PUP: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
Line 240: Line 240:
* RSA2048 signature of the PUP regardless of the watermark: size 0x100 bytes. This part IS NOT ENCRYPTED.
* RSA2048 signature of the PUP regardless of the watermark: size 0x100 bytes. This part IS NOT ENCRYPTED.
* SCEWM unique data per issue ID: size = file_size(usually 0x1000) - header_size(0x20) - pup_sig_size(0x100). Its size may vary, check file_size in SCEWM header.
* SCEWM unique data per issue ID: size = file_size(usually 0x1000) - header_size(0x20) - pup_sig_size(0x100). Its size may vary, check file_size in SCEWM header.
== Encrypted content ==
After decryption, the data is composed of 2 parts:
=== Message ===
The message is generated on developper demand by DevNet server. The message syntax has changed with devnet revisions.
The message is totally independant of the PUP. The same PUP (for example PSVita FW 0.945) downloaded from DevNet in 2011 and in 2018 has different message syntax.
Here 'x' represents an actual character, which I hide for confidentiality.
==== Old message (2011-02) ====
<pre>
# PUP watermark data that contain DevNet user id, org name, company name, date of PUP downloaded and host IP address
User id:xxxxxx
Org name:xxxxxxxxxxxxxx
Company name:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Date PUP downloaded:xxxx-xx-xx xx:xx
Host IP address:xxx.xxx.xxx.xxx
</pre>
==== Recent message (2018-04) ====
<pre>
# PUP watermark data contain a serial_number that associates with the user who download this PUP
# Provide the serial number below to the DevNet development team to get user and org details.
PUP serial number:xxxxxxxx
</pre>
=== Signature ===
It is RSA2048 of the watermark + maybe other data.


== Security ==
== Security ==

Revision as of 20:31, 27 December 2019

PUP files are update archives for the Vita.

PUP Structure

A good resource on the PUP structure can be found HERE.

Update .PKG files

Most of the files in the update PUP are .pkg files, a sort of Certified File.

Each component of the update is broken up into multiple parts, then optionally compressed, and finally encrypted into the PKG.

Package Header

Right after the Certified File header (usually at offset 0x400) is the update package header that provides information for piecing the component back together. The contents of this header is as follows:

Offset Size Description
0x0 0x4 Version (0x4)
0x4 0x4 Type ID
0x8 0x4 Flags
0xC 0x4 ?
0x10 0x8 Update FW Version
0x18 0x8 Final (decompressed) size
0x20 0x8 Decrypted size
0x28 0x8 ?
0x30 0x4 ?
0x34 0x4 ?
0x38 0xC ?
0x3C 0x4 ?
0x40 0x8 ?
0x48 0x8 ?
0x50 0x8 Offset
0x58 0x8 Size
0x60 0x8 Part Index
0x68 0x8 Total Parts
0x70 0x8 ?
0x78 0x8 ?

Flags

There are flags that are set in the package header. Some potential ones are listed here.

Flag Description
0x10 Set when compressed
0x2 Has multiple parts
0x1 Set when compressed

Type ID

The type id determines which decryption routine to use in SceSblSsUpdateMgr. There is a truth table to determine which id can be handled by which decryption function. To see how this table is used, check out the example code for decrypting packages.

Type ID Func 1? Func 2? Func 3?
0x0 No No No
0x1 Yes Yes No
0x2 No No No
0x3 No No Yes
0x4 No No Yes
0x5 No No No
0x6 No No No
0x7 No No No
0x8 Yes Yes No
0x9 Yes Yes No
0xA Yes Yes Yes
0xB Yes Yes No
0xC Yes Yes No
0xD Yes Yes No
0xE No No No
0xF Yes Yes No
0x10 Yes Yes No
0x11 Yes Yes No
0x12 Yes Yes No
0x13 Yes Yes No
0x14 Yes Yes No
0x15 Yes Yes Yes
0x16 Yes Yes Yes
0x17 Yes Yes Yes
0x18 Yes Yes No
0x19 Yes Yes No
0x1A No No No
0x1B No No Yes

Type ID (Identifier)

The type ID is also used to identify the component of the update.

Type ID Note
0x0
0x1 os0 partition
0x2
0x3
0x4 Permissions related to TAR archives of type 0x16
0x5
0x6
0x7
0x8 Syscon Update (0x9A54 type)
0x9 SLB2 bootloaders
0xA vs0 partition
0xB Development CP firmware (same file as PUP entry 0x2006)
0xC Motion related
0xD Bbmc related
0xE
0xF Motion related
0x10 Touch/Syscon related
0x11 Touch related
0x12 Syscon related
0x13 Syscon related
0x14 Syscon Update (0x3665 type)
0x15
0x16 TAR archive, patch update for vs0
0x17 sa0 partition
0x18 pd0 partition
0x19 Syscon Update (0xC5E7 type)
0x1A
0x1B PSP Emulator lists

SCEWM

Header

This is a watermark for PUPs. For development PUPs, the Issue ID is unique to the company/organization the PUP is issued to.

Offset Size Description
0x0 0x6 Magic "SCEWM\0"
0x6 0x2 ?Version? (ex: 00 01)
0x8 0x4 Unknown (ex: 01 00 00 00)
0xC 0x4 Content size including RSA area (ex: 0x1000)
0x10 0x4 Issue ID (ex: 0xD9)
0x14 0x4 Unknown (ex: 01 00 00 00)
0x18 0x4 Unknown (ex: 01 00 00 00)
0x1C 0x4 Unknown (ex: 01 00 00 00)

The Issue ID for SCE/retail PUPs seems to be 0x5A.

Content

The SCEWM file is composed of 3 parts:

  • SCEWM header: size 0x20 bytes.
  • RSA2048 signature of the PUP regardless of the watermark: size 0x100 bytes. This part IS NOT ENCRYPTED.
  • SCEWM unique data per issue ID: size = file_size(usually 0x1000) - header_size(0x20) - pup_sig_size(0x100). Its size may vary, check file_size in SCEWM header.

Encrypted content

After decryption, the data is composed of 2 parts:

Message

The message is generated on developper demand by DevNet server. The message syntax has changed with devnet revisions.

The message is totally independant of the PUP. The same PUP (for example PSVita FW 0.945) downloaded from DevNet in 2011 and in 2018 has different message syntax.

Here 'x' represents an actual character, which I hide for confidentiality.

Old message (2011-02)

# PUP watermark data that contain DevNet user id, org name, company name, date of PUP downloaded and host IP address
User id:xxxxxx
Org name:xxxxxxxxxxxxxx
Company name:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Date PUP downloaded:xxxx-xx-xx xx:xx
Host IP address:xxx.xxx.xxx.xxx

Recent message (2018-04)

# PUP watermark data contain a serial_number that associates with the user who download this PUP
# Provide the serial number below to the DevNet development team to get user and org details.
PUP serial number:xxxxxxxx

Signature

It is RSA2048 of the watermark + maybe other data.

Security

When comparing same PUP signed for two different issue IDs, we can notice only 2 differences:

  • the issue ID in SCEWM header
  • the SCEWM unique data