GameStick server delivers firmware updates

My PlayJam GameStick replacement server is now able to deliver firmware updates to the GameSticks: Version 2049 to 2058, and 2058 to 2071.

Firmware images

The GameStick server was shut down in 2017, long before we tried to preserve the system. We thus could not download firmware images from the server, but GameStick Fans member Ryo found the firmware files for 2058 and 2071 somewhere on the internet and collected them for us.

Joe, a new GameStick Fan who joined in 2024-11, found the firmware image for 2049 on his stick.

Those full firmware images are ~180 MiB large and fully reset your GameStick - all settings and games are wiped. They can't be used for automatic updates.

Firmware updates

After I managed to build a firmware update that enables the Android debug bridge, Ryo found an official firmware update on one of his GameSticks in 2023: Update-2058-to-2071.img. It was located in the /cache/ folder and only 3.2 MiB large.

Another stick contained Update-2049-to-2058.img (9.9 MiB).

Those .img files are small downloads and keep all the settings and games as they are - the right ones for automatic updates.

Firmware update process

The initial request to check for firmware updates is pretty standard: An HTTP POST request to http://update.gamestickservices.net/check.php (actually 2 different domains and one hard-coded IP address), which returns a JSON structure that tells the stick whether a firmware update is available, the textual changelog and whether the stick must install it ("forced update") - and of course the download URL.

By reading the decompiled OOBE code, I figured out that the download URL gets modified and URL parameters are appended:

The firmware update is split into parts (chunks) of 100 kiB, and each chunk is "encrypted" by XORing it with the magic number 0x5b, and the binary SHA1 sum is put before the data itself.

My guess is that the developers did that to prevent people installing their own updates - a measure that was already defied in 2014-03, known as the lukepanic hack method. That hack supposedly (I don't have the files) opens a web server and delivers a custom firmware update :)

Server implementation

My server now contains a script that takes a firmware update, splits it into chunks, encrypts and signs them - so that the download files can be delivered statically.
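The chunk format described above (100 kiB chunks, XOR with 0x5b, binary SHA1 in front of the data), as an added Python example that is not the server's own script. The post does not say whether the SHA1 covers the data before or after the XOR, so the hash_plain switch is an assumption, and all function names are hypothetical.

```python
import hashlib

CHUNK_SIZE = 100 * 1024   # 100 kiB per chunk, as stated in the post
XOR_KEY = 0x5B            # single-byte XOR "magic number" from the post
SHA1_LEN = 20             # length of a binary SHA-1 digest

# bytes.translate with a 256-entry table XORs every byte with XOR_KEY
_XOR_TABLE = bytes(b ^ XOR_KEY for b in range(256))


def xor(data: bytes) -> bytes:
    """XOR is its own inverse, so this both obfuscates and restores."""
    return data.translate(_XOR_TABLE)


def encode_chunks(update: bytes, hash_plain: bool = True) -> list[bytes]:
    """Split an update into digest-prefixed, XORed chunks."""
    chunks = []
    for off in range(0, len(update), CHUNK_SIZE):
        plain = update[off:off + CHUNK_SIZE]
        body = xor(plain)
        # Assumption: which bytes the digest covers is not stated in the post.
        digest = hashlib.sha1(plain if hash_plain else body).digest()
        chunks.append(digest + body)
    return chunks


def decode_chunk(chunk: bytes, hash_plain: bool = True) -> bytes:
    """Verify the digest prefix and return the original chunk data."""
    if len(chunk) <= SHA1_LEN:
        raise ValueError("chunk too short to hold a SHA-1 digest and data")
    digest, body = chunk[:SHA1_LEN], chunk[SHA1_LEN:]
    plain = xor(body)
    if hashlib.sha1(plain if hash_plain else body).digest() != digest:
        raise ValueError("SHA-1 mismatch: chunk corrupted or truncated")
    return plain


if __name__ == "__main__":
    # Constructed sample standing in for an Update-*.img file
    sample = bytes(range(256)) * 1000   # 256000 bytes -> 3 chunks
    parts = encode_chunks(sample)
    assert b"".join(decode_chunk(p) for p in parts) == sample
    print(len(parts), [len(p) for p in parts])
```

The digest is unkeyed and the XOR byte is constant, so this prefix catches corrupted or truncated downloads but says nothing about who produced a chunk; authenticating updates would need a real signature checked on the device.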

All firmware images and updates known to us have been uploaded to the Internet Archive: 0.9.2049, 0.9.2059 and 0.9.2071.

Next we'd really like to have a developer firmware, and we also know that there was a 0.9.2079 version we do not possess yet. Let's hope we'll find more sticks with cached firmware files on them.

Screenshots

Console UI update process

Firmware update notification
Update 0.9.2058 is downloading
Download finished
Update is installing
Android is upgrading
Firmware is up to date!
.. or not :)
Update now to 0.9.2071
Update boot screen
Now really up to date

OOBE update process

Searching for updates during setup
Downloading 2058 update
Update downloaded
Firmware is up to date


Written by Christian Weiske.
