PSVita Digital Game/Cartridge Game/DLC/Savedata decryption
a guest Aug 2nd, 2016 15,581 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
- I'll be refering to mr.gas' old trick for bypassing pfs protection on old fw. Old instructions :
- "most of the work are going to be in app.db
- 1- add a value in table tbl_uri like the following
- 2- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
- 3- overwrite the modified app.db using email app and reboot
- 4- now use the browser to call the new uri with your target game . example :
- apparently near app will open the game manual.
- 5- minimize near then dump the game using the psp pboot trick and QCMA (while the near app still open)
- 6- end of th story .. and have fun
- tested in fw 3.18 and above
- Make these modifications in app.db before following this guide.
- If you want to decrypt cartridges as well, you can also add "NPXS10000;1;gro0;" at step 1.
- * PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60*
- It has been reported many times that mr.gas' trick to dump unencrypted files from ux0:app was patched in 3.60, but it's not actually exact.
- What has been patched is the PBOOT.PBP dumper trick. MolecularShell can't access other applications files, that is why applying mr.gas' trick doesn't seem to work on 3.60.
- So, how to do it again ? Well, we'll be taking advantage of how the vita handles game updates.
- Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].
- Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.
- Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).
- Now, using mr.gas' old trick, open the URI "ux0:app/[TITLEID]" (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.
- Run the game you want to decrypt, MolecularShell will boot instead.
- You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).
- You can also access the following locations, where you can find unencrypted files :
- - app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
- - addcont0: (DLC Content)
- - savedata0: (That's where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
- * HOW CAN I MOD MY GAME ???! I WANT 18+ PATCHES *
- Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.
- So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].
- Put the modded files, unencrypted, in ux0;patch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).
- Make sure you're not using mr.gas trick here, or the directory won't be writable. Also use the original MolecularShell, you must not be running the game at this point.
- Don't put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.
- * Wait, if we hijack the patch directory from our game, doesn't it mean the updates won't be installed anymore ? *
- Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.
- Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ASS, so I won't explain how to do it here. I managed to do it, if no one figures it out, I'll eventually explain it later.
RAW Paste Data