Henkaku and some PS Vita VPKs, today PlayStation Vita developer Major_Tom revealed on Pastebin.com PS Vita DLC, cartridge / digital games and savedata decryption guides for Firmware 3.60 alongside the first PS Vita game mod PoC demo video.
For those unfamiliar with Tomtomdu80 and Mr.gas's past PlayStation Vita hacking and homebrew developments, some highlights can be seen below:
Finally, from Pastebin to quote: PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60
- Dumping Games from PS Vita Cartridges
- PlayStation Vita Memory Cards Dumped
- PSPEMU LiveArea Homebrew on PS Vita
- Running Unplayable PS Vita Games on PlayStation TV (PSTV)
- Installing PSM Dev Assistant for Unity on PS Vita
- PSTV Hacked to Launch Games on PlayStation TV
I'll be referring to mr.gas' old trick for bypassing pfs protection on old fw. Old instructions :
"most of the work are going to be in app.db
1- add a value in table tbl_uri like the following
2- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
3- overwrite the modified app.db using email app and reboot
4- now use the browser to call the new uri with your target game . example :
apparently near app will open the game manual.
5- minimize near then dump the game using the psp pboot trick and QCMA (while the near app still open)
6- end of th story .. and have fun.
tested in fw 3.18 and above"
Make these modifications in app.db before following this guide. If you want to decrypt cartridges as well, you can also add "NPXS10000;1;gro0;" at step 1.
PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60
It has been reported many times that mr.gas' trick to dump unencrypted files from ux0:app was patched in 3.60, but it's not actually exact.
What has been patched is the PBOOT.PBP dumper trick. MolecularShell can't access other applications files, that is why applying mr.gas' trick doesn't seem to work on 3.60.
So, how to do it again ? Well, we'll be taking advantage of how the vita handles game updates.
Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].
Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.
Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).
Now, using mr.gas' old trick, open the URI "ux0:app/[TITLEID]" (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.
Run the game you want to decrypt, MolecularShell will boot instead. You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).
You can also access the following locations, where you can find unencrypted files :
HOW CAN I MOD MY GAME ???! I WANT 18+ PATCHES
- app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
- addcont0: (DLC Content)
- savedata0: (That's where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.
So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].
Put the modded files, unencrypted, in ux0atch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).
Make sure you're not using mr.gas trick here, or the directory won't be writable. Also use the original MolecularShell, you must not be running the game at this point.
Don't put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.
Wait, if we hijack the patch directory from our game, doesn't it mean the updates won't be installed anymore ?
Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.
Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ASS, so I won't explain how to do it here. I managed to do it, if no one figures it out, I'll eventually explain it later.