PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60 (by Major_Tom)
PS Vita Hacker Major_Tom just posted a full explanation of how he recently managed to do Savedata decryption and game modding on the PS Vita 3.60, via HENkaku.
The explanation is lengthy and detailed, and relies on MrGas’s trick to bypass pfs protection. The content below is taken directly from Major_Tom’s pastebin, with his permission:
I’ll be referring to mr.gas’ old trick for bypassing pfs protection on old fw. Old instructions:
Most of the work is going to be in app.db
- add a value in table tbl_uri like the following NPXS10000;1;ux0;
- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
- overwrite the modified app.db using email app and reboot
- now use the browser to call the new URI with your target game. Example: ux0:app/PCSA00017. Apparently the near app will open the game manual.
- minimize near, then dump the game using the PSP PBOOT trick and QCMA (while the near app is still open)
- end of the story... and have fun. Tested in fw 3.18 and above
Make these modifications in app.db before following this guide.
If you want to decrypt cartridges as well, you can also add “NPXS10000;1;gro0;” at step 1.
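The two app.db changes above (a new tbl_uri row and a redirected eboot.bin path for NPXS10000) are also the fingerprints a reader would look for when checking whether a console's app.db has been altered. The script below is an added example, not code from Major_Tom's pastebin or from mr.gas: it builds a constructed app.db in memory, applies the two edits exactly as the guide states them, and audits the result. The column names (tbl_uri: titleId, flag, scheme; tbl_appinfo: titleId, key, type, val), the stock eboot path and the 'psgm' row are assumptions made for the illustration, and the key 3022202214 for the eboot.bin path is taken from a reader comment further down the thread and treated as an assumption as well. It also covers the conflict one reader hit when both a ux0 and a gro0 row were present at once.

```python
"""Audit an app.db for the tbl_uri / tbl_appinfo edits described in the guide.

Added example (not Major_Tom's or mr.gas' code). The column names below and
the stock eboot path are ASSUMED; the database is constructed in memory, so
nothing here touches a console.
"""
import sqlite3

EBOOT_PATH_KEY = 3022202214      # assumed: tbl_appinfo key holding the eboot.bin path
BROWSER_TITLE = "NPXS10000"      # the system title whose URI handler the trick reuses
EXPECTED_EBOOT = "vs0:app/NPXS10000/eboot.bin"   # constructed "stock" value


def make_stock_db() -> sqlite3.Connection:
    """Build a minimal, constructed app.db with only the rows the audit needs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tbl_appinfo (titleId TEXT, key INTEGER, type INTEGER, val TEXT);
        CREATE TABLE tbl_uri     (titleId TEXT, flag INTEGER, scheme TEXT);
    """)
    con.execute("INSERT INTO tbl_appinfo VALUES (?, ?, 0, ?)",
                (BROWSER_TITLE, EBOOT_PATH_KEY, EXPECTED_EBOOT))
    # A benign (constructed) handler row, so the audit has something it must NOT flag.
    con.execute("INSERT INTO tbl_uri VALUES (?, 1, 'psgm')", (BROWSER_TITLE,))
    con.commit()
    return con


def apply_guide_edits(con: sqlite3.Connection, schemes=("ux0",)) -> None:
    """Reproduce the guide's two app.db changes: 'NPXS10000;1;<scheme>;' rows in
    tbl_uri and the NPXS10000 eboot.bin path repointed at NPXS10027."""
    for scheme in schemes:
        con.execute("INSERT INTO tbl_uri VALUES (?, 1, ?)", (BROWSER_TITLE, scheme))
    con.execute("UPDATE tbl_appinfo SET val = ? WHERE titleId = ? AND key = ?",
                ("vs0:app/NPXS10027/eboot.bin", BROWSER_TITLE, EBOOT_PATH_KEY))
    con.commit()


def audit_app_db(con: sqlite3.Connection) -> list:
    """Return a list of human-readable findings; an untouched db yields []."""
    findings = []
    # 1. eboot.bin of NPXS10000 pointing at another title's binary
    row = con.execute("SELECT val FROM tbl_appinfo WHERE titleId = ? AND key = ?",
                      (BROWSER_TITLE, EBOOT_PATH_KEY)).fetchone()
    if row and row[0] != EXPECTED_EBOOT:
        findings.append(f"eboot redirected: {row[0]}")
    # 2. storage device schemes registered as URIs for NPXS10000 (flag = 1)
    schemes = [s for (s,) in con.execute(
        "SELECT scheme FROM tbl_uri WHERE titleId = ? AND flag = 1", (BROWSER_TITLE,))]
    storage = sorted(s for s in schemes if s in ("ux0", "gro0"))
    for s in storage:
        findings.append(f"storage scheme registered as URI: {s}")
    # 3. ux0 and gro0 at the same time: a reader reports near then fails to open
    if len(storage) > 1:
        findings.append("conflicting ux0 and gro0 rows present")
    return findings


if __name__ == "__main__":
    db = make_stock_db()
    apply_guide_edits(db, ("ux0", "gro0"))
    for line in audit_app_db(db):
        print(line)
```

Run against a real app.db by replacing `sqlite3.connect(":memory:")` with the path of a copy pulled off the console; the audit only reads, so it is safe to point at a backup.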
PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60
It has been reported many times that mr.gas’ trick to dump unencrypted files from ux0:app was patched in 3.60, but it’s not actually exact.
What has been patched is the PBOOT.PBP dumper trick. MolecularShell can’t access other applications files, that is why applying mr.gas’ trick doesn’t seem to work on 3.60.
So, how to do it again? Well, we’ll be taking advantage of how the Vita handles game updates.
Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].
Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.
Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).
Now, using mr.gas’ old trick, open the URI “ux0:app/[TITLEID]” (or gro0:app/[TITLEID] for cartridges) in the web browser, then minimize the newly opened near app.
Run the game you want to decrypt, MolecularShell will boot instead.
You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).
You can also access the following locations, where you can find unencrypted files:
- app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
- addcont0: (DLC Content)
- savedata0: (That’s where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
HOW CAN I MOD MY GAME ???! I WANT 18+ PATCHES
Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.
So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].
Put the modded files, unencrypted, in ux0:patch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).
Make sure you’re not using mr.gas trick here, or the directory won’t be writable. Also use the original MolecularShell, you must not be running the game at this point.
Don’t put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.
Wait, if we hijack the patch directory from our game, doesn’t it mean the updates won’t be installed anymore?
Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.
Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ***, so I won’t explain how to do it here. I managed to do it, if no one figures it out, I’ll eventually explain it later.
Source: Major_Tom on twitter
NICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICENICE THANKS Major Tom & Mr.Gas, much appreciated!!!!!!!!!!!!!!!!!!!!!!!!!!!
My life has been rejuvenated because of this!
Backups anyone?
So you no longer need to install the cartridge to memory card?
Sounds so much simpler.
“Can’t find application.”
Please help…
you modified the tbl_uri wrong
each ; represents a new cell so
find NPXS10000 entry
change the flag to 1 and the scheme to ux0, write changes, then copy the app.db back to the Vita
had the same error and after some troubleshooting got it to work
So what would happen if a whole dumped title were to be placed in the patch directory of another game? Hmmmm…
While reading this I thought of exactly the same idea. If this is possible, though, I will upgrade from 3.52, because I don’t wanna lose my PSP ISOs just yet if I can’t get Vita ISOs in return.
Tried that, didn’t work. Got an error about the game being corrupted. But you can try if you want, maybe you’ll do something in other way.
Wooot! Hopefully we can get some rpgs undubbed soon!
Seems like your prayer was heard
So I’m going to update my 3.51 vita to 3.60 soon.
I have a multiplayer game here that I want to share to my other vita — I think we should now be able to easily copy the cart files into the memory card and run it from there? I expect that the cart needs to be there for initial authentication but I’m wondering how to execute the copied game files — as a patch of another game or through a new bubble perhaps? This should let me have a quick multiplayer game with someone who doesnt have a vita (or that vita game).
Since the files have also been decrypted and we can make fan translations and custom patches, I think we can pass these patches now through lower firmware though failmail or through henkaku on lower versions. Think of the possibilities of more exploits through vita games!
With Cartridge based games, all the Game Data, excluding updates, is kept on the cart. It’s not like the PS4 where it just copies all the data to the system.
Tested one save mod and it works. going to try see what mods to the game i can do
Once you edited the save, what did you do?
My current method has been this:
>Decrypt save using Tom’s method
>Grab data with Molecular’s FTP
>Edit data
>Drop it back into the savedata folder
>PS Button, close out of the game via swipe
I’ve been trying to mod Atelier Totori Plus for the last half hour, and when I finally managed to get it to stop erroring out upon startup all of my saves were missing from the “load game” option despite existing on my memcard.
My theory is that the game does some sort of patch or version check and attaches that to one of the data files in the savedata directory in order to prevent users from using saves from one update, or something like that.
Also, thanks for replying to my other post. Really helpful.
Been having issues. I even followed the reply you put earlier. Now every time I boot my Vita up I get an error popping up: “moleculrShell” could not install, you cannot use the application that is on this PS Vita card. Icon for the same application is already installed.
Updated the app.db like you mentioned in another reply of yours.
Changed flag to 1 and set scheme to “gro0” since I’m trying to do this on a cartridge. Re-uploaded app.db, restarted, re-ran HENkaku.
I put the molecular shell files in
ux0:/patch/PCSE00408/
-sce_sys (folder)
-eboot.bin
-version.txt
Opened browser and typed in
gro0:/PCSE00408/
And getting Application not Found error. Any help is appreciated.
was there already a patch folder for PCSE00408?
i noticed that if the game had a patch folder already and i dragged molecular shell into it, the browser would not redirect to near.
so i backed up the folder deleted the contents and put in only the molecular shell files.
Haven’t tried cartridge mods yet going to do that now
okay i misread your post (though what i said earlier might resolve an issue when you start the game itself)
you are trying to load gro0:/PCSE00408/
but you missed the app so type gro0:app/PCSE00408
I mistyped the post. I was launching “gro0:/app/PCSE00408/” I ran into a new issue now but I’m probably just going to try a digital game.
The new issue: when I launch “gro0:/app/PCSE00408” Near launches, then gives me an error “Insert a PS Vita card that contains this application”. Vita card is definitely inserted. And just to be sure, I’m supposed to be using the ID off of the cartridge as the title ID, correct?
Got exactly the same problem while trying to dump Persona 4 files from retail cart.
Also cart icon that is in right upper corner got molecular shell icon instead of persona one.
@gameus
for my titleids i use bubble studio (https://anthe.studio/bubblestudio/) and check the id of the bubble from my app.db file . Since cartridge based games install a bubble i can get the id that way.
or go to http://psvitadb.com/ and search the game name the serial column (minus the -) is the titleid
@strusic sounds like you accidentally overwrote the wrong persona 4 folder on the memory card
Wololo says they don’t support piracy. Keeps posting about inevitable piracy. Prob for ad revenue
how is this piracy lmao
the dumped games can’t be used on any other console than yours (yet tho)
Wow, that was extremely simple. Never did any PSP/Vita homebrew but got it working and dumping my game cart in like 20 minutes.
OMG these developer/hacker I give them my respect to the job they have achieved
Been walking on journey of 1000 miles for vita piracy…….Piracy is just a mile away now!
Is this really meant to work for cartridges? Because as far as I know, cartridges aren’t re-writable, and it indeed did not work for me, as the cartridge’s files were still encrypted for me (I tried the guide with a digital game and it worked, FYI).
I believe you can copypaste everything into the patch folder, but i can’t even launch my gro0 game 🙁
I tried a couple Japanese games and it did not work.
I got all the way up to “your decrypted game files will be present.” That’s the rub, they’re not present.
I tried dumping cartridge Celceta USA and that worked. Is there something USA-specific about the hack?
I’m an idiot. I got .psarc files. I wasn’t expecting that, but those are actually the files. OK, thanks for the guide.
Some games will not work. Appears to be newer games. Symptoms: Near closes when you launch the game.
damn i get lost on the first part ” mr.gas’ old trick for bypassing pfs protection on old fw” i dont know if this part is needed or not
Would the PSVita games released by the warez group PSicO for the Cobra BlackFin be able to be launched with HENkaku? I thought they were downloadable, and encryption / DRM removed? Could we just launch these like we could any other homebrew app?
No, that thing doesn’t remove DRM, it just performs game cart license validation remotely (as opposed to the normal/local check of the cart inserted into a Vita’s slot). It also doesn’t work on 3.60, and HENkaku doesn’t work on any firmware other than 3.60.
Alright Wololo, you’ve gotta share your patch dumping method and reformat that tutorial so it’s not so confusing for novices. Took me a few tries to realize you have to completely delete the patch folder’s contents and then replace it with molecularShell, and not just copy it into the patch directory leaving the rest intact. If you’d like I can write a tutorial myself with enough info that a total novice can do it.
So I dumped Ys – Memories of Celceta [PCSE00245]’s gamecard through FileZilla using the decryption method above.
1) Is there any reason to dump the other folders (gc, license, and psp2), or is only the [PCSE00245] folder within app valuable?
2) Is there a way to play the decrypted dump from the memory card. I tried uploading the [PCSE00245] folder onto the memory card at ux0:/app/[PCSE00245], and once the game card is removed, I keep getting the error stating that the card is needed when I tap the bubble. I also tried starting from MolecularShell, and no dice.
FYI, I am not asking this for the sake of piracy (although I am not judging anyone who indulges in piracy), since I do own 28 Vita gamecards and countless PSN titles, and just want to be able to put a good 15 or so backups on my memory card instead of toting around this stupid game case along with the Vita everywhere. Thanks to anyone that reads this and responds.
How did you manage to do it? I get error C2-13700-1 each time near tries to open after I enter the path in the browser. I’m sure I changed the NPXS10000 eboot.bin path to NPXS10027 (I’ve changed the row with key 3022202214 using DB Browser, if it matters).
I’ve solved the problem. It seems you should not add ux0 and gro0 records to app.db at the same time.
I wasn’t able to find the saves for Borderlands 2 on the Vita using this method. Replacing everything in /patch/PCSE00383 would only show an empty directory when using this method.
But…
IF you use VITA SHELL (0.7) in place of molecular shell (follow the same method above and copy the vita shell files into BL2 patch instead) you can browse to savedata0: and the decrypted files will be there 🙂
Can I use this method to transfer savedata between two accounts?
There is certainly a great deal to learn about this topic. I really like all the points you’ve made.
If a game has no patch folder, what should I do? I tried creating one myself, but when I boot Persona 4 the game starts, not the molecular shell. I did everything: modified the app.db and opened the game manual in near and didn’t close it. Started the game, but molecular shell won’t boot.