iQue Player hacking possibility with ique_diag.exe?

Discussion in 'Other Consoles & Oldies' started by HNKii, Apr 7, 2017.

  1. HNKii
    ique_diag.exe is a diagnosis software for the iQue Player, bundled with the latest iQue@Home update V1.4.2 2005101909. (The latest version has a "diagnosis" feature, which probably uses ique_diag.exe.)
    The latest version is neither downloadable here: http://ique.com/products/M_athome.htm, nor is it included on any disk. It can only be acquired after running the update utility.
    (The update server went defunct even before the iQue Player shop shutdown, so there's no way to obtain the update officially now. My iQue@Home was updated to the latest version in mid-2013.)
    The executable is located at iQue@Home/pkgs/diag.
    The software requires hooking an iQue Player to it (not possible if your computer/virtual machine is 64-bit, as the iQue Player only has a 32-bit driver), but it can actually be run without running the entire iQue@Home software, though.
    Here are all the commands for ique_diag.exe:
    This exe might be helpful for iQue Player hacking because it extracts tickets and other stuff from the iQue Player, and I've not yet seen any attempts to hack the iQue Player tried using this tool.


    Download: http://www.mediafire.com/file/g1xaf6q9k84y5ah/ique_diag.exe
     
    Last edited by HNKii, Apr 7, 2017


  2. HNKii
    I played around with ique_diag.exe and found out what some of the commands do:
    B: Initializes the iQue Player (Called BB Controller internally) hooked to the PC. No commands can be run without initializing.
    A: Possibly used to check if the iQue card is inserted into the iQue Player.
    C: Prints stats of the iQue Player:
    These "blocks" are not the same unit as the blocks presented to the user at iQue@Home. My iQue card has 28 free blocks out of all 240 blocks in terms of the "blocks" displayed on iQue@Home client.
    I: Gets player identity
    GI~GU: writes the corresponding info from the iQue Player into a file. Say, if I use GT tickets.dat, a ticket.dat file will be created in the same directory as ique_diag.
    H ledval: I didn't figure out what LED pattern comes from what LED value yet.
    J: Possibly syncs the iQue Player's internal clock to that of the PC as there is no time setting option for this command. I cannot test it as my iQue Player's clock battery is dead.
    L: Gets all the contents currently installed on iQue Player.
    Here's mine:
    The content id is in Hex. Translate to Dec to get the original ID.
    For instance, the largest file has id 201358, which is 2102104 in Dec.
    21012104 is the game Paper Mario. (21021 is Paper Mario's internal code, as can be seen on iQue's website & Game Manual.)
    The game size matches the size of the corresponding encrypted cache file for that game (Unit: Bytes)
    [Paper Mario occupies 160 blocks shown on iQue Player client.]
    For the smaller games, say 201678, is 2101904 in Dec.
    That's Paper Mario's on-console manual. (The first four digits are the same, the fifth digit changes into 9 for manuals) Size matches that of its corresponding cache file.
    [Paper Mario Manual occupies 2 blocks shown on client]
    On-console manuals can be executed as games on iQue Player, and they're always recognized as purchased titles.

    *The last two digits don't have to be the same for manuals and games, but there's still a pattern:
    Encrypted cache files with only the last two digits different have almost, if not 100%, identical sizes, and only the cache with the largest ending digit gets downloaded from the server if a user is sending a request to purchase, trial or retrieve a game from the server.
    So I guess the last 2 digits might be the version indicator.

    U\M\R: Gets, restores and removes the corresponding game/manual from/to iQue Player.
    Getting a game to file will create a file that's identical to the corresponding cache downloaded from server and included in iQue@Home download.
    (Files match on MD5)
     
    Last edited by HNKii, Apr 7, 2017
  3. HNKii
    Some useful information on game id and their encrypted caches:

    Download link for encrypted game cache from server
    http://cds.idc.ique.com:16963/cds/download?content_id=x
    (*old version is guessed, not 100% sure)

    x:
    10000003 - Unknown, included in iQue@Home download from iQue.com
    1082 - Unknown, included in iQue@Home download from iQue.com
    1101104 - Super Mario 64
    1101902 - SM64 Manual (old version)
    1101906 - SM64 Manual
    1102101 - Yoshi's Story
    1102902 - Yoshi's Story manual (old version)
    1102904 - Yoshi's Story manual (old version)
    1102906 - Yoshi's Story manual
    1106 - Unknown, not included in older versions of iQue@Home, and only available in the update version (like ique_diag.exe?)
    1201105 - Super Smash Bros.
    1201901 - SSB manual
    2101104 - Ocarina of Time
    2101902 - OOT manual (old)
    2101904 - OOT manual
    2102104 - Paper Mario
    2102902 - PM manual (old)
    2102904 - PM manual
    2104108 - Animal Crossing
    2105103 - Custom Robo
    4101104 - Star Fox (old version)
    4101105 - Star Fox
    4101902 - Star Fox manual (old version)
    4101904 - Star Fox manual
    4102103 - Sin&Punishment
    4102901 - Sin&Punishment manual
    5101104 - Wave Race
    5101902 - WR manual (old)
    5101904 - WR manual
    5102108 - Excitebike 64
    5102902 - EB64 manual
    5201104 - Mario Kart 64 (old version)
    5201105 - Mario Kart 64
    5201902 - MK64 manual (old)
    5201906 - MK64 manual
    5202103 - F-Zero
    5202902 - F-Zero Manual (old)
    5202904 - F-Zero Manual
    6101104 - Dr.Mario
    6101902 - Dr.Mario Manual (old version)
    6101904 - Dr.Mario Manual

    I'm not sure if this list is complete! If anyone can make a crawler for http://cds.idc.ique.com:16963/cds/download?content_id=, please do find all the files!

    Other files found:
    10XX & 11XXes: Unknown, possibly for iQue Player Firmware updates:
    1009, 1010, 1011, 1012, 1013
    1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052, 1053, 1054
    1062
    1071, 1072
    1091
    1095
    1099
    1101

    10000000+s: Unknown, also possibly for iQue Player Firmware updates:
    10000001, 10000002


    **Explanations on Game IDs:
     
    Last edited by HNKii, Apr 12, 2017
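The ID layout described in the two posts above, as an added example that is not part of the original posts or of iQue's software. It decodes hex IDs as printed by the `L` command and picks the highest version per title; the field split (4-digit title, kind digit, 2-digit version) is the thread's observation rather than a documented format, and the function names are hypothetical.

```python
# Added example: decode iQue content IDs using the layout HNKii describes.
# The layout (4-digit title, kind digit, 2-digit version) is the thread's
# observation, not a documented format; all names here are hypothetical.

KINDS = {"1": "game", "9": "manual"}  # fifth decimal digit


def decode_content_id(raw, base=10):
    """Return the fields of one content id; base=16 for ids as printed by `L`."""
    dec = int(str(raw), base)
    digits = str(dec)
    # Ids such as 1082 or 10000003 do not fit the 7-digit pattern.
    if len(digits) != 7 or digits[4] not in KINDS:
        return {"id": dec, "title": None, "kind": "unknown", "version": None}
    return {
        "id": dec,
        "title": digits[:4],
        "kind": KINDS[digits[4]],
        "version": int(digits[5:]),
    }


def latest_versions(ids):
    """Map (title, kind) to the id with the highest version suffix."""
    best = {}
    for cid in ids:
        d = decode_content_id(cid)
        if d["kind"] == "unknown":
            continue
        key = (d["title"], d["kind"])
        if key not in best or d["version"] > best[key]["version"]:
            best[key] = d
    return {key: d["id"] for key, d in best.items()}


# Sample ids taken from the list in the post above.
SAMPLE_IDS = [1102902, 1102904, 1102906, 4101104, 4101105, 1082, 10000003]

if __name__ == "__main__":
    print(decode_content_id("201358", 16))  # hex id from the `L` listing
    print(decode_content_id("201678", 16))
    for key, cid in sorted(latest_versions(SAMPLE_IDS).items()):
        print(key, cid)
```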
  4. Kevinpuerta

    Hope this works. The fact that it can get the game's tickets means we can probably use it with the unknown formatted game files for it.

    I'm wondering, the iQue can be read from the video and power cord that I'm buying, but it also has a separate USB plug that was used for the iQue@Home. I don't have time now, but tomorrow I'm going to check whether using the USB cord to the PC with this program can read and write to the iQue. I'll post the results tomorrow.
     
  5. Byokugen

    2-3 years ago, some dude managed to dump and upload some games to the iQue. I can't remember where the post was; I think I have it stashed on my home server somewhere. Will have to dig it up; I know I saved all the data he uploaded.
     
  6. Sliter

    This is really interesting!
    Does it have any access to the FW? Like, I was thinking whether it's gonna be possible to do something like the NES/Famicom mini, where they found a way to add games, or even a CFW that lets it play even more games? hahaha
    (I should get an iQue before that, because I'm sure its price is gonna increase crazily after that e3e)
     
  7. Kevinpuerta

    So I'm back. Found the USB wire for the iQue. Time to test it out.
     
  8. ScarletDreamz

  9. Sliter

  10. ScarletDreamz

  11. Sliter

    right XD
    well, a strange idea came up here: since they don't produce this or sell the games any more, what if we ask the iQue guys about it? :P lololol

    by the way, I'm curious about the multiplayer... I know that the iQue has an accessory to add "just controllers" and be able to play it in multiplayer; I also saw a guy that used the iQue as a common N64 controller... so would it be very complex to connect the common controllers to an iQue, or is it better to look for the accessory for that? XD
    I'm not sure if it has any hardware :P
     
    Last edited by Sliter, Apr 7, 2017
  12. Kevinpuerta

    Keep getting BADHANDLE errors
     


  13. Byokugen

    What commands did you try? Also, Windows version?
     
  14. Kevinpuerta

    First (B) to sync the system
    Then (L) to copy the contents.
     
  15. Zhongtiao1

    If you replace the contentid=x with the contentid of the game it automatically downloads it for you
     
  16. Kevinpuerta

    I'll try that.
     
  17. Byokugen

    Did you update? @HNKii posted some useful stuff
     
  18. Kevinpuerta

    I've seen that too. I'm going to try and open my iQue swim box and see if I can solder some N64 controller extension cords to it.
    Also I found this weird port at the back of it

     
  19. Zhongtiao1

    A serial or parallel port variant?

     
  20. Kevinpuerta

    Do you think it's for the swim controller's pinout?