Category: PS Vita CFW and Hacks | Thread starter: PSXHAX | Start date: Sep 8, 2017 at 3:41 AM
Following his previous Vitamin official release, the recent PS4 NPDRM Conversion and 6.61 Adrenaline-6 Fix, PlayStation Vita developer TheFloW announced that this month he'll be releasing Vitamin 3.0 featuring a PS Vita plugin called NoNpDrm which allows users to bypass Sony's DRM to share digital games and run them from memory card, SD card, USB, etc.

NoNpDrm v1.0 followed by NoNpDrm v1.1 is out for PlayStation Vita owners!

To quote from Pastebin.com on his disclosure statement: The upcoming tool is a plugin called NoNpDrm and allows you to bypass DRM, respectively to share any digital games (inclusive additional content). It will also allow you to run Game Cards from MC/SD/USB. You can call it Vitamin 3.0, however it is NOT a dumper.

Using the plugin, you can simply copy&paste any game from gro0:app/ux0:app and then install and launch them on other devices/accounts (provided HENkaku is installed). This is possible by using a fake license which will be generated by the plugin.

Unlike the previous dumpers, NoNpDrm assures you that the game is untouched and every game (<= 3.60) will be compatible. This means that the way the game is installed and launched is pretty much official. For example game updates can simply be downloaded and installed from LiveArea.

People who can not activate their devices anymore, but still have games installed on their devices, will also benefit from this plugin: by getting a fake license from someone else, they will be able to play their games again. The plugin will be available this month.

Update: NoNpDrm v1.0 is now officially released, with the Github download links and details from the ReadMe file available HERE followed by a NoNpDrm v1.1 update!

Cheers to @xxmcvapourxx for sharing the news tip in the PSXHAX Shoutbox earlier tonight!
 

Comments

B7U3 C50SS

~ Team_Zer0 ~
Senior Member
Contributor
Well then you've answered your own question haven't you? about it coming out? just look at his tweet where he states it will come out tomorrow. oh and the one where he disclosed it.

Correct me if i'm wrong.
Well... I may not know a ton about it when it comes to PS4 but when it comes to PS3 NPDRM Is basically as follows as explained by JuanNadie over on PS3Hax.net

Code:
NPDRM Self algorithm
THIS DOES NOT ALLOW TO OBTAIN 3.60+ keys

On NPDRM self decryption all the security levels of the PS3 are involved: user space (vsh), kernel space(lv2), hypervisor( lv1) and isolated SPU (metldr + appldr)

The process starts on vsh.elf...

VSH:

Once the vsh detects that user is trying to start a self, it looks for the appinfo header type. If the type is 8, then the control digest element type 3 (NPD element) is located. From this NPD header the vsh gets the license type (free, local or network license).

If a free content (type 3) is detected then a generic klicense will be used for further steps (go to LV2). That klicensee is already public (see geohot npdrm_omac_key_1).

However if a paid content is to be loaded the vsh loads the act.dat and the rif associated to the content (if local it will locate a file with the same titleid on NPD element, if remote it will download to vsh process memory)

Then the signature is checked (last 0x28 bytes of both RIF and act.dat). The curves used are on vsh.self. It is a 3 element table, having the first curve nulled. The curve index for rif/act is 2. The curve values are negated as in the apploader and has the following structure

struct curve {
uint8_t p[0x14];
uint8_t a[0x14];
uint8_t b[0x14];
uint8_t N[0x14];
uint8_t Gx[0x14];
uint8_t Gy[0x14];
};

If the curve checks then vsh will process the rif:

struct rif {
uint8_t unk1[0x10]; //version, license type and user number
uint8_t titleid[0x30]; //Content ID
uint8_t padding[0xC]; //Padding for randomness
uint32_t actDatIndex; //Key index on act.dat between 0x00 and 0x7F
uint8_t key[0x10];    //encrypted klicensee
uint64_t unk2;    //timestamp??
uint64_t unk3;    //Always 0
uint8_t rs[0x28];
};

struct ACTDAT {
uint8_t unk1[0x10]; //Version, User number
uint8_t keyTable[0x800]; //Key Table
......
uint8_t signature[0x28];
};

Using the RIF_KEY it will obtain the actdatIndex:

AES_KEY rifKey;
int result = AES_set_decrypt_key(RIF_KEY, 0x80, &rifKey);
AES_decrypt(&rif->padding, &rif->padding, &rifKey);

And finally, having the actDat key index, the execution passes to LV2 syscall 471

LV2

Lv2 is accessed using syscall471 which has the following syntax:

int syscall_471(uint32_t type, char* titleID, void* klicensee, uint8_t* actdat, uint8_t* rif,    int32_t licenseType, uint8_t* magicVersion);

The function has different parameters depending if the content is debug, free or paid:

FREE: syscall471(npd.type, &npd.titleID, freeklicensee, NULL, NULL, npd.license, &npd);
PAID: syscall471(npd.type, &npd.titleID, NULL, &actdat.keyTable[rif.actDatIndex*0x10], &rif.key, npd.license, &npd);

The lv2 keeps a memory table with contentID and the associated key.
When it receives a free content (r5 is not null) then copies the titleID and the klicensee to the table. For a paid content the rif.key is converted to the klicensee using:

AES_KEY IDPSKey, ConstKey, ActDatKey;
uint8_t encrConst[0x10];
uint8_t decryptedActDat[0x10];
uint8_t klicensee[0x10];
int result = AES_set_encrypt_key(&IDPSVariation, 0x80, &IDPSKey);
AES_encrypt(&CONSTACTDAT, &encrConst, &IDPSKey);
result = AES_set_decrypt_key(&encrConst,0x80,&ConstKey);
AES_decrypt(actDat,&decryptedActDat,&ConstKey);
result = AES_set_decrypt_key(&decryptedActDat,0x80,&ActDatKey);
AES_decrypt(rif,&klicensee,&ActDatKey);


where CONSTACTDAT is a constant value on lv2, IDPSVariation appears to be IDPS (not checked but DRM_Manager_initialize (see graf_chokolo's "bible") to something with the same structure), actdat are the 0x10 bytes selected by rif keyIndex, and rif is rif.key (bytes 0x50-0x5f).

Once transformed it is stored on memory table...

I haven't checked further steps on vsh nor lv2 so perhaps there are further transformations on the paid case (NOT FOR THE FREE AS I HAVE DECRYPTED THOSE) so we are jumping directly to the appldr

AppLdr

As you can see from graf_chokolo payloads a parameter is passed on spu_args.field60. That parameter is the previously stored klicensee.

However this key must be transformed (again) even for the free case. The transformation is:

uint8_t decryptedKLicensee[0x10];
AES_KEY KLicenseeKey;
int result = AES_set_decrypt_key(&KLicenseeDecryptKey,0x80,&KLicenseeKey);
AES_decrypt(klicensee,&decryptedKLicensee,&KLicenseeKey);
EY is another key located inside the apploader and klicensee is the parameter.

Then we can finally remove the NPDRM layer using:


AES_KEY key;
uint8_t iv[0x10];
memset(&iv[0],0,0x10);
int result = AES_set_decrypt_key(&KLicenseeDecryptKey,0x80,&key);
AES_cbc_encrypt(self + self->metaoffset + 0x20, self + self->metaoffset + 0x20,0x40,&key,&iv,0);

Once that layer is removed we proceed as normal:
-Decrypt using AESCBC256 with the NPDRM keys to obtain the metadata keys
-Decrypt using AESCTR128 the data sha,hmac,iv keys
-Decrypt the data.

PD: I WILL NOT PROVIDE ANY OF THE KEYS MENTIONED ABOVE

Credits to euss (documentation, keys and testing), mallory(testing,code), jester(testing)
  • Original Thread.
  • PS3 ^ Not PS4. I don't know the changes that were made. I could ask though.
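
The record layout quoted in the comment above can be checked for internal consistency: the field sizes must place the encrypted klicensee at bytes 0x50-0x5f, and the act.dat index range 0x00-0x7F must match the 0x800-byte key table. This is an added example, not code from the quoted post or from any project named on this page; `rif_check`, `actdat_key_offset`, `rif_sample` and the sample content ID are hypothetical names and constructed data, and the printable-ASCII-plus-zero-padding rule for the content ID is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Field sizes as quoted in the post; byte arrays only, so no compiler padding. */
struct rif_raw {
    uint8_t unk1[0x10];        /* version, license type, user number */
    uint8_t content_id[0x30];  /* "titleid" in the post */
    uint8_t enc_index[0x10];   /* padding[0xC] + actDatIndex: one AES block */
    uint8_t key[0x10];         /* encrypted klicensee */
    uint8_t unk2[8];
    uint8_t unk3[8];           /* "Always 0" per the post */
    uint8_t rs[0x28];          /* signature */
};

/* The post puts rif.key at bytes 0x50-0x5f and the signature in the last 0x28. */
_Static_assert(offsetof(struct rif_raw, enc_index) == 0x40, "index block offset");
_Static_assert(offsetof(struct rif_raw, key) == 0x50, "key offset");
_Static_assert(sizeof(struct rif_raw) == 0x98, "total size");

/* Offset of a key slot in act.dat (0x10 header + keyTable), -1 if out of range. */
long actdat_key_offset(uint32_t index)
{
    if (index > 0x7F)          /* keyTable[0x800] holds 0x80 slots of 0x10 bytes */
        return -1;
    return 0x10 + (long)index * 0x10;
}

/* Structural checks only, no keys or crypto. Returns 0 if the record is well formed.
   Assumption: the content ID is printable ASCII followed by zero padding. */
int rif_check(const uint8_t *buf, size_t len, char content_id[0x31])
{
    struct rif_raw r;
    size_t i, n;
    if (len != sizeof r) return -1;                     /* wrong length */
    memcpy(&r, buf, sizeof r);
    for (n = 0; n < sizeof r.content_id && r.content_id[n]; n++)
        if (r.content_id[n] < 0x20 || r.content_id[n] > 0x7e) return -2;
    for (i = n; i < sizeof r.content_id; i++)
        if (r.content_id[i]) return -2;                 /* data after terminator */
    for (i = 0; i < sizeof r.unk3; i++)
        if (r.unk3[i]) return -3;                       /* documented as zero */
    memcpy(content_id, r.content_id, n);
    content_id[n] = '\0';
    return 0;
}

/* Constructed sample: zero-filled record with a made-up content ID. */
void rif_sample(uint8_t out[0x98])
{
    const char *id = "XX0000-TEST00000_00-CONSTRUCTEDSAMPLE";
    memset(out, 0, 0x98);
    memcpy(out + 0x10, id, strlen(id));
}
```

Because the index sits inside an encrypted 16-byte block, the range check in `actdat_key_offset` can only be applied after the decryption step the post describes, which this example does not perform.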
 

PSXHAX

Staff Member
Moderator
Contributor
Verified
Looks like today is the release of VitaShell v1.63 and NoNpDrm v1.0:

Download: nonpdrm.skprx / GIT / NoNpDrm Dump List / PSDLE / NoPayStation v2.0 (view your raw account data with THIS when logged in per Al Azif meaning whatever is in your library on the account you're signed into will display on that page, and you can change the ?size= to be bigger if it doesn't display all your stuff... so if you buy a game on psn though the browser the info will show up on that page, including pkg links)

From the ReadMe.md, to quote: NoNpDrm Plugin by TheFloW

Features
  • Exports PS Vita content license keys as fake licences.
  • Bypasses expiration of PlayStation Plus and other timed licenses.
  • Allows you to run trial versions as full versions.
  • Allows sharing PFS encrypted content (unmodified non decrypted games) across multiple PS Vita accounts and devices using generated fake license files.
  • Imported games behave as purchased games and allow the use of game updates seamlessly downloaded from the Sony Interactive Entertainment Network (PlayStation Network) as long as these updates run on firmware 3.60 and lower.
  • Games can also be stripped of their PFS encryption using tools such as Vitamin just as any other purchased games would.
  • Using purchased applications on deactivated devices.
In a nutshell, this plugin allows you to bypass DRM protection on any PS Vita content.

This software WILL NOT
  • Allow modifications to your games/applications.
  • Work with PFS decrypted content (such as games dumped using applications such as Vitamin or MaiDumpTool).
  • Enable you to run applications/use content without a valid license or a fake license file.
  • Work with PlayStation Portable or PlayStation 1 titles (should you wish to play such titles, you may want to look into the Adrenaline software).
  • Work with applications that only run on firmware 3.61 or later.
Legal Disclaimer
  • The removal and distribution of DRM content and/or circumventing copy protection mechanisms for any other purpose than archiving/preserving games you own licenses for is illegal.
  • This software is meant to be strictly reserved for your own PERSONAL USE.
  • The author does not take any responsibility for your actions using this software.
Software Requirements

This software will only work on PlayStation Vita, PlayStation Vita TV, PlayStation TV devices running on firmware 3.60. The taiHEN framework and HENkaku need to be running on your device. For more information please connect to https://henkaku.xyz/
For all the possibilities described below, you should use VitaShell v1.6 or higher for faster transfers.
VitaShell lets you mount your PS Vita's Memory Card or Game Card to your PC over USB.
On a PS TV device, you can mount a USB flash drive and copy files to uma0:.

Installation

Download the latest nonpdrm.skprx, copy it to ux0:tai and modify the ux0:tai/config.txt file to add the path to the module under *KERNEL as follows

*KERNEL
ux0:tai/nonpdrm.skprx

Don't forget to reboot your device, otherwise the plugin will have no effect yet. If you know what you are doing, you may change this path to an arbitrary location as long as it matches the exact location of the module. You may also edit the ur0:tai/config.txt instead assuming you do not have a config.txt file inside the ux0:tai/ folder

Creating the fake license

In order to generate a fake license file containing the application's rif key, you must first launch the application with the NoNpDrm plugin enabled. The fake licenses for the applications will then be stored at:
  • ux0:nonpdrm/license/app/TITLE_ID/6488b73b912a753a492e2714e9b38bc7.rif
  • ux0:nonpdrm/license/addcont/TITLE_ID/DLC_FOLDER/6488b73b912a753a492e2714e9b38bc7.rif (for additional content)
Sharing Digital Applications
  • If you wish to use the application on the same device but on a different account, simply copy the fake license 6488b73b912a753a492e2714e9b38bc7.rif to ux0:license/app/TITLE_ID/6488b73b912a753a492e2714e9b38bc7.rif.
  • If you wish to use the application on a different device, transfer the content of ux0:app/TITLE_ID to your PC and copy the fake license ux0:nonpdrm/license/app/TITLE_ID/6488b73b912a753a492e2714e9b38bc7.rif file as TITLE_ID/sce_sys/package/work.bin. You need to overwrite the original work.bin.
Note: on games obtained through the PlayStation Store, work.bin is tied to your Sony Interactive Entertainment (also known as PlayStation Network) account and contains your account ID. The fake license does however NOT contain any personal information.

Sharing Game Cards

Transfer the gro0:app/TITLE_ID folder and its content to ux0:app/TITLE_ID or to your computer and save the fake license ux0:nonpdrm/license/app/TITLE_ID/6488b73b912a753a492e2714e9b38bc7.rif as TITLE_ID/sce_sys/package/work.bin.

For faster transfers you can mount the Game Card over USB. To do so, open VitaShell (See the Software Requirements section of this documentation), press the START button of your PS Vita, in the Main settings menu, select Game Card next to the USB device option and press START once again to close the settings tab.

Now connect your PS Vita to your computer over USB and press the SELECT button.

Note: Mounting Game Cards over USB does not work on PlayStation TV or PlayStation Vita TV devices.

Sharing Additional Content

You may share any additional content across devices from ux0:addcont/TITLE_ID/DLC_FOLDER or, on selected card games, from grw0:addcont/TITLE_ID/DLC_FOLDER
To do so, copy the fake license ux0:nonpdrm/license/addcont/TITLE_ID/DLC_FOLDER/6488b73b912a753a492e2714e9b38bc7.rif to ux0:license/addcont/TITLE_ID/DLC_FOLDER/6488b73b912a753a492e2714e9b38bc7.rif.

Sharing Game Updates

While you may simply copy the content of ux0:patch/TITLE_ID or grw0:patch/TITLE_ID (in the case of selected card titles), game updates can be downloaded and installed directly from the PlayStation Network (unless the newest update is not compatible on 3.60).

Installing shared applications
  • Digital Application and Game Cards must be stored at the following location: ux0:app/TITLE_ID
  • Additional contents must be stored at the following location: ux0:addcont/TITLE_ID/DLC_FOLDER and their associated licenses must be copied to ux0:license/addcont/TITLE_ID/DLC_FOLDER/6488b73b912a753a492e2714e9b38bc7.rif.
  • Game Updates must be stored at the following location: ux0:patch/TITLE_ID.
Open VitaShell (version 1.6 or later) and press △ in the home section of VitaShell and choose Refresh livearea. This will trigger the installation if the files have been placed correctly and the licenses within work.bin files are valid.

Overview

Should you decide to store your game contents on your computer, it is recommended to use the same structure as ux0: as shown below:
Code:
├───addcont
│   └───TITLE_ID
│   │   └───DLC_FOLDER
├───app
│   └───TITLE_ID
│   │   └───sce_sys
│   │       └───package
│   │           └───work.bin (copied or overwritten from ux0:nonpdrm/license/app/TITLE_ID/6488b73b912a753a492e2714e9b38bc7.rif)
├───license
│   └───addcont
│   │   └───TITLE_ID
│   │       └───DLC_FOLDER
│   │           └───6488b73b912a753a492e2714e9b38bc7.rif (copied from ux0:nonpdrm/license/addcont/TITLE_ID/DLC_FOLDER/6488b73b912a753a492e2714e9b38bc7.rif)
├───patch
│   └───TITLE_ID
Source code

The source code is located within the src directory and is licensed under GPLv3.

Troubleshooting
  • "I am getting a C1-2758-2 error when trying to run a game/application" - Your game has not been copied properly and at least one of the files is corrupt, please copy it again and retry.
  • "I am getting a C1-6703-6 error when trying to run a game/application" - You are running NoNpDrm from a Devkit/Testkit (PDEL/PTEL) these devices are not currently supported.
  • "I am getting a C0-9250-6 error when trying to run a game/application" - The nonpdrm.skprx module is not loaded, make sure the path to the module is written in ur0:tai/config.txt or ux0:tai/config.txt if the latter exists on your device.
  • "I am getting a NP-6182-7 error when trying to run a game/application" - This error occurred only once during our test while attempting to run an expired PlayStation Plus timed application, attempting to run the game once more fixed the issue, we never managed to reproduce this error, should you manage to consistently reproduce this issue, please open an issue on github.
  • "My game/application displays as a trial version in the livearea" - This happens because you copied a game/application featuring a trial mode, without or with an invalid/corrupt work.bin.
  • "I somehow messed up the installation, how can I reinstall a game?" - You can delete the (fake) license at ux0:license/app/TITLE_ID and use the refresh option in VitaShell.
Donation

All my work is voluntary and nonprofit, however you can support my work by making a small donation - no matter how small, I'd be very thankful! Just be careful what you write to me in the message ;)
Donation Link

Special thanks
  • Thanks to Team molecule for HENkaku and thanks to yifanlu for taiHEN
  • Thanks to Mathieulh for beta testing and helping me write this readme
 