Discovered a METHOD for UPDATING outdated Games

Status
Not open for further replies.

guily6669

GbaTemp is my Drug
Member
Joined
Jun 3, 2013
Messages
2,360
Trophies
1
Age
34
Location
Doomed Island
XP
2,165
Country
United States
Was a part of a team for Remote Play on all android devices for the PS4. Was able to play my PS4 on my S7 edge at a park with my PS4 at home.
You mean the one from XDA forum? It's a patched Sony remote app, I have no luck with it using my crap ADSL and crap router...

Even some PC remote apps still work better with lower latency and jitter than the PS4 remote from Sony.

Anyway I don't understand why don't you just post the method so ppl can try... I'm on 3.02 and wanted to update Zelda.
 

Deleted-442439

Guest
(quoting guily6669's reply above)

It is confirmed fake, it is technically impossible, check the link I posted above, SciresM will give us the details for this exact situation.
 

Sephirosu

Well-Known Member
Member
Joined
Jan 28, 2015
Messages
266
Trophies
0
Age
34
Location
Boca Raton, Florida
XP
436
Country
I'm hoping one of the main developers in the Switch community will give me the go-ahead on releasing a how-to.

I wanted to be sure that when the info is released, everyone has the opportunity to benefit, before the method is fixed, for example.


Well technically a Dev (SciresM himself) said that it's impossible to do that so in a way it's kind of like saying "go ahead show me proof". Not trying to sound snarky btw. Just really curious how you did it when a Dev said it's impossible :x
 
Last edited by Sephirosu,

Deathscreton

Well-Known Member
Member
Joined
Oct 1, 2009
Messages
826
Trophies
0
XP
1,092
Country
United States
Speaking of SciresM, if he wants to communicate on the subject I'm here. Let him know.
He's literally here on the thread with us. All you have to do is message him, or post here as you've done.

At this point, you're at a crossroads. You've pissed off the main reader portion of GBATemp in a bait and switch tactic gone wrong, you've got a respected Dev calling you out on your shit with technical reasoning as to why you're bluffing, and you're stalling for time. I'm legitimately interested in what you have to say at this point.
 

Leonidas87

Well-Known Member
OP
Member
Joined
Jul 15, 2014
Messages
651
Trophies
0
Location
Toronto, Ontario
Website
www.youtube.com
XP
960
Country
Canada
(quoting Sephirosu's reply above)

And if Scires is incorrect in his assumption (if he really did give his input), what if my method allows for a 5.0.0 exploit using a similar method?

The video is timestamped on YouTube almost ready for public viewing. Making a second one as we speak.

Does everyone want the VIDEO????

Does everyone want to see my findings????

Stay glued to your seats, ladies and gentlemen.

Let SciresM know I'm sure he'd be interested.
 
  • Like
Reactions: WaterFox

yardie

Banned!
Banned
Joined
Mar 27, 2016
Messages
1,334
Trophies
1
XP
1,549
Country
United States
(quoting Leonidas87's post above)
time to go the fck away man
 

Mnecraft368

I hate my name.
Member
Joined
Aug 8, 2015
Messages
1,763
Trophies
0
XP
3,351
Country
United Kingdom
(quoting Leonidas87's post above)
Ok then show us...
 

SciresM

Developer
Developer
Joined
Mar 21, 2014
Messages
973
Trophies
3
Age
33
XP
8,301
Country
United States
Here's the high level overview of the "updating a game on your console" process:
  • Your console contacts Nintendo to see if there is an update available. It does this by contacting the "sun" (System Update Notification? Also a dual pun with the "beach/ocean" theme the servers have this time) and "aqua" servers, to see what the current system update for online is, and the required system updates are to go online. That these are different servers is why the "grace period" exists -- aqua updates a few days after sun, typically, and so even though your console knows there is a system update available it will not make you update to go online until aqua says you must.
  • Once your console decides that it is allowed to go online, it contacts the "dauth" server (Device Authorization) in order to get an OAuth token required to use all of the other online services. This authentication process requires your console pass both the system version and a hardcoded, per-firmware hex string (?system_version=%08x&client_id=%s). These are both validated to be correct in order for your console to get a token.
  • Once your console is authenticated, it contacts "pushmo", Nintendo's server for push notifications, downloading [your device ID].json. This describes new things that your console should download (updates, etc). Pushmo validates the token that gets sent to it.
  • If there's an update (or if your console has specifically requested to update a title), your console will begin downloading it.
  • Your console will download the CNMT (CoNtent MeTadata -- it's the equivalent of a TMD for the 3ds, but stored inside of an NCA) for the update from the "atum" server.
  • Your console will decrypt and parse the CNMT, which lists the other NCAs. If an update has previously been downloaded, it will download a number of "Delta" NCAs, which will describe how to transform the already downloaded NCA content into the new NCA content (Because updates will often share the same titlekey, this can lead to some minor bandwidth savings. However, when new masterkeys release, they typically change the titlekey to a new one which causes this to be kinda pointless. You win some, you lose some). If an update has not been previously downloaded, the plain NCAs for the new content will be downloaded.
  • Your console will check the NCA headers to see what Rights IDs are required to play the update. Rights IDs are essentially "handles" to titlekeys -- every rights ID corresponds exactly to one titlekey, globally. Typically, there is one Rights ID per (title ID, master key revision) combination. I'll also observe that that's pointless because titlekeys get transformed by master key-derived data when decrypted *anyway*, so they don't actually need to change the Rights IDs, but whatever.
  • Your console will request from the CDN the tickets for those Rights IDs -- first it will try to obtain a common ticket, and then if that fails it will try to obtain a "personalized" ticket from "ecs" (ECommerce Services). Once both the contents are downloaded, and the tickets are downloaded, the update is installed.
Cool, so that's the process. Let's see why this thread is not possible:

First, your console must decide for itself that it's allowed to go online. sun and aqua both require your console's unique client cert to talk to, and use SSL -- you would need to patch the SSL module to interfere with this process. But let's suppose that the author of the thread has done so, with some secret 4.1.0 hax that he has that I don't know about, for the sake of argument.

Your console must then successfully authenticate with the dauth server. This requires it to know secret information stored in sysmodule NSOs in the latest sysupdate. Thus, for you to do this, you would need to have both patched the SSL sysmodule to disable verification, and patched the system's authentication code to send the correct data and user agents. This would require you to have dumped the code for the latest system update. You'll understand, I hope, if I simply do not believe you have done those things.

If you've done that patching correctly, the rest of the process should go totally smoothly -- you'd run into problems with "ecs", but since all updates use common tickets you don't have to worry about that.

However, your process is not one you're claiming is based on secret 4.1.0 haxx. I do not believe you have developed the relevant system patches, nor that you've dumped the 5.x sysmodule code required to know the secrets you need to authenticate. Hence: this thread's claims are not possible.
 
Last edited by SciresM,
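The gate SciresM walks through above, modelled end to end as an added example. This is not SciresM's code and not Nintendo's: the server names (sun, aqua, dauth, pushmo) come from the post, but every value (the firmware numbers and their packing into one 32-bit field, the client_id strings, the HMAC token format, the device ID and the title label) and the dauth/pushmo validation logic are assumptions constructed for the illustration. It shows the point of the argument: even if the console's local sun/aqua check is patched out, dauth refuses a token unless the caller presents the per-firmware client_id that only the matching sysmodule code contains, and nothing after that step (pushmo, CNMT, NCAs, tickets) can begin.

```python
# Toy model of the update gate SciresM walks through above.  Added example:
# not SciresM's code and not Nintendo's.  Every constant below (firmware
# numbers, the 32-bit packing of a version, client_id strings, the HMAC token
# format, the title label) is constructed for illustration; no real server,
# key material or wire format is reproduced.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# "sun": newest firmware that exists.  "aqua": oldest firmware still allowed
# online.  aqua lags sun, which is the grace period the post describes.
SUN_LATEST_VERSION = 0x05000000
AQUA_REQUIRED_VERSION = 0x04010000

# dauth checks BOTH ?system_version=%08x and &client_id=%s.  The client_id is
# a per-firmware secret baked into that firmware's sysmodules, so the server
# only has to know the pairs it shipped.  Hypothetical strings.
KNOWN_CLIENT_IDS: Dict[int, str] = {
    0x04010000: "c0ffee00deadbeef",
    0x05000000: "0badf00d1badb002",
}

_TOKEN_KEY = secrets.token_bytes(32)  # server-side token-signing secret (constructed)


def sun_aqua_check(console_version: int) -> Tuple[bool, bool]:
    """Step 1: (update_available, allowed_online) as sun and aqua would answer."""
    return (console_version < SUN_LATEST_VERSION,
            console_version >= AQUA_REQUIRED_VERSION)


def dauth_issue_token(system_version: int, client_id: str, device_id: str) -> Optional[str]:
    """Step 2, server side: validate the (system_version, client_id) pair, then
    hand out a bearer token bound to the device.  None means 'rejected'."""
    if KNOWN_CLIENT_IDS.get(system_version) != client_id:
        return None                      # spoofed version or stale/unknown client_id
    if system_version < AQUA_REQUIRED_VERSION:
        return None                      # model assumption: dauth enforces aqua too
    body = f"{device_id}:{system_version:08x}"
    tag = hmac.new(_TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def pushmo_fetch(token: Optional[str], device_id: str) -> Optional[dict]:
    """Step 3, server side: pushmo verifies the token before serving
    [device_id].json, so a forged or borrowed token gets nothing."""
    if token is None:
        return None
    body, _, tag = token.rpartition(":")
    expected = hmac.new(_TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or not body.startswith(device_id + ":"):
        return None
    return {"device_id": device_id, "pending_updates": ["title_A_v2"]}  # constructed manifest


def console_update_attempt(console_version: int, client_id: str, device_id: str,
                           patched_online_check: bool = False) -> str:
    """Client side: walk steps 1-3 and report where the attempt stops.

    patched_online_check=True models the 'secret hax' SciresM grants for the
    sake of argument: the console ignores sun/aqua and talks to dauth anyway.
    Steps 4-8 (CNMT, NCAs, rights IDs, tickets) only start after pushmo answers.
    """
    _update_available, allowed_online = sun_aqua_check(console_version)
    if not allowed_online and not patched_online_check:
        return "blocked_by_aqua"          # console refuses to go online at all
    token = dauth_issue_token(console_version, client_id, device_id)
    if token is None:
        return "dauth_rejected"           # no token => no pushmo, no CNMT, no update
    manifest = pushmo_fetch(token, device_id)
    if manifest is None:
        return "pushmo_rejected"
    if not manifest["pending_updates"]:
        return "nothing_to_download"
    return "download_started:" + ",".join(manifest["pending_updates"])


if __name__ == "__main__":
    old_fw, old_id = 0x03000200, "f00dfeed00000302"   # constructed 3.0.2-style pair
    print(console_update_attempt(old_fw, old_id, "DEV-0001"))                                  # blocked_by_aqua
    print(console_update_attempt(old_fw, old_id, "DEV-0001", patched_online_check=True))       # dauth_rejected
    print(console_update_attempt(0x05000000, old_id, "DEV-0001", patched_online_check=True))   # dauth_rejected
    print(console_update_attempt(0x05000000, KNOWN_CLIENT_IDS[0x05000000], "DEV-0001"))        # download_started:title_A_v2
```

Running it directly prints the four outcomes. The third call is the interesting one: the console lies about its version and skips the local online check, and still ends at dauth_rejected because it cannot produce the 5.0.0 client_id. Only the last call, a console that really runs the current firmware, gets as far as a pushmo manifest and a download.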

MachRc

Well-Known Member
Member
Joined
Nov 30, 2017
Messages
162
Trophies
0
XP
1,140
Country
United States
[image: thereitis.gif]
 
  • Like
Reactions: Mnecraft368

Biuz

Well-Known Member
Newcomer
Joined
Jan 19, 2017
Messages
47
Trophies
0
Location
Ravioli, IT
XP
268
Country
Italy
(quoting SciresM's post above)
We finally got some reality on this clearly fake thread, peace.
 
Last edited by Biuz,

Mnecraft368

I hate my name.
Member
Joined
Aug 8, 2015
Messages
1,763
Trophies
0
XP
3,351
Country
United Kingdom
(quoting SciresM's post above)
And now, mods close the thread.
Thanks for clearing that up @SciresM
 
  • Like
Reactions: KiiWii

Leonidas87

Well-Known Member
OP
Member
Joined
Jul 15, 2014
Messages
651
Trophies
0
Location
Toronto, Ontario
Website
www.youtube.com
XP
960
Country
Canada
(quoting SciresM's post above)

SciresM, is that really you?

Been waiting all day for your input.

Glad you're here and I appreciate your insight. I'll clarify my findings really soon. All I asked from the community was to be patient.
 