Category PS4 CFW and Hacks       Thread starter PSXHAX       Start date Oct 11, 2019 at 1:52 AM       2,543       4            
Since his previous PSJoy Project for PC / Android devices and following the Chiaki free and open source PS4 Remote Play Client release from thestr4ng3r, PlayStation 4 homebrew developer @grill2010 recently updated his Github repository with RemotePlayPrototype... which is summarized as a 'quick and dirty tool to play around with the PS4 Remote Play protocol' for those who enjoy learning through tinkering. :geek:

Download: RemotePlayPrototype-master.zip / GIT

And from the README.md: RemotePlayPrototype info

Quick and dirty prototype to play around with the protocol. This is just a research project there is no support. If there are some enthusiastic reverse engineers out there it would be great if they could contribute to the project.

It was not implemented only by my own, we are a group of developers who are interested in making the remote play protocol open source. The base of the project was taken from https://github.com/grill2010/ps4-remote-play but it seems that the initial creator has unfortunately abandoned the project. I'm not a professional reverse engineer so in case you have some suggestions feel free to let us know.

And again, this is prototype code, it is ugly, and it could contain bugs.

Current status

INFO: REGISTER IS CURRENTLY NOT WORKING DUE RECENT FIRMWARE 7.0 UPDATE

The prototype is able to register with the PS4, it can perform the initial TCP handshake with the console and it can receive audio and video stream data. The streaming protocol uses a GMAC crypto context for incoming data and for outgoing data.

Unlike many other streaming services Sony also likes to encrypt their audio and video frames so you can't just process them unfortunately but you have to decrypt the payload in the video and audio frames at first.

Thanks to thestr4ng3r and his knowledge we were able to implement the GMAC logic and the connection will not be closed anymore from the PS4.

Furthermore he pointed out that the official PS4 Remote Play is using the jerasure library for the FEC. Particularly cauchy reed solomon. The FEC packages are the additional data in the video frame messages. FEC is also used for audio. In general almost all important information is available now to build a stable client.

General information

The registration and the initial handshake are performed via REST

Registration:
  • /sce/rp/regist
Please see class PS4RegistrationService method PairConsole. The registration uses a own AES crypto context. You can see how this is done in class CryptoService method GetRegistryAesKeyForPin. The pin is the number which you can obtain like this.

(If the link isn't working -> On your PS4 select [Settings] > [Remote Play Connection Settings] > [Add Device])

Connection:
  • /sce/rp/session
  • /sce/rp/session/ctrl
Please see class PS4ConnectionService method HandleSessionRequest and HandleControlRequest. The initial connection handshake uses another AES crypto context. You can see how this is done in class CryptoService method GetSessionAesKeyForControl. The rpKey is obtained from the registration process and the rpNonce is obtained from the response header of the /sce/rp/session GET request.

After the /sce/rp/session a ping pong thread is started in order to answer the keep-alive messages. See PingPongHandlerin class PS4ConnectionService.

The UDP protocol basically uses protobuf protocol from Google. The protobuf metadata were extracted with PROTOD. We used the Android libremote.so file and the RpCtrlWrapper.dll to extract this information. The corresponding protobuf classes can be found in RemotePlayPrototype/Ps4RemotePlayPrototype/Ps4RemotePlay/Protocol/Message/. The libremote.so file is normally obfuscated when you just try to extract it from the newest RemotePlay apk. The obfuscation was removed so that it can be used for further investigations.

More information about the UDP protocol can be found in the Information directory.

What is missing

The official PS4 Remote Play uses the jerasure library for the FEC correction (cauchy reed solomon). The library is mentioned in the license text of the official PS4 Remote Play project and after thestr4ng3r did some signature matching he found out which FEC mechanism they are using.

FEC is currently not implemented in this project. The FEC is needed to recover lost frame packets and to avoid fragments in the stream.

Which tools did you use?
RemotePlayPrototype PS4 Remote Play Protocol Tool by Grill2010.jpg
 

Comments

Recent Articles
Call of Duty: Modern Warfare & MediEvil Join New PS4 Games Next Week
Next week the PlayStation 4 gets some heavy hitters, including Call of Duty: Modern Warfare for PS4 on October 24th, and both MediEvil and The Outer Worlds on October 25th. šŸ˜ƒ Without further ado...
Sony Rumored to Unveil PS5 at PlayStation Meeting on February 12, 2020
Yesterday we saw the first PS5 DevKit Prototype Images, and although Sony confirmed the PlayStation 5 will launch during the Holiday 2020 season they haven't announced an official PS5 unveiling...
Leaked PS5 Dev Kit Prototype Images Surface from ZONEofTECH
Following the PS5 Development Kit Design Patent and PlayStation 5 Development Kit 3D Renders, this weekend ZONEofTECH shared some leaked Sony PS5 Dev Kit Prototype Images on Twitter with a video...
Sony Confirms PS5 Will Support PlayStation Now, New Controller Patent
In a recent interview with Famitsu Magazine, Sony's Yasuhiro Osaki confirmed that PlayStation 5 will support their digital streaming and downloading video game subscription service PlayStation...
Top