kinnay / NintendoClients

Python package to communicate with Switch, Wii U and 3DS servers
MIT License
547 stars, 66 forks

How to get the pia key #100

Closed Lekuruu closed 1 year ago

Lekuruu commented 1 year ago

Hi, I am currently trying to find the Pia key for Splatoon 3 in a disassembler. Does anyone know how to do that, or if there is a list of all keys that I could use?

Thanks in advance!

Lekuruu commented 1 year ago

Okay, I have found a few potential tables that could work:

[
    517966977, 2076156138, 3156944431, 1392279027, 
    1535669767, 746078936, 3746051735, 2490522266, 
    1197348455, 1813139946, 1174316221, 1778071915, 
    1757782054, 3866397045, 4148372655, 500267802, 
    2979573152, 44000454, 4176862961, 2004162775, 
    4069669548, 2080056043, 1088634057, 364444114, 
    1692355202, 744708909, 45406316, 3152384625, 
    4141662163, 2626217471, 2114258207, 4084086713, 
    2903867526, 1093844953, 29194872, 314769080, 
    1957590462, 2543760698, 891649567, 3133008181, 
    2279349098, 1614064782, 2418243761, 162210088, 
    1914180683, 3012908348, 2377118007, 2769473451, 
    1039881898, 920232556, 2526915279, 1276322786, 
    87027582, 3071487929, 3387830236, 3861805263, 
    3873931091, 168785388, 2282261166, 779678384, 
    1528128356, 2280146407, 749641631, 2357301271
]

Potential Seeds:

[
    2420652491, 3788308201, 3054942013, 4213752340, 
    1730872620, 3190453914, 1152041732, 2252940819, 
    1117559046, 4019319888, 1412659864, 218027067, 
    3018089132, 147433756, 3749746152, 2406873748, 
    122136127, 1945369767, 1501805079, 2246449468, 
    1802020943, 1685172865, 3958934490, 90637503, 
    605959581, 92681710, 572891857, 553728892, 
    13928312, 3550435142, 910971431, 3298879234, 
    3219824328, 3342914186, 4154701112, 1643761394, 
    2933956885, 882615389, 2477610266, 2364878898, 
    4129153969, 1719807714, 700473546, 87927587, 
    3688197966, 4259202359, 4278398862, 1819112042, 
    462246235, 3720057519, 3641802684, 270483804, 
    203085914, 3450177585, 1949154683, 3854045904, 
    1770631348, 158091927, 3110436471, 1858406897, 
    4028138694, 3694849149, 4000915533, 3419881055
]

Potential Seeds:

[
    3556935466, 172666772, 1565813909, 486293806, 
    4073333995, 2856385351, 2363839894, 4173267499, 
    1841042590, 3350744482, 1059991010, 3047331805, 
    4080980707, 780803492, 1955156344, 2942473575, 
    2697001701, 1688375343, 1269212718, 4093746713, 
    3114162026, 2311622601, 1450204233, 360762866, 
    711180458, 3351701707, 1531397746, 762018647, 
    2945283724, 764106704, 3766874687, 2380278825, 
    147628581, 3541159978, 1585155267, 4080502482, 
    3563854972, 331826784, 913183074, 163616459, 
    1498681993, 719067270, 2638890788, 2214035550, 
    1593001377, 3955776682, 2906840257, 334807974, 
    2098353669, 3916658979, 2337572998, 3059657821, 
    2012642252, 1092809676, 3975031314, 2854477795, 
    3419879079, 1372750598, 102530819, 1629768507, 
    2277853986, 3367672999, 3805207970, 707004788
]

Potential Seeds:

The problem is they don't work. When I try to use the key to decrypt one of the packets, it either overflows the buffer because of a wrong payload size, or the output just doesn't make sense.

kinnay commented 1 year ago

Pia packets are encrypted with the session key, which depends on the network type (NPLN, LDN or LAN). See Pia Protocol. This is not the same as the game key, although the game key may be used to generate the session key.

There is not one specific way to find the game key, because it really depends on how the game is implemented. Some games simply store it as a string, while others use a RNG with a fixed seed to generate the key. There is a table here, but it is very incomplete.

Lekuruu commented 1 year ago

Yeah I have realized that a bit too late with the session key. Anyways, @0raffy0 may have found a game key in memory, but my session key implementation is probably wrong...

Here it is: 78deee82d86875782c40b15278f37815

Lekuruu commented 1 year ago

If you could write an example function that creates the session key, I would appreciate it! Also, I was wondering if the browse reply in Pia 6.25 contains the same session param at the end...

0raffy0 commented 1 year ago

(Attachment: full-game.zip) So... I'm the second guy that wants to decrypt the packets with Lekuruu. Basically, our situation is that we have a bunch of packets and the game-specific key. The packets are those attached to this message (it could be obvious to you, but you have to open them with Wireshark). And the game-specific key is this: 78deee82d86875782c40b15278f37815 (I'm 99.99% sure this is the right LAN-specific key). We read your documentation about the packet structure, but we still have some trouble decrypting them. Is the info that we have enough to decrypt the packets, or do we still need something? If we don't, could you tell us the process to decrypt the packets? Thanks in advance!

kinnay commented 1 year ago

@Lekuruu Sorry, I won't be writing any code for you. The information is on the wiki, so you should be able to do it yourself. However, I may be able to tell you what's wrong if you show me your code. Also, I haven't really looked into Pia 6.x. It's possible that they changed the algorithm.

@0raffy0 This looks like LAN mode. Unless Nintendo changed something, all you need to generate the session key are the browse reply, which is the third packet in your pcap, and the game-specific key. I think that you have enough information.

Lekuruu commented 1 year ago

@kinnay Thanks for your reply, and sorry if we annoyed you. It seems like Pia 6.25 has changed the browse request/reply quite a bit, but the session param should still be in the last 32 bytes. We will look into this ourselves now.
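
The two points kinnay and Lekuruu make above (the session key is not the game key; it is derived from the game-specific key plus the session param, which sits in the last 32 bytes of the browse reply, the third packet of the LAN capture) are easy to get wrong in exactly the way reported earlier in the thread, where a mis-sized payload produced garbage or an overflow. The block below is an added example written for this page; it is not code from NintendoClients, from kinnay, or from the posters. It walks a classic libpcap file (Ethernet/IPv4/UDP only), pulls the trailing 32 bytes of the chosen packet with a length check, and feeds them together with the 16-byte game key into a derivation step. The capture it parses is constructed inline (it is not the attached full-game.zip), and the derivation function uses HMAC-MD5 purely as a labelled placeholder: the actual session-key derivation is documented on the project's Pia Protocol wiki page and should be substituted there.

```python
import hashlib
import hmac
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
SESSION_PARAM_SIZE = 32      # per the thread: session param is the last 32 bytes of the browse reply


def udp_payloads(pcap: bytes) -> list:
    """Return [(src_port, dst_port, payload), ...] for every IPv4/UDP datagram
    in a classic libpcap file with Ethernet framing (no VLAN, no IPv6, no pcapng)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian libpcap file with Ethernet link type")
    out, off = [], 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":    # not IPv4
            continue
        ip = frame[14:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from(">H", ip, 2)[0]
        if ip[9] != 17 or len(ip) < ihl + 8:                   # not UDP / truncated
            continue
        udp = ip[ihl:total_len]
        src, dst, ulen, _csum = struct.unpack_from(">HHHH", udp, 0)
        out.append((src, dst, udp[8:ulen]))
    return out


def extract_session_param(pcap: bytes, browse_reply_index: int = 2) -> bytes:
    """Pull the trailing 32-byte session param out of the browse reply.
    Per the thread the browse reply is the third UDP packet (index 2); pass a
    different index if your capture is ordered differently."""
    packets = udp_payloads(pcap)
    if browse_reply_index >= len(packets):
        raise ValueError(f"capture holds only {len(packets)} UDP packets")
    payload = packets[browse_reply_index][2]
    # Check the size before slicing: a too-short payload would otherwise hand
    # back fewer bytes and surface later as a "wrong payload size" failure.
    if len(payload) < SESSION_PARAM_SIZE:
        raise ValueError("browse reply shorter than a 32-byte session param")
    return payload[-SESSION_PARAM_SIZE:]


def derive_session_key(game_key: bytes, session_param: bytes) -> bytes:
    """Combine game key and session param into the per-session key.
    ASSUMPTION: HMAC-MD5(game_key, session_param) is a placeholder used only to
    show that the two keys are distinct inputs; replace it with the derivation
    documented on the project's Pia Protocol wiki page."""
    if len(game_key) != 16:
        raise ValueError("game key must be 16 bytes (32 hex characters)")
    if len(session_param) != SESSION_PARAM_SIZE:
        raise ValueError("session param must be 32 bytes")
    return hmac.new(game_key, session_param, hashlib.md5).digest()


def _eth_ipv4_udp(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Wrap a UDP payload in minimal Ethernet/IPv4/UDP headers (checksums zeroed)."""
    udp = struct.pack(">HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 2]), bytes([192, 168, 1, 3])) + udp
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip


def build_pcap(frames) -> bytes:
    """Serialise Ethernet frames as a classic libpcap file."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        blob += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return blob


# Constructed sample capture (NOT the full-game.zip from the thread): a browse
# request, an unrelated datagram, and a fake browse reply whose last 32 bytes
# are a known session param.
CONSTRUCTED_PARAM = bytes(range(32))
SAMPLE_PCAP = build_pcap([
    _eth_ipv4_udp(b"\x01browse-request", 30000, 30000),
    _eth_ipv4_udp(b"\x02unrelated", 30000, 30000),
    _eth_ipv4_udp(b"\x03" + b"\x00" * 11 + CONSTRUCTED_PARAM, 30000, 30001),
])
# The game-specific key posted in the thread, hex string -> 16 raw bytes.
GAME_KEY = bytes.fromhex("78deee82d86875782c40b15278f37815")

if __name__ == "__main__":
    param = extract_session_param(SAMPLE_PCAP)
    print("session param:", param.hex())
    print("session key  :", derive_session_key(GAME_KEY, param).hex())
```

Wireshark saves in pcapng by default; this walker only reads the classic format, so export with "Save As" as pcap or convert with `editcap -F pcap in.pcapng out.pcap` first. If the third UDP packet in a real capture is not the browse reply (retransmitted requests, stray broadcasts), pass the correct index rather than trusting the position.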