Module
Known NIDs
Version |
Name |
World |
Privilege |
NID
|
1.69 |
SceNpDrm |
Non-secure |
Kernel |
0xACCB4845
|
3.60 |
SceNpDrm |
? |
Kernel |
0xE7E2CE05
|
Libraries
Known NIDs
Data segment layout
Address |
Size |
Description
|
0x0000 |
0x4 |
SceNpDrm mutex SceUID
|
0x0004 |
0x4 |
ScePsmDrm mutex SceUID
|
0x0008 |
0x8 |
unknown
|
0x0010 |
0xC0 |
constant data decrypted with sceSblAuthMgrGetEKc key 0.
First 0x10 bytes are reencrypted with CID.
First 0x10 bytes are aes_key used to decrypt 0x800 bytes of Primary Key Table from act.dat
Second 0x10 bytes are aes_key used to decrypt Primary Key Table index from rif.
|
0x00D0 |
0xCF8 |
unknown
|
0x0DC8 |
0x4 |
Game Exist flag
|
0x0DCC |
0x4 |
Is DEX flag
|
0x0DD0 |
0x30 |
unknown
|
0x0E00 |
0x1040 |
tm0:/npdrm/act.dat data
|
0x1E40 |
0x400 |
tm0:/psmdrm/act.dat data
|
0x2240 |
0x10 |
OpenPsId
This key is compared against OpenPsId from act.dat
This key is compared to data in rif file at offset 0xC0
|
0x2250 |
0x10 |
unknown
|
0x2260 |
0x4 |
Loose Account Bind flag
|
0x2264 |
0x84 |
unknown
|
SceNpDrm
_sceNpDrmCheckDrmReset
Version |
NID
|
1.69 |
0x4458812B
|
3.60 |
0x4458812B
|
//opt is of size 0x18
int _sceNpDrmCheckDrmReset(int unk0, int unk1, void *opt);
_sceNpDrmRemoveActData
Version |
NID
|
1.69 |
0x507D06A6
|
3.60 |
0x507D06A6
|
//opt is of size 0x8
int _sceNpDrmRemoveActData(int unk0, void* opt);
_sceNpDrmGetRifName
Version |
NID
|
1.69 |
0xB8C5DA7C
|
3.60 |
0xB8C5DA7C
|
int _sceNpDrmGetRifName(char *name, int ignored, int unk2, int unk3);
_sceNpDrmGetRifNameForInstall
Version |
NID
|
1.69 |
0xD312424D
|
3.60 |
0xD312424D
|
//name is of size 0x30
//rif_data is of size 0x200
int _sceNpDrmGetRifNameForInstall(char *name, void *rif_data, int num);
_sceNpDrmGetRifInfo
Version |
NID
|
1.69 |
0xE8343660
|
3.60 |
0xE8343660
|
typedef struct rif_info //size is 0x70
{
char content_id[0x30];
char version_number[0x04];
char rif_lic_flags[0x04];
char lic_type0[0x04]; //lic type related
char lic_type1[0x04]; //lic type related
char account_id[0x08];
char rif_data_98[0x08];
char lic_start_time[0x08];
char lic_exp_time[0x08];
char dec_rif_key[0x10]; //decrypted rif key
}rif_info;
typedef struct _sceNpDrmGetRifInfo_opt //size is 0x28
{
char* content_id;
char* account_id;
char* version_number;
char* rif_lic_flags;
char* lic_type0; //lic type related
char* lic_type1; //lic type related
char* lic_start_time;
char* lic_exp_time;
char* rif_data_98;
}_sceNpDrmGetRifInfo_opt;
//rif data is of size 0x200
int _sceNpDrmGetRifInfo(void* rif_data, int rif_size, int num, _sceNpDrmGetRifInfo_opt* opt);
_sceNpDrmGetFixedRifName
Version |
NID
|
1.69 |
0xE935B0FC
|
3.60 |
0xE935B0FC
|
int _sceNpDrmGetFixedRifName(char *name, int ignored, int unk2, int unk3);
_sceNpDrmCheckActData
Version |
NID
|
1.69 |
0xFEEBCD62
|
3.60 |
0xFEEBCD62
|
//opt is of size 0x10
int _sceNpDrmCheckActData(int unk0, int unk1, int unk2, void* opt);
_sceNpDrmPresetRifProvisionalFlag
Version |
NID
|
3.60 |
0x2523F57F
|
//rif data is of size 0x200
int _sceNpDrmPresetRifProvisionalFlag(void* rif_data);
SceNpDrmForDriver
sceNpDrmGetRifInfoForDriver
Version |
NID
|
3.60 |
0xDB406EAE
|
//rif data is of size 0x200
int sceNpDrmGetRifInfoForDriver(void* rif_data, int rif_size, int num, char* content_id, char* account_id, char* version_number, char* rif_lic_flags, char* lic_type0, char* lic_type1, char* lic_start_time, char* lic_exp_time, char* rif_data_98);
sceNpDrmPackageSetGameExistForDriver
Version |
NID
|
3.60 |
0x3BFD2850
|
int sceNpDrmPackageSetGameExistForDriver(int value);
sceNpDrmGetFixedRifNameForDriver
Version |
NID
|
3.60 |
0x5D73448C
|
//name is of size 0x30
int sceNpDrmGetFixedRifNameForDriver(char *name, int ignored, int unk2, int unk3);
sceNpDrmGetRifNameForDriver
Version |
NID
|
3.60 |
0xDF62F3B8
|
//name is of size 0x30
int sceNpDrmGetRifNameForDriver(char *name, int ignored, int unk2, int unk3);
sceNpDrmGetRifNameForInstallForDriver
Version |
NID
|
3.60 |
0x17573133
|
//name is of size 0x30
//rif data size is unknown but at least 0xF8
int sceNpDrmGetRifNameForInstallForDriver(char *name, void *rif_data, int num);
sceNpDrmPresetRifProvisionalFlagForDriver
Version |
NID
|
3.60 |
0xC070FE89
|
//rif data size is unknown but at least 0xF8
int sceNpDrmPresetRifProvisionalFlagForDriver(void* rif_data, int unk1);
sceNpDrmCheckActDataForDriver
Version |
NID
|
3.60 |
0x9265B350
|
checks tm0:/npdrm/act.dat
//size of act data is 0x1040
int sceNpDrmCheckActDataForDriver(int unk0, int unk1, int unk2, int unk3, int arg_0);
sceNpDrmRemoveActDataForDriver
Version |
NID
|
3.60 |
0x8B85A509
|
checks tm0:/npdrm/act.dat
int sceNpDrmRemoveActDataForDriver(int unk);
sceNpDrmUpdateAccountIdForDriver
Version |
NID
|
3.60 |
0x116FC0D6
|
int sceNpDrmUpdateAccountIdForDriver(int unk0, int unk1);
sceNpDrmEbootSigGenMultiDiscForDriver
Version |
NID
|
3.60 |
0x39A7A666
|
int sceNpDrmEbootSigGenMultiDiscForDriver(int unk0, int unk1, int unk2, int unk3);
sceNpDrmEbootSigGenPs1ForDriver
Version |
NID
|
3.60 |
0x6D9223E1
|
int sceNpDrmEbootSigGenPs1ForDriver(int unk0, int unk1, int unk2, int unk3);
sceNpDrmGetLegacyDocKeyForDriver
Version |
NID
|
3.60 |
0x4E321BDE
|
//rif data is of size 0x200
//data1 is of size 0x90 - most likely decrypted with rif key from rif data using SceSblGcAuthMgr enc_dec 0x4c5de1aa
int sceNpDrmGetLegacyDocKeyForDriver(void *rif_data, void *data1, int unk, void *dest);
sceNpDrmEbootSigVerifyForDriver
Version |
NID
|
3.60 |
0x7A319692
|
int sceNpDrmEbootSigVerifyForDriver(int unk0, int unk1);
sceNpDrmEbootSigGenPspForDriver
Version |
NID
|
3.60 |
0x90B1A6D3
|
int sceNpDrmEbootSigGenPspForDriver(int unk0, int unk1, int unk2, int unk3);
sceNpDrmEbootSigConvertForDriver
Version |
NID
|
3.60 |
0xA29B75F9
|
int sceNpDrmEbootSigConvertForDriver(int unk0, int unk1, int unk2);
sceNpDrmPspEbootVerifyForDriver
Version |
NID
|
3.60 |
0xB6CA3A2C
|
int sceNpDrmPspEbootVerifyForDriver(int unk0, int unk1);
sceNpDrmPspEbootSigGenForDriver
Version |
NID
|
3.60 |
0xEF387FC4
|
int sceNpDrmPspEbootSigGenForDriver(int unk0, int unk1, int unk2);
sceNpDrmIsLooseAccountBindForDriver
Version |
NID
|
3.60 |
0xFC84CA1A
|
int sceNpDrmIsLooseAccountBindForDriver();
sceNpDrmUpdateDebugSettingsForDriver
Version |
NID
|
3.60 |
0xA91C7443
|
checks /CONFIG/NP debug_upgradable and /CONFIG/NP2 debug_drm_loose_bind registry values
int sceNpDrmUpdateDebugSettingsForDriver();
sceNpDrmGetRifPspKeyForDriver
Version |
NID
|
3.60 |
0xDACB71F4
|
//rif_data is of size 0x200
//dec_rif_key is of size 0x10
int sceNpDrmGetRifPspKeyForDriver(void *rif_data, void *dec_rif_key, int unk2, int unk3, int arg_0);
sceNpDrmGetRifVitaKeyForDriver
Version |
NID
|
3.60 |
0x723322B5
|
use sceNpDrmGetRifInfoForDriver to get required fields
int sceNpDrmGetRifVitaKeyForDriver(void *rif_data, void *dec_rif_key, char* lic_type0, char* lic_type1, char* lic_start_time, char* lic_exp_time, char* rif_lic_flags);
set_act_data
Version |
NID
|
3.60 |
0x742EBAF4
|
Related to sceSblGcAuthMgrPcactActivation
decrypts act_data with aes_dec_key and stores it to data segment
verifies sha1 - ecdsa or sha256 - rca
checks Loose Account Bind flag
verifies OpenPsId
creates tm0:/npdrm folder
writes tm0:/npdrm/act.dat file
repeats all verification steps
decrypts Primary Key Table
//data is of size 0x1040 - this is most likely act.dat data because of size
int set_act_data(void *act_data, const char *aes_dec_key);
get_act_data
Version |
NID
|
3.60 |
0xD91C3BCE
|
Related to sceSblGcAuthMgrPcactGetChallenge
reads 0x1038 bytes of tm0:/npdrm/act.dat data
//act_data is of size 0x1038
int get_act_data(void* act_data);
verify_rif
Version |
NID
|
3.60 |
0xFE7B17B6
|
verify ECDSA - SHA1 pair or RSA - SHA256 pair
//rif_data max size is 0x200
int verify_rif(void* rif_data, int rif_size);
verify_rif_full
Version |
NID
|
3.60 |
0xFF63672D
|
check OpenPsId
check cmd56 handshake part
perform steps to get decrypted rif key
//rif data size is unknown but at least 0xF8
int verify_rif_full(void* rif_data);
reset_act_dat
Version |
NID
|
3.60 |
0x77926F5
|
reads tm0:/npdrm/act.dat
verifies sha1 - ecdsa or sha256 - rca
checks Loose Account Bind flag
verifies OpenPsId
clears Secondary Table, RSA Signature, Unknown Sig, ECDSA Signature
decrypts Primary Key Table
int reset_act_dat();
SceNpDrmPackage
_sceNpDrmPackageTransform
Version |
NID
|
1.69 |
0x567DCA1
|
3.60 |
0x567DCA1
|
//opt is of size 0x28
int _sceNpDrmPackageTransform(int unk0, int unk1, void* opt, int unk3);
_sceNpDrmPackageInstallFinished
Version |
NID
|
1.69 |
0x6896EAF2
|
3.60 |
0x6896EAF2
|
//opt is of size 0x8
int _sceNpDrmPackageInstallFinished(int unk0, int unk1, int unk2, void* opt);
_sceNpDrmPackageCheck
Version |
NID
|
1.69 |
0xA1D885FA
|
3.60 |
0xA1D885FA
|
int _sceNpDrmPackageCheck(const void *buffer1, SceSize size, void *buffer2, unsigned int identifier);
sceNpDrmPackageIsGameExist
Version |
NID
|
1.69 |
0xB9337914
|
3.60 |
0xB9337914
|
int sceNpDrmPackageIsGameExist();
_sceNpDrmPackageInstallStarted
Version |
NID
|
1.69 |
0xCEC18DA4
|
3.60 |
0xCEC18DA4
|
//opt is of size 0x10
int _sceNpDrmPackageInstallStarted(int unk0, int unk1, int unk2, void* opt);
_sceNpDrmPackageDecrypt
Version |
NID
|
1.69 |
0xD6F05ACC
|
3.60 |
0xD6F05ACC
|
typedef struct _sceNpDrmPackageDecrypt //size is 0x10
{
SceOff offset; //The offset in the encrypted data
unsigned int identifier;
uint32_t unk_C;
} _sceNpDrmPackageDecrypt_opt;
int _sceNpDrmPackageDecrypt(void * buffer, SceSize size, _sceNpDrmPackageDecrypt_opt * opt);
sceNpDrmPackageInstallOngoing
Version |
NID
|
1.69 |
0xED0471FE
|
3.60 |
0xED0471FE
|
int sceNpDrmPackageInstallOngoing(int unk0, int unk1);
_sceNpDrmPackageUninstallFinished
Version |
NID
|
3.60 |
0x23A28861
|
//opt is of size 0x8
int _sceNpDrmPackageUninstallFinished(int unk0, int unk1, int unk2, void* opt);
_sceNpDrmPackageUninstallStarted
Version |
NID
|
3.60 |
0x4901C3E6
|
//opt is of size 0x10
int _sceNpDrmPackageUninstallStarted(int unk0, int unk1, int unk2, void* opt);
sceNpDrmPackageUninstallOngoing
Version |
NID
|
3.60 |
0xF1FF6193
|
int sceNpDrmPackageUninstallOngoing(int unk0, int unk1);
unk_200D2DE4
Version |
NID
|
3.60 |
0x200D2DE4
|
int unk_200D2DE4(int unk0, int unk1);
unk_4665E75A
Version |
NID
|
3.60 |
0x4665E75A
|
//opt is of size 0x10
int unk_4665E75A(int unk0, int unk1, int unk2, void *opt);
unk_640C1724
Version |
NID
|
3.60 |
0x640C1724
|
//opt is of size 0x8
int unk_640C1724(int unk0, int unk1, int unk2, void *opt);
unk_97BB85BD
Version |
NID
|
3.60 |
0x97BB85BD
|
//opt is of size 0x10
int unk_97BB85BD(int unk0, int unk1, int unk2, void *opt)
unk_A5E0F38C
Version |
NID
|
3.60 |
0xA5E0F38C
|
int unk_A5E0F38C(int unk0, int unk1);
unk_C75A775B
Version |
NID
|
3.60 |
0xC75A775B
|
//opt is of size 0x8
int unk_C75A775B(int unk0, int unk1, int unk2, void *opt);
ScePsmDrm
get_rif_name
Version |
NID
|
3.60 |
0x0D6470DA
|
//some data is of size 0x400 and contains rif data
int get_rif_name(char *rif_name, void *some_data);
_get_info
Version |
NID
|
3.60 |
0xE31A6220
|
typedef struct get_info_opt //size is 0x10
{
void* out2;
void* out3;
uint32_t unk_8;
uint32_t unk_C;
}get_info_opt
int _get_info(void *some_data, void *out0, void *out1, get_info_opt *opt);
_get_info_2
Version |
NID
|
3.60 |
0x207A2C53
|
typedef struct get_info2_opt //size is 0x10
{
void* out2;
void* out3;
uint32_t unk_8;
uint32_t unk_C;
}get_info2_opt
int _get_info(void *some_data, void *out0, void *out1, get_info2_opt *opt);
unk_E193CBB
Version |
NID
|
3.60 |
0xE193CBB
|
int unk_E193CBB(int unk0);
unk_3E881391
Version |
NID
|
3.60 |
0x3E881391
|
int unk_3E881391(int unk0);
unk_A89653B3
Version |
NID
|
3.60 |
0xA89653B3
|
//opt is of size 0x10
int unk_A89653B3(int unk0, int unk1, int unk2, void *opt);
ScePsmDrmForDriver
get_info_for_driver
Version |
NID
|
3.60 |
0x984F9017
|
this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar
//some_data is of size 0x400 and should contain rca signature at offset 0x300
//out0 is of size 0x30
//out1 is of size 0x8
//out2 is of size 0x8
//out3 is of size 0x8
int get_info_for_driver(void *some_data, void *out0, void *out1, void *out2, void *out3);
get_info_2_for_driver
Version |
NID
|
3.60 |
0x8C8CFD01
|
this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar
//data is of size 0x400
//out0 is of size 0x200
//out1 is of size 0x4
//out2 is of size 0x8
//out3 is of size 0x8
int get_info_2_for_driver(void *data, void *out0, void *out1, void *out2, int out3);
set_psm_act_data
Version |
NID
|
3.60 |
0xCB73E9D3
|
decrypts psm_act_data with aes_dec_key
creates tm0:/psmdrm if nesessary
writes tm0:/psmdrm/act.dat
verifies sha256 - rca
//data is of size 0x400
int set_psm_act_data(void *psm_act_data, const char *aes_dec_key);
unk_4CD5375C
Version |
NID
|
3.60 |
0x4CD5375C
|
int unk_4CD5375C(int unk0);
unk_791198CE
Version |
NID
|
3.60 |
0x791198CE
|
int unk_791198CE();
unk_B09003A7
Version |
NID
|
3.60 |
0xB09003A7
|
int unk_B09003A7(int unk0, int unk1, int unk2, int unk3, int arg_0);
Package integrity checks
Disable hash/signature verification
To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like if ( (v62 & 7) == 3 )
; below you will see the assignment check_func = &off_81009CFC;
. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.
Note that on 1.60 this module sometimes is loaded at different addresses between reboots.
Allow debug packages to be installed
Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.
Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.
RIF
The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].
PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.
Name |
Offset |
Size
|
Version |
0x0 |
0x4
|
License Type |
0x4 |
0x2
|
License Flags |
0x6 |
0x2
|
PSN Account ID |
0x8 |
0x8
|
Content ID |
0x10 |
0x30
|
Primary Key Table index |
0x40 |
0x10
|
RIF Key |
0x50 |
0x10
|
License start time |
0x60 |
0x8
|
License expiration time |
0x68 |
0x8
|
ECDSA Signature |
0x70 |
0x28
|
Unknown |
0x98 |
0x8
|
Unknown |
0xA0 |
0x20
|
OpenPsId if bit 8 is set in License Flags |
0xC0 |
0x10
|
Unknown |
0xD0 |
0x10
|
CMD56 handshake part |
0xE0 |
0x14
|
Unknown |
0xF4 |
0x4
|
Unknown |
0xF8 |
0x4
|
Unknown |
0xFC |
0x4
|
RSA Signature |
0x100 |
0x100
|