Hacking: Apparently, somebody Decrypted a PKG

  • Thread starter: Deleted-394630
  • Views: 34,619
  • Replies: 130
We definitely need to sit tight, but where did the guy go?

I feel like the best proof would be (other than releasing the tool, of course) to decrypt a Sony game.
 
Poor vita... Piracy... Sony has already abandoned it. Noo Exclusive games... No AAA GAMES ://

Nothing personal... But people need to stop this "Pity over piracy" sh*t. Why even bother hanging around here with this kind of attitude?
 
Why are people having trouble with saves? It works just fine on my vita.

And like others I'm more towards it being a real dump rather than a devkit.
I mean ppl are saying stuff like "oh you have to unzip files into the vita, obvs a devkit rip", but that was the case for most PS3 dumps as well (depending on where you got it/how it was packaged) and those were all real dumps and not devkit leaks. (I also don't see how a zip file = devkit, not sure if I'm missing something there)

Also, I've not tested the adventure time game, but I imagine if it has no DRM then it would boot on the vita without having to first install henkaku right? (after the reboot I mean)

This new leak doesn't run without henkaku enabled, is that the case for adventure time or not?
 
Last edited by Rasa39
Why are people having trouble with saves? It works just fine on my vita.

I mean ppl are saying stuff like "oh you have to unzip files into the vita, obvs a devkit rip", but that was the case for most PS3 dumps as well (depending on where you got it/how it was packaged) and those were all real dumps and not devkit leaks. (I also don't see how a zip file = devkit, not sure if I'm missing something there)

It's not just that, here's what yifan_lu said about it:
"I said this elsewhere, but in these situations, when we don't have complete information, it is best to apply Occam's razor. Right now we have an eboot.bin that looks exactly like a debug build. Now one explanation (the one people want to believe) is that an unknown individual found a previously unknown means of decrypting a retail eboot, and then managed to obtain/generate the right metadata, then in order to hide their tracks, modified the eboot to look exactly like the output of a debug build (there are many tell-tale signs in the binary that show the difference between a decrypted retail eboot and a debug eboot). All this effort done in secrecy and without the help (as far as we know) of any of the known figures in the scene.

Or... some enterprising individual with access to the files working at some company decides to leak them (for fame? for lulz?) and claims it is decrypted retail to throw off the scent of any upper management who decides to investigate."

Why would someone who's claiming he has a way to dump games that he's going to release go through the trouble of disguising the first "example" dump?
 
Zipping has nothing to do with devkit or not, but the fact that the meta-information can still be found in the eboot.bin means someone has the ability to decrypt the eboot and then regenerate the meta-information. That is not an easy feat and requires deep knowledge of the SELF format.
 
Why are people having trouble with saves? It works just fine on my vita.

And like others I'm more towards it being a real dump rather than a devkit.
I mean ppl are saying stuff like "oh you have to unzip files into the vita, obvs a devkit rip", but that was the case for most PS3 dumps as well (depending on where you got it/how it was packaged) and those were all real dumps and not devkit leaks. (I also don't see how a zip file = devkit, not sure if I'm missing something there)

Also, I've not tested the adventure time game, but I imagine if it has no DRM then it would boot on the vita without having to first install henkaku right? (after the reboot I mean)

This new leak doesn't run without henkaku enabled, is that the case for adventure time or not?
The only reason we had to put the files manually on the vita is because the homebrew tools wouldn't handle a vpk that big :)
I don't think adventure time would run without henkaku, just like any custom or developer content.
 
Last edited by cearp
Back to the point of a decrypted game,
http://wololo.net/talk/viewtopic.php?f=65&t=45348

What makes this method by Mr.Gas different from the Xanado release?
Is this pfs protection the DRM that prevents games from loading on Henkaku?

Yes, I'm a noob. Pls help me connect the dots.

Basically, this lets us dump the game files in order for them to be readable; this doesn't mean it's runnable.

Maybe, if we can make the Vita expect decrypted data, playing those dumps would be possible... but we probably need a CFW for that.
 
Back to the point of a decrypted game,
http://wololo.net/talk/viewtopic.php?f=65&t=45348

What makes this method by Mr.Gas different from the Xanado release?
Is this pfs protection the DRM that prevents games from loading on Henkaku?

Yes, I'm a noob. Pls help me connect the dots.
So the vita has many layers of encryption. Let's look at a game cart and digital game:
1a) The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the vita, that layer is decrypted before the vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.
1b) Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by Sony. Package Installer can get past this encryption (and it does for DRM-free packages). For other packages, Package Installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0".
2) The second layer of encryption is PFS. All game data (images, textures, executables, etc) are encrypted with PFS. The PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with Sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.
3) Now, the showstopper. Game executable files (eboot.self, *.suprx, etc) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for Sony.

Basically #1 can be bypassed through Blackfin or HENkaku's FS access. #2 was bypassed by mr.gas and Major_Tom's pfs mounting trick. And we are waiting for #3 to be bypassed before the floodgates of piracy open.
 
Basically, this lets us dump the game files in order for them to be readable; this doesn't mean it's runnable.

Maybe, if we can make the Vita expect decrypted data, playing those dumps would be possible... but we probably need a CFW for that.

Ok, how about the new dump method with molecularshell, where the near app decrypts the game and we can modify everything related to the game? Can we swap all the game files with the decrypted dump?
 
Yes, that's what I mean in #2. That's mr.gas & major_tom's method.

And what is it that ebootSegs does? Looking at the source code, you just tell the kernel to load an encrypted self?
Does the PSV have some sort of hardware crypto engine like KIRK or the SPUs which you can ask to decrypt stuff?
 
So the vita has many layers of encryption. Let's look at a game cart and digital game:
1a) The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the vita, that layer is decrypted before the vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.
1b) Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by Sony. Package Installer can get past this encryption (and it does for DRM-free packages). For other packages, Package Installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0".
2) The second layer of encryption is PFS. All game data (images, textures, executables, etc) are encrypted with PFS. The PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with Sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.
3) Now, the showstopper. Game executable files (eboot.self, *.suprx, etc) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for Sony.

Basically #1 can be bypassed through Blackfin or HENkaku's FS access. #2 was bypassed by mr.gas and Major_Tom's pfs mounting trick. And we are waiting for #3 to be bypassed before the floodgates of piracy open.

Thank you yifan_lu, I've been looking for exactly this.

Though the .rif file reminds me of reactPSN, which I think breaks the last line of defense on PS3.
 
And what is it that ebootSegs does? Looking at the source code, you just tell the kernel to load an encrypted self?
Does the PSV have some sort of hardware crypto engine like KIRK or the SPUs which you can ask to decrypt stuff?

Ebootsegs does not work with npdrm selfs. System selfs are encrypted differently.

Thank you yifan_lu, I've been looking for exactly this.

Though the .rif file reminds me of reactPSN, which I think breaks the last line of defense on PS3.

You need to patch npdrm in kernel to load these hacked rifs.
 