|
|
Line 514: |
Line 514: |
| </source> | | </source> |
|
| |
|
| === unk_8C8CFD01 === | | === get_info_2_for_driver === |
| {| class="wikitable" | | {| class="wikitable" |
| |- | | |- |
Line 521: |
Line 521: |
| | 3.60 || 0x8C8CFD01 | | | 3.60 || 0x8C8CFD01 |
| |} | | |} |
| | |
| | this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar |
|
| |
|
| <source lang="C"> | | <source lang="C"> |
Line 528: |
Line 530: |
| //out2 is of size 0x8 | | //out2 is of size 0x8 |
| //out3 is of size 0x8 | | //out3 is of size 0x8 |
| int unk_8C8CFD01(void *data, void *out0, void *out1, void *out2, int out3); | | int get_info_2_for_driver(void *data, void *out0, void *out1, void *out2, int out3); |
| </source> | | </source> |
|
| |
|
Module
Known NIDs
Version |
Name |
World |
Privilege |
NID
|
1.69 |
SceNpDrm |
Non-secure |
Kernel |
0xACCB4845
|
3.60 |
SceNpDrm |
? |
Kernel |
0xE7E2CE05
|
Libraries
Known NIDs
SceNpDrm
_sceNpDrmCheckDrmReset
Version |
NID
|
1.69 |
0x4458812B
|
3.60 |
0x4458812B
|
_sceNpDrmRemoveActData
Version |
NID
|
1.69 |
0x507D06A6
|
3.60 |
0x507D06A6
|
_sceNpDrmGetRifName
Version |
NID
|
1.69 |
0xB8C5DA7C
|
3.60 |
0xB8C5DA7C
|
_sceNpDrmGetRifNameForInstall
Version |
NID
|
1.69 |
0xD312424D
|
3.60 |
0xD312424D
|
_sceNpDrmGetRifInfo
Version |
NID
|
1.69 |
0xE8343660
|
3.60 |
0xE8343660
|
typedef struct _sceNpDrmGetRifInfo_opt //size is 0x28
{
char* unk_0; // buffer of size 0x30
char* unk_4; // buffer of size 0x8
char* unk_8; // buffer of size 0x4
char* unk_C; // buffer of size 0x4
char* unk_10; // buffer of size 0x4
char* unk_14; // buffer of size 0x4
char* unk_18; // buffer of size 0x8
char* unk_1C; // buffer of size 0x8
char* unk_20; // buffer of size 0x8
}_sceNpDrmGetRifInfo_opt;
//rif data is of size 0x200
int _sceNpDrmGetRifInfo(void* rif_data, int rif_size, int num, _sceNpDrmGetRifInfo_opt* opt);
_sceNpDrmGetFixedRifName
Version |
NID
|
1.69 |
0xE935B0FC
|
3.60 |
0xE935B0FC
|
_sceNpDrmCheckActData
Version |
NID
|
1.69 |
0xFEEBCD62
|
3.60 |
0xFEEBCD62
|
_sceNpDrmPresetRifProvisionalFlag
Version |
NID
|
3.60 |
0x2523F57F
|
SceNpDrmForDriver
sceNpDrmGetRifInfoForDriver
Version |
NID
|
3.60 |
0xDB406EAE
|
was previously called SceNpDrmCheckRifForDriver
check _sceNpDrmGetRifInfo for buffer sizes
int sceNpDrmGetRifInfoForDriver(void* rif_data, int rif_size, int num, void* out0, void* out1, void* out2, void* out3, void* out4, void* out5, void* out6, void* out7, void* out8);
sceNpDrmPackageSetGameExistForDriver
Version |
NID
|
3.60 |
0x3BFD2850
|
sceNpDrmGetFixedRifNameForDriver
Version |
NID
|
3.60 |
0x5D73448C
|
int sceNpDrmGetFixedRifNameForDriver(char* name);
sceNpDrmGetRifNameForDriver
Version |
NID
|
3.60 |
0xDF62F3B8
|
int sceNpDrmGetRifNameForDriver(char *name, int unk1, int unk2, int unk3);
sceNpDrmGetRifNameForInstallForDriver
Version |
NID
|
3.60 |
0x17573133
|
int sceNpDrmGetRifNameForInstallForDriver(char *name, void *unk, int num);
sceNpDrmPresetRifProvisionalFlagForDriver
Version |
NID
|
3.60 |
0xC070FE89
|
sceNpDrmCheckActDataForDriver
Version |
NID
|
3.60 |
0x9265B350
|
sceNpDrmRemoveActDataForDriver
Version |
NID
|
3.60 |
0x8B85A509
|
sceNpDrmUpdateAccountIdForDriver
Version |
NID
|
3.60 |
0x116FC0D6
|
sceNpDrmEbootSigGenMultiDiscForDriver
Version |
NID
|
3.60 |
0x39A7A666
|
sceNpDrmEbootSigGenPs1ForDriver
Version |
NID
|
3.60 |
0x6D9223E1
|
sceNpDrmGetLegacyDocKeyForDriver
Version |
NID
|
3.60 |
0x4E321BDE
|
sceNpDrmEbootSigVerifyForDriver
Version |
NID
|
3.60 |
0x7A319692
|
sceNpDrmEbootSigGenPspForDriver
Version |
NID
|
3.60 |
0x90B1A6D3
|
sceNpDrmEbootSigConvertForDriver
Version |
NID
|
3.60 |
0xA29B75F9
|
sceNpDrmPspEbootVerifyForDriver
Version |
NID
|
3.60 |
0xB6CA3A2C
|
sceNpDrmPspEbootSigGenForDriver
Version |
NID
|
3.60 |
0xEF387FC4
|
sceNpDrmIsLooseAccountBindForDriver
Version |
NID
|
3.60 |
0xFC84CA1A
|
sceNpDrmUpdateDebugSettingsForDriver
Version |
NID
|
3.60 |
0xA91C7443
|
sceNpDrmGetRifPspKeyForDriver
Version |
NID
|
3.60 |
0xDACB71F4
|
I guess this one was originally derived from the code of SceCompat
sceNpDrmGetRifVitaKeyForDriver
Version |
NID
|
3.60 |
0x723322B5
|
I guess this one was originally derived from the code of SceAppMgr
unk_742EBAF4
Version |
NID
|
3.60 |
0x742EBAF4
|
Related to sceSblGcAuthMgrPcactActivation
//data is of size 0x1040
int unk_742EBAF4(void *data, const char *aes_dec_key);
unk_D91C3BCE
Version |
NID
|
3.60 |
0xD91C3BCE
|
Related to sceSblGcAuthMgrPcactGetChallenge
verify_rif
Version |
NID
|
3.60 |
0xFE7B17B6
|
verify ECDSA - SHA1 pair or RSA - SHA256 pair
int verify_rif(void* rif_data, int rif_size);
SceNpDrmPackage
_sceNpDrmPackageTransform
Version |
NID
|
1.69 |
0x567DCA1
|
3.60 |
0x567DCA1
|
_sceNpDrmPackageInstallFinished
Version |
NID
|
1.69 |
0x6896EAF2
|
3.60 |
0x6896EAF2
|
_sceNpDrmPackageCheck
Version |
NID
|
1.69 |
0xA1D885FA
|
3.60 |
0xA1D885FA
|
sceNpDrmPackageIsGameExist
Version |
NID
|
1.69 |
0xB9337914
|
3.60 |
0xB9337914
|
_sceNpDrmPackageInstallStarted
Version |
NID
|
1.69 |
0xCEC18DA4
|
3.60 |
0xCEC18DA4
|
_sceNpDrmPackageDecrypt
Version |
NID
|
1.69 |
0xD6F05ACC
|
3.60 |
0xD6F05ACC
|
sceNpDrmPackageInstallOngoing
Version |
NID
|
1.69 |
0xED0471FE
|
3.60 |
0xED0471FE
|
_sceNpDrmPackageUninstallFinished
Version |
NID
|
3.60 |
0x23A28861
|
_sceNpDrmPackageUninstallStarted
Version |
NID
|
3.60 |
0x4901C3E6
|
sceNpDrmPackageUninstallOngoing
Version |
NID
|
3.60 |
0xF1FF6193
|
ScePsmDrm
get_rif_name
Version |
NID
|
3.60 |
0x0D6470DA
|
//some data is of size 0x400
int get_rif_name(char *rif_name, void *some_data);
_get_info
Version |
NID
|
3.60 |
0xE31A6220
|
typedef struct get_info_opt //size is 0x10
{
void* out2;
void* out3;
uint32_t unk_8;
uint32_t unk_C;
}get_info_opt
int _get_info(void *some_data, void *out0, void *out1, get_info_opt *opt);
ScePsmDrmForDriver
get_info_for_driver
Version |
NID
|
3.60 |
0x984F9017
|
this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar
//some_data is of size 0x400 and should contain rca signature at offset 0x300
//out0 is of size 0x30
//out1 is of size 0x8
//out2 is of size 0x8
//out3 is of size 0x8
int get_info_for_driver(void *some_data, void *out0, void *out1, void *out2, void *out3);
unk_CB73E9D3
Version |
NID
|
3.60 |
0xCB73E9D3
|
//data is of size 0x400
int unk_CB73E9D3(void *data, const char *aes_dec_key);
get_info_2_for_driver
Version |
NID
|
3.60 |
0x8C8CFD01
|
this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar
//data is of size 0x400
//out0 is of size 0x200
//out1 is of size 0x4
//out2 is of size 0x8
//out3 is of size 0x8
int get_info_2_for_driver(void *data, void *out0, void *out1, void *out2, int out3);
Package integrity checks
Disable hash/signature verification
To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like if ( (v62 & 7) == 3 )
; below you will see the assignment check_func = &off_81009CFC;
. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.
Note that on 1.60 this module sometimes is loaded at different addresses between reboots.
Allow debug packages to be installed
Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.
Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.
RIF
The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].
PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.
Name
|
Offset
|
Size
|
Version
|
0x0
|
0x4
|
License Type
|
0x4
|
0x4
|
PSN Account ID
|
0x8
|
0x8
|
Content ID
|
0x10
|
0x30
|
Unknown
|
0x40
|
0x10
|
RIF Key
|
0x50
|
0x10
|
License start time
|
0x60
|
0x8
|
License expiration time
|
0x68
|
0x8
|
ECDSA Signature
|
0x70
|
0x28
|
Unknown
|
0x98
|
0x68
|
RSA Signature
|
0x100
|
0x100
|