NPDRM: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
mNo edit summary
No edit summary
Line 1: Line 1:
{{Wikify}}
{{Wikify}}


'''The info on this page is an extract (and simplify) of talk page, conversations and forum posts, please digest the info and move it this page'''
'''The info on this page is an extract (and simplify) of talk page, conversations and forum posts, please digest the info and move it to this page'''




Line 32: Line 32:
*http://wololo.net/talk/viewtopic.php?f=67&t=40656 Tutorial: How to find dev klicensee by '''Mysis'''
*http://wololo.net/talk/viewtopic.php?f=67&t=40656 Tutorial: How to find dev klicensee by '''Mysis'''


==act.dat header(encrypted) structure==
== rif file(encrypted) structure ==
 
{| class="wikitable sortable"
|-
| style="background-color:#123EDA; color:#FFFFFF;" |'''Name'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Offset'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Size'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Example'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Remark'''
|-
| Activation Type || 0x0 || 0x4 || 00000001 ||
|-
| Version || 0x4 || 0x4 || 00000001 || 1 or 2(current)
|-
| Account ID || 0x8 || 0x8 || B4 1F 2C 0B DC 1B 43 31 || personal PSN account ID
|-
| Primary Key Table || 0x10 || 0x800 || N.A || Used for decrypting rifkeys
|-
| Unknown1 || 0x810 || 0x40 || N.A||
|-
| Unknown2 || 0x850 || 0x10 || N.A|| Digest?
|-
| Unknown3 || 0x860 || 0x10 || N.A|| Encrypted_data for v.1 / Padding for v.2
|-
| Unknown4 || 0x870 || 0x10 || N.A|| Encrypted_data for v.1 / Time_Stamp for v.2
|-
| Secondary Table || 0x880 || 0x650 || N.A ||
|-
| Unknown5 || 0xED0 || 0x40 || N.A|| algo is same as for Unknown1?
|-
| RSA Signature? || 0xF10 || 0x100 || N.A|| params are unknown
|-
| ECDSA Signature || 0x1010 || 0x28 || N.A|| pub=vsh_pub, ctype=0x02(vsh_curves)
|-
|}
 
==rif file(encrypted) structure==


The rif holds the klicensee for both SELF and paid [[EDAT_files|EDAT]].
The rif holds the klicensee for both SELF and paid [[EDAT_files|EDAT]].
Line 107: Line 71:
|-  
|-  
|}
|}
= Tools =


*[http://pastie.org/private/yltlfwubsz8w5pyhmojyfg '''Rap2Rif''' source code by '''Flatz''' ]
*[http://pastie.org/private/yltlfwubsz8w5pyhmojyfg '''Rap2Rif''' source code by '''Flatz''' ]

Revision as of 18:53, 25 December 2019

The info on this page is an extract (and simplify) of talk page, conversations and forum posts, please digest the info and move it to this page


Once the user is trying to start a SELF, the vsh looks for the appinfo header type; if the type is 8, then the control digest element type 3 (NPD element) is located. From this NPD header the vsh gets the License Types (network license, local or free).

  • Type 1 (Network License): if a remote paid content is to be loaded, the vsh loads the act.dat and the rif associated to the content (will download to vsh process memory).
  • Type 2 (Local): For this paid content too, the vsh locate a file with the same title id on NPD element (CONTENT_ID), then the signature is checked (last 0x28 bytes of both RIF and act.dat).
  • Type 3 (Free): if a free content (no license check: no need for rif/act.dat) is detected then a generic klicense will be use for further steps (go to LV2).

Using the RIF_KEY with the act.dat index decryption key, it will obtain the actdatIndex, and finally having the actDat key index, the execution pass to LV2 Syscalls 471.

This function has different parameters depending if the content is debug, paid (type 1 & 2) or free (type 3):

PAID: syscall471(npd.type, &npd.titleID, NULL, &actdat.keyTable[rif.actDatIndex], &rif.key, npd.license, &npd);
FREE: syscall471(npd.type, &npd.titleID, freeklicensee, NULL, NULL, npd.license, &npd);
*PAID can also include free games/apps too but require this licensing check

The lv2 keeps a memory table with contentID and the associated key:

  • Paid content: the rif.key is converted to the klicensee (by using a constant value on lv2, IDPS and the act.dat) and once transformed it is stored on memory table.
  • free content: copies the titleID and the generic klicensee to the table.


From there, the lv1 hypervisor by loading Appldr, will transform (again) this key by using the klic_dec_key and finally remove the NPDRM layer for start the SELF decryption.

See also:

rif file(encrypted) structure

The rif holds the klicensee for both SELF and paid EDAT.

Name Offset Size Example Remark
Version Number 0x0 0x4 00 00 00 01
License Type 0x4 0x4 00 00 00 02
Account ID 0x8 0x8 B4 1F 2C 0B DC 1B 43 31 Used on Rap2Rif header
CONTENT ID 0x10 0x30 UP900-UCUS98721_00-PATAPONPSNDEMO08 Content ID
Encrypted Key Index 0x40 0x10 N.A Used for choosing act.dat key
Encrypted Rifkey 0x50 0x10 N.A Used for decrypt NPDRM self/sprx and edat files
License start time 0x60 0x8 00 00 01 1F C5 16 7B D8 For human readable, convert to decimal and use one Epoch-Unix converter time format online. Should be 0x08 lenght
License expiration time 0x68 0x8 00 00 00 00 00 00 00 00 If zeroed,-, there is no time limit. Used on PS+ for example. should be 0x08
ECDSA Signature 0x70 0x28 11 Patched in some CFW to allow unsigned. See Rif_Junk on Rap2Rif by Flatz , params are same as for act.dat
Unknown1 0xA0 0x10 N.A Digest?
Unknown2 0xB0 0x10 N.A Another Digest?
Unknown3 0xC0 0x40 N.A Zero bytes / Padding
RSA Signature? 0x100 0x100 N.A Params are unknown

Tools