Following his PS4 PFS Protection Bypass Guide, initial GameArchives PFS Support, GameArchives Updates and MakePFS utility this weekend @zecoxao dropped a hint on Twitter of a retail PS4 Sealedkey / pfsSKKey and is seeking someone with a PlayStation 4 DevKit / TestKit to decrypt it... noting that both the PS4 retail and development Sealedkey / pfsSKKey should be the same.
According to the PSDevWiki the Sealedkey / pfsSKKey can be obtained in different places and is used for SaveGame or Trophy Data decryption and encryption reminiscent of the PS4 Retail / Debug Game Transfusion Tutorial where savegames and trophies were confirmed as working.
To quote: Sealedkey / pfsSKKey
This key can be found on different places and will be used for eg. SaveGame or Trophy Data decryption and encryption.
Flags
Kind | Path |
Trophys | /user/home/user Id/trophy/data/sce_trop/sealedkey |
SaveGames | /user/home/user Id/title Id/save data directory/sce_sys/ |
Structure
- size always 96 bytes
From | To | Description |
00 | 07 | MAGIC ("pfsSKKey") (?playstation file system sealed key key?) |
08 | 09 | KeySet for getSealedKeySecret (changed beyond kernel 1.73) |
0A | 0F | Just 0x00 Bytes |
10 | 1F | IV (16 bytes) |
20 | 3F | Encrypted key (32 bytes) |
40 | 5F | SHA-256 (32 bytes) |
C
Code:
typedef struct sealedkey_t { const unsigned char MAGIC[8]; const unsigned char CAT[8]; const unsigned char IV[16]; const unsigned char KEY[32]; const unsigned char SHA256[32];} PfsSKKey;
CSharp
Code:
protected internal struct sealedkey { internal static byte[] MAGIC = new byte[8]; internal static byte[] CAT = new byte[8]; internal static byte[] IV = new byte[16]; internal static byte[] KEY = new byte[32]; internal static byte[] SHA256 = new byte[32];}
Note: You can't use a const byte[] defination in C#. It need to be a static byte[].
De/En -Crypting
Can be decrypted by frindly asking the OS to do it for you. You will need kernel rights to be able to ask the PS4 for it.
Code:
/* Decryption */#define foreach(item, array) \ for (int keep = 1, \ count = 0, \ size = sizeof(array) / sizeof*(array); \ keep && count != size; \ keep = !keep, count++) \ for (item = (array) + count; keep; keep = !keep)typedef unsigned char byte; /* byte defination for c/c++ */byte PFSK_IDENT[8] = "pfsSKKey";byte VERSION[8] = "\x01\x00\x00\x00\x00\x00\x00\x00"const char USER1 = "10000000";const char usb0 = "/mnt/usb0/";const char usb1 = "/mnt/usb1/";const char pfs = "dec_pfsSK.Key";const char home = "/user/home/";const char tropkey = "/trophy/data/sce_trop/sealedkey";char usb_error = "[-] ERROR: Can't access usb0 nor usb1!\n[-] Will return now to caller.\n"char usb0path[(strlen(usb0) + strlen(pfs))];char usb1path[strlen(usb0path)];/* Get's the encrypted sealed key based on user id */int get_pfsSKKey(byte *buffer, const char *userID, char path) { char toOpen[(strlen(home) + strlen(userID) + strlen(path))]; sprintf(toOpen, home, userID, path) FILE *pfskey = fopen(toOpen, "r"); if (!pfskey) return NULL; fread(buffer, 96, 1, pfskey); fclose(pfskey); return 1;}/* Dump the sealedkey. Send over tcp and save to file */int dumpDecryptedSealedKey(int to) { if (to < 0 || to > 1) return -2; /* First load the sealedkey into a buffer */ PfsSKKEy enc; if (!get_pfsSKKey(&enc, USER1, tropkey)) { printf("[-] Can not load the sealed key!\n"); return -1; } /* Let's check the pfsSKKEy */ if (enc->MAGIC == PFSK_IDENT && enc->CAT == VERSION) { printf("[+] Magic and version ok!\n[+] sk IV = "); foreach(byte *val, &enc->IV) printf("%02X", *val); printf("\n[+] sk KEY = "); foreach(byte *val, enc->KEY) printf("%02X", *val); printf("\n[+] sk Key-SHA256 = "); foreach(byte *val, sk->SHA256) printf("%02X", *val); printf("\n"); } else return -4; /* Now decrypt it */ byte dec[16]; int i; if (!(i = kernel.sceSblSsDecryptSealedKey(&enc, &dec))) { printf("[-] Error!\n[-] sceSblSsDecryptSealedKey returned %d\n", i); return -1; } printf("[+] sceSblSsDecryptSealedKey returned %d\n", i); if (!to) { /* Print it out */ printf("[+] Your decrypted sealedkey = "); foreach(byte *val, &dec) printf("%02X", *val); printf("\n"); return 1; } else { /* Saving to file */ printf("[+] Will try to save to file..."); sprintf(usb0path, usb0, pfs); sprintf(usb1path, usb1, pfs); FILE *dump = fopen(usb0path, "w"); if (!dump) { dump = fopen(usb1path, "w"); if (!dump) { printf("fail!\n%s", usb_error); return -3; } } fwrite(&dec, 16, 1, dump); printf("done!\n"); fclose(dump); return 1; }}
Reverse Engineering PS4 Trophies Data Documentation by thedarkprogr via PSDevWiki.com:
Trophy
_lp.Pkg <==== not sure why this is here but leaving it here
Background
Trophy files are encrypted on the PS4 by default and mounted by the console each time a game boots
Trophy files get mounted to /mnt/pfs/trophy/{UserId}/data/{NpComId}
Trophy Locations
Trophy files are saved in the following location
/user/home/{UserId}/trophy/data/ <=== This Directory contains all trophies for all games on the console with the NPComId (e.g. NPWR04914_00)
Inside each of these directories are the following files
- sealedkey <==== Sealed Key of each trophy file
- trophy.img <=== The sealed file signed with the sealed key
There is also a SQLite DB that contains all information regarding trophies
/user/home/10000000/trophy/db/trophy_local.db
Un-encrypted trophies can also be found on the ps4 in the following locations
/user/trophy/conf/ <=== these Directories seem completely useless but it does have some stuff to play with
And from the Github README.md: Manual-PS4-Trophy-Unlocker
Explanation on a method on how to unlock trophies on the PS4
Requirements
np_trophy a target (for this i used CUSA00184 [Angry Birds Star Wars]
Step 1
Decrypt the pkg of the game (passcode should be all zeros) From the decrypted files you will need the following
- basically the whole /sc0/ directory just dont use the changeinfo directory ,psresereved.dat or the trophy directory there
- the trophy directory (can be obtrained via ftp)
Now we can start you need to open up nptitle.dat in a hex viewer and grab the nptitleid and the secret
Now you need to place those values inside np_trophy in the NpTitleId and NpTitleSecret variables
Then you can build the pkg and thats it press x Select your trophy and click unlock
Spoiler: Related Tweets
From PSDevWiki.com: Portable Keys Dumps
pfsSKKey__SecKey (External)
Code:
00000000 70 66 73 53 4b 4b 65 79 5f 5f 53 65 63 4b 65 79 |pfsSKKey__SecKey|00000010 b5 da ef ff 39 e6 d9 0e ca 7d c5 b0 29 a8 15 3e |....9....}..)..>|00000020 87 07 96 0a 53 46 8d 6c 84 3b 3d c9 62 4e 22 af |....SF.l.;=.bN".|00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080
SCE_EAP_HDD__KEY (External)
Code:
00000000 53 43 45 5f 45 41 50 5f 48 44 44 5f 5f 4b 45 59 |SCE_EAP_HDD__KEY|00000010 bb 6c d6 6d dc 67 1f ac 36 64 f7 bf 50 49 ba a8 |.l.m.g..6d..PI..|00000020 c4 68 79 04 bc 31 cf 4f 2f 4e 9f 89 fa 45 87 93 |.hy..1.O/N...E..|00000030 81 17 45 e7 c7 e8 0d 46 0f af 23 26 55 0b d7 e4 |..E....F..#&U...|00000040 d2 a0 a0 d9 72 9d e5 d2 11 7d 70 67 6f 1d 55 74 |....r....}pgo.Ut|00000050 8d c1 7c df 29 c8 6a 85 5f 2a e9 a1 ad 3e 91 5f |..|.).j._*...>._|00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080
CFK1 (External)
Code:
00000000 43 46 4b 31 00 00 00 00 00 00 00 00 00 00 00 00 |CFK1............|00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|00000020 61 9a d0 db 62 cb 51 37 d8 aa 84 d0 28 b9 92 2d |a...b.Q7....(..-|00000030 74 46 01 4d 5a 20 67 31 af d2 ab 62 44 d1 f5 92 |tF.MZ g1...bD...|00000040 de 9f 35 6c 99 1b 1c 04 3d 76 cd 9f b1 a7 03 57 |..5l....=v.....W|00000050 89 73 d9 26 a1 60 ea 72 d8 e7 33 9f b0 52 f0 e2 |.s.&.`.r..3..R..|00000060 06 80 47 c4 d7 7a fd fd 95 72 27 8d 97 ab f4 21 |..G..z...r'....!|00000070 aa cd 9d 9d 2a a2 30 cc 0d 37 b8 69 47 d1 6a ac |....*.0..7.iG.j.|00000080
CFK1 (External-Extra)
Code:
00000000 40 83 63 f3 b4 d0 4b 54 09 ba f3 f4 27 41 13 c4 |@.c...KT....'A..|00000010 ac 97 ae 26 3b 9b 26 1c 2d 87 50 35 80 a3 e0 34 |...&;.&.-.P5...4|00000020 f9 97 e5 b9 8c 85 9d 90 33 68 04 32 81 1b 50 21 |........3h.2..P!|00000030 1f a4 5d 36 63 a3 50 7b cc 68 12 7c bf 9a aa 2d |..]6c.P{.h.|...-|00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080
SCEROOTPARAM_KEY (External)
Code:
00000000 53 43 45 52 4f 4f 54 50 41 52 41 4d 5f 4b 45 59 |SCEROOTPARAM_KEY|00000010 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000040 29 ed 9c 0a f8 d3 97 00 29 85 a9 df d0 f2 47 21 |).......).....G!|00000050 03 ea a7 1e b1 10 c0 03 99 b1 1d ec b2 e5 df 08 |................|00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080
SCEROOTPARAM_KEY (External-Extra1)
Code:
00000000 ab 75 84 e1 58 6e f3 38 66 3b 39 9b 09 40 49 54 |.u..Xn.8f;9..@IT|00000010 6b ce b2 f0 9f 32 0a 1b f8 de 0a a0 d1 5f 28 bd |k....2......._(.|00000020 7f f5 78 1d c5 4c 80 fb e4 7a 3e 36 91 8d 19 3e |..x..L...z>6...>|00000030 09 67 ae 3d 61 4e b1 4f 7d 71 cf 20 e4 40 71 1f |.g.=aN.O}q. .@q.|00000040 05 65 93 0d fd 2d a6 d1 21 3c ef f4 5a 00 97 cb |.e...-..!<..Z...|00000050 2f e9 ed b5 ce 07 bb d3 57 4e fa b1 ac a3 fe 80 |/.......WN......|00000060 88 3f 0a 0e 75 9b 4f 2f 40 6a c6 ef 98 23 b9 e5 |.?..u.O/@j...#..|00000070 ae bd 3b 75 b7 c6 e1 68 5f b3 90 c4 12 a0 4d 24 |..;u...h_.....M$|00000080
SCEROOTPARAM_KEY (External-Extra2)
Code:
00000000 44 62 12 3c 06 10 f2 55 3c 01 d1 f8 50 eb 1e 88 |Db.<...U<...P...|00000010 c0 34 61 40 04 19 80 9d ab b4 63 f6 f3 6c e9 4d |[emailprotected]|00000020 39 6e 07 40 d9 8a d3 27 0c 27 e1 4a ad 0e b1 19 |9n.@...'.'.J....|00000030 fe 79 df 09 7c 07 9b eb ec f9 aa 64 f0 42 f6 4d |.y..|......d.B.M|00000040 58 45 0e 46 d9 e8 31 98 5d c5 10 ed 81 32 f5 c8 |XE.F..1.]....2..|00000050 8a d2 48 5b cc 6f 7e 2d 38 b0 f4 3e 8f 2b 0c 63 |..H[.o~-8..>.+.c|00000060 19 1d f8 5f 50 0b 77 f9 37 ec 7c 6b ea cd c9 15 |..._P.w.7.|k....|00000070 ea e6 d8 e1 bf 80 28 a3 eb 3e 9a 9d 5c 00 48 ad |......(..>..\.H.|00000080
SCE_LwUtoken_Key (External)
Code:
00000000 53 43 45 5f 4c 77 55 74 6f 6b 65 6e 5f 4b 65 79 |SCE_LwUtoken_Key|00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000040 e4 03 52 c3 02 18 f1 a6 22 5a cf 4c a7 9e 54 eb |..R....."Z.L..T.|00000050 b2 7a bc be b7 1f b4 7a 5c d0 66 c7 9e 99 9f 2a |.z.....z\.f....*|00000060 66 4a b9 75 36 4c f3 0e 75 ee 24 15 9c 38 51 f3 |fJ.u6L..u.$..8Q.|00000070 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|00000080
SCE_LwUtoken_Key (External-Extra1)
Code:
00000000 a3 c6 b1 40 de 3d d5 e9 44 8c 16 0a 18 54 75 6f |...@.=..D....Tuo|00000010 1c 51 87 64 cd 3d a4 6f ce 72 a8 36 eb 61 f6 81 |.Q.d.=.o.r.6.a..|00000020 5a 3f b5 c4 73 08 7e 87 a9 ff 8d a6 a7 27 60 22 |Z?..s.~......'`"|00000030 fe 2f 64 64 ed 9c 97 fe 72 38 e4 d3 11 a9 b1 8b |./dd....r8......|00000040 35 32 29 d6 38 1e 7d 47 cc 09 0e 61 23 67 5f 00 |52).8.}G...a#g_.|00000050 cc 11 f2 51 69 5d 51 64 1b 4f c1 47 62 bb c0 3b |...Qi]Qd.O.Gb..;|00000060 46 60 85 53 7c 41 78 76 39 5c 5a a3 fa 7e 40 17 |F`.S|Axv9\Z..~@.|00000070 34 6f 6c 2a 27 04 25 cc 7c ad 87 c4 6a eb f6 bf |4ol*'.%.|...j...|00000080
SCE_LwUtoken_Key (External-Extra2)
Code:
00000000 2c e9 d0 41 3b f5 29 aa ad aa 0f 3b d6 18 44 7e |,..A;.)....;..D~|00000010 35 95 f6 9f af f0 03 92 1a cd 6e 59 22 54 c5 d9 |5.........nY"T..|00000020 6b 9d c2 14 d6 3f ee bf ef 07 58 af 96 1a ab 5d |k....?....X....]|00000030 77 09 27 96 2d fe a8 20 03 b4 e3 41 94 75 b2 49 |w.'.-.. ...A.u.I|00000040 54 4f 08 e7 5d f4 dc 87 3a 34 5d 8e a8 10 67 22 |TO..]...:4]...g"|00000050 e4 78 c4 70 d6 1b 9f 8c 5a b9 a9 d7 c9 17 83 30 |.x.p....Z......0|00000060 35 0e 11 ba a2 27 46 82 f9 f1 88 31 ea af ec 75 |5....'F....1...u|00000070 dc 5b 86 d7 70 90 c9 dc 76 c2 35 5c cd 9c 33 d4 |.[..p...v.5\..3.|00000080
Download: TrophyUnlocker.zip (includes TrophyUnlocker.exe)
To quote: Trophy Unlocker Beta
Its simple.
- Run TrophyUnlocker.exe
- Add the Param.sfo of the current game you want to run.
- Add the Nptitle and NpBlind files add the trophy.trp file
- All can be dumped with the app dump payload.
- Click build.
- Now install the created pkg on the PS4 (If the game is installed it will overwrite it so be careful)
- Run it.
- Click the arrows up and down to select the trophy you want unlocked
- [ ] to view the trophy list.
- X to unlock.
- And Triangle for a screenshot
Have fun
XDPx
P.s. this is a beta and a better looking ui with more stability will be coming soon as well as the source code to the github. edit here is a hotfix thanks GraFfiX_221211 for testing.