ppsspp icon indicating copy to clipboard operation
ppsspp copied to clipboard

Published 20 hours ago verified publisher icon hrydgard

PSP to Computer AD HOC

Open tilkinsc opened this issue 8 years ago • 97 comments

How does the PPSSPP and PSP ad hoc system work?

Is it possible to pair a device to a computer? What if the computer broadcasted a network? A lot of PSP games had an infrastructure mode in which would let two devices communicate over a network. This would be a cool addition feature to what has been worked on recently aside from graphical bugs.

tilkinsc avatar Feb 20 '17 13:02 tilkinsc

Well, what I've actually been working on recently is a UWP port, and to do that correctly I needed a DX11 backend, which in turn required a LOT of reworking if I didn't want to end up with a ton of mostly-duplicate code again. And might as well fix bugs as I find them.

Anyway, that's beside the point. I really don't know more than rough overview about how the PSP networking works, all PPSSPP's network stuff has been contributed by others, so in this case, don't put your hopes on me.

hrydgard avatar Feb 20 '17 13:02 hrydgard

Alright fair enough.

tilkinsc avatar Feb 20 '17 13:02 tilkinsc

Well, could still leave it open, maybe someone else will pick it up.

hrydgard avatar Feb 20 '17 22:02 hrydgard

Since infrastructure didn't mean using a public server, it would mean that one of the PSP devices was either used as a server and managed everything or they both managed everything, but updated a server on one of the PSP devices. Actually, the updated each other. The PSP does indeed show capabilities to host a server - even internet connections. So it is just a matter of supporting such a thing, faking the computer as a PSP. That may require some more internal lookat.

As for emulating AD HOC, I don't know enough about this still to make a hypothesis on how that would go down. I would need to check the code on PPSSPP.

tilkinsc avatar Feb 23 '17 06:02 tilkinsc

Okay so I am venturing on learning more about this. I am attempting to figure out what calls are made in a specific, downloaded game (monster hunter freedom unite). This will lead me to understanding what exactly is going on with the PSP to open sockets as necessary.

However, I don't know how to achieve seeing the specific code that will do this. How would one debug what is being called to open the infrastructure?

tilkinsc avatar Feb 26 '17 17:02 tilkinsc

Well, I guess you'd add more logging to the various HLE function in Core/HLE/sceNetAdhoc*...

hrydgard avatar Feb 26 '17 17:02 hrydgard

I was taking a look at the AdHoc code the other day. And it's kind of a mess. There are a lot of TODO and commented lines. So maybe it's not the "best" way to do it. But hey it work :)

ghost avatar Feb 26 '17 17:02 ghost

~~One huge issue I am facing right now in actually debugging is PPSSPP dictates the WLAN switch is off. So I will look through some disassembly. Another thing that is drawing me back is that the game crashes with the last version of PPSSPP that I use on game load, which is strange. So I defaulted back to official release. Some kind of 'stack error' says the weird windows issue report. Who knows.~~ One last thing is the lack of resizability of the various frames in the disassembler...

The config file manages the mac and wlan switch and the like.

tilkinsc avatar Feb 26 '17 17:02 tilkinsc

This specific entry is going to document stuff. Definitely common knowledge coming back to edit this line.

sceWlanGetSwitchState returns 0 (1 on) inside of the config file. sceWlanDevIsPowerOn ^^^ sceWlanGetEtherAddr returns an ethernet mac address inside of the config file. http://pastebin.com/pN2LqM80 This homebrew gives light on how sockets go down. Given the example, it appears that it is typical socket stuff that could pretty well be emulated correctly through the correct returns from the psp libraries. This doesn't demonstrate how to connect to sockets using psp. It appears that the other thing that matters is the switch state being active as well as Dev is powered on. It just boils down to connecting to a server or hosting one for the intranet. I am sure it is possible to port forward to let outsiders in...

Final remark would be there is no checking if the device referenced is a PSP as long as it operates within the ROMs.

tilkinsc avatar Feb 26 '17 19:02 tilkinsc

I have findings.

So I was talking with someone on Evolve (p2p tunnel network, like tunngle and hamachi) and they host a server for my favorite game which replaces coldbird.net. Evidently a person built it and they are just the host. While I didn't go further into that topic, I figured out that a little bit more of what I wanted.

So I was broadcasting ad hoc via psp in my game on (ad hoc) channel 1. I couldn't discover the network immediately. Idk. However, I got it to show by making a new network ad hoc and open. I assume this just forcefully updated my list of networks like it should of done it the first place..... but yeah. So I was able to connect and everything psp to computer. The question now is hooking up some sniffing and check out what is going on, as well as looking at PPSSPP ad hoc code.

I think there was already an attempt at this, but without PPSSPP being the target... I am thinking the target was more of a service like tunngle. Anyways, it is definitely possible as far as I can tell.

One thing that is certain is in order to play over the internet with something like tunngle, you must have 2 forms of connection. 1 is the psp and 2 is the internet. That requires an ethernet and a wireless or two wirelesses.

tilkinsc avatar Mar 08 '17 20:03 tilkinsc

This post is mine and is being edited as I go.

Data list: (12/03/2017) (added entries)

  • Censored's chat log http://pastebin.com/yf4iczsJ
  • Connecting to ad hoc network.... http://pastebin.com/snyhWL46
  • Connected to ad hoc network http://pastebin.com/QR3Rb0Qs
  • proAdhocServer used with CFW http://forums.ppsspp.org/showthread.php?tid=11398 which adenovan was talking about. I am less concerned with hacks around it then trying to fake a computer as a PSP.
  • adenovan's suggested lookat source https://github.com/adenovan/AdhocServerPro
  • Holy mother of documentation http://www.edepot.com/reviews_sony_psp.html
  • As per the Marvell Libertas chip the psp has, http://download.cnet.com/Marvell-Libertas-802-11g-b-Wireless-LAN-Client-Adapter/3000-2112_4-166388.html might be the driver for such a thing, or at least give some lookat on how it works
  • Link that details out PSP and PS3 Remote Play stuff http://www.neogaf.com/forum/showthread.php?t=361116
  • Possible program that utilizes PSP and PS3 ad hoc WHICH MIGHT BE NATIVE so we can understand better the connection to PSP-PS3 that could be PSP-PC now https://store.playstation.com/#!/en-us/games/addons/adhoc-party/cid=UP9000-NPUA70069_00-ADHOCPARTY000000
  • Wikipedia on Promiscuous mode https://en.wikipedia.org/wiki/Promiscuous_mode "In non-promiscuous mode, when a NIC receives a frame, it drops it unless the frame is addressed to that NIC's MAC address or is a broadcast or multicast addressed frame. In promiscuous mode, however, the NIC allows all frames through, thus allowing the computer to read frames intended for other machines or network devices."
  • https://en.wikipedia.org/wiki/Promiscuous_mode#Some_applications_that_use_promiscuous_mode Some programs that can help us

Learn list: (12/03/2017) (solved 1 entry, added entry)

  • What happens at the PSP level? (need bios/kernel for this)
  • Is what happen at the PSP level something that matters? (5 frames then drop connection)

Resolved learn list: (09/07/2017) (added 2 entry)

  • ~~https://en.wikipedia.org/wiki/Wi-Fi_Direct Is psp ad hoc actually wifi direct?!~~ no.
  • ~~What about the IPs? Do they use mac address as IP? Perhaps the adhoc code will let me understand.~~ It actually communicates with device IDs rather than MAC or IP, MAC is just to give it a definite name and IP is a protocol. We would need to get the system to accept the device ID by handshaking okay. Only then will it allow communication between the two.
  • ~~What is the difference between channels automatic, 1, 9. and 11~~ Each channel operates on a different hop length, which is basically the difference between 90fm and 106fm in radio frequency modulation. So you can have two people in a network on channel 11 and two people on the same-named network on channel 9.
  • ~~I wonder if the PSP is its own DHCP, or if the PSP (when connecting ad hoc) does a whois that devices can do with the router. If you picked up wireshark you would understand.~~ Actually, the PSP doesn't have a findable DHCP, since DHCP works the same in all situations. It is actually much different, and probably geared something more of ISATAP.
  • ~~It appears that CFW is hiding my MAC address... how to circumvent?~~ There is a setting for this somewhere in CFW settings
  • ~~How tf do I connect an ad hoc computer to a server on either machine~~ It is actually really simple. However, the problem is the PSP is a bit more embedded when it comes to ad hoc. A low level mechanic needs to be put in place to make the PSP recognize the computer as a psp and do its handshakes (hello, ping).
  • ~~Does PSP's ad hoc do UDP or TCP or any~~ It actually can do any, and is dependant on the app when it has matchmade using ad hoc. The whole ad hoc system is a matchmaking server then direct connection through ip address through the matchmade ips.
  • ~~What packets do the PSP send and how can a protocol handler handle such a thing? This may be mandatory so that one can communicate with the other. Whether it would be monitoring networks via xlink kai or something, it needs figured out.~~ https://en.wikipedia.org/wiki/Promiscuous_mode#Some_applications_that_use_promiscuous_mode We have tons of programs to do such a thing. Better get cracking. Probably want to do this on linux?

Tasklist: (04/17/2017) 0. Make a model that connects a PC, fake as PSP, to PSP

  1. Clean up some ad hoc code
  2. Add g_Config option to enable psp -> ppsspp
  3. If already broadcasted, don't have to broadcast a new ad hoc network (Broadcast ad hoc network using an idle network card?) The PSP doesn't broadcast a new ad hoc network unless the respective network isn't found.
  4. Open matchmaking server if needed on the network owner's psp (ip)
  5. Open respective sockets the PSP expects (ports sniff?)
  6. Relay information

tilkinsc avatar Mar 09 '17 16:03 tilkinsc

@Hydroque for your learn list number 2

  1. TCP used on the host server (proAdhocServer). this server written by coldbird and the goal is to make the PSP work over internet. The server purpose is to emulate the matchmaking/matching system on game. Each Game create a group when matchmaking happen. you must look at this server code if you want to emulate the infrastructure mode like a real PSP do. i guess PSP infrastructure mode just a broadcast of this implementation on a wireless access point to let other PSP know a server is listening on that Access Point.

  2. Most of the game communicate directly and use both TCP and UDP (commonly the Game use TCP for matching / matchmaking. and UDP after matchmaking to send game data to other peer) , each game also pick its own port to communicate. this one hard to emulate especially over internet and behind a nat. thats why most user use vpn service to tunnel the traffic, the vpn goal is to make user under one network and same subnet so they can communicated directly without their traffic blocked by firewall or nat. the solution of this point is available on Adamn's post http://forums.ppsspp.org/showthread.php?tid=16972&pid=121429#pid121429

  3. PPSSPP and PSP communication use Pro-C CFW and Atpro.prx plugin on the PSP side , there is a psp/discovery function that not implemeted yet, im not sure but its maybe what you're looking at to implement. go look on the source here https://github.com/MrColdbird/aemu

adenovan avatar Mar 10 '17 19:03 adenovan

I appreciate the help, adenovan.

  1. Currently I feel it is more appropriate to support the AD HOC feature (as per my intent) before getting into infrastructure. I feel like infrastructure would be easy. Since the PSP, when connected, is definitely a member of a router (modem/modem-router), you can port forward and potentially have the public send data to your psp. Your psp can indeed be a server. Correct me if I am wrong. With proAdhoc, this is a hacky way around something I want to be more direct. I guess that is what I am researching. Yunno http://forums.ppsspp.org/showthread.php?tid=11398

  2. I am aware with what the vpn/tunnel software is doing in the background. They actually open a different strain of ips to host and the like on. Any tunnel software will make you install a driver/virtual network device which handles such a thing. However another thing is I am talking PSP to pc/android ppsspp - not pc ppsspp to android ppsspp. I desire playing the console with the computer. However, I hope to have immediate results when I sniff out the ad hoc connection broadcasted to see what is up.

I am still not sure what TCP or UDP is used for in this scenario. I believe censored's server is an implementation of coldbird too. I dunno. I forget. Censored may say it in that pastebin link. I actually don't know much about the coldbird project other than its general overview. But one thing is that the log from censored's server spits out UDP connections in the matchmaking which clashes with what you are trying to tell me. I assume that the port wouldn't be a problem as it is two identical games since the PSP does indeed broadcast the ad hoc network.

One issue I have is the understanding on how IPs line up in an ad hoc network. https://superuser.com/questions/109177/ip-address-of-host-of-wi-fi-ad-hoc-network Also, I did some connection and lookat. It appears that it takes a second for the computer to connect ad hoc to the PSP. It will give http://pastebin.com/snyhWL46 until http://pastebin.com/QR3Rb0Qs. However, I am not surprised if it just takes a second to actually connect because I am using a 2007 win7 laptop for testing.

  1. I would need more information on what you are talking about. Are you saying there is successful ppsspp -> PSP connection? This seems only possible in hombrew?

tilkinsc avatar Mar 11 '17 01:03 tilkinsc

i look into your list of data, AFAIK

  1. based on your data i think its possible to use PSP as a server and do an Adhoc directly without access point involved. we need to dig more information on PSP side adhoc network and fake the PPSSPP as PSP (hacking, sniffing needed,reverse engineering on psp side is needed) . this is a neat feature looking forward if you can dig more info on it and replace the proAdhocServer. current ADHOC implementation is indeed a hacky way to play ADHOC Game because the purpose it was build is to hook the PSP adhoc function with homebrew/plugin (atpro.prx) and emulate the communication to public IP.

  2. the censored server you're talking about definitely based on coldbird server and looks like its only tunneled through evolve and the player status displayed on web. im host a similiar server by myself ( http://proindovpn.net ) and tunnel it with openvpn for android user , they love it , i drop the psp support because i didn't find any vpn homebrew / client on psp. my goal is only to create a large adhoc community over internet and centralized to play so we can easily play together without complicated setup (like Enable DMZ on router). if you're need a server code before it was ported to ppsspp you can find it here https://github.com/adenovan/AdhocServerPro

  3. there is only successfull connection if proAdhocServer running on PPSSPP side or stand alone server is running on the server machine. yes the psp side need a homebrew / plugin to connect to it ( atpro.prx) with static ip configured. i think you already find out that info in my thread by yourself. there is no implementation of PPSSPP -> PSP successfull connection with PSP default adhoc function as host / server.

adenovan avatar Mar 14 '17 12:03 adenovan

I have been experimented with a Java application which opens a socket server on the pc, accepts connections from PSP (thru atpro.prx static/dynamic ip (only thing bad about dynamic is you have to refresh it when you relog into router and can't host servers public ip thereof longterm without updating users)). and connects the ports known to the evolve host. Information is gathered from the evolve host and sent from the computer to the PSP then. Basic, but it doesn't work. One of the problems I collide with is the lack of UPnP support. Sockets require a definite port and there are some ports that I can't listen to because I have no idea that they were attempted to be communicated with. While I believe I failed doing that, I learned that ports on ad hoc are a bitch.

The problem with connecting my computer to the PSP is I don't know what the PSP's ip is, how to open ports for listening and transfer (UDP/TCP), and how to acquire the PSP's ip. I am not familiar with ad hoc networks enough. I know that I get a cool ip, which I should of talked about. Summery: Learn how to connect two ad hoc devices to a server of either side. I also need to admit that I need to look at the names of the known ad hoc functions in the PSP. A pattern might show to me, But that is a little out of scope because I should be able to link a server easily.

It is possible that I can't continue with my efforts.

  1. Can't build ppsspp
  2. Why does MSVS exist as bigger than a modern game????
  3. Lack of resources documenting ad hoc (sad, 'init?)

In reply,

  1. I think it would be just a matter of relaying data to and from. I don't think it will be near as much bulk as the proadhoc server stuff. You just need to know the ports open, or have this so-called upnp that I am lightly familiar with.

  2. It is good to have reference material.

  3. I have successfully linked a ppsspp and psp using atpro.prx, and my efforts failed at the point of trying to link evolve with psp. (Thank god for the possibility of not a thousand relays)

A little bit more of my tunneling to evolve host. I did in-fact be able to connect and relay data. The TCP over 27513 or whatever the adhoc server runs on was known and that was how the people congregated. I failed at the part where actually connecting to the people the psp wanted. I have no idea what the ports were. However, for MHFU, censor reported that they were 20,000:20,004 give or take 1 max as index. So yeah the psp communicated to my computer (through atpro.prx infrastructure) to the evolve server. I have snapshots of such packets sent and received.

tilkinsc avatar Mar 16 '17 02:03 tilkinsc

http://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for I believe that the PSP is netBIOs enabled. Reading this article alerts me that I may be able to communicate (and destroy) a psp by this port. I have this port open and listening.

Using NBSTAT command, the attacker can obtain some or all of the critical information related to

  • A list of local NetBIOS names
  • Computer name
  • A list of names resolved by WINS
  • IP addresses
  • Contents of the session table with the destination IP addresses

With the above details at hand, the attacker has all the important information about the OS, services, and major applications running on the system. Besides these, he also has private IP addresses that the LAN/WAN and security engineers have tried hard to hide behind NAT. Moreover, User IDs are also included in the lists provided by running NBSTAT.


I don't really think so anymore.

tilkinsc avatar Mar 16 '17 03:03 tilkinsc

After loafing around in the headers of pspnet_adhocmatching.h I determined that there is a specific communication that goes down between PSP and PSP. A hello message that is game-specific is present that also has a neat callback, which I assume it is to handle the person joining. There is also a ping.

/** 
 * Linked list for sceNetAdhocMatchingGetMembers
 */
struct pspAdhocMatchingMember
{
	struct pspAdhocMatchingMember *next;
	unsigned char mac[6];
	char unknown[2];
};

^ this is the only thing that I could find that has any form of identification on who the hell connected.

@hrydgard Hey do you have a list of all functions with respect to their memory address visible in that disassembler which are actually used? I think there is more internal things to be observed in the bios, , anyways, I just wanted to correctly observe the functions in use.

I need to test further and will complete this post.

tilkinsc avatar Mar 16 '17 05:03 tilkinsc

If anyone has any binaries (prx) or disassembly that I can use to look at the PSP's internal ad hoc mechanics that would be great. My PSP 1000 won't let me go into kernel mode to rip at CFW 6.60 ._.

I added a new link that documents the PSP like a hawk. It is nice. So much stuff I didn't know as well as the history. It has a more full file structure. But I wanted to note that firmware 1.5 and 1.0 allows running unencrypted code, the first needed two PBPs or so it went. I wonder if the ad hoc change severly between these two. The documentation article stated that there was a lot of changes which gave birth to so much that it was preferred to change the psp to running unencrypted code (unsigned I guess) as CFW. Pretty neat. I assume it DIDN'T change it if at all as per the documentation detailing each of the patches that sony threw out in the article.

tilkinsc avatar Mar 16 '17 18:03 tilkinsc

I am still updating the learn list and the such as I figure this stuff out. I have it down to the hardware. We already know the the ad hoc works sufficiently. But we need the lower level depth for knowing how they truely work at the machine level.

tilkinsc avatar Mar 26 '17 06:03 tilkinsc

http://www.neogaf.com/forum/showthread.php?t=361116

So this is a link to 'PSP Remote Play Reverse Engineered', in which, talks about the 'hacking' of PSP to PS3. My thoughts on this is that the PSP AdHoc could be more directly monitored closely when it comes to connections. We already can use infrastructure instead of ad hoc with CFW, and that works flawlessly with adhoc server. I am not sure if the code builds upon the exact operations of the PSP, but it seems to solve the 'I am connected to the network but idk how to broadcast to other PSP using my PC to tell them I claim this IP, have a game with me'

Perhaps pissing with PS3 and PSP ad hoc may be in the future, as that is definitely possible... and homebrew exists for PS3.

tilkinsc avatar Apr 17 '17 19:04 tilkinsc

Some Europe user mention about adhoc party to play betwenn psp and ps3. You might interested to reverse this one https://store.playstation.com/#!/en-us/games/addons/adhoc-party/cid=UP9000-NPUA70069_00-ADHOCPARTY000000 he use adhoc party on ps3

adenovan avatar Apr 18 '17 02:04 adenovan

That was what I was getting at, @adenovan . Good find.

" Because it uses the PS3™ system's built-in Wi-Fi," Meaning the PS3™ understands the PSP wifi adhoc config thereof?

"The PlayStation®3 system must be connected to the Internet with a broadband network " Makes me wonder if there is a patch, which is hacky...

"Each player must have both a PSP® system and a PS3™ system in order to use this feature" This one is a 'no crap'

"Perfect for gamers with a PSP® system who want to play online but don't have access to a wireless internet connection " Makes me seriously think it is a hack, and not really ad hoc and... "with some games that include the Ad Hoc feature " justifies my fear.

I am not sure how to use this either.

tilkinsc avatar Apr 18 '17 03:04 tilkinsc

At least it an official software from Sony. Some user tell me they have like 30 channel (psp network) on online mode, in ppsspp we can simulate this with 30 proadhocserver but the difference is we can't fake the server as legit psp adhoc network without hacking the client. if we can implement that server hack on ppsspp it will be great it can reduce complexity of playing adhoc in ppsspp. The mechanic looks like same with psp infrastructure mode.

adenovan avatar Apr 18 '17 04:04 adenovan

Oh. I was not aware that it was official from Sony. That makes it a bit different. The point of not knowing how to use it and how to obtain files to look at is still up there. I will do some research in the near future.

tilkinsc avatar Apr 19 '17 03:04 tilkinsc

I wonder if it is possible to create an ad hoc network of a certain type similar to psp, and name it what it would be expected to find. Then I can use software to see what the PSP tries to communicate with the machine. I should really learn more about the process of connecting via driver level.

tilkinsc avatar Jun 01 '17 23:06 tilkinsc

So I actually got somewhere. I started back up today. I made an ad hoc network on my computer named 'PSP_AULUS103901_L_MH3P000'. I got some broadcast packets from the network when the PSP turned on ad hoc (channel 11). It seems like it also made my computer break from having the ad hoc connection, and instead, connect to that network. Pretty neat. I could probably figure out something off of this. My psp died though, ~~~and my makeshift cord I made isn't charging it now :(~~~ is super picky

tilkinsc avatar Jun 02 '17 00:06 tilkinsc

I wrote some update on #7268 that should belong here. Referencing it. I should really create a post saying everything current as this may be better read as a single blob of text.

tilkinsc avatar Jul 12 '17 02:07 tilkinsc

I think Xlink Kai is able to fake a console or handheld broadcasts but requires a compatible network adapter (PSP-Xlink Mode or have promiscuous mode) with customized driver sometimes as i remember.

As i remember promiscuous mode is often used by hackers to monitor a network :) https://landetective.com/products/internet-monitor/manual/traffic-analysis.html https://www.teamxlink.co.uk/wiki/doku.php?id=evo7:how_to_tell_if_you_adapter_will_work_on_xlinkkai

anr2me avatar Jul 12 '17 18:07 anr2me

Once hydroque can dig that handshake on driver leve I guess we can start developing the psp mode adhoc.

Its on transport layer so the matching library need to modified as close as matching library on psp. If the network is not an ip protocol I think the current matching library will not understand what is going on (the pro adhoc server).

So for what im understanding if we planned to do a development on this mode every single ppsspp instance should run new matching library and its must close to the original on the psp or we modifybthe adhoc server to make it understand the handshake and register the game . The driver level handshake digging by hydroque just to make the host machine adapter connect to the adhoc network.

After matching library complete the game will open the socket they need to communicate to each other. Just make sure the communication is not blocked on the network.

Thats all, it should work if we can really dig what is going on in the original psp matching library.

adenovan avatar Jul 12 '17 19:07 adenovan

@adenovan From what I know so far, and I believe I said this (too lazy to scroll up), the beginning of the handshake occurs when the PSP inits ad hoc and looks for an available network under the same ssid. If one isn't found, then it broadcasts one itself. It will try to do a handshake when one is found, though, so that is what I need to look into. I want to recapture some packets using microsofts network monitor.

tilkinsc avatar Jul 13 '17 12:07 tilkinsc