Here's a guide from PlayStation 4 developer @RedEyeX32 covering SceNpTrophySignature which is located inside PS4 Decrypted ESFM trophy files such as TROP.ESFM. 
Download: SceNpTrophySignature.rar (83 KB)
This comes since we've seen a PS4 Trophy Resigner Makefile, Resigning PS4 Trophies Tutorial, PS4 Trophy Modding Guide, Modding PS4 Profile Trophies Demo and most recently PS4 Trophy Data Decryption Keys.
To quote from Red-EyeX32 on NGU: Hello NextGenUpdate, I was really curious and bored and decided to tinker with SceNpTrophySignature stored inside decrypted ESFM (trophy) files, specifically TROP.ESFM from Call of Duty: MWR that I released on Twitter.
The first thing I did was get the Sce-Np-Trophy-Signature tag inside the decrypted file, and created a new file and converted it to hex.
The output should be looking similar to this (will change on different file of course):
The structure of this goes as the following:
The digest described in the structure is a SHA-1 HMAC hash and signature is signed by RSA. The hunt was on to find keys to generate the digest and find keys for RSA.
But of course only public keys were to be found. If someone can factor Modulus for RSA plz let me know kthnx. The keys were fairly easy to find.
To calculate the SHA-1 HMAC hash all you have to do is get data in the decrypted ESFM starting from <trophyconf tag all the way to the end.
In the end there might be some padding (0D) make sure to delete up to hex value (0A), and you'll have to add the data from SceNpTrophyHeader struct to the end to calculate the hash.
Since we cannot sign our own signature due to us not having the private keys, all we can do is verify our signature and see that it's valid and came from in this case Sony. To verify, you'll have to generate a SHA1 hash of a message.
The message is the same thing as what you used to calculate the SHA-1 HMAC hash but now you'll have to add SceNpTrophySignature->digest to the end of the file.
I'm going to be including the stock TROP.ESFM (untouched) file I used, calc.bin file that I used to calculate the hash and verify signature, and the Sce-Np-Trophy-Signature (which you can easily do with the already included TROP.ESFM but why not).
I'm also going to include the source code to the tool I used to calculate everything. All the files are going to be stored in the /bin folder.
P.S: They used the same keys on PlayStation 3.
From @notzecoxao via Twitter to quote: welp, now i know what AD_SIGN keys are for
To quote from the Dev Wiki: SCEI_AD_SIGN RSA Keys (External)
Download: SceNpTrophySignature.rar (83 KB)
This comes since we've seen a PS4 Trophy Resigner Makefile, Resigning PS4 Trophies Tutorial, PS4 Trophy Modding Guide, Modding PS4 Profile Trophies Demo and most recently PS4 Trophy Data Decryption Keys.
To quote from Red-EyeX32 on NGU: Hello NextGenUpdate, I was really curious and bored and decided to tinker with SceNpTrophySignature stored inside decrypted ESFM (trophy) files, specifically TROP.ESFM from Call of Duty: MWR that I released on Twitter.
The first thing I did was get the Sce-Np-Trophy-Signature tag inside the decrypted file, and created a new file and converted it to hex.
The output should be looking similar to this (will change on different file of course):
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 4C 39 B9 8C 01 00 00 00 00 00 00 00 80 B9 E0 DE L9¹Œ........€¹àÞ
00000010 C1 C8 ED DB D9 0C F4 5D 7E CE 2A 65 6C 9D 7F F5 ÁÈíÛÙ.ô]~Î*el..õ
00000020 96 77 C4 7D 73 52 09 B7 35 69 89 BD 5A CE 0A 82 –wÄ}sR.·5i‰½ZÎ.‚
00000030 C8 58 06 B6 22 8B 5B 26 A7 A8 AB D1 C4 62 92 6D ÈX.¶"‹[&§¨«ÑÄb’m
00000040 5A 99 56 AD 6D 13 97 4B 2E 12 EB 23 DE A3 3D D2 Z™V.m.—K..ë#Þ£=Ò
00000050 57 25 70 00 DF D0 8F 73 83 19 84 D2 BC 56 15 FE W%p.ßÐ.sƒ.„Ò¼V.þ
00000060 EB 39 FB D8 A9 91 BF B5 60 1F 0D D8 4C E5 F3 5B ë9ûØ©‘¿µ`..ØLåó[
00000070 AA 52 AA 58 DB CA 0A 8D 77 B8 41 E6 DE E8 D1 5C ªRªXÛÊ..w¸AæÞèÑ\
00000080 1D BF 39 E2 34 F1 1D 16 DB CA 27 C7 EB 67 82 87 .¿9â4ñ..ÛÊ'Çëg‚‡
00000090 32 AD 80 43 A7 68 23 61 FC AC D8 FF E9 2B 54 17 2.€C§h#aü¬Øÿé+T.
Code:
typedef struct {
u8 digest[20];
u8 signature[128];
} SceNpTrophySignature;
typedef struct {
u32 magic; // (0x4C39B98C)
u64 version; // (1.00)
SceNpTrophySignature signature;
} SceNpTrophyHeader;But of course only public keys were to be found. If someone can factor Modulus for RSA plz let me know kthnx. The keys were fairly easy to find.
Code:
private byte[] SceNpTrophyXmlShaHmacKey = new byte[64] {
0x6A, 0xC0, 0xB3, 0xFB, 0x1E, 0xBB, 0x4F, 0xB7, 0xBC, 0xC2, 0xA0, 0x0D, 0xA3, 0xA2, 0xA4, 0xBD,
0xBC, 0xB7, 0x88, 0xEC, 0x45, 0x67, 0x48, 0xCC, 0x86, 0xCD, 0x9D, 0x09, 0xEF, 0x37, 0x93, 0x7F,
0x6E, 0xE3, 0x11, 0x67, 0x77, 0x8E, 0x41, 0x4E, 0x9B, 0x71, 0x1B, 0xE9, 0xD8, 0xCB, 0xB5, 0xF8,
0x95, 0x6E, 0x45, 0x4E, 0xE9, 0x4A, 0x46, 0xC3, 0x9D, 0xC4, 0xFF, 0x0D, 0x09, 0x0B, 0x92, 0xB7
};
static RSAParameters param = new RSAParameters() {
Modulus = new byte[128] {
0xCA, 0x30, 0xCE, 0xE5, 0x9B, 0xF1, 0x9E, 0x04, 0x1F, 0x6F, 0x02, 0xC5, 0x4A, 0xE4, 0x2C, 0xD6,
0x76, 0x91, 0x85, 0xE1, 0x57, 0xAB, 0x86, 0x59, 0xB7, 0x0D, 0xCE, 0xC0, 0xC3, 0xEE, 0x60, 0x39,
0xFF, 0x95, 0x2F, 0xD9, 0x76, 0x7D, 0x35, 0x47, 0x4B, 0x11, 0xBB, 0x55, 0x14, 0x20, 0x5C, 0x55,
0x38, 0x64, 0xF7, 0x7B, 0xD4, 0xDA, 0x89, 0x9B, 0x30, 0x11, 0x0B, 0x0E, 0xA4, 0xF8, 0xAD, 0x33,
0xFB, 0xE0, 0x35, 0x0E, 0x08, 0x5B, 0x2A, 0x92, 0xA7, 0xD3, 0x27, 0x97, 0x81, 0x10, 0xAA, 0xB9,
0x50, 0x85, 0x73, 0x02, 0x35, 0x40, 0x81, 0x56, 0x70, 0x7C, 0x3B, 0x22, 0x38, 0xF9, 0x78, 0xBF,
0xF4, 0xF3, 0x08, 0x06, 0x38, 0x09, 0xAE, 0xAF, 0xB2, 0xF9, 0xAE, 0xC6, 0x2E, 0x19, 0x68, 0xCF,
0xF5, 0x8B, 0x9B, 0xA8, 0x34, 0xB3, 0x58, 0x8C, 0x92, 0xC8, 0x41, 0x1C, 0x54, 0x8B, 0xFC, 0x49
},
Exponent = new byte[4] {
0x00, 0x01, 0x00, 0x01
}
};In the end there might be some padding (0D) make sure to delete up to hex value (0A), and you'll have to add the data from SceNpTrophyHeader struct to the end to calculate the hash.
Since we cannot sign our own signature due to us not having the private keys, all we can do is verify our signature and see that it's valid and came from in this case Sony. To verify, you'll have to generate a SHA1 hash of a message.
The message is the same thing as what you used to calculate the SHA-1 HMAC hash but now you'll have to add SceNpTrophySignature->digest to the end of the file.
I'm going to be including the stock TROP.ESFM (untouched) file I used, calc.bin file that I used to calculate the hash and verify signature, and the Sce-Np-Trophy-Signature (which you can easily do with the already included TROP.ESFM but why not).
I'm also going to include the source code to the tool I used to calculate everything. All the files are going to be stored in the /bin folder.
P.S: They used the same keys on PlayStation 3.
From @notzecoxao via Twitter to quote: welp, now i know what AD_SIGN keys are for
To quote from the Dev Wiki: SCEI_AD_SIGN RSA Keys (External)
Code:
pub : BB75227C7CE52660799A0DF40B4A789B6D74386E86EC14589CD7BAE6E6D883315365639415FB5919E6C015B1CB379D77F4B5AD5DA6B10ACD65DD3E94DC4973596A44F397AE493CF74CDBCD4305C532B9B7FC3F077036F49EBB8D2F9858BB0032470275582D5AE01C7D83A5B082AE58F9EAAF07304C948B1211416F4A13453F61
exponent : 010001
priv : 045EDEC6F8427F7A905B3F28097B5B0484B0C9000AB546642A83FD1F9512473CC72CFDFD5DE5D655FC434E3E2EF6C4FD1EFF7D634997A720D2D72DB65ACC7B9BF7CE79CA35DC9E28693A852B18F935CB1BFF1D6586C40393FECCE5A6E764CCBA30E373F37ACBD6FE154E54D658130F6A12C993D5C8CF44995332C417BB687361
p: F551D70C7104CFD27F8A543E1DE89ECCF1173062D81B509382E7E99A6EFFE046AC6C1E9FA277C3E0A92AE3C1C81D8B28EE56C83AF307733324D287DD555DE3E3
q: C39E677C8DE1E8F3502D8D85E31E75B6DD4EB567952B54F6B7D3703EBE386C7CC1D9E24AD8BD482452EFDA9D7CAD094539633300A26C0501CE42CADC12501AEB
dp: 3CA10659FFD0A5A02B7F3F84BE959031AC6003C85A0A9E2666D2F42C03C4DF63F8171C966D6BD6103F1EE77D2BFD09388B770D336C7EE9DCB8FC0332137809EB
dq: 3EB4B857A4E395D8E90AB12309FAE9A104B006567DEAB601A04B96DF85FA704C4D979A828397A9587B7D87869440A3881D2D3F5C24B49BA64888009F2AFFA2A1
invdp: E8DD3C07131550C4093A36D1C8DF108786C97F5628244CF3F60BF1437FC939659B0A9956412742AE2A3FF7BD82D7901B21A90FD20FCA5A92DBF4C1FDD7CD8CD3- Location: lv2_kernel.self
- Used for checking trophy signature inside SFM. Thanks to Red-EyeX32 for the tip
Code:
pub : 81CB2FEFB597AB59D7374B2897931501229DBDE307151C20082623C8AA82F5DAD7EB0AE836132E3609D70EAB6E0256DB90634CEECF889B83BCB3383BBA73B320C95BBDEAFD8DA7C3DBBB8231313C82F607CC1E7036BA4A5D60E7AB3F41983249F8096EA1232053D8D185DBB43088EBDD6264BB5F609CF2389229CAF2634385FF
exponent : 010001
priv : 03AEC3B3EDF7993589DD38453513C7C749F7A6D11FBCD218F8923876B39BD6A4F876634F566571ECB797C2034C3245CBA20BA73DA966CB5ED00657C49E14355360F200549A657782C0EC5222F680F4815276796CB3F6C20074F9F5F1C45DCB1114BCA83A23FE8C34D6F73AF5B19A83D0AC60FFE09FCC8E13AB52D6FD5206AB49
p: A7C32A8796127FF2DB879B17481F87BD0C37A3F0D66DF3F84BED83F7B753566420C08D4A28B92588385E05C43AD0387B2A9F99AB41B3B846EE4EE6FDDE5B6DA9
q: C60F9FA06E2604BFA9CDBE093BA89434C9C55E0B440319DBD398360C3AD3039082FF3B211E3D9396715BE2C0511B48DE708923F548AB6DD0AE7459D942118F67
dp: 3A2568094497B6E73AF5BE688C63F94D29FDE301A7A0C68DC9EB51F13B06548C31D9EB5EC7CC9C58A188DD20CD6DBC15DC8922DEFBCFC9D033EAFF1F00C1D9B9
dq: 17E0B850E216A949E611CCD05625EBC035771AF066C1ACF3689E181DFF55833F7FDB7F686DB9E4BA256E7B76CE106907902FA86B20D8B2038F94AD6458E7BF0F
invdp: 48A78458DCA3827D6BA22152B77913E590DA30978B9DB25048C4D45C74B7B375739C39C77CF2F4828DC4483F2A89EA5E3842CC96D9906FBB5E1C52E11B0962DE- Location: lv2_kernel.self
- Used for checking trophy signature inside SFM. Thanks to Red-EyeX32 for the tip
Code:
pub : CA30CEE59BF19E041F6F02C54AE42CD6769185E157AB8659B70DCEC0C3EE6039FF952FD9767D35474B11BB5514205C553864F77BD4DA899B30110B0EA4F8AD33FBE0350E085B2A92A7D327978110AAB95085730235408156707C3B2238F978BFF4F308063809AEAFB2F9AEC62E1968CFF58B9BA834B3588C92C8411C548BFC49
exponent : 010001
trns_pub : CE8A7F561F08EC50EAD12C1CD5EA95F914574E52942E1D25D944319704ADC3E87FDE0E0451EDA05C347BBA584E7572F9660D18014E444C46C8EE8ADF10F4A1345FE51EF42D94A1A9DE692CE99702AAC4D4C5E528EFADBA5B53B20A50B686D084307EC3EABB61157E5E00A96A374FBF5C570B804D821C17573C1C00ACF29CF5E7
SceNpTrophyXmlShaHmacKey : 6AC0B3FB1EBB4FB7BCC2A00DA3A2A4BDBCB788EC456748CC86CD9D09EF37937F6EE31167778E414E9B711BE9D8CBB5F8956E454EE94A46C39DC4FF0D090B92B7- inside np_trophy_util.sprx
