Join Us and become a Member for a Verified Badge on Discord to access private areas with the latest PS4 FPKGs.
Category PS Vita Jailbreaking       Thread starter PSXHAX       Start date Jan 21, 2017 at 4:01 AM       10,839       5            
Following his PKGDecrypt homebrew application, PlayStation Vita developer St4rk documented the PS Vita PFS (PlayStation File System) encryption and secret keys today on the Wiki for developers! :ninja:

In addition, since our last GameArchives ArchiveExplorer update (Latest Version) the developer maxton has revised the application a few more times including some PFS bug fixes with the changes detailed below.

PS Vita PFS Keys
Code:
PFS EncKey : { 0x00, 0x29, 0x8C, 0xDF, 0x44, 0x28, 0xE7, 0x2C, 0x87, 0x85, 0xDA, 0xE0, 0x92, 0x3C, 0x60, 0xBD };

PFS Secret: { 0x8C, 0x5D, 0x3A, 0x4B, 0x9D, 0x9B, 0xF4, 0xB4, 0x53, 0xBC, 0xE6, 0xCD, 0xC3, 0x43, 0x31, 0xD8 };
RSA modulus and Exponent
Code:
    RSA Exponent : 0x10001
    Modulus Rif Key Type 0 and 1 :

{0x9C,0xCC,0xE3,0xA5,0x36,0xFA,0x64,0x1B,0x2D,0x13,0x54,0xEE,0x98,0xF0,0x93,0xC2,0x68,0x47,0x0F,0x72,0x2C,0x02,0x4B,0x86,0xCD,0x60,0x27,0x4E,0x08,0xE0,0x06,0x7A,0x3C,0xB0 ,0xDB,0xA3,0xD3,0x3D,0xB2,0xAC,0xE4,0x4A,0xA0,0x70,0xB1,0x0B,0x61,0x2A,0xC4,0x54,0x6E,0x51,0xB5,0xED,0xFA,0x23,0xF5,0xED,0x50,0x7F,0x23,0x36,0x5F,0x9A,0x0A,0x09,0xC1,0x80,0x7D,0x43,0xE6 ,0x17,0x22,0x25,0xAE,0xB8,0x16,0x30,0xAC,0x59,0x79,0xC4,0xA5,0x34,0x46,0x0A,0x41,0xA6,0x20,0x7E,0x6B,0x42,0x6F,0x3D,0xF8,0xCA,0xA0,0xFB,0xA7,0xED,0x2B,0x6A,0x47,0x4C,0x2A,0xAB,0x50,0xA9 ,0x2D,0xC7,0x43,0xF2,0x23,0x22,0x28,0xFA,0xC4,0x8F,0xED,0x21,0x8A,0x81,0x90,0xF0,0x42,0x3A,0xD0,0x0C,0x59,0x5D,0xCB,0x41,0x0D,0x18,0x84,0x5D,0xA9,0x0C,0xCF,0x2F,0xDF,0xD6,0xB9,0x0E,0x23 ,0x07,0x4B,0x52,0xB5,0x7C,0x48,0x66,0xB9,0x3D,0xD6,0xA7,0xC7,0x33,0x6D,0x74,0xD2,0x6D,0x9E,0x30,0xD8,0xA1,0xB1,0xC9,0x44,0x59,0xF3,0x43,0x12,0xAB,0x0A,0x46,0xB1,0xB2,0x81,0xD2,0x2B,0x38 ,0x80,0x93,0x52,0xA4,0x87,0xC0,0x0D,0x60,0x34,0x0F,0xEA,0xC1,0x83,0x4B,0xCF,0x88,0xDA,0x25,0xD9,0x80,0xB3,0x78,0x47,0x08,0x75,0x74,0x27,0xD4,0x09,0x48,0x49,0x3D,0x2F,0x5A,0x8F,0xEE,0xB5 ,0xB7,0x4B,0x29,0x61,0xFF,0xB4,0xE7,0xF3,0x83,0x22,0x07,0xCE,0x64,0x81,0xF0,0x7E,0x88,0x16,0x4E,0x32,0x08,0x18,0x01,0xB6,0x8F,0x8D,0x14,0x15,0x41,0xCE,0xD6,0xD7,0xD9,0x66,0xA0,0x8D,0xCB

    Modulus RIF Type 2 :

{0x8F,0x34,0x7C,0xAE,0x57,0x5C,0xE4,0x87,0xAD,0xC5,0x48,0x2E,0x64,0xD0,0x41,0xAB,0xC3,0x2F,0x10,0x12,0xE4,0xB6,0x94,0x78,0x90,0x47,0x38,0xA8,0x14,0x5D,0x62,0xBF,0xF9,0x8C ,0x6D,0x2C,0x36,0x1B,0x75,0xD3,0xC1,0x65,0xE4,0x2B,0x99,0x9A,0x5B,0x63,0x6B,0x91,0x48,0x89,0xEB,0xB5,0xF2,0x16,0x36,0x2A,0x8B,0xDD,0xD7,0x2A,0xE8,0xD0,0xA4,0x5A,0x73,0x0F,0x79,0xA3,0xE9 ,0xBB,0x51,0x38,0x95,0x75,0x4C,0x14,0x28,0x74,0x70,0x21,0x3C,0xEE,0x44,0xC6,0x75,0x17,0x8F,0x01,0xE0,0x9A,0x6B,0xB0,0xC4,0x51,0x5C,0x1D,0xB9,0xC9,0xBF,0x40,0xF1,0x48,0x1E,0x36,0x1E,0xFC ,0x7F,0x9F,0x23,0x6D,0x18,0x3C,0x59,0xA1,0xB7,0xF0,0x13,0x6B,0xAF,0x10,0xA6,0x2F,0xA9,0x2A,0xBD,0xD5,0xE8,0x52,0xB9,0xEC,0x2C,0x1B,0x17,0xB0,0x80,0xC1,0xD3,0x1F,0xB2,0x88,0x95,0x4B,0xF9 ,0x4F,0x93,0xB0,0x41,0x9C,0xFC,0xEB,0x86,0x73,0xE9,0x38,0x74,0xA3,0x40,0x27,0x17,0xF8,0xB1,0xDA,0x76,0x18,0x76,0xC6,0xCA,0xDA,0xF9,0xFD,0x11,0xB6,0xEA,0x50,0xF8,0x00,0xD2,0xEB,0x33,0xAB ,0x21,0x7E,0xFF,0x4C,0x60,0x3F,0xEA,0x56,0xC2,0x99,0x13,0x8A,0x5F,0x29,0x12,0xEA,0xB9,0x36,0xBF,0xA8,0x79,0xCF,0xBC,0xC8,0xFA,0x19,0xA6,0x44,0x04,0xC7,0x9F,0x61,0xB8,0x0C,0x3D,0xF6,0x8A ,0x46,0x62,0x08,0x87,0x0B,0x1C,0x7B,0xEE,0x3A,0xC4,0xF2,0x05,0x6A,0xF3,0xEF,0x64,0xCC,0xE1,0x0D,0x31,0x1F,0xB3,0xD7,0xF4,0x2C,0x73,0xED,0xF3,0x31,0x63,0x43,0x5F,0x0A,0xFA,0x72,0x75,0x07 };

    Modulus RIF Type 3 :

{0xA6,0xE0,0xB2,0xD4,0xB5,0x82,0xC0,0xE2,0x04,0x80,0x8C,0x45,0x83,0xAB,0x76,0x07,0x6B,0x34,0x96,0xB9,0x6F,0xFC,0x90,0x17,0x4A,0xB1,0xE0,0x35,0x67,0xB4,0xFC,0xD7,0x69,0x40 ,0x6D,0x9D,0xE3,0xA8,0xCE,0xEB,0xA2,0xE7,0xD4,0xCD,0xB2,0x3E,0x2B,0xEE,0x47,0x1C,0x53,0xD2,0xF7,0x1B,0x9D,0xD8,0x22,0x33,0xCD,0xD8,0x16,0x8B,0xE3,0xA5,0x67,0x59,0x2D,0x7E,0xD5,0x5F,0xB4 ,0x5C,0x71,0x79,0x17,0x75,0x6F,0xFC,0xB3,0x9E,0xC7,0x55,0x15,0x7A,0xB9,0x7F,0x89,0xF7,0xBC,0x1E,0x75,0x92,0xF5,0x47,0x55,0xED,0xBA,0x49,0x14,0xF0,0x8F,0x0C,0x77,0xE0,0xB3,0xEA,0xFF,0x9C ,0xEE,0x87,0x6F,0x3B,0x71,0x3E,0x65,0x81,0xEC,0x09,0xE5,0x17,0x3E,0x21,0x2B,0x61,0x2D,0xA7,0x0D,0xB3,0x66,0x03,0x9B,0x32,0x08,0x02,0xE0,0x22,0x8B,0x9E,0x42,0x2E,0x3C,0x81,0x4B,0x4C,0xF8 ,0xC5,0x02,0x07,0xDA,0x9E,0xC6,0x89,0xB5,0xF4,0x45,0x61,0x73,0x44,0x63,0x56,0x8A,0xB6,0x53,0x63,0xDA,0xAB,0x3C,0x60,0x5C,0x9D,0xA8,0x0D,0xF7,0x75,0x64,0x80,0x68,0xBB,0x37,0x5E,0x99,0xA8 ,0xFA,0xA8,0x02,0x69,0xE0,0x94,0xD7,0x75,0xA7,0x81,0xEB,0xFE,0x0B,0x7C,0x39,0xDB,0x82,0x27,0x20,0x49,0x85,0x2C,0x43,0x95,0xB8,0xBF,0x67,0xA9,0xE2,0x5C,0xBF,0xCF,0xD4,0x0B,0xE6,0xB2,0xC1 ,0x89,0x5C,0xE6,0x35,0x34,0xE5,0x52,0xD7,0xC4,0xF0,0x46,0x59,0xA7,0xCD,0x3C,0x59,0x84,0x1E,0x2C,0x24,0x2D,0x26,0x50,0x1E,0xB4,0xFF,0x1C,0x55,0x3B,0xA9,0x0F,0x32,0x04,0x28,0xA7,0x60,0xF3 };
GameArchives ArchiveExplorer v0.8.0
  • (Library) Add PSARC support, for zlib-compressed archives.
  • (Library) Begin work on archive modification.
  • (ArchiveExplorer) Add property view.
For binaries (.NET 4.5 required) download "Release-0.8.0.zip" below.

Downloads
GameArchives ArchiveExplorer v0.9.0
  • (Library) Fixed a bug in PFS direct reading that could leave files missing
  • (ArchiveExplorer) Added editor window with Disk Defragmenter-esque usage chart and file replacement (for Xbox ISOs only)
For binaries (.NET 4.5 required) download "Release-0.9.0.zip" below.

Downloads
GameArchives ArchiveExplorer 0.10.0
  • (Library) Add support for Wii U8 archives
  • (ArchiveExplorer) Fix case where special characters in filenames were not getting stripped
For binaries (.NET 4.5 required) download "Release-0.10.0.zip" below.

Downloads
To quote from yifan_lu on the significance of Sony's PFS protection: "So the vita has many layers of encryption. Let's look at a game cart and digital game:

1a) The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the vita, that layer is decrypted before the vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.

1b) Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by sony. Package Installer can get past this encryption (and it does for drm-free packages). For other packages, package installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0"

2) The second layer of encryption is PFS. All game data (images, textures, executables, etc) are encrypted with PFS. PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.

3) Now, the showstopper. Game executable files (eboot.self, *.suprx, etc) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for Sony.

Basically #1 can be bypassed through BlackFin or HENkaku's FS access. #2 was bypassed by mr.gas and Major_Tom's pfs mounting trick. And we are waiting for #3 to be bypassed before the floodgates of backups opens."

In related PSVita news today, Francesco Giorgi made available some PS Vita Testing Kit with Dev Kit PDEL-10xx features demonstration videos below for those interested.
Here are some leaked PSVita Dev / Test Kit Tools thanks to @SilicaAndPina, and cheers to @B7U3 C50SS and @raedoob for passing along the news tip in the PSXHAX Shoutbox! :fire:
PS Vita PFS (PlayStation File System) Keys Documented by St4rk.jpg
 

Comments

chrrox

Member
Contributor
Is there any documentation anywhere how pfs keys are used for decryption.

It would be nice to make a tool to decrypt vita pkg's.
 
Recent Articles
PS5 Error Code WS-116332-6: PSN Banwave for PS Plus Collection Loophole
Following the PS5 Console Gamesharing Guide earlier this month, recently reports of PS5 Error Code WS-116332-6 from PlayStation 5 users including Chinese BBS user Monoly123 and a PSNine forum user...
PiPS5 for Sharing PS5 Screenshots and Video Clips Easier by ItsZero
Recently ItsZero on Twitter released PiPS5 that aims to make sharing your PlayStation 5 screenshots and PS5 video clips just a little bit easier. 📸 According to the developer, PiPS5 is inspired...
Sony Unveils PlayStation Plus Game Additions for December 2020
Beginning next month, the latest additions to Sony's PlayStation Plus digital game library include Worms Rumble, Just Cause 4 and Rocket Arena available to play on PS4 and PS5 starting Tuesday...
PS5 Error Codes and PlayStation 5 Error Code Database with Fixes
Happy Thanksgiving for those in the US, and following the generic Something Went Wrong PS5 Error Code (CE-107863-5 or E2-00000000) fixes below are some common PS5 Error Codes alongside a...
Top