PUP: Difference between revisions
CelesteBlue (talk | contribs) |
CelesteBlue (talk | contribs) |
||
Line 240: | Line 240: | ||
* RSA2048 signature of the PUP regardless of the watermark: size 0x100 bytes. This part IS NOT ENCRYPTED. | * RSA2048 signature of the PUP regardless of the watermark: size 0x100 bytes. This part IS NOT ENCRYPTED. | ||
* SCEWM unique data per issue ID: size = file_size(usually 0x1000) - header_size(0x20) - pup_sig_size(0x100). Its size may vary, check file_size in SCEWM header. | * SCEWM unique data per issue ID: size = file_size(usually 0x1000) - header_size(0x20) - pup_sig_size(0x100). Its size may vary, check file_size in SCEWM header. | ||
== Encrypted content == | |||
After decryption, the data is composed of 2 parts: | |||
=== Message === | |||
The message is generated on developper demand by DevNet server. The message syntax has changed with devnet revisions. | |||
The message is totally independant of the PUP. The same PUP (for example PSVita FW 0.945) downloaded from DevNet in 2011 and in 2018 has different message syntax. | |||
Here 'x' represents an actual character, which I hide for confidentiality. | |||
==== Old message (2011-02) ==== | |||
<pre> | |||
# PUP watermark data that contain DevNet user id, org name, company name, date of PUP downloaded and host IP address | |||
User id:xxxxxx | |||
Org name:xxxxxxxxxxxxxx | |||
Company name:xxxxxxxxxxxxxxxxxxxxxxxxxxxx | |||
Date PUP downloaded:xxxx-xx-xx xx:xx | |||
Host IP address:xxx.xxx.xxx.xxx | |||
</pre> | |||
==== Recent message (2018-04) ==== | |||
<pre> | |||
# PUP watermark data contain a serial_number that associates with the user who download this PUP | |||
# Provide the serial number below to the DevNet development team to get user and org details. | |||
PUP serial number:xxxxxxxx | |||
</pre> | |||
=== Signature === | |||
It is RSA2048 of the watermark + maybe other data. | |||
== Security == | == Security == |
Revision as of 20:31, 27 December 2019
PUP files are update archives for the Vita.
PUP Structure
A good resource on the PUP structure can be found HERE.
Update .PKG files
Most of the files in the update PUP are .pkg files, a sort of Certified File.
Each component of the update is broken up into multiple parts, then optionally compressed, and finally encrypted into the PKG.
Package Header
Right after the Certified File header (usually at offset 0x400) is the update package header that provides information for piecing the component back together. The contents of this header is as follows:
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Version (0x4) |
0x4 | 0x4 | Type ID |
0x8 | 0x4 | Flags |
0xC | 0x4 | ? |
0x10 | 0x8 | Update FW Version |
0x18 | 0x8 | Final (decompressed) size |
0x20 | 0x8 | Decrypted size |
0x28 | 0x8 | ? |
0x30 | 0x4 | ? |
0x34 | 0x4 | ? |
0x38 | 0xC | ? |
0x3C | 0x4 | ? |
0x40 | 0x8 | ? |
0x48 | 0x8 | ? |
0x50 | 0x8 | Offset |
0x58 | 0x8 | Size |
0x60 | 0x8 | Part Index |
0x68 | 0x8 | Total Parts |
0x70 | 0x8 | ? |
0x78 | 0x8 | ? |
Flags
There are flags that are set in the package header. Some potential ones are listed here.
Flag | Description |
---|---|
0x10 | Set when compressed |
0x2 | Has multiple parts |
0x1 | Set when compressed |
Type ID
The type id determines which decryption routine to use in SceSblSsUpdateMgr. There is a truth table to determine which id can be handled by which decryption function. To see how this table is used, check out the example code for decrypting packages.
Type ID | Func 1? | Func 2? | Func 3? |
---|---|---|---|
0x0 | No | No | No |
0x1 | Yes | Yes | No |
0x2 | No | No | No |
0x3 | No | No | Yes |
0x4 | No | No | Yes |
0x5 | No | No | No |
0x6 | No | No | No |
0x7 | No | No | No |
0x8 | Yes | Yes | No |
0x9 | Yes | Yes | No |
0xA | Yes | Yes | Yes |
0xB | Yes | Yes | No |
0xC | Yes | Yes | No |
0xD | Yes | Yes | No |
0xE | No | No | No |
0xF | Yes | Yes | No |
0x10 | Yes | Yes | No |
0x11 | Yes | Yes | No |
0x12 | Yes | Yes | No |
0x13 | Yes | Yes | No |
0x14 | Yes | Yes | No |
0x15 | Yes | Yes | Yes |
0x16 | Yes | Yes | Yes |
0x17 | Yes | Yes | Yes |
0x18 | Yes | Yes | No |
0x19 | Yes | Yes | No |
0x1A | No | No | No |
0x1B | No | No | Yes |
Type ID (Identifier)
The type ID is also used to identify the component of the update.
Type ID | Note |
---|---|
0x0 | |
0x1 | os0 partition
|
0x2 | |
0x3 | |
0x4 | Permissions related to TAR archives of type 0x16 |
0x5 | |
0x6 | |
0x7 | |
0x8 | Syscon Update (0x9A54 type) |
0x9 | SLB2 bootloaders |
0xA | vs0 partition
|
0xB | Development CP firmware (same file as PUP entry 0x2006) |
0xC | Motion related |
0xD | Bbmc related |
0xE | |
0xF | Motion related |
0x10 | Touch/Syscon related |
0x11 | Touch related |
0x12 | Syscon related |
0x13 | Syscon related |
0x14 | Syscon Update (0x3665 type) |
0x15 | |
0x16 | TAR archive, patch update for vs0
|
0x17 | sa0 partition
|
0x18 | pd0 partition
|
0x19 | Syscon Update (0xC5E7 type) |
0x1A | |
0x1B | PSP Emulator lists |
SCEWM
Header
This is a watermark for PUPs. For development PUPs, the Issue ID is unique to the company/organization the PUP is issued to.
Offset | Size | Description |
---|---|---|
0x0 | 0x6 | Magic "SCEWM\0" |
0x6 | 0x2 | ?Version? (ex: 00 01) |
0x8 | 0x4 | Unknown (ex: 01 00 00 00) |
0xC | 0x4 | Content size including RSA area (ex: 0x1000) |
0x10 | 0x4 | Issue ID (ex: 0xD9) |
0x14 | 0x4 | Unknown (ex: 01 00 00 00) |
0x18 | 0x4 | Unknown (ex: 01 00 00 00) |
0x1C | 0x4 | Unknown (ex: 01 00 00 00) |
The Issue ID for SCE/retail PUPs seems to be 0x5A.
Content
The SCEWM file is composed of 3 parts:
- SCEWM header: size 0x20 bytes.
- RSA2048 signature of the PUP regardless of the watermark: size 0x100 bytes. This part IS NOT ENCRYPTED.
- SCEWM unique data per issue ID: size = file_size(usually 0x1000) - header_size(0x20) - pup_sig_size(0x100). Its size may vary, check file_size in SCEWM header.
Encrypted content
After decryption, the data is composed of 2 parts:
Message
The message is generated on developper demand by DevNet server. The message syntax has changed with devnet revisions.
The message is totally independant of the PUP. The same PUP (for example PSVita FW 0.945) downloaded from DevNet in 2011 and in 2018 has different message syntax.
Here 'x' represents an actual character, which I hide for confidentiality.
Old message (2011-02)
# PUP watermark data that contain DevNet user id, org name, company name, date of PUP downloaded and host IP address User id:xxxxxx Org name:xxxxxxxxxxxxxx Company name:xxxxxxxxxxxxxxxxxxxxxxxxxxxx Date PUP downloaded:xxxx-xx-xx xx:xx Host IP address:xxx.xxx.xxx.xxx
Recent message (2018-04)
# PUP watermark data contain a serial_number that associates with the user who download this PUP # Provide the serial number below to the DevNet development team to get user and org details. PUP serial number:xxxxxxxx
Signature
It is RSA2048 of the watermark + maybe other data.
Security
When comparing same PUP signed for two different issue IDs, we can notice only 2 differences:
- the issue ID in SCEWM header
- the SCEWM unique data