PSO DC Hunter License server support

[patapancakes]

It's known that the Japanese and US versions of Phantasy Star Online Ver. 2 for Dreamcast connect to a server to validate the user's Hunter License before connecting to the game server, and this has always had to be either patched out through cheats or a custom disc.

If this server could instead be emulated (and a way to bypass the SSL certificate validation is found) it becomes possible to play on unmodified discs through just a custom DNS server.

I'm not sure if you have any interest in working on something like this, but if you do I've already started trying to find out how the SSL implementation works.

[fuzziqersoftware]

I'd guess that due to the age of the SSL implementation, it wouldn't support anything newer than TLS 1.0, and it's likely possible to downgrade the connection server-side to something even older (and easier to defeat) like SSLv2.

This is a good idea and I am interested in it, but I probably won't have much time to work on it in the near future. (Also, the only version of PSO DC I have already has that check patched out, so I can't test it.) I'll leave this issue open, though, since it's a good potential future subproject.

[patapancakes]

I don't think a downgrade to SSLv2 is going to work, the version listed in the handshake is SSLv3 and it refuses to connect to a SSLv2 server (gets unsupported protocol). It does list two supported SSLv2 ciphers though, so maybe I'm doing something wrong.

Cipher Specs (10 specs)
    Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
    Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
    Cipher Spec: TLS_NULL_WITH_NULL_NULL (0x000000)
    Cipher Spec: TLS_RSA_WITH_NULL_MD5 (0x000001)
    Cipher Spec: TLS_RSA_WITH_NULL_SHA (0x000002)
    Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
    Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
    Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
    Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
    Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)

[patapancakes]

TLS_NULL_WITH_NULL_NULL apparently is no authentication with no encryption? I don't have a web server that supports this cipher but if the DC really accepts it then it could be an easy way around the validation problem.

[sirdankz]

Maybe look into how Socom 2 for PS2 bypasses the server check by patching the game via memory card on ps2online. Could probably work for this game.

[patapancakes]

Maybe look into how Socom 2 for PS2 bypasses the server check by patching the game via memory card on ps2online. Could probably work for this game.

Even if possible I don't think that is the best way. The point of doing it through a server exploit is that there's minimal work for the player to do, if it needs writing something to a memory card then why not just take the extra step to burn a disc? Changing the DNS server is just a setting on the console.

[patapancakes]

Here's another method, and something even the DS and DSi were vulnerable to. Defeating SSL

tldr: Most old SSL implementations stop checking the cert tree as soon as it finds a valid node, if we have a cert/key the DC trusts we could sign a new cert with it and possibly bypass validation.

Does anyone have any console certificates or similar for the DC? Just needs to be something with a CA it trusts.