Much like Wipeout Pure, TM also calls to some remote files for its online play features. I'm sure most of you have noticed the User Agreement download when you go into Infrastructure mode after you've selected your connection. Possibly, if someone can run Ethereal here (I would... but it hates my network) and see what file it's calling to. If we could do that then change the DNS of the PSP to a local computer hosting a file of the same name (like the Wipeout picture) and see if it retrieved it, we might be able to learn a thing or two about the embedded GET stuff that is going on in there. Also when you get in the game lobby it retrieves some news from the devs on the Network Status and such... this might also be a good place to hack around.
Just some ideas...
Possibilities with Twisted Metal: Head On Online
There are no GETs involved.... In fact, the protocol isn't even HTTP. It's a binary game lobby protocol run over TCP. I have performed multiple dumps, but I don't want to paste them since I think some kind of gameid or serial number is passed in the authentication phase. I have replayed packets up to the point where I retrieve the user agreement. I think the PSP online game lobby runs on the same environment as the PS2 online game lobbies. It looks like you first connect on port 10075 and get an incrementing sequence number, the agreement and create a psp online account. Then you connect to an authentication server on port 10078 where you get some kind of authentication string. I believe this is the Medius Authentication Server or the MAS. Once you authenticate, you reconnect on port 10075 and get into the actual game lobby. The protocol looks similar to the gamespy game lobby protocol. Each request or command packet starts with a 2 byte header terminated by a null byte. With some packet types you also get a random 2 byte sequence number after that first header which is simply incremented in the response packet.
To see for yourself, the initial connection sequence goes like this:
send this on 10075:
2408 0001 006d 0001 0000 00
and you'll get this packet:
2504 006d 0000 00
I'm still trying to figure out what all these packets are. One I'm sure of is
0501 00a5
that is a keepalive to keep the tcp connection open when nothing is being sent for awhile.
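As an added illustration (this is not the poster's code, and it only uses the three dumps pasted above), here is a small Python frame splitter that walks a captured byte stream and pulls each packet apart. It assumes the third header byte is the high byte of a little-endian payload length, which is consistent with all three dumps (0x08, 0x04 and 0x01 each equal the number of bytes that follow the header); the message-type names and the offsets at which the 0x006d sequence number is read are also assumptions drawn from where that value sits in the dumps.

```python
import struct

# Hex dumps as posted above (bytes exactly as the poster gave them).
CLIENT_HELLO = "2408 0001 006d 0001 0000 00"
SERVER_REPLY = "2504 006d 0000 00"
KEEPALIVE = "0501 00a5"

# ASSUMPTION: each frame is a 1-byte message type followed by a 2-byte
# little-endian payload length. This is inferred from the three dumps above,
# where 0x08, 0x04 and 0x01 each equal the number of bytes after the header.
HEADER_LEN = 3
TYPE_CLIENT_HELLO = 0x24  # hypothetical name for the first client message
TYPE_SERVER_HELLO = 0x25  # hypothetical name for its reply
TYPE_KEEPALIVE = 0x05     # the poster identifies 0501 00a5 as a keepalive


def hexdump_to_bytes(dump):
    """Turn a space-separated hex dump into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def split_frames(stream):
    """Split a TCP byte stream into (msg_type, payload) frames.

    Returns (frames, leftover); leftover holds a trailing partial frame so a
    caller can buffer it until the rest of the bytes arrive.
    """
    frames = []
    pos = 0
    while pos + HEADER_LEN <= len(stream):
        msg_type = stream[pos]
        (length,) = struct.unpack_from("<H", stream, pos + 1)
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + length
        if end > len(stream):
            break  # truncated frame: stop and hand back the remainder
        frames.append((msg_type, bytes(stream[start:end])))
        pos = end
    return frames, bytes(stream[pos:])


def sequence_number(msg_type, payload):
    """Extract the 16-bit sequence number the poster mentions, if present.

    ASSUMPTION: in the 0x24 request it sits at payload offset 2 and in the
    0x25 reply at offset 0 (0x006d appears at those positions in the dumps).
    """
    if msg_type == TYPE_CLIENT_HELLO and len(payload) >= 4:
        return struct.unpack_from("<H", payload, 2)[0]
    if msg_type == TYPE_SERVER_HELLO and len(payload) >= 2:
        return struct.unpack_from("<H", payload, 0)[0]
    return None


def describe(stream):
    """Summarise every complete frame in a stream as a list of dicts."""
    frames, _ = split_frames(stream)
    out = []
    for msg_type, payload in frames:
        out.append({
            "type": msg_type,
            "length": len(payload),
            "keepalive": msg_type == TYPE_KEEPALIVE,
            "seq": sequence_number(msg_type, payload),
        })
    return out


if __name__ == "__main__":
    # Constructed capture: the three posted packets back to back on one stream.
    capture = b"".join(
        hexdump_to_bytes(d) for d in (CLIENT_HELLO, SERVER_REPLY, KEEPALIVE)
    )
    for entry in describe(capture):
        print(entry)
```

The splitter keeps any trailing partial frame instead of dropping it, which is what you want when feeding it data straight out of a socket or a pcap reassembly. The 0x6d in the request shows up again in the reply, so `sequence_number` lets you pair requests with responses in a longer dump.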