Recently we reported on PS4 Game Saves and PS4 Trophies working on a PlayStation 4 DevKit / TestKit, and this weekend @happyelement (aka harlequin) shared a PS4 Trophy Resigner script for developers to test out based on @flatz's previously-released PKG / PUP Python Scripts using the PS4 Trophy Retail Key.
Download: PS4 Trophy Resigner Makefile / GIT
Below is the script that would resign PS4 trophies extracted with the PlayStation 4 Trophy (PS4 .TRP File) Extractor by @RedEyeX32 if testing is successful:
Makefile:
trophy.c:
trp_resigner.c:
From the PS4Tools GIT, to quote: ps4tools
My collection of tools for PS4 file handling.
Credits
flat_z (original Python scripts for PUP and PKG unpacking)
CHANGELOG
I have put my trophy resigner in github, can anybody try this if it's working
https://github.com/harlequin/ps4tools
Please put key (trp-key-retail) in the PS4KEYS folder
If anyone gives it a try let us know if it works for you or not in the comments!
Update: From @zecoxao on the GIT, to quote: np_comm_id must be AAAA00000_00 (ok here) resigning must be made by decrypting with retail key and encrypting with debug key (not respected here) trophy must be named trophy00.trp (user can choose, so it's ok here)
I suggest before encrypting with retail key to encrypt with debug key and test. I can provide builds of debug trophy and retail trophy of a game for further analysis.
Here's the respective trophy files from minecraft retail and debug:
Download: trophy.zip (3.31 MB)
minor fixes and adjustments #2:
trp_resigner.c:
Two issues with trophy.c on your ps4tools:
This should fix memory alloc issues with computers with less than a certain amount of RAM (memset handles the rest)
Download: PS4 Trophy Resigner Makefile / GIT
Below is the script that would resign PS4 trophies extracted with the PlayStation 4 Trophy (PS4 .TRP File) Extractor by @RedEyeX32 if testing is successful:
Makefile:
Code:
CC = gcc
CFLAGS = -g -O2 -Wall
LDLIBS = -lz
FILES = pupunpack unpkg unpfs trophy trp_resigner
COMMON = sha2.o mingw_mmap.o tools.o aes.o sha1.o
DEPS = Makefile sha2.h
OBJS = $(COMMON) $(addsuffix .o, $(FILES))
all: $(FILES)
$(FILES): %: %.o $(COMMON) $(DEPS)
$(CC) $(CFLAGS) -o $@ $< $(COMMON) $(LDLIBS)
$(OBJS): %.o: %.c $(DEPS)
$(CC) $(CFLAGS) -c -o $@ $<
clean:
rm -f $(OBJS) $(FILES) *.exe *~
Code:
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>
#include <assert.h>
#include <stdint.h>
#ifdef WIN32
#include "mingw_mmap.h"
#include <windows.h>
#include <wincrypt.h>
#else
#include <sys/mman.h>
#endif
#ifdef WIN32
#define MKDIR(x,y) mkdir(x)
#else
#define MKDIR(x,y) mkdir(x,y)
#endif
#include "types.h"
#include "tools.h"
typedef struct {
unsigned int magic; //
unsigned int version;
unsigned long file_size; // size of full trp file
unsigned int entry_num; // num entries
unsigned int entry_size; // size of entry
unsigned int dev_flag; // 1: dev
unsigned char digest[20]; //sha1 hash
unsigned int key_index;
unsigned char padding[44];
} trp_header;
typedef struct {
signed char entry_name[32];
unsigned long entry_pos;
unsigned long entry_len;
unsigned int flag; //3 on some, 0 on others, could be flags or an enum to determine if encrypted or not?
unsigned char padding[12];
} trp_entry;
static u8 *trophy = NULL;
u8 key[0x10]= {0};
u8 iv[0x10] = {0};
u8 ckey[0x10];
u8 civ[0x10];
trp_header *header;
u8 *np_comm_id = NULL;
u8 brutforce_npcommid (u8 *ptr, u64 len) {
u32 i;
u8 *out;
u8 *str;
printf("[!] Bruteforce attack started ... ");
np_comm_id = malloc(0x10);
for ( i = 0; i < 99999; i++ ) {
memset(np_comm_id, 0, 0x10);
sprintf(np_comm_id, "%s%05d_00", "NPWR", i);
aes128cbc_enc( key, iv, np_comm_id, 0x10, ckey);
memcpy(civ, ptr, 0x10);
out = malloc(len - 0x10);
aes128cbc(ckey, civ, ptr + 0x10, len - 0x10, out);
str = malloc(0x04);
memcpy(str, out, 0x04);
if ( !strcmp(str, "<!--") ) {
printf("Key found [%s]!\n", np_comm_id);
return 0;
}
}
printf("Failed!\n");
return 1;
}
int main(int argc, char *argv[]) {
u32 i;
u32 j;
u32 z;
u64 pos;
trp_entry *entry;
if (argc != 2 && argc != 3)
fail("usage: trophy filename [target]");
trophy = mmap_file(argv[1]);
if ( argv[2] != NULL ) {
MKDIR(argv[2], 0777);
if (chdir(argv[2]) != 0)
fail("chdir(%s)", argv[2]);
}
header = malloc(sizeof(trp_header));
memcpy( header, trophy, sizeof(trp_header) );
printf("[+] Tophy Magic 0x%X\n", header->magic);
printf("[+] Tophy Version 0x%x\n", header->version);
header->file_size = be64(trophy + 0x08);
printf("[+] Tophy File Size 0%X\n", header->file_size);
header->entry_num = be32(trophy + 0x10);
printf("[+] Tophy Number of Entries %d\n", header->entry_num);
printf("[+] Tophy Size of Entry: 0x%x\n", header->entry_size);
printf("[+] Tophy Dev Flag: 0x%x\n", header->dev_flag);
printf("[+] Tophy SHA-1 Hash: 0x%x\n", header->digest);
if ( header->dev_flag == 0x40000000 ) {
if (key_get_simple("trp-key-retail", key, 0x10) < 0)
fail("failed to load the ps4 trp retail key.");
} else {
if (key_get_simple("trp-key-debug", key, 0x10) < 0)
fail("failed to load the ps4 trp debug key.");
}
for(i = 0; i < header->entry_num; i++) {
entry = malloc(sizeof(trp_entry));
if(!entry) {
printf("Error in malloc\n");
}
pos = 0x60 + (i * 0x40);
memcpy( entry->entry_name, trophy + pos, 0x20);
entry->entry_pos = be64( trophy + pos + 0x20 );
entry->entry_len = be64( trophy + pos + 0x20 + 0x08 );
entry->flag = be32( trophy + pos + 0x20 + 0x08 + 0x08);
printf("[*] Entry Name: %.*s Pos: 0x%X Len: 0x%X Flag: 0x%X\n", 32, entry->entry_name, entry->entry_pos, entry->entry_len, entry->flag);
if ( entry->flag == 3 ) {
//encrypted files detected
if ( np_comm_id == NULL ) {
if ( brutforce_npcommid(trophy + entry->entry_pos, entry->entry_len) == 1) {
fail("failed to bruteforce.");
}
}
memcpy(civ, trophy + entry->entry_pos, 0x10);
aes128cbc(ckey, civ, trophy + entry->entry_pos + 0x10, entry->entry_len - 0x10, trophy + entry->entry_pos + 0x10);
memcpy_to_file( entry->entry_name, trophy + entry->entry_pos + 0x10, entry->entry_len - 0x10 );
} else {
memcpy_to_file( entry->entry_name, trophy + entry->entry_pos, entry->entry_len );
}
}
return 0;
}
Code:
/*
* Copyright (C) harlequin
*
* This software is distributed under the terms of the GNU General Public
* License ("GPL") version 3, as published by the Free Software Foundation.
*
*/
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>
#include <assert.h>
#include <stdint.h>
#ifdef WIN32
#include "mingw_mmap.h"
#include <windows.h>
#else
#include <sys/mman.h>
#endif
#include "types.h"
#include "tools.h"
u8 np[0x10];
u8 iv[0x10] = {0};
u8 *ptr;
u8 key[0x10]= {0};
u8 org_key[0x10];
u8 new_key[0x10];
typedef struct {
u8 entry_name[32];
u64 entry_pos;
u64 entry_len;
u32 flag; //3 on some, 0 on others, could be flags or an enum to determine if encrypted or not?
u8 padding[12];
} trp_entry;
int main(int argc, char *argv[]) {
u32 num;
u64 pos;
u64 sz;
u32 i;
if (argc != 4)
fail("usage: trp_resigner trophy.trp np_comm_id debug_trophy.trp");
ptr = mmap_file(argv[1]);
sz = be64(ptr + 0x08);
num = be32(ptr + 0x10);
if (key_get_simple("trp-key-retail", key, 0x10) < 0)
fail("failed to load the ps4 trp retail key.");
//org key
memset(np, 0x00, 0x10);
memcpy(np, argv[2], 12);
aes128cbc_enc(key, iv, np, 0x10, org_key);
//new key
memset(np, 0x00, 0x10);
memcpy(np, "AAAA00000_00", 12);
aes128cbc_enc(key, iv, np, 0x10, new_key);
for(i = 0; i < num; i++) {
pos = 0x60 + (i * 0x40);
trp_entry *e;
e = malloc(0x40);
e->entry_pos = be64( ptr + pos + 0x20 );
e->entry_len = be64( ptr + pos + 0x20 + 0x08 );
e->flag = be32( ptr + pos + 0x20 + 0x08 + 0x08);
if ( e->flag == 0x03 ) {
u8 civ[0x10] = {0};
memcpy(civ, ptr + e->entry_pos, 0x10);
//decrypt
aes128cbc(org_key, civ, ptr + e->entry_pos + 0x10, e->entry_len - 0x10, ptr + e->entry_pos + 0x10);
//encrypt with new key np
aes128cbc_enc(new_key, civ, ptr + e->entry_pos + 0x10, e->entry_len - 0x10, ptr + e->entry_pos + 0x10);
}
}
//set header flag to development
wbe32(ptr + 0x18, 0x00000001);
//calculate sha1 - set to zero, calc, store
memset(ptr + 0x1C, 0, 0x14);
sha1(ptr, sz, ptr + 0x1C);
memcpy_to_file(argv[3], ptr , sz );
return 0;
}
My collection of tools for PS4 file handling.
Credits
flat_z (original Python scripts for PUP and PKG unpacking)
CHANGELOG
- First Release
- pupunpack: splits PS4UPDATE.PUP and exposes inner PUP files (encrypted).
- unpkg: unpacks retail/debug PKG files while collecting data and dumping internal files (mostly a C port of flat_z's Python script, at the moment).
- unpfs: unpacks pfs images
- trophy: unpack trophy files (incl. bruteforce for npcommid)
I have put my trophy resigner in github, can anybody try this if it's working
https://github.com/harlequin/ps4tools
Code:
trp_resigner trophy.trp np_comm_id debug_trophy.trp
If anyone gives it a try let us know if it works for you or not in the comments!
Update: From @zecoxao on the GIT, to quote: np_comm_id must be AAAA00000_00 (ok here) resigning must be made by decrypting with retail key and encrypting with debug key (not respected here) trophy must be named trophy00.trp (user can choose, so it's ok here)
I suggest before encrypting with retail key to encrypt with debug key and test. I can provide builds of debug trophy and retail trophy of a game for further analysis.
Here's the respective trophy files from minecraft retail and debug:
Download: trophy.zip (3.31 MB)
minor fixes and adjustments #2:
Code:
edited trophy resigner to allow debug resigning 2368717
changed flags, it's now closer to the debug aae92e0
set signature to x 4d2cedc
changed flag (was missing this one) 572d0d1
fixed np_comm_id inside xml fc9ff23
Code:
#include "tools.h"
u8 np[0x10];
+u8 np2[0x10];
u8 iv[0x10] = {0};
+u8 new_civ[0x10] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
u8 *ptr;
u8 key[0x10]= {0};
+u8 key2[0x10]= {0};
u8 org_key[0x10];
-u8 new_key[0x10];
+u8 new_key[0x10];
Code:
1- line 58 (change to u8 np_comm_id[0x10];)
2- line 68 (either comment it or remove it)