PS4 Sealedkey / pfsSKKey for SaveGame & Trophy Data Decryption (2024)

Following his PS4 PFS Protection Bypass Guide, initial GameArchives PFS Support, GameArchives Updates and MakePFS utility this weekend @zecoxao dropped a hint on Twitter of a retail PS4 Sealedkey / pfsSKKey and is seeking someone with a PlayStation 4 DevKit / TestKit to decrypt it... noting that both the PS4 retail and development Sealedkey / pfsSKKey should be the same. PS4 Sealedkey / pfsSKKey for SaveGame & Trophy Data Decryption (1)

According to the PSDevWiki the Sealedkey / pfsSKKey can be obtained in different places and is used for SaveGame or Trophy Data decryption and encryption reminiscent of the PS4 Retail / Debug Game Transfusion Tutorial where savegames and trophies were confirmed as working. PS4 Sealedkey / pfsSKKey for SaveGame & Trophy Data Decryption (2)

To quote: Sealedkey / pfsSKKey

This key can be found on different places and will be used for eg. SaveGame or Trophy Data decryption and encryption.

Flags

KindPath
Trophys/user/home/user Id/trophy/data/sce_trop/sealedkey
SaveGames/user/home/user Id/title Id/save data directory/sce_sys/

Structure

  • size always 96 bytes
FromToDescription
0007MAGIC ("pfsSKKey") (?playstation file system sealed key key?)
0809KeySet for getSealedKeySecret (changed beyond kernel 1.73)
0A0FJust 0x00 Bytes
101FIV (16 bytes)
203FEncrypted key (32 bytes)
405FSHA-256 (32 bytes)

C

Code:

typedef struct sealedkey_t { const unsigned char MAGIC[8]; const unsigned char CAT[8]; const unsigned char IV[16]; const unsigned char KEY[32]; const unsigned char SHA256[32];} PfsSKKey;

CSharp

Code:

protected internal struct sealedkey { internal static byte[] MAGIC = new byte[8]; internal static byte[] CAT = new byte[8]; internal static byte[] IV = new byte[16]; internal static byte[] KEY = new byte[32]; internal static byte[] SHA256 = new byte[32];}

Note: You can't use a const byte[] defination in C#. It need to be a static byte[].

De/En -Crypting

Can be decrypted by frindly asking the OS to do it for you. You will need kernel rights to be able to ask the PS4 for it.

Code:

/* Decryption */#define foreach(item, array) \ for (int keep = 1, \ count = 0, \ size = sizeof(array) / sizeof*(array); \ keep && count != size; \ keep = !keep, count++) \ for (item = (array) + count; keep; keep = !keep)typedef unsigned char byte; /* byte defination for c/c++ */byte PFSK_IDENT[8] = "pfsSKKey";byte VERSION[8] = "\x01\x00\x00\x00\x00\x00\x00\x00"const char USER1 = "10000000";const char usb0 = "/mnt/usb0/";const char usb1 = "/mnt/usb1/";const char pfs = "dec_pfsSK.Key";const char home = "/user/home/";const char tropkey = "/trophy/data/sce_trop/sealedkey";char usb_error = "[-] ERROR: Can't access usb0 nor usb1!\n[-] Will return now to caller.\n"char usb0path[(strlen(usb0) + strlen(pfs))];char usb1path[strlen(usb0path)];/* Get's the encrypted sealed key based on user id */int get_pfsSKKey(byte *buffer, const char *userID, char path) { char toOpen[(strlen(home) + strlen(userID) + strlen(path))]; sprintf(toOpen, home, userID, path) FILE *pfskey = fopen(toOpen, "r"); if (!pfskey) return NULL; fread(buffer, 96, 1, pfskey); fclose(pfskey); return 1;}/* Dump the sealedkey. Send over tcp and save to file */int dumpDecryptedSealedKey(int to) { if (to < 0 || to > 1) return -2; /* First load the sealedkey into a buffer */ PfsSKKEy enc; if (!get_pfsSKKey(&enc, USER1, tropkey)) { printf("[-] Can not load the sealed key!\n"); return -1; } /* Let's check the pfsSKKEy */ if (enc->MAGIC == PFSK_IDENT && enc->CAT == VERSION) { printf("[+] Magic and version ok!\n[+] sk IV = "); foreach(byte *val, &enc->IV) printf("%02X", *val); printf("\n[+] sk KEY = "); foreach(byte *val, enc->KEY) printf("%02X", *val); printf("\n[+] sk Key-SHA256 = "); foreach(byte *val, sk->SHA256) printf("%02X", *val); printf("\n"); } else return -4; /* Now decrypt it */ byte dec[16]; int i; if (!(i = kernel.sceSblSsDecryptSealedKey(&enc, &dec))) { printf("[-] Error!\n[-] sceSblSsDecryptSealedKey returned %d\n", i); return -1; } printf("[+] sceSblSsDecryptSealedKey returned %d\n", i); if (!to) { /* Print it out */ printf("[+] Your decrypted sealedkey = "); foreach(byte *val, &dec) printf("%02X", *val); printf("\n"); return 1; } else { /* Saving to file */ printf("[+] Will try to save to file..."); sprintf(usb0path, usb0, pfs); sprintf(usb1path, usb1, pfs); FILE *dump = fopen(usb0path, "w"); if (!dump) { dump = fopen(usb1path, "w"); if (!dump) { printf("fail!\n%s", usb_error); return -3; } } fwrite(&dec, 16, 1, dump); printf("done!\n"); fclose(dump); return 1; }}

PS4 Sealedkey / pfsSKKey for SaveGame & Trophy Data Decryption (3) Reverse Engineering PS4 Trophies Data Documentation by thedarkprogr via PSDevWiki.com:

Trophy

_lp.Pkg <==== not sure why this is here but leaving it here

Background

Trophy files are encrypted on the PS4 by default and mounted by the console each time a game boots

Trophy files get mounted to /mnt/pfs/trophy/{UserId}/data/{NpComId}

Trophy Locations

Trophy files are saved in the following location

/user/home/{UserId}/trophy/data/ <=== This Directory contains all trophies for all games on the console with the NPComId (e.g. NPWR04914_00)

Inside each of these directories are the following files

  • sealedkey <==== Sealed Key of each trophy file
  • trophy.img <=== The sealed file signed with the sealed key

There is also a SQLite DB that contains all information regarding trophies

/user/home/10000000/trophy/db/trophy_local.db

Un-encrypted trophies can also be found on the ps4 in the following locations

/user/trophy/conf/ <=== these Directories seem completely useless but it does have some stuff to play with

And from the Github README.md: Manual-PS4-Trophy-Unlocker

Explanation on a method on how to unlock trophies on the PS4

Requirements

np_trophy a target (for this i used CUSA00184 [Angry Birds Star Wars]

Step 1

Decrypt the pkg of the game (passcode should be all zeros) From the decrypted files you will need the following

  • basically the whole /sc0/ directory just dont use the changeinfo directory ,psresereved.dat or the trophy directory there
  • the trophy directory (can be obtrained via ftp)

Now we can start you need to open up nptitle.dat in a hex viewer and grab the nptitleid and the secret

Now you need to place those values inside np_trophy in the NpTitleId and NpTitleSecret variables

Then you can build the pkg and thats it press x Select your trophy and click unlock

Spoiler: Related Tweets

From PSDevWiki.com: Portable Keys Dumps

pfsSKKey__SecKey (External)

Code:

00000000 70 66 73 53 4b 4b 65 79 5f 5f 53 65 63 4b 65 79 |pfsSKKey__SecKey|00000010 b5 da ef ff 39 e6 d9 0e ca 7d c5 b0 29 a8 15 3e |....9....}..)..>|00000020 87 07 96 0a 53 46 8d 6c 84 3b 3d c9 62 4e 22 af |....SF.l.;=.bN".|00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080

SCE_EAP_HDD__KEY (External)

Code:

00000000 53 43 45 5f 45 41 50 5f 48 44 44 5f 5f 4b 45 59 |SCE_EAP_HDD__KEY|00000010 bb 6c d6 6d dc 67 1f ac 36 64 f7 bf 50 49 ba a8 |.l.m.g..6d..PI..|00000020 c4 68 79 04 bc 31 cf 4f 2f 4e 9f 89 fa 45 87 93 |.hy..1.O/N...E..|00000030 81 17 45 e7 c7 e8 0d 46 0f af 23 26 55 0b d7 e4 |..E....F..#&U...|00000040 d2 a0 a0 d9 72 9d e5 d2 11 7d 70 67 6f 1d 55 74 |....r....}pgo.Ut|00000050 8d c1 7c df 29 c8 6a 85 5f 2a e9 a1 ad 3e 91 5f |..|.).j._*...>._|00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080

CFK1 (External)

Code:

00000000 43 46 4b 31 00 00 00 00 00 00 00 00 00 00 00 00 |CFK1............|00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|00000020 61 9a d0 db 62 cb 51 37 d8 aa 84 d0 28 b9 92 2d |a...b.Q7....(..-|00000030 74 46 01 4d 5a 20 67 31 af d2 ab 62 44 d1 f5 92 |tF.MZ g1...bD...|00000040 de 9f 35 6c 99 1b 1c 04 3d 76 cd 9f b1 a7 03 57 |..5l....=v.....W|00000050 89 73 d9 26 a1 60 ea 72 d8 e7 33 9f b0 52 f0 e2 |.s.&.`.r..3..R..|00000060 06 80 47 c4 d7 7a fd fd 95 72 27 8d 97 ab f4 21 |..G..z...r'....!|00000070 aa cd 9d 9d 2a a2 30 cc 0d 37 b8 69 47 d1 6a ac |....*.0..7.iG.j.|00000080

CFK1 (External-Extra)

Code:

00000000 40 83 63 f3 b4 d0 4b 54 09 ba f3 f4 27 41 13 c4 |@.c...KT....'A..|00000010 ac 97 ae 26 3b 9b 26 1c 2d 87 50 35 80 a3 e0 34 |...&;.&.-.P5...4|00000020 f9 97 e5 b9 8c 85 9d 90 33 68 04 32 81 1b 50 21 |........3h.2..P!|00000030 1f a4 5d 36 63 a3 50 7b cc 68 12 7c bf 9a aa 2d |..]6c.P{.h.|...-|00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080

SCEROOTPARAM_KEY (External)

Code:

00000000 53 43 45 52 4f 4f 54 50 41 52 41 4d 5f 4b 45 59 |SCEROOTPARAM_KEY|00000010 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000040 29 ed 9c 0a f8 d3 97 00 29 85 a9 df d0 f2 47 21 |).......).....G!|00000050 03 ea a7 1e b1 10 c0 03 99 b1 1d ec b2 e5 df 08 |................|00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000080

SCEROOTPARAM_KEY (External-Extra1)

Code:

00000000 ab 75 84 e1 58 6e f3 38 66 3b 39 9b 09 40 49 54 |.u..Xn.8f;9..@IT|00000010 6b ce b2 f0 9f 32 0a 1b f8 de 0a a0 d1 5f 28 bd |k....2......._(.|00000020 7f f5 78 1d c5 4c 80 fb e4 7a 3e 36 91 8d 19 3e |..x..L...z>6...>|00000030 09 67 ae 3d 61 4e b1 4f 7d 71 cf 20 e4 40 71 1f |.g.=aN.O}q. .@q.|00000040 05 65 93 0d fd 2d a6 d1 21 3c ef f4 5a 00 97 cb |.e...-..!<..Z...|00000050 2f e9 ed b5 ce 07 bb d3 57 4e fa b1 ac a3 fe 80 |/.......WN......|00000060 88 3f 0a 0e 75 9b 4f 2f 40 6a c6 ef 98 23 b9 e5 |.?..u.O/@j...#..|00000070 ae bd 3b 75 b7 c6 e1 68 5f b3 90 c4 12 a0 4d 24 |..;u...h_.....M$|00000080

SCEROOTPARAM_KEY (External-Extra2)

Code:

00000000 44 62 12 3c 06 10 f2 55 3c 01 d1 f8 50 eb 1e 88 |Db.<...U<...P...|00000010 c0 34 61 40 04 19 80 9d ab b4 63 f6 f3 6c e9 4d |[emailprotected]|00000020 39 6e 07 40 d9 8a d3 27 0c 27 e1 4a ad 0e b1 19 |9n.@...'.'.J....|00000030 fe 79 df 09 7c 07 9b eb ec f9 aa 64 f0 42 f6 4d |.y..|......d.B.M|00000040 58 45 0e 46 d9 e8 31 98 5d c5 10 ed 81 32 f5 c8 |XE.F..1.]....2..|00000050 8a d2 48 5b cc 6f 7e 2d 38 b0 f4 3e 8f 2b 0c 63 |..H[.o~-8..>.+.c|00000060 19 1d f8 5f 50 0b 77 f9 37 ec 7c 6b ea cd c9 15 |..._P.w.7.|k....|00000070 ea e6 d8 e1 bf 80 28 a3 eb 3e 9a 9d 5c 00 48 ad |......(..>..\.H.|00000080

SCE_LwUtoken_Key (External)

Code:

00000000 53 43 45 5f 4c 77 55 74 6f 6b 65 6e 5f 4b 65 79 |SCE_LwUtoken_Key|00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|*00000040 e4 03 52 c3 02 18 f1 a6 22 5a cf 4c a7 9e 54 eb |..R....."Z.L..T.|00000050 b2 7a bc be b7 1f b4 7a 5c d0 66 c7 9e 99 9f 2a |.z.....z\.f....*|00000060 66 4a b9 75 36 4c f3 0e 75 ee 24 15 9c 38 51 f3 |fJ.u6L..u.$..8Q.|00000070 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|00000080

SCE_LwUtoken_Key (External-Extra1)

Code:

00000000 a3 c6 b1 40 de 3d d5 e9 44 8c 16 0a 18 54 75 6f |...@.=..D....Tuo|00000010 1c 51 87 64 cd 3d a4 6f ce 72 a8 36 eb 61 f6 81 |.Q.d.=.o.r.6.a..|00000020 5a 3f b5 c4 73 08 7e 87 a9 ff 8d a6 a7 27 60 22 |Z?..s.~......'`"|00000030 fe 2f 64 64 ed 9c 97 fe 72 38 e4 d3 11 a9 b1 8b |./dd....r8......|00000040 35 32 29 d6 38 1e 7d 47 cc 09 0e 61 23 67 5f 00 |52).8.}G...a#g_.|00000050 cc 11 f2 51 69 5d 51 64 1b 4f c1 47 62 bb c0 3b |...Qi]Qd.O.Gb..;|00000060 46 60 85 53 7c 41 78 76 39 5c 5a a3 fa 7e 40 17 |F`.S|Axv9\Z..~@.|00000070 34 6f 6c 2a 27 04 25 cc 7c ad 87 c4 6a eb f6 bf |4ol*'.%.|...j...|00000080

SCE_LwUtoken_Key (External-Extra2)

Code:

00000000 2c e9 d0 41 3b f5 29 aa ad aa 0f 3b d6 18 44 7e |,..A;.)....;..D~|00000010 35 95 f6 9f af f0 03 92 1a cd 6e 59 22 54 c5 d9 |5.........nY"T..|00000020 6b 9d c2 14 d6 3f ee bf ef 07 58 af 96 1a ab 5d |k....?....X....]|00000030 77 09 27 96 2d fe a8 20 03 b4 e3 41 94 75 b2 49 |w.'.-.. ...A.u.I|00000040 54 4f 08 e7 5d f4 dc 87 3a 34 5d 8e a8 10 67 22 |TO..]...:4]...g"|00000050 e4 78 c4 70 d6 1b 9f 8c 5a b9 a9 d7 c9 17 83 30 |.x.p....Z......0|00000060 35 0e 11 ba a2 27 46 82 f9 f1 88 31 ea af ec 75 |5....'F....1...u|00000070 dc 5b 86 d7 70 90 c9 dc 76 c2 35 5c cd 9c 33 d4 |.[..p...v.5\..3.|00000080

Download: TrophyUnlocker.zip (includes TrophyUnlocker.exe)

To quote: Trophy Unlocker Beta

Its simple.

  • Run TrophyUnlocker.exe
  • Add the Param.sfo of the current game you want to run.
  • Add the Nptitle and NpBlind files add the trophy.trp file
  • All can be dumped with the app dump payload.
  • Click build.
  • Now install the created pkg on the PS4 (If the game is installed it will overwrite it so be careful)
  • Run it.
  • Click the arrows up and down to select the trophy you want unlocked
  • [ ] to view the trophy list.
  • X to unlock.
  • And Triangle for a screenshot

Have fun
XDPx

P.s. this is a beta and a better looking ui with more stability will be coming soon as well as the source code to the github. edit here is a hotfix thanks GraFfiX_221211 for testing.

PS4 Sealedkey / pfsSKKey for SaveGame & Trophy Data Decryption (4)

PS4 Sealedkey / pfsSKKey for SaveGame & Trophy Data Decryption (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Maia Crooks Jr

Last Updated:

Views: 5827

Rating: 4.2 / 5 (43 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Maia Crooks Jr

Birthday: 1997-09-21

Address: 93119 Joseph Street, Peggyfurt, NC 11582

Phone: +2983088926881

Job: Principal Design Liaison

Hobby: Web surfing, Skiing, role-playing games, Sketching, Polo, Sewing, Genealogy

Introduction: My name is Maia Crooks Jr, I am a homely, joyous, shiny, successful, hilarious, thoughtful, joyous person who loves writing and wants to share my knowledge and understanding with you.