Category: PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Oct 11, 2019 at 1:52 AM | 3,923 | 4
Status: Not open for further replies.
Since his previous PSJoy Project for PC / Android devices and following the Chiaki free and open source PS4 Remote Play Client release from thestr4ng3r, PlayStation 4 homebrew developer @grill2010 recently updated his Github repository with RemotePlayPrototype... which is summarized as a 'quick and dirty tool to play around with the PS4 Remote Play protocol' for those who enjoy learning through tinkering. :geek:

Download: RemotePlayPrototype-master.zip / GIT

And from the README.md: RemotePlayPrototype info

Quick and dirty prototype to play around with the protocol. This is just a research project; there is no support. If there are some enthusiastic reverse engineers out there, it would be great if they could contribute to the project.

It was not implemented only by myself; we are a group of developers who are interested in making the remote play protocol open source. The base of the project was taken from https://github.com/grill2010/ps4-remote-play, but it seems that the initial creator has unfortunately abandoned the project. I'm not a professional reverse engineer, so in case you have some suggestions feel free to let us know.

And again, this is prototype code, it is ugly, and it could contain bugs.

Current status

INFO: REGISTER IS CURRENTLY NOT WORKING DUE TO THE RECENT FIRMWARE 7.0 UPDATE

The prototype is able to register with the PS4, it can perform the initial TCP handshake with the console and it can receive audio and video stream data. The streaming protocol uses a GMAC crypto context for incoming data and for outgoing data.

Unlike many other streaming services, Sony also likes to encrypt their audio and video frames, so you can't just process them; unfortunately, you have to decrypt the payload in the video and audio frames first.

Thanks to thestr4ng3r and his knowledge we were able to implement the GMAC logic, and the connection will not be closed anymore by the PS4.

Furthermore, he pointed out that the official PS4 Remote Play is using the jerasure library for the FEC, particularly Cauchy Reed-Solomon. The FEC packets are the additional data in the video frame messages. FEC is also used for audio. In general, almost all important information is available now to build a stable client.

General information

The registration and the initial handshake are performed via REST

Registration:
  • /sce/rp/regist
Please see class PS4RegistrationService, method PairConsole. The registration uses its own AES crypto context. You can see how this is done in class CryptoService, method GetRegistryAesKeyForPin. The pin is the number which you can obtain like this.

(If the link isn't working -> On your PS4 select [Settings] > [Remote Play Connection Settings] > [Add Device])

Connection:
  • /sce/rp/session
  • /sce/rp/session/ctrl
Please see class PS4ConnectionService, methods HandleSessionRequest and HandleControlRequest. The initial connection handshake uses another AES crypto context. You can see how this is done in class CryptoService, method GetSessionAesKeyForControl. The rpKey is obtained from the registration process and the rpNonce is obtained from the response header of the /sce/rp/session GET request.

After the /sce/rp/session request, a ping-pong thread is started in order to answer the keep-alive messages. See PingPongHandler in class PS4ConnectionService.

The UDP protocol basically uses the protobuf protocol from Google. The protobuf metadata were extracted with PROTOD. We used the Android libremote.so file and the RpCtrlWrapper.dll to extract this information. The corresponding protobuf classes can be found in RemotePlayPrototype/Ps4RemotePlayPrototype/Ps4RemotePlay/Protocol/Message/. The libremote.so file is normally obfuscated when you just try to extract it from the newest Remote Play APK. The obfuscation was removed so that it can be used for further investigations.

More information about the UDP protocol can be found in the Information directory.

What is missing

The official PS4 Remote Play uses the jerasure library for the FEC correction (Cauchy Reed-Solomon). The library is mentioned in the license text of the official PS4 Remote Play project, and after thestr4ng3r did some signature matching he found out which FEC mechanism they are using.

FEC is currently not implemented in this project. The FEC is needed to recover lost frame packets and to avoid fragments in the stream.

Which tools did you use?
[Image: RemotePlayPrototype PS4 Remote Play Protocol Tool by Grill2010]
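The README above describes a GMAC crypto context for incoming data and a separate one for outgoing data, and notes that the console closed the connection until the client produced valid tags. The following is an added example, not code from RemotePlayPrototype, Chiaki or the post: it shows in Go what such per-direction GMAC contexts look like (AES-GCM with an empty plaintext, so only an authentication tag is produced over the packet bytes) and models the receive side dropping any packet whose tag does not verify. The keys, the nonce layout (8-byte direction prefix plus 32-bit sequence number), the packet struct and the sample frames are all constructed for the demonstration and are not the PS4 protocol's real key derivation or wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// GmacContext is one direction's authentication state. A client keeps two
// (console-to-client and client-to-console), each with its own key and nonce
// prefix, so a tag computed for one direction never verifies in the other.
// Key and nonce layout are constructed for this example only.
type GmacContext struct {
	aead        cipher.AEAD
	noncePrefix [8]byte // fixed per direction for the life of the session
}

// NewGmacContext builds a GMAC context (AES-GCM used with an empty plaintext)
// from a 16-byte AES key and an 8-byte per-direction nonce prefix.
func NewGmacContext(key []byte, prefix [8]byte) (*GmacContext, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return &GmacContext{aead: aead, noncePrefix: prefix}, nil
}

// nonce derives the 12-byte GCM nonce from the direction prefix and the packet
// sequence number. A (key, nonce) pair must never be reused for two different
// packets, so sequence numbers must not repeat within a session.
func (c *GmacContext) nonce(seq uint32) []byte {
	n := make([]byte, 12)
	copy(n, c.noncePrefix[:])
	binary.BigEndian.PutUint32(n[8:], seq)
	return n
}

// Tag authenticates a packet without encrypting it: with no plaintext and the
// packet as additional authenticated data, Seal returns only the 16-byte tag.
func (c *GmacContext) Tag(seq uint32, packet []byte) []byte {
	return c.aead.Seal(nil, c.nonce(seq), nil, packet)
}

// Verify reports whether tag was produced for exactly this packet, sequence
// number and direction. Open on an empty ciphertext succeeds iff the tag matches.
func (c *GmacContext) Verify(seq uint32, packet, tag []byte) bool {
	_, err := c.aead.Open(nil, c.nonce(seq), tag, packet)
	return err == nil
}

// Packet is a constructed stand-in for one stream datagram: sequence number,
// (still encrypted) payload and its GMAC tag.
type Packet struct {
	Seq     uint32
	Payload []byte
	Tag     []byte
}

// AcceptValid models the receive side: packets whose tag verifies under the
// incoming-direction context are passed on; everything else is dropped.
func AcceptValid(recv *GmacContext, pkts []Packet) (accepted [][]byte, dropped int) {
	for _, p := range pkts {
		if recv.Verify(p.Seq, p.Payload, p.Tag) {
			accepted = append(accepted, p.Payload)
		} else {
			dropped++
		}
	}
	return accepted, dropped
}

// RunDemo sets up both directional contexts with constructed keys, builds four
// packets of which two are bad (one tampered in flight, one tagged with the
// wrong direction's context) and returns how many the receiver accepted/dropped.
func RunDemo() (int, int) {
	var c2c, cl2c [8]byte
	copy(c2c[:], "cons2cli")
	copy(cl2c[:], "cli2cons")
	consoleSend, _ := NewGmacContext([]byte("demo-key-c2c-16b"), c2c)  // constructed key
	clientSend, _ := NewGmacContext([]byte("demo-key-cl2c16b"), cl2c) // constructed key
	clientRecv, _ := NewGmacContext([]byte("demo-key-c2c-16b"), c2c)  // receiver side of c2c

	pkts := []Packet{
		{Seq: 1, Payload: []byte("frame-1"), Tag: consoleSend.Tag(1, []byte("frame-1"))},
		{Seq: 2, Payload: []byte("frame-2"), Tag: consoleSend.Tag(2, []byte("frame-2"))},
		{Seq: 3, Payload: []byte("frame-3"), Tag: clientSend.Tag(3, []byte("frame-3"))},
		{Seq: 4, Payload: []byte("frame-4"), Tag: consoleSend.Tag(4, []byte("frame-4"))},
	}
	pkts[1].Payload[0] ^= 0x01 // tamper with packet 2 after it was tagged

	accepted, dropped := AcceptValid(clientRecv, pkts)
	return len(accepted), dropped
}

func main() {
	accepted, dropped := RunDemo()
	fmt.Printf("accepted %d packets, dropped %d\n", accepted, dropped)
}
```

Two design points carry over to any client built on this protocol: the receive context must be keyed independently of the send context so a tag can never be reflected back, and the sequence number feeding the nonce must never repeat under one key, because GCM/GMAC loses its integrity guarantee on nonce reuse.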