Coldswap | Run FULLY UNENCRYPTED, PLAYABLE games without owning them

Discussion in 'PS Vita - Tutorials' started by xy2_, May 21, 2016.

  1. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    A.K.A how I grew to hate the Vita intro video after re-watching it hundreds of times

    Hello,

    This is the culmination of two tricks, coldswapping (which I discovered recently) and registry hacking to be able to run FULLY ENCRYPTED AND PLAYABLE GAMES from any backup on the Vita. Essentially, a free version of BlackFin but for digital games. Most notably, you will not need the target owner's PSN account for this. Ironically, thanks to other memory card unslaving tricks, you can use this on any firmware and any single Vita after the deed is done, with some limitations.

    I want to give full credit to whoever found the original USB swap trick.

    Also, if you already know the target account's credentials, just game share instead; it's a lot easier than this method.

    The requirements for this are very specific:
    • A Vita on an exploitable firmware that can use MailWriter (3.52 max)
    • QCMA
    • Everything you need to hack a backup
    • The PS3 linked with the corresponding AccountID of the current hacked backup of your Vita (for example, if you hacked a friend's backup, it would be this friend's PS3 that you will need to use for this trick) logged into the correct account
    Explanation

    Vita has a very secure defense system (both card related and digital.) The only way to bypass that system is to think outside the box and fool the Vita.. By hacking a backup, then transferring games from the PS3 linked to that backup, we can effectively install packages unrestricted.

    You can see this method requires a lot to do: you can't just simply hack a backup and get free games; you also need the PS3 that is linked to that account. However, note that you only have to transfer a game once to activate the Vita , and the rest of the backed up games will instantly work. For this guide, the owner of the backup will be referred as the target.

    Hacking the backup

    First, have the target Vita owner pack whatever content you wish to use on his Vita, then have him send you the backup and hack it. You will now have his backup partially restricted.

    Coldswapping, activation, transferring games

    For the initial activation, you will need access to the target owner PS3 logged in into his account (you don't need his account credentials.) If you have the credentials the account, you can just do this on your own PS3 (although this pretty much removes all the purpose of it, and you should share accounts instead.)

    If you have hacked the backup right, you should be able to connect to a computer via
    QCMA.

    From there on, you have two options: either use the original USB swap trick (to do so, connect to the PC, unplug the Vita without saying OK on the error message, then connect it again, press OK and select PS3 > USB), or a coldswap.

    Follow this guide to execute a coldswap, while making sure the PS3 is logged in the target account, else you won't be able to transfer packages. Coldswapping has a tricky timing: press the PS button once the second "Please Wait" message (the one in a smaller box) is fully faded in.

    Once you have coldswapped or USB swap trick-ed, you will now be in the PC interface for CM, but with the PS3 client in the case of a coldswap, or simply in the PS3 interface if USB swapped. Select "Copy Content PC => Vita", then select "Applications", and you will be booted into the PS3 CM.

    The hard part is done. Now simply transfer content that the target account owns (make sure he owns the content, or you will get the usual nag message) and the Vita will be activated, on a hacked backup that you don't own, with games that you don't own. After the initial activation, the rest of the stored games on the backup will also be activated and fully unencrypted.

    Getting new content

    To get new content, proceed as you would transferring content from a PS3, except that you will have to coldswap and use the target's PS3 each time for each game, and he must own the game.

    Alternatively, you can use a PC, recieve/download one of the target's games as a CM backup, then simply transfer it using QCMA.

    Transferring an hacked backup to another Vita

    Follow this guide to unslave the memory card, allowing you to use it on any Vita for one use. Note that if you put it on a 3.52+ Vita, you will be unable to go back and unslave it again!
     
    Last edited by xy2_, May 25, 2016
    KiiWii, al3x_10m and Wolfvak like this.


  2. yifan_lu

    yifan_lu @yifanlu

    Member
    642
    1,325
    Apr 28, 2007
    United States
    Umm, how is this different from me activating my Vita on my friend's PSN account and just downloading the games? It's a lot easier
    1. Download wanted games on PS3 via PSN (they become bubbles on the PS3)
    2. Connect Vita to PS3 and open CMA. It automatically gets activated (if you already have two Vitas on your account, use email trick to backup activation, then deactivate, then copy the activation back).
    3. Copy any of the downloaded game over
     
    Voxel likes this.
  3. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    You don't need to have the PSN account credentials for this; that's the only advantage over game sharing, and a pretty significant one. I agree this method is a lot harder, though.
     
    Last edited by xy2_, May 22, 2016
  4. Voxel

    Voxel Clumsy Coder

    Member
    GBAtemp Patron
    Voxel is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    5,158
    5,801
    Jun 27, 2015
    United Kingdom
    England, UK
    So you still essentially have to get the login details of your friend?
     
  5. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    No; the target PS3 only needs to be logged in beforehand, and you don't have to know their login to be able to activate. Sorry if this is a little unclear in this part.
     
  6. Voxel

    Voxel Clumsy Coder

    Member
    GBAtemp Patron
    Voxel is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    5,158
    5,801
    Jun 27, 2015
    United Kingdom
    England, UK
    No, no, it's completely fine! :)

    You did a good job of this tutorial!
     
  7. Spore2

    Spore2 GBAtemp Regular

    Member
    193
    50
    Jan 12, 2016
    can someone do a video?
     
  8. anthony001

    anthony001 GBAtemp Regular

    Member
    299
    5
    Oct 19, 2007
    can you explain further the unslave and slave?
     
  9. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    Usually, after inserting the memory card in the Vita, that same memory card will be only usable on that same Vita, or on other Vitas that share the same account that the card was inserted in; basically enslaving the card to a specific account, and rendering it unusable on other accounts. This is tracked by a specific file in the memory card: id.dat.

    By simply clearing id.dat, it is possible to unslave the memory card and use it on any Vita this way.
     
  10. SirByte

    SirByte GBAtemp Fan

    Member
    494
    191
    Dec 30, 2012
    Canada
    Progress! Great job and great to see things still happening on the VITA. While this is still very limited (*) in scope, it may direct some attention back to VITA.

    (*) the complete obliteration of PSP security probably led to some "direct order" from the highest levels within Sony that this was not to be repeated, giving rise to the insane amount of security in the VITA system; anything very limited is still a major accomplishment. Remember the edited version of Lumines that people could play off their included 32MB Memorystick Duo albeit without sound? We're still not at that level as you require the targets PS3.
     
  11. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    Thanks for the support. I agree that this is extremely limited, in fact doing anything at all with the game related to transfer (with some registry editing) will usually cause you to trigger one of several failsafes put in in the exact case this scenario happened (Sony thought of everything..)

    One very amusing failsafe that I got was this one, when managing to fully transfer over the game apparently unencrypted: (C0-9254-0)

    [​IMG]

     
    Last edited by xy2_, May 22, 2016
    SirByte likes this.
  12. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    The catch is that you will need the target's PS3 to activate, and you can only use games that are owned by your currrent backup. This means, if you hack someone's backup, you will only be able to use their games and not your games. Currently the only solution to be able to play back your games is either to use another memory card/Vita (while making sure to clear id.dat for each swap) or restore your backup (you will still need the target's PS3 again to activate, though.)

    Fortunately, the initial PS3 activation is one time only. For further content, you can just simply transfer game backups from the original account via QCMA.
     
    Last edited by xy2_, May 24, 2016
  13. SirByte

    SirByte GBAtemp Fan

    Member
    494
    191
    Dec 30, 2012
    Canada
    The 'catch' is that you must know the person with the PS3, who is paying for these games. I wonder if that is some Brazillian store owner, if he/she could put some games on a whole fleet of VITAs, all from the same store-PS3. I guess we now know why Sony has been keeping the memory card prices so insanely high, don't we?
     
    Subtle Demise likes this.
  14. Cinnamon

    Cinnamon GBAtemp Regular

    Member
    257
    69
    May 2, 2014
    Norway
    Very interesting, so this overwrites the activation of your own account with that of the target's?
    Just wondering, does the activation show up under activated systems on PSN on target's account?
     
    Last edited by Cinnamon, May 24, 2016
  15. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    Technically, this doens't overwrite any activation, but rather transfers the entire system backup over with that backup's activation.
    I have no idea if it shows up on activated systems on PSN (didn't check), but it probably would given that we're doing everything as 'legitimate' as it gets.
     
  16. Kourin

    Kourin Touhou Maniac

    Member
    846
    533
    Jan 24, 2016
    Australia
    Ripple Star
    Semi-related, but if I went out and bought a Vita right now what FW would it likely be on? Been meaning to get one for awhile for I want one at an exploitable firmware.
     
  17. xy2_
    OP

    xy2_ GBAtemp Regular

    Member
    256
    144
    Feb 4, 2016
    France
    It's a dice roll; usually most of them are on latest firmware.
    I would recommend buying from this seller, it's your best bet (he specifies firmwares) and also where I got my Vita from.
     
    Kourin likes this.
  18. Kourin

    Kourin Touhou Maniac

    Member
    846
    533
    Jan 24, 2016
    Australia
    Ripple Star
    Thanks a bunch! this guy looks really good.
     
  19. darksun77
    This message by darksun77 has been removed from public view by raulpica, Jul 18, 2016, Reason: Spam -rp.
    Jul 17, 2016
  20. oxenh

    oxenh The most unknown member of GBAtemp

    Member
    273
    39
    Sep 1, 2008
    Cote d'Ivoire
    Is any way to use this trick with a psvita 3.60 and henkaku?
     
  21. Voxel

    Voxel Clumsy Coder

    Member
    GBAtemp Patron
    Voxel is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    5,158
    5,801
    Jun 27, 2015
    United Kingdom
    England, UK
    I would assume yes, since molecularShell can be used to FTP over files to parts of the Vita that the mailwriter could also write to.
    If I am missing any other information, xy2_ will fill you in on it.