Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 / PS5 PKGs.
PS4 CFW and Hacks       Thread starter PSXHAX       Start date Oct 11, 2019 at 1:52 AM       4      
Not open for further replies.
Since his previous PSJoy Project for PC / Android devices and following the Chiaki free and open source PS4 Remote Play Client release from thestr4ng3r, PlayStation 4 homebrew developer @grill2010 recently updated his Github repository with RemotePlayPrototype... which is summarized as a 'quick and dirty tool to play around with the PS4 Remote Play protocol' for those who enjoy learning through tinkering. :geek:

Download: / GIT

And from the RemotePlayPrototype info

Quick and dirty prototype to play around with the protocol. This is just a research project there is no support. If there are some enthusiastic reverse engineers out there it would be great if they could contribute to the project.

It was not implemented only by my own, we are a group of developers who are interested in making the remote play protocol open source. The base of the project was taken from but it seems that the initial creator has unfortunately abandoned the project. I'm not a professional reverse engineer so in case you have some suggestions feel free to let us know.

And again, this is prototype code, it is ugly, and it could contain bugs.

Current status


The prototype is able to register with the PS4, it can perform the initial TCP handshake with the console and it can receive audio and video stream data. The streaming protocol uses a GMAC crypto context for incoming data and for outgoing data.

Unlike many other streaming services Sony also likes to encrypt their audio and video frames so you can't just process them unfortunately but you have to decrypt the payload in the video and audio frames at first.

Thanks to thestr4ng3r and his knowledge we were able to implement the GMAC logic and the connection will not be closed anymore from the PS4.

Furthermore he pointed out that the official PS4 Remote Play is using the jerasure library for the FEC. Particularly cauchy reed solomon. The FEC packages are the additional data in the video frame messages. FEC is also used for audio. In general almost all important information is available now to build a stable client.

General information

The registration and the initial handshake are performed via REST

  • /sce/rp/regist
Please see class PS4RegistrationService method PairConsole. The registration uses a own AES crypto context. You can see how this is done in class CryptoService method GetRegistryAesKeyForPin. The pin is the number which you can obtain like this.

(If the link isn't working -> On your PS4 select [Settings] > [Remote Play Connection Settings] > [Add Device])

  • /sce/rp/session
  • /sce/rp/session/ctrl
Please see class PS4ConnectionService method HandleSessionRequest and HandleControlRequest. The initial connection handshake uses another AES crypto context. You can see how this is done in class CryptoService method GetSessionAesKeyForControl. The rpKey is obtained from the registration process and the rpNonce is obtained from the response header of the /sce/rp/session GET request.

After the /sce/rp/session a ping pong thread is started in order to answer the keep-alive messages. See PingPongHandlerin class PS4ConnectionService.

The UDP protocol basically uses protobuf protocol from Google. The protobuf metadata were extracted with PROTOD. We used the Android file and the RpCtrlWrapper.dll to extract this information. The corresponding protobuf classes can be found in RemotePlayPrototype/Ps4RemotePlayPrototype/Ps4RemotePlay/Protocol/Message/. The file is normally obfuscated when you just try to extract it from the newest RemotePlay apk. The obfuscation was removed so that it can be used for further investigations.

More information about the UDP protocol can be found in the Information directory.

What is missing

The official PS4 Remote Play uses the jerasure library for the FEC correction (cauchy reed solomon). The library is mentioned in the license text of the official PS4 Remote Play project and after thestr4ng3r did some signature matching he found out which FEC mechanism they are using.

FEC is currently not implemented in this project. The FEC is needed to recover lost frame packets and to avoid fragments in the stream.

Which tools did you use?
RemotePlayPrototype PS4 Remote Play Protocol Tool by Grill2010.jpg


Not open for further replies.