ACNH: Island Transfer Tool #131

Open
shomykohai opened this issue May 12, 2024 · 18 comments

Comments

@shomykohai commented May 12, 2024

Would it be possible to use this in combo with the ldn python package to somehow mimic the island transfer tool behaviour?

The ldn package would be the best of the two I guess considering that the island transfer tool relies on wireless communication.

@shomykohai (Author)

For now this is all I found

```yaml
protocol_id: 0x0100F380011CFE000  # AC:NH island transfer tool title_id
password: "LunchPack2DefaultPhrase"  # not sure about this though
game_mode: 31
max_participants: 2
```

I'm not really good at understanding binary and hex data so I can't really understand what the application_data field needs. Pretty sure though that the island name is there.

As for the password, this is what I came up with but I'm not sure, especially because it didn't connect. Probably there's a different one and I don't really know how to get it.

@still1987

I have no idea, but I find it difficult. But I have to remind you: hacking Nintendo may incur legal risks, so it's too risky to do it.

@kinnay (Owner) commented May 30, 2024

I would not worry about the legal risks in this case. I've been hacking Nintendo games for ~10 years and never got into trouble. In fact, Nintendo even rewards people that find new ways to hack their systems: https://hackerone.com/nintendo.

That said, I'm sure that it's possible to mimic the island transfer tool. Unfortunately I don't have time to reverse engineer it myself.

@shomykohai (Author)

> I would not worry about the legal risks in this case. I've been hacking Nintendo games for ~10 years and never got into trouble. In fact, Nintendo even rewards people that find new ways to hack their systems: https://hackerone.com/nintendo.
>
> That said, I'm sure that it's possible to mimic the island transfer tool. Unfortunately I don't have time to reverse engineer it myself.

What I've tried for now is using the LDN package, and it gave me an output, so it surely uses wireless communication and does not connect to the internet. Based on this I'd say that it would be possible to mimic it; we just have to understand how it communicates and send the data.
Do you have any tips for finding the password?

@shomykohai (Author) commented Jun 9, 2024

Been trying some stuff.
Found some stuff about the application data:
Obviously, it has a PIA header, version 5.39:

```python
import random

# Stream: the StreamOut-style writer (u8/u32/pad, .data buffer) used in the rest of my script.
stream = Stream()
stream.u32(random.randint(0, 0xFFFFFFFF))  # Session id
stream.u32(0)                              # CRC-32, seems to be 0 even here
stream.u8(8)                               # System communication version
stream.u8(16)                              # Header size
stream.pad(2)
stream.u32(random.randint(0, 0xFFFFFFFF))  # Session param

stream.u8(1)
stream.u8(0)
name = "Switch's name".encode()            # The name of the console, max 32 chars
stream.data += name
stream.pad(128 - len(name))                # Name block padded to 128 bytes; this seems to be consistent
stream.pad(2)

# ... other data
```

I've also noticed the island name is sent as wchars.
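As an added example (my own code, not the issue author's script and not part of kinnay's LDN package), here is the layout listed above written out as a builder plus a matching parser with the length and header-size checks a receiver would want. Everything the comment does not state is an assumption: little-endian byte order, UTF-8 for the console name, the two bytes after the header treated as an opaque prefix, and the tail after the name block (the "other data", where the island name presumably sits as wchars) kept as raw bytes rather than decoded.

```python
import random
import struct

# Field layout as described in the comment above. Byte order is an assumption
# (little-endian); the page does not state it.
HEADER_FMT = "<IIBBxxI"    # session id, CRC-32, system comm version, header size, 2 pad, session param
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 16, matching the header-size byte in the comment
SYSTEM_COMM_VERSION = 8
NAME_BLOCK_SIZE = 128      # console-name block, NUL-padded to 128 bytes
NAME_MAX_CHARS = 32        # "max 32 chars" per the comment
RECORD_PREFIX = bytes([1, 0])   # the u8(1), u8(0) before the name; meaning unknown, kept opaque
RECORD_TRAILER = b"\x00\x00"    # the pad(2) after the name block
RECORD_SIZE = len(RECORD_PREFIX) + NAME_BLOCK_SIZE + len(RECORD_TRAILER)


def build_application_data(console_name, session_id=None, session_param=None, other=b""):
    """Serialize the header and console-name record; `other` is the undocumented tail."""
    if len(console_name) > NAME_MAX_CHARS:
        raise ValueError("console name longer than %d characters" % NAME_MAX_CHARS)
    name = console_name.encode("utf-8")   # encoding is an assumption
    if len(name) > NAME_BLOCK_SIZE:
        raise ValueError("encoded console name does not fit the 128-byte block")
    if session_id is None:
        session_id = random.getrandbits(32)
    if session_param is None:
        session_param = random.getrandbits(32)
    # CRC-32 field is written as 0, as observed in the comment.
    header = struct.pack(HEADER_FMT, session_id, 0, SYSTEM_COMM_VERSION, HEADER_SIZE, session_param)
    record = RECORD_PREFIX + name.ljust(NAME_BLOCK_SIZE, b"\x00") + RECORD_TRAILER
    return header + record + other


def parse_application_data(data):
    """Inverse of build_application_data; the header-size byte is trusted only after bounds checks."""
    if len(data) < HEADER_SIZE:
        raise ValueError("application data too short for the header: %d bytes" % len(data))
    session_id, crc32, version, header_size, session_param = struct.unpack_from(HEADER_FMT, data, 0)
    if header_size < HEADER_SIZE:
        raise ValueError("header size %d smaller than the fixed header" % header_size)
    if len(data) < header_size + RECORD_SIZE:
        raise ValueError("application data too short for the name record: %d bytes" % len(data))
    off = header_size                     # skip any header bytes beyond the 16 we know
    prefix = data[off:off + len(RECORD_PREFIX)]
    off += len(RECORD_PREFIX)
    name_block = data[off:off + NAME_BLOCK_SIZE]
    off += NAME_BLOCK_SIZE + len(RECORD_TRAILER)
    console_name = name_block.split(b"\x00", 1)[0].decode("utf-8")
    return {
        "session_id": session_id,
        "crc32": crc32,
        "system_comm_version": version,
        "header_size": header_size,
        "session_param": session_param,
        "record_prefix": prefix,
        "console_name": console_name,
        "other": data[off:],              # the undocumented tail, returned raw
    }


if __name__ == "__main__":
    # Constructed sample values; not captured from a real console.
    blob = build_application_data("Switch's name", session_id=0x11223344,
                                  session_param=0x55667788, other=b"\xaa\xbb")
    print(blob.hex())
    print(parse_application_data(blob))
```

Run it directly to print a constructed sample blob and its parse. If a real capture shows the session id bytes reversed, flip the byte order in HEADER_FMT; the rest of the layout is independent of that choice.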

@shomykohai (Author)

Right now the hard part would be retrieving the network key.
According to the documentation, the joining console sends an encrypted authentication request that contains the network key.
I suppose the LDN package already knows how to decrypt the request; the only problem is that I don't have a console without an island that could try it.

@sir1st commented Jun 10, 2024

> Right now the hard part would be retrieving the network key. According to the documentation the joining console sends an encrypted authentication request that contains the network key. I suppose the LDN package already knows how to decrypt the request, the only problem is that i don't have a console without an island that could try it.

Hi, I'm really interested in this work, and fortunately I have a console with an island. If possible, how about we work together to find the truth? You could contact me on Discord, ID 912336365105065984. I'd be happy about that.

@shomykohai (Author)

> hi, i'm really interested for this work. and fortunately i have that console with an island, if possible, how about we work together to find the truth? you could contact me with discord id 912336365105065984. i'd like be happy for that.

Wait, maybe I didn't explain myself well or I didn't get your point: to find the password we probably would need a console without an island!! My console has an island, so I can only host the wireless communication.

What I wanted to do is host the program and then make the console try to join the communication, so that I can retrieve the authentication request and somehow decrypt it!

@sir1st commented Jun 10, 2024

> hi, i'm really interested for this work. and fortunately i have that console with an island, if possible, how about we work together to find the truth? you could contact me with discord id 912336365105065984. i'd like be happy for that.
>
> Wait maybe I didn't explain myself well or I didn't got your point, to find the password we probably would need a console without an island!! My console has an island so I can only host the wireless communication,
>
> what I wanted to do is host the program and then make the console try to join the communication so that I can retrieve the authentication request and somehow decrypt it!

I see. Don't worry, I also have another console which does not have any island. I think this could satisfy the requirement.

@shomykohai (Author)

> i see. don't worry, i also have another console which does not have any island. i think this could satisfy the requirement.

Nice! This surely makes it easier.
Though I was just checking the source code, and it seems like it's not possible to do what I wanted to try, because the network key that gets compared is, first of all, hashed and then cut off to 16 chars. This really makes it harder to find the password.
I guess @kinnay is the only one who could guide us onto the right track to find the password.

@sir1st commented Jun 10, 2024

> i see. don't worry, i also have another console which does not have any island. i think this could satisfy the requirement.
>
> Nice! This makes it easier surely. Though I was just checking the source code and it seems like it's not possible to do what I've wanted to try, because the network key that gets compared is, first of all, hashed and then it gets cut off to 16 chars. This really makes it harder to find the password. I guess @kinnay is the only one who could guide us to the right track to find the password.

Have you ever tried ldn_mitm to log the key? There is a source code link for the latest ldn_mitm: https://github.com/DefenderOfHyrule/ldn_mitm

@shomykohai (Author)

> have you ever try the ldn_mitm to log the key? there is a source code link for latest ldn_mitm: https://github.com/DefenderOfHyrule/ldn_mitm

Unfortunately I don't have a modded Switch to try; it would surely have been useful.

@sir1st commented Jun 10, 2024

> have you ever try the ldn_mitm to log the key? there is a source code link for latest ldn_mitm: https://github.com/DefenderOfHyrule/ldn_mitm
>
> Unfortunately I don't have a modded switch to try, would have been useful surely.

I have a CFW Switch, maybe I can try to find something. Besides, you could also use the Ryujinx Switch emulator; I guess it has similar functions.

@shomykohai (Author) commented Jun 10, 2024

> i have a CFW swicth, maybe i can try to find something. besides, you could also use the Ryujinx switch emulator, i guess it has familiar functions.

If you manage to find something, it would be amazing!
As for Ryujinx, I already tried a while ago, and the island transfer tool crashes upon booting.

@sir1st commented Jun 10, 2024

> i have a CFW swicth, maybe i can try to find something. besides, you could also use the Ryujinx switch emulator, i guess it has familiar functions.
>
> If you manage to find something it would be amazing! As for Ryujinx, I've already tried a whole ago and the island transfer tool crashes upon booting.

Ignore the missing services in system settings and use ldnRyu; it could work for the transfer tool.

@shomykohai (Author) commented Jun 10, 2024

> ignore the missed services in system setting, and use ldnRyu, it could works for transfer tool

This did the trick!
I'll see if I manage to log the password.

@sir1st commented Jun 12, 2024

> ignore the missed services in system setting, and use ldnRyu, it could works for transfer tool
>
> This did the trick! I'll look if i manage to log the password.

After logging with ldn_mitm, I found the passphrase info. The code is:

```cpp
LogFormat("SecurityConfig");
LogHex(securityConfig->passphrase, securityConfig->passphraseSize);
```

The corresponding log is:

```text
[ts: 96501ms t: (446) ldn_mitm::Thread p: 34/34] SecurityConfig
[ts: 96508ms t: (446) ldn_mitm::Thread p: 34/34] Bin Log: 20 (0x2c99724874)
61324f5f58696e673a634d6f76655f6e
6e746e64
```

Besides, this is the entire log for the full transfer process. Hope this could offer some help.
ldn_mitm.log
Also, when I enable the log function, the entire island transfer will not succeed. It breaks during the transmission, so I only got the host log, which records the source Switch hosting the LDN network.
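Decoding the dump above, as an added example that is my own code and not from ldn_mitm or the LDN package: it pulls the `Bin Log` entry that follows the `SecurityConfig` line out of the log text, checks the declared length (20) against the hex actually dumped (the dump wraps across two lines), and returns the passphrase as a string. The `derived_key` helper only illustrates the hash-then-truncate step shomykohai described earlier in the thread (the compared key is hashed, then cut to 16); SHA-256 is an assumption there, the thread does not say which hash the library uses, so do not treat its output as the real network key.

```python
import hashlib
import re

# Constructed copy of the relevant lines from the ldn_mitm log quoted above,
# plus one made-up follow-on line so the hex-collection stop condition is exercised.
LDN_MITM_LOG = """\
[ts: 96501ms t: (446) ldn_mitm::Thread p: 34/34] SecurityConfig
[ts: 96508ms t: (446) ldn_mitm::Thread p: 34/34] Bin Log: 20 (0x2c99724874)
61324f5f58696e673a634d6f76655f6e
6e746e64
[ts: 96520ms t: (446) ldn_mitm::Thread p: 34/34] (next entry, constructed)
"""

BIN_LOG_RE = re.compile(r"Bin Log: (\d+)")
HEX_LINE_RE = re.compile(r"^[0-9a-fA-F]+$")


def extract_bin_logs(log_text):
    """Yield the bytes of every 'Bin Log: N' entry, checking N against the hex that follows."""
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = BIN_LOG_RE.search(lines[i])
        i += 1
        if not m:
            continue
        declared = int(m.group(1))
        hex_chunks = []
        # LogHex wraps long dumps over several lines; collect until a non-hex line.
        while i < len(lines) and HEX_LINE_RE.match(lines[i].strip()):
            hex_chunks.append(lines[i].strip())
            i += 1
        raw = bytes.fromhex("".join(hex_chunks))
        if len(raw) != declared:
            raise ValueError("Bin Log declares %d bytes but %d were dumped" % (declared, len(raw)))
        yield raw


def passphrase_from_log(log_text):
    """The passphrase is the first Bin Log entry after the 'SecurityConfig' marker line."""
    lines = log_text.splitlines()
    for idx, line in enumerate(lines):
        if line.rstrip().endswith("SecurityConfig"):
            raw = next(extract_bin_logs("\n".join(lines[idx:])), None)
            if raw is None:
                raise ValueError("SecurityConfig entry has no Bin Log after it")
            return raw.decode("ascii")
    raise ValueError("no SecurityConfig entry in log")


def derived_key(passphrase, hash_name="sha256", length=16):
    """Hash-then-truncate as described in the thread; the hash algorithm is an assumption."""
    return hashlib.new(hash_name, passphrase.encode("utf-8")).digest()[:length]


if __name__ == "__main__":
    phrase = passphrase_from_log(LDN_MITM_LOG)
    print(repr(phrase), len(phrase))
    print(derived_key(phrase).hex())
```

Point `passphrase_from_log` at the full ldn_mitm.log text to get the same string; the length check is what catches a truncated or mis-copied dump. Because only the hashed, truncated value is ever compared, a guessed passphrase such as the earlier "LunchPack2DefaultPhrase" produces a different 16-byte key, which is why logging the passphrase at the source was needed rather than working backwards from a captured authentication request.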

@shomykohai (Author) commented Jun 12, 2024

> after logging the ldn_mitm, i find the passphrase info, the code is
> LogFormat("SecurityConfig");
> LogHex(securityConfig->passphrase, securityConfig->passphraseSize);
> the corresponding log is
> [ts: 96501ms t: (446) ldn_mitm::Thread p: 34/34] SecurityConfig
> [ts: 96508ms t: (446) ldn_mitm::Thread p: 34/34] Bin Log: 20 (0x2c99724874)
> 61324f5f58696e673a634d6f76655f6e
> 6e746e64
> besides, this is the entire log for the full transfer process. hope this could offer some help.
> ldn_mitm.log
> also, when i enable the log function, the entire island transfer will not success. it breaks during the transmission, so i only got the host log which records the source switch host the LDN network.

So, I tried the passphrase and it seems to be working! Now the LDN package gives me a new error: Failed to obtain IP address after joining network (timeout)

Now I have to figure out this problem.

Thanks for the log, I'll see what I can do with it.

Edit:
The error seems to be caused by my network device: https://github.com/kinnay/LDN/wiki/Common-Issues

4 participants