
PSO DC Hunter License server support

Open patapancakes opened this issue 3 years ago • 6 comments

It's known that the Japanese and US versions of Phantasy Star Online Ver. 2 for Dreamcast connect to a server to validate the user's Hunter License before connecting to the game server, and this has always had to be either patched out through cheats or a custom disc.

If this server could instead be emulated (and a way to bypass the SSL certificate validation is found) it becomes possible to play on unmodified discs through just a custom DNS server.

I'm not sure if you have any interest in working on something like this, but if you do I've already started trying to find out how the SSL implementation works.

patapancakes avatar Jan 09 '23 00:01 patapancakes

I'd guess that due to the age of the SSL implementation, it wouldn't support anything newer than TLS 1.0, and it's likely possible to downgrade the connection server-side to something even older (and easier to defeat) like SSLv2.

This is a good idea and I am interested in it, but I probably won't have much time to work on it in the near future. (Also, the only version of PSO DC I have already has that check patched out, so I can't test it.) I'll leave this issue open, though, since it's a good potential future subproject.

fuzziqersoftware avatar Jan 14 '23 06:01 fuzziqersoftware

I don't think a downgrade to SSLv2 is going to work; the version listed in the handshake is SSLv3 and it refuses to connect to an SSLv2 server (gets unsupported protocol). It does list two supported SSLv2 ciphers though, so maybe I'm doing something wrong.

Cipher Specs (10 specs)
    Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
    Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
    Cipher Spec: TLS_NULL_WITH_NULL_NULL (0x000000)
    Cipher Spec: TLS_RSA_WITH_NULL_MD5 (0x000001)
    Cipher Spec: TLS_RSA_WITH_NULL_SHA (0x000002)
    Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
    Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
    Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
    Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
    Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)

patapancakes avatar Jan 14 '23 12:01 patapancakes

TLS_NULL_WITH_NULL_NULL apparently is no authentication with no encryption? I don't have a web server that supports this cipher but if the DC really accepts it then it could be an easy way around the validation problem.

patapancakes avatar Jan 14 '23 12:01 patapancakes
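The ten cipher specs listed above, and the null-cipher question in the comment just before this, can be checked mechanically by decoding the SSL 2.0-compatible CLIENT-HELLO the Dreamcast sends. The 3-byte "Cipher Spec" values Wireshark shows are the V2 encoding described in RFC 2246 Appendix E, and in that format the version field carries the highest protocol version the client supports, which is why a 0x0300 (SSL 3.0) hello is not an offer to speak SSLv2. TLS_NULL_WITH_NULL_NULL (0x000000) is the initial, unprotected state of a connection; the SSL 3.0 and TLS specifications say it must never be negotiated, so a server that selects it is testing whether this particular client enforces that rule, not using a documented option. The code below is an added example, not code from newserv or from anyone in this thread: the record bytes are constructed here from the list above with a made-up 16-byte challenge, not captured from a console.

```python
import struct

# Names for the 3-byte SSLv2-format cipher-spec identifiers seen in the thread.
# Specs whose first byte is non-zero are SSLv2-only; TLS suites are 0x00 + 2 bytes.
V2_SPEC_NAMES = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x00\x00\x00": "TLS_NULL_WITH_NULL_NULL",
    b"\x00\x00\x01": "TLS_RSA_WITH_NULL_MD5",
    b"\x00\x00\x02": "TLS_RSA_WITH_NULL_SHA",
    b"\x00\x00\x03": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    b"\x00\x00\x04": "TLS_RSA_WITH_RC4_128_MD5",
    b"\x00\x00\x05": "TLS_RSA_WITH_RC4_128_SHA",
    b"\x00\x00\x08": "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    b"\x00\x00\x09": "TLS_RSA_WITH_DES_CBC_SHA",
}

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0"}


def version_name(version):
    return VERSION_NAMES.get(version, "unknown 0x%04x" % version)


def build_v2_client_hello(version, specs, challenge, session_id=b""):
    """Encode an SSL 2.0-format CLIENT-HELLO with the 2-byte record header
    (high bit set, 15-bit length). Used here only to construct sample input."""
    body = struct.pack(">BHHHH", 1, version, len(specs) * 3,
                       len(session_id), len(challenge))
    body += b"".join(specs) + session_id + challenge
    if len(body) >= 0x8000:
        raise ValueError("body too long for a 2-byte header")
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_v2_client_hello(data):
    """Decode a V2-format CLIENT-HELLO, rejecting truncated or inconsistent records."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack(">BHHHH", body[:9])
    if msg_type != 1:
        raise ValueError("message type 0x%02x is not CLIENT-HELLO" % msg_type)
    if cs_len % 3:
        raise ValueError("cipher-spec length is not a multiple of 3")
    if 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("length fields do not add up to the record length")
    cs = body[9:9 + cs_len]
    sid_start = 9 + cs_len
    ch_start = sid_start + sid_len
    return {
        "version": version,
        "cipher_specs": [cs[i:i + 3] for i in range(0, cs_len, 3)],
        "session_id": body[sid_start:ch_start],
        "challenge": body[ch_start:ch_start + ch_len],
    }


def classify_specs(specs):
    """Group offered specs by what a test server could try against them."""
    report = {"sslv2_only": [], "null_cipher": [], "export": [], "other": []}
    for s in specs:
        name = V2_SPEC_NAMES.get(s, "unknown_%s" % s.hex())
        if s[0] != 0:
            report["sslv2_only"].append(name)   # only reachable via an SSLv2 handshake
        elif "NULL" in name:
            report["null_cipher"].append(name)  # no encryption (0x000000: no auth either)
        elif "EXPORT" in name:
            report["export"].append(name)       # 40-bit keys, brute-forceable
        else:
            report["other"].append(name)
    return report


# Constructed sample: the ten specs from the thread, SSL 3.0 version, dummy challenge.
THREAD_SPECS = list(V2_SPEC_NAMES)
SAMPLE_HELLO = build_v2_client_hello(0x0300, THREAD_SPECS, bytes(range(16)))

if __name__ == "__main__":
    hello = parse_v2_client_hello(SAMPLE_HELLO)
    print("client version:", version_name(hello["version"]))
    for group, names in classify_specs(hello["cipher_specs"]).items():
        print("%-12s %s" % (group, ", ".join(names) or "-"))
```

To run it against a real capture, replace SAMPLE_HELLO with the first record the console sends after the TCP handshake (a V2-format hello starts with a byte >= 0x80 rather than the 0x16 of a v3/TLS record); the length checks in the parser are there because a hand-written server should never trust those length fields before using them.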

Maybe look into how Socom 2 for PS2 bypasses the server check by patching the game via memory card on ps2online. Could probably work for this game.

sirdankz avatar Jan 14 '23 12:01 sirdankz

> Maybe look into how Socom 2 for PS2 bypasses the server check by patching the game via memory card on ps2online. Could probably work for this game.

Even if possible, I don't think that is the best way. The point of doing it through a server exploit is that there's minimal work for the player to do; if it needs writing something to a memory card, then why not just take the extra step to burn a disc? Changing the DNS server is just a setting on the console.

patapancakes avatar Jan 14 '23 12:01 patapancakes

Here's another method, and something even the DS and DSi were vulnerable to. Defeating SSL

tldr: Most old SSL implementations stop checking the cert tree as soon as they find a valid node; if we have a cert/key the DC trusts, we could sign a new cert with it and possibly bypass validation.

Does anyone have any console certificates or similar for the DC? Just needs to be something with a CA it trusts.

patapancakes avatar Jan 14 '23 13:01 patapancakes
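The flaw described in the previous comment is concrete enough to model: a validator that walks issuer signatures and accepts as soon as a trusted key verifies one, versus RFC 5280 path validation, which additionally requires every signer to carry basicConstraints CA=TRUE (real validators also check keyUsage, validity dates and names, which this example leaves out). The code below is an added example, not newserv code and not from the linked article; it uses the `cryptography` package, generates throwaway P-256 keys, and the names "Example Root CA", "license.example" and "evil.example" are made up. It covers both cases raised above: a trust store holding a CA whose leaf cert and key the attacker has obtained, and a trust store that pins the leaf itself.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_DEPTH = 8  # bound on chain length so a loop of certs cannot spin forever


def make_cert(common_name, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue a certificate for `key`; self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signer = key if issuer_key is None else issuer_key
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )


def signed_by(cert, candidate):
    """True if `candidate` is the named issuer and its key verifies cert's signature."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False  # no basicConstraints means not a CA


def naive_validate(leaf, extra, trusted):
    """Models the old behaviour: stop as soon as a trusted key verifies a signature,
    never asking whether the signer was allowed to issue certificates."""
    cert = leaf
    for _ in range(MAX_DEPTH):
        if any(signed_by(cert, t) for t in trusted):
            return True
        parents = [c for c in extra if signed_by(cert, c)]
        if not parents:
            return False
        cert = parents[0]
    return False


def strict_validate(leaf, extra, trusted):
    """RFC 5280-style: every signer on the path must be a CA."""
    cert = leaf
    for _ in range(MAX_DEPTH):
        parents = [c for c in trusted + extra if signed_by(cert, c)]
        if not parents or not is_ca(parents[0]):
            return False
        if parents[0] in trusted:
            return True
        cert = parents[0]
    return False


def scenario():
    """Build root -> server leaf -> attacker-forged leaf and run both validators."""
    root_key, server_key, attacker_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Example Root CA", root_key, is_ca=True)
    server = make_cert("license.example", server_key, root, root_key)      # CA=FALSE leaf
    forged = make_cert("evil.example", attacker_key, server, server_key)   # signed with leaf key
    return {
        "legit_naive": naive_validate(server, [], [root]),
        "legit_strict": strict_validate(server, [], [root]),
        "forged_naive": naive_validate(forged, [server], [root]),
        "forged_strict": strict_validate(forged, [server], [root]),
        "pinned_forged_naive": naive_validate(forged, [], [server]),
        "pinned_forged_strict": strict_validate(forged, [], [server]),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print("%-22s %s" % (name, "accepted" if ok else "rejected"))
```

The difference between the two validators is a single check on the signer's basicConstraints; whether the Dreamcast's library performs it is exactly the empirical question the thread leaves open, and the forged cert built here is the artifact you would present to the console to answer it.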