined via this field, otherwise [[#SecurityConfig]] is used to determine this.
| 0x21 || 0x1 || Encryption type: 1 = plaintext, 2 = AES-128-CTR, [20.0.0+] 3 = AES-128-GCM, {frames with other values are ignored by [[#Scan]]/[[#ScanPrivate]]}. Must match the type which is currently being used: with [[#Scan]]/[[#ScanPrivate]] this is determined via this field, otherwise [[#SecurityConfig]] is used to determine this.
|-
|-
| 0x22 || 0x2 || Big-endian u16 size for the data starting at +0x48 (+0x38 with EncryptionType3), and must match {total frame size relative to +0x0 above} - {header_size}.
| 0x22 || 0x2 || Big-endian u16 size for the data starting at +0x48 (+0x38 with EncryptionType3), and must match {total frame size relative to +0x0 above} - {header_size}.
Line 1,674: Line 1,829:


When encryption is enabled, the encrypted data is at +0x28 (+0x38 with EncryptionType3) with size {remaining frame size}. The key is derived from the raw 0x20-bytes at +0x0. The CTR/IV is {raw Counter above without byte-swap}, with the rest cleared to zeros. The AAD for AES-128-GCM is at +0x0 size 0x28-bytes.
When encryption is enabled, the encrypted data is at +0x28 (+0x38 with EncryptionType3) with size {remaining frame size}. The key is derived from the raw 0x20-bytes at +0x0. The CTR/IV is {raw Counter above without byte-swap}, with the rest cleared to zeros. The AAD for AES-128-GCM is at +0x0 size 0x28-bytes.
Originally [[#Scan]]/[[#ScanPrivate]] used the EncryptionType field to determine encryption handling. With [18.0.0+] these now set an internal SecurityMode field to 0 (Any) initially, then later uses the same SecurityMode override as [[#CreateNetwork|CreateNetwork]]. The internal SecurityMode field is used to determine encryption handling: Any uses the EncryptionType field like before. With non-zero the encryption handling is determined as required by the SecurityMode.


The content data at +{above_header_size} follows, which has the size specified above (which must be >=0x500 with EncryptionType1-2), where all fields are big-endian. For EncryptionType1-2:
The content data at +{above_header_size} follows, which has the size specified above (which must be >=0x500 with EncryptionType1-2), where all fields are big-endian. For EncryptionType1-2:
Line 1,726: Line 1,883:
| 0x19 || 0x1 || [[#NetworkInfo]]+0x62
| 0x19 || 0x1 || [[#NetworkInfo]]+0x62
|-
|-
| 0x1A || 0x2 || s16 LocalCommunicationVersion. Bit7 must be clear.
| 0x1A || 0x2 || s16 LocalCommunicationVersion. Must not be negative.
|-
|-
| 0x1C || 0x8 || Unused?
| 0x1C || 0x8 || Unused?
Line 1,759: Line 1,916:
| 0xA || 0x1 || bool IsConnected
| 0xA || 0x1 || bool IsConnected
|-
|-
| 0xB || 0x1 || [?+] [[#NodeInfo|NodeInfo]] +0x2D
| 0xB || 0x1 || [19.0.0+] [[#NodeInfo|NodeInfo]] +0x2D
|-
|-
| 0xC || 0x20 || First 0x20-bytes of [[#UserConfig]].
| 0xC || 0x20 || First 0x20-bytes of [[#UserConfig]].
Line 1,788: Line 1,945:
| 0x2C || 0x4 || Unused
| 0x2C || 0x4 || Unused
|}
|}
=== ActionFrame2 ===
The Action frames used by [[#SendActionFrame|SendActionFrame]]/[[#RecvActionFrame|RecvActionFrame]] have the following structure:
* "Fixed parameters":
** "Category code: Vendor Specific (127)"
** "OUI: 00:22:aa (Nintendo Co., Ltd.)"
* The Data starts with the following header:
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0 || 0x2 || 04 00
|-
| 0x2 || 0x2 || Protocol ID, must match big-endian 0x0102.
|-
| 0x4 || 0x2 || 00 00
|-
| 0x6 || 0x2 || 00 00
|}
Then the actual data follows (all fields big-endian):
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0 || 0x1 || [[#AuthVersion]]
|-
| 0x1 || 0x1 || EncryptionType, must match the expected type for the current SecurityMode. 1 = plaintext, 2 = AES-128-GCM.
|-
| 0x2 || 0x2 || Padding
|-
| 0x4 || 0x4 || Counter
|-
| 0x8 || 0x8 || LocalCommunicationId
|-
| 0x10 || 0x10 || Used with key derivation.
|-
| 0x20 || 0x10 || EncryptionType2: AES-128-GCM MAC tag.
|-
| 0x30 || Remaining frame size || Data payload
|}
The 0xC-byte IV for AES-128-GCM is the raw 4-bytes from the above Counter, with the rest cleared to zeroes. The encrypted data is at +0x30, with the remaining frame size. The AAD is the 0x20-bytes at +0x0.
The key is derived similar to the regular action-frame key (same KeySource), except: the Generation is always [[17.0.0|0x11]], with the following data for hashing: {big-endian LocalCommunicationId} {+0x10 size 0x10-bytes} {[[#ActionFrameSettings]] Passphrase with the specified PassphraseSize}.
The data payload is the data buffer for [[#SendActionFrame|SendActionFrame]]/[[#RecvActionFrame|RecvActionFrame]].


== lp2p ==
== lp2p ==

Latest revision as of 22:54, 21 September 2025

LDN handles all local network communication.

There's 2 IPC handler threads for all ldn:* services.

ldn:m

This is "nn::ldn::detail::IMonitorServiceCreator".

This has IPC max_sessions 5.

[20.2.0+] This has max_sessions 6.

Cmd Name
0 CreateMonitorService

CreateMonitorService

Returns an #IMonitorService.

The user-process closes the IMonitorServiceCreator object immediately after using this cmd.

IMonitorService

This is "nn::ldn::detail::IMonitorService".

Cmd Name
0 GetState
1 GetNetworkInfo
2 GetIpv4Address
3 GetDisconnectReason
4 GetSecurityParameter
5 GetNetworkConfig
100 #Initialize
101 #Finalize

GetState

No input, returns an output u32.

sdknso implements this by returning the u32, with 0 being returned on error.

GetNetworkInfo

Takes a type-0x1A output buffer containing a #NetworkInfo.

GetIpv4Address

No input, returns an output #Ipv4Address and a #SubnetMask.

GetDisconnectReason

No input, returns an output s16.

This is not exposed by sdknso.

This just returns 0.

GetSecurityParameter

No input, returns an output #SecurityParameter.

This is not exposed by sdknso.

GetNetworkConfig

No input, returns an output #NetworkConfig.

This is not exposed by sdknso.

Initialize

No input/output.

This is used immediately after object creation. Official sw will Abort if this fails.

This just returns 0.

Finalize

No input/output.

This is used during service exit, prior to closing the object. Official sw will Abort if this fails.

This just returns 0.

ldn:s

This is "nn::ldn::detail::ISystemServiceCreator".

This has IPC max_sessions 5.

[18.0.0+] The sdknso uses SessionManager with this, where the additional session-count is 0x3.

Cmd Name
0 CreateSystemLocalCommunicationService
1 [18.0.0+] CreateClientProcessMonitor

CreateSystemLocalCommunicationService

No input. Returns an #ISystemLocalCommunicationService.

The user-process closes the ISystemServiceCreator object once finished with it during initialization. Official sw ignores errors from this cmd.

CreateClientProcessMonitor

No input. Returns an #IClientProcessMonitor.

ISystemLocalCommunicationService

This is "nn::ldn::detail::ISystemLocalCommunicationService".

Cmd Name
0 GetState
1 GetNetworkInfo
2 GetIpv4Address
3 GetDisconnectReason
4 GetSecurityParameter
5 GetNetworkConfig
100 GetStateChangeEvent
101 GetNetworkInfoAndHistory
102 Scan
103 ScanPrivate
104 [5.0.0+] SetWirelessControllerPolicy
105 [13.1.0+] SetWirelessAudioPolicy
106 [18.0.0+] SetProtocol
200 OpenAccessPoint
201 CloseAccessPoint
202 CreateNetwork
203 CreateNetworkPrivate
204 DestroyNetwork
205 Reject
206 SetAdvertiseData
207 SetStationAcceptPolicy
208 AddAcceptFilterEntry
209 ClearAcceptFilter
300 OpenStation
301 CloseStation
302 Connect
303 ConnectPrivate
304 Disconnect
400 Initialize
401 Finalize
402 [4.0.0+] SetOperationMode
403 [7.0.0+] InitializeWithVersion
404 [19.0.0+] InitializeWithPriority
500 [18.0.0+] EnableActionFrame
501 [18.0.0+] DisableActionFrame
502 [18.0.0+] SendActionFrame
503 [18.0.0+] RecvActionFrame
505 [18.0.0+] SetHomeChannel
600 [18.0.0+] SetTxPower
601 [18.0.0+] ResetTxPower

GetState

No input, returns an output #State.

sdknso implements this by returning the u32, with 0 being returned on error / when service isn't initialized.

GetNetworkInfo

Takes a type-0x1A output buffer containing a #NetworkInfo.

GetIpv4Address

No input, returns an output #Ipv4Address and a #SubnetMask.

GetDisconnectReason

No input, returns an output #DisconnectReason.

sdknso implements this by returning the s16 as a s32, with -1 being returned on error.

GetSecurityParameter

No input, returns an output #SecurityParameter.

GetNetworkConfig

No input, returns an output #NetworkConfig.

GetStateChangeEvent

No input, returns an output Event handle.

sdknso uses EventClearMode=1 with this. sdknso will Abort if this cmd fails.

This is signaled when the data returned by #GetNetworkInfo/#GetNetworkInfoAndHistory is updated.

GetNetworkInfoAndHistory

Takes a type-0x1A output buffer containing a #NetworkInfo and a type-0xA output buffer containing an array of #NodeLatestUpdate.

The array count must be 8.

Scan

Takes a type-0x22 output buffer containing an array of #NetworkInfo, a s16 channel, a #ScanFilter, returns an output s16 total_out.

sdknso copies the output s16 to a s32, the value passed for the input s16 is from an user-specified s32 (user-apps generally use value 0 for this).

This is the same as #ScanPrivate, except this also has the same channel-override functionality as #CreateNetwork.

State must be 3-5.

The array count must be at least 1. This is clamped to a maximum of 0x18.

ScanPrivate

Takes a type-0x22 output buffer containing an array of #NetworkInfo, a s16 channel, a #ScanFilter, returns an output s16 total_out.

sdknso copies the output s16 to a s32, the value passed for the input s16 is from an user-specified s32.

See #Scan.

SetWirelessControllerPolicy

Takes an input #WirelessControllerRestriction, no output.

State must be 1.

The input value is written into state.

SetWirelessAudioPolicy

Takes an input #BluetoothAudioDeviceConnectableMode, no output.

SetProtocol

Takes an input u32, no output.

This cmd was implemented with [20.0.0+], prior to that this just returned an error.

The sdk user-process func will pass value 1 to the cmd when the input Protocol is 0/1, 3 is passed directly if specified, otherwise Abort. User-processes use SetProtocol immediately after initializing ldn.

[20.0.0+] The ldn initialization functionality in sdknso also uses this with value 1 (NX) eventually after the init cmd was used successfully.

The input is validated, then a vfunc is called.

The cmd_input must be non-zero. BIT(cmd_input) must be set in a state-field, otherwise a separate Result is returned.

The above state field originates from a ldn:u/ldn:s state field, which on NX is always set to 0xA. Therefore, on NX the above bit check only allows value 1 or 3.

The vfunc sends a message to another thread with the input u32 as the param, and returns the response from that.

The thread msg-queue-handler (besides other validation) uses the input param to select what values to write to state fields. Only input value 1 or 3 is allowed, with an error being thrown otherwise. The previously mentioned validation includes verifying that State is Initialized.

OpenAccessPoint

No input/output.

State must be 1, this cmd eventually sets the State to value 2.

CloseAccessPoint

No input/output.

State must be 2-3, this cmd eventually sets the State to value 1.

CreateNetwork

Takes an input #SecurityConfig, an #UserConfig, a #NetworkConfig, no output.

This is the same as #CreateNetworkPrivate, except the #AddressEntry params are 0, and the #SecurityParameter is generated from "nn::util::TinyMt::GenerateRandomBytes".

Unlike CreateNetworkPrivate, this overwrites the channel field in the #NetworkConfig. When the cached IsDevelopment value is true, the output from GetLdnChannel will overwrite that field if the s32 setting value is >=0, otherwise the original value is used. Otherwise when the IsDevelopment field is false (retail), the channel is overwritten with value 0.

This overwrites the u16 field at #SecurityConfig+0. When the cached IsDevelopment value is false (retail) ([18.0.0+] system-setting ldn!enable_static_security_mode_configuration is checked for being true instead), value 1 is used ([18.0.0+] value from system-setting ldn!static_security_mode is used, with fallback to value 1 if the setting is >=0x4), otherwise the original value is used.

State must be 2, this cmd eventually sets the State to value 3.

CreateNetworkPrivate

Takes an input #SecurityConfig, a #SecurityParameter, an #UserConfig, a #NetworkConfig, a type-0x9 input buffer containing an array of #AddressEntry, no output.

The buffer/count for #AddressEntry can be 0, in which case the network will be non-Private like #CreateNetwork. The count must be <=8.

See #CreateNetwork.

DestroyNetwork

No input/output.

State must be 3, this cmd eventually sets the State to value 2.

Reject

Takes an input #Ipv4Address, no output.

State must be 3.

SetAdvertiseData

Takes a type-0x21 input buffer, no output.

The input buffer contains arbitrary user data.

The buffer size must be <=0x180. An empty buffer (addr=NULL/size=0) can be used to reset the AdvertiseData size in state to zero.

State must be 2-3.

SetStationAcceptPolicy

Takes an input #AcceptPolicy, no output.

State must be 2-3.

AddAcceptFilterEntry

Takes an input MacAddress, no output.

There are two sdknso funcs implementing this: one which takes a MacAddress directly, the other loads the MacAddress from the input NodeInfo.

State must be 2-3.

ClearAcceptFilter

No input/output.

State must be 2-3.

OpenStation

No input/output.

State must be 1, this cmd eventually sets the State to value 4.

CloseStation

No input/output.

State must be 4-5, this cmd eventually sets the State to value 1.

Connect

Takes a type-0x19 input buffer containing a #NetworkInfo, a #SecurityConfig, an #UserConfig, a s32 LocalCommunicationVersion, a #ConnectOption, no output.

State must be 4, this cmd eventually sets the State to value 5.

This is identical to #ConnectPrivate (besides the below), except the data internally passed for #SecurityParameter/#NetworkConfig are loaded from the input #NetworkInfo.

[1.0.0-?] This overwrites the u16 field at #SecurityConfig+0. When the cached IsDevelopment value is false (retail), value 1 is used, otherwise the used value is: original_field == 0 ? {u16 #NetworkInfo+0x60} : original_field. [18.0.0+] This now uses the same SecurityMode override as CreateNetwork.

u32 LocalCommunicationVersion>>15 must be 0.

ConnectPrivate

Takes a #SecurityConfig, #SecurityParameter, an #UserConfig, a s32 LocalCommunicationVersion, a #ConnectOption, a #NetworkConfig, no output.

See #Connect.

[1.0.0-?] This overwrites the u16 field at #SecurityConfig+0. When the cached IsDevelopment value is false (retail), value 1 is used, otherwise the original value is used. [18.0.0+] This now uses the same SecurityMode override as Connect.

Disconnect

No input/output.

State must be 5, this cmd eventually sets the State to value 4.

Initialize

Takes an input PID and an u64 pid_placeholder.

This is used immediately after object creation.

On old sysvers the cmd impl for User/System are identical, except different params are used for the funcs called internally.

With [7.0.0+] InitializeWithVersion is used instead. The cmd impl for Initialize uses InitializeWithVersion with version=0.

Finalize

No input/output.

This is used during service exit, prior to closing the object. Official sw will Abort if this fails.

If State is set for it, this will run the equivalent of #CloseAccessPoint/#CloseStation when needed.

State must be non-zero, this cmd eventually sets the State to value 0.

SetOperationMode

Takes an input #OperationMode, no output.

State must be 1.

The input value is written into state.

InitializeWithVersion

Takes an input PID, a s32 version, and an u64 pid_placeholder.

The priority is determined by whether the interface is User/System: System = 0x38, User = 0x5A.

It then calls the init func, with the cmd input params and the above priority, returning the Result on failure.

On newer sysvers this then adds an entry for the state array used by RegisterClient.

Lastly the input PID and version are written into state, then this returns.

The init func does the following:

  • The PID must be non-zero, and the version must not be negative. The priority must be 0x5A or 0x38.
  • An error is returned if state fields are invalid.
  • The input PID and version are written into state (a state field is also set to interface == User).
  • Lastly, a vfunc is called with the input priority, returning the Result from that.

The vfunc does the following:

  • On newer sysvers, this uses pl:s RequestApplicationFunctionAuthorizationByProcessId with the input PID and ApplicationFunctionAuthorizationId = 2 (SecureLdnLocalCommunication), returning the Result on failure.
  • Then a message is sent to a msg-queue with the input priority.

The handler for the above message does the following:

  • When state is already initialized, runs handling for that. An error is also thrown if the input priority is larger than a state field.
  • Initializes state, etc.
  • Various nifm funcs are eventually used. The input priority is used to determine the value for nn::nifm::RequestParameters: value 0x4 or value 0x8 is used, depending on priority > 0x59.
    • Newer versions also handle ldn lan_emulation sys-settings here. For the above value, when lan_emulation is enabled it uses value 0x17, with 0x18 additionally used for priority <= 0x59.
  • The rest is state init, including setting State to value 1. Then 0 is returned.

On old sysvers the cmd impl for User/System are identical, except different params are used for the funcs called internally. With newer sysvers the cmd impl is now identical.

Version values passed by official sw:

Value SystemVersion
0x1 [7.0.0+]
0x2 [18.0.0+]
0x3 [19.0.0+]
0x4 [20.0.0+]

InitializeWithPriority

Takes an input PID, a s32 version, a s32 priority, and an u64 pid_placeholder.

This is similar to InitializeWithVersion. The input priority is passed directly to the init func which is called here, instead of determining it from whether the interface is User/System.

Official sw passes input value 0x38 for the priority as the default, when the user doesn't specify the priority.

EnableActionFrame

Takes an input #ActionFrameSettings. No output.

State must be Initialized.

DisableActionFrame

No input/output.

State must be Initialized.

SendActionFrame

Takes a type-0x21 input buffer, two input #MacAddress, two input s16s (Band and ChannelNumber) and an input #MessageFlagSet. No output.

[20.0.0+] The input s16s were replaced with a single u16, which has the same format as SetHomeChannel.

The first #MacAddress is the destination, the second #MacAddress is the Bssid.

The ChannelNumber must be non-zero.

State must be 3-4 (AccessPointCreated/Station).

RecvActionFrame

Takes a type-0x22 output buffer and an input #MessageFlagSet. Returns two output #MacAddress, two output s16s (Band and ChannelNumber), an output u32 Size, and an output s32 LinkLevel.

[20.0.0+] The output s16s were replaced with a single u16, which has the same format as SetHomeChannel.

EnableActionFrame must be used prior to this.

SetHomeChannel

Takes two input s16s Band and ChannelNumber. No output.

[20.0.0+] Now takes an input u16 instead of two s16s, merging the two params. Bitmask 0x3FF (low 10-bits) is the ChannelNumber, while the remaining upper 6-bits is the Band. The Band is used as an array index to load the actual Band for passing to a func. Only the following Band input is valid, others return 0x0/0xFFFF: 2 - > 2400, 5 -> 5000, 6 -> 6000.

On NX Band must be ([20.0.0+] converted Band from the above array) 50 ([20.0.0+] 5000) or 24 ([20.0.0+] 2400).

The ChannelNumber must be non-zero.

The State must be Station.

sdknso uses the input channel to convert to the input needed by the cmd.

SetTxPower

Takes an input s16 Power. No output.

The input must be 0x0..0xFF.

A state field must be non-zero.

The State must be 2-5 (AccessPoint*/Station*).

ResetTxPower

No input/output.

The same state field checked by SetTxPower must be non-zero. The State check is also the same as SetTxPower.

IClientProcessMonitor

This is "nn::ldn::detail::IClientProcessMonitor".

This was added with [18.0.0+].

Cmd Name
0 RegisterClient

RegisterClient

Takes an input PID and an u64 pid_placeholder.

[18.0.0+] CreateClientProcessMonitor and RegisterClient are used by sdknso at the end of the ldn initialization functionality.

If the objptr in IClientProcessMonitor state is already set from using this cmd previously, this just returns 0.

This goes through global state to locate an entry with a matching PID, if none found 0 is returned. The objptr from the state entry is loaded, if NULL this returns 0. This obj is then incref'd and written into the IClientProcessMonitor state. When PID is 0, 0 is returned. It then locates the above state entry again with a matching PID, clearing the entry which matches. Lastly 0 is returned.

The initialization cmds adds an entry to the above global state.

ldn:u

This is "nn::ldn::detail::IUserServiceCreator".

This has IPC max_sessions 3.

[18.0.0+] The sdknso uses SessionManager with this, where the additional session-count is 0x3.

Cmd Name
0 CreateUserLocalCommunicationService
1 [18.0.0+] CreateClientProcessMonitor

CreateUserLocalCommunicationService

Returns an #IUserLocalCommunicationService.

The user-process closes the IUserServiceCreator object once finished with it during initialization. Official sw ignores errors from this cmd.

IUserLocalCommunicationService

This is "nn::ldn::detail::IUserLocalCommunicationService".

Cmd Name
0 GetState
1 GetNetworkInfo
2 GetIpv4Address
3 GetDisconnectReason
4 GetSecurityParameter
5 GetNetworkConfig
100 GetStateChangeEvent
101 GetNetworkInfoAndHistory
102 Scan
103 ScanPrivate
104 [5.0.0+] SetWirelessControllerPolicy
105 [13.1.0+] SetWirelessAudioPolicy
106 [18.0.0+] SetProtocol
200 OpenAccessPoint
201 CloseAccessPoint
202 CreateNetwork
203 CreateNetworkPrivate
204 DestroyNetwork
205 Reject
206 SetAdvertiseData
207 SetStationAcceptPolicy
208 AddAcceptFilterEntry
209 ClearAcceptFilter
300 OpenStation
301 CloseStation
302 Connect
303 ConnectPrivate
304 Disconnect
400 Initialize
401 Finalize
402 [7.0.0+] InitializeWithVersion
403 [19.0.0+] SetOperationMode
500 [18.0.0+] EnableActionFrame
501 [18.0.0+] DisableActionFrame
502 [18.0.0+] SendActionFrame
503 [18.0.0+] RecvActionFrame
505 [18.0.0+] SetHomeChannel
600 [18.0.0+] SetTxPower
601 [18.0.0+] ResetTxPower

ndd

This is "nn::ndd::IService".

This was added with [5.0.0] and removed with [6.0.0].

Cmd Name
0 EnableAutoCommunication
1 DisableAutoCommunication
2 IsAutoCommunicationEnabled
3 EnablePowerSave
4 DisablePowerSave
5 IsPowerSaveEnabled
6 IsNetworkActive
7 AcquireSendDataUpdateEvent
8 AddSendData
9 ClearSendData
10 GetSendData
11 AcquireReceiveDataEvent
12 GetCurrentReceiveDataCounter
13 GetOldestReceiveDataCounter
14 GetNextReceiveDataCounter
15 GetAvailableReceiveDataCount
16 GetRecentReceiveDataCounter
17 GetReceiveData
18 AddReceiveData
19 ClearReceiveData
20 ClearDataIdFilter
21 AcquireDeviceScanEvent
22 StartDeviceScan
23 CancelDeviceScan
24 GetDeviceScanResult

lp2p:app, lp2p:sys

These are "nn::lp2p::detail::ISfServiceCreator".

These were added with [9.0.0+].

lp2p:app is used by Mario Kart Live: Home Circuit. lp2p:sys is used by LibraryAppletPhotoViewer with [11.0.0+].

Cmd Name
0 CreateNetworkService
8 CreateNetworkServiceMonitor

CreateNetworkService

Takes a PID-descriptor, a reserved input u64 and an input u32. Returns an output #ISfService.

The input u32 must be value 0x1.

CreateNetworkServiceMonitor

Takes a PID-descriptor and a reserved input u64. Returns an output #ISfServiceMonitor.

ISfService

This is "nn::lp2p::detail::ISfService".

Cmd Name
0 Initialize
256 [9.0.0-9.0.1] AttachNetworkInterfaceStateChangeEvent
264 [9.0.0-9.0.1] GetNetworkInterfaceLastError
272 [9.0.0-9.0.1] GetRole
280 [9.0.0-9.0.1] GetAdvertiseData
288 [9.0.0-9.0.1] GetGroupInfo
296 [9.0.0-9.0.1] GetGroupInfo2
304 [9.0.0-9.0.1] GetGroupOwner
312 [9.0.0-9.0.1] GetIpConfig
320 [9.0.0-9.0.1] GetLinkLevel
512 Scan
768 CreateGroup
776 DestroyGroup
784 SetAdvertiseData
1536 SendToOtherGroup
1544 RecvFromOtherGroup
1552 AddAcceptableGroupId
1560 [9.1.0+] ClearAcceptableGroupId

Initialize

No input/output.

Returns 0.

Unused by official sw.

Scan

Takes a type-0x19 input buffer containing a #GroupInfo and a type-0x22 output buffer containing an array of #ScanResult. Returns an output s32 TotalOut.

CreateGroup

Takes a type-0x31 input buffer containing a #GroupInfo. No output.

mklive uses the following string with this: "Failed to create a group: %08X".

The role must be 0. This eventually sets the role to value 1.

DestroyGroup

No input/output.

This destroys the previously created group. If no group was previously created (role is not 1), this just returns 0.

SetAdvertiseData

Takes a type-0x21 input buffer. No output.

The buffer size must be <=0x80. The role must be <=1.

A string in mklive refers to the buffer data as "scan advertise data".

SendToOtherGroup

Takes an input MacAddress, a #GroupId, a s16 Frequency, a s16 Channel, an u32 MessageFlag and a type-0x21 input buffer. No output.

The buffer size must be <=0x400.

The MacAddress must be non-zero. The s16s must be >=1.

Only bit0 is used from flags: clear = block until the data can be sent, set = return error when the data can't be sent.

A string in mklive refers to the buffer data as "Action frame".

The role must be non-zero. The error from #GetNetworkInterfaceLastError will be returned if it's set.

[11.0.0+] #GroupInfo+0x8A must be value 2, otherwise an error is returned.

This sends an Action frame to the specified #GroupId, with the specified destination MacAddress (can be a broadcast address).

The frequency param is the same as the #GroupInfo+0x84 field.

RecvFromOtherGroup

Takes an input u32 MessageFlag and a type-0x22 output buffer. Returns a MacAddress, an u16 Frequency, a s16 Channel, an u32 OutSize and a s32.

The OutSize is the original size used for copying to the output buffer, before it's clamped to the output-buffer size.

Only bit0 is used from MessageFlag: clear = block until data is available, set = return error when data is not available.

When data is not available, the error from #GetNetworkInterfaceLastError will be returned if it's set.

The role must be non-zero.

This receives an Action frame.

AddAcceptableGroupId

Takes an input #GroupId. No output.

ClearAcceptableGroupId

No input/output.

ISfServiceMonitor

This is "nn::lp2p::detail::ISfServiceMonitor".

This interface has no commands, until [9.1.0+] which added actual commands.

Cmd Name
0 Initialize
256 AttachNetworkInterfaceStateChangeEvent
264 GetNetworkInterfaceLastError
272 GetRole
280 GetAdvertiseData
281 GetAdvertiseData2
288 GetGroupInfo
296 GetGroupInfo2
304 GetGroupOwner
312 GetIpConfig
320 GetLinkLevel
328 AttachJoinEvent
336 GetMembers

Initialize

Returns 0.

Unused by official sw.

AttachNetworkInterfaceStateChangeEvent

No input. Returns an output Event handle with EventClearMode=0.

GetNetworkInterfaceLastError

No input/output.

GetRole

No input. Returns an output u8.

GetAdvertiseData

Takes a type-0x22 output buffer. Returns two output u16s.

Validates that the role is value 2, then copies data from state into the output buffer. The first output u16 is the size used for the memcpy, the second u16 is the original size from state.

GetAdvertiseData2

Takes a type-0x22 output buffer. Returns two output u16s.

This is identical to #GetAdvertiseData except this doesn't run the role validation.

GetGroupInfo

Takes a type-0x32 output buffer containing a #GroupInfo.

Validates that the role is non-zero, then copies the struct from state into the output buffer.

GetGroupInfo2

Takes a type-0x32 output buffer containing a #GroupInfo and a type-0x31 input buffer containing a #GroupInfo.

This runs the same code as #CreateGroup to generate the #GroupInfo for the input struct (which with #CreateGroup would be available with #GetGroupInfo). The input struct is the same as #CreateGroup.

GetGroupOwner

No input. Returns an output NodeInfo.

Validates that the role is non-zero, then copies the data from state to output.

GetIpConfig

Takes a type-0x1A output buffer containing a 0x100-byte struct.

Validates that the role is non-zero, then copies the struct from state into the output buffer.

+0x20 is the struct sockaddr IP address, +0x40 is the struct sockaddr subnet-mask, +0x60 is the struct sockaddr gateway(?). The address for the last one is set to localhost.

GetLinkLevel

No input. Returns an output u32.

AttachJoinEvent

No input. Returns an output Event handle with EventClearMode=0.

GetMembers

Takes a type-0x22 output buffer containing an array of NodeInfo. Returns an output s32 TotalOut.

Validates that the role is value 1. Then any entries from state which are available are copied into the output array buffer, if there's space available. A maximum of 8 entries can be returned.

A string in mklive refers to the array data as "connected members".

lp2p:m

This is "nn::lp2p::monitor::detail::ISfMonitorServiceCreator".

This was added with [9.1.0+].

Cmd Name
0 CreateMonitorService

CreateMonitorService

Takes a PID-descriptor, a reserved input u64 and an input u64. Returns an #ISfMonitorService.

ISfMonitorService

This is "nn::lp2p::monitor::detail::ISfMonitorService".

Cmd Name
0 Initialize
288 GetGroupInfo
320 GetLinkLevel

Initialize

Returns 0.

State

This is "nn::ldn::State".

Value Description
0 None
1 Initialized
2 AccessPoint
3 AccessPointCreated
4 Station
5 StationConnected
6 Error

Ipv4Address

This is "nn::ldn::Ipv4Address". This is a 0x4-byte struct with 4-byte alignment.

This is essentially the same as struct in_addr, except this is little-endian.

This is generally "169.254.XXX.{...}", where XXX is random per created network.

SubnetMask

This is "nn::ldn::SubnetMask". This is a 0x4-byte struct with 4-byte alignment.

This is essentially the same as struct in_addr, except this is little-endian.

Ssid

This is "nn::ldn::Ssid".

When converting a Ssid to a string, the loaded chars from the string must be in the range of 0x20-0x7F, otherwise the byte written to the string will be 0.

Offset Size Description
0x0 0x1 Length (excluding NUL-terminator, must be 0x1-0x20)
0x1 0x21 Raw (SSID string including NUL-terminator, str[{above length}] must be 0)

MacAddress

This is "nn::ldn::MacAddress". This is a 6-byte struct with 1-byte alignment.

NodeInfo

This is "nn::ldn::NodeInfo".

The first node in the nodes array is always the AccessPoint (NodeId 0x0). NodeId is the index of the node in the nodes array.

Offset Size Description
0x0 0x4 Ipv4Address
0x4 0x6 MacAddress
0xA 0x1 NodeId
0xB 0x1 IsConnected
0xC 0x21 UserName
0x2D 0x1 [19.0.0+] Platform? (0 = NX, 1 = Ounce)
0x2E 0x2 LocalCommunicationVersion
0x30 0x10 Reserved

NodeLatestUpdate

This is "nn::ldn::NodeLatestUpdate". This is a 0x8-byte struct.

Offset Size Description
0x0 0x1 StateChange
0x1 0x7 Reserved

IntentId

This is "nn::ldn::IntentId".

Offset Size Description
0x0 0x8 LocalCommunicationId
0x8 0x2 Reserved
0xA 0x2 SceneId
0xC 0x4 Reserved
  • LocalCommunicationId: CreateNetwork, CreateNetworkPrivate, Connect, ConnectPrivate (also ScanFilter when enabled with the flag): When -1, this is overwritten with the first LocalCommunicationId from the user-process NACP, if loading fails value 0 is written instead. Otherwise when not -1, if NACP loading is successful, this field must match one of the LocalCommunicationIds from there.
  • SceneId: Arbitrary user data, this can be used for filtering with ScanFilter for example.

SessionId

This is "nn::ldn::SessionId".

This is used to generate/overwrite the Ssid when needed.

Offset Size Description
0x0 0x10 Random

NetworkId

This is "nn::ldn::NetworkId". This is a 0x20-byte struct.

Offset Size Description
0x0 0x10 IntentId
0x10 0x10 SessionId

CommonNetworkInfo

This is "nn::ldn::CommonNetworkInfo". This is a 0x30-byte struct.

Offset Size Description
0x0 0x6 Bssid
0x6 0x22 Ssid
0x28 0x2 Channel
0x2A 0x1 LinkLevel
0x2B 0x1 NetworkType
0x2C 0x4 Reserved

LdnNetworkInfo

This is "nn::ldn::LdnNetworkInfo". This is a 0x430-byte struct.

Offset Size Description
0x0 0x10 ServerRandom
0x10 0x2 SecurityMode
0x12 0x1 StationAcceptPolicy
0x13 0x1 Version
0x14 0x2 Reserved
0x16 0x1 NodeCountMax
0x17 0x1 NodeCount
0x18 0x200 (0x40 * 8) Nodes
0x218 0x2 Reserved
0x21A 0x2 AdvertiseDataSize
0x21C 0x180 AdvertiseData
0x39C 0x8C Reserved
0x428 0x8 [6.0.0-?] Challenge (set to the output from es cmd1501 during network creation) ([?+] only used internally, not exposed in LdnNetworkInfo anymore)

NetworkInfo

This is "nn::ldn::NetworkInfo". This is a 0x480-byte struct.

The fields listed as Reserved (besides the fields before +0x10) are cleared during the memset and are not written to again afterwards, with cmds which return NetworkInfo.

Offset Size Description
0x0 0x20 NetworkId
0x20 0x30 Common
0x50 0x430 Ldn

ScanFilter

This is "nn::ldn::ScanFilter". This is a 0x60-byte struct with 8-byte alignment.

sdknso copies the input ScanFilter to a tmp struct on stack (with Flag masking), which is then used with the cmd. sdknso only copies Bssid with ScanPrivate, with Scan it also masks out the Flag for Bssid.

Offset Size Description
0x0 0x20 NetworkId
0x20 0x4 NetworkType
0x24 0x6 Bssid
0x2A 0x22 Ssid
0x4C 0x10 Reserved
0x5C 0x4 Flag

Each Flag bit when set enables using the corresponding ScanFilter data. This is usually a compare with the ScanFilter data and the internal NetworkInfo data.

  • NetworkType: (ScanFilter_NetworkType & NetworkInfo_NetworkType) must be non-zero.
  • Ssid: The length fields must match, then memcmp is used.

The filtering func also handles validating the Band/Channel, however these fields are internal only and are not exposed in the user ScanFilter.

ScanFilterFlag

This is "nn::ldn::ScanFilterFlag".

Value Description
0x0 None
0x1 LocalCommunicationId
0x2 SessionId
0x4 NetworkType
0x8 Bssid
0x10 Ssid
0x20 SceneId
0x21 IntentId
0x23 NetworkId
0x3F All

NetworkConfig

This is "nn::ldn::NetworkConfig". This is a 0x20-byte struct with 8-byte alignment.

sdknso copies the input NetworkConfig to a tmp struct on stack, which is then used with the cmd (#CreateNetwork, #CreateNetworkPrivate, #ConnectPrivate).

Offset Size Description
0x0 0x10 IntentId
0x10 0x2 Channel
0x12 0x1 NodeCountMax
0x13 0x1 Reserved
0x14 0x2 LocalCommunicationVersion
0x16 0xA Reserved

WirelessControllerRestriction

This is "nn::ldn::WirelessControllerRestriction". This is an u32 enum.

This is used to determine the value passed to btm SetWlanMode.

Value Description
0 Disabled
1 Enabled

WirelessAudioRestriction

This is "nn::ldn::WirelessAudioRestriction". This is an u32 enum.

Value Description
0 Disabled
1 Enabled

SecurityMode

This is "nn::ldn::SecurityMode". This is an u32 enum.

Value Description
0 Any
1 Product
2 Debug
3 SystemDebug

Value:

  • 1-2: Broadcast Action frame data is encrypted.
  • 3: Broadcast Action frame data is plaintext.
  • 1: Data frames are encrypted.
  • 2-3: Data frames for normal data-transfer are plaintext - the network is Open.

SecurityConfig

This is "nn::ldn::SecurityConfig". This is a 0x44-byte struct with 2-byte alignment.

Offset Size Description
0x0 0x2 SecurityMode (overwritten by #CreateNetwork/#CreateNetworkPrivate and #Connect/#ConnectPrivate, the value used internally by these cmds must be 1-3)
0x2 0x2 PassphraseSize (must be 0x10-0x40)
0x4 0x40 Passphrase (used with key derivation)

SecurityParameter

This is "nn::ldn::SecurityParameter". This is a 0x20-byte struct with 1-byte alignment.

Offset Size Description
0x0 0x10 ServerRandom (used with the same key derivation as #SecurityConfig)
0x10 0x10 SessionId

UserConfig

This is "nn::ldn::UserConfig". This is a 0x30-byte struct with 1-byte alignment.

An error is thrown if UserName+0x20 is non-zero.

sdknso copies the input UserConfig to a tmp struct on stack, which is then used with the cmd. Only the first 0x20-bytes are copied, with the rest cleared.

Offset Size Description
0x0 0x21 UserName (NUL-terminated string for the user name)
0x21 0xF Reserved

AddressEntry

This is "nn::ldn::AddressEntry". This is a 0xC-byte struct.

Offset Size Description
0x0 0x4 #Ipv4Address
0x4 0x6 MacAddress
0xA 0x2 Reserved

AcceptPolicy

This is "nn::ldn::AcceptPolicy". This is an u8.

Value Description
0 AlwaysAccept
1 AlwaysReject
2 BlackList (addresses in the list are not allowed)
3 WhiteList (only addresses in the list are allowed)

ConnectOption

This is "nn::ldn::ConnectOption". This is an u32 bitmask.

There's two versions of the sdknso funcs for #Connect/#ConnectPrivate: the version where the ConnectOption isn't user-specified uses a default value of 0x1 for it, with the same ShowError code without the bit0 check.

When bit0 here is set after using the above cmds, the sdknso funcs will use ShowError with the returned Result if: (rc & 0x3FE1FF) == 0xE0CB.

This must be <=0x1, besides this validation ConnectOption is ignored by #Connect/#ConnectPrivate.

DisconnectReason

This is "nn::ldn::DisconnectReason".

Value Description
-1 Unknown
0 None
1 DisconnectedByUser
2 DisconnectedBySystem
3 DestroyedByUser
4 DestroyedBySystem
5 Rejected
6 SignalLost

OperationMode

This is "nn::ldn::OperationMode". This is an u32 enum.

This controls bit1 in the value passed to wlan:lcl cmd0/cmd1: bit1 = OperationMode==1.

Value 1 seems to affect power (?) related fields in the beacon tags?

Value Description
0 Stable
1 HighSpeed

Protocol

This is "nn::ldn::Protocol". This is an u32 enum.

Value Description
0 Default
1 NX
3 (NXAndOunce?)

The Initialize* cmds configure state the same as using SetProtocol with Protocol NX.

There's presumably a S2-only value which enables using Ounce-only keys. Attempting to decrypt Ounce-only ldn with the Protocol3 keys fails (including with Scan/ScanPrivate), with the following (with S2 hosting):

  • In-game ldn-usage for a S2-only Application.
  • Local-game-update with a S2-only Application.
  • Local-game-update for a S1-game which has a Nintendo Switch 2 Edition available, even without the S2-Edition being installed.

There's system-titles which use SetProtocol. While there's game(s) which use SetProtocol, there's no known (?) games using Protocol3 (excluding GameShare which is system).

ActionFrameSettings

This is "nn::ldn::ActionFrameSettings". This is a 0x80-byte struct.

Offset Size Description
0x0 0x8 LocalCommunicationId
0x8 0x34 Reserved
0x3C 0x2 SecurityMode
0x3E 0x2 PassphraseSize (Must be 0x10-0x40)
0x40 0x40 Passphrase

SecurityMode must be 1-2. The same SecurityMode override functionality from elsewhere is used later with this.

The same LocalCommunicationId override/validation from elsewhere is used with the input as well.

MessageFlagSet

This is "nn::ldn::MessageFlagSet". This is a BitFlagSet object for #MessageFlag.

MessageFlag

This is "nn::ldn::MessageFlag".

Value Description
0

SendActionFrame/RecvActionFrame handles bit0 the same way as the MessageFlag with lp2p SendToOtherGroup/RecvFromOtherGroup.

MacAddress

This is "nn::lp2p::MacAddress". Same as MacAddress.

GroupId

This is "nn::lp2p::GroupId". This is a 6-byte struct with 1-byte alignment.

This is a WiFi BSSID.

NodeInfo

This is "nn::lp2p::NodeInfo". This is a 0x80-byte struct.

Offset Size Description
0x0 struct sockaddr for the IP address.
0x24 0x6 MacAddress

GroupInfo

This is "nn::lp2p::GroupInfo". This is a 0x200-byte struct.

mklive sets the SSID to a string generated from random data.

Scan only uses the following fields for the cmd input struct: SupportedPlatform/Priority, Frequency/Channel, and PresharedKeyBinarySize/PresharedKey.

Offset Size Description
0x0 0x10 Wrapped master key. When zero, set to randomly-generated data. This is decrypted with a "static AES key" and used to derive the 4 encryption keys for the session.
0x10 0x8 LocalCommunicationId. When zero, the value from control.nacp is loaded. This is later validated by #Join/#CreateGroup the same way as the #NetworkConfig field. Used during key derivation to derive keys B and D.
0x18 0x6 #GroupId ("GROUP ID (BSSID)"). When zero, the default is used. The default should be used here: an error is thrown if the data here doesn't match the output from wlan:lcl cmd2.
0x1E 0x21 ServiceName ("GROUP NAME (SSID)"). NUL-terminated string. See below.
0x3F 0x1 s8 Flags count. Must be <=0x3F.
0x40 0x40 Array of s8 with the above count. Each entry value must be <=0x3F. Each entry is an array index used to load a set of flags from a global array with the specified index. global_flags are also masked with flags loaded from here. User-processes use entryval=1 as the default, with [11.0.0+] entryval=0 can be used for standard WPA2-PSK (see +0x8A).
0x80 0x1 SupportedPlatform. Must match value 1. 0 is PlatformIdNX, 1 is PlatformIdRcd.
0x81 0x1 MemberCountMax. s8, Must be <=0x8. During group creation this is passed to wlan:lcl cmd40, when this is value 0 a default of value 1 is passed. During group-creation when the below +0x88 field is not value 0x2, the passed WlanMode is x81_field_val > 3.
0x82 0x1
0x84 0x2 Frequency. Wifi frequency: 24 = 2.4GHz, 50 = 5GHz.
0x86 0x2 s16 Channel ("CHANNEL"). Wifi channel number. 0 = use default, otherwise this must be one of the following depending on the frequency field:
  • 24: 1, 6, 11.
  • 50: 36, 40, 44, 48.
0x88 0x1 NetworkMode. Used during group-creation to determine the WlanMode to use. When this is value 0x2, mode=3 is used, otherwise it's determined via the +0x81 field.
0x89 0x1 PerformanceRequirement.
0x8A 0x1 Security type, used during key derivation. 0 = use defaults, 1 = plaintext, 2 = encrypted. [11.0.0+] 3: Standard WPA2-PSK.
0x8B 0x1 StaticAesKeyIndex. s8, used as the array-index for selecting the KeySource used with GenerateAesKek during key derivation. Should be 1-2, otherwise GenerateAesKek is skipped and zeros are used for the AccessKey instead.
0x8D 0x1 Priority. Must match one of the following, depending on the used service (doesn't apply to #Join): 55 = SystemPriority (lp2p:sys), 90 = ApplicationPriority (lp2p:app and lp2p:sys).
0x8E 0x1 StealthEnabled. Bool flag, controls whether the SSID is hidden.
0x8F 0x1 If zero, a default value of 0x20 is used.
0x1C0 0x1 PresharedKeyBinarySize. Must be 0x20 for PresharedKeyBinary. [11.0.0+] With WPA2-PSK, this must be value 1.
0x1C1 0x3F ([9.0.0-10.2.0] 0x20) PresharedKey. Used to derive encryption keys A and C. [11.0.0+] With WPA2-PSK, this is the passphrase string (length must be at least 8).

In order for the ServiceName to be valid without a new one being generated, the following checks must pass:

  • It loops through the characters in the string, looking for the first '_' character:
    • The loop will exit once a '_' character is found.
    • The character must be '-', or alphanumeric (lowercase/uppercase), otherwise the function will immediately return failure.
    • The loop will also exit once string_pos is >19, in which case the function will also immediately return failure.
  • Then it checks the 11 characters which follow the above:
    • The character must be hex: '0'-'9', or 'A-F' / 'a-'f.
  • The following character must be a NUL-terminator.
  • The last hex character above, then the characters for the whole string prior to the last hex character are summed. return sum % 0x2B == 0. u32 is used for these calculations. (Return success when sum is a multiple of 0x2B, otherwise return failure)

If the above fails, then the following runs, otherwise it just returns 0:

  • It loops through the characters in the string.
    • The character must be '-', or alphanumeric (lowercase/uppercase), otherwise the function will immediately return failure.
    • The loop will exit once string_pos>20 is reached, or when a NUL-terminator is reached.
  • Once finished, success is returned if string_pos-1 is <20, otherwise failure is returned (which also immediately occurs if the first character is a NUL-terminator).

If the above fails, an error is returned, otherwise a new ServiceName is generated:

  • Up to 20 characters are copied from the original ServiceName to the output ServiceName, stopping once the limit is reached or when a NUL-terminator is reached.
  • '_' is appended to the string.
  • nn::util::TSNPrintf({strptr following the above character}, {remaining size}, "%02X%02X%02X%02X%02X", GroupId_byte3, GroupId_byte4, GroupId_byte5, (IsDevelopment ? 0x80 : 0) | 0x1, 0);
  • Then the last character is set to the output from a calling a function:
    • All string characters which were already written are summed same way as above. Then: return character_lookup_table[sum % 0x2B]; (If the length passed to this function is 0, this will instead just return character_lookup_table[0])
      • character_lookup_table contains 0x2B entries: [V-A][k-a][5-0][Z-W].

loaded_flags are first loaded from elsewhere, then masked with the above flags when available. loaded_flags are used when +0x8A is 0. global_flags are loaded from global data. These flags are only used with #CreateGroup/#Join. Flags (note that the following was updated with [11.0.0+], and differs from below):

  • Bit2 clear:
    • global_flags must be non-zero, and loaded_flags bit1 must be set.
    • u8 +0x8A is set to value 1.
    • When the cached IsDevelopment value is false (retail), an error is thrown.
    • u8 +0x8B is set to value 0.
  • Otherwise, if bit2 is set:
    • u8 +0x8A is set to value 2.
    • global_flags bit1 set:
      • u8 +0x8B is set to value 1.
    • Otherwise, if global_flags bit2 is set:
      • u8 +0x8B is set to value 2.

ScanResult

This is "nn::lp2p::ScanResult". This is a 0x300-byte struct.

Offset Size Description
0x0 0x200 #GroupInfo
0x200 0x1
0x206 0x2 AdvertiseData size.
0x208 0x80 AdvertiseData

Network protocol

ldn

A beacon and Action frame are broadcasted. The SSID in the beacon is hidden (32-bytes with value 0). For #Scan/#ScanPrivate it doesn't matter if no beacon is available (#NetworkInfo is the same), as long as the Action frame is broadcasted. However, the Station will not send a probe-request during connection if no beacon is available (and therefore not attempt any communication with the AccessPoint). The beacon doesn't have any custom Nintendo data, that data is in the Action frame.

During connection, the Station first sends a probe-request using the generated SSID from the Action frame. If the probe-response contains the expected data for the #SecurityConfig type, the Station then proceeds to connect to the AccessPoint.

Keys are derived with: GenerateAesKek(AccessKey, KeySource, Generation, Option=0); GenerateAesKey(out_key, AccessKey, {output from SHA256(data_to_hash)}); The key for data-frames, if enabled, is derived from a buffer containing: {#SecurityParameter+0x0} followed by {#SecurityConfig Passphrase with the specified PassphraseSize}. The #ActionFrame/data-frame keys are derived roughly the same, the only difference is the data for hashing + the KeySource. The key derived by ldn is used directly as the static CCMP key for all data-frames (CCMP / MIC is standard). When Protocol is 3 the Generation is 0x13 instead of 0x0, for all of the previously mentioned keys derivation.

Then the Station scans for an #ActionFrame for loading the #NetworkInfo.

Once connected, the AccessPoint sends Epigram-vendor Action frame(s) (same data) to the Station, the Station doesn't require these frames: dd1afeedfacedeadbeef010000000a00000000000000000000000000. Then the Station must Authenticate with the AccessPoint, this is custom. The Station sends a frame (a maximum of 3 times in some cases if errors occur, with the same data), and the AccessPoint sends a response. Once Authenticated, the node is added to the NodeInfo array in #NetworkInfo. If the Station does not successfully Authenticate X-seconds after connecting, the AccessPoint disconnects the Station. If the Station fails to Authenticate, the Station itself will disconnect as well.

After Authentication the Station will scan for another #ActionFrame, with frame-comparision enabled with the above frame (frame must have been updated since the previous scan). The Station locates the index for a MacAddress matching itself in the #NetworkInfo NodeInfo array (the entry for the AccessPoint is skipped), throwing an error if not found. After validating the LocalCommunicationVersion, it proceeds to handle ARP setup below.

This does not use DHCP, each node on the network has to manually setup IP-config with the NodeInfo array in #NetworkInfo. [?+] After the client is authenticated ARP may be used in some cases however.

At this point standard sockets can be used over Data frames.

EthFrame

The custom Ethernet frames have the following structure:

  • "Type: IEEE 802a OUI Extended Ethertype (0x88b7)"
  • "IEEE802a OUI Extended Ethertype":
    • "Organization Code: 00:22:aa (Nintendo Co., Ltd.)"
    • "Protocol ID: {...}"
  • The first byte of Data is value 0, then the ProtocolID-specific data follows, see below.
    • ProtocolID 0x0103 frames are sent by the AccessPoint to the Station. This is 0x20-bytes of zeros, except for the first byte which is 0x3. This is sent by the AccessPoint prior to destroying the network.

Authentication

Offset Size Description
0x0 0x1 #AuthVersion
0x1 0x1 Low u8 for the size.
0x2 0x1 Status. 0 = success, non-zero = error.
0x3 0x1 [2.0.0+] bool flag. The AccessPoint verifies that this is not set. Always set to 1 by the AccessPoint in the response. [2.0.0-?] The Station only uses this when the #AuthVersion is >=2.
0x4 0x1 [6.0.0+] High u8 for the size.
0x5 0x1 [20.0.0+] AuthEncryptionType, must match the type being used by the Protocol. 0 = plaintext (Protocol NX), 1 = AES-128-GCM (Protocol 3).
0x6 0x2 Unused, zeros.
0x8 0x20 #NetworkInfo+0, must match the corresponding data in #NetworkInfo when the receiving node verifies this. With the

AccessPoint->Station frame, the Station verifies that this matches the data previously sent to the AccessPoint.

0x28 0x10 #NetworkInfo+0x50, must match the corresponding data in #NetworkInfo when the receiving node verifies this. With the

AccessPoint->Station frame, the Station verifies that this matches the data previously sent to the AccessPoint.

0x38 0x10 AuthEncryptionType1: Used for key derivation.

Station->AccessPoint: The Station sets this to random data. Unused by the AccessPoint (besides the above), except for copying into the response.

AccessPoint->Station: +0x38 from the data originally sent by the Station. The Station verifies that this matches the previously sent data.

0x48 0x10 Only present with AuthEncryptionType1: AES-128-GCM MAC tag.
0x48 (0x58 with AuthEncryptionType1) Frame-specific payload data, with the above size. The total frame size - {offset of the start of this data in the frame} must match the above size.

The Station sets the above size to 0x40 ([6.0.0+] if #NetworkInfo+0x13 is <3) ([?+] 0x64 regardless of #AuthVersion). [6.0.0+] The Authentication challenge is only used/enabled if that value is >=3, and #IUserLocalCommunicationService is being used.

The AccessPoint sets the above size to 0x40 ([6.0.0+] 0x0 if the +0x0 #AuthVersion is <3) ([?+] 0x84 regardless of #AuthVersion). [6.0.0+] The AccessPoint will only use/enable the Authentication challenge when the +0x0 #AuthVersion is >=3, and #IUserLocalCommunicationService is being used. This data will not be included in the frame if the status field indicates error.

[6.0.0+] Support for the Authentication challenge with es cmds 1501-1504 was added.

AuthEncryptionType1: The key is derived essentially the same as the data-frame CCMP key, except the input data for hashing is the 0x10-bytes at +0x38 (this also only supports using Generation 0x13, returning immediately if the input param indicates otherwise due to the Protocol). The encrypted AES-128-GCM data starts at +0x58 with the above size. The 0xC-bytes IV is at +0x0, the AAD is at +0x0 size 0x48-bytes.

The AccessPoint will not respond to frames where the source mac-address is unrecognized.

Station->AccessPoint payload data, relative to frame_end above (frame size depends on whether the challenge is enabled):

Offset Size Description
0x0 0x20 #UserConfig+0. Copied into state by the AccessPoint.
0x20 0x2 Big-endian LocalCommunicationVersion. Byte-swapped by the AccessPoint then copied into state. [?+] This is now ignored.
0x22 0x1 [19.0.0+] NodeInfo +0x2D. Copied into state by the AccessPoint. On NX the Station always sets this to 0 in the sent payload-data.
0x23 0x1D Zeros, unused by the AccessPoint.
0x40 0x24 [6.0.0+] Zeros, unused by the AccessPoint.
0x64 0x300 [6.0.0+] Authentication challenge data. If enabled, the total frame size must be >= {end offset of this data in the frame}. The frame data does not include this if it's not enabled.

AccessPoint->Station response payload data, relative to frame_end above (frame size depends on whether the challenge is enabled):

Offset Size Description
0x0 0x1
0x1 0x3F Zeros. [6.0.0-?] Only included in the frame if it's enabled (+0x0 #AuthVersion >= 3). Unused by the Station.
0x40 0x44 [6.0.0-?] Only included in the frame if it's enabled (+0x0 #AuthVersion >= 3). Unused by the Station.
0x84 0x100 [6.0.0+] If enabled, Authentication challenge response data. Not included in the frame if it's not enabled.
AuthVersion

Must be 0x1-0xF (<x010 with newer versions).

[?+] When the AccessPoint is handling the Authentication EthFrame, the AuthVersion must be >=1 for Protocol NX, and >=4 for Protocol 3.

Value SystemVersion
1 [1.0.0+]
2 [2.0.0+]
3 [6.0.0+]
4 [19.0.0+]

ActionFrame

The Action frames have the following structure:

  • "Fixed parameters":
    • "Category code: Vendor Specific (127)"
    • "OUI: 00:22:aa (Nintendo Co., Ltd.)"
  • The Data starts with the following header:
Offset Size Description
0x0 0x2 04 00 in sent frames.
0x2 0x2 Protocol ID, must be 0x0101.
0x4 0x2 Must be 0.
0x6 0x2 Zeros, unused.

Then the actual data follows:

Offset Size Description
0x0 0x20 #NetworkInfo+0x0. The u64/u16 are big-endian. Outside of #Scan/#ScanPrivate, this must match the previously loaded data for this.
0x20 0x1 #AuthVersion. Copied to #NetworkInfo+0x63. When comparing with a previous frame is enabled, this must match the value from the previous frame.
0x21 0x1 Encryption type: 1 = plaintext, 2 = AES-128-CTR, [20.0.0+] 3 = AES-128-GCM, {frames with other values are ignored by #Scan/#ScanPrivate}. Must match the type which is currently being used: with #Scan/#ScanPrivate this is determined via this field, otherwise #SecurityConfig is used to determine this.
0x22 0x2 Big-endian u16 size for the data starting at +0x48 (+0x38 with EncryptionType3), and must match {total frame size relative to +0x0 above} - {header_size}.
0x24 0x4 Big-endian u32 Counter. The initial value is randomly-generated. This is incremented each time the below content is updated (including initial creation). Also used by the Station to determine whether the frame changed compared to a previous one. When comparing against a previous frame, new_counter-prev_counter must be <= 0xFF, and the counters must not match.
0x28 0x20 EncryptionType1-2: SHA256 hash over the entire frame starting at +0x0, with the above size + 0x48. During hashing, this hash is cleared, with the new hash overwriting the original in memory (the original is copied to stack for comparing).
0x28 0x10 EncryptionType3: AES-128-GCM MAC tag (replaces the SHA256 hash).

Using EncryptionType3 outside of #Scan/#ScanPrivate is enabled with Protocol 3.

When encryption is enabled, the encrypted data is at +0x28 (+0x38 with EncryptionType3) with size {remaining frame size}. The key is derived from the raw 0x20-bytes at +0x0. The CTR/IV is {raw Counter above without byte-swap}, with the rest cleared to zeros. The AAD for AES-128-GCM is at +0x0 size 0x28-bytes.

Originally #Scan/#ScanPrivate used the EncryptionType field to determine encryption handling. With [18.0.0+] these now set an internal SecurityMode field to 0 (Any) initially, then later uses the same SecurityMode override as CreateNetwork. The internal SecurityMode field is used to determine encryption handling: Any uses the EncryptionType field like before. With non-zero the encryption handling is determined as required by the SecurityMode.

The content data at +{above_header_size} follows, which has the size specified above (which must be >=0x500 with EncryptionType1-2), where all fields are big-endian. For EncryptionType1-2:

Offset Size Description
0x0 0x10 #NetworkInfo+0x50
0x10 0x2 #NetworkInfo+0x60
0x12 0x1 #NetworkInfo+0x62
0x13 0x1 Unused
0x14 0x2
0x16 0x1 s8 #NetworkInfo+0x66, clamped to range 1-8.
0x17 0x1 s8 #NetworkInfo+0x67, clamped to range 1-8.
0x18 0x1C0(0x38*8) Array of the below node struct.
0x1D8 0x2 Unused
0x1DA 0x2 #NetworkInfo+0x26A
0x1DC 0x180 #NetworkInfo+0x26C
0x35C 0x19C Unused
0x4F8 0x8 [6.0.0+] #NetworkInfo+0x478

For EncryptionType3:

Offset Size Description
0x0 0x10 #NetworkInfo+0x50
0x10 0x8 #NetworkInfo+0x478
0x18 0x1 #NetworkInfo+0x60
0x19 0x1 #NetworkInfo+0x62
0x1A 0x2 s16 LocalCommunicationVersion. Must not be negative.
0x1C 0x8 Unused?
0x24 0x2 Same as +0x14 in the above struct for EncryptionType1-2.
0x26 0x1 s8 #NetworkInfo+0x66 (NodeCountMax)
0x27 0x1 s8 #NetworkInfo+0x67 (NodeCount)
0x28 NodeCount*0x30 Array of the below node struct.
0x28 + (NodeCount*0x30) 0x2 #NetworkInfo+0x26A (AdvertiseDataSize)
0x2A + (NodeCount*0x30) AdvertiseDataSize #NetworkInfo+0x26C (AdvertiseData)

The data here is copied into #NetworkInfo.

Node data used in the above array (all fields big-endian), which are copied into the #NetworkInfo NodeInfo array. For EncryptionType1-2:

Offset Size Description
0x0 0x4 #Ipv4Address
0x4 0x6 MacAddress
0xA 0x1 bool IsConnected
0xB 0x1 [19.0.0+] NodeInfo +0x2D
0xC 0x20 First 0x20-bytes of #UserConfig.
0x2C 0x2 s16 LocalCommunicationVersion
0x2E 0xA Unused

For EncryptionType3:

Offset Size Description
0x0 0x4 #Ipv4Address
0x4 0x6 MacAddress
0xA 0x1 NodeId
0xB 0x1 NodeInfo +0x2D
0xC 0x20 First 0x20-bytes of #UserConfig.
0x2C 0x4 Unused

ActionFrame2

The Action frames used by SendActionFrame/RecvActionFrame have the following structure:

  • "Fixed parameters":
    • "Category code: Vendor Specific (127)"
    • "OUI: 00:22:aa (Nintendo Co., Ltd.)"
  • The Data starts with the following header:
Offset Size Description
0x0 0x2 04 00
0x2 0x2 Protocol ID, must match big-endian 0x0102.
0x4 0x2 00 00
0x6 0x2 00 00

Then the actual data follows (all fields big-endian):

Offset Size Description
0x0 0x1 #AuthVersion
0x1 0x1 EncryptionType, must match the expected type for the current SecurityMode. 1 = plaintext, 2 = AES-128-GCM.
0x2 0x2 Padding
0x4 0x4 Counter
0x8 0x8 LocalCommunicationId
0x10 0x10 Used with key derivation.
0x20 0x10 EncryptionType2: AES-128-GCM MAC tag.
0x30 Remaining frame size Data payload

The 0xC-byte IV for AES-128-GCM is the raw 4-bytes from the above Counter, with the rest cleared to zeroes. The encrypted data is at +0x30, with the remaining frame size. The AAD is the 0x20-bytes at +0x0.

The key is derived similar to the regular action-frame key (same KeySource), except: the Generation is always 0x11, with the following data for hashing: {big-endian LocalCommunicationId} {+0x10 size 0x10-bytes} {#ActionFrameSettings Passphrase with the specified PassphraseSize}.

The data payload is the data buffer for SendActionFrame/RecvActionFrame.

lp2p

This is used for communicating with accessories (external devices on [11.0.0+]) over local wifi. Mario Kart Live: Home Circuit uses this. [11.0.0+] LibraryAppletPhotoViewer uses this.

A beacon is broadcasted.

Action frames are only sent when done so by #SendToOtherGroup (other than the Epigram one mentioned below).

Communication uses sockets with standard Data frames and the above Action frames. Switch consoles presumably only use the Action frames to communicate with each other?

Key A derived by ldn-sysmodule is used directly as the static CCMP key for all data-frames (CCMP / MIC is standard). However, with #GroupInfo+0x8A value 3, standard WPA2-PSK is used instead.

This uses infrastructure-mode (AccessPoint), and DHCP is used. The group-owner is the AccessPoint. Note that the probe response includes the same Nintendo tags included with the beacon. Once connected, the group-owner sends the same Epigram-vendor Action frame(s) described in #ldn. At this point socket communication can begin, including DHCP usage.

The DHCP server thread is started by the "nn.lp2p.StateMachine" thread eventually during group creation. The DHCP Offer option values are the following:

  • "Subnet Mask: 255.255.255.0"
  • "DHCP Server Identifier: {...}"
  • "Broadcast Address: {...}"
  • "IP Address Lease Time: (5s) 5 seconds"
  • "Renewal Time Value: (0s) 0 seconds"
  • "Rebinding Time Value: (0s) 0 seconds"
  • "Interface MTU: 1500"

Note that the above options doesn't include "Domain Name Server" or "Router", the client device may fail to connect if it doesn't allow those DHCP options to be missing.

Beacon

The SSID in the beacon can optionally be hidden (all-zero with the same length as the original SSID). The beacon contains two vendor-specific Nintendo information elements with OUI 00:22:aa; each IE has a 2-byte ID following the OUI. These Nintendo IEs are not used when standard WPA2-PSK is being used.

The beacon is identical to ldn, except for the following (besides SSID length difference and the lp2p-only Nintendo tags):

  • "Tag: HT Capabilities (802.11n D1.10)": "HT Short GI for 20MHz" is set to "Not supported", for ldn it's "Supported".
  • "Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element" "Ac Parameters ACI 0": "CW Min: 15" for lp2p, "CW Min: 63" for ldn.

Note that during group creation the beacon may be missing the Nintendo IEs in some cases, since group creation didn't finish yet.

Nintendo IE 0

The first Nintendo IE (ID 0x0600) contains the following fixed parameters:

Offset Size Description
0x0 0x1 Fixed 0x20; perhaps a version or other magic number.
0x1 0x1 SecurityType
0x2 0x1 StaticAesKeyIndex
0x3 0x1 Fixed zero; padding byte.
0x4 0x8 Big-endian (i.e. byte-reversed) version of LocalCommunicationId. This is the only context where LocalCommunicationId is reversed.
0xC 0x10 Wrapped master key. Same as #GroupInfo+0x0.
0x1C 0x4 If encryption is enabled, a randomly-generated nonce, else nothing. Appending 8 zero bytes to this yields the AES-GCM IV.
0x20 0x10 If encryption is enabled, the AES-GCM MAC tag, else nothing. All bytes prior to this (fixed 0x20 through nonce) are the additional authenticated data. All bytes after this are encrypted with key B.

After this, TLV tagged parameters occur. Each TLV tag is formatted as:

Offset Size Description
0x0 0x1 Tag type
0x1 0x1 Length
0x2 {above size} Data for the tag

Known TLV tags:

Type Size Description
0x1 0x2 Additional network parameters: 0xAB 0xCD. A=#GroupInfo+0x82, B=MemberCountMax, C=NetworkMode, D=PerformanceRequirement.
0x2 0x8 Flags: Bitwise-or of (1<<f) for each entry in #GroupInfo+0x40

Nintendo IE 1

The second Nintendo IE (ID 0x0601) contains only TLVs. If encryption is enabled, a 0x4-byte nonce and 0x10-byte AES-GCM tag are written first, as above, and the TLVs are encrypted. Key C is used.

Known TLV tags:

Type Size Description
0x21 Varies AdvertiseData

ActionFrame

The Action frames have the following structure:

  • "Fixed parameters":
    • "Category code: Vendor Specific (127)"
    • "OUI: 00:22:aa (Nintendo Co., Ltd.)"
  • The Data starts with the following:
Offset Size Description
0x0 0x2 Usually 06 00?
0x2 0x2 Usually 20 02?(Second byte depends on whether encryption is used?)
0x4 0x2 Usually 02 00?(varies)
0x6 0x8 Big-endian version of #GroupInfo+0x10.
0xE 0x10 Same as #GroupInfo+0x0.

When encryption is used, the remaining data is:

Offset Size Description
0x0 0x4 Big-endian u32 Counter. The initial value is randomly-generated (?). This is incremented with each sent Action frame.
0x4 {remaining size} Encrypted user-data. Also includes 0x10-bytes of unknown data.

When plaintext is used, the remaining data is:

Offset Size Description
0x0 {remaining size} Plaintext user-data.