Tutorial
Updated
How to dump PSVita Games
Thanks to Mr. Gas for the help getting this set up.
For awhile now, it's been public knowledge that you can dump files from the PS Vita.
However, there's a catch. Every file you dump from a game is (USUALLY) protected by PFS protection.
There's now a clever way to bypass that encryption though-- and I'm gonna show you how.
This means getting ROM dumps of Vita games, actually being able to view and download
the contents for your own use.
NOTE: This does NOT enable piracy or emulation of PSVita games.
The eboot.bin is encrypted with a form OTHER than pfs which can't be bypassed so easily.
For now, this tutorial is good for ripping assets such as models, music, and graphics
FROM PSVITA GAMES.
Before we get started, here's a few requirements.
- First of all, you need to be on a firmware BELOW 3.55.
They patched the email trick that makes database editing possible. - You'll need some form of PSP homebrew capabilities on your Vita.
- And probably a memory card larger than 8 GB (otherwise good luck...)
- Also, the game you need to dump NEEDS to be digital.
If you only have a physical copy, there's a very convoluted way to install it
as a digital game. Here's a link:
http://wololo.net/talk/viewtopic.php?p=402472
Either way it needs to be fully installed on your memory card.
You might be thinking, if I can't update, how do I get the game digitally?
You really can't get on PSN with your Vita without updating it.
The short answer is, you need a PS3 console.
Borrow one from your friend for awhile if you don't have one.
It needs to be on the same PSN account that you registered your Vita to.
Buy the game on the online store from your computer, and log into PSN
on the PS3. You can download the game from there and then transfer it to your
Vita, where it will be installed without even connecting to the internet.
You might get pesky Update prompts trying to use the content manager, though.
A way to get around that is to first switch your Vita into airplane mode, then reboot.
It's also a good idea to replace the content manager assistant on your computer
with the open source alternative qCMA, which doesn't require an internet connection
or the latest firmware to operate.
--- DUMPING ---
I suggest you make an email account specifically for this process, because it'll
get messy in your inbox real quick. Trust me...
Set up your new email on the Vita.
Then on the computer, send yourself this mail.db file.
The name of the file has to be exactly THIS:
\..\..\..\email\message\mail.db
Since you can't do this from gmail, do it from Mozilla thunderbird.
then on the Vita, open it.
It should say that you can't view the image. Do NOT ever click okay on the errors,
just close the app or you'll have to start over from this step.
This'll wipe the mail database so you have to log in again, but it's
important. Now you can send yourself the app database, which is the key to
this trick.
In your next email, it doesn't matter what the subject line is, but
you NEED to have a link to exactly this address:
email:send?attach=ur0:shell/db/app.db.
On the Vita, when you touch the link, it should open a composition.
Send it to yourself and open it on the PC. This is how you can download
your app database.
The app will then close itself, that means you did it right.
Next, you'll need to install SQLite Browser. It's quick and easy.
Open the database with it and go to tbl_uri. Make a new entry and enter exactly this:
NPXS10000;1;ux0;
Make sure you click write changes before you continue!
Then go to tbl_appinfo look for the one mentioning an eboot path. Replace that with this:
vs0:app/NPXS10027/eboot.bin
Write changes again.
Last step, search for the ID of a PSP game you own. If you don't know the ID, you can find it
by backing up the game or the save to your computer and looking at the folder name.
You can also look up the ID by name in the tbl_appinfo part of the database.
While you're there, also take note of the game you're gonna dump's ID.
This isn't going to be used until later, but it's good to know!
Once you found the PSP game's ID, add a new entry starting with the ID. Then put in this exact sequence of numbers in the next cell:
2454440077
Finally, put exactly this in the third cell:
../../../app
Write changes again.
If you do not have a PSP game, I recommend you get two using the PS3 method.
One for homebrew, and one to execute the dump. You'll see why later.
You can get minis for dirt cheap, as low as $1, and you don't have to keep them or even
play them at all.
Write changes, close the SQL program and rename the file to #0 with no extension.
Send it to yourself and put exactly THIS as the subject:
ur0:shell/db/app.db
You know the drill by now, open it on the Vita, and it should say you can't view
the image. If it says anything else, you did something wrong. Look over your steps
carefully.
I think it's wise at this point to reboot the Vita.
Here's how this is gonna work. Go to your web browser and enter this and the ID of the
game you'll be dumping:
ux0:app/[GAMEID]
If you edited the database correctly, Near should open and the game's manual will appear.
Keep it open, don't close it. Just minimize it and go to your content manager.
This tricks the system into keeping the game's data open AND unencrypted while the content
manager is open, which is normally impossible. Now, when the memory card is dumped, your unencrypted
game content will be in the "app" folder of the PSP emulator.
Remember how earlier we assigned that path to the PSP game you'll use for the dump?
What that tells the content manager is, "go back to the root-- then into the app folder."
That's where it will be searching for content to copy to the PC when you back up your game in the content manager.
Tricky, huh? Just make sure you're in airplane mode (or at least started the system that way)
and that qCMA is already running on your PC. It tends to close itself when you disconnect, so try opening the backup manager window to keep it running.
Then transfer your PSP game to your PC. You'll notice that it's taking a lot longer than normally
for its size, and that's good! That means it's taking your unencrypted Vita game with it.
Of course, the file on your computer is still encrypted like all PSP backups are.
It can never be that easy, can it? Don't be discouraged though! The PSP game is unencrypted
on the way back to the Vita-- and so will your Vita game contents. So transfer it back now.
You might get an error. The error means one of two things.
this one means you didn't succeed to dump the game at all. Some solutions would be to dump
one folder at a time (earlier I suggested you do only the app folder and not the entire root).
Also, try using PSP homebrew to delete the temp folder. Then try again.
The error, as long as it happens near the end, is harmless. It means some files could not
be transferred, but by that it probably means the actual PSP game. Your Vita dump should
be not only intact, but unencrypted!
Now the problem is getting to it. You need to have at least some form of PSP homebrew installed.
I used TN-V11 custom bubbles. ARK and VHBL work too. Either way you need a way to run PSPFiler or VitaFTP.
I'm not going to get into that, there's plenty of excellent tutorials on wololo.net and YouTube if you
need to know how to do it. It's a lot harder on 3.5x firmwares though, so be warned!
Anyway, now just launch your PSPFiler. Locate the apps folder that was generated and copy the files you want
to a PSP savegame folder.
At last you can transfer your save to the PC as saves aren't encrypted in this process.
And here we have it, for the first time ever, actual dumps of PSVita game data!
Hope this helps you guys out!
STEP ONE: INSTALL HENKAKU
https://henkaku.me/
STEP TWO: EDIT THE APP.DB OVER FTP
Hint: If you're dumping a cartridge, ALSO add "NPXS10000;1;gro0;" to the tbl_uri.Mr. Gas said:
Another hint: If you're using a PSTV, which has no Near app, use NPXS10072 (the email app) instead of NPXS10000.
STEP THREE: WITH THE MANUAL OPEN, MOVE MOLECULARSHELL
The reason you can't dump from molecularShell's current location is that it doesn't have the proper permissions to access other apps. That's because it's also in the app folder. An easy way to get around this is to find the molecularShell app folder (MLCL00001), then copy it somewhere on your desktop. Once you've done that, open it. We'll be copying the files inside to the ux0
atch directory.This is where game updates are stored and loaded on boot. If your game already has a patch folder, go inside and either backup or delete the contents. Then, move the contents of the copied molecularShell folder inside. You can probably guess what we're going to do now-- that's right, close molecularShell and open your game. It should open up right to the molecularShell we put in the patch folder. If it didn't, go back and make sure you set it up exactly like I did (see video).
STEP FOUR: DUMP FROM THESE DIRECTORIES
If you overwrite the current path in FTP with /app0: (or one of the other options)Major_Tom said:- app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0
- addcont0: (DLC Content)
- savedata0: (That's where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
you'll be brought to the game data, which you can right click and download. It will download straight to the directory you have set on the left of the FTP window, unencrypted.
You can also access /savedata0: or /addcont0: where your save data and DLC respectively are for this game. You can dump that the same way. Notice how we have access to all these things because we're basically running molecularShell as though it were the game we're dumping. Of course an app would have access to its own savedata, game data, and DLC.
Note: /addcont0: seems to still have a layer of encryption on it. If I figure out what to do about that later, I'll make a guide.
BONUS! STEP FIVE: REPLACING EDITED DATA YOU DUMPED PREVIOUSLY
Now, if you're like me, you want to modify these and use them in-game. Good news is you can do that!
With molecularShell still mounted in the patch directory, I simply just replaced the savedata bin with my modified one. To play the game of course, you have to exit this molecularShell, enter the normal one, and delete the contents of the patch directory again. Now, you can place your modified files here. In this case, the CPK I dumped from Golden.
Also put the sce_sys folder from molecularShell in here, otherwise the game will report that it's been corrupt when you launch it.
Last edited by Shrinefox,
