Category PS Vita News       Thread starter PSXHAX       Start date Aug 2, 2016 at 10:36 PM       9,053       0            
Following the release of Henkaku and some PS Vita VPKs, today PlayStation Vita developer Major_Tom revealed on Pastebin.com PS Vita DLC, cartridge / digital games and savedata decryption guides for Firmware 3.60 alongside the first PS Vita game mod PoC demo video with PS Vita Decrypted Saves now being shared on PSVitaSaves.tk.

For those unfamiliar with Tomtomdu80 and Mr.gas's past PlayStation Vita hacking and homebrew developments, some highlights can be seen below:
Finally, from Pastebin to quote: PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60

I'll be referring to mr.gas' old trick for bypassing pfs protection on old fw. Old instructions :

"most of the work are going to be in app.db
1- add a value in table tbl_uri like the following
NPXS10000;1;ux0;
2- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
3- overwrite the modified app.db using email app and reboot
4- now use the browser to call the new uri with your target game . example :
ux0:app/PCSA00017
apparently near app will open the game manual.
5- minimize near then dump the game using the psp pboot trick and QCMA (while the near app still open)
6- end of th story .. and have fun.
tested in fw 3.18 and above"

Make these modifications in app.db before following this guide. If you want to decrypt cartridges as well, you can also add "NPXS10000;1;gro0;" at step 1.

PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60

It has been reported many times that mr.gas' trick to dump unencrypted files from ux0:app was patched in 3.60, but it's not actually exact.

What has been patched is the PBOOT.PBP dumper trick. MolecularShell can't access other applications files, that is why applying mr.gas' trick doesn't seem to work on 3.60.

So, how to do it again ? Well, we'll be taking advantage of how the vita handles game updates.

Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].

Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.

Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).

Now, using mr.gas' old trick, open the URI "ux0:app/[TITLEID]" (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.

Run the game you want to decrypt, MolecularShell will boot instead. You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).

You can also access the following locations, where you can find unencrypted files :
  • app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
  • addcont0: (DLC Content)
  • savedata0: (That's where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
HOW CAN I MOD MY GAME ???! I WANT 18+ PATCHES

Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.

So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].

Put the modded files, unencrypted, in ux0:winkytongue:atch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).

Make sure you're not using mr.gas trick here, or the directory won't be writable. Also use the original MolecularShell, you must not be running the game at this point.

Don't put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.

Wait, if we hijack the patch directory from our game, doesn't it mean the updates won't be installed anymore ?

Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.

Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ASS, so I won't explain how to do it here. I managed to do it, if no one figures it out, I'll eventually explain it later.

Also below is PS Vita SaveMgr by d3m3vilurr to dump & restore decrypted savefiles, as follows from the README.md file:

Download: savemgr.vpk / GIT

Configure

If you want to use another dump directory format, make simple config.ini file into ux0:data/savemgr
  • use ux0:data/savegames/PCSH00000_SLOT0
base=/data/savegames
slot_format=%s_SLOT%d
Default config like this; it will save to ux0:data/savegames/PCSH00000/SLOT0

base=/data/savegames
slot_format=%s/SLOT%d

Development

Need VitaShell's modules; install kernel and user and copy kernel.skprx and user.suprx into sce_sys then you can build vpk.

mkdir build
cd build && cmake -GNinja .. && ninja`

License

GPLv3

Credits

Project use these project's codes.
PS Vita Jailbreak.jpg
 

Comments

Recent Articles
JoystickUDP: Collection of Methods Using a PS4 Controller with UDPComms
Recently StanfordRoboticsClub shared on Github a collection of methods using a DualShock 4 PS4 Controller with UDPComms, which is a Python library to enable communication between different...
Star Wars Jedi: Fallen Order Joins New PS4 Game Releases Next Week
Explore the galaxy in the latest PlayStation 4 third-person action-adventure game Star Wars Jedi: Fallen Order from Respawn Entertainment arriving to PS4 next week on November 15th. Play as an...
Feel The Power of Pro with PlayStation 4 Pro Latest PS4 TV Spot!
Right behind their It's Time to Play! campaign and Black Friday Deals, Sony is ramping up PlayStation promotions for the holidays with the latest PS4 TV spot showcasing the Limited Edition PS4 Pro...
REPL4Y for Android PS4 Remote Play App Free Trial Version by Twist3d89
Proceeding his request for Beta Testers and the Chiaki Open Source PS4 Remote Play Client release, developer Twist3d89 has made available a free trial version of his REPL4Y for Android application...
Top