Category: PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Jan 20, 2020 at 3:07 AM
Following Flat_z's Write-up, the PS4 Backporting Method Outline and his recent PKGEditor Updates, PlayStation 4 developer maxton shared on GitHub some handy Package information, including details on PS4 PKG encryption developer-controlled keys, PFS key generation, the ENTRY_KEYS entry, the IMAGE_KEY entry, how to decrypt PKGs and PKG authentication.

This also comes following the PFS Protection Bypass method, PFS Explorer Support for GameArchives (Latest Version) archive explorer, PS Vita PlayStation File System Keys, MakePFS, PS4 Sealedkey / pfsSKKey details for savegame and trophy data decryption, a PSFSKKey savegame decryption tool (lacking SAMU PFS keys) and the PFS Structure.

From the LibOrbisPkg Wiki via maxton on GitHub, to quote:

PKG Information

The PS4 Dev Wiki has some information on PKGs and PFS images. Also check out flatz's write-up on Fake PKGs.

Anyway, here's some information about PKGs I've discovered in making this library and toolset.

PKG Encryption

Developer-controlled keys


The contents of a PKG are encrypted with keys derived from a developer-specified passcode and the Content ID.

Let's call these derived keys dk0 to dk6 based on the index value used to create them.

  • dk1 is what flatz/sony refer to as EKPFS. It is used to generate PFS encryption and signing keys.
  • dk2 is used to generate the AES iv/key to encrypt the license.info in the PKG entry filesystem.
  • dk3 is used to generate the AES iv/key to encrypt the IMAGE_KEY entry, the license.dat, and to encrypt the PKG header signature.
  • It is not known if the other derived keys are used for anything. They can be used to encrypt entries in the PKG entry filesystem, but so far I've only seen dk2 and dk3 used for that.

PFS Key Generation

To generate keys for PFS, the PFS key seed is combined with an index and then hashed with HMAC-SHA256 using the dk1 (EKPFS) as a key. Index 1 generates XTS tweak and data keys, while index 2 generates the HMAC-SHA256 signing key.

The ENTRY_KEYS entry

6 of the derived keys are encrypted using public-key RSA and stored in the ENTRY_KEYS entry. Their digests are also stored there. Each derived key gets encrypted with a unique RSA key. The passcode is stored in place of dk0 and it gets its own RSA key as well.

We only have public moduli for these RSA keys, except RSA key 3, for which we have the public and private keys. This entry is stored unencrypted in the PKG, so to access the passcode, for example, all you'd need is the private RSA key 0.

The IMAGE_KEY entry

The EKPFS (dk1) is RSA encrypted with the "mount-image" public key and stored in IMAGE_KEY. We don't have the private "mount-image" RSA key, which is why for FAKE PKGs we actually replace it with flatz's generated mount-image key for Fake PKGs.

This allows us to decrypt FAKE PKGs without a passcode or license, the same way flatz illustrated in his Fake PKG kernel patches in the write-up.

Ok, whatever, but just tell me how do I decrypt some PKG I have?

So, if you want to decrypt the PFS image of any PKG, only one of the following items is required:
  1. RSA key 0 (public modulus starts d6 aa 0c 5c)
  2. RSA key 1 (public modulus starts b9 69 53 ee)
  3. The mount-image RSA key
  4. The passcode
  5. The EKPFS
  6. The XTS data and tweak keys

Having any of the items 1-3 would allow you to decrypt the PFS of any PKG. Having any of 4-6 would allow you to decrypt a specific PKG.

For Fake PKGs, we have replaced item 3 with our own key so we can already decrypt any Fake PKG using PkgEditor or PkgTool.

PKG Authentication

PKG files utilize SHA-256, HMAC-SHA256, and RSA to authenticate and prevent tampering.

Cheers to Figure03 for the heads-up on this over the weekend! 🍻
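The derivation described under "PFS Key Generation" in the quote above, as an added Python example (not code from LibOrbisPkg or the wiki). The 4-byte little-endian index prefix, the 32-byte EKPFS and 16-byte seed sizes, and the tweak-then-data split order are assumptions; the key and seed values are constructed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

EKPFS_LEN = 32  # assumption: dk1 / EKPFS is a 32-byte key
SEED_LEN = 16   # assumption: the PFS key seed is 16 bytes


def pfs_derive(ekpfs: bytes, seed: bytes, index: int) -> bytes:
    """HMAC-SHA256 keyed with EKPFS over (index || seed).

    Assumption: "combined" means the index is prepended to the seed as a
    4-byte little-endian integer.
    """
    if len(ekpfs) != EKPFS_LEN or len(seed) != SEED_LEN:
        raise ValueError("unexpected EKPFS or seed length")
    message = struct.pack("<I", index) + seed
    return hmac.new(ekpfs, message, hashlib.sha256).digest()


def pfs_xts_keys(ekpfs: bytes, seed: bytes) -> Tuple[bytes, bytes]:
    """Index 1: one 32-byte digest split into the two XTS keys.

    Assumption: the first half is the tweak key, the second the data key.
    """
    digest = pfs_derive(ekpfs, seed, 1)
    return digest[:16], digest[16:]


def pfs_sign_key(ekpfs: bytes, seed: bytes) -> bytes:
    """Index 2: the full digest is the HMAC-SHA256 signing key."""
    return pfs_derive(ekpfs, seed, 2)


if __name__ == "__main__":
    # Constructed values for illustration only; not real keys.
    ekpfs = bytes(range(32))
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")
    tweak, data = pfs_xts_keys(ekpfs, seed)
    print("tweak:", tweak.hex())
    print("data :", data.hex())
    print("sign :", pfs_sign_key(ekpfs, seed).hex())
```

Because the index is part of the HMAC input, the encryption and signing keys are independent of each other, but both follow directly from the EKPFS and the seed.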

Also heating things up on Twitter today from @SpecterDev, to quote:

After many months of work in collaboration with diwidog and CrazyVoidPS4 w/ help from flat_z, we have a hello world homebrew app running on the PS4 built with a custom toolchain / non-sony ***! Still work to be done, but this is a big step for homebrew.

Comments

jrogan1113

Do you have any further details on how this is done in the PS4? If a game is downloaded, does Orbis use SHA/RSA to perform the authentication before unpacking the PFS?

Once the PKG is installed, are there any further checks done on the installed game to ensure there is no further tampering or corruption?

Judging from errors like CE-38612-0 it would seem like there is some mechanism to detect corruption - not sure if this is based on authentication or just something akin to a SIGFAULT exception handler?

thanks!
 