From Vita Development Wiki
Revision as of 04:40, 20 February 2017 by Yifan Lu (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

PSVIMG files are encrypted files generated by CMA in backing up and restoring data from the Vita. The format is documented in this tool [1].

Generating PSVIMG

When CMA is used to backup system, game, or savedata from the Vita to a PC or PS3, the following algorithm is used:

  1. Using a tar-like structure, stream all of the file data into a file.
  2. If making a PSVMD file, use the deflate algorithm to compress.
  3. Generate a random nonce for the first 0x10 bytes using the RndNumber syscall.
  4. Generate a unique session AES256 key using a secret phrase and the PSN account id of the PSVita.
  5. generate a SHA256 hash of the plaintext every 0x8000 bytes and insert the hash into the filestream.
  6. Encrypt the stream data using EncDecKeygen syscall from SceSblDmac5Mgr with the nonce as the header and the AES256 session key.
  7. Transmit to PC or PS3.


If you look at the 16 character hex directory name included in part of the backup path, that is your PSN account id. The AES256 session key is calculated by doing a SHA256 hash of the 8 byte hex binary representation of the PSN account id followed by the secret phrase: Sri Jayewardenepura Kotte



01 23 45 67 89 AB CD EF 53 72 69 20 4A 61 79 65 77
61 72 64 65 6E 65 70 75 72 61 20 4B 6F 74 74 65

SHA256 of this buffer generates the AES256 session key of:


Unfortunately, this is dependent on the PSVita for executing using the EncDecKeygen function. The AES256 key is altered inside the F00D Processor in some way currently unknown. Upon decryption, the session key is sent to F00D and an assigned slot. When the HW crypto engine is invoked to perform the decryption, it is given the slot number. Presumably, the crypto engine talks directly with F00D to use the derived key.