
PSXHAX

Last fall we learned that PS4 RIF Files are required to make PlayStation 4 Packages (PKG files) playable, followed by some OMSK App details, the OMSK Client RIF File, an Install Guide for jailbroken consoles and most recently the necessary PS4 IDX File Generator.

Today PlayStation 4 developer @theorywrong (Twitter) shared via HydrogenNGU a PS4 rif_decryptor that is currently broken, and they are seeking some help from scene devs to fix the code. (y)

Download: PS4 RIF Decryptor Code

Code:
#define _WANT_UCRED
#define _XOPEN_SOURCE 700
#define __BSD_VISIBLE 1

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <kernel.h>
#include <ps4/kernel.h>
#include <debugnet.h>

#include "jailbreak.h"

/*
 * Argument block that decrypt_rif() passes by address to ioctl() on
 * /dev/npdrm.
 * NOTE(review): the layout the driver actually expects is not shown on this
 * page; these two fields are the author's assumption. Confirm it before
 * relying on this definition.
 */
typedef struct _decrypt_rif_args
{
  void* buffer;   /* start of the RIF data that was read from disk */
  size_t length;  /* size of that data in bytes */
}
decrypt_rif_args;

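/**
 * Write a buffer to a file, creating or truncating the file.
 *
 * @param name  path of the output file
 * @param raw   bytes to write
 * @param size  number of bytes to write from raw
 *
 * Nothing is returned; every failure is reported over debugnet. Unlike the
 * posted version, a short write or a failing fclose() is reported too, so a
 * truncated output file (for example on a full USB stick) is not silently
 * treated as a good dump.
 */
void save_rif(char *name, uint8_t *raw, size_t size) {
    FILE *out = fopen(name, "wb");
    if (out == NULL) {
        debugNetPrintf(INFO, "dump err.\n");
        return;
    }

    /* fwrite may write fewer bytes than requested; compare against size. */
    int failed = (fwrite(raw, 1, size, out) != size);

    /* fclose flushes buffered data, so its result matters for a write stream. */
    if (fclose(out) != 0) {
        failed = 1;
    }

    if (failed) {
        debugNetPrintf(INFO, "dump err.\n");
    }
}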

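/**
 * Read a RIF file into an aligned buffer, pass that buffer to /dev/npdrm
 * through ioctl(), and write the buffer back out to save_file.
 *
 * @param rif_file   path of the input .rif file
 * @param save_file  path the processed buffer is written to
 * @return 0 when the ioctl succeeded and save_rif() was called, 1 on any
 *         failure before that point
 *
 * The ioctl request code and the argument layout are kept exactly as posted;
 * neither can be verified from this file. Resource handling is tightened
 * relative to the posted version: the file size, the allocation and the read
 * are checked, the device descriptor is closed on the ioctl failure path
 * (it leaked before), and the size is logged with a matching format
 * specifier instead of %p.
 */
int decrypt_rif(char *rif_file, char *save_file) {
    void *rif_addr = NULL;
    long rif_size = -1;
    int fd = -1;
    int io_rc;
    decrypt_rif_args args;

    debugNetPrintf(INFO, "RIF Filename: %s\n", rif_file);
    FILE *rif_input = fopen(rif_file, "rb");
    if (rif_input == NULL) {
        debugNetPrintf(INFO, "fopen: cannot open this file !\n");
        return 1;
    }

    /* ftell() returns -1 on error; an empty file is rejected as well. */
    if (fseek(rif_input, 0L, SEEK_END) == 0) {
        rif_size = ftell(rif_input);
    }
    if (rif_size <= 0 || fseek(rif_input, 0L, SEEK_SET) != 0) {
        debugNetPrintf(INFO, "cannot determine RIF size !\n");
        fclose(rif_input);
        return 1;
    }

    /* NOTE(review): assumes align_alloc() reports failure as NULL -- confirm. */
    rif_addr = align_alloc(0x4000, (size_t)rif_size);
    if (rif_addr == NULL) {
        debugNetPrintf(INFO, "align_alloc failed !\n");
        fclose(rif_input);
        return 1;
    }

    /* Read byte-wise so a short read is detectable. */
    if (fread(rif_addr, 1, (size_t)rif_size, rif_input) != (size_t)rif_size) {
        debugNetPrintf(INFO, "fread: short read !\n");
        fclose(rif_input);
        free(rif_addr);
        return 1;
    }
    fclose(rif_input);

    debugNetPrintf(INFO, "RIF Address: %p\n", rif_addr);
    debugNetPrintf(INFO, "RIF Size: %ld\n", rif_size);

    fd = open("/dev/npdrm", O_RDWR, 0);
    if (fd < 0) {
        free(rif_addr);
        debugNetPrintf(INFO, "Failed to open /dev/npdrm!\n");
        return 1;
    }

    memset(&args, 0, sizeof(args));
    args.buffer = rif_addr;
    args.length = (size_t)rif_size;

    /* Close the descriptor whatever the ioctl outcome, so it never leaks. */
    io_rc = ioctl(fd, 0xC0404E03, &args);
    close(fd);
    if (io_rc < 0) {
        free(rif_addr);
        debugNetPrintf(INFO, "ioctl have a error !!!\n");
        return 1;
    }

    save_rif(save_file, rif_addr, (size_t)rif_size);
    debugNetPrintf(INFO, "Decrypted RIF saved to: %s !\n", save_file);

    free(rif_addr);
    return 0;
}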

/*
 * Entry point: bring up debugnet logging, run the jailbreak payload when the
 * process is not already uid 0, then try the RIF on usb0 and, if that fails,
 * the one on usb1. The output path is on usb1 in both attempts. The process
 * always exits with EXIT_SUCCESS; failures are only visible in the log.
 */
int main(int argc, char **argv)
{
    int64_t kexec_ret;

    debugNetInit("192.168.1.2", 15000, DEBUG);
    debugNetPrintf(INFO, "rif_decrypt initialized\n");

    debugNetPrintf(INFO, "getuid() : %d\n", getuid());
    if (getuid() != 0) {
        /* The result of the kernel call is not inspected; the log line is unconditional. */
        ps4KernelExecute((void*)jailbreak, NULL, &kexec_ret, NULL);
        debugNetPrintf(INFO, "jailbreak!!\n");
    }

    /* && short-circuits: the usb1 attempt runs only after the usb0 attempt failed. */
    if (decrypt_rif("/mnt/usb0/generic.rif", "/mnt/usb1/generic.drif") > 0 &&
        decrypt_rif("/mnt/usb1/generic.rif", "/mnt/usb1/generic.drif") > 0) {
        debugNetPrintf(INFO, "Failed to decrypt RIF !!\n");
    }

    return EXIT_SUCCESS;
}
According to Oneman, calling this code is enough to decrypt any PS4 .rif file.

From Pastebin.com:
Code:
// Decompiler output (note the @<reg> calling-convention annotations, the
// auto-generated vN names and the __asm blocks); this is pseudo-code, not
// compilable C.
//
// As far as the listing shows:
//   a1  - source pointer; 1024 bytes are copied from it into a local buffer
//   a2  - output; six 64-bit values are stored to a2[0]..a2[5] on success
//   a3  - optional output; when non-NULL, 0x68 bytes are copied to it on success
//   a4, _YMM0 - only forwarded to callees
// Return value: v6 truncated to 32 bits (0 on success, otherwise a negative
// status), unless the value saved in v33 changed during the call.
//
// The negative decimal constants are the 32-bit values 0x8087xxxx, the same
// domain as the literal 0x80870003 used further down:
//   -2138636287 = 0x80870001   -2138636285 = 0x80870003
//   -2138636284 = 0x80870004   -2138636283 = 0x80870005
//   -2138636282 = 0x80870006   -2138636273 = 0x8087000F
// The meaning of the individual codes is not shown on this page.
__int64 __usercall dec_rif_ioctls@<rax>(__int64 a1@<rdx>, __int64 *a2@<rdi>, __m256i *a3@<rsi>, unsigned __int64 a4@<r12>, __m256i _YMM0@<ymm0>)
{
  __m256i *v5; // r14@1
  signed int v6; // er13@1
  unsigned int v7; // ebx@6
  unsigned __int32 v8; // eax@6
  __int32 v9; // esi@21
  signed int v10; // eax@31
  __int64 v11; // rax@36
  __int64 v12; // rax@36
  __int64 result; // rax@39
  __m256i v15; // [rsp+0h] [rbp-528h]@19
  __m256i v16; // [rsp+20h] [rbp-508h]@23
  __int64 v17; // [rsp+40h] [rbp-4E8h]@23
  __m256i v18; // [rsp+60h] [rbp-4C8h]@19
  __m256i v19; // [rsp+80h] [rbp-4A8h]@20
  __int64 v21; // [rsp+C0h] [rbp-468h]@38
  unsigned __int64 _rif_header; // [rsp+E0h] [rbp-448h]@4
  unsigned __int16 v23; // [rsp+130h] [rbp-3F8h]@6
  char v24; // [rsp+320h] [rbp-208h]@33
  char v25; // [rsp+340h] [rbp-1E8h]@23
  __int64 v26; // [rsp+380h] [rbp-1A8h]@36
  __int64 v27; // [rsp+388h] [rbp-1A0h]@36
  __int64 v28; // [rsp+390h] [rbp-198h]@36
  __int64 v29; // [rsp+398h] [rbp-190h]@36
  __int64 v30; // [rsp+3C0h] [rbp-168h]@36
  __int64 v31; // [rsp+3C8h] [rbp-160h]@36
  char v32; // [rsp+3E0h] [rbp-148h]@4
  __int64 v33; // [rsp+4E0h] [rbp-48h]@1

  v5 = a3;
  // NOTE(review): saved here and compared again before returning; this looks
  // like a stack-protector canary whose symbol the decompiler mislabelled.
  v33 = *(_QWORD *)G__preinit_array_end;
  // v6 always holds the status that the next failing check will return.
  v6 = -2138636287;
  if ( !dword_8EF0C0 )
    goto LABEL_39;
  v6 = -2138636283;
  // Both the output pointer and the input pointer must be non-NULL.
  if ( !a2 )
    goto LABEL_39;
  if ( !a1 )
    goto LABEL_39;
  // Fixed-size copy into the local buffer that starts at rsp+E0h. Going by the
  // stack offsets in the declarations, 1024 bytes end exactly at v33
  // (rsp+4E0h), so v23..v32 presumably alias parts of this buffer rather than
  // being separate variables.
  memcpy((__int64)&_rif_header, a1, 1024LL);
  v6 = sub_28D870((__int64)&_rif_header, (__int64)&v32);
  if ( v6 < 0 )
    goto LABEL_39;
  v6 = -2138636282;
  // Magic check on the first 32 bits of the copied data.
  if ( (_DWORD)_rif_header != 'FIR' )
    goto LABEL_39;
  // v7: the 16-bit field in bits 32..47 of the first qword, byte-swapped.
  v7 = ((unsigned int)(unsigned __int16)(_rif_header >> 32) >> 8) | (unsigned __int16)((unsigned __int16)(_rif_header >> 32) << 8);
  // v8: the 16-bit field v23, byte-swapped.
  v8 = _byteswap_ulong(v23) >> 16;
  // Accepted v8 values: 0, 0x101, 0x102, 0x302 (770), and 0x200..0x202 when
  // check_perm() returns non-zero. Everything else exits with the status
  // currently in v6.
  if ( v8 > 0x100 )
  {
    if ( v8 > 0x301 )
    {
      if ( v8 != 770 )
        goto LABEL_39;
    }
    else if ( v8 - 512 >= 3 )
    {
      if ( v8 != 257 && v8 != 258 )
        goto LABEL_39;
    }
    else
    {
      v6 = -2138636285;
      if ( !(unsigned int)check_perm((__int64)&_rif_header, (__int64)&v32) )
        goto LABEL_39;
    }
  }
  else if ( v8 )
  {
    goto LABEL_39;
  }
  v6 = -2138636284;
  // v7 must be exactly 1.
  if ( !v7 )
    goto LABEL_39;
  if ( v7 > 1 )
    goto LABEL_39;
  // Fills v18 and v15 from the header; what it checks is only suggested by its name.
  v6 = _check_if_ps4_activated((__int64 *)&v18, (__int64 *)&v15, (__int64)&_rif_header, 1, a4, _YMM0);
  if ( v6 < 0 )
    goto LABEL_39;
  v6 = -2138636273;
  // NOTE(review): v19 sits 0x20 bytes after v18 on the stack, so it is
  // presumably part of the 0x68-byte structure that the call above filled in.
  if ( v19.m256i_i8[0] )
    goto LABEL_39;
  // Dispatch on the 32-bit type field, using the same value set as v8 above:
  //   0                     -> npdrm_decrypt_kds_rif
  //   258                   -> npdrm_decrypt_disc_rif
  //   257, 0x200..0x202, 770 -> npdrm_decrypt_isolated_rif
  v9 = v19.m256i_i32[2];
  if ( v19.m256i_i32[2] <= 0x100u )
  {
    v6 = -2138636282;
    if ( v19.m256i_i32[2] )
      goto LABEL_39;
    v6 = npdrm_decrypt_kds_rif(&v16.m256i_i64[3], (__int64)&v25, 0, _YMM0);
    // The stores below zero two 32-byte stack slots and v17 right after the
    // call, whether or not it succeeded.
    __asm
    {
      vxorps  ymm0, ymm0, ymm0
      vmovaps [rsp+528h+anonymous_0], ymm0
      vmovaps [rsp+528h+var_528], ymm0
    }
    v17 = 0LL;
    goto LABEL_35;
  }
  if ( v19.m256i_i32[2] > 0x301u )
  {
    v6 = -2138636282;
    if ( v19.m256i_i32[2] != 770 )
      goto LABEL_39;
  }
  else if ( (unsigned int)(v19.m256i_i32[2] - 512) >= 3 )
  {
    if ( v19.m256i_i32[2] != 257 )
    {
      v6 = -2138636282;
      if ( v19.m256i_i32[2] != 258 )
        goto LABEL_39;
      v10 = npdrm_decrypt_disc_rif((__int64)&v25, (__int64 *)&v24, _YMM0);
      goto LABEL_34;
    }
  }
  else
  {
    v6 = 0x80870003;
    // NOTE(review): the argument types differ from the earlier check_perm()
    // call; probably a decompiler typing artefact. Confirm in the disassembly.
    if ( !(unsigned int)check_perm((__int64)&v18, v19.m256i_u32[2]) )
      goto LABEL_39;
    v9 = v19.m256i_i32[2];
  }
  v10 = npdrm_decrypt_isolated_rif((__int64)&v25, v9, _YMM0);
LABEL_34:
  v6 = v10;
LABEL_35:
  if ( v6 >= 0 )
  {
    // Success: publish six qwords (48 bytes) taken from the local buffer to the caller.
    a2[3] = v29;
    a2[2] = v28;
    v11 = v26;
    a2[1] = v27;
    *a2 = v11;
    v12 = v30;
    a2[5] = v31;
    a2[4] = v12;
    // The second output is optional.
    if ( v5 )
      qmemcpy(v5, &v18, 0x68uLL);
    v6 = 0;
    // Scrub the local header copy and the v18.. area before returning. The
    // decompiler dropped memset's length argument. NOTE(review): this scrub
    // is only on the success path; the exits through LABEL_39 skip it.
    memset((__int64)&_rif_header, 0LL);
    __asm
    {
      vxorps  ymm0, ymm0, ymm0
      vmovaps [rsp+528h+var_488], ymm0
      vmovaps [rsp+528h+var_4A8], ymm0
      vmovaps [rsp+528h+var_4C8], ymm0
    }
    v21 = 0LL;
  }
LABEL_39:
  // Common exit: the status in v6 is returned only when the saved value still matches.
  result = *(_QWORD *)G__preinit_array_end;
  if ( *(_QWORD *)G__preinit_array_end == v33 )
    result = (unsigned int)v6;
  return result;
}
Cheers to @LightningMods in the PSXHAX Shoutbox for the heads-up on this community project! :notworthy:
 
You need per-title keys to decrypt a PKG, and these can only be obtained on a kexploited PS4; once you have the key, you could decrypt the PKG on a PC.
bullsh!t post.
 
Thanks @Figure03, as Hydrogen removed his Tweets on it I demoted it from our news also.

According to sealab in the SB if backups is the goal it's going down that path, but he also said besides the broken code there's another issue with it unrelated to its code.

Also, xxmcvapourxx said it will work, but it requires keys and that is only achieved by a kernel exploit (this may be the other issue)... so it appears not to be too handy for most users at the moment.

We'll close this thread for now, but if anyone finds out more feel free to share!
 