SceNpDrm: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
No edit summary
Line 149: Line 149:


== RIF ==
== RIF ==
The RIF files are used as the PKG file's DRM. For each installed PKG you will have an specific RIF file with the proper information. The RIF files holds important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].  
The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].  


PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.
PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.

Revision as of 00:55, 31 December 2016

Module

Known NIDs

Version Name World Privilege NID
1.69 SceNpDrm Non-secure Kernel 0xACCB4845

Libraries

Known NIDs

Version Name World Visibility NID
1.69 SceNpDrm Non-secure User 0xF2799B1B
1.69 SceNpDrmForDriver Non-secure Kernel 0xD84DC44A
1.69 SceNpDrmPackage Non-secure User 0x88514DB2

SceNpDrm

_sceNpDrmCheckDrmReset

Version NID
1.69 0x4458812B

_sceNpDrmRemoveActData

Version NID
1.69 0x507D06A6

_sceNpDrmGetRifName

Version NID
1.69 0xB8C5DA7C

_sceNpDrmGetRifNameForInstall

Version NID
1.69 0xD312424D

_sceNpDrmGetRifInfo

Version NID
1.69 0xE8343660

_sceNpDrmGetFixedRifName

Version NID
1.69 0xE935B0FC

_sceNpDrmCheckActData

Version NID
1.69 0xFEEBCD62

SceNpDrmForDriver

SceNpDrmCheckRifForDriver

Version NID
3.60 0xDB406EAE

SceNpDrmPackage

_sceNpDrmPackageTransform

Version NID
1.69 0x567DCA1

_sceNpDrmPackageInstallFinished

Version NID
1.69 0x6896EAF2

_sceNpDrmPackageCheck

Version NID
1.69 0xA1D885FA

sceNpDrmPackageIsGameExist

Version NID
1.69 0xB9337914

_sceNpDrmPackageInstallStarted

Version NID
1.69 0xCEC18DA4

_sceNpDrmPackageDecrypt

Version NID
1.69 0xD6F05ACC

sceNpDrmPackageInstallOngoing

Version NID
1.69 0xED0471FE

Package integrity checks

Disable hash/signature verification

To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like if ( (v62 & 7) == 3 ); below you will see the assignment check_func = &off_81009CFC;. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.

Note that on 1.60 this module sometimes is loaded at different addresses between reboots.

Allow debug packages to be installed

Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.

Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.

RIF

The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].

PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.

Name Offset Size
Version 0x0 0x4
License Type 0x4 0x4
PSN Account ID 0x8 0x8
Content ID 0x10 0x30
Unknown 0x40 0x10
RIF Key 0x50 0x10
License start time 0x60 0x8
License expiration time 0x68 0x8
ECDSA Signature 0x70 0x28
Unknown 0x98 0x68
RSA Signature 0x100 0x100