PUP

PUP files are update archives for the Vita.

= PUP Structure =

A good resource on the PUP structure can be found HERE.

= Update .PKG files =

Most of the files in the update PUP are .pkg files, a sort of Certified File.

Each component of the update is broken up into multiple parts, then optionally compressed, and finally encrypted into the PKG.

Package Header
Right after the Certified File header (usually at offset 0x400) is the update package header that provides information for piecing the component back together. The contents of this header is as follows:

Flags
There are flags that are set in the package header. Some potential ones are listed here.

Type ID
The type id determines which decryption routine to use in SceSblSsUpdateMgr. There is a truth table to determine which id can be handled by which decryption function. To see how this table is used, check out the example code for decrypting packages.

Type ID (Identifier)
The type ID is also used to identify the component of the update.

= SCEWM =

PUP Watermark was added on FW 0.940.000.

Header
This is a watermark for PUPs. For development PUPs, the Issue ID is unique to the company/organization the PUP is issued to.

The Issue ID for SCE/retail PUPs seems to be 0x5A.

Content
The SCEWM file is composed of 3 parts:


 * SCEWM header: size 0x20 bytes.
 * RSA2048 signature of the PUP (regardless of the watermark): size 0x100 bytes. This part IS NOT ENCRYPTED.
 * SCEWM body (unique data per issue ID): size = file_size(usually 0x1000) - header_size(0x20) - pup_sig_size(0x100). Its size may vary, check file_size in SCEWM header. This part IS ENCRYPTED.

Body
The body is encrypted using AES128CBC with key and iv from update_service_sm.self.

After decryption, the data is composed of 2 parts:


 * 0xDE0 bytes: plaintext ASCII message
 * 0x100 bytes: RSA2048 signature of that message

Message
The message is generated on developer demand by DevNet server. The message syntax has changed with DevNet revisions.

The message is totally independant of the PUP. The same PUP (for example PSVita FW 0.945) downloaded from DevNet in 2011 and in 2018 has different message syntax.

Here 'x' represents an actual character, which I hide for confidentiality.

Old message (2011-02)
User id:xxxxxx Org name:xxxxxxxxxxxxxx Company name:xxxxxxxxxxxxxxxxxxxxxxxxxxxx Date PUP downloaded:xxxx-xx-xx xx:xx Host IP address:xxx.xxx.xxx.xxx
 * 1) PUP watermark data that contain DevNet user id, org name, company name, date of PUP downloaded and host IP address

Recent message (2018-04)
PUP serial number:xxxxxxxx
 * 1) PUP watermark data contain a serial_number that associates with the user who download this PUP
 * 2) Provide the serial number below to the DevNet development team to get user and org details.

Signature
It is RSA2048 of the watermark + maybe other data.

Security
When comparing same PUP signed for two different issue IDs, we can notice only 2 differences:
 * the issue ID in SCEWM header
 * the SCEWM unique data

= SCEAS =

This file contains Additional Signatures (A.S.) necessary for validation of the PUP.

It was added in FW 0.996, probably for security reasons.

This file is missing inside the DEX PUP v 0.945.040 (and all the pre-0.996 pups)

Body
The body is encrypted using AES128CBC with key and iv from update_service_sm.self.

Once decrypted:


 * 0x100 bytes: a RSA2048 signature, certainly of the PUP
 * 0x1E0 bytes: zeroes, maybe area for more than one signature
 * 0x100 bytes: RSA2048 signature of the Additional Signature(s)