Psvpfstools Vita

From GameBrew
General
Author: motoharu
Type: PC Utilities
Version: 2.0
License: Mixed
Last Updated: 2018/01/27

psvpfstools is a set of tools for decrypting the PFS filesystem layer of the PS Vita.

In the past, the only good way to do this was to mount PFS, for example in VitaShell, and let the PS Vita decrypt the files.

This tool, however, is a completely new standalone approach that does not require you to have a PS Vita.

All decryption is done directly on the PC.

User guide

Public F00D service

The PFS tools are designed so that the implementation of the F00D crypto layer can be provided separately.

Currently you can use the service URL located at: http://cma.henkaku.xyz

Why do I need F00D service

The only purpose of the F00D service is to take the given key, encrypt it, and give it back. The F00D service does not decrypt PFS. For those who are curious: the service does not use a PS Vita either.

Typically, the service is called only once during decryption. If you are decrypting gamedata or addcont (unicv.db format), it is called once to encrypt the klicensee that is extracted from the zRIF string. If you are decrypting savedata, trophies, appmeta or addcont root (icv.db format), it is called once to encrypt the key that is extracted from the sealedkey file.

On the Vita there are 3 hardware implementations of crypto functions:

  • Use key - you are free to give the key to the crypto function, and the key is used directly.
  • Use slot_id - you have to set the key into a specific slot. Then, by specifying key_id, you instruct F00D to encrypt your key with a specific key from F00D. The encrypted key is then used in the crypto function of your choice.
  • Use key_id - you give the key and specify key_id. Your key is then encrypted with a specific key from F00D. The encrypted key is then put into one of the slots in the default range. After that, the encrypted key can be used in the crypto function of your choice.

You can read more about crypto functions here: https://wiki.henkaku.xyz/vita/SceSblSsMgr#SceSblSsMgrForDriver

F00D service cache

Instead of using the F00D service directly, it is now possible to use a cache file that is created beforehand.

To use it, pass the path to the file with the --f00d_cache option.

When using the --f00d_url option, you will get F00D cache output that you can copy to a cache file.

Two types of files are allowed:

  • flat files with delimiters like " ", "\t", ","
  • json files

Format of flat files

  • titleid (only for information, not used)
  • klicensee
  • encrypted key

PCSE00000 00000000000000000000000000000000 00000000000000000000000000000000
PCSE11111 11111111111111111111111111111111 11111111111111111111111111111111
PCSE22222 22222222222222222222222222222222 22222222222222222222222222222222

Format of json files

{
   "PCSE00000" : 
   {
      "key" : "00000000000000000000000000000000",
      "value" : "00000000000000000000000000000000"
   },
   "PCSE11111" :
   {
      "key" : "11111111111111111111111111111111",
      "value" : "11111111111111111111111111111111"
   },
   "PCSE22222" :
   {
      "key" : "22222222222222222222222222222222",
      "value" : "22222222222222222222222222222222"
   }
}
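
An added example, not part of psvpfstools or of the original page: a Python loader that validates either cache format described above and returns a klicensee-to-encrypted-key map, since the titleid is informational only. It assumes that the JSON "key" and "value" fields are the klicensee and the encrypted key, that both are 32 hex digits as in the samples, and that runs of delimiters count as one; all function names are hypothetical.

```python
import json
import re

# Assumption: both values are 16 bytes (32 hex digits), as in the page's samples.
HEX128 = re.compile(r"[0-9A-Fa-f]{32}")


def _check(title_id, key, value, where):
    for name, field in (("klicensee", key), ("encrypted key", value)):
        if not isinstance(field, str) or not HEX128.fullmatch(field):
            raise ValueError(f"{where}: {name} of {title_id} is not 32 hex digits")
    return title_id, key.upper(), value.upper()


def parse_flat(text):
    """Flat format: titleid, klicensee, encrypted key, split on ' ', tab or ','."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        # Assumption: consecutive delimiters are treated as a single separator.
        fields = [f for f in re.split(r"[ \t,]+", line.strip()) if f]
        if not fields:
            continue  # blank line
        if len(fields) != 3:
            raise ValueError(f"line {n}: expected 3 fields, got {len(fields)}")
        entries.append(_check(*fields, where=f"line {n}"))
    return entries


def parse_json(text):
    """JSON format: {titleid: {"key": ..., "value": ...}}."""
    entries = []
    for title_id, rec in json.loads(text).items():
        if not isinstance(rec, dict) or set(rec) != {"key", "value"}:
            raise ValueError(f"{title_id}: expected exactly 'key' and 'value'")
        entries.append(_check(title_id, rec["key"], rec["value"], where="json"))
    return entries


def load_cache(text):
    """Return {klicensee: encrypted key}; reject one key mapping to two values."""
    # Assumption: a leading '{' means JSON; the tool's own detection may differ.
    entries = parse_json(text) if text.lstrip().startswith("{") else parse_flat(text)
    cache = {}
    for title_id, key, value in entries:
        if cache.setdefault(key, value) != value:
            raise ValueError(f"{title_id}: klicensee maps to two encrypted keys")
    return cache


# Constructed sample input, modelled on the placeholder rows shown above.
SAMPLE_FLAT = ("PCSE00000 " + "0" * 32 + "\t" + "0" * 32 + "\n" +
               "PCSE11111," + "1" * 32 + "," + "1" * 32 + "\n")
```

Running `load_cache` on a file before passing it to --f00d_cache catches truncated hex strings and conflicting entries early.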

What can be decrypted

The tool now supports both icv.db and unicv.db formats.

This means that it can decrypt gamedata, addcont, savedata, trophies, appmeta and addcont root.

In theory, everything that is PFS encrypted can be decrypted.

The tool was tested in all scenarios listed above, including 3.61+ games.

In case of specific problems please refer to the next section.

How to use

When decrypting unicv.db: use the -k or -z option to provide klicensee data.

When decrypting icv.db: don't use -k or -z. The klicensee data will be taken automatically from the sealedkey file.

Options:

-h [ --help ]             Show help.
-i [ --title_id_src ] arg Source directory that contains the application. Like PCSC00000.
-o [ --title_id_dst ] arg Destination directory where everything will be unpacked. Like PCSC00000_dec.
-k [ --klicensee ] arg    klicensee hex coded string. Like 00112233445566778899AABBCCDDEEFF.
-z [ --zRIF ] arg         zRIF string.
-f [ --f00d_url ] arg     Url of F00D service.
-c [ --f00d_cache ] arg   Path to flat or json file with F00D cache.


Known issues

https://github.com/motoharu-gosuto/psvpfstools/issues

The PFS tools are still under development and testing.

If you find bugs or have problems with decrypting specific data, please consider leaving a report on the issues page.

Changelog

v2.0

  • Support of icv.db format (savedata, trophies etc).
  • Keystone and Sealedkey parsing and Keystone sanity check.
  • Complete rewrite of unicv.db parser (to accommodate icv.db).
  • Support of Merkle trees (related to icv.db).
  • Cleanup and improvement of crypto engine (more reversing done).
  • Improvement of different places in the code that had unknown behavior (reversing).
  • Fixes for bugs that were in previous versions.

Credits

Special thanks:

  • Proxima. For initial docs on DMAC5, contributing code for keystone and sealedkey checks, providing F00D service and help with crypto theory, advising on libtomcrypt.
  • St4rk, weaknespase and everyone involved in PkgDecrypt. For zRIF string decode/inflate code.
  • devnoname120 for hmac_sha256 crypto primitives that were used in initial implementation.
  • SilicaAndPina for pointing at trophy and savedata pfs.
  • CelesteBlue for indicating possibility of sealedkey usage as local key.
  • tomazzz369 for testing and providing XP build.
  • MRGhidini for testing and integration into Psvimgtools Easy Frontend Vita.
  • Chris Venter. For libb64. Integrated as source.
