PlayStation 2
The PlayStation 2 is a video game console created by Sony.
DNAS
"DNAS" (Dynamic Network Authentication System) is a proprietary authentication system created by Sony Computer Entertainment Inc. ("SCEI").
DNAS retrieves information about a user’s hardware and software for authentication,
copy protection, account blocking, system, rules, or game management and other purposes.
The information collected does not identify the user personally. A publisher can combine
this information with personally identifying information from the publisher’s records if
the user provides the personally identifying information. Before providing any personal
information to a publisher please be sure to review the publisher’s privacy policy and
terms and conditions of use. Do not provide personally identifying information to a
publisher unless you accept the conditions of use and terms of their privacy policy.
SCEI, Sony Computer Entertainment America ("SCEA") and their affiliates cannot guarantee
the continuous operation of the "DNAS" servers. SCEA shall not be liable for any delay or
failure of the "DNAS" servers to perform.
On April 4, 2016, SCEI discontinued the official DNAS servers, thus forcefully taking down hundreds of multiplayer game titles with them.
Official DNAS server domains:
- gate1.us.dnas.playstation.org
- gate1.jp.dnas.playstation.org
- gate1.eu.dnas.playstation.org
Status Codes
DNAS status code definitions:
- -101 to -108: Authentication
- -201 to -204: Downloading
- -401 to -404: Hardware
- -601 to -625: Network
- -701 to -703: Unique ID
- -800 to -1099: Unexpected
Possible resolutions for errors -402 or -403:
- Most likely mod chip related. Try disabling the mod chip.
Possible resolutions for errors -611 or -612:
- Related to a firewall issue or network with closed ports.
- Try opening the suggested ports.
Code | Name | Description |
---|---|---|
-101 | sceDNAS2_SS_SERVER_BUSY | DNAS server is busy. "DNAS Error (-101) The network authentication server is busy. Please try again later." |
-102 | sceDNAS2_SS_BEFORE_SERVICE | DNAS authentication service period has not started for this title. "DNAS Error (-102) This software title is not in service." |
-103 | sceDNAS2_SS_OUT_OF_SERVICE | DNAS authentication service period has ended for this title. "DNAS Error (-103) This software title is not in service." |
-104 | sceDNAS2_SS_END_OF_SERVICE | All DNAS services have stopped. "DNAS Error (-104) The network authentication server is not in service." |
-105 | sceDNAS2_SS_SESSION_TIME_OUT | Session timeout. "DNAS Error (-105) Connection to the network authentication server has timed out. Please try again later." |
-106 | sceDNAS2_SS_INVALID_SERVER | DNAS library (PS2) received an invalid server response. "DNAS Error (-106) A network authentication system error has occurred." |
-107 | sceDNAS2_SS_INTERNAL_ERROR | DNAS library (PS2) internal error while authenticating with the DNAS server. "DNAS Error (-107) A network authentication system error has occurred." |
-108 | sceDNAS2_SS_EXTERNAL_ERROR | DNAS server received corrupted data. "DNAS Error (-108) A network authentication system error has occurred." |
-201 | sceDNAS2_SS_DL_NODATA | This title does not have a data download service. "DNAS Error (-201) A download error has occurred." |
-202 | sceDNAS2_SS_DL_BEFORE_SERVICE | Data download service has not started for this title. "DNAS Error (-202) A download error has occurred." |
-203 | sceDNAS2_SS_DL_OUT_OF_SERVICE | Data download service has ended for this title. "DNAS Error (-203) A download error has occurred." |
-204 | sceDNAS2_SS_DL_NOT_UPDATED | No new download data. "DNAS Error (-204) A download error has occurred." |
-401 | sceDNAS2_SS_INVALID_PS2 | Invalid PS2 hardware. "DNAS Error (-401) A PS2 hardware information error has occurred." |
-402 | sceDNAS2_SS_INVALID_MEDIA | Invalid disc. "DNAS Error (-402) A PS2 disc information error has occurred." |
-403 | sceDNAS2_SS_INVALID_AUTHDATA | Invalid or corrupted disc authentication data. "DNAS Error (-403) A PS2 disc information error has occurred." |
-404 | sceDNAS2_SS_INVALID_HDD_BINDING | Current PS2 and HDD combination is different than registered combination. "DNAS Error (-404) A PS2 hardware information error has occurred." |
-601 | GLUE_ABORT | A network connection was aborted. "DNAS Error (-601) A network error has occurred." Please double-check your network connection and/or network configuration. |
-602 | NET_PROXY | Proxy server error. "DNAS Error (-602) A network error has occurred." Please double-check your network connection and/or network configuration. |
-603 | NET_TIMEOUT | Connection timed out. "DNAS Error (-603) Connection timed out." Please try connection again at a later time. |
-610 | NET_SSL | An SSL session error occurred. "DNAS Error (-610) A network error has occurred." Please double-check your network connection and/or network configuration. |
-611 | NET_DNS_HOST_NOT_FOUND | The DNS resolver did not recognize the DNAS server host name. "DNAS Error (-611) A network error has occurred." Please double-check your network connection and/or network configuration. |
-612 | NET_DNS_TRY_AGAIN | The DNS resolver cannot be found. "DNAS Error (-612) A network error has occurred." Please double-check your network connection and/or network configuration. |
-613 | NET_DNS_NO_RECOVERY | The DNS resolver response is invalid. "DNAS Error (-613) A network error has occurred." Please double-check your network connection and/or network configuration. |
-614 | NET_DNS_NO_DATA | The DNS resolver found no IP address for the DNAS server host name. "DNAS Error (-614) A network error has occurred." Please double-check your network connection and/or network configuration. |
-615 | NET_DNS_OTHERS | Other DNS resolver-related errors. "DNAS Error (-615) A network error has occurred." Please double-check your network connection and/or network configuration. |
-616 | NET_EISCONN | A server connection already exists from this client IP address. "DNAS Error (-616) A network error has occurred." Please double-check your network connection and/or network configuration. |
-617 | NET_ETIMEOUT | A network timeout occurred. "DNAS Error (-617) A network error has occurred." Please double-check your network connection and/or network configuration. |
-618 | NET_ECONNREFUSED | The connection was refused (the server is not running). "DNAS Error (-618) A network error has occurred." Please double-check your network connection and/or network configuration. |
-619 | NET_ENETUNREACH | The network destination is unreachable. "DNAS Error (-619) A network error has occurred." Please double-check your network connection and/or network configuration. |
-620 | NET_ENOTCONN | The network connection is down. "DNAS Error (-620) A network error has occurred." Please double-check your network connection and/or network configuration. |
-621 | NET_ENOBUFS | An out-of-memory error occurred. "DNAS Error (-621) A network error has occurred." Please double-check your network connection and/or network configuration. |
-622 | NET_EMFILE | Unable to create any more network connections. "DNAS Error (-622) A network error has occurred." Please double-check your network connection and/or network configuration. |
-623 | NET_EBADF | The title requested a network connection using an invalid value. "DNAS Error (-623) A network error has occurred." Please double-check your network connection and/or network configuration. |
-624 | NET_EINVAL | The title requested a network function using invalid options. "DNAS Error (-624) A network error has occurred." Please double-check your network connection and/or network configuration. |
-625 | NET_OTHERS | Other network-related errors. "DNAS Error (-625) A network error has occurred." Please double-check your network connection and/or network configuration. |
-626 | "Connection to the DNAS server failed." The server and port the client attempted connecting to is closed. | |
-701 | sceDNAS2_SS_ID_NOUSE | The title does not use the unique *category* ID feature. "DNAS Error (-701) A software category error has occurred." |
-702 | sceDNAS2_SS_ID_CAT_NOT_EXIST | The specified unique *category* ID category does not exist. "DNAS Error (-702) A software category error has occurred." |
-703 | sceDNAS2_SS_ID_NOT_JOIN_TO_CAT | The title does not belong to the specified unique *category* ID category. "DNAS Error (-703) A software category error has occurred." |
832 | Unregistered title ID. Incorrect title ID in SYSTEM.CNF. Using the wrong regional DNAS library, thus talking to the wrong DNAS server. Using the production server (debug=0) without DNS redirection. | |
-848 | Unregistered title ID. Incorrect title ID in SYSTEM.CNF. Using the wrong regional DNAS library, thus talking to the wrong DNAS server. Using the production server (debug=0) without DNS redirection. | |
-848 | Wrong authentication data or passphrase. | |
-833 | Region Error. | |
-840 | Server is down, try again later. | |
-864 | Invalid media, Invalid DNAS Disc ID, Media Error e.g. using CD-R and DVD-R discs against the production server, or using manufactured discs against the development server. | |
-880 | PS2 hardware incompatibility. | |
-881 | PS2 hardware incompatibility. |
Service Revival
The shutdown of DNAS caused hundreds of multiplayer titles to go offline with it. The community has gone above and beyond to try to revive many game servers.
Since SCEI discontinued DNAS, there have been a few replacement services out there, such as:
Name | Primary DNS | Secondary DNS | Website |
---|---|---|---|
Cristian | 45.7.228.197 | 0.0.0.0 | https://ps2online.com |
Bobz | 66.66.23.98 | 0.0.0.0 | http://bobzent.info |
Outbreak | 173.198.207.99 | 0.0.0.0 | http://obsrv.org |
MGO | 192.3.217.61 | 192.3.217.162 | https://snake.savemgo.com |
TM:BO | 173.198.252.240 | 0.0.0.0 | http://173.198.252.240 |
SWBFSpy | 66.85.14.80 | 0.0.0.0 | http://www.swbfgamers.com |
These public services each run a DNAS replacement server; however, it is far more convenient to run a Docker containerized version instead.
More information regarding game servers here: https://docs.google.com/spreadsheets/d/1bbxOGm4dPxZ4Vbzyu3XxBnZmuPx3Ue-cPqBeTxtnvkQ
Medius
Medius (SCE-RT) was a networking engine that most top-title games implemented as the underlying protocol for their multiplayer modes. There is very little documentation for it, so it is not fully understood, and the parts we do know had to be reverse-engineered.
Medius uses Textbook RSA (512-bit) in conjunction with a custom RC4 or RCQ algorithm for encryption.
Factored public key:
p = 0xDFB02A1599450D529CEF34774EDAA76F0D46663B42469476D45AA764B0CDC98D
q = 0xE16B03F8AC618A461B545D8697949C8597EC9306D03F82D950257A9E0013D0E9
d = 0x5CB0A1743310A44CC64F5A26965D2485A3DB53B2A3CE436A208E3024DD7721E1FFB72135F578033ED5D6A8B58B4013FF616A47CADB6072B5752495EBF2A7B7F1
Where p and q are the prime numbers, and d is the private exponent.
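The listed parameters can be checked for internal consistency, and the unpadded ("textbook") construction examined, in a few lines of Python. This is an added example, not code from the original page or from any Medius implementation: p, q and d are copied from this page, e = 17 is the publicExponent this page lists for the key, and the function names and sample messages are constructed for illustration.

```python
from math import gcd

# p, q, d as listed on this page; e is the page's publicExponent (17).
P = 0xDFB02A1599450D529CEF34774EDAA76F0D46663B42469476D45AA764B0CDC98D
Q = 0xE16B03F8AC618A461B545D8697949C8597EC9306D03F82D950257A9E0013D0E9
D = 0x5CB0A1743310A44CC64F5A26965D2485A3DB53B2A3CE436A208E3024DD7721E1FFB72135F578033ED5D6A8B58B4013FF616A47CADB6072B5752495EBF2A7B7F1
E = 17
N = P * Q  # modulus


def key_is_consistent() -> bool:
    """d must invert e modulo lcm(p-1, q-1), and n = p*q must be 512 bits."""
    lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
    return N.bit_length() == 512 and (E * D) % lam == 1


def textbook_encrypt(m: int) -> int:
    """Unpadded RSA: c = m^e mod n. Deterministic, no randomness added."""
    if not 0 <= m < N:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def scale_ciphertext(c: int, k: int) -> int:
    """Return Enc(k*m mod n) given only Enc(m). Unpadded RSA is multiplicative,
    so it provides no integrity: a ciphertext can be changed without the key."""
    return (c * pow(k, E, N)) % N


def integer_root(value: int, k: int) -> int:
    """Floor of the k-th root of a non-negative integer (binary search)."""
    lo, hi = 0, 1 << (value.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= value:
            lo = mid
        else:
            hi = mid - 1
    return lo


def exposed_without_key(m: int) -> bool:
    """True when m^e < n: no modular reduction occurs, so the ciphertext is an
    ordinary e-th power and its integer root is the plaintext."""
    return integer_root(textbook_encrypt(m), E) == m


if __name__ == "__main__":
    sample = int.from_bytes(b"constructed sample", "big")  # constructed input
    c = textbook_encrypt(sample)
    print("key consistent:     ", key_is_consistent())
    print("round trip ok:      ", textbook_decrypt(c) == sample)
    print("multiplicative:     ", textbook_decrypt(scale_ciphertext(c, 2)) == (2 * sample) % N)
    print("short value exposed:", exposed_without_key(0x12345678))
    print("wide value exposed: ", exposed_without_key(N - 2))
```

Padding schemes such as OAEP exist to remove the last two properties; a 512-bit modulus is additionally small enough to factor, as the values on this page show.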
But if you just care about the RSA private key:
RSA Private-Key: (512 bit, 2 primes)
publicExponent: 17 (0x11)
Here are some PDFs and documentation that explain parts of Medius for the PlayStation 2:
- File:Medius Components-API.pdf
- File:SOCOM GDC 2003 Presentation.pdf
- File:Medius changes.txt
- File:SCE-RT SDK Medius API Overview.pdf
- File:SCE-RT SDK Medius API Reference.pdf
- File:SCE-RT SDK DME API Overview.pdf
- File:SCE-RT SDK DME API Reference.pdf
- File:SCE-RT SDK MGCL API Overview.pdf
- File:SCE-RT SDK MGCL API Reference.pdf
Medius Games
Medius App IDs
A Medius App ID identifies which game a client belongs to. Here is a list of known PS2 Medius App IDs:
Name | AppID | Region | DNS Domain | Entry Point |
---|---|---|---|---|
R&C: UYA Prod | 10684 | NTSC-U | | |
R&C: DL Prod | 11184 | NTSC-U | | |
Jak X Prod | 10994 | NTSC-U | | |
Killzone Prod | 10724 | NTSC-U | | |
WRC 4 | 67794 | PAL | wrc04-master.online.scee.com | MAS |
Medius Components
Medius servers are split into 6 major components:
Medius Universe Manager (MUM)
Keeps track of lobby rooms, game information, and players.
This server generally runs on port 10076.
Medius Authentication Server (MAS)
Allows users to login, authenticate and obtain a session token to login to the Medius Lobby Server.
This server generally runs on port 10075.
Medius Lobby Server (MLS)
Handles license agreement, announcements, global chat room, clans, create games, and join games.
This server generally runs on port 10077 or sometimes 10078.
Medius Proxy Server (MPS)
Global chat room, clans, create games, and join games.
This server generally runs on port 10078.
DME Game Server (Distributed Memory Engine)
The DME Game Server is a "Reliable UDP" server that handles connections between clients on a game's current status.
Medius Network Address Translation (NAT)
A UDP server used to give the client their IP Address.
Medius Universe Information Server (MUIS)
Server for providing the client with multiple other Medius stacks (MAS/MLS/MPS/DME).
This server generally runs on port 10071.
Medius Protocol
All encrypted Medius packets are structured as follows:
(This is an example MAS login packet from a PlayStation 2 client)
Packet ID (1) | Length (2) | Checksum (4) | Data (64) |
---|---|---|---|
92 | 40 00 | f8 7a f7 34 | 25 c8 9a 6d a9 dd eb ab a8 3c a6 e6 b4 72 6d ef 51 23 00 de ea 43 d5 8f 22 50 3f af 9c 52 96 10 7c a4 be a9 57 8a ae 49 68 06 20 73 c6 24 a8 07 ad 44 d2 54 29 8d 58 b6 3c da 3b e4 33 8c 57 |
00000000 92 40 00 f4 f8 7a f7 34 25 c8 9a 6d a9 dd eb ab .@...z.4 %..m....
00000010 a8 3c a6 e6 b4 72 6d ef 51 23 00 de ea 43 d5 8f .<...rm. Q#...C..
00000020 22 50 3f af 9c 52 96 10 7c a4 be a9 57 8a ae 49 "P?..R.. |...W..I
00000030 68 06 20 73 c6 24 a8 07 ad 44 d2 54 29 8d 58 b6 h. s.$.. .D.T).X.
00000040 3c da 3b e4 33 8c 57 <.;.3.W
The first byte (e.g. 0x92) is the encrypted Packet ID, which has 0x80 added to the original (unencrypted) Packet ID value to indicate it's encrypted. The following two bytes (e.g. 0x40 0x00), in little-endian, give the length of the packet's payload data. After that come four bytes (e.g. 0xf8 0x7a 0xf7 0x34), which are the checksum of the payload data. The payload data follows.
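A parser for this framing, useful when splitting a captured TCP stream into packets before any decryption is attempted. It is an added example, not code from the original page or from any Medius implementation: the function and class names are hypothetical, the login bytes are the hex dump above, and the rule that unencrypted frames carry no checksum is an assumption inferred from the 3-byte Graceful Disconnect dump on this page.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

ENCRYPTED_FLAG = 0x80  # added to the Packet ID when the payload is encrypted

# A few entries from the Packet ID table on this page.
PACKET_NAMES = {
    0x01: "RT_MSG_CLIENT_DISCONNECT",
    0x12: "RT_MSG_CLIENT_CRYPTKEY_PUBLIC",
    0x13: "RT_MSG_SERVER_CRYPTKEY_PEER",
    0x1C: "RT_MSG_SERVER_SYSTEM_MESSAGE",
}


@dataclass
class Frame:
    packet_id: int   # ID with the 0x80 flag removed
    encrypted: bool
    checksum: bytes  # 4 bytes; empty for unencrypted frames (assumption)
    payload: bytes

    @property
    def name(self) -> str:
        return PACKET_NAMES.get(self.packet_id, "UNKNOWN_0x%02x" % self.packet_id)


def parse_stream(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a byte stream into frames; return (frames, unconsumed tail).

    The tail holds an incomplete frame that needs more bytes from the socket,
    so a caller can prepend it to the next read instead of misparsing it.
    """
    frames: List[Frame] = []
    pos = 0
    while len(buf) - pos >= 3:
        raw_id, length = struct.unpack_from("<BH", buf, pos)  # little-endian length
        encrypted = bool(raw_id & ENCRYPTED_FLAG)
        header = 3 + (4 if encrypted else 0)
        if len(buf) - pos < header + length:
            break  # frame not fully received yet
        checksum = buf[pos + 3:pos + header]
        payload = buf[pos + header:pos + header + length]
        frames.append(Frame(raw_id & 0x7F, encrypted, checksum, payload))
        pos += header + length
    return frames, buf[pos:]


# MAS login packet bytes, copied from the hex dump on this page.
LOGIN_REQUEST = bytes.fromhex(
    "92 40 00 f4 f8 7a f7 34 25 c8 9a 6d a9 dd eb ab "
    "a8 3c a6 e6 b4 72 6d ef 51 23 00 de ea 43 d5 8f "
    "22 50 3f af 9c 52 96 10 7c a4 be a9 57 8a ae 49 "
    "68 06 20 73 c6 24 a8 07 ad 44 d2 54 29 8d 58 b6 "
    "3c da 3b e4 33 8c 57"
)
# Graceful Disconnect bytes, copied from the dump on this page.
DISCONNECT = bytes.fromhex("01 00 00")

if __name__ == "__main__":
    # Constructed stream: two complete frames followed by a truncated third.
    stream = LOGIN_REQUEST + DISCONNECT + LOGIN_REQUEST[:10]
    frames, tail = parse_stream(stream)
    for f in frames:
        print(f.name, "encrypted" if f.encrypted else "plain", len(f.payload), "bytes")
    print("bytes awaiting more data:", len(tail))
```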
"The first packet (92) holds a public 512-bit RSA key the game created on the fly. But the packet is encrypted with Sony‘s public Medius RSA key. You need to crack that key or find a way to deactivate encryption in the game (patch). The second packet holds the session key for a RC like algorithm, it’s encrypted with the public key the server got from game. It’s a slightly modified variant of RC4 that is used for decryption from now on." -Fog23
So far what we know is the MAS Packet ID conversation goes like this:
- Client Connects
- Client: 0x12 [len 64]
  The contents is an RSA key generated by the PS2, which is encrypted using public-key of the server (512-bit Textbook RSA). The server's public-key is burned in the game client's iso.
- Server: 0x13 [len 64]
  The contents is a custom RC4 or RCQ "session key" used to encrypt/decrypt messages going forward, this message is encrypted via the public RSA key sent by the client.
- Client: 0x00 [len 73]
  Unknown. Encrypted RC4/RCQ key?
- Server: 0x14 [len 64]
  Unknown. Static key?
- Server: 0x07 [len 23]
  Server sends the client their own IP address. Starts with 0x01 0x08 0x00 0x00 0x01 0x00, followed by the client's IP address.
- Server: 0x1a [len 2]
  Continuation of 0x07 packet, just 0x01 0x00.
- Client: 0x0b [len 30]
  Set world id. Starts with 0x01 0x03 0x31 and at byte 27 0x01 (world id).
- Server: 0x0a [len 50]
  Set player id. Starts with 0x01 0x04, at byte 3 0x31 (world id) and at byte 31 0x32 (player id). The player id increments each time a player connects.
- Client: 0x0b [len 50]
  Unknown. Appears to be static. Starts with 0x01 0xa3 and at byte 43 0x02, at byte 47 0x01.
- Server: 0x0a [len 30]
  Unknown. Appears to be static. Starts with 0x01 0xa4.
- Client: 0x0b [len 82]
  Unknown. Starts with 0x04 0x0a at byte 3 0x31 (world id?), at byte 24 0x32 (player id), at byte 47 0x20 0x28 0x75 0x0F 0xCE 0x19 0x65 0x56 0x61 0x65 0x14 0x0B 0xF6 0xB4 0xC4 0x13 0x63 0xD3 0xD0 0x20 0x02 0x0F 0xE4 0x09 0xF4 0x4D 0xF5 0x36 0x76 0xB8 0xEF 0x50 0x93 0x00 0x00 0x00 (static key?).
- Client: 0x0b [len 104]
  Login details. Starts with 0x01 0x07, at byte 3 0x31 (world id), at byte 24 0x32 (player id), at byte 41 (username), at byte 73 (password).
- Server: 0x0a [len 198]
  Successful authentication, give client MLS address and access token. At byte 51 (MLS IP Address) followed by the port as a short (2 bytes), at byte 75 (NAT IP Address) followed by the port as a short (2 bytes).
- Client: 0x01 [len 0]
  Client sends disconnect packet.
- Client Disconnects
After authenticating with the Medius Authentication Server, the MAS will send the IP address and port of the Medius Lobby Server (MLS) which by default runs on port 10078.
Custom RC4 Crypto
PlayStation 2 titles that use Medius have been observed to use a custom RC4 implementation, or RCQ, as the encryption scheme after the RSA handshake completes.
Below are a couple of utilities that can be used to encrypt/decrypt Medius packets (custom RC4 works, RCQ works only partially).
You can also use the Medius Crypto Test Tool to verify if your own library implementation works.
- Medius Crypto Test Tool: https://github.com/hashsploit/medius-test-tools
Encryption example:
```java
// x, y (int) and engineState (byte[256]) are fields of the enclosing cipher class.
private void encrypt(byte[] input, int inOff, int length, byte[] output, int outOff) {
    for (int i = 0; i < length; ++i) {
        x = (x + 5) & 0xff;
        y = (y + engineState[x]) & 0xff;

        // Swap
        byte temp = engineState[x];
        engineState[x] = engineState[y];
        engineState[y] = temp;

        // Xor
        output[i + outOff] = (byte) (input[i + inOff] ^ engineState[(engineState[x] + engineState[y]) & 0xff]);

        // Plaintext feedback; mask the signed byte before using it as an index
        y = (engineState[input[i + inOff] & 0xff] + y) & 0xff;
    }
}
```
Decryption example:
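```java
// Mirrors encrypt() with the roles of x and y swapped (y is the stepping index here).
private void decrypt(byte[] input, int inOff, int length, byte[] output, int outOff) {
    for (int i = 0; i < length; ++i) {
        y = (y + 5) & 0xFF;

        int v0 = engineState[y];
        byte a2 = (byte) (v0 & 0xFF);
        v0 += x;
        x = v0 & 0xFF; // keep x in 0..255 so it stays a valid index

        // Swap
        v0 = engineState[x];
        engineState[y] = (byte) (v0 & 0xFF);
        engineState[x] = a2;

        // Xor
        byte a0 = input[i + inOff];
        v0 += a2;
        v0 &= 0xFF;
        int v1 = engineState[v0];
        a0 ^= (byte) v1;
        output[i + outOff] = a0;

        // Plaintext feedback; mask the signed byte before using it as an index
        v1 = engineState[a0 & 0xFF] + x;
        x = v1 & 0xFF;
    }
}
```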
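The per-byte update in the two Java routines differs from standard RC4 in two ways: the stepping index advances by 5 instead of 1, and each plaintext byte is fed back into the state. The Python port below is an added example, not code from the original page or from the Medius libraries, and it goes slightly beyond the snippets by contrasting the result with plain RC4: a single damaged ciphertext byte garbles everything after it here, whereas plain RC4 confines the damage to one byte. The page does not show how engineState is initialised, so the standard RC4 key schedule is used as a labelled stand-in; the key is constructed and the message text is borrowed from the Server Message sample on this page.

```python
from typing import List


def key_schedule(key: bytes) -> List[int]:
    """ASSUMPTION: standard RC4 key schedule. The page does not show how
    engineState is initialised, so this is a stand-in, not the Medius one."""
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def medius_rc4(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Per-byte update as in the Java encrypt()/decrypt() above."""
    s = key_schedule(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 5) & 0xFF                        # step of 5, not 1
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        result = byte ^ s[(s[i] + s[j]) & 0xFF]
        out.append(result)
        plain = result if decrypt else byte       # feedback always uses plaintext
        j = (j + s[plain]) & 0xFF
    return bytes(out)


def plain_rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 for comparison (same routine encrypts and decrypts)."""
    s = key_schedule(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with the low bit of one byte inverted."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


def damaged_positions(original: bytes, recovered: bytes) -> List[int]:
    """Indexes at which the recovered plaintext differs from the original."""
    return [n for n, (a, b) in enumerate(zip(original, recovered)) if a != b]


KEY = b"constructed key"                                 # constructed sample key
MESSAGE = b"Notification test: Broadcasting message..."  # text from this page

if __name__ == "__main__":
    ct = medius_rc4(KEY, MESSAGE)
    print("round trip ok:", medius_rc4(KEY, ct, decrypt=True) == MESSAGE)
    garbled = medius_rc4(KEY, flip_bit(ct, 10), decrypt=True)
    print("variant, damaged positions:", damaged_positions(MESSAGE, garbled))
    rc4_ct = plain_rc4(KEY, MESSAGE)
    print("plain RC4, damaged positions:",
          damaged_positions(MESSAGE, plain_rc4(KEY, flip_bit(rc4_ct, 10))))
```

The error propagation is a side effect of the feedback, not an integrity check: the receiver still gets bytes back and has to rely on the packet checksum or message parsing to notice the damage.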
Packet IDs
The Packet ID is the first byte of each packet and defines what type of packet it is. If the packet is encrypted, it will have 0x80 added to the original Packet ID.
ID | Name | Description |
---|---|---|
0x00 | RT_MSG_CLIENT_CONNECT_TCP | Normal client connect request, contains Medius version and Game ID. |
0x01 | RT_MSG_CLIENT_DISCONNECT | Normal client disconnect. |
0x02 | RT_MSG_CLIENT_APP_BROADCAST | |
0x03 | RT_MSG_CLIENT_APP_SINGLE | |
0x04 | RT_MSG_CLIENT_APP_LIST | |
0x05 | RT_MSG_CLIENT_ECHO | |
0x06 | RT_MSG_SERVER_CONNECT_REJECT | |
0x07 | RT_MSG_SERVER_CONNECT_ACCEPT_TCP | Login Client IP Address: The server sends the client their ip address. This might be used for NAT hole-punching down the line. |
0x08 | RT_MSG_SERVER_CONNECT_NOTIFY | |
0x09 | RT_MSG_SERVER_DISCONNECT_NOTIFY | |
0x0a | RT_MSG_SERVER_APP | Generic data message to client from server. |
0x0b | RT_MSG_CLIENT_APP_TOSERVER | Generic data message to server from client. |
0x0c | RT_MSG_UDP_APP | |
0x0d | RT_MSG_CLIENT_SET_RECV_FLAG | |
0x0e | RT_MSG_CLIENT_SET_AGG_TIME | |
0x0f | RT_MSG_CLIENT_FLUSH_ALL | |
0x10 | RT_MSG_CLIENT_FLUSH_SINGLE | |
0x11 | RT_MSG_SERVER_FORCED_DISCONNECT | |
0x12 | RT_MSG_CLIENT_CRYPTKEY_PUBLIC | The client is requesting to start encryption. The contents is an RSA key generated by the PS2, which is encrypted using public-key of the server (512-bit Textbook RSA). The public-key is burned in the games iso. |
0x13 | RT_MSG_SERVER_CRYPTKEY_PEER | The server is accepting encryption. The contents is a custom RC4 or RCQ "session key" used to encrypt/decrypt messages going forward, this message is encrypted via the RSA key in the client. |
0x14 | RT_MSG_SERVER_CRYPTKEY_GAME | Game encryption key. |
0x15 | RT_MSG_CLIENT_CONNECT_TCP_AUX_UDP | |
0x16 | RT_MSG_CLIENT_CONNECT_AUX_UDP | |
0x17 | RT_MSG_CLIENT_CONNECT_READY_AUX_UDP | |
0x18 | RT_MSG_SERVER_INFO_AUX_UDP | |
0x19 | RT_MSG_SERVER_CONNECT_ACCEPT_AUX_UDP | |
0x1a | RT_MSG_SERVER_CONNECT_COMPLETE | Connection successful. |
0x1b | RT_MSG_CLIENT_CRYPTKEY_PEER | |
0x1c | RT_MSG_SERVER_SYSTEM_MESSAGE | |
0x1d | RT_MSG_SERVER_CHEAT_QUERY | |
0x1e | RT_MSG_SERVER_MEMORY_POKE | |
0x1f | RT_MSG_SERVER_ECHO | |
0x20 | RT_MSG_CLIENT_DISCONNECT_WITH_REASON | |
0x21 | RT_MSG_CLIENT_CONNECT_READY_TCP | |
0x22 | RT_MSG_SERVER_CONNECT_REQUIRE | |
0x23 | RT_MSG_CLIENT_CONNECT_READY_REQUIRE | |
0x24 | RT_MSG_CLIENT_HELLO | |
0x25 | RT_MSG_SERVER_HELLO | |
0x26 | RT_MSG_SERVER_STARTUP_INFO_NOTIFY | |
0x27 | RT_MSG_CLIENT_PEER_QUERY | |
0x28 | RT_MSG_SERVER_PEER_QUERY_NOTIFY | |
0x29 | RT_MSG_CLIENT_PEER_QUERY_LIST | |
0x2a | RT_MSG_SERVER_PEER_QUERY_LIST_NOTIFY | |
0x2b | RT_MSG_CLIENT_WALLCLOCK_QUERY | |
0x2c | RT_MSG_CLIENT_WALLCLOCK_QUERY_NOTIFY | |
0x2d | RT_MSG_CLIENT_TIMEBASE_QUERY | |
0x2e | RT_MSG_SERVER_TIMEBASE_QUERY_NOTIFY | |
0x2f | RT_MSG_CLIENT_TOKEN_MESSAGE | |
0x30 | RT_MSG_SERVER_TOKEN_MESSAGE | |
0x31 | RT_MSG_CLIENT_SYSTEM_MESSAGE | |
0x32 | RT_MSG_CLIENT_APP_BROADCAST_QOS | |
0x33 | RT_MSG_CLIENT_APP_SINGLE_QOS | |
0x34 | RT_MSG_CLIENT_APP_LIST_QOS | |
0x35 | RT_MSG_CLIENT_MAX_MSGLEN | |
0x36 | RT_MSG_SERVER_MAX_MSGLEN |
Graceful Disconnect (0x01)
The Graceful Disconnect packet is sent by the client to notify the server of a graceful disconnect.
- Bind Type: client
- Packet ID: 0x01
- Encrypted Packet ID: 0x01
Encrypted packet: [ID: 0x01, LENGTH: 0x03 [3], DATA LENGTH: 0x00 [0]]
00000000 01 00 00 |...|
Decrypted packet data: (without packet id, length, or checksum): [ID: 0x1c, LENGTH: 0x00 [0]]
00000000
Login RSA Request (0x12)
The Login RSA Request packet is sent by the client to initiate a connection to MAS. It uses the MAS's public key embedded in the ISO to encrypt a custom RC4 or RCQ key.
- Bind Type: server
- Packet ID: 0x12
- Encrypted Packet ID: 0x92
It is the first packet sent by the client. This packet contains data encrypted using the MAS's RSA 512-bit public key, which we believe is stored in the game's ISO ELF file.
Raw Structure:
RSA Data (64) |
---|
6B 8F 99 EC 1B AF 06 D2 67 42 84 B5 30 5E E6 E3 8B 1D E7 33 1F 2F BF 31 DE 49 72 28 B7 C5 21 62 F1 8D AE 89 13 C4 0C 43 C0 E8 90 D1 4E EE 16 AD 07 C6 4F D9 28 1D 8B 97 2D 78 BE 78 D1 B2 90 CE |
Encrypted packet: [ID: 0x9c, LENGTH: 0x46 [71], DATA LENGTH: 0x40 [64]]
00000000 92 40 00 f4 f8 7a f7 34 25 c8 9a 6d a9 dd eb ab |.@...z.4%..m....|
00000010 a8 3c a6 e6 b4 72 6d ef 51 23 00 de ea 43 d5 8f |.<...rm.Q#...C..|
00000020 22 50 3f af 9c 52 96 10 7c a4 be a9 57 8a ae 49 |"P?..R..|...W..I|
00000030 68 06 20 73 c6 24 a8 07 ad 44 d2 54 29 8d 58 b6 |h. s.$...D.T).X.|
00000040 3c da 3b e4 33 8c 57 |<.;.3.W|
Decrypted packet data: (without packet id, length, or checksum): [ID: 0x12, LENGTH: 0x40 [64]]
00000000 6b 8f 99 ec 1b af 06 d2 67 42 84 b5 30 5e e6 e3 |k.......gB..0^..|
00000010 8b 1d e7 33 1f 2f bf 31 de 49 72 28 b7 c5 21 62 |...3./.1.Ir(..!b|
00000020 f1 8d ae 89 13 c4 0c 43 c0 e8 90 d1 4e ee 16 ad |.......C....N...|
00000030 07 c6 4f d9 28 1d 8b 97 2d 78 be 78 d1 b2 90 ce |..O.(...-x.x....|
Login RSA Response (0x13)
The Login RSA Response packet is sent by the server to establish encrypted communication with the client. The response is a custom RC4 or RCQ key used later that is encrypted with the client's public RSA key that is sent in the Login RSA Request 0x12 packet.
- Bind Type: server
- Packet ID: 0x13
- Encrypted Packet ID: 0x93
It is the first packet sent by the server.
Raw Structure:
RSA Data (64) |
---|
E7 47 74 38 E0 23 4B B8 19 6D 57 4F 09 33 7B E7 A7 29 71 62 8C 55 1C 33 73 A6 8B E7 F1 F1 08 18 1E AA C2 41 9A FA 75 83 21 5E 79 77 5E 9D 6D BC 8D 44 25 45 EF 39 6F 29 C6 29 4C 69 FC 97 E1 77 |
Encrypted packet: [ID: 0x93, LENGTH: 0x46 [71], DATA LENGTH: 0x40 [64]]
00000000 93 40 00 73 a1 bb f9 45 93 0a 9e 59 40 35 b2 63 |.@.s...E...Y@5.c|
00000010 90 46 cd 56 f5 cc e6 59 98 bd dd 16 e9 2e c0 fd |.F.V...Y........|
00000020 75 63 95 1c 74 88 da 4e 23 41 67 5e 3f 69 26 45 |uc..t..N#Ag^?i&E|
00000030 ad 8b 06 4a 0b 5d 3d 52 01 7f e1 b4 fc c1 b7 cd |...J.]=R........|
00000040 48 43 cd db a3 b8 c1 |HC.....|
Decrypted packet data: (without packet id, length, or checksum): [ID: 0x13, LENGTH: 0x40 [64]]
00000000 e7 47 74 38 e0 23 4b b8 19 6d 57 4f 09 33 7b e7 |.Gt8.#K..mWO.3{.|
00000010 a7 29 71 62 8c 55 1c 33 73 a6 8b e7 f1 f1 08 18 |.)qb.U.3s.......|
00000020 1e aa c2 41 9a fa 75 83 21 5e 79 77 5e 9d 6d bc |...A..u.!^yw^.m.|
00000030 8d 44 25 45 ef 39 6f 29 c6 29 c6 29 4c 69 fc 97 |.D%E.9o).).)Li..|
00000040 e1 77 |.w|
Server Message (0x1c)
The Server Message packet is sent by the server to the client to show a message notification on screen.
- Bind Type: server
- Packet ID: 0x1c
- Encrypted Packet ID: 0x9c
This packet is structured with the first byte referencing the message severity 0x9f (159). The message severity appears to be a value ranging from 0 to 255, followed by 3 unknown bytes that appear to be constants 0x02 0x01 0x01, followed by the message contents and finally terminated by two null bytes 0x00 0x00.
Raw Structure:
Severity (1) | Unknown (3) | Message (97*) | Terminator (2) |
---|---|---|---|
0x9f | 0x02 0x01 0x01 | Notification test: Broadcasting message...Time=1594431135 (Fri Jul 10 18:32:15 2020) Severity=159 | 0x00 0x00 |
Encrypted packet: [ID: 0x9c, LENGTH: 0x6e [110], DATA LENGTH: 0x67 [103]]
00000000 9c 67 00 b8 61 0e 24 b6 e9 12 a1 61 b7 30 26 e4 |.g..a.$....a.0&.|
00000010 4e 6f b4 3d 81 7f 09 9b 35 7d 88 05 cc 1c 45 f0 |No.=....5}....E.|
00000020 88 94 75 7d 19 51 71 b7 81 49 26 8d 59 b1 ba 62 |..u}.Qq..I&.Y..b|
00000030 77 51 eb f7 af 75 ae ab 24 69 4f d6 12 25 18 c3 |wQ...u..$iO..%..|
00000040 14 05 40 f4 33 44 d7 81 ef 01 43 b3 50 70 93 a8 |..@.3D....C.Pp..|
00000050 a4 97 5c 25 db bc 6c 89 4c 2d d6 b1 9a 76 37 6d |..\%..l.L-...v7m|
00000060 a6 d5 56 4c 52 ea 48 46 fc cc 69 4d 03 b6 |..VLR.HF..iM..|
Decrypted packet data: (without packet id, length, or checksum): [ID: 0x1c, LENGTH: 0x67 [103]]
00000000 9f 02 01 01 4e 6f 74 69 66 69 63 61 74 69 6f 6e |....Notification|
00000010 20 74 65 73 74 3a 20 42 72 6f 61 64 63 61 73 74 | test: Broadcast|
00000020 69 6e 67 20 6d 65 73 73 61 67 65 2e 2e 2e 54 69 |ing message...Ti|
00000030 6d 65 3d 31 35 39 34 34 33 31 31 33 35 20 28 46 |me=1594431135 (F|
00000040 72 69 20 4a 75 6c 20 31 30 20 31 38 3a 33 32 3a |ri Jul 10 18:32:|
00000050 31 35 20 32 30 32 30 29 20 53 65 76 65 72 69 74 |15 2020) Severit|
00000060 79 3d 31 35 39 00 00 |y=159..|