194 lines
4.8 KiB
Markdown
194 lines
4.8 KiB
Markdown
# 🔍 CDN URL Discovery - Critical Finding
|
|
|
|
## The Problem: CDN URL Not in APK
|
|
|
|
After thorough analysis:
|
|
- ❌ CDN URL is **NOT hardcoded** in the APK
|
|
- ❌ Not in config files (checked all .json, .bin, .xml)
|
|
- ❌ Not in game binary strings
|
|
- ❌ Not in smali bytecode
|
|
|
|
## The Solution: Dynamic Discovery via Director Service
|
|
|
|
### How RR3 Actually Works:
|
|
|
|
```
|
|
1. Game starts
|
|
↓
|
|
2. Connects to EA Director Service
|
|
GET https://prod.director-services.firemonkeys.com.au/director
|
|
↓
|
|
3. Director returns service URLs including:
|
|
{
|
|
"synergy.account": "https://...",
|
|
"synergy.commerce": "https://...",
|
|
"synergy.content": "https://ACTUAL-CDN-URL", ← THIS!
|
|
...
|
|
}
|
|
↓
|
|
4. Game uses synergy.content URL to download assets
|
|
```
|
|
|
|
**The CDN URL is returned dynamically by EA's Director service!**
|
|
|
|
---
|
|
|
|
## 🎯 Two Approaches to Get the URL
|
|
|
|
### Approach 1: Intercept Live Game Traffic (BEST)
|
|
|
|
**Tools Needed:**
|
|
- mitmproxy, Charles Proxy, or Fiddler
|
|
- Android device with RR3 installed
|
|
- USB debugging enabled
|
|
|
|
**Steps:**
|
|
```bash
|
|
# 1. Install mitmproxy on PC
|
|
pip install mitmproxy
|
|
|
|
# 2. Start mitmproxy
|
|
mitmweb --listen-port 8080
|
|
|
|
# 3. Configure Android device proxy to PC's IP:8080
|
|
|
|
# 4. Install mitmproxy CA certificate on device
|
|
|
|
# 5. Launch Real Racing 3
|
|
|
|
# 6. Watch for Director service request/response
|
|
|
|
# 7. Look for "synergy.content" URL in the JSON response
|
|
```
|
|
|
|
**Expected Response:**
|
|
```json
|
|
{
|
|
"synergy.account": "https://prd1.echo.ea-mct-live.com/synergy/account",
|
|
"synergy.commerce": "https://prd1.echo.ea-mct-live.com/synergy/commerce",
|
|
"synergy.content": "https://[ACTUAL-CDN]/",
|
|
"synergy.social": "https://...",
|
|
...
|
|
}
|
|
```
|
|
|
|
### Approach 2: Call EA's Director Service Directly
|
|
|
|
**Try these Director URLs:**
|
|
```bash
|
|
# Primary (from binary strings)
|
|
curl https://prod.director-services.firemonkeys.com.au/director
|
|
|
|
# Alternatives
|
|
curl https://director.firemonkeys.com.au/director
|
|
curl https://prod1.director.ea.com/director
|
|
curl https://director-services.ea.com/director
|
|
```
|
|
|
|
**Expected JSON response will contain the CDN URL!**
|
|
|
|
---
|
|
|
|
## 🧪 Quick Test Script
|
|
|
|
```powershell
|
|
# Test EA Director Services
|
|
$directorUrls = @(
|
|
"https://prod.director-services.firemonkeys.com.au/director",
|
|
"https://director.firemonkeys.com.au/director",
|
|
"https://prod1.director.ea.com/director"
|
|
)
|
|
|
|
foreach ($url in $directorUrls) {
|
|
Write-Host "Testing: $url"
|
|
try {
|
|
$headers = @{
|
|
"User-Agent" = "RealRacing3/12.6.0 (Android)"
|
|
"X-App-Version" = "12.6.0"
|
|
}
|
|
$response = Invoke-RestMethod -Uri $url -Headers $headers
|
|
if ($response.'synergy.content') {
|
|
Write-Host "✅ FOUND CDN URL: $($response.'synergy.content')" -ForegroundColor Green
|
|
$response | ConvertTo-Json
|
|
}
|
|
} catch {
|
|
Write-Host "❌ Failed: $_"
|
|
}
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
## 📝 URLs Found in APK (for reference)
|
|
|
|
From binary analysis:
|
|
- `https://media.contentapi.ea.com` - EA content API (404 for direct asset access)
|
|
- `https://prd1.echo.ea-mct-live.com` - EA Echo services (account/commerce)
|
|
- `https://prd1.gevs.glulive.com` - Glu analytics (timeout)
|
|
|
|
**None of these are the asset CDN!** They're service endpoints.
|
|
|
|
---
|
|
|
|
## 🚀 Once We Have the CDN URL
|
|
|
|
Update the downloader:
|
|
```powershell
|
|
# Edit download-assets.ps1
|
|
$EaCdnBaseUrl = "https://[CDN-FROM-DIRECTOR]"
|
|
|
|
# Run downloader
|
|
.\download-assets.ps1 -TestMode # Test first
|
|
.\download-assets.ps1 # Download critical assets
|
|
```
|
|
|
|
---
|
|
|
|
## 🎯 Action Items
|
|
|
|
### Option A: You have Android device with RR3
|
|
1. Setup mitmproxy on your PC
|
|
2. Configure device to use proxy
|
|
3. Launch RR3 and capture Director response
|
|
4. Extract `synergy.content` URL
|
|
5. Update downloader script
|
|
6. Download assets while EA servers are up!
|
|
|
|
### Option B: No device available
|
|
1. Try calling Director service directly (test script above)
|
|
2. If that fails, wait for EA shutdown
|
|
3. Use community contributions approach
|
|
4. Players with the game installed extract from their devices
|
|
|
|
### Option C: Check our community server
|
|
Since we're building a replacement Director service:
|
|
1. When a real device connects to our server
|
|
2. We can capture what Director URL they expect
|
|
3. Or we can make up our own URL structure
|
|
4. Point it at our downloaded assets
|
|
|
|
---
|
|
|
|
## 💡 Key Insight
|
|
|
|
**The APK doesn't know the CDN URL - it discovers it at runtime!**
|
|
|
|
This is actually GOOD for our community server:
|
|
- We can return OUR OWN CDN URL from our Director
|
|
- Game will happily download from our server
|
|
- We control the entire asset delivery chain!
|
|
|
|
Our DirectorController should return:
|
|
```csharp
|
|
{
|
|
"synergy.content": "https://your-community-server.com/assets/",
|
|
...
|
|
}
|
|
```
|
|
|
|
Game downloads from YOUR server, problem solved! 🎉
|
|
|
|
---
|
|
|
|
**Next Step**: Try the test script above to call EA's Director directly, or setup mitmproxy to capture from a real device.
|