# Wiimmfi Traffic Analysis: Decoding POST Data

This section of the notebook is dedicated to decoding the plaintext fields captured from the Wii's communications with the Wiimmfi network. While higher-level encryption (like TLS) has protected data on the Pretendo Network from being uncovered, the same cannot be said here, as the bulk of this data relies on simpler encoding methods like Base64.

### Script Purpose:

This script serves as a utility to decode a specific set of Base64-encoded values, which originate from raw POST data captured from the Wii's network communication.

* **`safe_base64_decode(value)` function:** This custom function handles Base64 decoding. It adds back the padding characters (`=`) that are often omitted from Base64 strings, and includes error handling (`try-except`, plus `errors='ignore'` on the UTF-8 step) so that malformed data does not crash the script; problematic inputs return `[Undecodable]`. This keeps decoding reliable even with imperfect capture data.
* **`raw_data` dictionary:** This dictionary represents a captured segment of network data, containing various parameters such as `gamecd` (game code), `passwd` (password), `token`, `macadr` (MAC address), `region`, `country`, and `action`. Each of these values is initially in a Base64-encoded string format.
* **Decoding Process:** The script iterates through each key-value pair in the `raw_data` dictionary, applying the `safe_base64_decode` function to convert the Base64 strings into their original, human-readable text.
* **Output:** The decoded key-value pairs are then printed, providing clear insight into the actual information being transmitted.

**Significance to the Project:**

This decoding process is crucial for cybersecurity analysis of aging network infrastructure, particularly in the case of retro gaming services. It highlights that even when higher-level encryption (like TLS) is in use for the main data flow (as observed in our Wireshark traces for Pretendo), **specific parameters or headers might still be simply encoded (not encrypted)**. The presence of fields like "passwd" (password) in such a form, given that Base64 is only an encoding, underscores the importance of verifying that these are *always* transmitted within an encrypted tunnel (e.g., inside an HTTPS/TLS connection) so that sensitive information is not easily readable by an eavesdropper. This demonstrates a practical step in uncovering and analyzing specific data points within network captures.

```python
import base64

def safe_base64_decode(value):
    # Restore the '=' padding that is missing from the captured values
    value += '=' * ((4 - len(value) % 4) % 4)
    try:
        # errors='ignore' drops bytes that are not valid UTF-8 instead of raising
        return base64.b64decode(value).decode('utf-8', errors='ignore')
    except ValueError:  # binascii.Error (malformed Base64) is a ValueError subclass
        return '[Undecodable]'

# Raw POST data (URL-decoded first) taken from a Wii network capture
# Note: In practice, this data would be captured from a network trace, not hardcoded
raw_data = {
    "gamecd": "UlZMLVJTQko",
    "rhgamecd": "UlNCUA",
    "passwd": "TGVOS1hUcFp5OVk0OHN3Sg",
    "token": "TkRTL1NWQ0xPQy9UT0tFTi80OS4xODAuMTA0LjExfEd2SWtUQWVNSWRjd2w2OWxyWlExUk5qdQ",
    "cfc": "NDEzNDA4MTg2MDY4NTM2Mw",
    "macadr": "MTgyYTdiODJhYWRi",
    "region": "MDI",
    "country": "QVU",
    "action": "Y291bnQ",
    "attr1": "c2V0dGluZw"
}

# Decode every field and print it as "key: value"
decoded = {k: safe_base64_decode(v) for k, v in raw_data.items()}
for k, v in decoded.items():
    print(f"{k}: {v}")
```


```text
gamecd: RVL-RSBJ
rhgamecd: RSBP
passwd: LeNKXTpZy9Y48swJ
token: NDS/SVCLOC/TOKEN/49.180.104.11|GvIkTAeMIdcwl69lrZQ1RNju
cfc: 4134081860685363
macadr: 182a7b82aadb
region: 02
country: AU
action: count
attr1: setting
```
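
The following is an added example, not part of the original notebook. It starts one step earlier, from a raw URL-encoded POST body, decodes each field strictly (rejecting anything that is not valid Base64 or UTF-8), and masks fields treated as sensitive so the audit output does not itself leak them. The sample body, the `SENSITIVE` set and the function names are assumptions constructed for illustration.

```python
import base64
import urllib.parse

# Assumption: field names treated as sensitive for this audit
SENSITIVE = {"passwd", "token", "macadr"}

def enc(text):
    """Encode like the captured values: Base64 with '=' padding stripped."""
    return base64.b64encode(text.encode()).decode().rstrip("=")

# Constructed sample body (not from a real capture); 'junk' is deliberately invalid
SAMPLE_BODY = urllib.parse.urlencode({
    "action": enc("count"),
    "passwd": enc("ExamplePassw0rd"),
    "macadr": enc("001122334455"),
    "region": enc("02"),
    "junk": "%%%",
})

def decode_field(value):
    """Strictly decode unpadded Base64 text; return None if it is not valid."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def audit_post_body(body):
    """Parse a form-encoded body and report which fields expose readable secrets."""
    findings = []
    for key, value in urllib.parse.parse_qsl(body, keep_blank_values=True):
        text = decode_field(value)
        exposed = key in SENSITIVE and text is not None
        # Mask all but the first two characters of sensitive values in the report
        shown = text[:2] + "*" * (len(text) - 2) if exposed else text
        findings.append({"field": key, "decoded": shown,
                         "valid_base64": text is not None,
                         "exposed_secret": exposed})
    return findings

if __name__ == "__main__":
    for f in audit_post_body(SAMPLE_BODY):
        flag = "SENSITIVE, readable without a key" if f["exposed_secret"] else ""
        print(f"{f['field']}: {f['decoded']} {flag}")
```

Unlike `safe_base64_decode`, the strict decoder never returns partially decoded text, which makes it easier to tell a genuinely Base64-encoded field from one that uses a different encoding.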
