NWM Services

NWM Services

These NWM services are used for local-WLAN communications, NWM module handles regular wifi APs as well. These services are used for creating/connecting to networks, and for sending/receiving data over the network etc. NWM module uses the wifi SDIO hardware via the IO registers for this.

NWM local-WLAN service “nwm::UDS” #

Command HeaderAvailable since system versionDescription
0x000102C2Initialize Deprecated. Appears to be handled about the same way as NWMUDS:InitializeWithVersion, except this uses version=0x100 internally instead of loading it from the command request.
0x00020000Scrap Not used by sub-wars. This sets a state value to 0x2 then signals an event. This is probably some sort of shutdown command since this state write will result in all UDS commands returning an error if used afterwards.
0x00030000Finalize
0x00040402CreateNetwork Deprecated. Only used by very old titles.
0x00050040EjectClient
0x00060000EjectSpectator
0x00070080UpdateNetworkAttribute
0x00080000DestroyNetwork
0x00090442ConnectNetwork Deprecated. Only used by very old titles.
0x000A0000DisconnectNetwork
0x000B0000GetConnectionStatus
0x000C0000This writes two output u8 values to cmdreply[2] +0/+1. Not used by sub-wars.
0x000D0040GetNodeInformation
0x000E0006Identical to GetNodeInformationList. Deprecated, only used by old titles.
0x000F0404StartScan
0x00100042SetApplicationData
0x00110040GetApplicationData
0x00120100Bind
0x00130040Unbind
0x001400C0PullPacket
0x00150080SetMaxSendDelay(u64 unk) Not used by sub-wars.
0x00160040(u8 inputval) Unknown. Not used by sub-wars.
0x00170182SendTo
0x00180040(u16 inputval) Unknown. Not used by sub-wars.
0x00190040(u32 inputval) Unknown. Not used by sub-wars.
0x001A0000GetChannel
0x001B0302InitializeWithVersion
0x001C0040(u8 inputval) Unknown. Not used by sub-wars.
0x001D0044Unknown, > 2.0.0-2CreateNetwork2 This is a replacement for the original network-creation command.
0x001E0084Unknown, > 2.0.0-2ConnectNetwork2 This is a replacement for the original network-connection command.
0x001F0006Unknown, > 2.0.0-2GetNodeInformationList
0x00200040Unknown, > 2.0.0-2Flush (u8 data_frame_index) Unknown. Not used by sub-wars.
0x00210080Unknown, > 2.0.0-2SetProbeResponseParam
0x00220402Unknown, > 2.0.0-2ScanOnConnection
0x00230000Unknown, > 2.0.0-2This writes an output u16 value to cmdreply[2]. Unknown. Not used by sub-wars.

PullPacket is used for receiving data over the network and SendTo is for sending data over the network.

NWM infrastructure service “nwm::INF” #

Command HeaderDescription
0x00010000?
0x00020000?
0x00030000?
0x00040000?
0x00050000?
0x000603C4RecvBeaconBroadcastData
0x00070742ConnectToEncryptedAP
0x00080302ConnectToAP
0x00090000?
0x000A0000?
0x000B0000?, return event handle in cmdbuf[3]
0x000C0040?
0x000D0000?
0x000E0002?
0x000F0082?
0x00100040?

NWM socket service “nwm::SOC” #

Command HeaderDescription
0x00010042(u32 size, <static_buffer translate-hdr with static_buf_id=0>, addr) ?
0x00020080(u32 unk, u32 size) Unknown. Uses size=0x5F8 internally unless the input is <=0x5F8. Uses an ipc static_buffer(static_buf_id=0) for output with the specified size(also used when writing the translate-hdr). Writes an output u32 to cmdreply[2].
0x00030042(u32 unk, u32 size, <static_buffer translate-hdr with static_buf_id=0>, addr) ?
0x00040042(u32 size, u32 unk, <static_buffer translate-hdr with static_buf_id=1>, addr) ?
0x00050040(u32 unk) ?
0x00060080(u32 unk0, u16 unk1) ?
0x00070040(u16 unk) This writes an output u32 to cmdreply[2].
0x00080040GetMACAddress
0x00090000This just copies data from state to the cmdreply, this always returns 0. u32 cmdreply[2] = sharedmem_size, cmdreply[4] = sharedmem_handle, cmdreply[5] = eventhandle.
0x000A0040(u32 unk) ?
0x000B0040(u32 unk) This writes an output u32 to cmdreply[2].
0x000C0040(u32 unk) ?
0x000D0002( kernel_processid_translatehdr, u32 processid) ?

The only sysmodule which uses this is socket-sysmodule. The first command used by socket-module is cmd9.

NWM service “nwm::SAP” #

NWM local-WLAN StreetPass service “nwm::CEC” #

Command HeaderDescription
0x00060002Unknown, called by CECD module, cmdbuf[2] takes an event handle.
0x000D0082SendProbeRequest

NWM service “nwm::EXT” #

Command HeaderAvailable since system versionDescription
0x00010000<= 2.0.0-2?
0x00020000<= 2.0.0-2?
0x00030000<= 2.0.0-2?
0x00040040<= 2.0.0-2?
0x00050002<= 2.0.0-2?
0x00060000<= 2.0.0-2?
0x00070000<= 2.0.0-2This copies 0x1C-bytes from NWM-module state to the data starting at cmdreply[2].
0x00080040<= 2.0.0-2ControlWirelessEnabled
0x00090000<= 2.0.0-2?

NWM service “nwm::TST” #

BeaconDataReply Structure #

OffsetSizeDescription
0x00x4Max output size, from the command request.
0x40x4Total amount of output data written relative to struct+0. 0xC when there’s no entries.
0x80x4Total entries, 0 for none.
0xCBeacon entries.

Beacon entry:

OffsetSizeDescription
0x00x4Size of this entire entry. The next entry starts at curentry_startoffset+curentry_size.
0x40x1?
0x50x1AP wifi channel.
0x60x1?
0x70x1?
0x80x6AP MAC address.
0xE0x6?
0x140x4Size of this entire entry, games use this value to traverse the beacons list.
0x180x4Value 0x1C(size of this header and/or offset to the actual beacon data).
0x1CEntry_size - 0x1CThe actual beacon data is located here, starting at the 802.11 management frame header.

This section describes the structure returned by NWMINF:RecvBeaconBroadcastData and NWMUDS:RecvBeaconBroadcastData.

ScanInputStruct #

Index WordDescription
0Two unknown u16s.
1Two unknown u16s.
2-3Host MAC address. The 6-bytes located here are normally all 0xFF, for all hosts. Otherwise when not set to broadcast-MAC, the command will only return info for the specified host MAC address.
4-12Uninitialized for UDS.

This section describes the 0x34-byte input structure used by NWMINF:RecvBeaconBroadcastData and NWMUDS:RecvBeaconBroadcastData.

Local-WLAN #

UDS is used for 3DS<>3DS local-WLAN communications, and for 3DS<>Wii U communications. The latter is mainly only used for multi-player in games.

All UDS local-WLAN communications have the CCMP key for data encryption generated via NWM module. The CCMP key passed to nwm::CEC commands(stored in a 0x44-byte input structure) for StreetPass is generated by the CECD module. The input data used with EncryptDecryptAes with keytype1 is a MD5 hash over the input passphrase. This input passphrase is fixed for Download Play, it’s unique per local-WLAN application. The CTR is a MD5 hash over the below 0x10-byte structure. The output from encrypting that data with AES-CTR is the final CCMP key. This passphrase is a raw input buffer: while the passphrase specified by user-processes is normally a string with the NUL-terminator included, it can be anything(like the WirelessRebootPassphrase for example).

The maximum number of nodes(including the host) which can be on an UDS network is 16.

NodeID #

There are two types of client connections: regular Client, and Spectator. The latter never sends any 802.11 frame at all to the host, hence nothing actually connected to the network(including the host) can know about any spectators. Once a spectator is “connected” to a network, it can only receive broadcasted data, no sending.

DLP-client connects to the network as a spectator during DLP scanning to get various metadata including icon data.

NetworkNodeID #

This is the network u16 ID for each device on the UDS network. NodeID 0xFFFF is a broadcast alias. 0x1 is for the host, the 0x2 for the first client, 0x3 for the second client, and so on.

The spectator doesn’t have a NetworkNodeID, since it can’t send any data.

NetworkNodeIDs for clients do not change when any clients disconnect, likewise for the encrypted node-listing stored in the wifi beacons. When a client disconnects, the corresponding NetworkNodeID bit in the node_bitmask is cleared. When a client is connecting, the client is assigned the NetworkNodeID with the lowest corresponding clear-bit in the node_bitmask, then that bit is set.

BindNodeID #

This u32 is an ID only used on the local device. How many devices are on the network or which device this system is does not affect this ID.

The spectator uses BindNodeID 0x1. DLP uses BindNodeID 0x3 when connecting as an actual client. Hence, it seems BindNodeID bit0 is spectator-related. All normal nodes(host/client) start with BindNodeID 0x2. When connecting to a network again(and probably with network creation) without reinitializing NWMUDS, official user processes increase the used BindNodeID by 0x2.

BindNodeID value 0x0 is invalid. The maximum number of BindNodeIDs which can be open at the same time is 16.

Application data transfer #

The protocol used for sending/receiving data over the network with UDS by official applications is PRUDP(in some cases at least). Mario Kart 7 uses PRUDP here. Triforce Heroes uses plaintext for whatever protocol it uses for UDS.

The UDS version of PRUDP is different from the normal UDP version it appears(no afa1/a1af data for example).

Communication protocol #

The process of connecting to a host and exchanging data follows the sequence:

Client->Server: Authentication frame SEQ1

Server->Client: Authentication frame SEQ2

[There does not appear to be an association request frame sent by the client to the server, it is however possible that it was sent and just not captured by the test equipment]

Server->Client: Association Response frame with association id

[From here on, the client is connected to the server]

Client->Server: Encrypted data packet containing an 8-byte 802.2 LLC header with ethertype = EAPoL (0x888E) and an u16 header of 0x201 ( EAPoL-Start)

Server->Broadcast: Encrypted data packet containing the updated node information after the client connected (Using ethertype = SecureData).

Server->Client: Encrypted data packet containing an 8-byte 802.2 LLC header with ethertype = EAPoL (0x888E) and an u16 header of 0x0202( EAPoL-Logoff)

[From here on, data packets sent using SendTo are encapsulated with an LLC header with ethertype = 0x876D ( SecureData)]

[The client also sends periodic SecureData data frames on its own, these are probably ping frames]

Data frames #

Data is transferred over the network using NWMUDS:PullPacket/ NWMUDS:SendTo. That data is transferred using 802.11 data frames using CCMP encryption. The encrypted data contained in the frame starts with the 0x8-byte 🔗 LLC header, then the 0xE-byte NWM header, followed by the actual application data from the previously mentioned commands. When NWMUDS:SendTo was used with dst_NodeID = broadcast, the data frame is sent to the 802.11 broadcast MAC address. Otherwise with a specific NodeID, the data frame is sent to the actual MAC address for that device.

Official application data is normally stored here as big-endian.

Application data packets are sent to the host using 802.11 unicast, which then acts as a router and forwards the packet to the right destination node id based on the SecureData header using either broadcast or unicast, it is not yet known how it chooses which to use.

Special data channels #

ChannelDescription
0x101Used when broadcasting the updated node information after a new client connects.
0x103Used when sending what appears to be “ping” or “null” frames.
0x104Used to signal the ejection of all spectators in the network.

SecureData NWM header #

OffsetSizeDescription
0x00x2Size of the entire frame minus the 8 bytes from the LLC header.
0x20x2unknown
0x40x2Size of the entire frame minus 12 bytes.
0x60x2Data channel. Applications can only use the low 8 bits, channels greater than 255 are reserved for management functions.
0x80x2Sequence number, incremented after each sent packet.
0xA0x2Destination network node id
0xC0x2Source network node id

This data is stored as big-endian.

EAPoL-Start frame #

OffsetSizeDescription
0x00x2Always 0x201 in big-endian.
0x20x2Association id of the sending client in big-endian.
0x40x2Unknown. Always 0x1 in big-endian. The parser for this packet errors out if this is > 3.
0x60x2Unknown
0x80x28NodeInfo structure with all fields in big-endian

This data is stored as big-endian.

EAPoL-Logoff frame #

OffsetSizeDescription
0x00x2Always 0x202 in big-endian.
0x20x2Unknown. Always 0?
0x40x2Assigned network node id.
0x60x6Mac address of the newly connected client.
0xC0x4Unknown
0x100x2Unknown. Always 0.
0x120x1Number of connected nodes, including the new client.
0x130x1Max number of nodes.
0x140x2Always 0.
0x160x2Unknown.
0x180x280List of 16 NodeInfo structures with all fields in big-endian

This data is stored as big-endian.

Structure used for generating the CTR for CCMP key generation #

OffsetSizeDescription
0x00x4wlancommID
0x40x4networkID
0x80x6Host MAC address.
0xE0x2id8

This data is stored as little-endian.

CTR used for beacon tags crypto #

OffsetSizeDescription
0x00x6Host MAC address
0x60x4wlancommID
0xA0x1id8
0xB0x1Padding, value zero.
0xC0x4networkID

This data is stored as little-endian. All data here is all-zero except for the MAC address, when the u8 at offset 0x8 in the network-struct is 0.

Network structure #

OffsetSizeDescription
0x00x6This is the MAC address of the host. This is used for when connecting to the network.
0x60x1This is actually written as an u16 without byte-swapping. This is the network wifi channel. When connecting this is normally non-zero. When hosting, this can be 0 to automatically select a channel, otherwise the specified channel is used. When non-zero official user-processes require this value to be one of the following when hosting: 1, 6, or 11.
0x70x1Padding
0x80x1Initialized flag. Must be non-zero otherwise NWM-module will use value 0x0 for most/all(?) fields in this structure when reading these fields.
0xC0x3This is the OUI value for use with the beacon tags. Normally this is 001F32.
0xF0x1OUI type (21/0x15)
0x100x4wlancommID. Local-WLAN communication ID, normally this is: (user_process uniqueID << 8) | val. Where val is 0x10 on retail(ENVINFO bit0 set), 0x90 for devunit. Official software includes an input bool flag parameter for setting bit0 in this wlancommID, normally that flag isn't set. For Download Play, this is always 0x2810 on retail(0x2890 on devunit).

This wlancommID can have the side affect of region-locking when the title uses the uniqueID for the current title(hard-coded in .text normally), instead of using a fixed input uniqueID for each region of the title.

0x140x1id8. ID, for Download Play this is 0x55. 0x55/'U' seems to be used for networks where Wii U can host it(Download Play, Smash Bros, ...) - this value isn't known to be actually checked anywhere however.
0x150x1Number of times the network structure hash was updated.
0x160x2This network attributes u16 bitmask can be written via NWMUDS:UpdateNetworkAttribute. Bitmasks:

  • 0x1: When set, spectators are not allowed to connect(see here). Checked by official user-processes before using NWMUDS:ConnectToNetwork, when connecting as a Spectator. Must be clear otherwise that code returns error 0xE10113EA. If the initialized_flag at offset 0x8 is zero, this code handles it the same way as if this bit was set. The latest NWM-module handles checking this bit itself however.
  • 0x2: When set, new regular-clients are not allowed to connect.
  • 0x4: Unknown, has no affect on new clients/spectators connecting. Official software has an option for setting this bit via an input flag from the same code using bitmask 0x2. Official software always clears bitmask 0x6 when unblocking new connections.
0x180x4u32 networkID, randomly-generated when creating the network. The network SSID used when a client connects to the network is sprintf(out, "%08X", networkID).
0x1C0x1Total number of currently connected nodes, including the host.
0x1D0x1Maximum number of nodes, including the host. This also is the total number of entries stored under the array in the encrypted beacon data.
0x1E0xD?
0x2B0x14SHA1 hash of the network structure, starting at the OUI field (offset 0xC) and spanning SizeOfAppData + 0x34. The unused space of the app data buffer is not hashed.
0x3F0x1Size of appdata.
0x400xC8Appdata(Application data), if any. Size of the appdata is specified via the u8 at offset 0x3F. This data is not used when the size-field is zero.

This 0x108-byte structure is used for NWMUDS:BeginHostingNetwork, NWMUDS:ConnectToNetwork, etc. This data is stored as big-endian.

NodeInfo structure #

OffsetSizeDescription
0x00x8u64 ID, this is the UDS version of the FriendCodeSeed. This is loaded from BlkID 0x00090000 in the system-config via CfgS:GetConfigInfoBlk2.
0x80x14The first 0x18-bytes from BlkID 0x000A0000 in the system-config loaded via CfgS:GetConfigInfoBlk2 is written here by user-processes. However, the data at +0x14(absolute offset 0x1C) is written by NWM-module later.
0x1C0x2u16, unknown. Set to 0x0 with the output from NWMUDS:DecryptBeaconData.
0x1E0x1u8 flag, unknown. Originates from the u16 bitmask in the beacon node-list header. This flag is normally 0 since that bitmask is normally 0?
0x1F0x1Padding?
0x200x2u16 NetworkNodeID
0x220x6Normally zero?

The first 0x20-bytes are written by the user-process before using this structure with NWMUDS:InitializeWithVersion. The data starting at offset 0x8 is only initialized by NWM-module.

UDS Beacons #

The UDS host broadcasts a beacon containing at least two Nintendo-vendor tags(tag number 0xDD, see above for the OUI), normally the data stored in these tags are static. The second tag contains the big-endian u32 networkID, used by the clients when connecting to the host and for the above CCMP key generation. The Nintendo-vendor tag(s) following the first two are unique to the process using UDS, these tags are used for broadcasting metadata regarding the host.

A tool for these beacons is available here: 🔗 1

UDS Beacon Tags #

The following is the structure of each tag, starting at the OUI. The order of the tags is the same as listed below. All data stored under these tags are stored as big-endian.

OUI Type 20 #

OffsetSizeDescription
0x00x3OUI, see above.
0x30x1OUI type (20/0x14)
0x40x3Sample data: 0a 00 00

Normally the size of this tag(from the tag size field) is 0x07.

OUI Type 21 #

OffsetSizeDescription
0x00x1FThis is the network structure starting at offset 0xC, with the first 0x1F-bytes from there.
0x1F0x14SHA1 hash. When doing the hashing, this hash is cleared to zero. The hash data starts at offset 0x0(OUI), and the size is 0x34 + <value of the u8 at offset 0x33>.
0x330x1Size of appdata. Normally zero. When non-zero this appdata is located at offset 0x34.

Normally the size of this tag(from the tag size field) is 0x34, not including appdata.

OUI Type 24 #

OffsetSizeDescription
0x00x3OUI, see above.
0x30x1OUI type (24/0x18)
0x4See belowEncrypted data

This is the tag0 used with NWMUDS:DecryptBeaconData. The size of data stored under this tag has a maximum size of 0xFA-bytes, however normally the size is smaller than that. Additional encrypted data, if any, is stored under the below tag1.

OUI Type 25 #

OffsetSizeDescription
0x00x3OUI, see above.
0x30x1OUI type (25/0x19)
0x4See aboveEncrypted data

When this exists in the beacon, this is the tag1 used with NWMUDS:DecryptBeaconData. The data stored here is the 0xFA-bytes following the previous encrypted data in tag0, for more space for storing the encrypted data.

Encrypted beacon data #

The following structure is for the plaintext version of the encrypted data, stored as big-endian.

This data is encrypted with AES-CTR, by NWM module in software. The AES key is stored in NWM module itself. See above for the CTR. The size of this encrypted data is 0x12 + (0x1E*val), where val is the u8 from networkstruct offset 0x1D.

Structure #
OffsetSizeDescription
0x00x10MD5 over the rest of the data following this(plaintext).
0x100x2u16 bitmask. Unknown, normally 0? Bit0 is for entry0, bit1 for entry1, and so on.
0x120x1E * This is an array of entries for each of the devices on this network, the first entry is for the host and the rest is for the client(s).
Array entry #
OffsetSizeDescription
0x00x1CThis is the first 0x1C-bytes of the NodeInfo structure, stored as big-endian.
0x1C0x2u16 NetworkNodeID, stored as big-endian.

Each entry is for a node.

Mapped IO #

All of the IO mapped under the NWM-module process is listed below:

Userland addressPhysical addressSizeDescription
0x1EC220000x101220000x1000WIFI_Registers
0x1EC400000x101400000x1000PDN_Registers
0x1EE220000x103220000x1000

Errors #

Error codeDescription
0xC8A06C0DThe operation being performed is already done (e.g., if you run NWMEXT_ControlWirelessEnabled to turn wifi on when it’s on already, you can’t turn it on again).
0xC8A113EAReturned when the command isn’t allowed to be used on this device.
0xC90113FANode doesn’t exist / invalid NetworkNodeID?
0xC92113FBReturned when trying to connect to a host when the host has the specified connection-type blocked via the network attributes. There might be other causes too.
0xE10113E9Returned when the input size is invalid. Returned by NWMUDS:PullPacket when the input size is smaller than the frame_size.
0xE10113EAInvalid bind / data_channel is invalid(0x0).

Category:Services