PSVIMG: Difference between revisions

From Vita Development Wiki
Line 2: Line 2:


== Generating PSVIMG ==
== Generating PSVIMG ==
When [[CMA]] is used to backup system, game, or savedata from the Vita to a PC or PS3, the following algorithm is used:
 
When [[CMA]] is used to backup system, game, or savedata from the PSVita to a PC or PS3, the following algorithm is used:


# Using a tar-like structure, stream all of the file data into a file.
# Using a tar-like structure, stream all of the file data into a file.
# If making a PSVMD file, use the deflate algorithm to compress.
# If making a PSVMD file, use the deflate algorithm to compress.
# Generate a random nonce for the first 0x10 bytes using the RndNumber syscall.
# Generate a random nonce for the first 0x10 bytes using the RndNumber syscall.
# Generate a unique session AES256 key using a secret phrase and the PSN account id of the PSVita.
# Generate a unique session AES256-CBC key using a secret phrase and the PSN account id.
# Generate a SHA256 hash of the plaintext every 0x8000 bytes and insert the hash into the filestream.
# Generate a SHA256 hash of the plaintext every 0x8000 bytes and insert the hash into the filestream.
# Encrypt the stream data using EncDecKeygen syscall from [[SceSblSsMgr#SceSblDmac5Mgr|SceSblDmac5Mgr]] with the nonce as the header and the AES256 session key.
# Encrypt the stream data using [[SceSblSsMgr#sceSblDmac5EncDecKeyGen|sceSblDmac5EncDecKeyGen]] with the nonce as the header and the AES256-CBC session key.
# Transmit to PC or PS3.
# Transmit to PC or PS3.


=== Secrets ===
=== Secrets ===
If you look at the 16 character hex directory name included in part of the backup path, that is your PSN Account Id.
 
The AES256 session key is calculated by doing a SHA256 hash of the 8 byte hex binary representation of the PSN Account Id followed by the secret phrase:
If you look on your PC at the 16 character hex directory name included in part of the backup path, that is your PSN Account Id.
The AES256-CBC session key is calculated by doing a SHA256 hash of the 8 byte hex binary representation of the PSN Account Id followed by the secret phrase:
<code>Sri Jayewardenepura Kotte</code>
<code>Sri Jayewardenepura Kotte</code>


==== Example ====
==== Example ====


Buffer:
Buffer of an example of PSN Account Id:
<source>
<source>
01 23 45 67 89 AB CD EF 53 72 69 20 4A 61 79 65 77
01 23 45 67 89 AB CD EF 53 72 69 20 4A 61 79 65 77
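Review bot: Steps 4 and 6 now attach the cipher mode to the key ("AES256-CBC session key"), while step 3 still calls the first 0x10 bytes a "random nonce". With CBC named, that 16-byte value reads as the IV, so either say so in step 3 or explain how the nonce is used. It would also be cleaner to keep "AES256 session key" in step 4 and state the mode once in step 6, where the encryption happens. Step 4 also drops "of the PSVita" without saying whose PSN account id is meant.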
Line 25: Line 27:
</source>
</source>


SHA256 of this buffer generates the AES256 session key of:
SHA256 of this buffer consists in the AES256-CBC session key:
<source>
<source>
02EAAB5A00EC9D4207E8B1F53F8A2F3F91F1A73AAFDD2A81CCFEE3E83E5B101A
02EAAB5A00EC9D4207E8B1F53F8A2F3F91F1A73AAFDD2A81CCFEE3E83E5B101A
</source>
</source>


To generate the PSVIMG AES key, the buffer is decrypted using AES128ECB with a 128 bits key located at offset 0x82DC in the 3.60 kprx_auth_sm (Prototype units use another key located at offset 0x7294 in 1.03 kprx_auth_sm ).
To generate the PSVIMG AES key, the buffer is decrypted using AES128-ECB with a 128 bits key located at offset 0x82DC in the 3.60 kprx_auth_sm (Prototype units use another key located at offset 0x7294 in 1.03 kprx_auth_sm ).


This key is set though kprx_auth_sm using [[F00D_Commands#0x50001|service 0x50001]]).
This key is set though kprx_auth_sm using [[F00D_Commands#0x50001|service 0x50001]]).
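Review bot: The reworded sentence "SHA256 of this buffer consists in the AES256-CBC session key" presents the digest as the session key itself, but the next paragraph says the buffer is then decrypted with AES128-ECB "to generate the PSVIMG AES key". The text should say which of the two values is actually used to encrypt the stream, and "consists in" should be "is" if the digest really is the key. The untouched line "This key is set though kprx_auth_sm ... service 0x50001])." still has the typo "though" and an unmatched closing parenthesis, which this revision could fix while it is here.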
Line 44: Line 46:
</source>
</source>


SHA-256: 186F29050C0D0D99038D86EFA9B6AD332E59564B7FFCA97985C09D64BD4BC442
SHA-256:
<source>
186F29050C0D0D99038D86EFA9B6AD332E59564B7FFCA97985C09D64BD4BC442
</source>


The encrypted above hash produces the following result:
The encrypted above hash produces the following result:
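Review bot: Moving the SHA-256 value into its own source block is fine, but the sentence that follows it, "The encrypted above hash produces the following result", is left as is and conflicts with the earlier paragraph, which says the buffer is decrypted using AES128-ECB. State which operation is applied to the hash, and reword to something like "Encrypting the above hash produces the following result" once that is settled.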

Revision as of 18:30, 3 February 2019

PSVIMG files are encrypted files generated by CMA when backing up and restoring data from the Vita. The format is documented in this tool [1].

Generating PSVIMG

When CMA is used to back up system, game, or savedata from the PSVita to a PC or PS3, the following algorithm is used:

  1. Using a tar-like structure, stream all of the file data into a file.
  2. If making a PSVMD file, use the deflate algorithm to compress.
  3. Generate a random nonce for the first 0x10 bytes using the RndNumber syscall.
  4. Generate a unique session AES256-CBC key using a secret phrase and the PSN account id.
  5. Generate a SHA256 hash of the plaintext every 0x8000 bytes and insert the hash into the filestream.
  6. Encrypt the stream data using sceSblDmac5EncDecKeyGen with the nonce as the header and the AES256-CBC session key.
  7. Transmit to PC or PS3.

Secrets

The 16-character hex directory name that forms part of the backup path on your PC is your PSN Account Id. The AES256-CBC session key is calculated by taking the SHA256 hash of the 8-byte binary form of the hex PSN Account Id followed by the secret phrase: Sri Jayewardenepura Kotte

Example

Buffer for an example PSN Account Id:

01 23 45 67 89 AB CD EF 53 72 69 20 4A 61 79 65 77
61 72 64 65 6E 65 70 75 72 61 20 4B 6F 74 74 65

The SHA256 of this buffer is the AES256-CBC session key:

02EAAB5A00EC9D4207E8B1F53F8A2F3F91F1A73AAFDD2A81CCFEE3E83E5B101A

To generate the PSVIMG AES key, the buffer is decrypted using AES128-ECB with a 128-bit key located at offset 0x82DC in the 3.60 kprx_auth_sm (prototype units use another key located at offset 0x7294 in the 1.03 kprx_auth_sm).

This key is set through kprx_auth_sm using service 0x50001.

It is then used in conjunction with encdec_w_portability to decrypt/encrypt PSVIMG blocks.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 00 00 00 00 00 00 00 53 72 69 20 4A 61 79 65  ........Sri Jaye
00000010  77 61 72 64 65 6E 65 70 75 72 61 20 4B 6F 74 74  wardenepura Kott
00000020  65                                               e

SHA-256:

186F29050C0D0D99038D86EFA9B6AD332E59564B7FFCA97985C09D64BD4BC442

Encrypting the above hash produces the following result:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  65 DE EF DE 3A 14 10 B5 6F 60 D0 AB B9 D9 9D FA  eÞïÞ:..µo`Ы¹Ù.ú
00000010  97 45 BF 55 C9 22 E3 44 A1 13 2E EB 67 60 9C 0D  —E¿UÉ"ãD¡..ëg`œ.
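
The buffer construction from the Secrets and Example sections and the 0x8000-byte plaintext hashing from step 5, as an added example that is not part of the wiki page or of any CMA tool. The function names are hypothetical, and the layout assumed here (each SHA256 digest placed directly after the block it covers) is an assumption; the page only says the hash is inserted into the filestream. The AES128-ECB and AES256-CBC steps are left out because the keys are not on the page.

```python
import hashlib

SECRET_PHRASE = b"Sri Jayewardenepura Kotte"  # secret phrase quoted on the page
BLOCK_SIZE = 0x8000                           # plaintext hash interval (step 5)
DIGEST_SIZE = hashlib.sha256().digest_size    # 32 bytes


def key_material(account_id_hex: str) -> bytes:
    """8-byte binary PSN Account Id followed by the secret phrase."""
    if len(account_id_hex) != 16:
        raise ValueError("PSN Account Id must be 16 hex characters")
    return bytes.fromhex(account_id_hex) + SECRET_PHRASE


def session_hash(account_id_hex: str) -> bytes:
    """SHA256 over the buffer shown in the Example section."""
    return hashlib.sha256(key_material(account_id_hex)).digest()


def interleave_hashes(plaintext: bytes) -> bytes:
    """Append SHA256(block) after every BLOCK_SIZE bytes (assumed layout)."""
    out = bytearray()
    for off in range(0, len(plaintext), BLOCK_SIZE):
        block = plaintext[off:off + BLOCK_SIZE]
        out += block + hashlib.sha256(block).digest()
    return bytes(out)


def verify_stream(stream: bytes) -> int:
    """Return the index of the first block whose hash fails, or -1 if all pass."""
    step = BLOCK_SIZE + DIGEST_SIZE
    for index, off in enumerate(range(0, len(stream), step)):
        chunk = stream[off:off + step]
        if len(chunk) <= DIGEST_SIZE:
            return index  # truncated: no room for data plus digest
        block, digest = chunk[:-DIGEST_SIZE], chunk[-DIGEST_SIZE:]
        if hashlib.sha256(block).digest() != digest:
            return index
    return -1


if __name__ == "__main__":
    # Sample account id from the page's Example section.
    print(key_material("0123456789ABCDEF").hex(" ").upper())
    print(session_hash("0123456789ABCDEF").hex().upper())
```

Running it prints the 33-byte buffer and its digest for the sample account id, which can be compared with the values listed in the Example section.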