SceNpDrm

Obtaining klicensee
1. Get 0xC0 bytes from SceNpDrm code segment at offset 0x111D0. This is the list of static keys.

2. Decrypt 0xC0 bytes of static keys using sceSblAuthMgrGetEKc key 0.

3. Get 0x10 bytes of CID with sceSblSsMgrGetConsoleIdForDriver.

4. Encrypt first 0x10 bytes of static keys with CID using AES (need to figure out which AES exactly).

5. Read 0x800 bytes of Primary Key Table from act.dat

6. Decrypt 0x800 bytes of Primary Key Table with reencrypted static key using AES (need to figure out which AES exactly).

7. Get 0x97 / 0x200 bytes of rif data and select one of 5 scenarios for decrypting RIF Key based on license flags (need to figure out).

Scenario 1
Take RIF Key 2

Take static keys 3, 4

Take first 0x70 bytes of rif data

Use sceSblAuthMgrDecBindData to decrypt RIF key 2 and obtain klicensee.

Scenario 2
Take RIF Key 2

Take primary keys 1, 2

Take first 0x70 bytes of rif data

Use sceSblAuthMgrDecBindData to decrypt RIF key 2 and obtain klicensee.

Scenario 3
Take RIF Key 2

Take cmd56 handshake keys with get_5018_data

Take first 0x70 bytes of rif data

Use sceSblAuthMgrDecBindData to decrypt RIF key 2 and obtain klicensee.

Scenario 4
Take RIF Key 1

Take cmd56 handshake keys with get_5018_data

Take first 0x70 bytes of rif data

Erase RIF Key 1 from rif data

Use sceSblAuthMgrDecBindData to decrypt RIF key 1 and obtain klicensee.

Scenario 5
Decrypt Primary Table Key index from rif data with static key 2 using AES (need to figure out which AES exactly).

Take primary key using decrypted index.

Decrypt RIF key 1 with obtained primary key using AES (need to figure out which AES exactly).

sceNpDrmCheckActDataForDriver
checks tm0:/npdrm/act.dat

sceNpDrmRemoveActDataForDriver
checks tm0:/npdrm/act.dat

sceNpDrmUpdateDebugSettingsForDriver
checks /CONFIG/NP debug_upgradable and /CONFIG/NP2 debug_drm_loose_bind registry values

sceNpDrmGetRifVitaKeyForDriver
use sceNpDrmGetRifInfoForDriver to get required fields

set_act_data
Related to sceSblGcAuthMgrPcactActivation

decrypts act_data with aes_dec_key and stores it to data segment

verifies sha1 - ecdsa or sha256 - rca

checks Loose Account Bind flag

verifies OpenPsId

creates tm0:/npdrm folder

writes tm0:/npdrm/act.dat file

repeats all verification steps

decrypts Primary Key Table

get_act_data
Related to sceSblGcAuthMgrPcactGetChallenge

reads 0x1038 bytes of tm0:/npdrm/act.dat data

verify_rif
verify ECDSA - SHA1 pair or RSA - SHA256 pair

verify_rif_full
check OpenPsId

check cmd56 handshake part

perform steps to get decrypted rif key

reset_act_dat
reads tm0:/npdrm/act.dat

verifies sha1 - ecdsa or sha256 - rca

checks Loose Account Bind flag

verifies OpenPsId

clears Secondary Table, RSA Signature, Unknown Sig, ECDSA Signature

decrypts Primary Key Table

get_info_for_driver
this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar

get_info_2_for_driver
this function is named after sceNpDrmGetRifInfoForDriver since arguments are very similar

set_psm_act_data
decrypts psm_act_data with aes_dec_key

creates tm0:/psmdrm if nesessary

writes tm0:/psmdrm/act.dat

verifies sha256 - rca

Disable hash/signature verification
To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like ; below you will see the assignment. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.

Note that on 1.60 this module sometimes is loaded at different addresses between reboots.

Allow debug packages to be installed
Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.

Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.

RIF
The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].

PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x98 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.