psvimgtools: Yifan Lu releases tools to decrypt PS Vita backups (including 3.63)
Yesterday, Yifan Lu released a series of tools to decrypt PS Vita backups (the ones you generate by using CMA, the Content Manager Assistant). The release comes a few days after the tool’s existence was “leaked” by people who had found the repository before the developer was ready to release something in a stable state.
Team Molecule have recently found some weaknesses in how some encryption is processed on the PS Vita, which allowed Yifan Lu to work on a tool that helps brute-force the key used to encrypt the backups. That key is unique to your PSN account, not to your console.
The tool that lets you recover your key can be downloaded from Yifan Lu’s GitHub, but Molecule are now conveniently providing a website that does the work for you: pass your AID* to cma.henkaku.xyz and it will compute the key.
* Your AID is the xxxxxxxxxxxxxxxx in PS Vita/PGAME/xxxxxxxxxxxxxxxx/ in your CMA folder
Once you have your key, you can have fun with the other tools of the suite, which let you decrypt your PS Vita backups, then pack them back to install on your PS Vita.
Wait, what does this psvimgtools let me do exactly?
This lets you decrypt backup files, then pack them back to install on your Vita. It does not magically sign content within these files. According to Yifan, this opens the door to some minor hacking for 3.61 and 3.63 users: registry tricks such as the PS TV whitelist, or swapping O/X buttons is now doable for 3.61 and 3.63 owners. According to the hacker, this also lets you install PSP homebrew (usermode, this would include VHBL) through the Custom Bubble technique (basically the same as here except the whole email part to get files from the database can be done with the backup tools – anyone willing to write a cool tutorial or tools here?).
People are already releasing applications that will help end users on 3.63 and 3.61; stay tuned for details.
Maybe more importantly, for hackers, this brings a new way to try and exploit the PS Vita, through files that were not easy to edit until now. Savedata comes to mind.
Yifan Lu states it would be hard for Sony to patch this vulnerability in future firmwares, unless they decide to make backups forward-incompatible in the next firmware update, which would be a pretty bold and unlikely move.
Last but not least, there’s a great writeup on Yifan Lu’s blog on how Team Molecule found the weakness (based on a suggestion from plutoo) that allows them to brute-force the encryption key in minutes, compared to the “billions of billions of years” that would normally be expected.
- Get your AID (your AID is the xxxxxxxxxxxxxxxx in PS Vita/PGAME/xxxxxxxxxxxxxxxx/ in your CMA folder).
- Retrieve your encryption key.
- Download the tools to decrypt/repack on Yifan Lu’s GitHub here.
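As an added illustration (not part of psvimgtools or the original post), here is a small Python helper that picks the AID out of a CMA folder by listing `PS Vita/PGAME/`, the location given above. It assumes an AID is exactly 16 hexadecimal characters, matching the sixteen placeholder characters in the path; the CMA-like folder it builds is constructed sample data for the demo, not a real backup.

```python
import os
import re
import tempfile

# Assumption: an AID is 16 hexadecimal characters, matching the sixteen
# placeholder x's in the article's "PS Vita/PGAME/xxxxxxxxxxxxxxxx/" path.
AID_RE = re.compile(r"^[0-9a-fA-F]{16}$")


def find_aids(cma_root):
    """Return the sorted list of AID-looking directory names found under
    <cma_root>/PS Vita/PGAME/. Returns [] if the PGAME folder is absent,
    and skips entries (files, thumbnail folders, ...) that are not an AID."""
    pgame = os.path.join(cma_root, "PS Vita", "PGAME")
    if not os.path.isdir(pgame):
        return []
    return sorted(
        name
        for name in os.listdir(pgame)
        if AID_RE.match(name) and os.path.isdir(os.path.join(pgame, name))
    )


def build_sample_cma_folder():
    """Construct a throwaway folder with the CMA layout (sample data only)."""
    root = tempfile.mkdtemp(prefix="cma-sample-")
    pgame = os.path.join(root, "PS Vita", "PGAME")
    os.makedirs(os.path.join(pgame, "0123456789abcdef"))  # constructed AID
    os.makedirs(os.path.join(pgame, "Thumbs"))            # not an AID
    os.makedirs(os.path.join(root, "PS Vita", "APP"))     # unrelated folder
    return root


if __name__ == "__main__":
    sample = build_sample_cma_folder()
    print("AIDs found:", find_aids(sample))  # ['0123456789abcdef']
```

Point `find_aids()` at the folder you configured as the CMA backup location; if it returns more than one entry, several PSN accounts have backed up to that PC and each AID maps to its own key.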
Source: Yifan Lu