Following the release of Henkaku and some PS Vita VPKs, today PlayStation Vita developer Major_Tom revealed on Pastebin.com PS Vita DLC, cartridge / digital games and savedata decryption guides for Firmware 3.60 alongside the first PS Vita game mod PoC demo video with PS Vita Decrypted Saves now being shared on PSVitaSaves.tk.
For those unfamiliar with Tomtomdu80 and Mr.gas's past PlayStation Vita hacking and homebrew developments, some highlights can be seen below:
I'll be referring to mr.gas' old trick for bypassing pfs protection on old fw. Old instructions :
"most of the work are going to be in app.db
1- add a value in table tbl_uri like the following
NPXS10000;1;ux0;
2- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
3- overwrite the modified app.db using email app and reboot
4- now use the browser to call the new uri with your target game . example :
ux0:app/PCSA00017
apparently near app will open the game manual.
5- minimize near then dump the game using the psp pboot trick and QCMA (while the near app still open)
6- end of th story .. and have fun.
tested in fw 3.18 and above"
Make these modifications in app.db before following this guide. If you want to decrypt cartridges as well, you can also add "NPXS10000;1;gro0;" at step 1.
PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60
It has been reported many times that mr.gas' trick to dump unencrypted files from ux0:app was patched in 3.60, but it's not actually exact.
What has been patched is the PBOOT.PBP dumper trick. MolecularShell can't access other applications files, that is why applying mr.gas' trick doesn't seem to work on 3.60.
So, how to do it again ? Well, we'll be taking advantage of how the vita handles game updates.
Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].
Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.
Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).
Now, using mr.gas' old trick, open the URI "ux0:app/[TITLEID]" (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.
Run the game you want to decrypt, MolecularShell will boot instead. You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).
You can also access the following locations, where you can find unencrypted files :
Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.
So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].
Put the modded files, unencrypted, in ux0:winkytongue:atch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).
Make sure you're not using mr.gas trick here, or the directory won't be writable. Also use the original MolecularShell, you must not be running the game at this point.
Don't put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.
Wait, if we hijack the patch directory from our game, doesn't it mean the updates won't be installed anymore ?
Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.
Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ASS, so I won't explain how to do it here. I managed to do it, if no one figures it out, I'll eventually explain it later.
Also below is PS Vita SaveMgr by d3m3vilurr to dump & restore decrypted savefiles, as follows from the README.md file:
Download: savemgr.vpk / GIT
Configure
If you want to use another dump directory format, make simple config.ini file into ux0:data/savemgr
slot_format=%s_SLOT%d
Default config like this; it will save to ux0:data/savegames/PCSH00000/SLOT0
base=/data/savegames
slot_format=%s/SLOT%d
Development
Need VitaShell's modules; install kernel and user and copy kernel.skprx and user.suprx into sce_sys then you can build vpk.
mkdir build
cd build && cmake -GNinja .. && ninja`
License
GPLv3
Credits
Project use these project's codes.
For those unfamiliar with Tomtomdu80 and Mr.gas's past PlayStation Vita hacking and homebrew developments, some highlights can be seen below:
- Dumping Games from PS Vita Cartridges
- PlayStation Vita Memory Cards Dumped
- PSPEMU LiveArea Homebrew on PS Vita
- Running Unplayable PS Vita Games on PlayStation TV (PSTV)
- Installing PSM Dev Assistant for Unity on PS Vita
- PSTV Hacked to Launch Games on PlayStation TV
I'll be referring to mr.gas' old trick for bypassing pfs protection on old fw. Old instructions :
"most of the work are going to be in app.db
1- add a value in table tbl_uri like the following
NPXS10000;1;ux0;
2- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
3- overwrite the modified app.db using email app and reboot
4- now use the browser to call the new uri with your target game . example :
ux0:app/PCSA00017
apparently near app will open the game manual.
5- minimize near then dump the game using the psp pboot trick and QCMA (while the near app still open)
6- end of th story .. and have fun.
tested in fw 3.18 and above"
Make these modifications in app.db before following this guide. If you want to decrypt cartridges as well, you can also add "NPXS10000;1;gro0;" at step 1.
PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60
It has been reported many times that mr.gas' trick to dump unencrypted files from ux0:app was patched in 3.60, but it's not actually exact.
What has been patched is the PBOOT.PBP dumper trick. MolecularShell can't access other applications files, that is why applying mr.gas' trick doesn't seem to work on 3.60.
So, how to do it again ? Well, we'll be taking advantage of how the vita handles game updates.
Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].
Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.
Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).
Now, using mr.gas' old trick, open the URI "ux0:app/[TITLEID]" (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.
Run the game you want to decrypt, MolecularShell will boot instead. You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).
You can also access the following locations, where you can find unencrypted files :
- app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
- addcont0: (DLC Content)
- savedata0: (That's where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.
So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].
Put the modded files, unencrypted, in ux0:winkytongue:atch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).
Make sure you're not using mr.gas trick here, or the directory won't be writable. Also use the original MolecularShell, you must not be running the game at this point.
Don't put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.
Wait, if we hijack the patch directory from our game, doesn't it mean the updates won't be installed anymore ?
Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.
Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ASS, so I won't explain how to do it here. I managed to do it, if no one figures it out, I'll eventually explain it later.
Also below is PS Vita SaveMgr by d3m3vilurr to dump & restore decrypted savefiles, as follows from the README.md file:
Download: savemgr.vpk / GIT
Configure
If you want to use another dump directory format, make simple config.ini file into ux0:data/savemgr
- use ux0:data/savegames/PCSH00000_SLOT0
slot_format=%s_SLOT%d
Default config like this; it will save to ux0:data/savegames/PCSH00000/SLOT0
base=/data/savegames
slot_format=%s/SLOT%d
Development
Need VitaShell's modules; install kernel and user and copy kernel.skprx and user.suprx into sce_sys then you can build vpk.
mkdir build
cd build && cmake -GNinja .. && ninja`
License
GPLv3
Credits
Project use these project's codes.
