CMA Has Been Hacked And Backups Decrypted For All Firmwares (PS Vita)

    Yifan Lu's Note

    psvimgtools: Decrypt Vita Backups

    The Vita’s Content Manager allows you to back up and restore games, saves, and system settings. These backups are encrypted (but not signed!) using a key derived in the F00D processor.

    While researching into F00D, xyz and Proxima stumbled upon a neat trick (proposed originally by plutoo) that lets you obtain this secret key and that has inspired me to write a set of tools to manipulate CMA backups.

    The upshot is that with these tools, you can modify backups for any Vita system including 3.63 and likely all future firmware. This does not mean you can run homebrew, but does enable certain tricks like disabling the PSTV whitelist or swapping X/O buttons.

    Backup Keys

    Because my friends who discovered this are pretty busy with other stuff at the time, I will attempt to document their findings here. The backup encryption process is documented in detail on the wiki, but the short version is that your AID (unique to a PSN account) is used to generate a key seed. This key seed is used by the F00D processor (the security co-processor) to generate an AES256 key, which is passed directly to the hardware crypto device.

    The ARM (application) processor can access this crypto hardware but cannot read any keys out of it. This means that ARM can use the hardware as a black-box to encrypt backups without knowing the key. Of course you can try to brute force the key since you know both the plaintext and ciphertext thanks to the HENkaku kernel hack, but that would take time, which is physically impossible.

    However, since we can hack any Vita on 3.60, it is possible to use the Vita itself as a black box for extracting and modifying backups for other devices on unhackable firmwares, but since the process requires access to a hacked Vita, it is not very useful.

    Information from Yifan Lu's Blog

    From Yifan Lu @Twitter

    SOURCE Code & Tools on GitHub

    http://www.psx-place.com/threads/cma...en-3-63.12838/
    The Hackmaster
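The post above makes a point worth seeing in code: an "encrypted but not signed" backup can be modified without the decrypting side noticing, whereas an encrypt-then-MAC container rejects the same modification before decrypting anything. The following Python is an added example, not code from the post, from Yifan Lu or from psvimgtools. It assumes nothing about the real F00D key derivation (the `derive_keys` placeholder just hashes a constructed AID), and it stands in a SHA-256 counter-mode keystream for the Vita's hardware AES so that it runs with the standard library only; the structure of the check, not the cipher, is the point.

```python
import hashlib
import hmac
import struct

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(aid):
    """Placeholder for the AID -> key seed -> key step described in the post.

    The real derivation happens inside F00D and is not on the page; here we
    simply hash a constructed AID into an encryption key and a separate MAC key.
    """
    seed = hashlib.sha256(b"backup-key-seed:" + aid).digest()
    enc_key = hashlib.sha256(seed + b"enc").digest()  # 32 bytes, AES-256 sized
    mac_key = hashlib.sha256(seed + b"mac").digest()
    return enc_key, mac_key


def keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256; a stand-in for the hardware AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key, nonce, data):
    """Confidentiality only: XOR with the keystream. Decryption is the same op."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt_only = encrypt_only


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup tag mismatch: rejecting modified backup")
    return encrypt_only(enc_key, nonce, ct)


def corrupt_byte(data, offset):
    """Return a copy of data with one byte inverted (models an edited backup)."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


def demo():
    aid = b"CONSTRUCTED-AID!"          # constructed 16-byte placeholder, not a real PSN AID
    enc_key, mac_key = derive_keys(aid)
    nonce = bytes(range(NONCE_LEN))    # fixed so the run is reproducible
    backup = b"setting=on;region=eu"   # constructed sample backup content

    # 1. Encryption without a MAC: the edited blob decrypts with no error at all,
    #    it just yields different data than was backed up.
    ct = encrypt_only(enc_key, nonce, backup)
    recovered = decrypt_only(enc_key, nonce, corrupt_byte(ct, 8))
    accepted_without_mac = recovered != backup

    # 2. Encrypt-then-MAC: the untouched container opens, the edited one is refused.
    blob = seal(enc_key, mac_key, nonce, backup)
    roundtrip_ok = open_sealed(enc_key, mac_key, blob) == backup
    try:
        open_sealed(enc_key, mac_key, corrupt_byte(blob, NONCE_LEN + 8))
        rejected_with_mac = False
    except ValueError:
        rejected_with_mac = True

    return {
        "accepted_without_mac": accepted_without_mac,
        "roundtrip_ok": roundtrip_ok,
        "rejected_with_mac": rejected_with_mac,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice to note is the order of operations in `open_sealed`: the tag covers the nonce and the ciphertext and is checked with `hmac.compare_digest` before any decryption, so a modified container never reaches the parser. That is the property the Content Manager format lacks according to the post, and it is what lets a tool like psvimgtools rewrite a backup that the console will then accept.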

  • #2
    Neat, at first I thought you meant CMGSCCC or whatever that site was called. It's called Code Twink now.

  • #3
    Hidden Applications for Vita 3.63 owners

    Idumpvitastuff over at reddit released Hidden Applications for Vita 3.63 owners. This tool leverages the recent release of psvimgtools that allows some nice tricks on firmwares 3.63 and 3.61 (which do not have access to a full hack such as HENkaku on firmware 3.60).

    This app will in particular let you enable Sign Up for PSN, which technically lets you do account switching. This also enables the package installer, but that one will refuse to start on retail Vitas.

    The author gave a full tutorial on how to enable Hidden Applications on PS Vita 3.63.

    https://www.reddit.com/r/vitahacks/c...plicatons_363/

    http://wololo.net/2017/02/22/ps-vita...-applications/
    The Hackmaster

  • #4
    psvimgtools: Yifan Lu releases tools to decrypt PS Vita backups (including 3.63)

    https://yifan.lu/2017/02/19/psvimgto...-vita-backups/
    The Hackmaster
