Theme Shop support?

[KLanausse]

Never thought about it until now, but it would maybe be a good idea to add support for scraping the Theme Shop. Correct me if I'm wrong, but I believe that it will also go down along side with the eShop

[KLanausse]

Found these URLs after running strings on the Home Menu binary

https://npdl.cdn.nintendowifi.net/p01/nsa/%s/thmnews/%s/news
https://npdl.cdn.nintendowifi.net/p01/nsa/%s/thmtop/%s/%s/top
https://npdl.cdn.nintendowifi.net/p01/nsa/%s/thmlist/%s/%s/%d
https://npdl.cdn.nintendowifi.net/p01/nsa/%s/thmdtls/%s/%s/%08u

Now I just need to figure out what is being passed to it. I assume the first %s is the Region Actually, comparing with other nintendowifi.net URLs, it probably isn't

[neobrain]

Yes, that would definitely be interesting!

People have been bouncing some ideas around on IRC on how to access those endpoints. There's no clear conclusion yet, but it seems to involve SOAP requests and parsing BOSS containers? Not sure how deep the rabbit hole goes here, but if can find anything out about this that would definitely be useful. The URLs are a good starting point in any case :)

[KLanausse]

Got around to capturing my 3DS Network Packets and was able to get this

https://npfl.c.app.nintendowifi.net/p01/filelist/YapN7dMun6U6CVPx/thmdtls?c=US&l=en&a3=1&tm=4

User-Agent: PBOS-8.0/0000000000000000-0000000000000000/11.16.0-49U/62452/4

I redacted the section between PBOS-8.0/ and /11.16.0-49U ~as I believe that my console ID~ According to 3DBrew, its actually my LocalFriendCodeSeed

[KLanausse]

Yeah that was it. Using this User-Agent, I was able to download the eShop BGM

https://npdl.cdn.nintendowifi.net/p01/nsa/CtfKXACbUPl8s7lk/BGM1/US_BGM1?tm=4 US_BGM1.zip

[KLanausse]

It seems like most requests respond with a BOSS Container like you said. This would mean we would have to pass the KeySlot 0x38 to decrypt it. Could maybe use save3ds to do so

[neobrain]

Good findings! Not sure you already implied this, but conveniently the URL above can be accessed with the verbatim User-Agent you mentioned, i.e. there are no server-side checks for the LocalFriendCodeSeed:

curl --insecure -A "PBOS-8.0/0000000000000000-0000000000000000/11.16.0-49U/62452/4" https://npdl.cdn.nintendowifi.net/p01/nsa/CtfKXACbUPl8s7lk/BGM1/US_BGM1?tm=4 > US_BGM1

For reference, the BOSS container can be decrypted using:

dd if=US_BGM1 of=US_BGM1.content bs=40 skip=1
dd if=US_BGM1 of=US_BGM1.iv bs=1 skip=28 count=12
openssl enc -aes-128-ctr -nosalt -d -in US_BGM1.content -K <aeskey_0x38> -iv `xxd -p US_BGM1.iv`00000001 > US_BGM1.content.dec

[neobrain]

I'm not sure what magic exactly is going on there, but apparently you can just feed the decrypted SpotPass container into FFmpeg and it will turn it into a perfectly valid m4a that you can listen to:

ffmpeg -i US_BGM1.content.dec -codec:a aac US_BGM1.m4a

[www2000]

Do any one have the EU and JP versions of the eshop music?

[KLanausse]

Do any one have the EU and JP versions of the eshop music?

Sorry for the late response. Here are all the URLs

https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/7RW9z5Cb71Fpt1OE/BGM1/JP_BGM1
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/vD1TyxppgptrZdfK/BGM1/KR_BGM1
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/CtfKXACbUPl8s7lk/BGM1/US_BGM1
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/AH3oZwrEbne6qHCO/BGM1/EU_BGM1
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/kRlrRG3XMEZShz9a/BGM1/TW_BGM1
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/7RW9z5Cb71Fpt1OE/BGM2/JP_BGM2
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/vD1TyxppgptrZdfK/BGM2/KR_BGM2
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/CtfKXACbUPl8s7lk/BGM2/US_BGM2
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/AH3oZwrEbne6qHCO/BGM2/EU_BGM2
https://a248.e.akamai.net/f/248/103046/10m/npdl.c.app.nintendowifi.net/p01/nsa/kRlrRG3XMEZShz9a/BGM2/TW_BGM2

[www2000]

Any curl commants for downloading *_BGM2

[KLanausse]

Any curl commands for downloading *_BGM2

I don't think is currently possible Correction. There is nothing there

[KLanausse]

Random notice since the eShop has shutdown but I manually archived every Theme Category and Listing for the US region by hand ._. so they aren't lost.

[www2000]

Thanks can you post a link to this with the urls?

[KLanausse]

Thanks can you post a link to this with the urls?

Unfortunate news... I was planning on doing this after I fully removed any info that could identify my console, but just yesterday I had my external SSD's index structure corrupt on me and ended up losing both ThemeShop.har & ThemeShopPt1.chls. I (ironically) didn't get around to making a backup of them. I'll check if any data from them still exist on my ssd, but for now they are lost...

[KLanausse]

Thanks can you post a link to this with the urls?

Unfortunate news... I was planning on doing this after I fully removed any info that could identify my console, but just yesterday I had my external SSD's index structure corrupt on me and ended up losing both ThemeShop.har & ThemeShopPt1.chls. I (ironically) didn't get around to making a backup of them. I'll check if any data from them still exist on my ssd, but for now they are lost...

Just found out I did make a backup of them :]

[KLanausse]

Uploaded the .har here

[www2000]

Thank any plans that you upload ThemeShopPt1.chls?

[KLanausse]

Thank any plans that you upload ThemeShopPt1.chls?

Not really as ThemeShopPt1.chls is just an earlier version of ThemeShop.har

[www2000]

Thanks i was just wondering.