SceNpDrm: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
Line 325: Line 325:


Related to sceSblGcAuthMgrPcactActivation
Related to sceSblGcAuthMgrPcactActivation
<source lang="C">
//data is of size 0x1040
int unk_742EBAF4(void *data, const char *aes_dec_key);
</source>


=== unk_D91C3BCE ===
=== unk_D91C3BCE ===

Revision as of 01:56, 15 June 2017

Module

Known NIDs

Version Name World Privilege NID
1.69 SceNpDrm Non-secure Kernel 0xACCB4845
3.60 SceNpDrm ? Kernel 0xE7E2CE05

Libraries

Known NIDs

Version Name World Visibility NID
1.69 SceNpDrm Non-secure User 0xF2799B1B
3.60 SceNpDrm ? User 0xF2799B1B
1.69 SceNpDrmForDriver Non-secure Kernel 0xD84DC44A
3.60 SceNpDrmForDriver ? Kernel 0xD84DC44A
1.69 SceNpDrmPackage Non-secure User 0x88514DB2
3.60 SceNpDrmPackage ? User 0x88514DB2
3.60 ScePsmDrm ? User 0x3F2B0888
3.60 ScePsmDrmForDriver ? Kernel 0x9F4924F2

SceNpDrm

_sceNpDrmCheckDrmReset

Version NID
1.69 0x4458812B
3.60 0x4458812B

_sceNpDrmRemoveActData

Version NID
1.69 0x507D06A6
3.60 0x507D06A6

_sceNpDrmGetRifName

Version NID
1.69 0xB8C5DA7C
3.60 0xB8C5DA7C

_sceNpDrmGetRifNameForInstall

Version NID
1.69 0xD312424D
3.60 0xD312424D

_sceNpDrmGetRifInfo

Version NID
1.69 0xE8343660
3.60 0xE8343660
typedef struct _sceNpDrmGetRifInfo_opt //size is 0x28
{
  char* unk_0; // buffer of size 0x30
  char* unk_4; // buffer of size 0x8
  char* unk_8; // buffer of size 0x4
  char* unk_C; // buffer of size 0x4 
  char* unk_10; // buffer of size 0x4
  char* unk_14; // buffer of size 0x4
  char* unk_18; // buffer of size 0x8
  char* unk_1C; // buffer of size 0x8
  char* unk_20; // buffer of size 0x8
}_sceNpDrmGetRifInfo_opt;

//rif data is of size 0x200

int _sceNpDrmGetRifInfo(void* rif_data, int rif_size, int num, _sceNpDrmGetRifInfo_opt* opt);

_sceNpDrmGetFixedRifName

Version NID
1.69 0xE935B0FC
3.60 0xE935B0FC

_sceNpDrmCheckActData

Version NID
1.69 0xFEEBCD62
3.60 0xFEEBCD62

_sceNpDrmPresetRifProvisionalFlag

Version NID
3.60 0x2523F57F

SceNpDrmForDriver

sceNpDrmGetRifInfoForDriver

Version NID
3.60 0xDB406EAE

was previously called SceNpDrmCheckRifForDriver

check _sceNpDrmGetRifInfo for buffer sizes

 int sceNpDrmGetRifInfoForDriver(void* rif_data, int rif_size, int num, void* out0, void* out1, void* out2, void* out3, void* out4, void* out5, void* out6, void* out7, void* out8);

sceNpDrmPackageSetGameExistForDriver

Version NID
3.60 0x3BFD2850

sceNpDrmGetFixedRifNameForDriver

Version NID
3.60 0x5D73448C
int sceNpDrmGetFixedRifNameForDriver(char* name);

sceNpDrmGetRifNameForDriver

Version NID
3.60 0xDF62F3B8
int sceNpDrmGetRifNameForDriver(char *name, int unk1, int unk2, int unk3);

sceNpDrmGetRifNameForInstallForDriver

Version NID
3.60 0x17573133
int sceNpDrmGetRifNameForInstallForDriver(char *name, void *unk, int num);

sceNpDrmPresetRifProvisionalFlagForDriver

Version NID
3.60 0xC070FE89

sceNpDrmCheckActDataForDriver

Version NID
3.60 0x9265B350

sceNpDrmRemoveActDataForDriver

Version NID
3.60 0x8B85A509

sceNpDrmUpdateAccountIdForDriver

Version NID
3.60 0x116FC0D6

sceNpDrmEbootSigGenMultiDiscForDriver

Version NID
3.60 0x39A7A666

sceNpDrmEbootSigGenPs1ForDriver

Version NID
3.60 0x6D9223E1

sceNpDrmGetLegacyDocKeyForDriver

Version NID
3.60 0x4E321BDE

sceNpDrmEbootSigVerifyForDriver

Version NID
3.60 0x7A319692

sceNpDrmEbootSigGenPspForDriver

Version NID
3.60 0x90B1A6D3

sceNpDrmEbootSigConvertForDriver

Version NID
3.60 0xA29B75F9

sceNpDrmPspEbootVerifyForDriver

Version NID
3.60 0xB6CA3A2C

sceNpDrmPspEbootSigGenForDriver

Version NID
3.60 0xEF387FC4

sceNpDrmIsLooseAccountBindForDriver

Version NID
3.60 0xFC84CA1A

sceNpDrmUpdateDebugSettingsForDriver

Version NID
3.60 0xA91C7443

sceNpDrmGetRifPspKeyForDriver

Version NID
3.60 0xDACB71F4

I guess this one was originally derived from the code of SceCompat

sceNpDrmGetRifVitaKeyForDriver

Version NID
3.60 0x723322B5

I guess this one was originally derived from the code of SceAppMgr

unk_742EBAF4

Version NID
3.60 0x742EBAF4

Related to sceSblGcAuthMgrPcactActivation

//data is of size 0x1040
int unk_742EBAF4(void *data, const char *aes_dec_key);

unk_D91C3BCE

Version NID
3.60 0xD91C3BCE

Related to sceSblGcAuthMgrPcactGetChallenge

verify_rif

Version NID
3.60 0xFE7B17B6

verify ECDSA - SHA1 pair or RSA - SHA256 pair

int verify_rif(void* rif_data, int rif_size);

SceNpDrmPackage

_sceNpDrmPackageTransform

Version NID
1.69 0x567DCA1
3.60 0x567DCA1

_sceNpDrmPackageInstallFinished

Version NID
1.69 0x6896EAF2
3.60 0x6896EAF2

_sceNpDrmPackageCheck

Version NID
1.69 0xA1D885FA
3.60 0xA1D885FA

sceNpDrmPackageIsGameExist

Version NID
1.69 0xB9337914
3.60 0xB9337914

_sceNpDrmPackageInstallStarted

Version NID
1.69 0xCEC18DA4
3.60 0xCEC18DA4

_sceNpDrmPackageDecrypt

Version NID
1.69 0xD6F05ACC
3.60 0xD6F05ACC

sceNpDrmPackageInstallOngoing

Version NID
1.69 0xED0471FE
3.60 0xED0471FE

_sceNpDrmPackageUninstallFinished

Version NID
3.60 0x23A28861

_sceNpDrmPackageUninstallStarted

Version NID
3.60 0x4901C3E6

sceNpDrmPackageUninstallOngoing

Version NID
3.60 0xF1FF6193

ScePsmDrm

get_rif_name

Version NID
3.60 0x0D6470DA
//some data is of size 0x400
int get_rif_name(char *rif_name, void *some_data);

_get_info

Version NID
3.60 0xE31A6220
typedef struct get_info_opt //size is 0x10
{
 void* out2;
 void* out3;
 uint32_t unk_8;
 uint32_t unk_C;
}get_info_opt

int _get_info(void *some_data, void *out0, void *out1, get_info_opt *opt);

ScePsmDrmForDriver

get_info_for_driver

Version NID
3.60 0x984F9017

this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar

//some_data is of size 0x400 and should contain rca signature at offset 0x300
//out0 is of size 0x30
//out1 is of size 0x8
//out2 is of size 0x8
//out3 is of size 0x8
int get_info_for_driver(void *some_data, void *out0, void *out1, void *out2, void *out3);

Package integrity checks

Disable hash/signature verification

To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like if ( (v62 & 7) == 3 ); below you will see the assignment check_func = &off_81009CFC;. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.

Note that on 1.60 this module sometimes is loaded at different addresses between reboots.

Allow debug packages to be installed

Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.

Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.

RIF

The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].

PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.

Name Offset Size
Version 0x0 0x4
License Type 0x4 0x4
PSN Account ID 0x8 0x8
Content ID 0x10 0x30
Unknown 0x40 0x10
RIF Key 0x50 0x10
License start time 0x60 0x8
License expiration time 0x68 0x8
ECDSA Signature 0x70 0x28
Unknown 0x98 0x68
RSA Signature 0x100 0x100