Category: PS Vita Jailbreaking | Thread starter: PSXHAX | Start date: Jan 21, 2017 at 4:01 AM
Following his PKGDecrypt homebrew application, PlayStation Vita developer St4rk documented the PS Vita PFS (PlayStation File System) encryption and secret keys today on the Wiki for developers! :ninja:

In addition, since our last GameArchives ArchiveExplorer update (Latest Version), the developer maxton has revised the application a few more times, including some PFS bug fixes, with the changes detailed below.

PS Vita PFS Keys
Code:
PFS EncKey : { 0x00, 0x29, 0x8C, 0xDF, 0x44, 0x28, 0xE7, 0x2C, 0x87, 0x85, 0xDA, 0xE0, 0x92, 0x3C, 0x60, 0xBD };

PFS Secret: { 0x8C, 0x5D, 0x3A, 0x4B, 0x9D, 0x9B, 0xF4, 0xB4, 0x53, 0xBC, 0xE6, 0xCD, 0xC3, 0x43, 0x31, 0xD8 };
RSA modulus and Exponent
Code:
    RSA Exponent : 0x10001
    Modulus Rif Key Type 0 and 1 :


    Modulus RIF Type 2 :


    Modulus RIF Type 3 :

GameArchives ArchiveExplorer v0.8.0
  • (Library) Add PSARC support, for zlib-compressed archives.
  • (Library) Begin work on archive modification.
  • (ArchiveExplorer) Add property view.
For binaries (.NET 4.5 required) download "Release-0.8.0.zip" below.

Downloads
GameArchives ArchiveExplorer v0.9.0
  • (Library) Fixed a bug in PFS direct reading that could leave files missing
  • (ArchiveExplorer) Added editor window with Disk Defragmenter-esque usage chart and file replacement (for Xbox ISOs only)
For binaries (.NET 4.5 required) download "Release-0.9.0.zip" below.

Downloads
GameArchives ArchiveExplorer 0.10.0
  • (Library) Add support for Wii U8 archives
  • (ArchiveExplorer) Fix case where special characters in filenames were not getting stripped
For binaries (.NET 4.5 required) download "Release-0.10.0.zip" below.

Downloads
To quote from yifan_lu on the significance of Sony's PFS protection: "So the vita has many layers of encryption. Let's look at a game cart and digital game:

1a) The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the vita, that layer is decrypted before the vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.

1b) Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by sony. Package Installer can get past this encryption (and it does for drm-free packages). For other packages, package installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0"

2) The second layer of encryption is PFS. All game data (images, textures, executables, etc) are encrypted with PFS. PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.

3) Now, the showstopper. Game executable files (eboot.self, *.suprx, etc) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for Sony.

Basically #1 can be bypassed through BlackFin or HENkaku's FS access. #2 was bypassed by mr.gas and Major_Tom's pfs mounting trick. And we are waiting for #3 to be bypassed before the floodgates of backups opens."

In related PSVita news today, Francesco Giorgi made available some PS Vita Testing Kit with Dev Kit PDEL-10xx features demonstration videos below for those interested.
Here are some leaked PSVita Dev / Test Kit Tools thanks to @SilicaAndPina, and cheers to @B7U3 C50SS and @raedoob for passing along the news tip in the PSXHAX Shoutbox! :fire:

Comments

chrrox

Member
Contributor
Is there any documentation anywhere on how PFS keys are used for decryption?

It would be nice to make a tool to decrypt vita pkg's.
 

PSXHAX

Staff Member
Moderator
Contributor
Verified
Ahh, ten four! :)

Other than IRC, you could start a discussion on the Wiki Keys Talk page asking about PFS Keys documentation... if I run across it anywhere, I'll post it in this thread also :thumbup:
 