Join Us and become a Member for a Verified Badge on Discord to access private areas with the latest PS4 PKGs.
PS4 Jailbreaking       Thread starter PSXHAX       Start date Mar 10, 2018 at 1:25 AM       19,201       18      
Status
Not open for further replies.
Since the PS4 EBOOT / ELF FW Patcher Barthen Method and recent Free PS4 SaveData Decrypting Tools in development, CarlosCorcoles (aka Barthen) let us know on Twitter that he's added some information about keystone files to the PS4 developer wiki today! :ninja:

:arrow: Add Keystone GUI for PS4 FPKG Files by RoosterTeethForLife

To quote from the PSDevWiki page: Keystone

This file is generated on app package generation based on the passcode provided. It is then included in every savegame created by the app. It is used to prevent apps from mounting savedata of other apps, as you need to know at least the fingerprint to do it.

Passcode

The passcode is a 32 character string used on package generation to create the keystone file.

Structure

Size is always 96 (0x60) bytes for both PS4 and PSVita.

Offset Size Description Example
0x0 0x20 MAGIC ("keystone") and some constant bytes 6b 65 79 73 74 6f 6e 65 02 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20 0x20 HMAC-SHA256 (32 bytes) of the bytes of the passcode using keystone_passcode_secret as key -
0x40 0x20 HMAC-SHA256 (32 bytes) of the previous two sections using keystone_ks_secret as key -
Sample keystone file generation

CSharp

Code:
public static byte [] GenerateKeystoneFile (string passcode)
{
   // 1. The first 32 bytes are constant
   byte[] keystone = {
       0x6B, 0x65, 0x79, 0x73, 0x74, 0x6F, 0x6E, 0x65, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
   };

   // 2. Convert the 32 characters of the passcode to a byte array
   byte[] passcodeInHEX = Encoding.ASCII.GetBytes(passcode);

   // 3. Calculate the fingerprint of the passcode
   HMACSHA256 hmac = new HMACSHA256();
   hmac.Key = keystone_passcode_secret;

   byte[] fingerprint = hmac.ComputeHash(passcodeInHEX);

   // 4. Concat the 32 bytes from point 1 and the 32 bytes from point 3
   keystone = keystone.Concat(fingerprint).ToArray();

   // 5. Calculate the SHA256Hmac of the 64 bytes from point 4
   hmac.Key = keystone_ks_secret;
   byte[] sha256hmac = hmac.ComputeHash(keystone);

   // 6. Concat the constant bytes from point 1, the fingerprint from point 3 and the hmac from point 5
   keystone = keystone.Concat(sha256hmac).ToArray();


   return keystone;

}
Sample keystone file

Sample keystone file created when provided a passcode consisting of all zeros "00000000000000000000000000000000":
Code:
The first 32 are constant:
00000000  6b 65 79 73 74 6f 6e 65  02 00 01 00 00 00 00 00  |keystone........|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
Fingerprint of the passcode:
00000020  29 4a 5e d0 6d b1 70 61  8f 2e ed 8c 42 4b 9d 82  |)J^.m.pa....BK..|
00000030  88 79 c0 80 cc 66 fb c4  86 4f 69 e9 74 de b8 56  |.y...f...Oi.t..V|
SHA256Hmac of the first 64 bytes of the file:
00000040  fa 0d 0c 2e bd 6a 00 80  63 71 3d e8 81 0d 7e 10  |.....j..cq=...~.|
00000050  b7 32 14 3b 91 cd 2e 4f  ea 2d 20 53 10 6e b7 5d  |.2.;...O.- S.n.]|
Documented UserModules KeySet Changes on DevWiki for those interested!
PlayStation 4 Keystone File Details on PS4 Dev Wiki by Barthen.jpg
 

Comments

uaegangster111

Senior Member
Contributor
Verified
That means when i upgrade to a ps4 pro i can retain my saves right? by repacking and reinstalling the fpkg game ?
 

73n1x69

Senior Member
Contributor
Verified
A patched version of fake pkg creator and the legit keystone are needed.
Having those, you or the releaser can pack the fpkg with the original keystone, so that the saves will be compatible :cool:
 

trcown

Senior Member
Contributor
Verified
It seems that it might be possible to also repackage official updates this way. (y)

The firmware limitation would still stand.
 

TLH1337

Member
Contributor
Verified
I wonder about the internal keystone generation func ... hooking that would allow to read the Passcode since its a basic for calcing hashes....
 

sillybunnie

Member
Contributor
Verified
@XVortex would it be possible to make a payload for a keystone only dumper? that way for those of us that would like to dump our original keystone we don't need to wait for it to dump the whole game if we already have the fakepkg, thanks!
 
Status
Not open for further replies.

:fire: Latest Help Topics

Top