Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Psvpfstools Mod Vita

From GameBrew
psvpfstools mod
Psvpfstoolsmodvita2.png
General
Authorcuevavirus
TypePC Utilities
Version2.2
LicenseMixed
Last Updated2019/08/25
Links
Download
Website
Source

psvpfstools is a set of tools that allows to decrypt PFS filesystem layer of PS Vita.

In the past the only good way to do this was to mount PFS for example in Vita Shell and let PS Vita to decrypt the files.

However this tool is a completely new standalone approach that does not require you to have PS Vita.

All decryption is done directly on the PC.

PFS tools were designed in such a way that the F00D crypto layer is implemented natively without relying on cma.henkaku.xyz.

User guide

Why do I need F00D service

The only purpose of F00D service is to take the given key, encrypt it and give it back. F00D service does not decrypt PFS. To those that are curious - service does not use PS Vita as well.

Typically during decryption process service is called only once to encrypt klicensee that is extracted from zRIF string if you are decrypting gamedata or addcont (unicv.db format). Service is called once to encrypt key that is extracted from sealedkey file if you are decrypting savedata, trophies, appmeta, addcont root (icv.db format).

On Vita - there are 3 hardware implementations of crypto functions:

  • Use key - you have a freedom of giving the key to crypto function and key is used directly.
  • Use slot_id - you have to set the key into specific slot. Then by specifying key_id you instruct F00D to encrypt your key with specific key from F00D. Encrypted key is then used in crypto function of your choice.
  • Use key_id - you give the key and specify key_id. Your key is then encrypted with specific key from F00D. Encrypted key is then put into one of the slots in default range. After that encrypted key can be used in crypto function of your choice.

You can read more about crypto functions here.

F00D service cache

Instead of using F00D service directly it is now possible to use a cache file that is created beforehand.

To use it pass path to the file with --f00d_cache option.

When using the native F00D service you will get an `F00D cache` output that you can copy to a cache file.

Two types of files are allowed:

  • flat files with delimiters like " ", "\t", ","
  • json files

Format of flat files

  • titleid (only for information, not used)
  • klicensee
  • encrypted key
PCSE00000 00000000000000000000000000000000 00000000000000000000000000000000
PCSE11111 11111111111111111111111111111111 11111111111111111111111111111111
PCSE22222 22222222222222222222222222222222 22222222222222222222222222222222

Format of json files

{
   "PCSE00000" : 
   {
      "key" : "00000000000000000000000000000000",
      "value" : "00000000000000000000000000000000"
   },
   "PCSE11111" :
   {
      "key" : "11111111111111111111111111111111",
      "value" : "11111111111111111111111111111111"
   },
   "PCSE22222" :
   {
      "key" : "22222222222222222222222222222222",
      "value" : "22222222222222222222222222222222"
   }
}

What exactly can be decrypted

Tool now supports both icv.db and unicv.db formats.

Which means that it can decrypt gamedata, addcont, savedata, trophies, appmeta, addcont root.

In theory everything that is PFS encrypted can be decrypted.

The tool was tested in all scenarios listed above, including 3.61+ games.

In case of specific problems please refer to the next section.

How to use

When decrypting unicv.db: use -k or -z option to provide klicensee data.

When decrypting icv.db: dont use -k and -z. klicensee data will be taken automatically from sealedkey file.

Options:

-h [ --help ]             Show help.
-i [ --title_id_src ] arg Source directory that contains the application. Like PCSC00000.
-o [ --title_id_dst ] arg Destination directory where everything will be unpacked. Like PCSC00000_dec.
-k [ --klicensee ] arg    klicensee hex coded string. Like 00112233445566778899AABBCCDDEEFF.
-z [ --zRIF ] arg         zRIF string.
-c [ --f00d_cache ] arg   Path to flat or json file with F00D cache.

Credits

Special thanks:

  • Proxima. For initial docs on DMAC5, contributing code for keystone and sealedkey checks, providing F00D service and help with crypto theory, advising on libtomcrypt.
  • St4rk, weaknespase and everyone involved in PkgDecrypt. For zRIF string decode/inflate code.
  • devnoname120 for hmac_sha256 crypto primitives that were used in initial implementation.
  • SilicaAndPina for pointing at trophy and savedata pfs.
  • CelesteBlue for indicating possibility of sealedkey usage as local key.
  • tomazzz369 for testing and providing XP build.
  • MRGhidini for testing and integration into Psvimgtools-Easy-FrontEnd.

Other thanks:

  • Chris Venter. For libb64. Integrated as source.

External links

Advertising: