iQue Player hacking possibility with ique_diag.exe?

[Krem Quay]

Kevinpuerta's CD?

 

[emoose]

hxxp://gbatemp.net/threads/so-im-going-to-buy-an-ique-64-depot-machine-possibility-of-dumping-or-modding-the-ique-with-this.465442/

Not sure if that's just a normal iQue@Home CD or not, interested in finding out about it though.

 

[Krem Quay]

https://archive.org/details/iQuehomeCDROM

You did see this one, right?

 

[emoose]

Yeah I only saw that just after posting lel, grabbing it now. Do you know if this disc came as a pack-in with USB iQues?

Kevins looks like it could be the "iQue USB Cable Upgrade", saw that mentioned in a few places (hxxp://www.gamespot.com/articles/nintendo-ique-goes-online/1100-6111231/) but haven't seen any pics of it before, makes sense though since his USB connects to the AV instead of the miniUSB, maybe his disc has something extra on it for doing the upgrade through that AV port.

 

[Krem Quay]

I'm not entirely sure about the origin of the disc but I know that when I talked to HNKii on Tieba Baidu for uploading the iQue CD-ROMs, he willingly posted it. iQue only produced three CD-ROMs, and they all circulated online by now. It probably is included with that thing he posted (iQue Player?). I'd say it most likely is the same, but we never know, so maybe he can dump an iso of that disc.

 

[HNKii]

Hmm, I guess if the encryption is figured out I'd probably just post a tool for it and let others decide how to release them, that'd probably be the safest option (we're not anywhere near that yet though but I'm hoping Kevinpuerta's CD could have some surprises for us)

Yeah I did see talk about that mystery game, would be sweet if we can get somewhere with that.
Right now I'm not sure if we'd be able to just decrypt any app using a common key or if we'd need a matching eticket for it though... with Wii/3DS the eticket contains the encryption key IIRC, could be the same here too but I'm not really sure.


Most likely, I saw you guys work out that it was an RPG, and since they only released first-party games I can't really think of any other first-party RPG besides MM that isn't already on there.

(but who knows, perhaps cracking the iQue crypto and decrypting that mystery game is how Miyamoto wanted Ura Zelda to be released? )

21061 Is not the cancelled game Majora's Mask. Krem Quay found a number of Majora's Mask related images under the ID 21031

Also, I made a few interesting discoveries from the ticket file dumped from iQue Player contents dumped using the diag tool:
https://imgur.com/a/Dpk1q

(These are all the files dumped using commands GI thru GU)
The ticket file is the largest, and there are a significant number of lines of zeroes between blocks of non zero HEX values.
The ticket data seems messy, but is actually quite easy to locate each game.
To do that, you will need to convert the official name of the games(Chinese) into HEX values using the GB2312 formula.
(Conversion tool avaliable here: http://tool.haooyou.com/code?group=convert&type=strToHex&charset=GB2312. Type/paste the game name on the top textbox and click the blue button)
For instance, the game name "神游马力欧" (Super Mario 64) is C9F1 D3CE C2ED C1A6 C5B7 in HEX.
Search for the HEX value in the entire ticket file and you will find two results: One at the end of a non-zero HEX collection (Followed by nothing or just the game's ISBN), or followed by the HEX values B2D9 D7F7 D6B8 C4CF --That's the GB2312 code for “操作指南” (Control guide)--As I mentioned before, all manuals are considered paid(non-trial licence) games on the iQue Player.

I'm now working on splitting the non-zero region of the ticket file into individual ticket files. The ticket region for each individual game seems to be unequal in Length, but they all seem to have the same strings "Root-CPCA00000108-CP00000110" and "Root-XSCA00000107-XS0000010". Also, most game and manual ticket files end in an ISBN (Right after the game's name in GB2312), but some do not have that (Ending right in the game's name)
In case anyone's interested, I'm sharing the files obtained by using the GET command: http://www.mediafire.com/file/k7p8b9k8efvr56y/iQuePlayerHNKrar.zip
For your information, I have all 14 iQue Player games purchased, so there should be 26 permanent(non-trial) tickets. (Every game except Custom Robo and Animal Crossing has a manual)

--------------------- MERGED ---------------------------

hxxp://gbatemp.net/threads/so-im-going-to-buy-an-ique-64-depot-machine-possibility-of-dumping-or-modding-the-ique-with-this.465442/

Not sure if that's just a normal iQue@Home CD or not, interested in finding out about it though.

I believe it's just an iQue@Home CD.
I doubt the disk has varying contents as a new disk would require a new ISBN from the government, and AFAIK iQue only has 3 ISBN numbers for CD-ROMs: The iQue GBASP disk, the iQue DS disk, and the iQue@Home CD.
I'll try to ask about the iQue player cable that connect both the AV and the USB input. I personally don't have one of them but I know a number of people that do.
Edit: It's likely that the cable is just for power supply purposes. The AV input for the iQue Player is also the power input.

 

[emoose]

Oh right, doesn't look like there's any content available to download under that 21031 ID neither

Wonder what other game 21061 could be then, can't really think of any other Nintendo-developed RPGs that could fit, but I admit I'm not really much of an N64 enthusiast so maybe I'm missing something.

Also individual tickets are different sizes because of the compressed images inside, if you go to 0x44 in the ticket (0x48 in tickets.sys, because of 4 byte numTickets field) the next 4 bytes are the thumb image length and title image length (2 bytes for each, big-endian), add those together + 0x1586 should be the ticket length.

If you have hex workshop installed I've wrote up some structures for it here: hxxp://pastebin.com/V1RRpgqh
To open in hex workshop save that as tickets.hsl, then click the 'select structure library' button, choose the tickets.hsl, go to 0x0 in the tickets file and click the 'add structure' button (the + icon in the pic) then choose tagETICKET_DB (pic: hxxp://i.imgur.com/Te9faLn.png)

I also wrote up a C# tool for reading them, the code is a bit messy to release atm but I'll probably be open-sourcing it soon, seems to work well though (output for your tickets file: hxxp://pastebin.com/YDZF9BJf)

Also many thanks for the share, I grabbed it before from a different link you posted, was extremely helpful

I'm not entirely sure about the origin of the disc but I know that when I talked to HNKii on Tieba Baidu for uploading the iQue CD-ROMs, he willingly posted it. iQue only produced three CD-ROMs, and they all circulated online by now. It probably is included with that thing he posted (iQue Player?). I'd say it most likely is the same, but we never know, so maybe he can dump an iso of that disc.

Hmm, yeah it's probably the same like you said, would be best to make sure though.. could just be a rare disc or something (can barely find anything about the USB Upgrade Kit thing besides news sites anyway, but I haven't tried searching in chinese though)

(edit: just saw HNKii's edit too, that kinda sucks about the CDs, was really hoping it could be something special But still I wouldn't mind a dump just to be sure though
I didn't actually notice it was USB+AV hah, looked like it was just AV to me but now I see the miniUSB connector, I guess USB+AV does make more sense too
I wonder how the USB-update gets sent to it though, doesn't seem like there's any signal coming through the USB on my non-updated unit, hm..)

(edit2: if anyone's interested in what I'm working on atm: hxxp://i.imgur.com/2xgTnBJ.png - still a lot more work to go though!)

(edit3: related to above, is there anyone here who can connect to their iQue with the ique_diag tool, and could do a quick test with my DiagExtender mod?
It won't affect your iQue at all, all it does is print some values that I need from ique_diag.exe memory after using BBCInit.
If you don't mind testing it please PM me!)

 

[Krem Quay]

Why doesn't your unit work, @emoose ? Also, thank you very much for helping us work on this. This is like the perfect Christmas present.

--------------------- MERGED ---------------------------

ALso, i talked to @HNKii via QQ (China of Skype), and he told me that iQue Players only connect to 32-bit Windows systems. A workaround could be using Windows XP on VMware. I assume you're using 64-bit, @emoose ?

 

[emoose]

AFAIK it's one of the early ones without USB support, Taobao seller failed to mention it
Gonna try seeing if I can update it manually soon, saw a few things about connecting an RPi to a NAND, and seems most NANDs work the same way so it should work out hopefully.

Only thing I'm kinda worried about is the ECC code (a sorta checksum on every 512 bytes in the NAND), no idea what algorithm they use and I haven't found anything in the exes about recalculating it yet...
Could mean it gets calculated by the iQue itself, which would mean no way of modifying the NAND externally ; _ ;

But if I can get a raw NAND dump of an updated iQue it should have all the correct ECC codes already, so I'm hoping I can get this DiagExtend mod working soonish so that someone might help me out with a dump.

And no problem, glad I can be of help
I've actually been working on this stuff on and off for the past month or so, probably should have posted about it sooner, but I guess this is perfect timing really

Also yeah I'm on Win10 x64, plugging it in doesn't show any new devices for me, did try using an XP VM but even then there's no option for a passthrough or anything showing up...
Actually I haven't even tried a different USB cable yet lol, I probably should before I go getting out the soldering iron.

Pretty sure this is an early model though, card mentions 181003 which I guess is Oct 2003, kinda weird that it wouldn't be updated already though since there's 5 unlocked games on here...

 

[Krem Quay]

@emoose Are you sure it's a hardware fault? Have you tried installing the latest iQue@Home on your 32-bit XP (like from the installer and not just launching iQu@home) with all the drivers included? HNK doesn't believe that the iQue Player doesn't have USB support. Does it have a USB port?

 

[emoose]

@emoose Are you sure it's a hardware fault? Have you tried installing the latest iQue@Home on your 32-bit XP (like from the installer and not just launching iQu@home) with all the drivers included? HNK doesn't believe that the iQue Player doesn't have USB support. Does it have a USB port?

Yeah it does have the port, saw a few places mention that it needs an update for USB though, hxxp://retroactive.be/personal/ique/ says

Here's how you put games onto it:

- Kiosk/depot in China
- USB standard cable and custom software on Windows PC

The latter required an updated device software which was only possible to get from a kiosk. Since there are no more kiosks anymore, you must send the device to iQue China to have it upgraded.

IIRC I also saw somewhere that said only 2004+ models came with USB support built in, also just checked my manual and it doesn't even mention a USB cable being included neither
Maybe I just got unlucky with the iQue lottery... (did just look up the iQue release date though and it looks like mine could be part of the first batch )

I didn't actually try installing iQue@Home on the XP VM though, figured it'd show a "found new hardware" thing if it was working, I'll have to try it out properly later.

 

[HNKii]

Yeah it does have the port, saw a few places mention that it needs an update for USB though, hxxp://retroactive.be/personal/ique/ says

IIRC I also saw somewhere that said only 2004+ models came with USB support built in, also just checked my manual and it doesn't even mention a USB cable being included neither
Maybe I just got unlucky with the iQue lottery... (did just look up the iQue release date though and it looks like mine could be part of the first batch )

I didn't actually try installing iQue@Home on the XP VM though, figured it'd show a "found new hardware" thing if it was working, I'll have to try it out properly later.

When you turn on the iQue Player, what is displayed on the main menu?

This is from my iQue Player when I made the screenshot earlier this year(I don't have access to it now) If you have the 4 colored characters 神游在线 on the top left corner then your iQue Player is bundled with iQue@Home support.
According to iQue updates can be done from the user. The disk contents from the iQue@Home CD （神游加油装）should work as an updator.

 

[KevinLSX]

My ique disc seems to be the ique@home from their website, put on a disc.

Yes, the av port cable is to get power using the usb cable.

--------------------- MERGED ---------------------------

And I do recall there being and exe program for updating. Crashes for me. Probably cause my pc is 64 bit

 

[emoose]

When you turn on the iQue Player, what is displayed on the main menu?

This is from my iQue Player when I made the screenshot earlier this year(I don't have access to it now) If you have the 4 colored characters 神游在线 on the top left corner then your iQue Player is bundled with iQue@Home support.
According to iQue updates can be done from the user. The disk contents from the iQue@Home CD （神游加油装）should work as an updator.

Yeah looks like mine is missing that also no date display on the top right, instead looks like mine is showing space used on the bottom where yours doesn't? hxxp://i.imgur.com/bFQJNZ3.jpg

Guess my iQue really never has been updated, which is weird because it has 5 unlocked games...

I'll have to try out the I@H CD later, how do updates work with I@H anyway? I just open the client and it'll ask or should I run the updater.exe?

My ique disc seems to be the ique@home from their website, put on a disc.

Yes, the av port cable is to get power using the usb cable.

Ah dang, well thanks for the offer to dump it earlier anyway

 

[Krem Quay]

I don't know how they work. I thought since you had the latest, it wouldn't matter?

 

[emoose]

I don't know how they work. I thought since you had the latest, it wouldn't matter?

Oh I meant system updates lol, I guess the client will tell me if it can update my iQue, updater.exe looks like its for the client itself

 

[Krem Quay]

Will your unit have working USB support soon? To me, it sounds like you're making progress

 

[emoose]

I'll try testing out that CD with the VM tomorrow (pretty late here atm), hope that'll work so I won't have to go messing with the raw NAND and crap...

If not though I probably won't try anything else till after christmas, probably after boxing day (27th or so)

and if I can't get anywhere with that I guess I'll have to order another one from Taobao, I did see a few there which were actually dated in 2004 but none of them had AV cables etc, only one I could find that did was this one and it just had to be an early model ; _ ;

Anyway thanks for all the help again guys hope we can get somewhere with this soon!

 

[Krem Quay]

Yeah, and even if it takes a while, it will be worth it. I hope we get somewhere soon as well.

 

[HNKii]

Yeah looks like mine is missing that also no date display on the top right, instead looks like mine is showing space used on the bottom where yours doesn't? hxxp://i.imgur.com/bFQJNZ3.jpg

Guess my iQue really never has been updated, which is weird because it has 5 unlocked games...

I'll have to try out the I@H CD later, how do updates work with I@H anyway? I just open the client and it'll ask or should I run the updater.exe?


Ah dang, well thanks for the offer to dump it earlier anyway

Man, that is sure an old version... that's quite rare.
The second option is the old iQue Club registration tool which is not available on the newer version anymore.
Since my iQue Player has the newest version pre-installed, I do not know how to do the update exactly. But I once read that the purpose of the 神游加油装 is to update iQue Player systems to the latest version without the use of a depot system(In other words, iQue@Home should be able to detect an un-updated model)