PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60 (by Major_Tom)
PS Vita Hacker Major_Tom just posted a full explanation of how he recently managed to do Savedata decryption and game modding on the PS Vita 3.60, via HENkaku.
I’ll be referring to mr.gas’ old trick for bypassing pfs protection on old fw. Old instructions:
Most of the work is going to be in app.db.
- add a value in table tbl_uri like the following: NPXS10000;1;ux0;
- modify the NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
- overwrite the modified app.db using the email app and reboot
- now use the browser to call the new URI with your target game. Example: ux0:app/PCSA00017. Apparently the near app will open the game manual.
- minimize near, then dump the game using the PSP PBOOT trick and QCMA (while the near app is still open)
- end of the story... and have fun. Tested in fw 3.18 and above.
Make these modifications in app.db before following this guide.
If you want to decrypt cartridges as well, you can also add “NPXS10000;1;gro0;” at step 1.
PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60
It has been reported many times that mr.gas’ trick to dump unencrypted files from ux0:app was patched in 3.60, but it’s not actually exact.
What has been patched is the PBOOT.PBP dumper trick. MolecularShell can’t access other applications’ files, which is why applying mr.gas’ trick doesn’t seem to work on 3.60.
So, how to do it again? Well, we’ll be taking advantage of how the Vita handles game updates.
Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].
Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.
Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridge games).
Now, using mr.gas’ old trick, open the URI “ux0:app/[TITLEID]” (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.
Run the game you want to decrypt, MolecularShell will boot instead.
You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).
You can also access the following locations, where you can find unencrypted files:
- app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
- addcont0: (DLC Content)
- savedata0: (That’s where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)
HOW CAN I MOD MY GAME ???! I WANT 18+ PATCHES
Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.
So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].
Put the modded files, unencrypted, in ux0:patch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish).
Make sure you’re not using mr.gas’ trick here, or the directory won’t be writable. Also use the original MolecularShell; you must not be running the game at this point.
Don’t put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.
Wait, if we hijack the patch directory from our game, doesn’t it mean the updates won’t be installed anymore?
Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.
Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ***, so I won’t explain how to do it here. I managed to do it, if no one figures it out, I’ll eventually explain it later.
Source: Major_Tom on twitter