Feature : GT7 "B" Telemetry format

[SHWotever]

Hi !

After a random contact message pointing out that if a "B" heartbeat was sent to GT7 another, longer, reply is retrieved. I did some investigations around it.

Turns out that the "IV" is not the same, but the base key is. After some short bruteforce (short as the new key was not that far) : 0xDEADBEAF is replaced by 0xDEADBEEF

The message has the same structure but adds 5 additional floats (316 bytes long in total).

Overall this takes place after the carcode :

public int CarCode;

public float WheelRotationRadians;
public float FillerFloatFB;
public float Sway;
public float Heave;
public float Surge;

I'm not sure yet what is FillerFloatFB, it's clearly direction related, maybe a lateral slip angle. This clearly is an extra bundle of "motion related" fields

I was hoping for a track id .... but ... no ... shame :D

Since lot of people got inspiration from your discoveries, including me I believe giving back my findings to you is the minimum I could do ;)

The only major struggle with that, just like Highlander there must be one. The first heartbeat wins (A/B), and the format can be only changed after the games stops sending telemetry after stopping sending the heartbeat for long enough. And since the crypto differs (length and key) cross compatibility across various software is tedious. I guess it has to be a choice.

I also tested other heartbeats (C ...) , this time it's a shorter message coming back I did not bothered trying to brute force it.

[Nenkai]

Very interesting research, thanks.
I'll see if I can track down when this was introduced.

[Nenkai]

On another note (and for reference), A was seen sent by the tool mentioned initially here, at the time the games were just open to any sort of data which would act as a ping of sorts

If true then PDI expanded over it by making sure to restrict it to specific bytes

[Nenkai]

I found this in 1.44.

Try ~? You should get a packet of 344 bytes. Xor is 0x55FABB4F.

[SHWotever]

Yeah overall the person who brought my attention to it, probably have seen A, and probably thought what if it is a version ? I don't have the whole story but based on the message I got it was just trial and error. Overall the B package was unusable without the new salt. I almost gave up, but the curiosity took the lead. In simhub I was extracting already those accelerations but making the speed difference between two packets. But those new values are more stable

[SHWotever]

I found this in 1.44.

Try ~? You should get a packet of 344 bytes.

Wooo ... You're telling there is a third version??? Please tell me it has track id ...

And damn ... The key is right here ... No brute force needed ... Ok it's time to get my best to guess what is added!

[Nenkai]

I'll see if I can track down the precise version that extended it.

[SHWotever]

I'm not good at decompiling, can you guess from the code the layout (I guess not the fields names). Mapping only names, or the whole layout and name is another story :D assuming it's only floats or similar that's only 7 fields I already did more complex trial and errors :D that said I knew what I was looking for :D I had the names but not the layout.

From this point I guess it's really not worth any extra efforts on this B version and only the ~ version is worth investigating (for the conflicting reasons I was mentioning)

[Nenkai]

1.40 seems to had plans to implement it (switch table with 3 cases, but all three handle A)
1.42 added both B and ~ variants, so 25/01/2024.

I'll see if I can figure out anything. Once again thanks for reaching out 😄

[SHWotever]

I confirm ~ works :D
Time to make some sense of it,

The green field is the last I did map previously (Surge), then comes brake, accelerator (probably filtered, as we already had it)
there is a wide zeroed range, and a static 00 01 which is ... not ... my dreamt track id.
and finally two floats which seems to be acceleration tied, and working around -1 / +1 (but can eventually go above) maybe some sort of torque ratio / power scale ?

[Nenkai]

So far I have:

public byte? Unk1 { get; set; } // Throttle? Filtered?
public byte? Unk2 { get; set; } // Brake? Filtered?
public byte? Unk3 { get; set; } // 2 = tomahawk? 4 = electric?
public byte? Unk4 { get; set; } // 1 on some electric cars? aero related?
public Vector4? Unk5 { get; set; } // confirmed vec4 through code, only the tomahawk seems to trigger these so far
public float? EnergyRecovery { get; set; } // confirmed
public float? Unk7 { get; set; } // ???

[IRIX64]

When Nicolas dreams about the TrackID is would like to add the following to the whishlist

1. Time left within a time based race/session
2. Session Type
3. Position within a session

Regards,
Joerg

[vthinsel]

Great finding indeed, thanks. I updated the GT7Proxy code to use this, and it works nicely. Less compute and more accurate. It is a win/win. vthinsel/GT7Proxy@f4fe6ed

[drowhunter]

Can anyone confirm whether Telemetry packet format B works in Online Sport Mode?

I just had a user tell me that since switching to this format telemetry is no longer there when entering Online Sport Mode, but for single player it works.

He reverted to my previous plugin before Packet B and he says its working online in sport mode.