NextGenRoms

I have been reading up a little about modding game files. I know the code of the games, for setting things like resolution, is in the eboot files, which in nonpdrm releases are encrypted. I have read they can be decrypted and modified, but then NOT encrypted again, which means the mod will not work as the file will be ignored. Why is this? maidumps are also decrypted, so I assume there is a key to decrypt; is it not the same key to encrypt them back?


1 hour ago, ckv1212 said:

nonpdrm probably uses a different kind of encryption, and the keys for that encryption are not public.

Thank you @ckv1212

But can I ask why? AFAIK nonpdrm is a plugin that allows the use of fake licences to fool the VITA; the files themselves are untouched. But... if the files are untouched, then were they not also untouched when they were on the cart, from which they were somehow dumped and decrypted (using maidump)? I assume the key to decrypt must have been known to do that, so now we have the same untouched files, so the keys should be the same, no?


@sprocket12 hey! Sorry I was busy all weekend, didn't have much time to sit on the forums and run through it.

As for your question and how the licenses play a part. As far as I'm aware, NoNpDRM games are not decrypted for dumping. The files themselves are simply copied over. What allows them to run is the kernel plugin "NoNpDRM", which stops the "can this Vita play this game / is the license file valid" check.

I believe that's the whole point of NoNpDRM. Files are left "as they come" from S0ny, and what changed is the Vita's ability to bypass the license verification check, allowing anything to boot on the Vita.

So I believe, from that, there is no way to "decrypt" NoNpDRM games, due to them being untouched and only "decrypted" by the Vita's OS, running essentially like a Cart or PSN installed game, making it a "universal, works without issues" kind of situation.

Again, sorry I was busy and didn't have time to sit down and respond this weekend!

Let me know if this clears anything up!

@Djdragon44 Thanks again for the reply. That makes sense, but my question was that even though the files are untouched, that should not prevent the ability to decrypt (as far as my thinking goes). Because even on the cart itself they are untouched, right, so how is it possible for maidump to decrypt them? Also, since you went into a bit of detail, as you state, the VITA decrypts them to play them, so do we not have access to the whole VITA now? I mean low-level access that allows us to peek into the VITA's decryption process.

I know I have no clue about this, I am just asking simple questions which make sense to me, so please educate me if you could.

@sprocket12 We actually don't know. Both MaiDumpTool and Vitamin (both dumping tools) are closed source. Due to that, we actually (as a community) have no idea how either of them do their own magic, as the VPKs and projects are both closed source, and no one has/can reverse engineer the tools due to obfuscation and the developers being rather, erm, protective of their work. We just know they work, one being from China (Mai) and TheFl0w (Vitamin), and both work in different ways.

As to "so do we not have access to the whole VITA now?" - Believe it or not, we don't. Well, kinda? We have access to the Kernel, TrustZone, and the Operating System, decrypted and such; however, there are parts of the system not yet touched (publicly). f00d, for example, has yet to be publicly hacked (Enso, we believe, is a f00d hack, but it's, again, closed source, so we can only guess). The reason we were able to make NoNpDRM games even work is because back in the day someone managed to decrypt and publicly release the keys for the PS3 and the Vita. Because of this, we knew the "key" to unlock the code, thus allowing us to dump and engineer methods to use that key to launch the game.

Come 3.61, they changed the private decryption key. Meaning everything built with the VitaSDK for 3.61 used a different key than all of them before, making the keys we have for 3.60 and under useless. That key is part of the reason we cannot play 3.61+ games on our Vita, because they can't be decrypted/"handshake" with the Vita due to the keys not matching, thus resulting in a "black screen crash" for any game.

So in short, we have no idea how Sony manages their decryption method in the Vita, as it's not in plaintext code; it's all obfuscated, encrypted, and packed away in processors (f00d, TrustZone, etc.), meaning there's no "code" to break per se. We had a game with a key, an OS with the decryption method, and a means to make the two meet, making the game work.

It's like we've made a "Skeleton Key" to a door no one knows how it got there, how it works, or who made it, but the key opens the door in some cases.

It's all pretty complicated, but in short, all the methods known for dumping are closed source, the methods the Vita uses to decrypt are not public knowledge, and the keys used for 3.61 are not known. The only reason we can "dump 3.61+ games in NPS" is because NoNpDRM can fake a zRIF key, but the actual key to decrypt the game doesn't work, and it fails to launch regardless.

A little long-winded, but I hope this was able to clear some stuff up~

Let me know if you have any more questions~

But as for how the MaiDumpTool and Vitamin work, they basically just employ an old trick: the Vita removes the pfs encryption from the game files, including the eboot, when the game is booted, and it just copies these decrypted files to another directory from the app0 partition the Vita uses to load the game.

But for the eboot, things change: the eboot is protected under an additional encryption layer called NPDRM, which so far no one has managed to break through. The thing is that the eboot gets both the pfs and the NPDRM encryptions removed when the game is running, so Vitamin and MaiDumpTool merely "trick" the system into loading the decrypted eboot into the RAM and then reconstruct a copy of the eboot by copying it from the RAM, while also adding some stuff like the calls to the mai.suprx file in MaiDumpTool's case. This is also why these eboot dumps tend to have bugs or problems: because these tools also copy stuff from the RAM that doesn't necessarily belong to the eboot.

Edited by iadlast

@iadlast Thanks for the information~ I'm not super well versed in how it all works exactly, really just an "as far as I know" through self-learning and such. Good to know some information is out there to break down how they work, or at least the methods by which they work. Thanks for the info~ I'm sure @sprocket12 would love to read that as well.

I know I'm quite late with the answer, but:
The Vita has multiple layers of different encryption:
1. PKG encryption -> both pkg2zip and pkg_dec can decrypt and extract those just fine
2. pfs encryption -> you can decrypt files through PC tools (can't recall the name, sorry) or through VitaShell
3. eboot encryption -> We still haven't got a way to decrypt those, but any modifications to it can be done in the Vita's memory. In the case of resolution hacks you can try ren's plugin (again, can't recall the name, sorry) or use a game hacking plugin (I know the Chinese one works with nonpdrm and retail titles) that modifies the game's binary on the fly.

The reason why vitamin and maitool could create decrypted eboots is simple: they didn't use the original encrypted eboot at all; they simply dumped it from the Vita's memory. That's the reason why games with elaborate or dynamic code couldn't be properly dumped with those tools.