|
|
| Line 149: |
Line 149: |
| | | | |
| | == RIF == | | == RIF == |
| − | The RIF files are used as the PKG file's DRM. For each installed PKG you will have an specific RIF file with the proper information. The RIF files holds important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...]. | + | The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...]. |
| | | | |
| | PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification. | | PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification. |
Revision as of 00:55, 31 December 2016
Module
Known NIDs
| Version |
Name |
World |
Privilege |
NID
|
| 1.69 |
SceNpDrm |
Non-secure |
Kernel |
0xACCB4845
|
Libraries
Known NIDs
SceNpDrm
_sceNpDrmCheckDrmReset
| Version |
NID
|
| 1.69 |
0x4458812B
|
_sceNpDrmRemoveActData
| Version |
NID
|
| 1.69 |
0x507D06A6
|
_sceNpDrmGetRifName
| Version |
NID
|
| 1.69 |
0xB8C5DA7C
|
_sceNpDrmGetRifNameForInstall
| Version |
NID
|
| 1.69 |
0xD312424D
|
_sceNpDrmGetRifInfo
| Version |
NID
|
| 1.69 |
0xE8343660
|
_sceNpDrmGetFixedRifName
| Version |
NID
|
| 1.69 |
0xE935B0FC
|
_sceNpDrmCheckActData
| Version |
NID
|
| 1.69 |
0xFEEBCD62
|
SceNpDrmForDriver
SceNpDrmCheckRifForDriver
| Version |
NID
|
| 3.60 |
0xDB406EAE
|
SceNpDrmPackage
_sceNpDrmPackageTransform
| Version |
NID
|
| 1.69 |
0x567DCA1
|
_sceNpDrmPackageInstallFinished
| Version |
NID
|
| 1.69 |
0x6896EAF2
|
_sceNpDrmPackageCheck
| Version |
NID
|
| 1.69 |
0xA1D885FA
|
sceNpDrmPackageIsGameExist
| Version |
NID
|
| 1.69 |
0xB9337914
|
_sceNpDrmPackageInstallStarted
| Version |
NID
|
| 1.69 |
0xCEC18DA4
|
_sceNpDrmPackageDecrypt
| Version |
NID
|
| 1.69 |
0xD6F05ACC
|
sceNpDrmPackageInstallOngoing
| Version |
NID
|
| 1.69 |
0xED0471FE
|
Package integrity checks
Disable hash/signature verification
To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like if ( (v62 & 7) == 3 ); below you will see the assignment check_func = &off_81009CFC;. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.
Note that on 1.60 this module sometimes is loaded at different addresses between reboots.
Allow debug packages to be installed
Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.
Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.
RIF
The RIF files are used as the eboot.bin DRM. For each installed PKG and Game Card you will have an unique RIF file with proper information that will be used when you open the game to verify if you own the game(to PKG) and decrypt the eboot.bin. The RIF files may hold important information as PSN Account ID, the key used to decrypt one of the SELF encrypt layers [...].
PS Vita supports two different RIF file format. The first format (License Type 0) seems to be used by licenses with 0x97 bytes size and the second (License Type 1) seems to be used by RIF files with 0x200 bytes size. The difference between them is just the signature verification. License Type 0 only uses ECDSA Signature, the License Type 1 uses the ECDSA Signature verification and an extra RSA signature verification.
| Name
|
Offset
|
Size
|
| Version
|
0x0
|
0x4
|
| License Type
|
0x4
|
0x4
|
| PSN Account ID
|
0x8
|
0x8
|
| Content ID
|
0x10
|
0x30
|
| Unknown
|
0x40
|
0x10
|
| RIF Key
|
0x50
|
0x10
|
| License start time
|
0x60
|
0x8
|
| License expiration time
|
0x68
|
0x8
|
| ECDSA Signature
|
0x70
|
0x28
|
| Unknown
|
0x98
|
0x68
|
| RSA Signature
|
0x100
|
0x100
|