PSN

Environments
The only valid (documented) values for "/CONFIG/NP" "env" are,  , and. SceShell checks the value on startup and if it is not valid, it will rewrite the key to be "invalid". The last two environments are only valid if the console is a test kit or a development kit.

Ticket
Upon logging into Sony Entertainment Network (formerly PlayStation Network), a session ticket is created. This ticket is what is used for all SEN services on the console (store, DLC, multiplayer, etc). The requesting of this ticket is subject to many checks that allow Sony to block consoles running outdated System Software version from connecting to SEN. Most of what is documented for PS3 is still relevant to the PS Vita. SEN ticket acquiring is done by SceShell and all other apps that use SEN use the ticket that SceShell acquired. That means in order to spoof SEN, all you need to do is patch shell.self and to get platform unique parameters from a later System Software version, you only need to decrypt shell.self (a kernel exploit, therefore, is sufficient but not necessary). Additionally, all SEN communication is done through TLS, and therefore is not susceptible to MITM attacks (you cannot just sniff the parameters without hacking the device). The CAs are also signed so you cannot modify the root CAs from a higher System Software PS Vita. Below is a list of steps the PS Vita takes to request a NP Ticket.


 * 1) First, an update check is made over HTTP. This can be easily bypassed through a proxy. If the update check fails, then the update prompt will show.
 * 2) A   is generated with your account id and console id (?). It is then encrypted and signed by Secure Modules and converted to base64.
 * 3) A platform unique (but not console unique)   is decrypted by Secure Modules.
 * 4)   is set to   where X.YY is the console System Software version.
 * 5)   is set to  . This does not seem to be for any security purpose and likely just vestigial code from legacy systems.
 * 6) A SSL request is made to   with the headers generated above.
 * 7) Either   is returned along with a ticket or   is returned. CODE is then added to   to form the error code to display to the user. If the error code is that a System Software update is required, the update prompt will show.

Before System Software version 3.63,  never changed across System Software versions. That means SEN only checked. Whenever Sony releases a new System Software, they do not revoke access to the last System Software right away. As long as you bypass the update check (through a proxy), you can still access SEN. This is why you are always able to use SEN for 1-2 weeks after a new System Software is released. With the original HENkaku hack, we spoof  to 3.61 and therefore SEN cannot tell a difference between a legitimate 3.61 console or a hacked 3.60 console since all other parameters are the same. However, in 3.63, Sony finally changed  but because of the 1-2 week grace period, people were still able to access SEN for a short amount of time after 3.63 was released. After the grace period, though, the old  is rejected, returning an   error code indicating that the console needs to be updated. Additionally, because  is tied to the console id, it is not possible to use a   from another console such as PS3, PSP, or Android. I am also unsure if the System Software version is in  (which is generated by Secure Modules). If that is the case, it is unlikely that SEN spoofing would ever work again (short of a Secure Modules hack, but in that case, there would be no need for SEN spoofing).