SceNpDrm

From Vita Development Wiki
Revision as of 11:31, 4 July 2015 by Xyz (→ Disable hash/signature verification)

Library

Known NIDs

Version Name World Privilege NID
1.69 SceNpDrm Non-secure Kernel 0xACCB4845

Modules

Known NIDs

Version Name World Visibility NID
1.69 SceNpDrm Non-secure User 0xF2799B1B
1.69 SceNpDrmForDriver Non-secure Kernel 0xD84DC44A
1.69 SceNpDrmPackage Non-secure User 0x88514DB2

SceNpDrm

_sceNpDrmCheckDrmReset

Version NID
1.69 0x4458812B

_sceNpDrmRemoveActData

Version NID
1.69 0x507D06A6

_sceNpDrmGetRifName

Version NID
1.69 0xB8C5DA7C

_sceNpDrmGetRifNameForInstall

Version NID
1.69 0xD312424D

_sceNpDrmGetRifInfo

Version NID
1.69 0xE8343660

_sceNpDrmGetFixedRifName

Version NID
1.69 0xE935B0FC

_sceNpDrmCheckActData

Version NID
1.69 0xFEEBCD62

SceNpDrmForDriver

SceNpDrmPackage

_sceNpDrmPackageTransform

Version NID
1.69 0x567DCA1

_sceNpDrmPackageInstallFinished

Version NID
1.69 0x6896EAF2

_sceNpDrmPackageCheck

Version NID
1.69 0xA1D885FA

sceNpDrmPackageIsGameExist

Version NID
1.69 0xB9337914

_sceNpDrmPackageInstallStarted

Version NID
1.69 0xCEC18DA4

_sceNpDrmPackageDecrypt

Version NID
1.69 0xD6F05ACC

sceNpDrmPackageInstallOngoing

Version NID
1.69 0xED0471FE

Package integrity checks

Disable hash/signature verification

To find the function responsible for package verification, search for the immediate 0x7F504B47 ('.PKG'). This function does a lot of work, including selecting the function that will perform the signature checks. Find the condition that looks like if ( (v62 & 7) == 3 ); below it you will see the assignment check_func = &off_81009CFC;. To bypass signature checks you need to patch the two functions located at this offset and at offset+4; making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.

Note that on 1.60 this module is sometimes loaded at different addresses between reboots.

Allow debug packages to be installed

Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.

Search for the immediate 0x80870003; there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.