Yifan Lu releases psvimgtools, a Vita Backup Decrypter

image.jpg

The Playstation Vita's Content Manager Assistant allows you to backup games, saves and settings to your PC, encrypted with an AES256 key, which means that you can't do that much with them. While the hackers xyz and proxima were reportedly busy researching the F00D processor of the Vita, they discovered a trick that lets you practically obtain this secret key. With the AES256 key in one's possession, it's it now possible to decrypt Vita CMA Backups, even those from an unhackable firmware (3.63 etc.) although a hackable 3.60 Vita is always required.
Scratch that. Team Molecule member Davee prepared an online converter at this address.

Yifan Lu posted about this process in their blog and released psvimgtools, which consists of a PC tool for Windows, Mac and Linux as well as a companion homebrew application for Henkaku-enabled PS Vita systems. Yifan Lu summarized the possibilities that this provides as follows:

Hacking backups isn’t as fun as having a hacked system. So, don’t update from 3.60 if you have it! You cannot run unsigned code with this, so you are only limited to tricks that can be done on the registry, app.db, and other places. This includes:

- Enabling almost any games to run on the PSTV
- Swap X/O buttons for out-of-region consoles
- Run PSP homebrew with custom bubbles
- and maybe more as people make new discoveries

As a bonus, Yifan Lu claimed that because how Sony implements CMA backups and this trick relying on a hardware vulnerability, it is pretty much impossible to patch in future system updates. If Sony nonetheless decides to fix this, they would break compatibility of all CMA backups created to date, which even Sony is unlikely to pull off.

For more information on how this works, head to the source for Yifan Lu's blog post.

:arrow: Get psvimgtools on Github
:arrow: Source
:arrow: Yifan Lu's Twitter
 
Last edited by WiiUBricker,

Molina

My title? It's gone,... like the last fuck I gave.
Member
Joined
May 14, 2016
Messages
230
Trophies
0
Age
26
XP
178
Country
France
Dunno about UK though.
Do you see me with a UK flag? I had it changed, maybe a bug cause you to see me with a UK one.

I'm in a special place in France where I get taxed even more than other french department. So for me it will be a little more.
I hesitate on game on the go with a PsVita or couchgaming with a PsTv.
 

WiiUBricker

News Police
OP
Banned
Joined
Sep 19, 2009
Messages
7,828
Trophies
0
Location
Espresso
XP
7,409
Country
Argentina
This is how you brute-force your key:

Code:
D:\psvimgtools-0.1-win64>psvimg-keyfind 3 partials.bin
Found 0/8 words, current knowledge:
  ****************************************************************
dispatching 3 jobs with 0x55555555 tries per job.

 69% [==================================                ] (left: 0x4dc445d3)
Found 1/8 words, current knowledge:
  2BBA8792********************************************************
dispatching 3 jobs with 0x55555555 tries per job.

 23% [===========                                       ] (left: 0xc3438a8d)
Found 2/8 words, current knowledge:
  2BBA879271758459************************************************
dispatching 3 jobs with 0x55555555 tries per job.

 18% [=========                                         ] (left: 0xcf75b947)
Found 3/8 words, current knowledge:
  2BBA879271758459B7467D64****************************************
dispatching 3 jobs with 0x55555555 tries per job.

It takes a while, but it will get the job done. I will see how decrypted save files look like and if they are easy to edit.

Edit: Alright. Here is the content of my extracted save file. Some .bin, .db and .icv files. Still giberish to me. Maybe someone else can figure it out or better yet, create a save file editing tool for popular games.

psvsave.png
 
Last edited by WiiUBricker,
  • Like
Reactions: Deleted User
D

Deleted User

Guest
Sweet new tool; massive props to Yifan lu for finally cracking the Vita's CMA backup crypto!

Shame about the backed-up files still having PFS encryption, though I'm almost positive that will be cracked pretty soon as well. Nothing can really be done with PFS-encrypted files, apart from install them using the really old method introduced by Mr.Gas, so it makes sense that cracking PFS next will make this an even bigger deal!
 
Last edited by ,

WiiUBricker

News Police
OP
Banned
Joined
Sep 19, 2009
Messages
7,828
Trophies
0
Location
Espresso
XP
7,409
Country
Argentina
Sweet new tool; massive props to Yifan lu for finally cracking the Vita's CMA backup crypto!

Shame about the backed-up files still having PFS encryption, though I'm almost positive that will be cracked pretty soon as well. Nothing can really be done with PFS-encrypted files, apart from install them using the really old method introduced by Mr.Gas, so it makes sense that cracking PFS next will make this an even bigger deal!
Interesting. That's the first time I hear about PFS encryption. Do all Vita games use it?
 
D

Deleted User

Guest
Interesting. That's the first time I hear about PFS encryption. Do all Vita games use it?
Pretty much, yes. When you launch a legit purchased/downloaded game (or installed via PKG Installer), any files listed in /sce_pfs/files.db (which are pretty much almost all of the files in the game's filesystem) are decrypted by the system and mounted as the app0: partition. After that, the game will begin to run.

It's one of the main reasons you have to run the party app (as the manual app) before dumping a game in Vitamin/MaiDump, as the manual app also has the ability to decrypt the PFS in every file of the game's filesystem.

The PFS EncKey and Secret Key have been out in the wild for a while now, so I'm not really sure if the decryption method is just waiting to be developed now, or whether there are other things needed to decrypt them properly still...
 
Last edited by ,

WiiUBricker

News Police
OP
Banned
Joined
Sep 19, 2009
Messages
7,828
Trophies
0
Location
Espresso
XP
7,409
Country
Argentina
I don't get it, how could this works on 3.63 vita?
Is the key the same for all the ps vita?
You can give me your CMA backup and your AID and I will brute-force your key, decrypt your backup, make changes you want, re-encrypt it and send it back to you. Then you just need to import it via CMA. That's the general idea of how this works if you don't have a 3.60 Vita.

Edit: Actually you just need to give me your AID. I can then send you your partials.bin file that you can use yourself to brute-force your key and do the changes you need yourself.
 
Last edited by WiiUBricker,

Jhyrachy

Well-Known Member
Member
Joined
Jul 25, 2011
Messages
256
Trophies
0
XP
844
Country
Italy
You can give me your CMA backup and your AID and I will brute-force your key, decrypt your backup, make changes you want, re-encrypt it and send it back to you. Then you just need to import it via CMA. That's the general idea of how this works if you don't have a 3.60 Vita.
oh, i tought the crack happened on the ps vita side!

So what's the 'dump_partials.vpk' for?
 

WiiUBricker

News Police
OP
Banned
Joined
Sep 19, 2009
Messages
7,828
Trophies
0
Location
Espresso
XP
7,409
Country
Argentina
oh, i tought the crack happened on the ps vita side!

So what's the 'dump_partials.vpk' for?
It's described in the linked blog post.

I wrote a tool to do this brute force for you. It is not hyper-optimized but is portable and can find any key on a modern computer in about ten minutes. I have provided a Vita homebrew that generates the chosen ciphertexts on any HENkaku enabled Vita. These “partials”, as I call it, can be passed to psvimg-keyfind to retrieve a backup key for any PSN AID. The AID is not console unique but is tied to your PSN account. This is the hex sequence you see in your CMA backup path. The idea is that if you have a non-hackable Vita, you can easily send your AID to a friend (or stranger) who can generate the partials for you. You can then use psvimg-keyfind to find your backup key and use it to modify settings on your non-hackable Vita. Huge thanks to Proxima for the reference implementation that this is based off of.
 
  • Like
Reactions: Jhyrachy

Jhyrachy

Well-Known Member
Member
Joined
Jul 25, 2011
Messages
256
Trophies
0
XP
844
Country
Italy
thanks a lot!

So it's: generate partial.bin on the ps vita using the AID, copy them to the pc (using ftp?) and then crack them using psvimg-keyfind.exe right?
 
D

Deleted User

Guest
Woah WiiUBricker. Your more active then some of the reporters here lmao. You should probably be one

And this is nice. Don't own a ps anything but this is neat
 
  • Like
Reactions: Imacaredformy2ds

WiiUBricker

News Police
OP
Banned
Joined
Sep 19, 2009
Messages
7,828
Trophies
0
Location
Espresso
XP
7,409
Country
Argentina
thanks a lot!

So it's: generate partial.bin on the ps vita using the AID, copy them to the pc (using ftp?) and then crack them using psvimg-keyfind.exe right?
I have edited my post above. You actually just need to provide me or a person with a hacked 3.60 Vita your AID. Then I can use your AID with the homebrew app to generate a partials.bin that you can use to brute-force your own key and decrypt and re-encrypt your backup yourself.

So basically if you're on a non-hackable Vita, the only outside help you actually need is to generate those partials files, the rest can be done on your PC.
Yes.
 
Last edited by WiiUBricker,
D

Deleted User

Guest
Did anybody get the psvimg creation tool working yet? I'm not really having much luck with this myself for some strange reason...

C:\Users\Owner\Downloads\PSVita_2\psvimgtools-0.1-win64>psvimg-create -n app -K *insert key* ux0_temp_game_PCSI00009_app_PCSI00009 .
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/bridge_prx.suprx because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/eboot.bin because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/managed because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/module because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/mono_prx.suprx because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/resource because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/sce_module because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/sce_pfs because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/sce_sys because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/UnityDevelopmentPlayer.self because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/UnityReleasePlayer.self because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/VITA_PATH.TXT because it is not a directory!
created ./app.psvimg (size: 20, content size: 0)
created ./app.psvmd


The "ux0_temp_game_PCSI00009_app_PCSI00009" contains all my extracted files.
But I can't understand for the life of me why VITA_PATH.TXT isn't being found, and when it does end up being found (see bottom of the log), it says it's "not a directory"... :blink:

I was looking at the readme, however nothing was really making a lick of sense to me:

The pack input directory should follow the same format as the output of psvimg-extract. This means a separate directory for each backup set (there may only be one set, in which your input directory will contain one subdirectory) each with a VITA_PATH.TXT file specifying the Vita path and optionally a VITA_DATA.BIN file if the set is a file.



I have tried many different input folders, such as "ux0/temp/game/PCSI00009/app/PCSI00009", removing the 'ux0' part from the path, and even just "PCSI0009", but I just get the same old output...

Any ideas as to how I can get this actually working? I sure hope this isn't a bug, and it's just my stupidity... :unsure:
 

WiiUBricker

News Police
OP
Banned
Joined
Sep 19, 2009
Messages
7,828
Trophies
0
Location
Espresso
XP
7,409
Country
Argentina
Did anybody get the psvimg creation tool working yet? I'm not really having much luck with this myself for some strange reason...

C:\Users\Owner\Downloads\PSVita_2\psvimgtools-0.1-win64>psvimg-create -n app -K *insert key* ux0_temp_game_PCSI00009_app_PCSI00009 .
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/bridge_prx.suprx because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/eboot.bin because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/managed because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/module because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/mono_prx.suprx because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/resource because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/sce_module because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/sce_pfs because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/sce_sys because VITA_PATH.TXT is not found!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/UnityDevelopmentPlayer.self because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/UnityReleasePlayer.self because it is not a directory!
WARNING: skipping ux0_temp_game_PCSI00009_app_PCSI00009/VITA_PATH.TXT because it is not a directory!
created ./app.psvimg (size: 20, content size: 0)
created ./app.psvmd


The "ux0_temp_game_PCSI00009_app_PCSI00009" contains all my extracted files.
But I can't understand for the life of me why VITA_PATH.TXT isn't being found, and when it does end up being found (see bottom of the log), it says it's "not a directory"... :blink:

I was looking at the readme, however nothing was really making a lick of sense to me:

The pack input directory should follow the same format as the output of psvimg-extract. This means a separate directory for each backup set (there may only be one set, in which your input directory will contain one subdirectory) each with a VITA_PATH.TXT file specifying the Vita path and optionally a VITA_DATA.BIN file if the set is a file.



I have tried many different input folders, such as "ux0/temp/game/PCSI00009/app/PCSI00009", removing the 'ux0' part from the path, and even just "PCSI0009", but I just get the same old output...

Any ideas as to how I can get this actually working? I sure hope this isn't a bug, and it's just my stupidity... :unsure:
Just letting you know I have the the exact same problem. Maybe @yifan_lu can help?
 
General chit-chat
Help Users
    Veho @ Veho: No, sci fi authors are just huge pervs.