iQue Player hacking possibility with ique_diag.exe?

Sliter

Well-Known Member
Member
Joined
Dec 7, 2013
Messages
3,264
Trophies
0
Location
ᕕ( ᐛ )ᕗ
XP
1,771
Country
Brazil
Lol yeah, I took advantage of the unused port so I could have the N64 control plugs.
When you told me, I was thinking of something like the image I sent, an individual adaptor per controller, but going inside and making a "second option" slot was nice hehhe.

Now let's see about the games... was there any progress? :x And about the one I'm gonna get from you? XD
 

Krem Quay

Well-Known Member
Newcomer
Joined
Aug 24, 2014
Messages
89
Trophies
0
Age
26
XP
231
Country
United States
Well, the .rec file is the game that, reading the above link, is encrypted with a per-console specific key that probably is inside recrypt.sys. Keys are usually 16 bytes and the Nintendo signature formats are (read here and here for more info):

Type      Algorithm                 Hash    Signature size  Padding size
0x010000  RSA_4096                  SHA1    0x200           0x3C   (unused for 3DS)
0x010001  RSA_2048                  SHA1    0x100           0x3C   (unused for 3DS)
0x010002  Elliptic Curve            SHA1    0x3C            0x40   (unused for 3DS)
0x010003  RSA_4096                  SHA256  0x200           0x3C
0x010004  RSA_2048                  SHA256  0x100           0x3C
0x010005  ECDSA                     SHA256  0x3C            0x40

Also more info about Nintendo ticket system can be read here.

Then the decrypted game must be decrypted again with a "common key" that must be stored somewhere in the system dump.

Can someone post a screenshot of the first bytes (at least 0x200) of the .sys files opened with a hex editor?

EDIT: the 0-8192 partial dump taken from one of the above posted links is surely encrypted.

Sure, I can help with that.

recrypt.sys (the rest is followed by zeroes):
[image: gycdi1.png]

recrypt-marsh.sys (the rest is followed by zeroes):
[image: s4j691.png]

timer.sys:
[image: fq3off.png]
 

Krem Quay

Well-Known Member
Newcomer
Joined
Aug 24, 2014
Messages
89
Trophies
0
Age
26
XP
231
Country
United States
asper, the filename is "tickets", and it was part of HNKii's diagnostics dump. Download here: -snip-

Also, how do I screencap that many bytes? Wouldn't it be easier if you reviewed the file yourself?
 

Krem Quay

Well-Known Member
Newcomer
Joined
Aug 24, 2014
Messages
89
Trophies
0
Age
26
XP
231
Country
United States
Ok sorry, well I just wanted you to download it, since it's easier if you can have a look at it yourself. I cannot screencap 0x800 bytes though.
 

GHANMI

Well-Known Member
Member
Joined
Jun 10, 2012
Messages
969
Trophies
0
XP
914
Country
If I may ask, were the iQue N64 games ever converted to regular ROM files?
And that "mystery game" might be Majora's Mask, considering its iQue version was cancelled very late in development.
 

Krem Quay

Well-Known Member
Newcomer
Joined
Aug 24, 2014
Messages
89
Trophies
0
Age
26
XP
231
Country
United States
If I may ask, were the iQue N64 games ever converted to regular ROM files?
And that "mystery game" might be Majora's Mask, considering its iQue version was cancelled very late in development.

Yeah, I agree that it's Majora's Mask. And no, that's what the thread is for--figuring out how to crack the files.
 

GHANMI

Well-Known Member
Member
Joined
Jun 10, 2012
Messages
969
Trophies
0
XP
914
Country
Can't they be sniffed out of the hardware during runtime?
Kind of like how the Wii U universal keys were obtained, or how Wii U discs were dumped using a modded optical drive while it's running. (Though this would be destructive to an already dwindling supply of iQues.)

Aside from this (not so informed) question, I wish you success. I find these versions quite intriguing.
 

Krem Quay

Well-Known Member
Newcomer
Joined
Aug 24, 2014
Messages
89
Trophies
0
Age
26
XP
231
Country
United States
I made some comments earlier in the thread with some discoveries that I made. I can't hex edit well, so I did all that I could really.

Me and others agree that the encryption is similar to Wii & 3DS titles.
 

Zhongtiao1

Well-Known Member
Member
Joined
Feb 24, 2015
Messages
831
Trophies
0
Age
26
XP
2,766
Country
United States
I made some comments earlier in the thread with some discoveries that I made. I can't hex edit well, so I did all that I could really.

Me and others agree that the encryption is similar to Wii & 3DS titles.

Have the commands had any success pushing a game to the ique?

Also, if you could route the network traffic from the ique@home software when you download a game to the unknown one, it may trick it into loading the unknown game onto the ique. Then we could see what it is.

 

asper

Well-Known Member
Member
Joined
May 14, 2010
Messages
942
Trophies
1
XP
2,030
Country
United States
Did you get to decrypting the titles yet?
I had just a quick look and found the following stuff (far from being correct, just speculation):

1 - The Crls file starts with 00000001 while Wii tickets start with 00010001, and I think the signature type is
RSA_2048 SHA1 with signature size 0x100 (it matches) even if the zero-padding size is not matching.

2 - Downloaded games are identical to the games found in GAMECACHE.zip, so I suppose they are encrypted just 1 time, because when I download a file the server cannot know my iQue id since I am downloading from a device different from the iQue. Maybe someone can check if a game inside GAMECACHE is different or identical compared to a game present in another iQue folder (are there other iQue folders? http://retroactive.be/personal/ique/): if that is the case we have the same file with a second encryption, and the GAMECACHE files are already decrypted against this second encryption.

Reading HERE, those double-encrypted files should be the .rec files. If so, you have a single-encrypted game and the same game double-encrypted; this can be useful to get the encryption algorithm (maybe by debugging the .exe? In the above link it is stated that the second encryption is made by the client using the device pubkey). Files inside 3n5np9.zip "should" be the following if compared to the above link information:
cert = cert.sys
Crls = crl.sys
identity = id.sys
PrivateData = depot.sys
tickets = ticket.sys
(you can find more files to compare in the same above link)

3 - Another good thing is that, if my above statement about the 1st and 2nd encryption is true (I do not have an iQue unit to test), you can also have a fully decrypted game by downloading it from some N64 rom sites, so you can have all 3 forms of the same file:
- unencrypted form (from rom sites),
- single-encrypted form (from http://cds.idc.ique.com),
- double-encrypted form (from a single console unit, in .rec file form),
to test some encryption algorithms!

4 - in my humble opinion tickets (or tickets.sys) is encrypted.

Now the "only" missing thing seems to be the encryption key (or encryption keys).

@crediar and/or @FIX94 and/or @dimok may help.


EDIT: there is the possibility of an SQL injection "problem" in cds.idc.ique ... :)
 
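The signature-type table quoted earlier in the thread, and asper's observation that the Crls file opens with 00000001 instead of a Wii-style type, can be checked mechanically. The following is an added example, not code from the thread or from any iQue tool: it assumes the Wii/3DS signed-blob layout (4-byte big-endian type, signature, zero padding, then the signed data) and uses a constructed payload with a dummy signature; whether iQue files really use this layout is exactly the open question in the thread.

```python
import hashlib
import struct

# Signature types from the table in the thread:
# type -> (algorithm, hash, signature size, zero-padding size)
SIG_TYPES = {
    0x010000: ("RSA_4096", "sha1", 0x200, 0x3C),
    0x010001: ("RSA_2048", "sha1", 0x100, 0x3C),
    0x010002: ("ECDSA", "sha1", 0x3C, 0x40),
    0x010003: ("RSA_4096", "sha256", 0x200, 0x3C),
    0x010004: ("RSA_2048", "sha256", 0x100, 0x3C),
    0x010005: ("ECDSA", "sha256", 0x3C, 0x40),
}

def parse_signed_blob(blob):
    """Split a Wii/3DS-style signed blob into type, signature, padding and payload.
    Returns None when the leading type is not one from the table (e.g. the
    00000001 seen at the start of the iQue Crls file) or the blob is too short."""
    if len(blob) < 4:
        return None
    sig_type = struct.unpack(">I", blob[:4])[0]
    entry = SIG_TYPES.get(sig_type)
    if entry is None:
        return None
    algo, hash_name, sig_len, pad_len = entry
    payload_off = 4 + sig_len + pad_len          # e.g. 0x140 for RSA_2048
    if len(blob) < payload_off:
        return None
    pad = blob[4 + sig_len:payload_off]
    payload = blob[payload_off:]                  # the data the signature covers
    return {
        "type": sig_type,
        "algorithm": algo,
        "hash": hash_name,
        "signature": blob[4:4 + sig_len],
        "padding_is_zero": not any(pad),          # a sanity check on the layout guess
        "payload_offset": payload_off,
        "payload_digest": hashlib.new(hash_name, payload).hexdigest(),
    }

def make_sample(sig_type, payload):
    """Construct a sample blob with a dummy (all 0xAA) signature for testing."""
    _, _, sig_len, pad_len = SIG_TYPES[sig_type]
    return struct.pack(">I", sig_type) + b"\xAA" * sig_len + b"\x00" * pad_len + payload

if __name__ == "__main__":
    info = parse_signed_blob(make_sample(0x010001, b"constructed ticket body"))
    print(info["algorithm"], info["hash"], hex(info["payload_offset"]))
    print(parse_signed_blob(bytes.fromhex("00000001") + b"\x00" * 0x200))  # None
```

Running it over the real tickets or Crls dump would show whether any table type is present at offset 0 and whether the padding after the signature is actually zero, which is the first thing to check before assuming the Wii layout.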

Matts

New Member
Newbie
Joined
Jun 21, 2017
Messages
1
Trophies
0
Age
31
XP
51
Country
United States
Hey guys I'm new to this forum. I've wanted a ique forever and now I realize that they've taken down the online service. I read this whole thread and it goes over my head but has anyone figured out how to get these games on the system?
Thanks Matt :)
 

KevinLSX

Well-Known Member
Member
Joined
Mar 6, 2016
Messages
526
Trophies
0
XP
1,113
Country
United States
Hey guys I'm new to this forum. I've wanted a ique forever and now I realize that they've taken down the online service. I read this whole thread and it goes over my head but has anyone figured out how to get these games on the system?
Thanks Matt :)
No, we haven't yet.
 
