SceNpDrm

Obtaining klicensee
Initialization steps (common):

1. Get the hardcoded encrypted EKc (0xC0 bytes). (on FW 3.60, 0xC0 bytes from SceNpDrm code segment at offset 0x111D0)

2. Decrypt the hardcoded encrypted EKc using sceSblAuthMgrGetEKcForDriver with key revision 0 (possibly 1 or 2; unconfirmed).

Initialization steps (per-console):

3. Get ConsoleId (0x10 bytes) using sceSblAimgrGetConsoleIdForDriver.

4. Decrypt the first 0x10 bytes of EKc with AES-128-ECB, using ConsoleId as the key.

5. Read 0x800 bytes of the encrypted Primary Key Table from act.dat file.

6. Decrypt the 0x800 bytes of the Primary Key Table with the re-encrypted static key using AES (exact AES mode still to be determined).

Initialization steps (per-content):

7. Get 0x98 / 0x200 bytes of RIF from the content's .rif file and select one of the 5 scenarios for decrypting the RIF Key into the klicensee based on the DRM Type (selection logic still to be determined). In most cases, only the first 0x70 bytes are needed for klicensee derivation: the ECDSA signature starts at 0x70 and is not used for derivation, and the data after 0x98 is only used for some PS Vita contents (maybe only PS Vita game cards require a 0x200-byte RIF).

Scenario 1 - maybe DRM Free
Take RIF Key 2.

Take static keys 3, 4.

Take first 0x70 bytes of RIF.

Use SceSblAuthMgr to decrypt RIF key 2 and obtain klicensee.

Scenario 2
Take RIF Key 2.

Take primary keys 1, 2.

Take first 0x70 bytes of RIF.

Use SceSblAuthMgr to decrypt RIF key 2 and obtain klicensee.

Scenario 3 - Game Cartridge
Take RIF Key 2.

Take cmd56 handshake keys with get_5018_data.

Take first 0x70 bytes of RIF.

Use SceSblAuthMgr to decrypt RIF key 2 and obtain klicensee.

Scenario 4 - Game Cartridge
Take RIF Key 1.

Take cmd56 handshake keys with get_5018_data.

Take first 0x70 bytes of RIF.

Erase RIF Key 1 from RIF.

Use SceSblAuthMgr to decrypt RIF key 1 and obtain klicensee.

Scenario 5
Take RIF Key 1.

Decrypt Primary Table Key index from RIF with static key 2 using AES (need to figure out which AES exactly).

Take primary key using decrypted index.

Decrypt RIF key 1 with obtained primary key using AES (need to figure out which AES exactly).

_sceNpDrmRemoveActData
Removes NPDRM per-console activation data at tm0:/npdrm/act.dat.

_sceNpDrmGetRifName
Calls.

_sceNpDrmGetRifNameForInstall
Calls.

_sceNpDrmCheckActData
Calls.

_sceNpDrmPresetRifProvisionalFlag
Calls (license, SCE_TRUE).

sceNpDrmGetRifNameForDriver
Gets the RIF name for the provided NP Account ID, in order to read the license file from the good path.

sceNpDrmGetRifNameForInstallForDriver
Gets the RIF name for the provided license, in order to install (write) this license file to the good path.

sceNpDrmPresetRifProvisionalFlagForDriver
Updates the license buffer by setting or unsetting the provisional flag. This way, the license RSA signature becomes invalid although the ECDSA signature should remain valid.

sceNpDrmCheckActDataForDriver
Gets information about NPDRM per-console activation data at tm0:/npdrm/act.dat.

sceNpDrmRemoveActDataForDriver
Removes NPDRM per-console activation data at tm0:/npdrm/act.dat.

sceNpDrmGetLegacyDocKeyForDriver
Gets klicensee to decrypt encrypted DOCUMENT.DAT.

sceNpDrmUpdateDebugSettingsForDriver
Updates SceNpdrm global variables based on /CONFIG/NP/debug_upgradable and /CONFIG/NP2/debug_drm_loose_bind registry values.

sceNpDrmGetRifVitaKeyForDriver
This function calls to get required fields.

sceNpDrmWriteActDataForDriver
Related to SceSblGcAuthMgr.

decrypts act_data with aes_dec_key and stores it to data segment

verifies sha1 - ecdsa or sha256 - RSA

checks Loose Account Bind flag

verifies OpenPsId

creates tm0:/npdrm folder

writes tm0:/npdrm/act.dat file

repeats all verification steps

decrypts Primary Key Table

sceNpDrmReadActDataForDriver
Related to SceSblGcAuthMgr.

Reads 0x1038 bytes of tm0:/npdrm/act.dat.

sceNpDrmVerifyRifForDriver
Verifies ECDSA - SHA1 pair and/or RSA - SHA256 pair.

sceNpDrmVerifyRifFullForDriver
check OpenPsId

check cmd56 handshake part

perform steps to get decrypted rif key

sceNpDrmUpdateActDataForDriver
reads tm0:/npdrm/act.dat

verifies ECDSA with sha1 and RSA with sha256

checks Loose Account Bind flag

verifies OpenPsId

clears Secondary Table, RSA Signature, Unknown Sig, ECDSA Signature

decrypts Primary Key Table

scePsmDrmGetRifName
This is a guessed name.

scePsmDrmGetDebugRifName
This is a guessed name.

scePsmDrmCheckActData
Calls.

scePsmDrmGetRifInfoForDriver
This function is named after since arguments are very similar.

scePsmDrmGetRifPsmKeyForDriver
This function is named after since arguments are very similar.

scePsmDrmWriteActDataForDriver
decrypts psm_act_data with aes_dec_key

creates tm0:/psmdrm if necessary

writes tm0:/psmdrm/act.dat

verifies sha256 - RSA

scePsmDrmRemoveActDataForDriver
Removes PSM DRM per-console activation data at tm0:/psmdrm/act.dat.

scePsmDrmUpdateActDataForDriver
reads tm0:/psmdrm/act.dat

verifies RSA with sha256

decrypts Primary Key Table

scePsmDrmCheckActDataForDriver
Gets information about currently loaded PSM act.dat.

Disable hash/signature verification
To find the function responsible for package verification, search for the immediate 0x7F504B47 ('.PKG'). Inside, it does a lot of things, including determining the function that will do signature checks. Find the condition that looks like ; below it you will see the assignment. To bypass signature checks you need to patch two functions located at this offset and offset+4; making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.

Note that on 1.60 this module sometimes is loaded at different addresses between reboots.

Allow debug packages to be installed
Find the function that calls sceSblAIMgrIsCEXForDriver. Patch it to always return 1. On FW 1.60 it is at 0x81002d64.

Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.

RIF
The RIF file holds the klicensee for NPDRM contents. RIF files are used as DRM licenses. For each installed PKG and Game Card you have a unique RIF file with the proper information, which is used when you open the game to verify that you own the game (or PKG). The RIF file holds important information such as the PSN Account ID and the key used to decrypt one of the SELF encryption layers.

PS Vita supports two different RIF file formats. The first format version (v0) is used by RIF files of 0x98 bytes and the second version (v1) is used by RIF files of 0x200 bytes. The difference between these formats is just the signature and some data used by PS Vita only. RIF version 0 uses only the ECDSA signature, whilst RIF version 1 uses the ECDSA signature and an extra RSA signature.
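As an added example (not code from the wiki or from SceNpDrm), the following splits a RIF buffer into the regions described above: the first 0x70 bytes that feed klicensee derivation, the ECDSA signature starting at 0x70, and the PS Vita-only tail present in 0x200-byte v1 files. The v1 RSA signature's position inside that tail is not given on the page, so the tail is kept opaque; the sample inputs are constructed filler, not real licenses.

```python
from dataclasses import dataclass

# Offsets and sizes as stated on the page.
RIF_V0_SIZE = 0x98      # v0: ECDSA signature only
RIF_V1_SIZE = 0x200     # v1: ECDSA signature plus an extra RSA signature
DERIVATION_LEN = 0x70   # only these bytes take part in klicensee derivation
ECDSA_SIG_OFF = 0x70    # ECDSA signature follows the derivation region


@dataclass(frozen=True)
class RifLayout:
    version: int
    derivation_region: bytes  # bytes 0x00..0x70
    ecdsa_signature: bytes    # bytes 0x70..0x98
    vita_extension: bytes     # bytes 0x98..0x200 for v1, empty for v0 (RSA sig location unknown)


def parse_rif(buf: bytes) -> RifLayout:
    """Classify a RIF by size and cut it into the regions the page describes."""
    size = len(buf)
    if size == RIF_V0_SIZE:
        version = 0
    elif size == RIF_V1_SIZE:
        version = 1
    else:
        # Anything else is not a RIF the page knows about; refuse rather than guess.
        raise ValueError(f"unexpected RIF size {size:#x}: expected 0x98 or 0x200")
    return RifLayout(
        version=version,
        derivation_region=bytes(buf[:DERIVATION_LEN]),
        ecdsa_signature=bytes(buf[ECDSA_SIG_OFF:RIF_V0_SIZE]),
        vita_extension=bytes(buf[RIF_V0_SIZE:]),
    )


def has_rsa_signature(layout: RifLayout) -> bool:
    """Per the page, only the v1 (0x200-byte) format carries the RSA signature."""
    return layout.version == 1


# Constructed sample inputs (deterministic filler, not real license data).
SAMPLE_V0 = bytes(i & 0xFF for i in range(RIF_V0_SIZE))
SAMPLE_V1 = bytes(i & 0xFF for i in range(RIF_V1_SIZE))
```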

PSM-ACT
PSM Activation file

PSM-RIF
PSM RIF file