Category: PS4 CFW and Hacks. Thread starter: PSXHAX. Start date: Jan 20, 2020 at 3:07 AM.
Proceeding Flat_z's Write-up, the PS4 Backporting Method Outline and his recent PKGEditor Updates, PlayStation 4 developer maxton shared on GitHub some handy Package information including details on PS4 PKG encryption developer-controlled keys, PFS key generation, the ENTRY_KEYS entry, the IMAGE_KEY entry, how to decrypt PKGs and PKG authentication.

This also comes following the PFS Protection Bypass method, PFS Explorer Support for GameArchives (Latest Version) archive explorer, PS Vita PlayStation File System Keys, MakePFS, PS4 Sealedkey / pfsSKKey details for savegame and trophy data decryption, a PSFSKKey savegame decryption tool (lacking SAMU PFS keys) and the PFS Structure.

From the LibOrbisPkg Wiki via maxton on GitHub, to quote:

PKG Information

The PS4 Dev Wiki has some information on PKGs and PFS images. Also check out flatz's write-up on Fake PKGs.

Anyway, here's some information about PKGs I've discovered in making this library and toolset.

PKG Encryption

Developer-controlled keys


The contents of a PKG are encrypted with keys derived from a developer-specified passcode and the Content ID.

Let's call these derived keys dk0 to dk6 based on the index value used to create them.

  • dk1 is what flatz/sony refer to as EKPFS. It is used to generate PFS encryption and signing keys.
  • dk2 is used to generate the AES iv/key to encrypt the license.info in the PKG entry filesystem.
  • dk3 is used to generate the AES iv/key to encrypt the IMAGE_KEY entry, the license.dat, and to encrypt the PKG header signature.
  • It is not known if the other derived keys are used for anything. They can be used to encrypt entries in the PKG entry filesystem, but so far I've only seen dk2 and dk3 used for that.

PFS Key Generation

To generate keys for PFS, the PFS key seed is combined with an index and then hashed with HMAC-SHA256 using the dk1 (EKPFS) as a key. Index 1 generates XTS tweak and data keys, while index 2 generates the HMAC-SHA256 signing key.

The ENTRY_KEYS entry

6 of the derived keys are encrypted using public-key RSA and stored in the ENTRY_KEYS entry. Their digests are also stored there. Each derived key gets encrypted with a unique RSA key. The passcode is stored in place of dk0 and it gets its own RSA key as well.

We only have public moduli for these RSA keys, except RSA Key 3, for which we have the public and private keys. This entry is stored unencrypted in the PKG, so to access the passcode, for example, all you'd need is the private RSA key 0.

The IMAGE_KEY entry

The EKPFS (dk1) is RSA encrypted with the "mount-image" public key and stored in IMAGE_KEY. We don't have the private "mount-image" RSA key, which is why for FAKE PKGs we actually replace it with flatz's generated mount-image key for Fake PKGs.

This allows us to decrypt FAKE PKGs without a passcode or license, the same way flatz illustrated in his Fake PKG kernel patches in the write-up.

Ok, whatever, but just tell me how do I decrypt some PKG I have?

So, if you want to decrypt the PFS image of any PKG, only one of the following items is required:
  1. RSA key 0 (public modulus starts d6 aa 0c 5c)
  2. RSA key 1 (public modulus starts b9 69 53 ee)
  3. The mount-image RSA key
  4. The passcode
  5. The EKPFS
  6. The XTS data and tweak keys
Having any of the items 1-3 would allow you to decrypt the PFS of any PKG. Having any of 4-6 would allow you to decrypt a specific PKG.

For Fake PKGs, we have replaced item 3 with our own key so we can already decrypt any Fake PKG using PkgEditor or PkgTool.

PKG Authentication

PKG files utilize SHA-256, HMAC-SHA256, and RSA to authenticate and prevent tampering.

Cheers to Figure03 for the heads-up on this over the weekend! 🍻

Also heating things up on Twitter today from @SpecterDev, to quote:

After many months of work in collaboration with diwidog and CrazyVoidPS4 w/ help from flat_z, we have a hello world homebrew app running on the PS4 built with a custom toolchain / non-sony ***! Still work to be done, but this is a big step for homebrew.
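
The PFS key derivation described under "PFS Key Generation" above, as an added Python example that is not part of the original post or of LibOrbisPkg. The HMAC input layout (4-byte little-endian index placed before the seed), the tweak-then-data split of the output, the function names, and the sample EKPFS and seed are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple

# Index values named on the page: 1 -> XTS tweak/data keys, 2 -> signing key.
INDEX_ENCRYPTION = 1
INDEX_SIGNING = 2


class PfsKeys(NamedTuple):
    xts_tweak: bytes  # 16 bytes
    xts_data: bytes   # 16 bytes
    sign_key: bytes   # 32 bytes, used for HMAC-SHA256 signatures


def pfs_derive(ekpfs: bytes, seed: bytes, index: int) -> bytes:
    """HMAC-SHA256 keyed with EKPFS (dk1) over the index combined with the seed.

    ASSUMPTION: the index is a 4-byte little-endian integer prepended to the seed.
    """
    return hmac.new(ekpfs, struct.pack("<I", index) + seed, hashlib.sha256).digest()


def pfs_keys(ekpfs: bytes, seed: bytes) -> PfsKeys:
    enc = pfs_derive(ekpfs, seed, INDEX_ENCRYPTION)
    # ASSUMPTION: first 16 bytes are the XTS tweak key, last 16 the data key.
    return PfsKeys(enc[:16], enc[16:], pfs_derive(ekpfs, seed, INDEX_SIGNING))


def verify_block(sign_key: bytes, block: bytes, expected_mac: bytes) -> bool:
    """Check an HMAC-SHA256 tag over a block in constant time."""
    mac = hmac.new(sign_key, block, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected_mac)


# Constructed sample values, not taken from any real package.
SAMPLE_EKPFS = bytes(range(32))
SAMPLE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    keys = pfs_keys(SAMPLE_EKPFS, SAMPLE_SEED)
    print("tweak:", keys.xts_tweak.hex())
    print("data :", keys.xts_data.hex())
    print("sign :", keys.sign_key.hex())
```

Because the index is part of the HMAC input, the encryption and signing keys are independent outputs of the same EKPFS, and a different seed yields a different key set.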
 

Comments

jrogan1113

Do you have any further details on how this is done in the PS4? If a game is downloaded, does Orbis use SHA/RSA to perform the authentication before unpacking the PFS?

Once the PKG is installed, are there any further checks done on the installed game to ensure there is no further tampering or corruption?

Judging from errors like CE-38612-0 it would seem like there is some mechanism to detect corruption - not sure if this is based on authentication or just something akin to a SIGFAULT exception handler?

thanks!
 