Jump to content

PS Vita PFS Keys Documented

Recommended Posts

  • Developer

PS Vita dev  @St4rkDev  has documented the PS Vita PFS Keys

PS Vita PFS Keys

PFS EncKey : { 0x00, 0x29, 0x8C, 0xDF, 0x44, 0x28, 0xE7, 0x2C, 0x87, 0x85, 0xDA, 0xE0, 0x92, 0x3C, 0x60, 0xBD };
PFS Secret: { 0x8C, 0x5D, 0x3A, 0x4B, 0x9D, 0x9B, 0xF4, 0xB4, 0x53, 0xBC, 0xE6, 0xCD, 0xC3, 0x43, 0x31, 0xD8 };




"So the vita has many layers of encryption. Let's look at a game cart and digital game:

1a) The cart has encryption on the raw data (that's why if you dump it externally, you'll see encrypted data). However, as soon as the game is placed into the vita, that layer is decrypted before the vita sees the game. Then we have "gro0" mounted, which is the unencrypted FAT partition.

1b) Digital games are encrypted in the SCE PKG format. Basically there is an encryption key chosen (at random) by the developer. The package is encrypted and signed by sony. Package Installer can get past this encryption (and it does for drm-free packages). For other packages, package installer sees that you don't have a license and errors out, but you can bypass this without kernel or anything (exercise left for the reader). Once the package is decrypted, it is basically an archive of files that is extracted to "ux0"

2) The second layer of encryption is PFS. All game data (images, textures, executables, etc) are encrypted with PFS. PFS key is derived from a passphrase chosen by the developer. It is also signed (either with a key derived from the passphrase or with sony's key, I'm not sure). This layer is decrypted when a game is mounted (gro0: => app0: or ux0:app/titleid => app0). mr.gas & major_tom's trick gets you past this layer.

3) Now, the showstopper. Game executable files (eboot.self, *.suprx, etc) are encrypted through NPDRM. The key to decrypt this is derived from ux0:license/titleid/*.rif AND tm0:npdrm/act.dat (for digital games) or just gro0:license/titleid/*.rif (for game cart). Of course, the key derivation process includes secrets that userland/system does not have access to and therefore there is no current public way of decrypting it. This is the last line of defense for Sony.




Edited by LightningMods_
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...