Merge pull request #37 from DaniElectra/updates-2025-01-29
jonbarrow authored Jan 29, 2025
2 parents b89d70a + da5850a commit a3fd478
Showing 12 changed files with 431 additions and 160 deletions.
3 changes: 3 additions & 0 deletions docs/misc/tls-certificates.md
Expand Up @@ -58,6 +58,7 @@ Many client and server certificates that are used by Nintendo are issued by an i
| `01:7C` | `*.xd1.npns.srv.nintendo.net` |
| `01:80` | `*.frs.srv.nintendo.net` |
| `01:A7` | `receive-lp1.er.srv.nintendo.net` |
| `01:C2` | `WS Prod` |
| `01:D7` | `capi.lp1.op2.nintendo.net` |
| `02:0B` | `*.lp1.scsi.srv.nintendo.net` |
| `02:0D` | `*.ndas.srv.nintendo.net` |
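
Review bot: The `01:C2` row in this hunk gives `WS Prod` where every neighbouring row gives a DNS name, so a reader cannot tell whether this is the certificate's common name or a label chosen for the table. If it is the subject CN as issued, say so in the row or in a footnote; otherwise list the hostname the certificate is presented for.
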
Expand All @@ -71,11 +72,13 @@ Many client and server certificates that are used by Nintendo are issued by an i
| `03:D4` | `lp1.nso.nintendo.net` |
| `03:E6` | `*.c.app.nintendowifi.net` |
| `03:F1` | `*.hac.td1.acbaa.srv.nintendo.net` |
| `04:77` | `*.dd1.t.npln.srv.nintendo.net` |
| `04:85` | `uat.account.nintendo.net` |
| `04:95` | `account.nintendo.net` |
| `04:96` | `system-dev.account.nintendo.net` |
| `04:A6` | `*.dg.srv.nintendo.net` |
| `04:B1` | `*.hac.shop.nintendo.net` |
| `04:FA` | `*.lp1.t.npln.srv.nintendo.net` |
| `05:77` | `account.nintendo.net` |

## Nintendo Class 2 CA
6 changes: 4 additions & 2 deletions docs/nat-check.md
Expand Up @@ -9,8 +9,10 @@ This server is used to detect NAT properties of the router in order to perform N
This server is at:<br>
- `nncs1.app.nintendowifi.net` (Wii U, primary server)
- `nncs2.app.nintendowifi.net` (Wii U, secondary server)
- `nncs1-%.n.n.srv.nintendo.net` (Switch, primary server)
- `nncs2-%.n.n.srv.nintendo.net` (Switch, secondary server)
- `nncs1-lp1.n.n.srv.nintendo.net` (Switch, primary server)
- `nncs2-lp1.n.n.srv.nintendo.net` (Switch, secondary server)
- `nncs1.p01.lp1.n.n.srv.nintendo.net` (Switch 2, primary server)
- `nncs2.p01.lp1.n.n.srv.nintendo.net` (Switch 2, secondary server)

The protocol consists of simple UDP messages through port 10025 (primary port) or 10125 (secondary port). Messages are encoded in big endian byte order.
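
Review bot: The Switch entries change from the `%` placeholder form (`nncs1-%.n.n.srv.nintendo.net`) to a literal `lp1` hostname, which drops the information that this label varies. Either keep the placeholder alongside the concrete name or add a sentence saying what `lp1` stands for, and do the same for the `p01.lp1` label in the Switch 2 entries.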

2 changes: 2 additions & 0 deletions docs/npln/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ Services are never modified in a backward incompatible way, but new methods and
* `nn.npln.friends.v1.Friends`
* `nn.npln.friends.v1.PresenceService`
* `nn.npln.gamesync.v1.Gamesync`
* `nn.npln.globalcounter.v1.GlobalCounterService`
* `nn.npln.hydro.v1.Datastore`
* `nn.npln.leaderboard.v1.LeaderboardService`
* `nn.npln.maintenance.v1.MaintenanceScheduleService`
Expand Down Expand Up @@ -72,6 +73,7 @@ Pokemon Scarlet and Violet implement custom services as well:
| Splatoon 3 | `dce9377b` |
| Splatoon 3: Splatfest World Premiere | `156eef4e` |
| Super Mario Bros. Wonder | `ba973ec6` |
| Super Mario Party Jamboree | `adf89f68` |

## Useful Tools
* [grpcui](https://github.com/fullstorydev/grpcui) - a simple user interface for gRPC
9 changes: 5 additions & 4 deletions docs/pia/ldn/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,11 @@ Also see: [Local Wireless Communication on PC](/docs/misc/local-wireless-communi

## Changelog

| System version | LDN version | Changes |
|----------------|-------------|---------------------------------------------|
| 2.0.0 - 5.1.0 | 2 | Initial version |
| 6.0.0 - 17.0.1 | 3 | Challenge was added to authentication frame |
| System version | LDN version | Changes |
|-----------------|-------------|---------------------------------------------|
| 2.0.0 - 5.1.0 | 2 | Initial version |
| 6.0.0 - 18.1.0 | 3 | Challenge was added to authentication frame |
| 19.0.0 - 19.0.1 | 4 | Unknown difference |

## WLAN Channels
The channel on which LDN operates can be specified by games. Allowed channels are:
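
Review bot: The `19.0.0 - 19.0.1` row records LDN version 4 with `Unknown difference`, which tells the reader that nothing was found rather than what was checked. State what is known, for example whether version 3 and version 4 frames were compared and which fields matched, so the next contributor knows where to look.
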
424 changes: 295 additions & 129 deletions docs/servers.md

Large diffs are not rendered by default.

63 changes: 50 additions & 13 deletions docs/switch/aauth.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ Because the certificates are signed by Nintendo there is only one way to obtain
The aauth server takes form-encoded requests and responds with json-encoding. It uses base64url, and the client does not add any padding characters.

## Headers
Up to 17.0.1:

| Header | Description |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
Expand All @@ -25,6 +26,16 @@ The aauth server takes form-encoded requests and responds with json-encoding. It
| Content-Length | Content length |
| Content-Type | `application/x-www-form-urlencoded` |

In 18.0.0 and later, the user agent is no longer present and the headers are reordered:

| Header | Description |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| Host | `aauth-lp1.ndas.srv.nintendo.net` |
| Accept | `*/*` |
| Content-Type | `application/x-www-form-urlencoded` |
| X-Nintendo-PowerState | `FA` (fully awake) or `HA` (half awake). This header is only sent in the [application token request](#application-token-request). |
| Content-Length | Content length |

## User Agents

| System Version | User agent |
Expand All @@ -40,7 +51,6 @@ The aauth server takes form-encoded requests and responds with json-encoding. It
| 16.0.0 | `libcurl (nnHttp; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 16.2.0.0; Add-on 16.2.0.0)` |
| 16.0.0 - 16.1.0 | `libcurl (nnHttp; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 16.2.0.0; Add-on 16.2.0.0)` |
| 17.0.0 - 17.0.1 | `libcurl (nnHttp; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 17.5.0.0; Add-on 17.5.0.0)` |
| 18.0.0 | `libcurl (nnHttp; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 18.3.0.0; Add-on 18.3.0.0)` |

## Methods
The following method returns a timestamp and your ip address:
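
Review bot: With the `18.0.0` row removed, the context still shows two rows carrying the same user agent, `16.0.0` and `16.0.0 - 16.1.0`; the first is redundant and can be dropped in the same change.
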
Expand All @@ -55,6 +65,7 @@ In API version 3 and later, one must solve a cryptographic challenge to prove th
| ------ | ------------------------------------- |
| POST | [`/v3/challenge`](#challenge-request) |
| POST | [`/v4/challenge`](#challenge-request) |
| POST | [`/v5/challenge`](#challenge-request) |

The following methods return an application token as JWT:

Expand All @@ -72,7 +83,8 @@ The following methods return an application token as JWT:
| 1.0.0 - 4.1.0 | v1 |
| 5.0.0 - 8.1.1 | v2 |
| 9.0.0 - 14.1.2 | v3 |
| 15.0.0 - 16.0.0 | v4 |
| 15.0.0 - 18.1.0 | v4 |
| 19.0.0 | v5 |

## API Changes

Expand All @@ -82,6 +94,7 @@ The following methods return an application token as JWT:
| v2 | The API path is obfuscated with a random hex string. The `environment` parameter was removed. The online play policy was added. For digital titles, the certificate is encrypted with a random key. The `NO_CERT` media type was added. |
| v3 | The API path is no longer obfuscated. The challenge was added for gamecards. |
| v4 | The `cert_key` parameter was removed for digital titles. A token from dragons is now required. |
| v5 | The `media_type` parameter was renamed to `auth_type` and the gamecard challenge was redesigned. |

## Time Request
This method is unrelated to aauth. It returns a `text/plain` document that contains two lines:
Expand All @@ -90,22 +103,32 @@ This method is unrelated to aauth. It returns a `text/plain` document that conta

It also returns this information in the `X-NINTENDO-UNIXTIME` and `X-NINTENDO-GLOBAL-IP` headers.

This method is no longer used since system version 18.0.0. It is replaced by a [ctest server](/docs/switch/connection-test).

## Challenge Request
This request is only required if the media type is `GAMECARD`.

| Param | Description |
| ------------------ | ------------------------------------------------------------ |
| &device_auth_token | Device token from [dauth server](/docs/switch/dauth) |
| Param | Description |
| ----------------- | ---------------------------------------------------- |
| device_auth_token | Device token from [dauth server](/docs/switch/dauth) |

Note that the device_auth_token parameter is preceded by an ampersand, even though it is the first and only parameter in the request.
Note: up to system version 17.0.1, the device_auth_token was preceded by an ampersand, even though it is the first and only parameter in the request.

Response on success:
Response on success, up to version 4:

| Field | Description |
| ----- | ------------------------- |
| value | Base64-encoded (16 bytes) |
| seed | Base64-encoded (15 bytes) |

Version 5:

| Field | Description |
|---------------|---------------------------|
| challenge | Base64-encoded (32 bytes) |
| challenge_src | Base64-encoded (9 bytes) |
| seed | Base64-encoded (15 bytes) |

The seed value never changes. It is even consistent across environments.

## Application Token Request
Expand Down Expand Up @@ -214,14 +237,28 @@ The `gvt` parameter is calculated with <code><a href="https://switchbrew.org/wik
### Version 4
For digitial titles, the Switch no longer sends the application certificate to the server. Instead, it requests a contents authorization token from the [dragons server](/docs/switch/dragons).

| Param | Description |
| ------------------- | ------------------------------------------------------------------- |
| application_id | Title id (`%016x`) |
| application_version | Title version (`%08x`) |
| device_auth_token | Device token from [dauth server](/docs/switch/dauth) |
| media_type | `DIGITAL` |
| Param | Description |
|---------------------|--------------------------------------------------------------------------|
| application_id | Title id (`%016x`) |
| application_version | Title version (`%08x`) |
| device_auth_token | Device token from [dauth server](/docs/switch/dauth) |
| media_type | `DIGITAL` |
| cert | Contents authorization token from [dragons server](/docs/switch/dragons) |

### Version 5
The media_type parameter was renamed to auth_type. The challenge and challenge_src parameters were added for gamecard authentication.

| Param | Description |
|---------------------|-----------------------------------------------------------------------------------------------------------------|
| application_id | Title id (`%016x`) |
| application_version | Title version (`%08x`) |
| device_auth_token | Device token from [dauth server](/docs/switch/dauth) |
| media_type | `GAMECARD` |
| gvt | Base64-encoded challenge reply, based on the seed and value from the [challenge](#challenge-request) (88 bytes) |
| cert | Base64-encoded gamecard certificate (512 bytes) |
| challenge | Challenge |
| challenge_src | Challenge src |

## Errors
On error, the server sends the following response:
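
Review bot: The Version 5 table still lists `media_type` with value `GAMECARD`, while the sentence directly above it and the v5 row under API Changes say the parameter was renamed to `auth_type`; the row should read `auth_type`. The `gvt` description also still refers to the seed and `value` from the challenge, but the version 5 challenge response has `challenge`, `challenge_src` and `seed` and no `value` field. The `challenge` and `challenge_src` rows only restate their names; say that they echo the fields from the challenge response, if that is the case.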

23 changes: 18 additions & 5 deletions docs/switch/baas.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@ The user agents below are taken from the account sysmodule. If the request is ma
| 15.0.0 - 15.0.1 | `libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 15.3.0.0; Add-on 15.3.0.0)` |
| 16.0.0 - 16.1.0 | `libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 16.2.0.0; Add-on 16.2.0.0)` |
| 17.0.0 - 17.0.1 | `libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 17.5.0.0; Add-on 17.5.0.0)` |
| 18.0.0 | `libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 18.3.0.0; Add-on 18.3.0.0)` |
| 18.0.0 - 18.1.0 | `libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 18.3.0.0; Add-on 18.3.0.0)` |
| 19.0.0 | `libcurl (nnAccount; 789f928b-138e-4b2f-afeb-1acae821d897; SDK 19.3.0.0; Add-on 19.3.0.0)` |

## Methods
The following methods do not require an access token:
Expand All @@ -74,6 +75,7 @@ The following methods require a user access token:

| Module | Method | URL |
| ------- | ------ | ------------------------------------------------------------------------------- |
| Account | POST | `/1.0.0/devices/me/delete` |
| Account | POST | `/1.0.0/image_upload` |
| Account | PUT | `/1.0.0/push_channels/<id>/<id>` |
| Friends | GET | `/1.0.0/users` |
Expand All @@ -85,7 +87,7 @@ The following methods require a user access token:
| Friends | PATCH | `/1.0.0/users/<id>/device_accounts/<id>` |
| Account | DELETE | [`/1.0.0/users/<id>/device_accounts/<id>`](#delete-100usersiddevice_accountsid) |
| Friends | POST | [`/1.0.0/users/<id>/generate_code`](#post-100usersidgenerate_code) |
| Account | POST | `/1.0.0/users/<id>/link` |
| Account | POST | [`/1.0.0/users/<id>/link`](#post-100usersidlink) |
| Account | POST | `/1.0.0/users/<id>/unlink` |
| Friends | POST | `/2.0.0/friend_requests` |
| Friends | PATCH | `/2.0.0/friend_requests/<id>` |
Expand All @@ -99,10 +101,11 @@ The following methods require a user access token:
### POST /1.0.0/application/token
This method provides an anonymous access token.

| Param | Description |
| --------- | --------------------------------------------------------------------- |
| grantType | `public_client` |
| Param | Description |
| --------- | ------------------------------------------------------------- |
| grantType | `public_client` |
| assertion | Device token obtained from [dauth server](/docs/switch/dauth) |
| penneId | Penne id (optional) |

Response on success:
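
Review bot: The `penneId` row describes the parameter as `Penne id (optional)`, which only restates the name. Add what the id identifies, where the client gets it, and when it is included in the request, or link to the page that documents it.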

Expand Down Expand Up @@ -249,6 +252,16 @@ Generates a new friend code. Returns the new [user information](#user-informatio
| ----- | ----------- |
| type | `NX` |

### POST /1.0.0/users/&lt;id&gt;/link
Links a Nintendo account to the given device account.

| Param | Description |
|-----------|--------------------------------|
| `idp` | `nintendoAccount` |
| `idToken` | ID token from Nintendo account |

Returns the new [user information](#user-information).

### GET /1.0.0/certificates
This method returns the JWK set for the id token that's issued by <code><a href="#post-100login">/1.0.0/login</a></code> and <code><a href="#post-100federation">/1.0.0/federation</a></code>.
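
Review bot: The parameter names in the `/link` table are wrapped in backticks (`idp`, `idToken`), while the other parameter tables in this file, such as the one for `/1.0.0/application/token`, leave them plain. Match the existing style. The `idToken` description could also say which Nintendo account endpoint issues the token.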

7 changes: 6 additions & 1 deletion docs/switch/connection-test.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,17 @@ toc: true
title: Connection Test
---

Nintendo provides three connection test servers for the Nintendo Switch:
Nintendo provides the following connection test servers for the Nintendo Switch:
* http://ctest.cdn.nintendo.net
* http://ctest-dl-lp1.cdn.nintendo.net
* http://ctest-ul-lp1.cdn.nintendo.net
* https://api.hac.lp1.ctest.srv.nintendo.net

On the Switch 2, the following servers are used instead:
* https://ctest-dl.p01.lp1.ctest.srv.nintendo.net
* https://ctest-ul.p01.lp1.ctest.srv.nintendo.net
* https://api.p01.lp1.ctest.srv.nintendo.net

The first server is used to check if the internet connection is working when you connect to a wifi network. The next two are used to measure your download and upload speed.

The last server was introduced in system version 18.0.0 and is a replacement for `/v1/time` of the [AAuth server](/docs/switch/aauth).
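
Review bot: Inserting the Switch 2 list between the Switch list and the paragraphs that begin `The first server` and `The last server` makes those ordinals ambiguous: they describe the four Switch hosts, but now follow a three-item list. Move the Switch 2 block below those paragraphs or name the hosts explicitly, and say which Switch 2 host takes over the role of `http://ctest.cdn.nintendo.net`, since the new list has no counterpart for it.
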