PS4 Jailbreaking. Thread starter: PSXHAX. Start date: Apr 23, 2017 at 6:11 AM.
Status
Not open for further replies.
Following his PS4 PFS Protection Bypass Guide, initial GameArchives PFS Support, GameArchives Updates and MakePFS utility this weekend @zecoxao dropped a hint on Twitter of a retail PS4 Sealedkey / pfsSKKey and is seeking someone with a PlayStation 4 DevKit / TestKit to decrypt it... noting that both the PS4 retail and development Sealedkey / pfsSKKey should be the same. ;)

According to the PSDevWiki the Sealedkey / pfsSKKey can be obtained in different places and is used for SaveGame or Trophy Data decryption and encryption reminiscent of the PS4 Retail / Debug Game Transfusion Tutorial where savegames and trophies were confirmed as working. (y)

To quote: Sealedkey / pfsSKKey

This key can be found on different places and will be used for eg. SaveGame or Trophy Data decryption and encryption.

Flags

Kind       Path
Trophies   /user/home/user Id/trophy/data/sce_trop/sealedkey
SaveGames  /user/home/user Id/title Id/save data directory/sce_sys/

Structure
  • size always 96 bytes

From  To  Description
00    07  MAGIC ("pfsSKKey") (?playstation file system sealed key key?)
08    09  KeySet for getSealedKeySecret (changed beyond kernel 1.73)
0A    0F  Just 0x00 Bytes
10    1F  IV (16 bytes)
20    3F  Encrypted key (32 bytes)
40    5F  SHA-256 (32 bytes)
C
Code:
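/* 96 bytes in total; fields are not const because the struct is filled from a file */
typedef struct sealedkey_t {
     unsigned char MAGIC[8];      /* "pfsSKKey" */
     unsigned char CAT[8];        /* 2-byte KeySet followed by 6 zero bytes */
     unsigned char IV[16];
     unsigned char KEY[32];       /* encrypted key */
     unsigned char SHA256[32];
} PfsSKKey;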
CSharp
Code:
protected internal struct sealedkey {
     internal static byte[] MAGIC = new byte[8];
     internal static byte[] CAT = new byte[8];
     internal static byte[] IV = new byte[16];
     internal static byte[] KEY = new byte[32];
     internal static byte[] SHA256 = new byte[32];
}
Note: You can't use a const byte[] definition in C#. It needs to be a static byte[].

De/En -Crypting

Can be decrypted by friendly asking the OS to do it for you. You will need kernel rights to be able to ask the PS4 for it.
Code:
/* Decryption */
#include <stdio.h>
#include <string.h>

/* Iterate over every element of a real array (not a pointer) */
#define foreach(item, array) \
     for (int keep = 1, \
              count = 0, \
              size = sizeof(array) / sizeof *(array); \
          keep && count != size; \
          keep = !keep, count++) \
         for (item = (array) + count; keep; keep = !keep)

typedef unsigned char byte;              /* byte definition for C */
const byte PFSK_IDENT[8] = "pfsSKKey";   /* 8 bytes, no terminating NUL */
const byte VERSION[8] = "\x01\x00\x00\x00\x00\x00\x00\x00";
const char *USER1 = "10000000";
const char *usb0 = "/mnt/usb0/";
const char *usb1 = "/mnt/usb1/";
const char *pfs = "dec_pfsSK.Key";
const char *home = "/user/home/";
const char *tropkey = "/trophy/data/sce_trop/sealedkey";
const char *usb_error = "[-] ERROR: Can't access usb0 nor usb1!\n[-] Will return now to caller.\n";
char usb0path[64];                       /* room for mount point + file name */
char usb1path[64];

/* Assumed prototype: the page only shows the call
   kernel.sceSblSsDecryptSealedKey(&enc, &dec) and never declares it.
   The symbol has to be resolved from the kernel. */
int sceSblSsDecryptSealedKey(PfsSKKey *enc, byte *dec);

/* Gets the encrypted sealed key based on user id. Returns 1 on success, 0 on failure. */
int get_pfsSKKey(PfsSKKey *buffer, const char *userID, const char *path) {
     char toOpen[128];

     /* Build "/user/home/<userID><path>" without overflowing toOpen */
     snprintf(toOpen, sizeof toOpen, "%s%s%s", home, userID, path);

     FILE *pfskey = fopen(toOpen, "rb");

     if (!pfskey) return 0;

     /* The file is always 96 bytes; a short read is an error */
     size_t got = fread(buffer, 96, 1, pfskey);
     fclose(pfskey);
     return got == 1;
}

/* Dump the sealedkey. Print it (to == 0) or save it to file (to == 1) */
int dumpDecryptedSealedKey(int to) {
     if (to < 0 || to > 1) return -2;

     /* First load the sealedkey into a buffer */
     PfsSKKey enc;
     if (!get_pfsSKKey(&enc, USER1, tropkey)) {
         printf("[-] Can not load the sealed key!\n");
         return -1;
     }

     /* Let's check the pfsSKKey: arrays must be compared with memcmp, not == */
     if (memcmp(enc.MAGIC, PFSK_IDENT, sizeof enc.MAGIC) == 0 &&
         memcmp(enc.CAT, VERSION, sizeof enc.CAT) == 0) {
         printf("[+] Magic and version ok!\n[+] sk IV = ");
         foreach(const byte *val, enc.IV) printf("%02X", *val);

         printf("\n[+] sk KEY = ");
         foreach(const byte *val, enc.KEY) printf("%02X", *val);

         printf("\n[+] sk Key-SHA256 = ");
         foreach(const byte *val, enc.SHA256) printf("%02X", *val);
         printf("\n");

     }
     else return -4;

     /* Now decrypt it */
     byte dec[16];

     int i;
     if (!(i = sceSblSsDecryptSealedKey(&enc, dec))) {
         printf("[-] Error!\n[-] sceSblSsDecryptSealedKey returned %d\n", i);
         return -1;
     }
     printf("[+] sceSblSsDecryptSealedKey returned %d\n", i);

     if (!to) { /* Print it out */
         printf("[+] Your decrypted sealedkey = ");

         foreach(const byte *val, dec) printf("%02X", *val);

         printf("\n");
         return 1;
     }
     else { /* Saving to file */
         printf("[+] Will try to save to file...");

         snprintf(usb0path, sizeof usb0path, "%s%s", usb0, pfs);
         snprintf(usb1path, sizeof usb1path, "%s%s", usb1, pfs);

         /* Try usb0 first, then fall back to usb1 */
         FILE *dump = fopen(usb0path, "wb");

         if (!dump) {
             dump = fopen(usb1path, "wb");
             if (!dump) {
                 printf("fail!\n%s", usb_error);
                 return -3;
             }
         }

         fwrite(dec, sizeof dec, 1, dump);
         printf("done!\n");
         fclose(dump);
         return 1;
     }
}
Reverse Engineering PS4 Trophies Data Documentation by thedarkprogr via PSDevWiki.com:

Trophy


_lp.Pkg <==== not sure why this is here but leaving it here

Background

Trophy files are encrypted on the PS4 by default and mounted by the console each time a game boots

Trophy files get mounted to /mnt/pfs/trophy/{UserId}/data/{NpComId}

Trophy Locations

Trophy files are saved in the following location

/user/home/{UserId}/trophy/data/ <=== This Directory contains all trophies for all games on the console with the NPComId (e.g. NPWR04914_00)

Inside each of these directories are the following files
  • sealedkey <==== Sealed Key of each trophy file
  • trophy.img <=== The sealed file signed with the sealed key
There is also a SQLite DB that contains all information regarding trophies

/user/home/10000000/trophy/db/trophy_local.db

Un-encrypted trophies can also be found on the PS4 in the following locations

/user/trophy/conf/ <=== these Directories seem completely useless but it does have some stuff to play with

And from the Github README.md: Manual-PS4-Trophy-Unlocker

Explanation on a method on how to unlock trophies on the PS4

Requirements

np_trophy, a target (for this I used CUSA00184 [Angry Birds Star Wars])

Step 1

Decrypt the pkg of the game (passcode should be all zeros). From the decrypted files you will need the following:
  • basically the whole /sc0/ directory; just don't use the changeinfo directory, psresereved.dat or the trophy directory there
  • the trophy directory (can be obtained via FTP)
Now we can start: you need to open up nptitle.dat in a hex viewer and grab the nptitleid and the secret.

Now you need to place those values inside np_trophy in the NpTitleId and NpTitleSecret variables.

Then you can build the pkg and that's it: press X, select your trophy and click unlock.


From PSDevWiki.com: Portable Keys Dumps


Download: TrophyUnlocker.zip (includes TrophyUnlocker.exe)

To quote: Trophy Unlocker Beta

It's simple.
  • Run TrophyUnlocker.exe
  • Add the Param.sfo of the current game you want to run.
  • Add the Nptitle and NpBlind files and add the trophy.trp file
  • All can be dumped with the app dump payload.
  • Click build.
  • Now install the created pkg on the PS4 (If the game is installed it will overwrite it so be careful)
  • Run it.
  • Click the arrows up and down to select the trophy you want unlocked
  • [ ] to view the trophy list.
  • X to unlock.
  • And Triangle for a screenshot
Have fun
XDPx

P.S. This is a beta, and a better-looking UI with more stability will be coming soon, as well as the source code to the GitHub. Edit: here is a hotfix, thanks GraFfiX_221211 for testing.
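
The 96-byte sealedkey layout quoted from PSDevWiki earlier in this post, as an added example that is not part of the original post or the wiki: a C parser that only validates the container (size, magic, zero padding) and exposes the fields, without decrypting anything. The names sealedkey_parse, sealedkey_view and make_sample are hypothetical, the sample blob is constructed, and reading the KeySet as little-endian is an assumption.

```c
#include <stdint.h>
#include <string.h>

#define SEALEDKEY_SIZE 96

/* Field view of a sealedkey file, following the page's offset table. */
typedef struct {
    uint16_t keyset;         /* 0x08-0x09; little-endian is an assumption */
    const uint8_t *iv;       /* 0x10-0x1F, 16 bytes */
    const uint8_t *enc_key;  /* 0x20-0x3F, 32 bytes, still encrypted */
    const uint8_t *digest;   /* 0x40-0x5F, 32 bytes, stored SHA-256 field */
} sealedkey_view;

enum sk_status { SK_OK = 0, SK_BAD_SIZE, SK_BAD_MAGIC, SK_BAD_PADDING };

/* Check the container layout only (no decryption) and fill *out with
   pointers into buf. */
enum sk_status sealedkey_parse(const uint8_t *buf, size_t len, sealedkey_view *out)
{
    if (buf == NULL || out == NULL || len != SEALEDKEY_SIZE)
        return SK_BAD_SIZE;
    if (memcmp(buf, "pfsSKKey", 8) != 0)
        return SK_BAD_MAGIC;
    for (size_t i = 0x0A; i <= 0x0F; i++)    /* "Just 0x00 Bytes" */
        if (buf[i] != 0)
            return SK_BAD_PADDING;
    out->keyset  = (uint16_t)(buf[0x08] | (buf[0x09] << 8));
    out->iv      = buf + 0x10;
    out->enc_key = buf + 0x20;
    out->digest  = buf + 0x40;
    return SK_OK;
}

/* Constructed sample, not a real key: magic, keyset 1, filler fields. */
void make_sample(uint8_t blob[SEALEDKEY_SIZE])
{
    memset(blob, 0, SEALEDKEY_SIZE);
    memcpy(blob, "pfsSKKey", 8);
    blob[0x08] = 0x01;
    memset(blob + 0x10, 0xA5, 80);           /* IV, key and digest filler */
}

int main(void)
{
    uint8_t blob[SEALEDKEY_SIZE];
    sealedkey_view v;
    make_sample(blob);
    return sealedkey_parse(blob, sizeof blob, &v) == SK_OK ? 0 : 1;
}
```

A file that fails any of these checks is truncated, padded or not a sealedkey at all, which is worth knowing before handing it to any other tool.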
 

Comments

I like the sound of savegame and trophy data decryption and encryption... maybe it will slow down all the for-profit apps popping up for PS4 game saves and encourage free and open-source alternatives at some point. <3
 
I'm not sure I like it. I don't care what people do with their trophies or saves, but if it means people unlocking extra content for multiplayer games I don't like it.
 
We can always count on Sony to keep modders 'fun' to a minimum... especially on PSN, so hopefully it wouldn't completely ruin online gaming.
 
Any more work being done by devs on save data? Would be great to see a free solution to save wizard like the bsd days. Especially since all the new 405/455 ps4 developments.
 
Can anyone help me to decrypt a save so that I can use it on 5.05 with hen? I've activated the ps (thx to offline account activator) so now I can use the usb function to copy them, but if the saves are from a higher fw it says it is corrupted. The saves are from 7.00 fw.
 