Hacking Apparently, somebody Decrypted a PKG

  • Thread starter Deleted-394630
  • Views 31,984
  • Replies 130

demounit
Well-Known Member
we definitely need to sit tight, but where did the guy go?

I feel like the best proof would be (other than releasing the tool, of course) to decrypt a Sony game.
 

MDashK
Well-Known Member
Poor vita... Piracy... Sony has already abandoned it. Noo Exclusive games... No AAA GAMES ://

Nothing personal... But people need to stop this "Pity over piracy" sh*t. Why even bother hanging around here with this kind of thinking attitude?
 

Rasa39
Pervert Deluxe
Why are people having trouble with saves? It works just fine on my vita.

And like others I'm more towards it being a real dump rather than a devkit.
I mean ppl are saying stuff like "oh you have to unzip files into the vita, obvs a devkit rip", but that was the case for most PS3 dumps as well (depending on where you got it/how it was packaged) and those were all real dumps and not devkit leaks. (I also don't see how a zip file = devkit, not sure if I'm missing something there)

Also, I've not tested the adventure time game, but I imagine if it has no DRM then it would boot on the vita without having to first install henkaku right? (after the reboot I mean)

This new leak doesn't run without henkaku enabled, is that the case for adventure time or not?
 

Silverthorn
Spiky!
Why are people having trouble with saves? It works just fine on my vita.

I mean ppl are saying stuff like "oh you have to unzip files into the vita, obvs a devkit rip", but that was the case for most PS3 dumps as well (depending on where you got it/how it was packaged) and those were all real dumps and not devkit leaks. (I also don't see how a zip file = devkit, not sure if I'm missing something there)

It's not just that, here's what yifan_lu said about it:
"I said this elsewhere, but in these situations, when we don't have complete information, it is best to apply Occam's razor. Right now we have a eboot.bin that looks exactly like a debug build. Now one explanation (the one people want to believe) is that an unknown individual found a previously unknown means of decrypting a retail eboot, and then managed to obtain/generate the right metadata, then in order to hide their tracks, modified the eboot to look exactly like the output of a debug build (there's many tell-tale signs in the binary that shows the difference between a decrypted retail eboot and a debug eboot). All this effort done in secrecy and without the help (as far as we know) of any of the known figures in the scene.

Or... some enterprising individual with access to the files working at some company decide to leak them (for fame? for lulz?) and claim it is decrypted retail to throw off the scent of any upper-management who decides to investigate."

Why would someone who's claiming he has a way to dump games that he's going to release go through the trouble of disguising the first "example" dump?
 

Cinnamon
Well-Known Member
Zipping has nothing to do with devkit or not, but the fact that the meta-information can still be found in the eboot.bin means someone has the ability to decrypt the eboot and then regenerate the meta-information back, not an easy feat and one that requires deep knowledge of the SELF format.
 

cearp
Developer
Why are people having trouble with saves? It works just fine on my vita.

And like others I'm more towards it being a real dump rather than a devkit.
I mean ppl are saying stuff like "oh you have to unzip files into the vita, obvs a devkit rip", but that was the case for most PS3 dumps as well (depending on where you got it/how it was packaged) and those were all real dumps and not devkit leaks. (I also don't see how a zip file = devkit, not sure if I'm missing something there)

Also, I've not tested the adventure time game, but I imagine if it has no DRM then it would boot on the vita without having to first install henkaku right? (after the reboot I mean)

This new leak doesn't run without henkaku enabled, is that the case for adventure time or not?
the only reason we had to put the files manually on the vita is because the homebrew tools wouldn't handle a vpk that big :)
i don't think adventure time would run without henkaku, just like any custom or developer content
 

Maav
Well-Known Member
Back to the point of a decrypted game,
http://wololo.net/talk/viewtopic.php?f=65&t=45348

What makes this method by Mr.Gas different from the Xanadu release?
Is this pfs protection the DRM that prevents games from loading on Henkaku?

yes, I'm a noob. Pls help me connect the dots.

Basically, this lets us dump the game files in order for them to be readable; this doesn't mean it's runnable.

Maybe, if we can make the Vita expect decrypted data, playing those dumps would be possible... but we probably need a CFW for that.
 

yifan_lu
Member
Back to the point of a decrypted game,
http://wololo.net/talk/viewtopic.php?f=65&t=45348

What makes this method by Mr.Gas different from the Xanadu release?
Is this pfs protection the DRM that prevents games from loading on Henkaku?

yes, I'm a noob. Pls help me connect the dots.
So the vita has many layers of encryption. Let's look at a game cart and digital game:
1a) The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the vita, that layer is decrypted before the vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.
1b) Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by sony. Package Installer can get past this encryption (and it does for drm-free packages). For other packages, Package Installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0".
2) The second layer of encryption is PFS. All game data (images, textures, executables, etc) are encrypted with PFS. PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.
3) Now, the showstopper. Game executable files (eboot.self, *.suprx, etc) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for sony.

Basically #1 can be bypassed through Blackfin or HENkaku's FS access. #2 was bypassed by mr.gas and Major_Tom's pfs mounting trick. And we are waiting for #3 to be bypassed before the floodgates of piracy open.
 
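A toy model of the three layers yifan_lu lists above, added here as an illustration and not taken from the post, from Sony, or from any Vita tooling: `kdf` and `xor_crypt` are stand-ins for the real (undocumented) primitives, and every key, passphrase, file name and file content is a constructed assumption. The point it demonstrates is the defense-in-depth property of the design: stripping layers 1 and 2 yields readable assets but still leaves the executable opaque, because the layer-3 key depends on a secret that never reaches userland.

```python
import hashlib
import hmac
import os

def kdf(secret: bytes, *inputs: bytes) -> bytes:
    # Toy KDF standing in for Sony's undocumented derivation (assumption).
    return hmac.new(secret, b"|".join(inputs), hashlib.sha256).digest()

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: keystream block i = SHA256(key || i). Symmetric, so
    # the same call both encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed sample content and key material; none of these are real values.
ASSET = b"texture.gxt: constructed sample asset data"
EBOOT = b"eboot.bin: constructed sample executable"
PKG_KEY = os.urandom(16)            # 1b: picked at random by the developer
PFS_PASSPHRASE = b"dev-passphrase"  # 2: developer-chosen PFS passphrase
RIF = b"ux0:license/TITLEID/x.rif"  # 3: license file contents (constructed)
ACT_DAT = b"tm0:npdrm/act.dat"      # 3: activation data (constructed)
SONY_SECRET = os.urandom(32)        # 3: reachable only inside kernel/hardware

def build_package() -> dict:
    """Apply the layers inside-out: NPDRM on the eboot, PFS on every file,
    then the PKG layer over the whole archive."""
    npdrm_key = kdf(SONY_SECRET, RIF, ACT_DAT)
    pfs_key = kdf(PFS_PASSPHRASE, b"pfs")
    archive = {"texture.gxt": xor_crypt(pfs_key, ASSET),
               "eboot.bin": xor_crypt(pfs_key, xor_crypt(npdrm_key, EBOOT))}
    return {name: xor_crypt(PKG_KEY, data) for name, data in archive.items()}

def userland_view(pkg: dict) -> dict:
    """Layers 1 and 2 removed. The console performs the PFS decryption itself
    on mount; that is modelled here as the PFS key simply being available."""
    pfs_key = kdf(PFS_PASSPHRASE, b"pfs")
    return {n: xor_crypt(pfs_key, xor_crypt(PKG_KEY, d)) for n, d in pkg.items()}

def kernel_view(pkg: dict, secret: bytes) -> dict:
    """Layer 3 additionally removed; only works with the secret userland lacks."""
    files = userland_view(pkg)
    npdrm_key = kdf(secret, RIF, ACT_DAT)
    files["eboot.bin"] = xor_crypt(npdrm_key, files["eboot.bin"])
    return files
```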

texthebear
Member
Basically, this lets us dump the game files in order for them to be readable; this doesn't mean it's runnable.

Maybe, if we can make the Vita expect decrypted data, playing those dumps would be possible... but we probably need a CFW for that.

Ok, how about the new dump method with molecularshell, where the near app decrypts the game and we can modify everything related to the game? Can we swap all the game files with the decrypted dump?
 

FR0ZN
Well-Known Member
Yes, that's what I mean in #2. That's mr.gas & major_tom's method.

And what is it that ebootSegs does? Looking at the source code you just tell the kernel to load an encrypted self?
Does the PSV have some sort of hardware crypto engine like KIRK or the SPUs which you can ask to decrypt stuff?
 

texthebear
Member
So the vita has many layers of encryption. Let's look at a game cart and digital game:
1a) The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the vita, that layer is decrypted before the vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.
1b) Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by sony. Package Installer can get past this encryption (and it does for drm-free packages). For other packages, Package Installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0".
2) The second layer of encryption is PFS. All game data (images, textures, executables, etc) are encrypted with PFS. PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.
3) Now, the showstopper. Game executable files (eboot.self, *.suprx, etc) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for sony.

Basically #1 can be bypassed through Blackfin or HENkaku's FS access. #2 was bypassed by mr.gas and Major_Tom's pfs mounting trick. And we are waiting for #3 to be bypassed before the floodgates of piracy open.

Thank you yifan_lu, I've been looking for exactly this.

Though the .rif file reminds me of reactPSN, which I think can break the last line of defense on PS3.
 

yifan_lu
Member
And what is it that ebootSegs does? Looking at the source code you just tell the kernel to load an encrypted self?
Does the PSV have some sort of hardware crypto engine like KIRK or the SPUs which you can ask to decrypt stuff?

Ebootsegs does not work with npdrm selfs. System selfs are encrypted differently.

Thank you yifan_lu, I've been looking for exactly this.

Though the .rif file reminds me of reactPSN, which I think can break the last line of defense on PS3.

You need to patch npdrm in kernel to load these hacked rifs.
 
