How can I get the PSN Account-ID required for pairing?

[Occhioverde]

Good morning.
I recently discovered Chiaki and "followed" the issue with firmware version 7. I then installed version 1.0.4 and tried to connect to the console.
The problem is that I can't figure out how to recover the ID account required by the software even though I tried to run the script shared in Issue #51 using Frida.re with the command frida "C:\Program Files(x86)\Sony\PS4 Remote Play\RemotePlay.exe" --load "C:\Users\Riccardo Sacchetto\Downloads\main.ts" (which, among other things, reported a Parse Error on line 6).
I would therefore like to ask, if an alternative method is not available, how to use Frida to retrieve the value from the Windows client.

[Erfboom]

Just tried to do the exact same thing and received the script(line 6) SyntaxError: parse error.

Tried messing with the script to change some of the syntax but that didn't fix anything. As I understand, you load the program through frida with the script loaded, or do you load the program first and then run frida with the script loaded?

[Occhioverde]

Just tried to do the exact same thing and received the script(line 6) SyntaxError: parse error.

Tried messing with the script to change some of the syntax but that didn't fix anything. As I understand, you load the program through frida with the script loaded, or do you load the program first and then run frida with the script loaded?

This is the first time I ever try a Frida script, but from what I understand it is necessary to load the executable file to "analyze" through the command I specified in the text of my first message...

[sdipede]

I had the same syntax error when launching Remote Play first and then attaching via process name: frida RemotePlay.exe -l main.ts

When I launch RemotePlay as regular user and then frida as Administrator, it seems to attach but then RemotePlay.exe crashes. I attached the output I saw from my Visual Studio 2017 debug log.

remoteplay_frida_hook_crash.txt

[thestr4ng3r]

It's a Typescript script which has to be built with frida-compile. If you don't have any experience with Frida, please just wait until an easier method is available. I prefer spending time on searching for that instead of giving Frida tutorials, sorry.

[pdevq]

How to retrieve your Np-Account Id with Frida

As thestr4ng3r noted, Frida should not be the main method to retrieve your Np-Account Id.
If the following instructions work for you, great, if not, please wait until an easier method is found.

The following was done on a fresh Windows 10 (x64, Version 1903, Build 18362.30):

Prerequisite:

• install PS4 Remote Play

• [optional] get Microsoft Process Explorer
  (Task Manager can also be used to get the process id (pid) of a running program)

• save the script main.js in the attachment of this post somewhere accessible, e.g. C:\Users\user\main.js

  • this is just the javascript equivalent of the original typescript

• if using a VM, make sure the network adapter of the VM is in the same network as the Playstation (mode should be bridge, not NAT)

• on a fresh Windows install, a couple extra steps may need to be done to get Python and pip to work:

  • install Microsoft Visual C++ 2015 Redistributable
  • literally just visit files.pythonhosted.org in Edge (this adds the SSL certs for pip to use)

Getting your Np-Account Id:

1. install python 3.7 (was done via the Microsoft store, the login can be skipped)

2. open a cmd window and install Frida with pip install frida-tools

• if pip outputs an error like [SSL: CERTIFICATE_VERIFY_FAILED] just visit files.pythonhosted.org in Edge and try again (this adds the SSL certs for pip to use)

3. note the install path of the script in the console output and switch into the directory
   (if you run dir in that directory, frida.exe should be displayed)

cd C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qkb10okhta44j\LocalCache\local-packages\Python37\Scripts

4. start PS4 Remote Play and the Microsoft Process Explorer, note the process id of RemotePlay.exe, e.g. 9580

5. back in the console within the Scripts folder, attach Frida with the script using the v8 runtime to RemotPlay.exe by suppling the path of the script and process id:

frida -l C:\Users\user\main.js -p 9580 --runtime=v8

• the following should be outputed on the console:

Attaching...
Waiting for RpCtrlWrapper.dll
RpCtrlWrapper.dll is at 0x686b0000
[Local::PID::9580]->

6. go back to the PS4 Remote Play window
   a. press start
   b. login with your psn account
   c. press register manually, don't wait for the auto search
   d. input the access number and press register
   e. once connected close PS4 Remote Play

7. back in the console scroll up until you see the output from step 5. again:

Attaching...
Waiting for RpCtrlWrapper.dll
RpCtrlWrapper.dll is at 0x686b0000
[Local::PID::9580]->

• located in the first hex dump should be your Np-Account Id:

RpCryptAes.Encrypt(arg0 = 0x123e850, buf_inout = 0xa551090, buf_len = 0x32, bright = 0xdef2890, ambassador = 0xabcd2880, arg5 = 0xbd442a0
Buffer In:
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
0c7e1090  03 66 f3 53 b3 d8 1a 45 51 f6 2d 02 68 75 a9 1a  Client-Type: Win
0c7e10a0  90 8a 27 6b 7c 0c 73 8d c0 61 05 21 c9 bc b7 c1  dows..Np-Account
0c7e10b0  07 a2 ac a1 50 84 64 17 46 f9 06 a9 f2 1a 0f a1  Id: krxT58zQt7A=
0c7e10c0  0d 0a                                            ..

• In this example: krxT58zQt7A= (equal signs are part of the id)

main.zip

[thestr4ng3r]

Very nice, thanks for writing this down!

[sdipede]

Thank you for providing the JavaScript and instructions! Worked like a charm.

[Erfboom]

Thanks, worked perfectly! Great writeup.

[Occhioverde]

Thank you very much, @pdevq, it worked perfectly for me too!

[thestr4ng3r]

A script for easily obtaining the ID is now provided: https://github.com/thestr4ng3r/chiaki/blob/master/scripts/psn-account-id.py