Advertising (This ad goes away for registered users. You can Login or Register)

[Question] Decrypt savedata?

Open discussions on programming specifically for the PS Vita.
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm
Contact:

Re: [Question] Decrypt savedata?

Post by wth » Thu Apr 12, 2012 9:51 pm

codestation wrote:The CryptoEngine from the jpcsp emulator can decrypt savedata (and other things) on PC, is easy as:

Code: Select all

byte out[] = new CryptoEngine().DecryptSavedata(savedata_byte_array, savedata_byte_array.length, gamekey, 0);
With just the classes at "src/jpcsp/crypto/", the Bouncy Castle Crypto API jar file and a quick wrapper class one can make a decrypter in 10 mins.

Sadly you still need a psp to hook the savedata function and retrieve the gamekey (that or know some mips and reverse a little around sceUtilitySavedataInitStart to get the gamekey from the eboot).
Even though I never tried Java, I just gave it a try, but even with Bouncy Castle / Jpcsp correct sources, Jpcsp is still relying on other things like os.apache.xx and some other libs unrecognised by Eclipse xD
Anyway it bored me and I'm no java fan, so unless someone more into java does it I won't touch java anymore for now lol, SED works great too anyway :mrgreen:
Advertising

User avatar
codestation
Big Beholder
Posts: 1660
Joined: Wed Jan 19, 2011 3:45 pm
Location: /dev/negi

Re: [Question] Decrypt savedata?

Post by codestation » Fri Apr 13, 2012 4:11 am

Yeah., they updated the CryptoEngine and now is interlinked with everything :? .
You will prefer a c version instead? http://pastebin.com/RFDXKCAf , i tested it and works the same as the Java version, just link it to libkirk and you are good to go.
Advertising
Plugin list
Working on: QPSNProxy, QCMA - Open source content manager for the PS Vita
Playing: Error: ENOTIME
Repositories: github, google code
Just feel the code..

wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm
Contact:

Re: [Question] Decrypt savedata?

Post by wth » Fri Apr 13, 2012 2:51 pm

codestation wrote:Yeah., they updated the CryptoEngine and now is interlinked with everything :? .
You will prefer a c version instead? http://pastebin.com/RFDXKCAf , i tested it and works the same as the Java version, just link it to libkirk and you are good to go.
thx yeah it's pretty awesome to see a c version too :mrgreen:
Decrypting with it works great for me too :)
However reencrypting produces a different encrypted file than the original, which after redecrypting still results in the same decrypted file xD
But this differently reencrypted file however doesn't load anymore on psp ^^'
Also according to him, as of r2038 of jpcsp, it seems PARAM.SFO's hash isn't proper (http://www.emunewz.net/forum/showthread ... #pid_39119)

So yeah, for now this C version seems to have a small issue reencrypting the file, but still makes a pretty good decrypter :D
Here's a binary if someone else wants to have try http://www.mediafire.com/?n3h7c8tr8v88wv6

Edit : Also, Jcpsp could also be designed so as to save the game keys somewhere too, just like Savegame Deemer does
Edit2 : Fixed the pc C version's output size to not be 16 bytes aligned, as some savefiles aren't 16 bytes aligned, link updated
Sometimes for some savefiles, the output size can be different than (the encrypted savefile's size - 16 bytes), just a small issue, can be fixed manually I guess

doragasu
Posts: 7
Joined: Sun Mar 17, 2013 4:58 pm

Re: [Question] Decrypt savedata?

Post by doragasu » Sun Mar 17, 2013 5:11 pm

I'm trying to transfer a Tekken 5 save from my old PSP to my new one. I successfully used SavegameDeemer plugin to decrypt a Silent Hill Origins savegame, and reencrypt it. But I tried decrypting the Tekken 5 save using SavegameDeemer without luck. When I save the game with the plugin enabled, the folder /PSP/SAVEPLAIN/UCES00356GAMEDATA is created, but it only contains the file <gameid>.bin (i.e. UCES00356.bin). The files SDINFO.BIN and SDDATA.BIN are not created.

Can I decrypt the save using kirk.exe and the data from the UCES00356.bin file? How can I do it? I have browsed the file with an hex editor, and there is not a single non-zero 16-byte key at the end. In fact, this is how the end of the file looks like (I have replaced non-zero bytes with XX):

Code: Select all

00000580  XX XX 00 00 XX XX XX XX  XX XX 00 00 XX XX 00 00
00000590  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000005a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000005b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000005c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000005d0  XX XX XX XX XX XX XX XX  XX XX XX XX XX XX XX 00
000005e0  XX 00 XX XX XX XX XX XX  XX XX XX XX 00 00 00 00
000005f0  XX 00 00 00 XX XX XX XX  XX XX XX XX XX XX XX XX
What offset do I use to grab the key? And when I have it, do I have to create a text file with it to supply it to kirk.exe? Or should it be a binary file? Do I have to use the game key or the console key? I'm a bit confused...

Edit: watching the sources, I have deduced, key file must be 16 byte binary file. I have created 3 key files using data from offsets 0x5D0, 0x5E0 and 0x5F0, but unfortunately using kirk with none of them produces valid data :(.

Definitely, I need help with this.

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: [Question] Decrypt savedata?

Post by wololo » Mon Mar 18, 2013 12:59 am

try the same thing with SED and see if it helps. Your 16 bytes key needs to be provided to SED in binary format, and be named UCES00356.bin

As far as I remember, some Tekken games had an additional key specific to the device which prevented sharing the savedata between different devices, which could be why it won't work with kirk.exe unless you provide these keys. You will need to make sure you reencrypt your save on the *new* device.

I am not sure the 16bytes at the end of your .bin file are actually the key you need though... have you searched in your savedata folder to see if sgdeemer has created the files in another subfolder? it does that sometimes.

Freecheat ( http://www.wololo.net/downloads/index.php/download/7894 ) is another plugin that might give you the key, which you can then use in SED.
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

katsu
Posts: 178
Joined: Mon Nov 26, 2012 1:57 pm

Re: [Question] Decrypt savedata?

Post by katsu » Mon Mar 18, 2013 2:25 am

5DC-5EB
16 byte gamesave key


Image
Psvita wifi 2.05TN-V/3.52OFW DUALNAND FW
psvita wifi 3.52OFW
PSTV US 3.52 HFW
PSTV JP 3.51 HFW

User avatar
pspfanMOHH
Posts: 660
Joined: Sat Jun 11, 2011 9:16 pm
Location: Grand Line, New World

Re: [Question] Decrypt savedata?

Post by pspfanMOHH » Mon Mar 18, 2013 2:34 am

In the pspSDK/bin there is an application named SED, I am not sure if thats what wololo meant, I never touched it because I use SED in the psp.

doragasu
Posts: 7
Joined: Sun Mar 17, 2013 4:58 pm

Re: [Question] Decrypt savedata?

Post by doragasu » Mon Mar 18, 2013 10:09 am

Thanks a lot for help!

Using SED and the key extracted from the file created by SavegameDeemer at offset 5DC-5EB, I was able to decrypt the save file. In case somebody wants it, key for Tekken 5 EUR (UCES00356) is "01 af 6f 00 02 00 70 d5 2e 24 12 c7 e1 ff 83 ba". I know the savegame is properly decrypted because the first 5 bytes of the decrypted file are the ASCII text "PACK8".

Then I encrypted the file using SED in my new PSP, started the game and... it didn't work. The game tries to load data and says it's damaged. I suspected maybe the game could use a different key for each console, but verified it and the key is the same for my 2 PSPs. I suppose the game makes an additional check to test if the savedata is from other console :(.

Also it looks like decrypted data is compressed. It has a header starting with "PACK8", but there is not more readable text in the file.

EvilDooinz
Posts: 37
Joined: Mon Oct 08, 2012 3:39 pm

Re: [Question] Decrypt savedata?

Post by EvilDooinz » Tue Mar 19, 2013 2:20 pm

wololo wrote:It would be fairly easy to create a database of keys. There is only a few hundred games on the psp. So i dont see this as an issue :)
Thanks, it sounds like its doable to create a command line tool to encrypt savedata.
Actually aren't there are about 2000 psp game from different regions and wouldn't said keys be protected by law?

EvilDooinz
Posts: 37
Joined: Mon Oct 08, 2012 3:39 pm

Re: [Question] Decrypt savedata?

Post by EvilDooinz » Thu Mar 21, 2013 4:59 pm

codestation wrote:Yeah., they updated the CryptoEngine and now is interlinked with everything :? .
You will prefer a c version instead? http://pastebin.com/RFDXKCAf , i tested it and works the same as the Java version, just link it to libkirk and you are good to go.
I'm having a hard time compile this little code. I copy the code to a file called savedata.c then run "gcc -Wall savedata.c libkirk.a -o savedata.exe". it creates the savedata.exe but when I run it, it crashes Segmentation fault (core dumped). I've downloaded the binary wth compiled and it crashes also.

Post Reply

Return to “Programming and Security”