Certified File

Certified Files are the most common encrypted files on SCE PlayStation devices since PSP.

= Introduction =

Not only ELF/PRX files can be signed with this format, other known Certified Files are:
 * revoke list (e.g. RL_FOR_PACKAGE.img/RL_FOR_PROGRAM.img, pkg.srvk/prog.srvk, slb2:prog_rvk.srvk)
 * policy profiles (e.g. default.spp)
 * system software package (e.g. .pkg, .spkg_hdr.X)

It is important to notice that PS3 use big endian whilst PSVita use little endian.

Category
= Decryption =

Certified Files are all encrypted using the exact same algorithm. SELF are hashed and signed (signature is RSA based at the very least since firmware 0.940). This section only focuses on the encryption layer itself.


 * Step 1: Get SELF metadata decryption key and IV

Get a static key and IV contained within the relevant Secure Module. For example Update Package keys are located in update_service_sm.self, kernel PRX keys are located in kprx_auth_sm.self, Secure Modules (SM) as well as kernel_boot_loader.self, are located in secure_kernel.enp).

Decrypt the first 0x40 bytes of the SELF metadata using AES256CBC.

This results into the key and IV used in step 2


 * Step 2: Get plain SELF metadata

Use the key and IV decrypted from the first 0x40 bytes of the SELF metadata to decrypt the rest of the SELF metadata using AES128-CBC.


 * Step 3: Parse SELF metadata

The SELF metadata is typically stored in this format (below is the metadata example for a 4 sections self): The SPKG metadata follows the same principles but is slightly different (different MAGIC/Header).

Following the same principles, an update package metadata would look like this:


 * Step 4: Get plain SELF sections

Use the keys and IVs from the metadata to decrypt their respective sections using AES128-CTR.


 * Step 5: Uncompress sections if needed

Sections can be compressed. This is reported in the header.