Vita Guides: Difference between revisions
No edit summary |
|||
(19 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[Category:Vita]] | |||
{| align="right" style="padding-left:20px" | |||
| __TOC__ | |||
|} | |||
== How to check if a DevKit's Firmware is Internal/External == | == How to check if a DevKit's Firmware is Internal/External == | ||
The first and most noticeabel indication would be a very long activation period as internal firmware kits often come with a QAF Token.<br> | |||
On emmc dumps you can hex-search for <code>83 FF AD 6D 24 F3 39 64 A0 61 78 8D A0 68 3B 19</code> which the start of a metadata block only present in Internal Firmwares. | If the firmware is missing App_Home and the test AppStores it is most likely a CEX_FOR_TOOL build which is internal.<br> | ||
If the kit is deactivated however you'd need to activate it and try to run a game cartridge. If there is an error it is most likely internal as the decryption keys are different between Internal and External.<br> | |||
<br> | |||
To 100% confirm the kit needs to be dumped and the modules checked though. On emmc dumps you can hex-search for <code>83 FF AD 6D 24 F3 39 64 A0 61 78 8D A0 68 3B 19</code> which is the start of a metadata block only present in Internal Firmwares. | |||
Line 10: | Line 17: | ||
<code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | <code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | ||
where "45 03 C7 63" is the CP Date (here 17/01/2023) If its <code>00 00 00 00</code> the kit has never been activated! | where "45 03 C7 63" is the CP Date (here 17/01/2023) If its <code>00 00 00 00</code> the kit has never been activated! | ||
<br><br> | |||
New alternative [http://wiki.corcovado.info/downloads/DipswTool.exe DipswTool.exe] (https://github.com/Princess-of-Sleeping/PSP2DipswTool/tree/master)<br> | |||
=== via Homebrew === | === via Homebrew === | ||
Line 18: | Line 27: | ||
At 0x8 is the (int) counter of activations.<br> | At 0x8 is the (int) counter of activations.<br> | ||
At 0xC the start date in Unix format and at 0x10 the end date in Unix format. | At 0xC the start date in Unix format and at 0x10 the end date in Unix format. | ||
== How to check if there is a QAF token installed == | == How to check if there is a QAF token installed == | ||
In any case dumping NVS is the savest way to tell for sure if and which kind of token is installed! | In any case dumping NVS is the savest way to tell for sure if and which kind of token is installed! | ||
=== CEX (Retails) === | === CEX (Retails) === | ||
Dumping NVS or using Apps to check and display the token name. (eg: [https://github.com/Freakler/vita-PSVident PSVident] or QAFUtility [PCSI90043]) | Dumping NVS or using Apps to check and display the token name. (eg: [https://github.com/Freakler/vita-PSVident PSVident] or QAFUtility [PCSI90043]) | ||
=== DEX (TestKits) === | === DEX (TestKits) === | ||
When the Kit is activated for a very long time there most likely is an active QA Token installed. | When the Kit is activated for a very long time there most likely is an active QA Token installed. | ||
=== TOOL (DevKits) === | === TOOL (DevKits) === | ||
Line 42: | Line 49: | ||
! Name !! Flags !! Notes | ! Name !! Flags !! Notes | ||
|- | |- | ||
| QAF_QATEAM_E || 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 || for "QualityAssurance Team" units (early) | | QAF_QATEAM_E || <code>01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03</code> || for "QualityAssurance Team" units (early) | ||
|- | |- | ||
| QAF_QATEAM_MINI_E || 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 || for "QualityAssurance Team" units | | QAF_QATEAM_MINI_E || <code>01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03</code> || for "QualityAssurance Team" units | ||
|- | |- | ||
| QAF_QATEAM_FULL_E || 11 00 00 00 00 00 0F 04 64 00 00 00 04 00 00 03 || for "QualityAssurance Team" units | | QAF_QATEAM_FULL_E || <code>11 00 00 00 00 00 0F 04 64 00 00 00 04 00 00 03</code> || for "QualityAssurance Team" units | ||
|- | |- | ||
| QAF_SYS_DEV_I|| 33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01 || for DevKits used for "System Development" | | QAF_SYS_DEV_I|| <code>33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01</code> || for DevKits used for "System Development" | ||
|- | |- | ||
| QAF_MGVIDEO_DEV_I|| 33 00 00 00 00 00 07 05 73 01 00 11 06 02 03 01 || for DevKits used for "MagicGate Video Development" | | QAF_MGVIDEO_DEV_I|| <code>33 00 00 00 00 00 07 05 73 01 00 11 06 02 03 01</code> || for DevKits used for "MagicGate Video Development" | ||
|- | |- | ||
| QAF_MGVIDEO_ADV_I|| 33 00 00 00 00 00 07 05 73 01 00 11 06 03 03 01 || for DevKits used for "MagicGate Video Development" | | QAF_MGVIDEO_ADV_I|| <code>33 00 00 00 00 00 07 05 73 01 00 11 06 03 03 01</code> || for DevKits used for "MagicGate Video Development" | ||
|} | |} | ||
The "_E" / or "_I" suffix indicates the Firmware the token is for. (External / Internal) | The "_E" / or "_I" suffix indicates the Firmware the token is for. (External / Internal) | ||
<br> | <br> | ||
== How to fake re-activate a DevKit == | == How to fake re-activate a DevKit == | ||
Line 62: | Line 68: | ||
=== via Software === | === via Software === | ||
Download this custom [http://wiki.corcovado.info/downloads/psp2ctrl.exe psp2ctrl.exe] (might require .net 4.5.2)<br> | <s>Download this custom [http://wiki.corcovado.info/downloads/psp2ctrl.exe psp2ctrl.exe] (might require .net 4.5.2)<br> | ||
<code>psp2ctrl.exe get-setting kernel:/bootparam</code> will return something <code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | <code>psp2ctrl.exe get-setting kernel:/bootparam</code> will return something <code>45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]</code> | ||
where "45 03 C7 63" is the CP Unix timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp! Then write back via <code>psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."</code> | where "45 03 C7 63" is the CP Unix timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp! Then write back via <code>psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."</code> | ||
<br><br> | |||
New alternative [http://wiki.corcovado.info/downloads/DipswTool.exe DipswTool.exe] (https://github.com/Princess-of-Sleeping/PSP2DipswTool/tree/master)<br></s> | |||
=== via Hardware === | === via Hardware === | ||
Remove the Battery for a couple seconds and set the earliest possible date in setup. (You can re-de-activate via setting time via Internet) | |||
== How to re-activate a TestKit == | == How to re-activate a TestKit == | ||
Line 74: | Line 81: | ||
(You can re-de-activate via button combo to reset timer: <code>POWER + PSButton + START + SELECT</code>) | (You can re-de-activate via button combo to reset timer: <code>POWER + PSButton + START + SELECT</code>) | ||
== How to craft an Activation Token == | |||
Download and use [http://wiki.corcovado.info/downloads/devkit_activation.rar devkit_activation.rar]<br> | |||
Example: <code>python devkit_activate.py -k a48d1a81ef37438ec96cba900521f678 -s 1688069949 -e 1788069949 -i 1 > vita_activation.afv</code><br> | |||
(Will be working for < 1.80 only since tokens aren't signed) (if a token is already present with a higher activation count it'll fail to activate and it won't overwrite) | |||
== How to dump a DevKit == | == How to dump a DevKit == | ||
<b>NGS Exploit files:</b> https://www.mediafire.com/folder/7h2n6rqu5rqks/NGS<br> | |||
<b>Devdumpers skprxs:</b> https://github.com/SKGleba/VitaTools/tree/main/devdumper/build<br> | |||
=== with activation via Neighborhood === | === with activation via Neighborhood === | ||
1) rename "devdump_xxxxxx.skprx" to "bootstrap.skprx" and put into local file serving directory (host0)<br> | 1) rename "devdump_xxxxxx.skprx" to "bootstrap.skprx" and put into local file serving directory (host0)<br> | ||
2) enable devmode (via for example <code>psp2ctrl set-setting integer bootparam:/development_mode 1</code>)<br> | 2) enable devmode (via for example <code>psp2ctrl set-setting integer bootparam:/development_mode 1</code>)<br> | ||
3) run "ngs_exploit_XXX.self"<br> | 3) run "ngs_exploit_XXX.self"<br> | ||
=== without activation === | === without activation === | ||
use Henkaku / Henlo | 0) use Henkaku / Henlo (make sure to have a memorycard with 4GB of free space)<br> | ||
1) Install [http://wiki.corcovado.info/downloads/plugin_loader.vpk plugin_loader.vpk]<br> | |||
2) Rename "devdump_xxxxxx_ux0data.skprx" to "kplugin.skprx" and put into "ux0:data/tai/" folder<br> | |||
3) Run Plugin Loader App (it will dump in the background) | |||
<br> | |||
== How to dump a MemoryCard == | == How to dump a MemoryCard == | ||
If it is a "Sample" MemoryCard they will only work for Firmwares earlier than 1.692! | If it is a "Sample" MemoryCard they will only work for Firmwares earlier than 1.692! | ||
=== via (activated/hacked) DevKit === | === via (activated/hacked) DevKit + Neighborhood === | ||
boot devkit<br> | |||
insert memory card (BUT DONT restart to use it! press NO on dialog)<br> | |||
place in FSROOT: devdump_toolram_mc_to_host0.skprx -> bootstrap.skprx<br> | |||
run ngs exploit self<br> | |||
=== via Vita === | === via Vita === | ||
Line 101: | Line 119: | ||
== How to unpack a MemoryCard raw dump == | == How to unpack a MemoryCard raw dump == | ||
Download [http://wiki.corcovado.info/downloads/mkfs.exe mkfs.exe] | Download [http://wiki.corcovado.info/downloads/mkfs.exe mkfs.exe] | ||
Use <code>mkfs.exe extract mc.img out</code> to unpack ux0 partition and then OSFMount to mount the partition | Use <code>mkfs.exe extract mc.img out</code> to unpack ux0-1 partition and then OSFMount to mount the partition file on Windows. | ||
Line 108: | Line 126: | ||
<code>psp2ctrl set-setting integer bootparam:/release_check_mode_console 0</code><br> | <code>psp2ctrl set-setting integer bootparam:/release_check_mode_console 0</code><br> | ||
<code>psp2ctrl set-setting integer bootparam:/development_mode 1</code><br> | <code>psp2ctrl set-setting integer bootparam:/development_mode 1</code><br> | ||
<br><br> | |||
New alternative [http://wiki.corcovado.info/downloads/DipswTool.exe DipswTool.exe] (https://github.com/Princess-of-Sleeping/PSP2DipswTool/tree/master)<br> | |||
== How to downgrade a PDEL below 1.692 == | == How to downgrade a PDEL below 1.692 == | ||
Line 125: | Line 144: | ||
== How to unpack an emmc/nand dump == | == How to unpack an emmc/nand dump == | ||
Download [http://wiki.corcovado.info/downloads/psp2scefstool.7z psp2scefstool.7z] | |||
Use <code>psp2scefstool -x emmc.img out</code> to unpack and then OSFMount to mount the partition files on Windows. | Use <code>psp2scefstool -x emmc.img out</code> to unpack and then OSFMount to mount the partition files on Windows. | ||
Line 133: | Line 153: | ||
== How to extract a Firmware PUP == | == How to extract a Firmware PUP == | ||
Download [http://wiki.corcovado.info/downloads/pup_fiction.7z pup_fiction.7z]<br> | |||
Drop PUP on exe | |||
== How to extract A Firmware PUP watermark == | |||
Extract the SCEWM segment from PUP<br> | |||
Use to decrypt | |||
normal: <code>openssl enc -d -aes-128-cbc -K BFD5EA9F91AE9AF23565E534C4823B72 -iv CE16937E97A3349F143C8FB6AA219528 -in package_scewm.wm -out package_scewm.bin -nopad</code><br> | |||
debugger-key: <code>openssl enc -d -aes-128-cbc -K AB7097356FDD49D83878540167F0C4AD -iv 85537C5A56BD15DF0EB5F7F0D9E276E6 -in package_scewm.wm -out package_scewm.bin -nopad</code> | |||
== How to decrypt vs0:vsh/etc/index.dat == | |||
Install openssl<br> | |||
<code>openssl aes-256-cbc -in index.dat -K 272AE4378CB06BF3F658F51C77ACA2769BE87FB19BBF3D4D6B1B0ED226E39CC6 -iv 37FA4ED2B6618B59B34F770FBB92947B -d > index.dat.dec -nopad</code><br> | |||
<code>openssl aes-256-cbc -in index.dat -K 06CC2E8FD40805A736F17CF2C13D58A6C8CF107E9E4A66AE25D39CA21C2531CC -iv 37FA4ED2B6618B59B34F770FBB92947B -d > index.dat.dec -nopad</code> for < 1.692<br> | |||
== How to convert External PDEL to Internal == | |||
nah |
Latest revision as of 17:19, 19 June 2024
How to check if a DevKit's Firmware is Internal/External
The first and most noticeabel indication would be a very long activation period as internal firmware kits often come with a QAF Token.
If the firmware is missing App_Home and the test AppStores it is most likely a CEX_FOR_TOOL build which is internal.
If the kit is deactivated however you'd need to activate it and try to run a game cartridge. If there is an error it is most likely internal as the decryption keys are different between Internal and External.
To 100% confirm the kit needs to be dumped and the modules checked though. On emmc dumps you can hex-search for 83 FF AD 6D 24 F3 39 64 A0 61 78 8D A0 68 3B 19
which is the start of a metadata block only present in Internal Firmwares.
How to check if a DevKit has been activated before & when
via Neighborhood
Download this custom psp2ctrl.exe (might require .net 4.5.2)
Running psp2ctrl.exe get-setting kernel:/bootparam
will return something like
45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]
where "45 03 C7 63" is the CP Date (here 17/01/2023) If its 00 00 00 00
the kit has never been activated!
New alternative DipswTool.exe (https://github.com/Princess-of-Sleeping/PSP2DipswTool/tree/master)
via Homebrew
via act.dat
Open tm0:activate/act.dat
with a HexEditor.
At 0x8 is the (int) counter of activations.
At 0xC the start date in Unix format and at 0x10 the end date in Unix format.
How to check if there is a QAF token installed
In any case dumping NVS is the savest way to tell for sure if and which kind of token is installed!
CEX (Retails)
Dumping NVS or using Apps to check and display the token name. (eg: PSVident or QAFUtility [PCSI90043])
DEX (TestKits)
When the Kit is activated for a very long time there most likely is an active QA Token installed.
TOOL (DevKits)
When the Kit is activated for a very long time there most likely is an active QA Token installed. For DevKits you can often tell from the Console Output alone as it will have additional debug output. It is however possible that there is an inactive token still installed while the firmware was reverted to external for example. In that case only dumping NVS can tell.
What kind of QAF Tokens are there and what do they do
Name | Flags | Notes |
---|---|---|
QAF_QATEAM_E | 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 |
for "QualityAssurance Team" units (early) |
QAF_QATEAM_MINI_E | 01 00 00 00 00 00 0D 04 64 00 00 00 04 00 00 03 |
for "QualityAssurance Team" units |
QAF_QATEAM_FULL_E | 11 00 00 00 00 00 0F 04 64 00 00 00 04 00 00 03 |
for "QualityAssurance Team" units |
QAF_SYS_DEV_I | 33 00 00 00 00 00 07 05 73 01 00 01 06 03 03 01 |
for DevKits used for "System Development" |
QAF_MGVIDEO_DEV_I | 33 00 00 00 00 00 07 05 73 01 00 11 06 02 03 01 |
for DevKits used for "MagicGate Video Development" |
QAF_MGVIDEO_ADV_I | 33 00 00 00 00 00 07 05 73 01 00 11 06 03 03 01 |
for DevKits used for "MagicGate Video Development" |
The "_E" / or "_I" suffix indicates the Firmware the token is for. (External / Internal)
How to fake re-activate a DevKit
The CP Battery cannot be empty!
via Software
Download this custom psp2ctrl.exe (might require .net 4.5.2)
psp2ctrl.exe get-setting kernel:/bootparam
will return something 45 03 C7 63 01 13 04 00 45 03 C7 63 00 00 00 00 01 00 00 80 00 00 00 01 00 00 04 00 18 00 00 38 <binary>:System.Byte[]
where "45 03 C7 63" is the CP Unix timestamp that you need to replace. Use / calculate one that is earlier than the CP timestamp! Then write back via psp2ctrl.exe set-setting binary kernel:/bootparam "XX XX XX XX XX XX .."
New alternative DipswTool.exe (https://github.com/Princess-of-Sleeping/PSP2DipswTool/tree/master)
via Hardware
Remove the Battery for a couple seconds and set the earliest possible date in setup. (You can re-de-activate via setting time via Internet)
How to re-activate a TestKit
via reAct.vpk
(You can re-de-activate via button combo to reset timer: POWER + PSButton + START + SELECT
)
How to craft an Activation Token
Download and use devkit_activation.rar
Example: python devkit_activate.py -k a48d1a81ef37438ec96cba900521f678 -s 1688069949 -e 1788069949 -i 1 > vita_activation.afv
(Will be working for < 1.80 only since tokens aren't signed) (if a token is already present with a higher activation count it'll fail to activate and it won't overwrite)
How to dump a DevKit
NGS Exploit files: https://www.mediafire.com/folder/7h2n6rqu5rqks/NGS
Devdumpers skprxs: https://github.com/SKGleba/VitaTools/tree/main/devdumper/build
with activation via Neighborhood
1) rename "devdump_xxxxxx.skprx" to "bootstrap.skprx" and put into local file serving directory (host0)
2) enable devmode (via for example psp2ctrl set-setting integer bootparam:/development_mode 1
)
3) run "ngs_exploit_XXX.self"
without activation
0) use Henkaku / Henlo (make sure to have a memorycard with 4GB of free space)
1) Install plugin_loader.vpk
2) Rename "devdump_xxxxxx_ux0data.skprx" to "kplugin.skprx" and put into "ux0:data/tai/" folder
3) Run Plugin Loader App (it will dump in the background)
How to dump a MemoryCard
If it is a "Sample" MemoryCard they will only work for Firmwares earlier than 1.692!
via (activated/hacked) DevKit + Neighborhood
boot devkit
insert memory card (BUT DONT restart to use it! press NO on dialog)
place in FSROOT: devdump_toolram_mc_to_host0.skprx -> bootstrap.skprx
run ngs exploit self
via Vita
SD2Vita required + StorageMgr
How to unpack a MemoryCard raw dump
Download mkfs.exe
Use mkfs.exe extract mc.img out
to unpack ux0-1 partition and then OSFMount to mount the partition file on Windows.
How to fix a Devkit stuck in PSTV + release mode
psp2ctrl set-setting integer bootparam:/platform_emulation_dolce 0
psp2ctrl set-setting integer bootparam:/release_check_mode_console 0
psp2ctrl set-setting integer bootparam:/development_mode 1
New alternative DipswTool.exe (https://github.com/Princess-of-Sleeping/PSP2DipswTool/tree/master)
How to downgrade a PDEL below 1.692
Install a Henkaku/Henlo hackable firmware and then use modoru v1.0 (since it provides its own spkg keys when decryption fails)
How to replace a CP Battery
They all use a CR2032
PDEL / new DEM
Open the shell and remove all screws from the CP board. The battery is located on its front.
DEM-3000G/H
How to unpack an emmc/nand dump
Download psp2scefstool.7z
Use psp2scefstool -x emmc.img out
to unpack and then OSFMount to mount the partition files on Windows.
How to check emmc/ud0 partition for leftover PUP
Hex search for "SCEUF" and check if all segments are still there.
How to extract a Firmware PUP
Download pup_fiction.7z
Drop PUP on exe
How to extract A Firmware PUP watermark
Extract the SCEWM segment from PUP
Use to decrypt
normal: openssl enc -d -aes-128-cbc -K BFD5EA9F91AE9AF23565E534C4823B72 -iv CE16937E97A3349F143C8FB6AA219528 -in package_scewm.wm -out package_scewm.bin -nopad
debugger-key: openssl enc -d -aes-128-cbc -K AB7097356FDD49D83878540167F0C4AD -iv 85537C5A56BD15DF0EB5F7F0D9E276E6 -in package_scewm.wm -out package_scewm.bin -nopad
How to decrypt vs0:vsh/etc/index.dat
Install openssl
openssl aes-256-cbc -in index.dat -K 272AE4378CB06BF3F658F51C77ACA2769BE87FB19BBF3D4D6B1B0ED226E39CC6 -iv 37FA4ED2B6618B59B34F770FBB92947B -d > index.dat.dec -nopad
openssl aes-256-cbc -in index.dat -K 06CC2E8FD40805A736F17CF2C13D58A6C8CF107E9E4A66AE25D39CA21C2531CC -iv 37FA4ED2B6618B59B34F770FBB92947B -d > index.dat.dec -nopad
for < 1.692
How to convert External PDEL to Internal
nah