SceNpDrm

Obtaining klicensee
Initialization steps (common):

1. Get the hardcoded encrypted EKc (0xC0 bytes). (on FW 3.60, 0xC0 bytes from SceNpDrm code segment at offset 0x111D0)

2. Decrypt the hardcoded encrypted EKc using sceSblAuthMgrGetEKcForDriver with key revision 0 (?or 1 or 2?).

Initialization steps (per-console):

3. Get ConsoleId (0x10 bytes) using sceSblSsMgrGetConsoleIdForDriver.

4. Decrypt using AES128ECB first 0x10 bytes of EKc with ConsoleId as key.

5. Read 0x800 bytes of the encrypted Primary Key Table from act.dat file.

6. Decrypt 0x800 bytes of Primary Key Table with reencrypted static key using AES (need to figure out which AES exactly).

Initialization steps (per-content):

7. Get 0x98 / 0x200 bytes of RIF data from the content's .rif file and select one of the 5 scenarios for decrypting RIF Key into klicensee based on License flags (need to figure out). In most cases only the first 0x70 bytes are needed for klicensee derivation because at 0x70 is the ECDSA signature which is not used for derivation, and after 0x98 is data only used for some PS Vita contents (maybe only PS Vita cartridges require a 0x200-byte RIF).

Scenario 1 - maybe DRM Free
Take RIF Key 2.

Take static keys 3, 4.

Take first 0x70 bytes of RIF data.

Use SceSblAuthMgr to decrypt RIF key 2 and obtain klicensee.

Scenario 2
Take RIF Key 2.

Take primary keys 1, 2.

Take first 0x70 bytes of RIF data.

Use SceSblAuthMgr to decrypt RIF key 2 and obtain klicensee.

Scenario 3 - Game Cartridge
Take RIF Key 2.

Take cmd56 handshake keys with get_5018_data.

Take first 0x70 bytes of RIF data.

Use SceSblAuthMgr to decrypt RIF key 2 and obtain klicensee.

Scenario 4 - Game Cartridge
Take RIF Key 1.

Take cmd56 handshake keys with get_5018_data.

Take first 0x70 bytes of RIF data.

Erase RIF Key 1 from RIF data.

Use SceSblAuthMgr to decrypt RIF key 1 and obtain klicensee.

Scenario 5
Take RIF Key 1.

Decrypt Primary Table Key index from RIF data with static key 2 using AES (need to figure out which AES exactly).

Take primary key using decrypted index.

Decrypt RIF key 1 with obtained primary key using AES (need to figure out which AES exactly).

sceNpDrmPresetRifProvisionalFlagForDriver
Updating license data.

sceNpDrmCheckActDataForDriver
get tm0:/npdrm/act.dat info

sceNpDrmRemoveActDataForDriver
Remove tm0:/npdrm/act.dat

sceNpDrmGetLegacyDocKeyForDriver
Gets klicensee to decrypt encrypted DOCUMENT.DAT.

sceNpDrmEbootSigVerifyForDriver
drm_data - __sce_ebootpbp or license data, size is 0x200.

sceNpDrmUpdateDebugSettingsForDriver
checks /CONFIG/NP debug_upgradable and /CONFIG/NP2 debug_drm_loose_bind registry values

sceNpDrmGetRifVitaKeyForDriver
It uses to get required fields.

sceNpDrmWriteActDataForDriver
Related to SceSblGcAuthMgr.

decrypts act_data with aes_dec_key and stores it to data segment

verifies sha1 - ecdsa or sha256 - RSA

checks Loose Account Bind flag

verifies OpenPsId

creates tm0:/npdrm folder

writes tm0:/npdrm/act.dat file

repeats all verification steps

decrypts Primary Key Table

sceNpDrmReadActDataForDriver
Related to sceSblGcAuthMgrPcactGetChallenge

reads 0x1038 bytes of tm0:/npdrm/act.dat data

sceNpDrmVerifyRifForDriver
verify ECDSA - SHA1 pair or RSA - SHA256 pair

sceNpDrmVerifyRifFullForDriver
check OpenPsId

check cmd56 handshake part

perform steps to get decrypted rif key

sceNpDrmUpdateActDataForDriver
reads tm0:/npdrm/act.dat

verifies ECDSA with sha1 and RSA with sha256

checks Loose Account Bind flag

verifies OpenPsId

clears Secondary Table, RSA Signature, Unknown Sig, ECDSA Signature

decrypts Primary Key Table

scePsmDrmGetRifInfoForDriver
This function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar.

get_info_2_for_driver
this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar

set_psm_act_data
decrypts psm_act_data with aes_dec_key

creates tm0:/psmdrm if necessary

writes tm0:/psmdrm/act.dat

verifies sha256 - rca

unk_4CD5375C
Deletes psmact.dat.

Disable hash/signature verification
To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like ; below you will see the assignment. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.

Note that on 1.60 this module sometimes is loaded at different addresses between reboots.

Allow debug packages to be installed
Find the function that calls sceSblAIMgrIsCEXForDriver. Patch it to always return 1. On FW 1.60 it is at 0x81002d64.

Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.

RIF
The RIF file holds the klicensee for NPDRM contents. The RIF files are used as DRM licenses. For each installed PKG and Game Card you have a unique RIF file with proper information that is used when you open the game to verify if you own the game (or PKG). The RIF files holds important information as PSN Account ID, the key used to decrypt one of the SELF encryption layers.

PS Vita supports two different RIF file formats. The first format version (v0) is used by RIF files with 0x98 bytes size and the second version (v1) is used by RIF files with 0x200 bytes size. The difference between these formats is just the signature and some data used by PS Vita only. RIF version 0 only uses ECDSA Signature only whilst RIF Version 1 uses the ECDSA Signature and an extra RSA Signature.

PSM-ACT
PSM Activation file

PSM-RIF
PSM RIF file