PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jan 15, 2018 at 12:45 AM
Status
Not open for further replies.
Based on IDC's previous PS4 PUP_Unpack, PlayStation 4 developer Thunder07 (aka Zer0xFF on Twitter) made available a PS4 PUP Unpacker v1.0 to unpack decrypted PS4 PUP images such as the recent 3.70 Decrypted OFW by BurtE.

Download: pup_unpacker.exe / GIT

In other news today since the PS4 Keys by RedEyeX32 released last month, Something Sinister shared a tool for PS4 developers to create RSA key pairs with source code stating the following: "Polarssl's rsa_genkey.exe generates RSA key pairs. All inputs generated internally.

This version generates RSA key pairs from user input. 2048bit keys only. User inputs the exponent and randoms p and q."

Download: polarssl_rsa_application.zip (58 KB) / polarssl_rsa_source.zip (18 KB) / ps4pkgdec.zip (7.2 KB - contains ps4pkgdec.exe) / ps4pkgdec_update.zip (14 KB) / ps4pkgdec_update_source.zip (10 KB)

Additional details on usage with the PKGDec Tool are available from Robbie Luong for those interested. To quote from the README.md file:

pup_unpacker

A utility to unpack PS4 update blobs that have been previously decrypted using pup_decrypt. This is based on idc/ps4-pup_unpack rewritten with C++ and runs on Linux/OSX/Win32

Note

This utility will not unpack the contents of nested filesystems. The filesystem images in updates are FAT32, exFAT, etc images and can be mounted or unpacked with other tools.

To Build

This app contains a dependency on mateidavid/zstr as a submodule; as such, it must be initiated before building. To do so, run the following command:
Code:
git submodule update --init
Cheers go out to @prreis in the PSXHAX Shoutbox for the news tip earlier today!
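The RSA key tool quoted in the post above takes an exponent and two primes and outputs the remaining key values. As an added illustration (not code from that tool or its authors), the sketch below shows the textbook relations between those values and a check that a parameter set is self-consistent. The function names and the toy primes are constructed for this example, and that the tool uses exactly these formulas is an assumption.

```python
from math import gcd

def derive_rsa_parameters(e: int, p: int, q: int) -> dict:
    """Compute the remaining RSA values from the public exponent and two primes."""
    phi = (p - 1) * (q - 1)
    if p == q or gcd(e, phi) != 1:
        raise ValueError("need p != q and gcd(e, (p-1)(q-1)) == 1")
    d = pow(e, -1, phi)                  # private exponent (Python 3.8+)
    return {
        "Modulus": p * q, "Exponent": e, "D": d, "P": p, "Q": q,
        "DP": d % (p - 1),               # d mod (p-1)
        "DQ": d % (q - 1),               # d mod (q-1)
        "InverseQ": pow(q, -1, p),       # q^-1 mod p
    }

def is_consistent(k: dict) -> bool:
    """Check that all eight fields describe one and the same key."""
    p, q, e, d = k["P"], k["Q"], k["Exponent"], k["D"]
    return (k["Modulus"] == p * q
            and (d * e) % (p - 1) == 1 and (d * e) % (q - 1) == 1
            and k["DP"] == d % (p - 1) and k["DQ"] == d % (q - 1)
            and (k["InverseQ"] * q) % p == 1)

def crt_private_op(c: int, k: dict) -> int:
    """c^D mod Modulus computed the CRT way, using DP, DQ and InverseQ."""
    m1 = pow(c, k["DP"], k["P"])
    m2 = pow(c, k["DQ"], k["Q"])
    h = (k["InverseQ"] * (m1 - m2)) % k["P"]
    return m2 + h * k["Q"]

def to_field(value: int, length: int) -> bytes:
    """Fixed-width big-endian bytes, the layout .NET's RSAParameters uses."""
    return value.to_bytes(length, "big")

# Constructed toy key from two well-known Mersenne primes; far too small for real use.
TOY = derive_rsa_parameters(65537, 2**127 - 1, 2**89 - 1)

if __name__ == "__main__":
    message = 0x1234567890ABCDEF
    cipher = pow(message, TOY["Exponent"], TOY["Modulus"])
    print(is_consistent(TOY), crt_private_op(cipher, TOY) == message)
    print(to_field(TOY["Modulus"], 27).hex())
```

A parameter set with any field missing or mismatched fails `is_consistent`, which is the kind of check worth running before loading values into a crypto API.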
 

Comments

There are enough games for 1.76 at the moment.
Not really. Most 1.76 games that I don't liked. The higher FW is the better ones for better games that I really like.

So update it when CFW is readily for 4.05 or possibly 5.00-5.01 since they have the fully exploitable in private.
 
Lower is not necessary always better unless it's the actual firmware and you are below the actual firmware itself

Other than that trustworthy and multiple resources is much better than being locked to a lower firmware if higher exploits are available to the public.
 
But if from beta firmware (when you install beta firmware you can rollback to the original previous firmware) it's possible to mod current firmware to permit the downgrade option?
 
Not possible at the moment, rolling back is only available to those in Sony's Beta program running PS4 Beta Firmware.

Also here's some more information from Robbie Luong on how Something Sinister's tool is used with the previously released PS4 Keys by RedEyeX32:

It extracts and unencrypts encrypted files in game packages. A couple of extra steps are required before it can be used. First the RSA parameters have to be added to main.cs. From main.cs, copy/paste the first 4 bytes of the exponent, first 128 bytes of p, first 128 bytes of q, each into its own binary file.

To create the rest of the rsa parameters, use those 3 files with the application posted in this thread (RedEyeX32's linked above). Do command:
Code:
rsa_genkey.exe exponent p q
This will create a text file called priv.txt with all the parameters. Paste them into main.cs from the rar posted above.
Code:
public struct RSAParameters {
    D = new byte[256] { ... },
    DP = new byte[128] { ... },
    DQ = new byte[128] { ... },
    Exponent = new byte[4] { ... },
    InverseQ = new byte[128] { ... },
    Modulus = new byte[256] { ... },
    P = new byte[128] { ... },
    Q = new byte[128] { ... }
};
That will fix the exception caused by null pointers. One more minor fix in main.cs, that will also raise an exception with some files:
Code:
byte[] file_data = DecryptAes(key, iv, IO.In.ReadBytes(entry[i].size));
change it to this:
Code:
// Round the read length up to the next multiple of the 16-byte AES block size.
if ((entry[i].size % 16) != 0) padded_size = entry[i].size + (16 - (entry[i].size % 16));
else padded_size = entry[i].size;
byte[] file_data = DecryptAes(key, iv, IO.In.ReadBytes(padded_size));
and add padded_size to the list of declared variables
Code:
uint entry_count = IO.In.SeekNReadUInt32(0x10);
uint file_table_offset = IO.In.SeekNReadUInt32(0x18);
uint padded_size;
also this fixes the incorrect use of zeroes for padding. section containing an encrypted file of size 0x214 bytes:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00E4C570  1B DB 69 12 D3 CC DD D1 D3 3A 59 26 DA 43 63 0A  .Ûi.ÓÌÝÑÓ:Y&ÚCc.
00E4C580  23 22 1A D0 01 2B 74 1A 83 FC B6 1D 96 5A 70 09  #".Ð.+t.ƒü¶.–Zp.
00E4C590  6E 1F 1D 22 BB 43 55 1B F5 C8 7C FC 4B 35 93 B8  n.."»CU.õÈ|üK5“¸
00E4C5A0  F9 61 18 00 4D 9D C0 A4 70 38 B8 E6 72 0D 91 D3  ùa..M.À¤p8¸ær.‘Ó
00E4C5B0  A1 9E B1 B9 85 4D 22 74 26 6A 3D 37 36 B2 CD 43  ¡ž±¹…M"t&j=76²ÍC
00E4C5C0  70 04 58 76 1A 83 6A F0 92 A2 07 08 DF 96 12 AE  p.Xv.ƒjð’¢..ß–.®
00E4C5D0  11 80 CF 32 9E 6A C5 78 8E 4A E8 D0 51 8F A5 C7  .€Ï2žjÅxŽJèÐQ.¥Ç
00E4C5E0  D3 BC 7E A0 6E 08 C2 97 EC AF 91 92 04 A1 53 B9  Ó¼~ n.—쯑’.¡S¹
00E4C5F0  32 83 99 18 91 8A E6 0C 42 CA 8D 4A 32 CF 6B F1  2ƒ™.‘Šæ.BÊ.J2Ïkñ
00E4C600  F7 0F BA 13 37 39 A5 3D 14 4E B5 E6 BF B6 86 ED  ÷.º.79¥=.Nµæ¿¶†í
00E4C610  2A C9 2C B3 21 75 46 1F CF EF BE 3F BC BD 50 71  *É,³!uF.Ïï¾?¼½Pq
00E4C620  45 4A 16 74 D5 6B 8D 17 44 FF 3A 85 A8 B2 3D 0E  EJ.tÕk..Dÿ:…¨²=.
00E4C630  F2 E8 4E 8D 91 3F D0 FC 7A 73 16 43 D8 8D 17 32  òèN.‘?Ðüzs.CØ..2
00E4C640  3B 15 9E A1 BF 37 7A FB 0D 2B 4F 93 DA 4E FF F0  ;.ž¡¿7zû.+O“ÚNÿð
00E4C650  9B 32 68 EC 0A E9 F2 0B 06 03 22 B9 31 39 24 13  ›2hì.éò..."¹19$.
00E4C660  B4 06 A1 7A 78 DD CD 91 FC 50 6A 91 66 D9 92 64  ´.¡zxÝÍ‘üPj‘fÙ’d
00E4C670  CC A1 6E 69 AD 04 50 20 DA 21 D9 72 E3 66 10 4F  Ì¡ni..P Ú!Ùrãf.O
00E4C680  86 66 BA 7E AF 92 22 C7 3B FC 56 12 61 6E 51 43  †fº~¯’"Ç;üV.anQC
00E4C690  9E 06 62 0D A6 2E 68 42 AE 3B 4E 5F E8 EC 36 83  ž.b.¦.hB®;N_èì6ƒ
00E4C6A0  F3 A8 70 5D 68 2E 97 67 17 32 F5 C0 B9 8D 83 6D  ó¨p]h.—g.2õÀ¹.ƒm
00E4C6B0  23 D4 64 D0 21 BA 6A 7E 6C BF 84 CB AF E7 0C 0A  #ÔdÐ!ºj~l¿„˯ç..
00E4C6C0  80 BD 3E C0 58 0E 27 23 87 D3 6D AB 92 F8 88 0B  €½>ÀX.'#‡Óm«’øˆ.
00E4C6D0  70 97 CD 18 2A 15 B9 2A 5E E2 2C 04 E4 4D 64 C8  p—Í.*.¹*^â,.äMdÈ
00E4C6E0  5A DD 76 EE 98 23 93 9F 83 EE 3F 1E 84 06 99 5E  ZÝvî˜#“Ÿƒî?.„.™^
00E4C6F0  AE 8A FD F1 9E BA D5 75 8A 03 FA 67 83 A3 70 2F  ®ŠýñžºÕuŠ.úgƒ£p/
00E4C700  BF 3D 13 18 58 E8 1E 35 48 3C EF 21 04 2C FE F3  ¿=..Xè.5H<ï!.,þó
00E4C710  EA 7E A2 93 19 2C D4 46 51 5A 77 50 E0 65 B4 55  ê~¢“.,ÔFQZwPàe´U
00E4C720  D3 DE 64 19 BF C3 62 0B F4 30 4F 1D 2E 91 BF 66  ÓÞd.¿Ãb.ô0O..‘¿f
00E4C730  E5 45 F5 09 85 A8 2A D9 03 BA 4D D7 D7 F5 29 28  åEõ.…¨*Ù.ºM××õ)(
00E4C740  3F CB FB 09 9D 1D F8 60 27 63 04 2A 7F A5 25 3C  ?Ëû...ø`'c.*.¥%<
00E4C750  70 C5 F2 31 3E 81 DF 48 01 82 D9 BC B2 53 FB 3A  pÅò1>.ßH.‚Ù¼²Sû:
00E4C760  7C 62 56 BB D6 6D 77 58 B5 6D 06 A5 34 F7 76 C3  |bV»ÖmwXµm.¥4÷vÃ
00E4C770  B8 8A 57 E4 18 C1 27 61 33 BD DE 25 98 67 42 1D  ¸ŠWä.Á'a3½Þ%˜gB.
00E4C780  7A 42 71 57 96 1B 82 4B 33 6D 19 49 E4 38 F9 34  zBqW–.‚K3m.Iä8ù4
the last line is 4 bytes of the end of the file, the rest is artifact of encryption. here it is decrypted and extracted:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  D2 94 A0 18 00 00 00 01 00 00 00 00 00 00 02 14  Ò” .............
00000010  00 00 00 00 00 00 01 80 00 00 00 00 00 00 00 01  .......€........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000080  00 10 00 0C 4E 50 57 52 30 35 32 39 34 5F 30 30  ....NPWR05294_00
00000090  00 11 00 0C 30 00 00 00 00 00 00 00 00 00 00 00  ....0...........
000000A0  00 12 00 B0 66 8F C1 6A 37 A3 30 BE 88 CA A0 73  ...°f.Áj7£0¾ˆÊ s
000000B0  05 CB 5F 0E D1 21 1D 6F 7C 30 F2 0A 96 DB F2 5D  .Ë_.Ñ!.o|0ò.–Ûò]
000000C0  FC 90 F5 42 82 95 83 E1 F2 5F 98 7A 35 00 96 3A  ü.õB‚•ƒáò_˜z5.–:
000000D0  7F 74 A3 44 2E DF 47 83 1A F2 22 B2 48 29 60 D5  .t£D.ßGƒ.ò"²H)`Õ
000000E0  31 8A 4B B0 7F 73 DA 0D 9D FB E0 89 86 02 62 17  1ŠK°.sÚ..ûà‰†.b.
000000F0  55 2A 4A 8B 04 50 37 E7 FB D8 A9 0F 96 AC B9 2D  U*J‹.P7çûØ©.–¬¹-
00000100  13 B5 E7 92 D5 61 64 A0 01 AC CB 6D 80 67 34 97  .µç’Õad .¬Ëm€g4—
00000110  35 C5 81 12 A1 BB A9 05 99 18 B4 9A D8 83 B8 9E  5Å..¡»©.™.´šØƒ¸ž
00000120  6A FB FF 56 F6 3E A6 4D 46 80 09 E3 0E 04 E4 2A  jûÿVö>¦MF€.ã..ä*
00000130  64 1A 63 4C D1 4D 9F D1 5E B4 CA 8D 72 C4 72 D5  d.cLÑMŸÑ^´Ê.rÄrÕ
00000140  B7 AE 9E 6C 41 15 A8 AB FA 25 BA 54 76 B7 E9 6B  ·®žlA.¨«ú%ºTv·ék
00000150  EA 3C 83 2B 00 13 00 10 70 7C F9 B0 19 9A 17 93  ê<ƒ+....p|ù°.š.“
00000160  01 6C AB AA E7 D9 94 6D 00 00 00 00 00 00 00 00  .l«ªçÙ”m........
00000170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000200  8D C1 40 8A 5E D0 1F 1B B6 4F CB 71 26 0D 27 38  .Á@Š^Ð..¶OËq&.'8
00000210  08 2E 7D 66 00 00 00 00 00 00 00 00 00 00 00 00  ..}f............
if we had used zero for the padding bytes, it would give instead:
Code:
00000200  8D C1 40 8A 5E D0 1F 1B B6 4F CB 71 26 0D 27 38  .Á@Š^Ð..¶OËq&.'8
00000210  BA FF CA 5B D9 8D 62 B9 98 1A 2F 61 3B D7 3E 52  ºÿÊ[Ù.b¹˜./a;×>R
the whole last line is incorrect not just the padding. it's important because the last 20 bytes before the padding is the sha1 checksum of the file from 0-1FF
Code:
8DC1408A5ED01F1BB64FCB71260D2738082E7D66
this can be used to check that the file was unencrypted correctly. optionally add a text box control in the designer window, name it textBox1 and in the properties window, for scrollable, choose vertical. then after line:
Code:
for (int i = 0; i < entry_count; i++) {
add this:
Code:
textBox1.Text = textBox1.Text + "\r\n";
textBox1.Text = textBox1.Text + "\r\nType:    " + entry[i].type.ToString("X");
textBox1.Text = textBox1.Text + "    Unk1:    " + entry[i].unk1.ToString("X");
textBox1.Text = textBox1.Text + "\r\nFlags1:  " + entry[i].flags1.ToString("X");
textBox1.Text = textBox1.Text + "    Flags2:  " + entry[i].flags2.ToString("X");
textBox1.Text = textBox1.Text + "\r\nOffset:  0x" + entry[i].offset.ToString("X");
textBox1.Text = textBox1.Text + "    Size:    0x" + entry[i].size.ToString("X");
textBox1.Text = textBox1.Text + "\r\nKey Index:  " + entry[i].key_index.ToString("X");
textBox1.Text = textBox1.Text + "    Encrypted:  " + entry[i].is_encrypted.ToString();
to see the file list:


by the way, this method gives the same keys already posted by modrobert.

I was really only trying to see if keys would work. Here is my compiled version. Really, it is somewhat funny for me to release this since I don't know where he got the random numbers and exponent or anything about ps4 pkgs. I don't know C# either.

Requires net framework 2.0 sorry, but that's what language he used for his release.

Download: ps4pkgdec.zip (7 KB) / solution.zip (517 KB)

I used it on a few game update pkgs. It usually extracts 2-5 files. Inspecting the extracted files in a hex editor, 1 or 2 obviously appear decrypted. These files have type 402 and 403. Not all updates have 402 or 403 file types. You will have to find some that do.

type 402 contains an np title id. type 403 contains the file's size, a similar type id and at the end of the file is the sha1 of the file contents. You can verify this by opening the type 403 file in a hexeditor, like hxd.exe, delete the last 20 bytes, have it compute the sha1 checksum of the remaining contents. It should be identical to the 20 bytes just cut from the end of the file. This verifies the file was decrypted correctly as shown in the posts above.

I don't know what these files are, but there is a string table in the original package file with the names of some of the files. What Mr. Redeye has named unknown1, is now labeled string index. It is the offset of the file's name in the string table, but file types 402 and 403 don't have entries in the string table, index ==0.

Update to pkgdec

Added:
  • list file properties
  • extract all files
  • extract file by file number
Requires .Net 4.0

Download: ps4pkgdec_update.zip (14 KB) / ps4pkgdec_update_source.zip (10 KB)

The files in the file table are only a small part of the pkg. lots of other data still in the game pkg. note also, he does not use the key index. the part 1 key seed is hard coded and being used to decrypt all the encrypted files. files with key index 3 look ok. files with a different key index possibly use a different key?

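The block-size rounding and the SHA-1 trailer check described in the post above, as an added example that is not part of the original post or the tool's source. The function names are hypothetical and the sample data is constructed; only the sizes (a 0x214-byte entry, 16-byte blocks, a 20-byte digest ahead of the padding) come from the post.

```python
import hashlib
import hmac

AES_BLOCK = 16   # AES block size in bytes
SHA1_LEN = 20    # length of the trailing SHA-1 digest

def padded_size(size: int) -> int:
    """Number of bytes to read so the ciphertext ends on a block boundary."""
    return (size + AES_BLOCK - 1) // AES_BLOCK * AES_BLOCK

def check_entry(decrypted: bytes, entry_size: int) -> str:
    """Classify a decrypted entry whose last 20 bytes before padding are a SHA-1.

    decrypted  -- plaintext of the whole padded region
    entry_size -- size recorded in the file table (0x214 in the post)
    """
    if len(decrypted) != padded_size(entry_size):
        return "wrong-length"        # caller did not read whole blocks
    if entry_size <= SHA1_LEN:
        return "too-small"           # no room for a body plus digest
    body = decrypted[:entry_size - SHA1_LEN]
    stored = decrypted[entry_size - SHA1_LEN:entry_size]
    if hmac.compare_digest(hashlib.sha1(body).digest(), stored):
        return "ok"
    return "digest-mismatch"

def build_sample(entry_size: int = 0x214) -> bytes:
    """Constructed stand-in for a decrypted type 403 file (not data from the post)."""
    body = bytes(i & 0xFF for i in range(entry_size - SHA1_LEN))
    tail = b"\x00" * (padded_size(entry_size) - entry_size)
    return body + hashlib.sha1(body).digest() + tail

if __name__ == "__main__":
    good = build_sample()
    # Same entry with the final 16-byte block replaced by junk, which is what
    # decrypting a zero-filled partial ciphertext block produces.
    bad = good[:-AES_BLOCK] + bytes(range(0xA0, 0xB0))
    print(hex(padded_size(0x214)), check_entry(good, 0x214), check_entry(bad, 0x214))
```

Because the final block holds the last 4 bytes of the digest, a wrongly decrypted last block shows up as a digest mismatch even though the body is intact.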
 