maimai China 1.53 Security Patch: What Changed and Why It Matters
The mainland China version of maimai has received another round of security changes with patch 1.53, following an earlier emergency update. The background is simple: the game’s original security design was never really built for the local arcade environment, especially not for a situation where someone could physically pull a machine’s hard drive.
Cheating and account-targeting tools have also been a long-running problem on the Chinese server. The immediate trigger this time was the public release of a player database and an account-destruction script by ttnk. Even before that, there had already been repeated large-scale account sweeps and mass punishments. After that incident, the service went down for five days of maintenance, and a China-specific security patch was added. Version 1.53 is a further upgrade on top of that work.
The first added patch
QR code service URL was changed
The QR code endpoint was switched from:
http://wq.sys-allnet.cn/qrcode/req/
to:
https://wq.wahlap.net/qrcode/req/
The key change here is the move from HTTP to HTTPS, which encrypts and authenticates the QR code request in transit and so blocks QR code hijacking.
It is worth being precise about what changed and what did not. Only the QR code service URL was replaced. The actual game servers were not moved in this step. Changing game server addresses would require shipping updated machine software, so claims that this update was a full game server URL migration are simply false.
Token enforcement, Level Alpha
Before a User ID login can happen, the machine must now obtain a UID through the QR code flow, and that UID must be signed using Chiral Matter. On top of that, UID Login and Logout must use the same signature.
In practical terms, direct login by user ID alone no longer works. Malicious tools can no longer log into an account through that old method. At this stage, the impact was mainly on upload-related behavior.
What patch 1.53 adds
Token enforcement, Level Beta
After 1.53 was pushed, QR-token validation became mandatory for almost every action, including preview requests used to fetch basic player information. This is clearly aimed at scripts that were building large-scale databases of the entire player base.
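The two enforcement levels described above (Level Alpha and Level Beta), as a server-side sketch added here for illustration; it is not code from the game or its operator. HMAC-SHA256 stands in for the signing scheme, which this article does not specify, and the names `issue_qr_token`, `token_valid` and `Gate`, the token layout, and the ungated Alpha-stage preview are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: key held only by the server

def _mac(uid: int, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{uid}:{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_qr_token(uid: int) -> str:
    """Stand-in for the QR code flow: bind a fresh nonce to the UID and sign it."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_mac(uid, nonce)}"

def token_valid(uid: int, token) -> bool:
    """True only if the signature was issued for this exact UID."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    return hmac.compare_digest(mac.encode(), _mac(uid, nonce).encode())

class Gate:
    """Constructed model of the two enforcement levels, not the real protocol."""

    def __init__(self, level: str):
        self.level = level      # "alpha" (first patch) or "beta" (1.53)
        self.sessions = {}      # uid -> signature presented at login

    def _same_as_login(self, uid: int, token) -> bool:
        held = self.sessions.get(uid)
        return (held is not None and isinstance(token, str)
                and hmac.compare_digest(held.encode(), token.encode()))

    def handle(self, action: str, uid: int, token=None) -> str:
        if action == "login":
            if not token_valid(uid, token):
                return "rejected"   # a bare user ID is no longer enough
            self.sessions[uid] = token
            return "ok"
        if action == "preview":
            # Assumption: preview was ungated at Level Alpha, gated at Beta.
            ok = self.level == "alpha" or token_valid(uid, token)
            return "ok" if ok else "rejected"
        if not self._same_as_login(uid, token):
            return "rejected"       # logout and upload need the login signature
        if action == "logout":
            del self.sessions[uid]
        return "ok"
```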
Fix for 0010
Patch 1.53 also addresses the crash issue caused by malicious tools sending the "rolling log" collectible to machines. Known methods for using that exploit to crash cabinets have now been fixed.
Communication method changed
The patch also changes how machines communicate with the Chiral Network servers. The previous implementation had already leaked through currently circulating scripts, so once 1.53 is applied, those scripts break across the board.
If your account was damaged
If an account was hit by a destructive script and injected with abnormal data, the recommended solution is to use the official appeal form. Reports indicate that this route is handled quickly.
What this means in practice
Taken together, these two rounds of updates are meant to wipe out nearly all clearly malicious cheating tools, while also knocking out most low-end script users and the secondhand hard-drive resellers who relied on these methods. For ordinary players, this is overwhelmingly good news.
The exact rollout timing is still unclear, but the rough expectation is around two weeks. During that period, the developers are likely still busy tightening validation. It is also not yet clear when machine song data updates will fully line up with the patch deployment. Even so, the current protection level appears stricter than what the international version has in place.
A rumor that should be ignored
Claims that SEGA officially adopted Kumagai Ryo’s proposed solution are false. The screenshots circulating about that were part of a joke and roleplay in a group chat. The fixes included in this update are unrelated to that proposal.

