Post: PS Vita PFS (PlayStation File System) Keys Documented by St4rk
01-21-2017, 09:14 PM #1
OfficialJesseP
How's it going, eh?
Following his PKGDecrypt homebrew application, PlayStation Vita developer St4rk documented the PS Vita PFS (PlayStation File System) encryption and secret keys today on the You must login or register to view this content. for developers!

Here are the keys:
    PFS EncKey: { 0x00, 0x29, 0x8C, 0xDF, 0x44, 0x28, 0xE7, 0x2C, 0x87, 0x85, 0xDA, 0xE0, 0x92, 0x3C, 0x60, 0xBD };
    PFS Secret: { 0x8C, 0x5D, 0x3A, 0x4B, 0x9D, 0x9B, 0xF4, 0xB4, 0x53, 0xBC, 0xE6, 0xCD, 0xC3, 0x43, 0x31, 0xD8 };


GameArchives ArchiveExplorer You must login or register to view this content.

(Library) Add PSARC support, for zlib-compressed archives.
(Library) Begin work on archive modification.
(ArchiveExplorer) Add property view.

For binaries (You must login or register to view this content. required) download "Release-0.8.0.zip" below.


GameArchives ArchiveExplorer You must login or register to view this content.

(Library) Fixed a bug in PFS direct reading that could leave files missing
(ArchiveExplorer) Added editor window with Disk Defragmenter-esque usage chart and file replacement (for Xbox ISOs only)

For binaries (You must login or register to view this content. required) download "Release-0.9.0.zip" below.


To quote from yifan_lu on the significance of Sony's PFS protection: "So the Vita has many layers of encryption. Let's look at a game cart and digital game:

The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the Vita, that layer is decrypted before the Vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.

Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by Sony. Package Installer can get past this encryption (and it does for DRM-free packages). For other packages, Package Installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0".

The second layer of encryption is PFS. All game data (images, textures, executables, etc.) are encrypted with PFS. PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with Sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.

Now, the showstopper. Game executable files (eboot.self, *.suprx, etc.) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for Sony."
01-21-2017, 10:31 PM #2
And that last line of defense would mean downgrading/spoofing would be possible, yeah? Vita has the chance to be an incredible emulating machine, but soon enough Sony will stop supporting it, and leave devs be.
01-21-2017, 10:33 PM #3
OfficialJesseP
How's it going, eh?
Originally posted by Frosty View Post
And that last line of defense would mean downgrading/spoofing would be possible, yeah? Vita has the chance to be an incredible emulating machine, but soon enough Sony will stop supporting it, and leave devs be.

Yes, once that's figured out the doors of "piracy" and other neat things will be opened Smile
01-21-2017, 10:38 PM #4
Originally posted by xJustJesse View Post
Yes, once that's figured out the doors of "piracy" and other neat things will be opened Smile


Piracy's already been opened. Vita's been rekt with piracy. Only issue is not being able to go online, and not being able to run 3.61+ games
01-21-2017, 10:39 PM #5
OfficialJesseP
How's it going, eh?
Originally posted by Frosty View Post
Piracy's already been opened. Vita's been rekt with piracy. Only issue is not being able to go online, and not being able to run 3.61+ games

Yes, that's what I was referring to, my bad :P
01-21-2017, 10:42 PM #6
Originally posted by xJustJesse View Post
Yes, that's what I was referring to, my bad :P


Hopefully it would lead to REAL trophy hacking, not the trophy data syncs, and then Frosty could have all the Vita plats :happycry:
01-22-2017, 08:12 PM #7
I can't wait for trophy modding. I have so many Vita games I got free with PS+ that I could plat Happy
06-20-2017, 05:53 PM #8
Course
Banned
all the ps plus games are leaked.
08-04-2017, 02:13 AM #9
Originally posted by TheMightyMoJo View Post
I can't wait for trophy modding. I have so many Vita games I got free with PS+ that I could plat Happy


Two people know how to mod trophies, but won't tell how. So rip to that
08-04-2017, 04:20 PM #10
Jon Snow
Di DonDadda
Originally posted by Vimto View Post
stfu frosty, nobody gonna tell you shit pedo


What's your deal with calling everyone a pedo? Do u even frosty?


Copyright © 2024, NextGenUpdate.
All Rights Reserved.
