Packages

PKG files for PSVita are essentially the same structure as PS3 and PSP game PKG files with different AES, RSA and ECC keys.

AES Keys

There now are 5 AES keys used for the decryption of game PKG files.

• PSP : { 0x07, 0xf2, 0xc6, 0x82, 0x90, 0xb5, 0x0d, 0x2c, 0x33, 0x81, 0x8d, 0x70, 0x9b, 0x60, 0xe6, 0x2b };
• PS3 : { 0x2e, 0x7b, 0x71, 0xd7, 0xc9, 0xc9, 0xa1, 0x4e, 0xa3, 0x22, 0x1f, 0x18, 0x88, 0x28, 0xb8, 0xf8 };
• PSV2: { 0xE3, 0x1A, 0x70, 0xC9, 0xCE, 0x1D, 0xD7, 0x2B, 0xF3, 0xC0, 0x62, 0x29, 0x63, 0xF2, 0xEC, 0xCB };
• PSV3: { 0x42, 0x3A, 0xCA, 0x3A, 0x2B, 0xD5, 0x64, 0x9F, 0x96, 0x86, 0xAB, 0xAD, 0x6F, 0xD8, 0x80, 0x1F };
• PSV4: { 0xAF, 0x07, 0xFD, 0x59, 0x65, 0x25, 0x27, 0xBA, 0xF1, 0x33, 0x89, 0x66, 0x8B, 0x17, 0xD9, 0xEA };

The overall algorithm is the same as PSP with one exception. On the PSP, the file table and the data is AES CTR encrypted using the 0x10 bytes from offset +0x70 in the file as the IV along with the PSP AES Key. On the PSVita for type 2,3 and 4, they first encrypt the 0x10 bytes at +0x70 to create a new AES session key, then do the normal AES_CTR with +0x70 as the IV and the new session key as the AES CTR key.

At offset +0xE7 in the PKG file is a version byte. This is only in the PSP type PKG files inside the .ext section. If its type 1, the use the PSP key as normal, if its type 2, use the PSV2 key with the new session key step, and if its type 3, use the PSV3, etc.

Installing

Package Installer uses SceNpDrm to decrypt/extract the game package into a temporary directory. Then it calls ScePromoterUtil NID 0x86641BC6 on 1.69 and NID 0x716C81F4 on 1.80+ to "promote" (aka install) the files into the right directory in ux0. ScePromoterUtil is just a wrapper for a SceShellSvc call, so SceShell actually moves the files, then adds the LiveArea bubble and updates app.db accordingly. In theory you can use SceNpDrm and ScePromoterUtil separately and package your games in an alternative format.