Join Us and become a Member for a Verified Badge on Discord to access private areas with the latest PS4 FPKGs.
PS4 CFW and Hacks       Thread starter PSXHAX       654       0      
Not open for further replies.


Staff Member
Following up on the previous update and recent PS4 game dumps, today Sony PlayStation 4 hacker SKFU shared an update on PS4 hacking discussing the state of things Part I featuring TitleID's and more below.

To quote: PS4 - The State of Things Part I: TitleID's

Yeah I'm still here! A lot of information was collected, analyzed and misused in the past months. I want to share an overview with you and I'll start with "Part I: TitleID's".

This post is not entirely about the PS4, it will include some information about the PSV as well.

Why are we interested in TitleID's?

Both the PS4 and the PSV use the known system of TitleID's to identify games and apps. Most of them are visible to you via either the Livearea on PSV or the menu of the PS4.

Some of them, on the other hand are only used as references for internal modules or similar and are therefore hidden. The most interesting ones are those which are linked with applications you shall not see and are just implemented for tests, were forgotten or exist for other unknown reasons. Do we want to find and start them? Yes, we do!

How do we find valid TitleID's?

Well, the best start is to look at the error reports of the consoles. Once a game or app crashes, a small error report is generated and you can view this information via the systems settings. You'll see that the TitleID is always with it.
  • NPXS19999 is the TitleID (pictured below)
Surely this will not lead us to any interesting hidden applications since those are most likely never active and can not be crashed without even knowing how to start them, but it will give us a good startpoint since the range of commonly used system ID's is huge (NPXS00000-NPXS9999). So now we need a way to test for valid ID's aka a possibility to launch games/apps by it's TitleID with bruteforcing.

How do we start apps/games by TitleID's?


For simplicity here's a small webform which will unlock the PKG Installer for your PS VITA: kindly hosted by The Zett. Just enter the E-Mail adress you use on your PSV and the script will send you the unlock E-Mail.

From julioms: This is the whole script:
function unlock()
var url = “psgm:open?titleid=NPXS10031″;, “_blank”);
On PlayStation VITA there are many ways to achieve our goal, so it's not important right now if one is public. I will show you the most simple one. Probably you have noticed the leak of information regarding a hidden PKG installer a few months ago - this was achieved by using this technique.

Simply as it is, the only thing you have to do is setup the E-Mail client application on your PlayStation VITA and write yourself an HTML E-Mail with the following content to receive the E-Mail on your PSV.
<a href="psgm:open?titleid=NPXS10031">OPEN PKG INSTALLER</a>
Open your E-Mail app and click the link and the PKG installer will start. You may want to replace the titleid parameter with any of your choice. I have a small list of tested TitleID's for PSV right here, feel free to add or modify information.

PS4 Method:

For the PlayStation 4 our method is a bit more complicated and requires a bit of RE knowledge for Android and/or iOS. I'll describe an example for Android:

Please grab a copy of the Metal Gear Solid V: GZ companion app for Android and save the APK on your PC. APK Downloader is useful here! (It's a fantastic game, I'm really sorry I had to use this one :()

Now you'll need the APK-Multi-Tool. Setup the tool and place the MGS companion APK file in the "place-apk-here-for-modding" folder. Start the tool, via the "Script.bat" and choose option 9 to decompile the APK. You now have a decompiled copy of the APK in your "projects" folder.

Locate the "PS4Net$1.smali" source file in "/smali/jp/konami/mgsvgzapp/", open it and replace the MGS V: GZ TitleID's with one of your choice and save the file. Go back to the APK-Multi-Tool script and choose option 15 (assuming your Android phone connected in debugger mode).

Now you can start the app on your phone, choose the main option and it will find your PS4 after you logged in PSN. Once started, normally the application would start Metal Gear Solid V: GZ, but now tries to start your TitleID if available.

The authentication system used for the secure communication between your phone and your PS4 is well done, but sadly not useful if we use a modification like this. Feel free to join the list of tested TitleID's for PS4.

For obvious reasons I made a small TitleID's launcher to test different ID's a lot faster.

XBOX ONE Method:

In the APK described in the PS4 method you might have noticed that there is code for the XBOX ONE version of the game as well. Nearly same system, have fun.

Stay tuned for Part II!

Best regards,


From The Z comes the following related article for PlayStation Vita: SKFU Releases ★ Package Installer Unlock on the Retail PS Vita!

To quote: If we look back at the various Gamescom videos I’ve uploaded, we could see that there is a special Application installed at the developer PS Vitas:

The Package Installer.

The App actually exists within the retail (that is your normal everyday PS Vita) PS Vita, but it is hidden.

If we use the following method, we are able to actually access and use the Package Installer application ourselves!

At first, how the hell can we access this hidden app?

Well, simply follow this easy video and you should be able to use the Package Installer at your own PS Vita.

No time to watch a video? Well, visit this website (linked above), enter your email address and press continue.

Next open the Email Application on your PS Vita, set up your email that you’ve used in the step from above, if you did not do this yet.

Open the new email you should’ve gotten and press the start button on the picture inside of the email.

If by black magic, the Package Installer application should open and you will be able to use it… Kind of...

The Package Installer has basically 2 ways to transfer content: Via host0:/ and via the CMA. Problem: The retail PS Vitas do not have a host0:/ and the normal CMA can not transfer packages.

How to solve this? Well, simply use the QCMA, made by codestation, which is capable of transferring your already saved content and additionally has a PS Vita firmware update function and a function for transferring packages, if you have access to the Package Installer.

QCMA - Cross-platform content manager for the PSVita (0.3.2)

QCMA is an open source Content Manager Assistant for the PS Vita. Since Sony forgot about Linux users i decided to make an implementation of their CMA using the vitamtp library that Yifan Lu made. QCMA is made in Qt so it can be recompiled to Windows and Mac OS X (or even Android?) without trouble.

  • Windows (XP - Vista - 7 - 8): (Note: the installer will install a driver that is required for Qcma. Make sure that your Vita is connected to the PC via usb when installing the driver and the Sony CMA app is closed. You can uninstall the drivers/qcma via Add/remove programs if you want to go back to use the official CMA app.)
  • 64bit OS X (compiled under OS X 10.8.5):
  • Dropbox (Mirrors):
  • Compiling under Linux/Windows/OSX:
  • Linux: Ubuntu PPA: Add the ppa repository using one of these methods:
Using the software center:

Go to Ubuntu Software Centre > Edit > Software Sources > Other Software and click Add, add ppa:codestation404/qcma. After clicking Add Source and Close, you have to Reload the software sources. You can then install Qcma from this PPA in the Software Center.

Using the command line:
sudo add-apt-repository ppa:codestation404/qcma
sudo apt-get update
sudo apt-get install qcma
  • 32bit .deb files (compiled under Ubuntu 12.04 LTS):
  • 64bit .deb files (compiled under Ubuntu 12.04 LTS):
  • 32bit .deb files (compiled under Ubuntu 13.10):
  • 64bit .deb files (compiled under Ubuntu 13.10):
  • 32bit .deb files (compiled under Ubuntu 14.04 LTS):
  • 64bit .deb files (compiled under Ubuntu 14.04 LTS):
  • 32bit .deb files (compiled under Debian Wheezy):
  • 64bit .deb files (compiled under Debian Wheezy):
  • 32bit .rpm files (compiled under OpenSuse 13.1):
  • 64bit .rpm files (compiled under OpenSuse 13.1):
  • 32bit .rpm files (compiled under Fedora 20):
  • 64bit .rpm files (compiled under Fedora 20):
Source Code:
  • Source code:
  • AUR Package for Archlinux:
  • AUR Package for Archlinux (KDE integration):
  • AUR Package for Archlinux (testing branch):
  • Readme:
  • Wiki:
Advanced settings explanation:
  • Offline mode: if you disable this then the PS Vita can use Qcma to check for updates and download firmware updates from the Internet. Keep it disabled if you don't want to upgrade.
  • Skip metadata retrieval: the initial scan will be A LOT faster by omiting some info when doing the initial scan. For example you will not be able to see ID3 info for mp3 files, resolution and duration for movies and game names for psp savedatas.
  • Disable USB monitoring: Qcma won't be able to connect to the PS Vita using a USB cable.
  • Disable wireless monitoring: Qcma won't be able to connect to the PS Vita via WiFi.
Issues with the current version:
  • The database is created in memory so is lost when QCMA exits. This will be solved once the SQLite backend is complete.
  • Multimedia changes on the PC requires a database refresh. This will be solved when the file monitoring daemon is completed.
  • Music streaming via WiFi has glitches (for example doesn't listen the categories on the first try). This happens with the official CMA too.
Verbose logging is activated by the command line switch --verbose. Debug output is activated using --with-debug (this will create hex dumps of every transaction). Under windows use qcma_console.exe to generate logs.

QCMA Changelog:
    0.3.2:   Fixed bug with PSP savedata transfer.
             Fixed bug when transferring multimedia folders.
    0.3.1:   Headless qcma version.
             Added dbus controls to qcma (Linux only)
             Set the default video codec to h264 if metadata skip is enabled.
             Delay the progress dialog by one second so it doesn't show on quick scans.
             Do not show the disconnect message if no connection is established.
             Show correct directory separators on Windows.
             Show if savedata, updates or dlc are present on backup manager.
             New database backend. Disabled for now.
             Added options to disable multimedia indexing.

    0.2.8:   Fixed bug where USB transfers couldn't be cancelled.
             Enabled item in Advanced settings dialog: "Skip metadata retrieval" (disabled by default).
             Enabled item in Advanced settings dialog: "Disable USB monitoring" (disabled by default).
             Enabled item in Advanced settings dialog: "Disable Wireless monitoring" (disabled by default).
    0.2.7:   Resolved problem when reading big files in PSP savedatas (like sending ISOS to the Vita).
             Resolved high memory usage when receiving files from PSP savedatas (like ISOS from TN-V).
             Fix crash on startup on some circunstances.
             Enabled item in Advanced settings dialog: "Offline mode" (enabled by default).

    0.2.6:   Show the account name on the info popup when the vita is connected (just like the official CMA).
             Fixed bug with multimedia browsing/streaming of content who has non-ascii characters on the filename.
             Picture scanning should be a little faster (use internal Qt library instead of ffmpeg for picture metadata extraction).
             KDE native notification support (only on Archlinux or builds from source code).
             Fixed bug with backup usage size when no items are detected.
             No more delay on Qcma exit if no devices are connected (will wait if a PS Vita is still connected).

    0.2.5:   Added filter for backup manager
             Fixed the PIN bug (negative numbers).
             Fixed bug related to creation of base folders for game backups.
             Show connection status in icon tray color.
             Show PSM icons in backup manager.
             Fixed bug with listing in backup manager.
             Fixed crash in PS Vita with some PSP savedatas.
             Avoid creation of folder with account id "ffffffffffffffff"     
    0.2.4:   QCMA in WiFi mode is compatible with FW 3.00.
    0.2.3:   Fixed bug (again) with large file support for linux binaries in 32bit.
VitaMTP Changelog:
2.5.1: Bump soname version, removed opencma.
2.4.0: Added cancel support for USB transfers.
2.3.0: Implement a read/write callbacks for the send/receive functions so there is no need to pass a buffer with the full contents of the file.
2.2.0: Updated socketpair implementation for WIndows.
2.1.2: added VitaMTP_Cancel_Get_Wireless_Vita and removed the callback parameter on VitaMTP_Get_Wireless_Vita
2.1.0: Added new CMA version.
2.0.2: Performance/stability increased ni wireless mode.
Does this mean free PSP/PS1/PS Vita games?

Wow! Stop right there! It is not as easy as you think.

The Package Installer is only capable of installing DRM-free content, which basically means you can not install any kind of content, that requires you to pay for it, e.g. full PSP/PS1/PS Vita games.

Any kind of demo applications, regardless of the PSN Store region (!), can be installed… As long as it is a PS Vita demo.

Pure applications like NicoNico, Netflix and the eBook Reader can also be installed, since those do not require you to have a license for them.

PSP demos can, unfortunately, not be installed via this way, otherwise a free PSP demo exploit could be, potentially, possible. Aww, bummer!

Some might think that this is useless, some others might think that this is great, since demos like Hatsune Miku: Project Diva f 2nd can now be played at any kind of PS Vita, regardless if they have access to the japanese PSN Store or not.

In the end you have to know yourself if you are going to use this or not.

I would like to thank SKFU for his work and dedication to the PS Vita, even if he hides a lot of things from the public, the things he releases are always a stunning surprise!

Finally, from ryuzen comes How to Download Vita Games Using IDM from PC as follows:

This tutorial will show you how to download your Vita games with Internet Download Manager instead of using your Vita or Sony’s tools.

  • Download faster
  • Fetch .pkg file for various use (example: Install another region demo (Via SKFU Package Installer method - linked above)
  • Let your Vita rest while downloading
  • Store downloaded games for backup later use on another device
  • Use downloaded game on different psn account without redownloading the same game again (cma won’t let you do this)
How to:

  • Download PSN download Manager first!
  • Create Hotspot From Your PC using your Router / Connectify (Or use virtual router plus, its free)
  • Connect your Vita to the hotspot
  • Download the game you want
  • Pause the download.
  • Now connect to your hotspot using proxy. Put your pc ip and port 27 then reconect your hotspot
  • Now open “psn dm.exe”, see it fetching the game, if nothing happen make sure to allow the firewall.
  • Right click and copy download link, copy it to IDM
  • Now delete ongoing download on psn dm. also pause the download on vita too
  • After download completed, copy downloaded file under downloads folder on psndm folder.
  • make blank text file, name it ready_“yourdownloadedfilename”.txt
  • Back to Vita, resume the download, you’ll notice it will download faster and install directly from file on your pc.
  • Done!
Note: you can keep your downloaded .pkg and do the same process if you want to install the game again, also you can use the downloaded file to install on another PSN account without redownloading the game again! Hope it helps.


Like i said we can install another region demo.. But the process is different, basically you can get the .pkg file from this method and use the hidden package installer (by SKFU linked above) to install another region demo :D (this might not work above firmware 3.18)
Not open for further replies.

:fire: Latest Help Topics