Category PS Vita News       Thread starter PSXHAX       Start date Aug 2, 2016 at 10:36 PM       8,954       0            
Following the release of Henkaku and some PS Vita VPKs, today PlayStation Vita developer Major_Tom revealed on Pastebin.com PS Vita DLC, cartridge / digital games and savedata decryption guides for Firmware 3.60 alongside the first PS Vita game mod PoC demo video with PS Vita Decrypted Saves now being shared on PSVitaSaves.tk.

For those unfamiliar with Tomtomdu80 and Mr.gas's past PlayStation Vita hacking and homebrew developments, some highlights can be seen below:
Finally, from Pastebin to quote: PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60

I'll be referring to mr.gas' old trick for bypassing pfs protection on old fw. Old instructions :

"most of the work are going to be in app.db
1- add a value in table tbl_uri like the following
NPXS10000;1;ux0;
2- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
3- overwrite the modified app.db using email app and reboot
4- now use the browser to call the new uri with your target game . example :
ux0:app/PCSA00017
apparently near app will open the game manual.
5- minimize near then dump the game using the psp pboot trick and QCMA (while the near app still open)
6- end of th story .. and have fun.
tested in fw 3.18 and above"

Make these modifications in app.db before following this guide. If you want to decrypt cartridges as well, you can also add "NPXS10000;1;gro0;" at step 1.

PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60

It has been reported many times that mr.gas' trick to dump unencrypted files from ux0:app was patched in 3.60, but it's not actually exact.

What has been patched is the PBOOT.PBP dumper trick. MolecularShell can't access other applications files, that is why applying mr.gas' trick doesn't seem to work on 3.60.

So, how to do it again ? Well, we'll be taking advantage of how the vita handles game updates.

Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].

Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.

Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).

Now, using mr.gas' old trick, open the URI "ux0:app/[TITLEID]" (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.

Run the game you want to decrypt, MolecularShell will boot instead. You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).

You can also access the following locations, where you can find unencrypted files :
  • app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
  • addcont0: (DLC Content)
  • savedata0: (That's where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
HOW CAN I MOD MY GAME ???! I WANT 18+ PATCHES

Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.

So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].

Put the modded files, unencrypted, in ux0:winkytongue:atch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).

Make sure you're not using mr.gas trick here, or the directory won't be writable. Also use the original MolecularShell, you must not be running the game at this point.

Don't put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.

Wait, if we hijack the patch directory from our game, doesn't it mean the updates won't be installed anymore ?

Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.

Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ASS, so I won't explain how to do it here. I managed to do it, if no one figures it out, I'll eventually explain it later.

Also below is PS Vita SaveMgr by d3m3vilurr to dump & restore decrypted savefiles, as follows from the README.md file:

Download: savemgr.vpk / GIT

Configure

If you want to use another dump directory format, make simple config.ini file into ux0:data/savemgr
  • use ux0:data/savegames/PCSH00000_SLOT0
base=/data/savegames
slot_format=%s_SLOT%d
Default config like this; it will save to ux0:data/savegames/PCSH00000/SLOT0

base=/data/savegames
slot_format=%s/SLOT%d

Development

Need VitaShell's modules; install kernel and user and copy kernel.skprx and user.suprx into sce_sys then you can build vpk.

mkdir build
cd build && cmake -GNinja .. && ninja`

License

GPLv3

Credits

Project use these project's codes.
PS Vita Jailbreak.jpg
 

Comments

Recent Articles
PlayStation 4 & PS4 Pro Price Drop Rumored in Black Friday 2019 Ad Leak
As we get closer to the holidays we'll do a dedicated topic on Black Friday 2019 ad scans like we did last year, but until then an alleged Walmart Black Friday 2019 ad leak brings rumors of both a...
Call of Duty: Modern Warfare & MediEvil Join New PS4 Games Next Week
Next week the PlayStation 4 gets some heavy hitters, including Call of Duty: Modern Warfare for PS4 on October 24th, and both MediEvil and The Outer Worlds on October 25th. šŸ˜ƒ Without further ado...
Sony Rumored to Unveil PS5 at PlayStation Meeting on February 12, 2020
Yesterday we saw the first PS5 DevKit Prototype Images, and although Sony confirmed the PlayStation 5 will launch during the Holiday 2020 season they haven't announced an official PS5 unveiling...
Leaked PS5 Dev Kit Prototype Images Surface from ZONEofTECH
Following the PS5 Development Kit Design Patent and PlayStation 5 Development Kit 3D Renders, this weekend ZONEofTECH shared some leaked Sony PS5 Dev Kit Prototype Images on Twitter with a video...
Top