Sealedkey / pfsSKKey: Difference between revisions
Jump to navigation
Jump to search
Cfwprophet (talk | contribs) |
CelesteBlue (talk | contribs) (→Keyset) |
||
(16 intermediate revisions by 8 users not shown) | |||
Line 1: | Line 1: | ||
The Sealed Key is a an encrypted key used on PS Vita, PS4 and PS5 to prevent files modification and extraction. It can be found on different places in the filesystem and is used for Save Data and Trophy Data decryption and encryption. | |||
==== | |||
See also [https://wiki.henkaku.xyz/vita/Sealedkey PS Vita Sealedkey]. | |||
= PS4 = | |||
== Location == | |||
The sealedkey file is located in the folder of every savedata/trophies. It is not PFS encrypted. | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Kind !! Path | ! Kind !! Path | ||
|- | |- | ||
| | | Trophy || /user/home/[[User ID|User Id]]/trophy/data/[[sce_trop]]/sealedkey | ||
|- | |- | ||
| | | Save Data (internal HDD) || /user/home/[[User ID|User Id]]/[[NP Title ID|Title ID]]/[[save data directory]]/[[sce_sys]]/ | ||
|- | |||
| Save Data (USB Storage) || /PS4/SAVEDATA/[[User ID|User Id]]/[[NP Title ID|Title ID]]/<sealed_filename>.bin | |||
|} | |} | ||
= Structure = | |||
* Size is always 96 bytes. | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! | ! Offset !! Size !! Description !! Notes | ||
|- | |||
| 0 || 8 || Magic || "pfsSKKey" standing for PFS SealedKey Key | |||
|- | |- | ||
| | | 0x8 || 2 || [[#Keyset]] || | ||
|- | |- | ||
| | | 0xA || 6 || Padding || Zeroed | ||
|- | |- | ||
| | | 0x10 || 16 || IV || AES-128-CBC IV for use with the pfsSKKey__EncKey Key | ||
|- | |- | ||
| | | 0x20 || 32 || Encrypted Sealed Key || | ||
|- | |- | ||
| | | 0x40 || 32 || Digest || HMAC-SHA256 digest for use with the pfsSKKey__Secret Key | ||
|} | |} | ||
<source lang="c"> | <source lang="c"> | ||
typedef struct { | |||
const char magic[8]; | |||
unsigned short keyset; | |||
unsigned char reserved[6]; | |||
unsigned char iv[16]; | |||
unsigned char encrypted_sealedkey[32]; | |||
unsigned char digest[32]; | |||
} sealed_key; | |||
</source> | </source> | ||
''' | == Keyset == | ||
{| class="wikitable" | |||
|- | |||
! Keyset !! System Software version !! Notes | |||
|- | |||
| 1 || 1.01-1.73 || | |||
|- | |||
| 2 || 4.55 || | |||
|- | |||
| 3 || ?4.70? || | |||
|- | |||
| 4 || 5.05 || | |||
|- | |||
| 5 || ? || | |||
|- | |||
| 6 || ? || | |||
|- | |||
| 7 || ? || | |||
|- | |||
| 8 || ? || | |||
|- | |||
| 9 || ? || | |||
|- | |||
| 10 || ?8.00?-12.00 || | |||
|} | |||
For example, in PS4 4.55 kernel, the function '''sceSblSsDecryptSealedKey''' checks that the keyset is less or equal 2 before calling '''sceSblSsDecryptWithPortability'''. | |||
== Usage == | |||
With code execution in PS4 kernel, the sealed key can be decrypted by asking the PS4 kernel: | |||
* with '''sceSblSsDecryptSealedKey''' (see Talk page), | |||
* or with '''sceSblSsDecryptWithPortability''' (reimplement '''sceSblSsDecryptSealedKey''' by reversing Kernel), | |||
* or with portability master keys (see [[Vulnerabilities#%3C=_?7.55?_-_Missing_HMAC_key_length_check_in_Secure_Kernel_leading_to_Partial_SAMU_KeyRings_bruteforce]]). | |||
{{File Formats}} | |||
<noinclude>[[Category:Main]]</noinclude> | |||
</ |
Latest revision as of 05:04, 14 December 2024
The Sealed Key is a an encrypted key used on PS Vita, PS4 and PS5 to prevent files modification and extraction. It can be found on different places in the filesystem and is used for Save Data and Trophy Data decryption and encryption.
See also PS Vita Sealedkey.
PS4[edit | edit source]
Location[edit | edit source]
The sealedkey file is located in the folder of every savedata/trophies. It is not PFS encrypted.
Kind | Path |
---|---|
Trophy | /user/home/User Id/trophy/data/sce_trop/sealedkey |
Save Data (internal HDD) | /user/home/User Id/Title ID/save data directory/sce_sys/ |
Save Data (USB Storage) | /PS4/SAVEDATA/User Id/Title ID/<sealed_filename>.bin |
Structure[edit | edit source]
- Size is always 96 bytes.
Offset | Size | Description | Notes |
---|---|---|---|
0 | 8 | Magic | "pfsSKKey" standing for PFS SealedKey Key |
0x8 | 2 | #Keyset | |
0xA | 6 | Padding | Zeroed |
0x10 | 16 | IV | AES-128-CBC IV for use with the pfsSKKey__EncKey Key |
0x20 | 32 | Encrypted Sealed Key | |
0x40 | 32 | Digest | HMAC-SHA256 digest for use with the pfsSKKey__Secret Key |
typedef struct {
const char magic[8];
unsigned short keyset;
unsigned char reserved[6];
unsigned char iv[16];
unsigned char encrypted_sealedkey[32];
unsigned char digest[32];
} sealed_key;
Keyset[edit | edit source]
Keyset | System Software version | Notes |
---|---|---|
1 | 1.01-1.73 | |
2 | 4.55 | |
3 | ?4.70? | |
4 | 5.05 | |
5 | ? | |
6 | ? | |
7 | ? | |
8 | ? | |
9 | ? | |
10 | ?8.00?-12.00 |
For example, in PS4 4.55 kernel, the function sceSblSsDecryptSealedKey checks that the keyset is less or equal 2 before calling sceSblSsDecryptWithPortability.
Usage[edit | edit source]
With code execution in PS4 kernel, the sealed key can be decrypted by asking the PS4 kernel:
- with sceSblSsDecryptSealedKey (see Talk page),
- or with sceSblSsDecryptWithPortability (reimplement sceSblSsDecryptSealedKey by reversing Kernel),
- or with portability master keys (see Vulnerabilities#<=_?7.55?_-_Missing_HMAC_key_length_check_in_Secure_Kernel_leading_to_Partial_SAMU_KeyRings_bruteforce).