PS4 CFW and Hacks       Thread starter PSXHAX       3,414       4      
Status
Not open for further replies.

PSXHAX

Staff Member
Moderator
Verified
Last fall we learned that PS4 RIF Files are required to make PlayStation 4 Packages (PKG files) playable, followed by some OMSK App details, the OMSK Client RIF File, an Install Guide for jailbroken consoles and most recently the necessary PS4 IDX File Generator.

Today PlayStation 4 developer @theorywrong (Twitter) shared via HydrogenNGU a PS4 rif_decryptor that is currently broken, and they are seeking some help from scene devs to fix the code. (y)

Download: PS4 RIF Decryptor Code

Code:
#define _WANT_UCRED
#define _XOPEN_SOURCE 700
#define __BSD_VISIBLE 1

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <kernel.h>
#include <ps4/kernel.h>
#include <debugnet.h>

#include "jailbreak.h"

/*
 * Argument block passed by address to the ioctl() call in decrypt_rif().
 * Field meanings below are taken from how decrypt_rif() fills them in.
 */
typedef struct _decrypt_rif_args
{
  void* buffer;   /* set to the aligned buffer holding the file contents */
  size_t length;  /* set to the file size in bytes */
}
decrypt_rif_args;

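/**
 * Write `size` bytes from `raw` to the file `name`, replacing any
 * existing file.
 *
 * Failures are reported through debugNetPrintf only; the function has no
 * return value, so callers cannot tell whether the dump succeeded.
 *
 * @param name  destination path
 * @param raw   bytes to write
 * @param size  number of bytes to write
 */
void save_rif(char *name, uint8_t *raw, size_t size) {
    FILE *out = fopen(name, "wb");
    if (out == NULL) {
        debugNetPrintf(INFO, "dump err.\n");
        return;
    }

    /* A short write (full medium, removed device) would otherwise leave a
     * truncated file behind with nothing in the log. */
    if (fwrite(raw, 1, size, out) != size) {
        debugNetPrintf(INFO, "dump err: short write.\n");
    }

    /* fclose() flushes buffered data, so its result matters for writes. */
    if (fclose(out) != 0) {
        debugNetPrintf(INFO, "dump err: close failed.\n");
    }
}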

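/**
 * Read `rif_file` into an aligned buffer, hand that buffer to /dev/npdrm
 * through ioctl(), and write the buffer back out to `save_file`.
 *
 * The hosting page describes this code as not working. This revision only
 * tightens resource and error handling; the ioctl request value and the
 * argument block are left exactly as published.
 *
 * Changes relative to the published listing:
 *  - the device descriptor is closed on the ioctl failure path (it leaked);
 *  - fseek/ftell/fread results and the allocation result are checked;
 *  - the size is logged with a matching integer conversion instead of %p;
 *  - a stray comma operator after the `args.buffer` assignment is now `;`.
 *
 * @param rif_file   path of the input file
 * @param save_file  path the processed buffer is written to
 * @return 0 on success, 1 on any failure
 */
int decrypt_rif(char *rif_file, char *save_file) {
    int rc = 1;
    int fd = -1;
    void *rif_addr = NULL;
    long rif_size = -1;

    debugNetPrintf(INFO, "RIF Filename: %s\n", rif_file);
    FILE *rif_input = fopen(rif_file, "rb");
    if (rif_input == NULL) {
        debugNetPrintf(INFO, "fopen: cannot open this file !\n");
        return rc;
    }

    /* ftell() returns -1 on error; an unchecked negative size would flow
     * into the allocation and the read below. */
    if (fseek(rif_input, 0L, SEEK_END) == 0) {
        rif_size = ftell(rif_input);
    }
    if (rif_size <= 0 || fseek(rif_input, 0L, SEEK_SET) != 0) {
        debugNetPrintf(INFO, "cannot determine RIF size !\n");
        fclose(rif_input);
        return rc;
    }

    /* NOTE(review): assumes align_alloc() reports failure by returning
     * NULL and that its result may be released with free(), as the
     * original listing does -- confirm against its definition. */
    rif_addr = align_alloc(0x4000, (size_t)rif_size);
    if (rif_addr == NULL) {
        debugNetPrintf(INFO, "align_alloc failed !\n");
        fclose(rif_input);
        return rc;
    }

    if (fread(rif_addr, (size_t)rif_size, 1, rif_input) != 1) {
        debugNetPrintf(INFO, "fread: cannot read this file !\n");
        fclose(rif_input);
        goto out;
    }
    fclose(rif_input);

    debugNetPrintf(INFO, "RIF Address: %p\n", rif_addr);
    debugNetPrintf(INFO, "RIF Size: %ld\n", rif_size);

    fd = open("/dev/npdrm", O_RDWR, 0);
    if (fd < 0) {
        debugNetPrintf(INFO, "Failed to open /dev/npdrm!\n");
        goto out;
    }

    decrypt_rif_args args;
    memset(&args, 0, sizeof(args));
    args.buffer = rif_addr;
    args.length = (size_t)rif_size;

    if (ioctl(fd, 0xC0404E03, &args) < 0) {
        debugNetPrintf(INFO, "ioctl have a error !!!\n");
        goto out;
    }

    save_rif(save_file, rif_addr, (size_t)rif_size);
    debugNetPrintf(INFO, "Decrypted RIF saved to: %s !\n", save_file);
    rc = 0;

out:
    /* Single exit path so the descriptor and buffer are released on every
     * outcome. */
    if (fd >= 0) {
        close(fd);
    }
    free(rif_addr);
    return rc;
}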

/*
 * Entry point: start network logging, run the `jailbreak` routine through
 * ps4KernelExecute when the process is not uid 0, then try the two
 * hard-coded input paths in turn.
 *
 * The exit status is EXIT_SUCCESS whether or not either attempt worked;
 * the outcome is only visible in the debugnet log.
 */
int main(int argc, char **argv)
{
    int64_t ret;
    uid_t current_uid;

    /* Log sink address and port are fixed at build time. */
    debugNetInit("192.168.1.2", 15000, DEBUG);
    debugNetPrintf(INFO, "rif_decrypt initialized\n");

    current_uid = getuid();
    debugNetPrintf(INFO, "getuid() : %d\n", current_uid);
    if (current_uid != 0) {
        ps4KernelExecute((void*)jailbreak, NULL, &ret, NULL);
        debugNetPrintf(INFO, "jailbreak!!\n");
    }

    /* The second path is tried only when the first attempt reports failure;
     * both attempts write to the same output file. */
    if (decrypt_rif("/mnt/usb0/generic.rif", "/mnt/usb1/generic.drif") > 0 &&
        decrypt_rif("/mnt/usb1/generic.rif", "/mnt/usb1/generic.drif") > 0) {
        debugNetPrintf(INFO, "Failed to decrypt RIF !!\n");
    }

    return EXIT_SUCCESS;
}
According to Oneman, calling this code is enough to decrypt any PS4 .rif file.

From Pastebin.com:
Code:
/*
 * Decompiler pseudo-code quoted from Pastebin; it is not compilable C.
 * The "[email protected]" fragments in the signature and in the trailing
 * comments are most likely an artefact of the hosting site's e-mail
 * obfuscation applied to the decompiler's `name@location` annotations;
 * the original text cannot be recovered from this page.
 *
 * What the listing itself shows:
 *  - 1024 bytes are copied from a1 into the local `_rif_header`;
 *  - the first dword is compared with the constant 'FIR' and two 16-bit
 *    header fields (v7, v8) are byte-swapped and range-checked;
 *  - depending on a type value, one of three npdrm_decrypt_* helpers runs;
 *  - on success six 64-bit values are stored to a2[0..5], 0x68 bytes are
 *    optionally copied to the third argument, and locals are zeroed;
 *  - v6 carries the status; the negative decimals are 0x8087xxxx codes
 *    (for example -2138636285 == 0x80870003, which also appears in hex).
 */
__int64 __usercall [email protected]<rax>(__int64 [email protected]<rdx>, __int64 *[email protected]<rdi>, __m256i *[email protected]<rsi>, unsigned __int64 [email protected]<r12>, __m256i [email protected]<ymm0>)
{
  __m256i *v5; // [email protected]
  signed int v6; // [email protected]
  unsigned int v7; // [email protected]
  unsigned __int32 v8; // [email protected]
  __int32 v9; // [email protected]
  signed int v10; // [email protected]
  __int64 v11; // [email protected]
  __int64 v12; // [email protected]
  __int64 result; // [email protected]
  __m256i v15; // [rsp+0h] [rbp-528h]@19
  __m256i v16; // [rsp+20h] [rbp-508h]@23
  __int64 v17; // [rsp+40h] [rbp-4E8h]@23
  __m256i v18; // [rsp+60h] [rbp-4C8h]@19
  __m256i v19; // [rsp+80h] [rbp-4A8h]@20
  __int64 v21; // [rsp+C0h] [rbp-468h]@38
  unsigned __int64 _rif_header; // [rsp+E0h] [rbp-448h]@4
  unsigned __int16 v23; // [rsp+130h] [rbp-3F8h]@6
  char v24; // [rsp+320h] [rbp-208h]@33
  char v25; // [rsp+340h] [rbp-1E8h]@23
  __int64 v26; // [rsp+380h] [rbp-1A8h]@36
  __int64 v27; // [rsp+388h] [rbp-1A0h]@36
  __int64 v28; // [rsp+390h] [rbp-198h]@36
  __int64 v29; // [rsp+398h] [rbp-190h]@36
  __int64 v30; // [rsp+3C0h] [rbp-168h]@36
  __int64 v31; // [rsp+3C8h] [rbp-160h]@36
  char v32; // [rsp+3E0h] [rbp-148h]@4
  __int64 v33; // [rsp+4E0h] [rbp-48h]@1

  v5 = a3;
  // v33 is saved here and compared again before returning; this looks like
  // a stack-protector check -- NOTE(review): inferred from the pattern only.
  v33 = *(_QWORD *)G__preinit_array_end;
  v6 = -2138636287; // 0x80870001
  if ( !dword_8EF0C0 )
    goto LABEL_39;
  v6 = -2138636283; // 0x80870005: returned when a2 or a1 is null
  if ( !a2 )
    goto LABEL_39;
  if ( !a1 )
    goto LABEL_39;
  // Work on a private 1024-byte copy of the caller's buffer.
  memcpy((__int64)&_rif_header, a1, 1024LL);
  v6 = sub_28D870((__int64)&_rif_header, (__int64)&v32);
  if ( v6 < 0 )
    goto LABEL_39;
  v6 = -2138636282; // 0x80870006
  // Presumably the file magic; shown by the decompiler as a multi-char constant.
  if ( (_DWORD)_rif_header != 'FIR' )
    goto LABEL_39;
  // v7: 16-bit value from bits 32..47 of the first qword, bytes swapped.
  v7 = ((unsigned int)(unsigned __int16)(_rif_header >> 32) >> 8) | (unsigned __int16)((unsigned __int16)(_rif_header >> 32) << 8);
  // v8: v23 with its two bytes swapped; v23 sits 0x50 bytes after
  // _rif_header on the stack, so it is presumably a field of the copy.
  v8 = _byteswap_ulong(v23) >> 16;
  // Accepted v8 values: 0, 257, 258, 770, and 512..514 (the last range
  // only when check_perm returns non-zero).
  if ( v8 > 0x100 )
  {
    if ( v8 > 0x301 )
    {
      if ( v8 != 770 )
        goto LABEL_39;
    }
    else if ( v8 - 512 >= 3 )
    {
      if ( v8 != 257 && v8 != 258 )
        goto LABEL_39;
    }
    else
    {
      v6 = -2138636285; // 0x80870003
      if ( !(unsigned int)check_perm((__int64)&_rif_header, (__int64)&v32) )
        goto LABEL_39;
    }
  }
  else if ( v8 )
  {
    goto LABEL_39;
  }
  v6 = -2138636284; // 0x80870004: v7 must be exactly 1
  if ( !v7 )
    goto LABEL_39;
  if ( v7 > 1 )
    goto LABEL_39;
  v6 = _check_if_ps4_activated((__int64 *)&v18, (__int64 *)&v15, (__int64)&_rif_header, 1, a4, _YMM0);
  if ( v6 < 0 )
    goto LABEL_39;
  v6 = -2138636273; // 0x8087000F
  if ( v19.m256i_i8[0] )
    goto LABEL_39;
  // Second dispatch, this time on a value taken from v19 rather than v8.
  v9 = v19.m256i_i32[2];
  if ( v19.m256i_i32[2] <= 0x100u )
  {
    v6 = -2138636282; // 0x80870006
    if ( v19.m256i_i32[2] )
      goto LABEL_39;
    v6 = npdrm_decrypt_kds_rif(&v16.m256i_i64[3], (__int64)&v25, 0, _YMM0);
    // Stack temporaries are cleared straight after the helper returns.
    __asm
    {
      vxorps  ymm0, ymm0, ymm0
      vmovaps [rsp+528h+anonymous_0], ymm0
      vmovaps [rsp+528h+var_528], ymm0
    }
    v17 = 0LL;
    goto LABEL_35;
  }
  if ( v19.m256i_i32[2] > 0x301u )
  {
    v6 = -2138636282; // 0x80870006
    if ( v19.m256i_i32[2] != 770 )
      goto LABEL_39;
  }
  else if ( (unsigned int)(v19.m256i_i32[2] - 512) >= 3 )
  {
    if ( v19.m256i_i32[2] != 257 )
    {
      v6 = -2138636282; // 0x80870006
      if ( v19.m256i_i32[2] != 258 )
        goto LABEL_39;
      v10 = npdrm_decrypt_disc_rif((__int64)&v25, (__int64 *)&v24, _YMM0);
      goto LABEL_34;
    }
  }
  else
  {
    v6 = 0x80870003;
    if ( !(unsigned int)check_perm((__int64)&v18, v19.m256i_u32[2]) )
      goto LABEL_39;
    v9 = v19.m256i_i32[2];
  }
  v10 = npdrm_decrypt_isolated_rif((__int64)&v25, v9, _YMM0);
LABEL_34:
  v6 = v10;
LABEL_35:
  if ( v6 >= 0 )
  {
    // Success: hand six 64-bit results back through a2[0..5].
    a2[3] = v29;
    a2[2] = v28;
    v11 = v26;
    a2[1] = v27;
    *a2 = v11;
    v12 = v30;
    a2[5] = v31;
    a2[4] = v12;
    if ( v5 )
      qmemcpy(v5, &v18, 0x68uLL);
    v6 = 0;
    // The header copy and further stack temporaries are zeroed before return.
    memset((__int64)&_rif_header, 0LL);
    __asm
    {
      vxorps  ymm0, ymm0, ymm0
      vmovaps [rsp+528h+var_488], ymm0
      vmovaps [rsp+528h+var_4A8], ymm0
      vmovaps [rsp+528h+var_4C8], ymm0
    }
    v21 = 0LL;
  }
LABEL_39:
  // v6 is returned only when the value saved in v33 is unchanged.
  result = *(_QWORD *)G__preinit_array_end;
  if ( *(_QWORD *)G__preinit_array_end == v33 )
    result = (unsigned int)v6;
  return result;
}
Cheers to @LightningMods in the PSXHAX Shoutbox for the heads-up on this community project! :notworthy:
PS4 RIF Decryptor WIP by TheoryWrong, Seeking to Fix Broken Code.jpg
 

harryoke

The Man,The Myth,The Legend!!
Developer
Member
Contributor
You need per-title keys to decrypt a pkg, which can only be obtained on a kexploited PS4; once you have the key, you could decrypt the pkg on PC.
bullsh!t post.
 

PSXHAX

Staff Member
Moderator
Verified
Thanks @Figure03, as Hydrogen removed his Tweets on it I demoted it from our news also.

According to sealab in the SB if backups is the goal it's going down that path, but he also said besides the broken code there's another issue with it unrelated to its code.

Also xxmcvapourxx said it will work but requires keys and is only achieved by kernel exploit (this may be the other issue)... so not too handy at the moment for most users it appears.

We'll close this thread for now, but if anyone finds out more feel free to share!
 