# MHX DLC Key Negotiation (svanheulen/mhff GitHub Wiki)

## Key Negotiation Protocol

The 3DS Monster Hunter games use Blowfish to encrypt all the files available on their DLC servers. Before any DLC file can be accessed, the game performs an initial key negotiation with the DLC server to obtain that Blowfish key.

- Monster Hunter 4G and Monster Hunter 4 Ultimate use protocol version 1
- Monster Hunter X (v1.0.0-v1.2.0) uses protocol version 2
- Monster Hunter Generations and Monster Hunter X (v1.3.0) use protocol version 3
### Protocol Version 1

#### Request

```c
char protocol_version = 1;
char len;                        // length of service_locator_data
char service_locator_data[len];
int unknown = 1;
int unknown = 0;
int unknown = 0;
short unknown = 0;
char unknown = 0;
```

#### Response

```c
short key_len;
char blowfish_key[key_len];
short url_len;
char dlc_url[url_len];
```
#### Service Locator Data

The `service_locator_data` string is retrieved by the game using the `RequestServiceLocator` and `GetServiceLocatorData` functions of the `frd:u` service.

#### Blowfish Key

The `blowfish_key` is the key used to decrypt any files retrieved from the DLC server.
### Protocol Version 2

#### Request

```c
char protocol_version = 2;
char len;                        // length of service_locator_data
char service_locator_data[len];
int unknown = 1;
int unknown = 0;
int unknown = 0;
short unknown = 0;
char unknown = 0;
int client_nonce;
char client_hmac[32];
```

#### Response

```c
short key_len;
char encrypted_blowfish_key[key_len];
short url_len;
char dlc_url[url_len];
int server_nonce;
char server_hmac[32];
```
#### HMAC

HMAC-SHA256 is used to authenticate both the request and the response. The HMAC key is the SHA256 hash of the raw, network-byte-order bytes of a few values concatenated together. For the request, concatenate the user's friend key and the `client_nonce` that is sent in the request. For the response, do the same as for the request, but also append the `server_nonce` from the response.

#### Friend Key

The user's friend key is obtained with the `GetMyFriendKey` command of the `frd:u` service on your 3DS. The command actually returns four 32-bit integers, but only the first one is used.

#### Blowfish Key

In this and newer versions of the protocol the `encrypted_blowfish_key` is encrypted with AES128 in CBC mode. The key used to decrypt the Blowfish key is the concatenated, network-order bytes of the friend key, the `client_nonce` from the request, the `server_nonce` from the response, and finally the friend key again (four 32-bit values, giving the 16-byte AES128 key).
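The following is an added worked example of the v2 exchange described above, written for this page; it is not code from the mhff project. It serialises a request, derives the request and response HMAC keys and the AES128 key exactly as the HMAC and Blowfish Key sections specify (friend key and nonces packed as 4-byte network-order integers), parses a constructed response and rejects one whose `server_hmac` no longer verifies. The same builder and parser also handle the v1 layout (no nonce or HMAC) and the v3 layout (extra `rsa_pubkey` field). Assumptions not stated on the page: the wire format is packed big-endian, and each HMAC covers every byte of its message that precedes the HMAC field. All friend keys, nonces, URLs and key blobs are constructed values, and the AES-CBC decryption itself is not performed because the page does not give the IV.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Byte order: the page says the key material is packed in network (big-endian)
# order. Packing the wire format big-endian as well is an assumption made here.


def derive_hmac_key(friend_key: int, client_nonce: int,
                    server_nonce: Optional[int] = None) -> bytes:
    """SHA-256 of friend_key || client_nonce (request) or of
    friend_key || client_nonce || server_nonce (response), each a 4-byte big-endian int."""
    material = struct.pack(">II", friend_key, client_nonce)
    if server_nonce is not None:
        material += struct.pack(">I", server_nonce)
    return hashlib.sha256(material).digest()


def derive_aes_key(friend_key: int, client_nonce: int, server_nonce: int) -> bytes:
    """16-byte AES-128 key: friend_key || client_nonce || server_nonce || friend_key."""
    return struct.pack(">IIII", friend_key, client_nonce, server_nonce, friend_key)


def build_request(version: int, service_locator_data: bytes,
                  friend_key: int, client_nonce: int) -> bytes:
    """Serialise a v1/v2/v3 request. Assumption: client_hmac covers every byte before it."""
    if not 0 < len(service_locator_data) < 256:
        raise ValueError("service_locator_data must fit a one-byte length")
    body = struct.pack(">BB", version, len(service_locator_data)) + service_locator_data
    body += struct.pack(">IIIHB", 1, 0, 0, 0, 0)  # the five fixed 'unknown' fields
    if version == 1:
        return body
    body += struct.pack(">I", client_nonce)
    tag = hmac.new(derive_hmac_key(friend_key, client_nonce), body, hashlib.sha256).digest()
    return body + tag


def build_response(version: int, key_blob: bytes, dlc_url: bytes, friend_key: int,
                   client_nonce: int, server_nonce: int, rsa_pubkey: bytes = b"") -> bytes:
    """Server side, for the demo: length-prefixed fields, then nonce and HMAC (v2+)."""
    body = struct.pack(">H", len(key_blob)) + key_blob
    if version >= 3:
        body += struct.pack(">H", len(rsa_pubkey)) + rsa_pubkey
    body += struct.pack(">H", len(dlc_url)) + dlc_url
    if version == 1:
        return body
    body += struct.pack(">I", server_nonce)
    key = derive_hmac_key(friend_key, client_nonce, server_nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def _take(buf: bytes, off: int, n: int):
    if off + n > len(buf):
        raise ValueError("truncated response")
    return buf[off:off + n], off + n


def _take_prefixed(buf: bytes, off: int):
    raw, off = _take(buf, off, 2)          # 16-bit big-endian length prefix
    return _take(buf, off, struct.unpack(">H", raw)[0])


def parse_response(version: int, data: bytes, friend_key: int, client_nonce: int) -> dict:
    """Parse a response, verify server_hmac (v2+) and derive the AES key for the
    encrypted Blowfish key. Raises ValueError on truncation or a bad HMAC."""
    off = 0
    key_blob, off = _take_prefixed(data, off)
    out = {"blowfish_key" if version == 1 else "encrypted_blowfish_key": key_blob}
    if version >= 3:
        out["rsa_pubkey"], off = _take_prefixed(data, off)
    url, off = _take_prefixed(data, off)
    out["dlc_url"] = url.decode("ascii")
    if version == 1:
        return out
    raw, off = _take(data, off, 4)
    server_nonce = struct.unpack(">I", raw)[0]
    tag, off = _take(data, off, 32)
    if off != len(data):
        raise ValueError("trailing bytes after server_hmac")
    expected = hmac.new(derive_hmac_key(friend_key, client_nonce, server_nonce),
                        data[:off - 32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("server_hmac does not verify")
    out["server_nonce"] = server_nonce
    out["aes_key"] = derive_aes_key(friend_key, client_nonce, server_nonce)
    return out


def demo(version: int = 2) -> dict:
    """Round trip with constructed values (not real friend keys, nonces or DLC data)."""
    friend_key, client_nonce, server_nonce = 0x11223344, 0x01020304, 0xA0B0C0D0
    request = build_request(version, b"constructed-service-locator", friend_key, client_nonce)
    response = build_response(version, b"\xaa" * 16, b"http://example.invalid/dlc/",
                              friend_key, client_nonce, server_nonce,
                              rsa_pubkey=b"\xbb" * 270 if version >= 3 else b"")
    parsed = parse_response(version, response, friend_key, client_nonce)
    # Flip one bit inside the key blob: with v2+ the server HMAC must stop verifying.
    tampered = bytearray(response)
    tampered[2] ^= 0x01
    tamper_rejected = False
    try:
        parse_response(version, bytes(tampered), friend_key, client_nonce)
    except ValueError:
        tamper_rejected = True
    return {"request_len": len(request), "parsed": parsed, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    for v in (1, 2, 3):
        r = demo(v)
        print(v, r["request_len"], r["parsed"]["dlc_url"], r["tamper_rejected"])
```

Running `demo(1)` shows the practical difference between the versions: the v1 response carries no nonce or HMAC, so a modified key blob parses without complaint, whereas `demo(2)` and `demo(3)` reject it. The derived `aes_key` is what a client would feed to AES128-CBC, together with the IV the page leaves unspecified, to recover the Blowfish key.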
### Protocol Version 3

#### Request

```c
char protocol_version = 3;
char len;                        // length of service_locator_data
char service_locator_data[len];
int unknown = 1;
int unknown = 0;
int unknown = 0;
short unknown = 0;
char unknown = 0;
int client_nonce;
char client_hmac[32];
```

#### Response

```c
short bkey_len;
char encrypted_blowfish_key[bkey_len];
short rkey_len;
char rsa_pubkey[rkey_len];
short url_len;
char dlc_url[url_len];
int server_nonce;
char server_hmac[32];
```

#### RSA Public Key

This key is a 2048-bit RSA public key used to validate the signatures on any files retrieved from the DLC server.