Editing Sealedkey / pfsSKKey

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
The Sealed Key is a an encrypted key used on PS Vita, PS4 and PS5 to prevent files modification and extraction. It can be found on different places in the filesystem and is used for Save Data and Trophy Data decryption and encryption.
This key can be found on different places and will be used for eg. SaveGame or Trophy Data decryption and encryption.
 
==== Paths ====
See also [https://wiki.henkaku.xyz/vita/Sealedkey PS Vita Sealedkey].
 
= PS4 =
 
== Location ==
 
The sealedkey file is located in the folder of every savedata/trophies. It is not PFS encrypted.
 
{| class="wikitable"
{| class="wikitable"
|-
|-
! Kind !! Path
! Kind !! Path
|-
|-
| Trophy || /user/home/[[User ID|User Id]]/trophy/data/[[sce_trop]]/sealedkey
| Trophys || /user/home/[[user Id|user Id]]/trophy/data/[[sce_trop]]/sealedkey
|-
| Save Data (internal HDD) || /user/home/[[User ID|User Id]]/[[NP Title ID|Title ID]]/[[save data directory]]/[[sce_sys]]/
|-
|-
| Save Data (USB Storage) || /PS4/SAVEDATA/[[User ID|User Id]]/[[NP Title ID|Title ID]]/<sealed_filename>.bin
| SaveGames || /user/home/[[user Id]]/[[title Id]]/[[save data directory]]/[[sce_sys]]/
|}
|}


= Structure =
== Structure ==
 
- size always 96 bytes
* Size is always 96 bytes.


{| class="wikitable"
{| class="wikitable"
|-
|-
! Offset !! Size !! Description !! Notes
! From !! To !! Description
|-
|-
| 0 || 8 || Magic || "pfsSKKey" standing for PFS SealedKey Key
| 00 || 07 || MAGIC ("pfsSKKey") (?playstation file system sealed key key?)
|-
|-
| 0x8 || 2 || [[#Keyset]] ||
| 08 || 0F || Category (game=1 or version ?)
|-
|-
| 0xA || 6 || Padding || Zeroed
| 10 || 1F || IV (16 bytes)
|-
|-
| 0x10 || 16 || IV || AES-128-CBC IV for use with the pfsSKKey__EncKey Key
| 20 || 3F || Encrypted key (32 bytes)
|-
|-
| 0x20 || 32 || Encrypted Sealed Key ||
| 40 || 5F || SHA-256 (32 bytes)
|-
| 0x40 || 32 || Digest || HMAC-SHA256 digest for use with the pfsSKKey__Secret Key
|}
|}


== De/En -Crypting ==
Can be decrypted by frindly asking the OS to do it for you. You will need kernel rights to be able to ask the PS4 for it.
<source lang="c">
<source lang="c">
   typedef struct {
/* Decryption */
      const char magic[8];
#define USER1 10000000
      unsigned short keyset;
#define usb0  "/mnt/usb0/"
      unsigned char reserved[6];
#define usb1  "/mnt/usb1/"
      unsigned char iv[16];
#define pfs   "decrypted_pfsSKKey.key"
      unsigned char encrypted_sealedkey[32];
      unsigned char digest[32];
char usb_error = "[-] ERROR: Can't access usb0 nor usb1!\n[-] Will return now to caller.\n"
   } sealed_key;
char usb0path, usb1path;
unsigned char pfsSKKey[96];
// Get's the encrypted sealed key based on user id.
int get_pfsSKKey(int userID)
{
  FILE *pfskey = fopen("host0:/user/home/" + userID + "/trophy/data/sce_trop/sealedkey", "r");
  if (pfskey == NULL)
    return 0;
 
  fread(pfsSKKey, 96, 1, pfskey);
  fclose(pfskey);
  return 1;
}
// Dump the sealedkey. Send over tcp and save to file.
void dumpDecryptedSealedKey(int to)
{
  int y = get_pfsSKKey(user1);                                              // First load the key into a buffer.
  if (!y) {
    knet_printf("[-] Can not load the sealed key!\n");
    kernel.printf("[-] Can not load the sealed key!\n");
    return -1;
  }
  unsigned char decyrpted_pfsSKKey[16];
  int i = kernel.sceSblSsDecryptSealedKey(pfsSKKey, decrpyted_pfsSKKey);    // Now decrpyt the key.
  knet_printf("[+] sceSblSsDecryptSealedKey returned %d\n", i);
  kernel.printf("[+] sceSblSsDecryptSealedKey returned %d\n", i);
    
  if (i) {                                                                  // Sending over tcp.
    knet_printf("[+] Your save game key = ");
    kernel.printf("[+] Your save game key = "); 
    for(int x =0; x < 0x10; x++) {
    knet_printf("%02X", dec_pfsSKKey[x]);
    kernel.printf("%02X", dec_pfsSKKey[x]);
    }
    knet_printf("\n");
    kernel.printf("\n");
 
    if (to == 1) {                                                          // Saving to file.
      knet_printf("[+] Will try to save to file...");
      kernel.printf("[+] Will try to save to file...");
   
      usb0path = usb0 + pfs;
      usb1path = usb1 + pfs;
      FILE *dump = fopen(usb0path, "w");
 
      if (dump == NULL) {
        dump = fopen(usb1path, "w");
          if (dump == NULL) {
            knet_printf("fail!\n" + usb_error);
            kernel.printf("fail!\n" + usb_error);
            return -1;
          }
      }
      fwrite(dec_pfsSKKey, 0x10, 1, dump);
      knet_printf("done!\n");
      kernel.printf("done!\n");
      fclose(dump);
    }
  }
  else {
    knet_printf("[+] Error!\n");
    kernel.printf("[+] Error!\n");
  }
}
</source>
</source>
== Keyset ==
{| class="wikitable"
|-
! Keyset !! System Software version !! Notes
|-
| 1 || 1.01-1.73 ||
|-
| 2 || 4.55 ||
|-
| 3 || ?4.70? ||
|-
| 4 || 5.05 ||
|-
| 5 || ? ||
|-
| 6 || ? ||
|-
| 7 || ? ||
|-
| 8 || ? ||
|-
| 9 || ? ||
|-
| 10 || ?8.00?-12.00 ||
|}
For example, in PS4 4.55 kernel, the function '''sceSblSsDecryptSealedKey''' checks that the keyset is less or equal 2 before calling '''sceSblSsDecryptWithPortability'''.
== Usage ==
With code execution in PS4 kernel, the sealed key can be decrypted by asking the PS4 kernel:
* with '''sceSblSsDecryptSealedKey''' (see Talk page),
* or with '''sceSblSsDecryptWithPortability''' (reimplement '''sceSblSsDecryptSealedKey''' by reversing Kernel),
* or with portability master keys (see [[Vulnerabilities#%3C=_?7.55?_-_Missing_HMAC_key_length_check_in_Secure_Kernel_leading_to_Partial_SAMU_KeyRings_bruteforce]]).
{{File Formats}}
<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps4/Sealedkey_/_pfsSKKey"