Editing SELF - SPRX

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
SELF stands for Signed Executable and Linkable Format. SELF is the file format used by the executables on the PS3 and PS Vita. SPRX stands for Signed Playstation Relocatable eXecutable. SPRX is a file extension, derived from PRX, of SELF files that are loaded as "libraries" rather than "applications". SELF files of applications are often named "EBOOT.BIN" as in "encrypted BOOT.BIN" as a legacy of PS1, PS2 and PSP executables filenames.
[[Category:Software]]
 
SELF stands for Signed Executable and Linkable Format.


[[File:Self.png|thumb|alt=A screenshot of f0f's presentation at CCC2010.]]
[[File:Self.png|thumb|alt=A screenshot of f0f's presentation at CCC2010.]]
[[File:Self_hdr.png|thumb]]


= Introduction =
It is the format used by the executables on the PS3
It consists of an elf whose sections might be encrypted using AES CTR and signed using ECDSA + HMAC-SHA1
It has a specific header here called SCE header where it stores all the parameters for this process


SELF consists of a [[Certified File]] header with an Extended Header followed by the encapsulated ELF file. ELF sections can be compressed using gzip. A SELF is usually encrypted and signed, but [[#fSELF|fSELF]] are unsigned SELFs. ELF sections can be encrypted using AES128 and signed using ECDSA160 or RSA2048 + HMAC-SHA1 or HMAC-SHA256. A SELF has a specific header called Extended header where it stores all the parameters for this program.
----
 
*Extended Header
Extended Header consists of information regarding the structure and offsets of the SELF. The first part is in plaintext until the Encryption Root Header.
 
*Encryption Root Header
Encryption Root Header is encrypted under an AES256CBC layer. It contains key and IV to further decrypt the Certification data using AES128 (CBC or CTR).
 
*Certification data
Certification Header, Certification Body and CF Signature are encrypted under an AES128 (CBC or CTR) layer with the Encryption Root Header key and IV.
 
*Certification Header
Signature is an ECDSA160/RSA2048 signature of the SHA1/SHA256 digest of the SELF file starting at offset 0 and ending at offset sign_offset.
 
*Data Segments
Data segments can be encrypted and/or compressed. SHA1/HMAC-SHA1/HMAC-SHA256 is used to ensure that they have not been modified.


= Cryptography =
= Cryptography =


Here is a small summary on how the SELF cryptography works.  
Here is a small summary on how the self cryptography works.  


Basically here are the steps being involved by the loaders:  
Basically here are the steps being involved by the loaders:  


Loaders all have a static key and iv called respectively <abbr title="ERK - 256bit Encryption Round Key">erk</abbr> and <abbr title="RIV - 128bit Reset Initialization Vector">riv</abbr>. Those are keys for the first decryption step which is to decrypt the Encryption Root Header using <abbr title="AES256CBC - Advanced Encryption Standard - 256 bit - Cipher-block chaining">AES256CBC</abbr>. When the SELF is protected by [[NPDRM]] ?instead of using static keys?, erk and riv are derived by decrypting klicensee using "NP_klic_key".
Loaders all have a static key and iv called respectively <abbr title="ERK - 256bit Encryption Round Key">erk</abbr> and <abbr title="RIV - 128bit Reset Initialization Vector">riv</abbr>, those are keys for the first decryption step which are used to decrypt the very first 0x40 bytes of the self's metadata using <abbr title="AES256CBC - Advanced Encryption Standard - 256 bit - Cipher-block chaining">AES256CBC</abbr>


Then the result is used as key and iv to decrypt the rest of the Certification data using <abbr title="AESCTR - Advanced Encryption Standard - Counter Mode">AES128CTR</abbr> (PS3) or AES128CBC (PS Vita). Finally the decrypted Certification data contains the key and iv for each data segments which are still decrypted following the Segment Certification Header information. This security model is based on the fact that the Certification Root Header once decrypted by the static AES256CBC key in the loader should never be the same from one binary to the other. The same goes for any other value used as an AES128 key or iv.
Then the result is used as a key and iv to decrypt the rest of the metadata using <abbr title="AESCTR - Advanced Encryption Standard - Counter Mode">AESCTR</abbr>, finally the decrypted metadata contains the keys and iv for each data sections which are still decrypted through AES128CTR. This security model is based on the fact that the first 0x40 bytes of the self's metadata once decrypted by the static AES256CBC key in the loader should never be the same from one binary to the other. The same goes for any other value used as an AES128CTR key or iv.  


Loaders are also involved with inflating the binaries using zlib.
Loaders are also involved with inflating the binaries using zlib.  


The SELF authenticity is based on other independent steps, <abbr title="HMAC-SHA1 - Hash-based Message Authentication Code - Secure Hash Algorithm 1">HMAC-SHA1</abbr> or HMAC-SHA256 of the data segments and <abbr title="ECDSA - Elliptic Curve Digital Signature Algorithm">ECDSA160</abbr> or RSA2048 for the signature of the header and the Certification data.
The self authenticity is based on other independent steps, <abbr title="HMAC-SHA1 - Hash-based Message Authentication Code - Secure Hash Algorithm 1">HMAC-SHA1</abbr> and <abbr title="ECDSA - Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> for the actual signature.


== Short references ==
== Short references ==
*[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES]
*[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES]
*[http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation Block cipher modes of operation]
*[http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation Block cipher modes of operation]
Line 44: Line 31:
*[http://en.wikipedia.org/wiki/Elliptic_Curve_DSA ECDSA]
*[http://en.wikipedia.org/wiki/Elliptic_Curve_DSA ECDSA]


More indepth Online course about encryption in generic (also AES/ECDSA): [https://engineering.purdue.edu/kak/compsec/Lectures.html Lecture Notes on Computer and Network Security by Avinash Kak]
= File Format  =
 
= fSELF =


fSELF stands for fake signed ELF. It is the format output by Software Development Kits and ran on activated TestKits and DevKits. As it name suggests, a fSELF is not signed and usually not encrypted. If a fSELF was signed, that would imply that SDK embeds the private keys required to sign it.
Notes:


A fSELF has Attribute set to 0x8000. ?always?
*Numbers are stored in big endian format.


A fSELF has usually less rights than a System SELF but more than a finalized Non-System SELF. The OS recognizes a fSELF by looking at its program-authority-id.
== SELF/SCE Header ==
 
To document more...
 
= Location =
 
== PS3 ==
 
Files with extensions: eboot.bin, *.self, *.sprx.
 
See also [[SELFs inside ELFs]].
 
== PS Vita ==
 
Files with extensions: eboot.bin, *.self, *.suprx, *.skprx, *.skarx.
 
= File Format =
 
Notes:
* Warning: PS3 uses big endian, PS Vita uses little endian.
* Encapsulated ELF header fields are useless (only the EI_CLASS EI_DATA and EI_VERSION fields are checked).
 
== PS3 early Program Type 3 SELFs ==
 
<pre>
SDK 0.60: No sce version nor elf digest
SDK 0.8X: No sce version, with 0x30 elf digest
SDK 0.9X: With sce version and 0x40 elf digest (scetool produces this type)
</pre>
 
== Special SELF samples ==
 
=== Warhawk public beta release 012 ===
 
Oldest official game SELF (although not even NPDRM protected!!!) found by now: 2007-06-08.
 
*https://web.archive.org/web/*/http://download-prod.online.scea.com/medius-patch/warhawk-pubeta/warhawk//*
*https://web.archive.org/web/20070711084313/http://download-prod.online.scea.com/medius-patch/warhawk-*pubeta/warhawk/20070608_r012/NPUA80093_113_release.self
*https://web.archive.org/web/20070711084217/http://download-prod.online.scea.com/medius-patch/warhawk-pubeta/warhawk/20070608_r012/NPUA80093_113_PARAM.sfo
*https://web.archive.org/web/20070621155928/http://download-prod.online.scea.com/medius-patch/warhawk-pubeta/warhawk/20070608_r012/NPUA80093.cfg
 
*https://twitter.com/Mathieulh/status/1057395385319211008?s=20
 
== Extended Header ==
 
Extended Header offsets are relative to [[Certified File]] start.


=== Struct ===
=== Struct ===
typedef struct {
  uint32_t magic;                /* 53434500 = SCE\0 */
  uint32_t version;              /* header version */
  uint16_t sdk_type;              /* 0x0 retail (type 0)
                                  * 0x1 retail (0.92-3.30)
                                  * 0x2 retail (type 1)
                                  * 0x3 unknown (npdrm1?)
                                  * 0x4 retail (3.40-3.42)
                                  * 0x5 unknown (npdrm1?)
                                  * 0x6 unknown (npdrm2?)
                                  * 0x7 retail (3.50)
                                  * 0x8 unknown (npdrm1?)
                                  * 0x9 unknown (npdrm2?)
                                  * 0xa retail (3.55)
                                  * 0xb unknown (npdrm1?)
                                  * 0xc unknown (npdrm2?)
                                  * 0xd retail (3.56)
                                  * 0xe unknown (npdrm1?)
                                  * 0xf unknown (npdrm2?)
                                  * 0x10 retail (3.60-3.61)
                                  * 0x11 unknown (npdrm1?)
                                  * 0x12 unknown (npdrm2?)
                                  * 0x13 retail (3.65)
                                  * 0x14 unknown (npdrm1?)
                                  * 0x15 unknown (npdrm2?)
                                  * 0x16 retail (3.70-3.73)
                                  * 0x17 unknown (npdrm1?)
                                  * 0x18 unknown (npdrm2?)
                                  * 0x8000 DEBUG (devkit)
                                  */
  uint16_t header_type;          /* 1 self, 2 unknown, 3 pkg */
  uint32_t metadata_offset;      /* metadata offset */
  uint64_t header_len;            /* self header length */
  uint64_t elf_filesize;          /* ELF file length */
  uint64_t unknown;              /* UNKNOWN */
  uint64_t appinfo_offset;        /* app info offset */
  uint64_t elf_offset;            /* ELF #1 offset */
  uint64_t phdr_offset;          /* program header offset */
  uint64_t shdr_offset;          /* section header offset */
  uint64_t section_info_offset;  /* section info offset */
  uint64_t sceversion_offset;    /* version offset */
  uint64_t controlinfo_offset;    /* control info offset */
  uint64_t controlinfo_size;      /* control length */
  uint64_t padding;              /* UNKNOWN */ NEEDS CHECKING
} __attribute__((packed)) SELF;


<source lang="C">
===Table===
typedef struct { // Size is 0x50 bytes
  uint64_t ext_hdr_version;
  uint64_t program_identification_hdr_offset;
  uint64_t ehdr_offset;
  uint64_t phdr_offset;
  uint64_t shdr_offset;
  uint64_t segment_ext_hdr_offset;
  uint64_t version_hdr_offset;
  uint64_t supplemental_hdr_offset;
  uint64_t supplemental_hdr_size;
  uint64_t padding;
} __attribute__((packed)) ext_hdr;
</source>
 
=== Table ===


{| class="wikitable"
{| class="wikitable"
|-
! field !! offset !! type !! notes
! field !! offset !! type !! notes
|-
|-
| Extended Header version || 0x0 || u64 || 3 for PS3, 4 for PS Vita
| magic || 0x0 || u32 || Must be "SCE\0"
|-
| version || 0x4 || u32 || This must be 2 or the Self loader will abort
|-
| sdk_type  || 0x8  || u16|| This corresponds to the revision of the key to decrypt the [[SELF_File_Format_and_Decryption#Metadata_Header|metadata header]], see: [[Keys#Appldr|appldr]], [[Keys#Key_Table_Structure|key structure in loaders]]
*known appldr keys:  0x0000 - 0x000F
*known NPDRM keys: 0x0001, 0x0004, 0x0007, 0x000A
*debug: 0x8000
key_obj = key_table[sdk_type]
|-
| header_type || 0xA || u16 || 1 self, 2 rvk, 3 pkg, 4 spp
|-
| metadata_offset || 0xC  || u32 || Offset to the checksums. Must be at least 20 bytes before the end of the header
|-
|-
| Program Identification Header offset || 0x8 || u64 || Offset to Program Identification Header.
| header_len || 0x10 || u64 || This is the length of the header (including the fake elf headers)
*The total length of the header must be less that 8KB
|-
|-
| ELF Header offset || 0x10 || u64 || Offset to ELF Header.
| Encrypted size || 0x18 || u64 || The size of the encrypted part of the self file.
|-
| unknown || 0x20 || u64 || Must be 3
|-
| App_info_offset || 0x28 || u64 || An offset in the header, usually at 0x70. See App info header.
|-
| elf_offset || 0x30 || u64 || offset to the elf header
|-  
|-  
| Program Header offset || 0x18 || u64 || Offset to ELF Program Header.
| phdr_offset  || 0x38 || u64 || offset to phdr
|-
|-
| Section Header offset || 0x20 || u64 || Offset to ELF Section Header.
| shdr_offset  || 0x40 || u64 || offset to shdr
|-
|-
| Segment Extended Header offset || 0x28 || u64 || Offset to Segment Extended Header.
| encrypted phdr sizes/offsets table offset || 0x48 || u64 || Offset to a table which maps phdr entries to the actual offset/size within the encrypted fself.
Because fselfs can be compressed, they might not match the values listed within the elf.  
|-
|-
| Version Header offset || 0x30 || u64 || Offset to Version Header.
| sceversion header || 0x50 || u64 || Offset to a header which contains some version information, including an offset to the .sceversion section of the encrypted elf.  
The playstation 3 doesn't care about this, and doesn't even check the header
|-
|-
| Supplemental Header offset || 0x38 || u64 || Offset to Supplemental Header.
| Digest  || 0x58 || u64 ||  
|-
|-
| Supplemental Header size || 0x40 || u64 || Size of Supplemental Header.
| Digest Size  || 0x60  || u64 ||  
|-
|-
| Padding || 0x48 || u64 ||
|}
|}


=== Comments ===
===comments===
The real ELF data is located after the SCE header (see header size). It is encrypted, unless the flags are 0x8000. unfself works by cutting the SCE header from the (fake) SELF.


The real ELF data is located after the Extended Header (see Extended Header size in [[Certified File#Header|Certified File Header]]). It is encrypted, unless [[Certified File]] attribute is 0x8000 (fake CF). unfself works by cutting the SCE header from the fSELF and if needed decompressing segments.
== App Info  ==


== Program Identification Header ==
===Struct===
 
typedef struct {
Temporary name was App Info. Official name is Program Identification Header.
  uint64_t authid;                /* auth id */
 
  uint32_t vendor_id;            /* vendor id */
=== Struct ===
  uint32_t self_type;            /* app type
                                  * 1 level0,
                                  * 2 level1,
                                  * 3 level2,
                                  * 4 application,
                                  * 5 isolated SPU module,
                                  * 6 secure loader,
                                  * 7 unknown
                                  * 8 NPDRM app */
  uint64_t version;              /* app version */
  uint64_t padding;              /* UNKNOWN */
} __attribute__((packed)) APP_INFO;


<source lang="C">
===Table===
typedef struct {
  uint64_t program_authority_id;
  uint32_t program_vender_id;
  uint32_t program_type;
  uint64_t program_sceversion;
  uint64_t padding;
} __attribute__((packed)) program_identification_header;
</source>
 
=== Table ===


{| class="wikitable"
{| class="wikitable"
! field !! offset !! type !! notes !! example
|-
|-
| program_authority_id || 0x00 || u64 || See [[Program Authority Id]] || ex: 21 00 00 10 1C CA 01 30
! field !! offset !! type !! notes
|-
|-
| program_vender_id || 0x08 || u32 || See [[Program Vender Id]] || ex: 00 00 00 00
| authid    || 0x00 || u64
|-
|-
| program_type || 0x0C || u32 || See [[Program Type]] || ex: 08 00 00 00
|unknown    || 0x08 ||u32
|-
|-
| program_sceversion || 0x10 || u64 || ?SDK version or app version? [[Revision versus Version|version]] ex: 01.02 is translated by make_fself.exe to 02 01 00 00 || ex: 0x0000036000000000 (3.600.011), 0x0000009450000000 (0.945.040)
|app_type  || 0x0c ||u32 ||
                          *1 -- level 0
                          *2 -- level 1
                          *3 -- level 2
                          *4 -- application
                          *5 -- isolated SPU module
                          *6 -- secure loader
                          *8 -- NP-DRM application
|-
|-
| padding || 0x18 || u64 || Padding || 00 00 00 00 00 00 00 00
|app_version ||0x10 ||u64  
|}
|}


=== Comments ===
===Comments===


Aligned to 0x10 bytes.
Aligned to 0x10 bytes.


== ELF Header ==
== ELF Header ==
 
===Struct===
typedef struct {
  uint8_t ident[16];              /* magic */
  uint16_t type;                  /* type */
  uint16_t machine;              /* machine */
  uint32_t version;              /* version */
  uint64_t entry_point;          /* entry point address */
  uint64_t phdr_offset;          /* start of program headers */
  uint64_t shdr_offset;          /* start of section headers */
  uint16_t flags;                /* flags */
  uint32_t header_size;          /* size of this header */
  uint16_t phent_size;            /* size of program headers */
  uint16_t phnum;                /* number of program headers */
  uint16_t shent_size;            /* size of section headers */
  uint16_t shnum;                /* number of section headers */
  uint16_t shstrndx;              /* section header string table index */
} __attribute__((packed)) ELF;
 
===Table===


=== Struct ===
===Comments===


==== PS3 ====
See Spec here: [http://www.sco.com/developers/gabi/latest/ch4.eheader.html ELF Header]


<source lang="C">
Notes:
typedef struct {
    uint8_t e_ident[16];              /* ELF identification */
    uint16_t e_type;                  /* object file type */
    uint16_t e_machine;              /* machine type */
    uint32_t e_version;              /* object file version */
    uint64_t e_entry;                /* entry point address */
    uint64_t e_phoff;                /* program header offset */
    uint64_t e_shoff;                /* section header offset */
    uint32_t e_flags;                /* processor-specific flags */
    uint16_t e_ehsize;                /* ELF header size */
    uint16_t e_phentsize;            /* size of program header entry */
    uint16_t e_phnum;                /* number of program header entries */
    uint16_t e_shentsize;            /* size of section header entry */
    uint16_t e_shnum;                /* number of section header entries */
    uint16_t e_shstrndx;              /* section name string table index */
} __attribute__((packed)) ELF;
</source>


See also specifications:
*e_type: ET_PS3PRX=0xFFA4
[http://www.sco.com/developers/gabi/latest/ch4.eheader.html ELF Header]
*EI_OSABI: ELFOSABI_CELL_LV2=0x66
[http://www.openwatcom.com/ftp/devel/docs/elf-64-gen.pdf ELF-64 Object File Format]


==== PS Vita ====
== ELF Program Headers  ==


<source lang="C">
===Struct===
typedef struct {
typedef struct {
    uint8_t e_ident[16];              /* ELF identification */
  uint32_t type;
    uint16_t e_type;                  /* object file type */
  uint32_t flags;
    uint16_t e_machine;               /* machine type */
  uint64_t offset_in_file;
    uint32_t e_version;               /* object file version */
  uint64_t virtual_addr;
    uint32_t e_entry;                 /* entry point address */
  uint64_t phys_addr;
    uint32_t e_phoff;                 /* program header offset */
  uint64_t segment_size;
    uint32_t e_shoff;                 /* section header offset */
  uint64_t segment_mem_size;
    uint32_t e_flags;                 /* processor-specific flags */
  uint64_t alignment;
    uint16_t e_ehsize;                /* ELF header size */
} __attribute__((packed)) ELF_PHDR;
    uint16_t e_phentsize;            /* size of program header entry */
    uint16_t e_phnum;                /* number of program header entries */
    uint16_t e_shentsize;             /* size of section header entry */
    uint16_t e_shnum;                 /* number of section header entries */
    uint16_t e_shstrndx;              /* section name string table index */
} __attribute__((packed)) ELF;
</source>


{| class="wikitable sortable"
===Table===
! Name of the variable !! Offset !! Size !! Notes
|-
| e_ident[0..3] || 0 || 4 || Magic.
|-
| e_ident[4] || 4 || 1 || Class Type. Must be [ELFCLASS32 = 0x01].
|-
| e_ident[5] || 5 || 1 || Data Type. Must be [ELFDATA2LSB = 0x01].
|-
| e_ident[6] || 6 || 1 || File version. Must be 1.
|-
| e_ident[7...15] || 7 || 9 || unused
|-
| e_type || 0x10 || 2 || See SCE-specific e_type.
|-
| e_machine || 0x12 || 2 || Must be [EM_ARM = 0x0028].
|-
| e_version || 0x14 || 4 || Must be 0x1.
|-
| e_entry || 0x18 || 4 || Address to jump to in order to start program (warning: not always set).
|-
| e_phoff || 0x1C || 4 || Boundary checked, but unused (already given by SELF header). ?and for fSELF?
|-
| e_shoff || 0x20 || 4 || unused
|-
| e_flags || 0x24 || 4 || unused
|-
| e_ehsize || 0x28 || 2 || Must be sizeof(Elf32_Ehdr) = 0x0034.
|-
| e_phentsize || 0x2A || 2 || Must be sizeof(Elf32_Phdr) = 0x0020.
|-
| e_phnum || 0x2C || 2 || Count of Program Header in this ELF.
|-
| e_shentsize || 0x2E || 2 || unused
|-
| e_shnum || 0x30 || 2 || unused
|-
| e_shstrndx || 0x32 || 2 || unused
|}


See also [https://wiki.henkaku.xyz/vita/images/a/a2/Vita_SDK_specifications.pdf yifan lu's outdated specifications for PS Vita fSELF]
===Comments===
See Spec here: [http://www.sco.com/developers/gabi/latest/ch5.pheader.html ELF Program Headers]  


=== SCE specific ELF types (e_type) ===
== ELF Section Headers ==


<source lang="C">
===Struct===
/* SCE-specific definitions for e_type: */
typedef struct {
#define ET_SCE_EXEC 0xFE00 /* SCE Executable - PRX2 */
  uint32_t name_idx;
#define ET_SCE_RELEXEC 0xFE04 /* SCE Relocatable Executable - PRX2 */
  uint32_t type;
#define ET_SCE_STUBLIB 0xFE0C /* SCE SDK Stubs */
  uint64_t flags;
#define ET_SCE_DYNEXEC 0xFE10 /* SCE EXEC_ASLR (PS4 Executable with ASLR) */
  uint64_t virtual_addr;
#define ET_SCE_DYNAMIC 0xFE18 /* ? */
  uint64_t offset_in_file;
#define ET_SCE_IOPRELEXEC 0xFF80 /* SCE IOP Relocatable Executable */
  uint64_t segment_size;
#define ET_SCE_IOPRELEXEC2 0xFF81 /* SCE IOP Relocatable Executable Version 2 */
  uint32_t link;
#define ET_SCE_EERELEXEC 0xFF90 /* SCE EE Relocatable Executable */
  uint32_t info;
#define ET_SCE_EERELEXEC2 0xFF91 /* SCE EE Relocatable Executable Version 2 */
  uint64_t addr_align;
#define ET_SCE_PSPRELEXEC 0xFFA0 /* SCE PSP Relocatable Executable */
  uint64_t entry_size;
#define ET_SCE_PPURELEXEC 0xFFA4 /* SCE PPU Relocatable Executable */
} __attribute__((packed)) ELF_SHDR;
#define ET_SCE_ARMRELEXEC 0xFFA5 /* ?SCE ARM Relocatable Executable (PS Vita System Software earlier or equal 0.931.010) */
#define ET_SCE_PSPOVERLAY 0xFFA8 /* ? */
</source>


=== OS ABI identification ===
===Table===


<source lang="C">
===Comments===
#define ELFOSABI_CELL_LV2 102 /* CELL LV2 */
</source>


== ELF Program Segment Header ==
== Segment Information  ==


=== Struct ===
=== Struct ===


==== PS3 ====
typedef struct {
  uint64_t offset;
  uint64_t size;
  uint32_t compressed; // 2=compressed
  uint32_t unknown1;
  uint32_t unknown2;
  uint32_t encrypted; // 1=encrypted
} __attribute__((packed)) SECTION_INFO;


<source lang="C">
=== Table ===
typedef struct
{
  Elf64_Word p_type; /* Segment type */
  Elf64_Word p_flags; /* Segment flags */
  Elf64_Off p_offset; /* Segment file offset */
  Elf64_Addr p_vaddr; /* Segment virtual address */
  Elf64_Addr p_paddr; /* Segment physical address */
  Elf64_Xword p_filesz; /* Segment size in file */
  Elf64_Xword p_memsz; /* Segment size in memory */
  Elf64_Xword p_align; /* Segment alignment */
} Elf64_Phdr;
</source>


==== PS Vita ====
{| class="wikitable"
|-
! field !! offset !! type !! notes
|-
|Encrypted Data Offset || 0x00 ||u64 
|-
|Encrypted Data Size  || 0x08 ||u64
|- 
|unknown || 0x10 || u32 || This has been 1 in all the examples I have seen.
|- 
|unknown || 0x14 || u32 || Always 0, as far as I know.
|- 
|unknown || 0x18 || u32 || Always 0, as far as I know.
|- 
|unknown || 0x1c || u32 || This is 2 for loadable segment types, and 0 for other types.
|-
|}


<source lang="C">
=== Comments ===
typedef struct
{
  Elf32_Word p_type; /* Segment type */
  Elf32_Off p_offset; /* Segment file offset */
  Elf32_Addr p_vaddr; /* Segment virtual address */
  Elf32_Addr p_paddr; /* Segment physical address */
  Elf32_Word p_filesz; /* Segment size in file */
  Elf32_Word p_memsz; /* Segment size in memory */
  Elf32_Word p_flags; /* Segment flags */
  Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;
</source>


See Spec here: [http://www.sco.com/developers/gabi/latest/ch5.pheader.html ELF Program Segment Header]
There is one of these entries for each phdr entry in the elf file so that the ps3 knows where to decrypt the data from. (because it might also be compressed.)


=== SCE specific segment types (p_type) ===
Notes:


<source lang="c">
*There is one Segment Information for each ELF Program Header.<br>
#define PT_SCE_RELA 0x60000000
== SCE Version Info ==
#define PT_SCE_LICINFO_1 0x60000001
#ddfine PT_SCE_LICINFO_2 0x60000002
#define PT_SCE_DYNLIBDATA 0x61000000
#define PT_SCE_PROCESS_PARAM 0x61000001
#define PT_SCE_MODULE_PARAM 0x61000002
#define PT_SCE_RELRO 0x61000010 // for PS4
#define PT_SCE_COMMENT 0x6FFFFF00
#define PT_SCE_LIBVERSION 0x6FFFFF01
#define PT_SCE_UNK_70000001 0x70000001
#define PT_SCE_IOPMOD 0x70000080
#define PT_SCE_EEMOD 0x70000090
#define PT_SCE_PSPRELA 0x700000A0
#define PT_SCE_PSPRELA2 0x700000A1
#define PT_SCE_PPURELA 0x700000A4
#define PT_SCE_SEGSYM 0x700000A8
</source>
'''PT_SCE_MODULE_PARAM (PS4)'''


This segment contains a single C struct. It appears instead of PT_SCE_PROCESS_PARAM if the ELF file was compiled to be a library. Like PT_SCE_PROCESS_PARAM, the .data segment contains it and it is always at offset 0.
===Struct===
<source lang="c">
typedef struct {
struct SceModuleParamBase {
  uint32_t unknown1;
    // current size of the struct this version
  uint32_t unknown2;
    uint64_t size;
  uint32_t unknown3;
    // magic bytes
  uint32_t unknown4;
    uint32_t magic; // 0x3c13f4bf
} __attribute__((packed)) SCEVERSION_INFO;
    // current version of the struct format used
    uint32_t version;
    // for example: 0x0803_0001 for firmware version 8.03
    uint32_t sdk_version;
}
</source>
The struct is the base or head of the actual struct used. The above fields are always present and their offsets do not change between versions.


Fields whose name are of the form: unk_0x[0-9 aA-fF], are unknown fields whose offset is in the name, e.g. unk_0x18 is at offset 0x18.<source lang="c">
===Table===
// checked FW 2.xx-7.00
// FW < 2.00 files do not have a PT_SCE_MODULE_PARAM segment, unchecked 7.00 < FW < 7.55
struct SceModuleParamV1 {
    uint64_t size; // 0x18
    uint32_t magic; // 0x3c13f4bf
    uint32_t version; // 1 for V1
    uint32_t sdk_version;
}
// checked 7.55-9.00, unchecked FW > 10.50 and 7.00 < FW < 7.55
struct SceModuleParamV2 {
    uint64_t size; // 0x20
    uint32_t magic; // 0x3c13f4bf
    uint32_t version; // 2 for V2
    uint32_t sdk_version;
    uint64_t unk_0x18;
}
</source>


=== SCE specific segment flags (p_flags) ===
===Comment===


<source lang="C">
== Control Information  ==
*PF_SPU_X = 0x00100000
*PF_SPU_W = 0x00200000
*PF_SPU_R = 0x00400000
*PF_RSX_X = 0x01000000
*PF_RSX_W = 0x02000000
*PF_RSX_R = 0x04000000
</source>


== ELF Section Header ==
===Struct===


=== Struct ===
typedef struct {
  uint32_t type; // 1==control flags; 2==file digest; 3==npdrm
  uint32_t size;


<source lang="C">
   union {
   typedef struct {
     // type 1 0x30 bytes
     uint32_t sh_name;                /* section name */
     struct {
    uint32_t sh_type;                /* section type */
      uint64_t unknown1;
     uint64_t sh_flags;                /* section attributes */
      uint8_t control_flags[16];
    uint64_t sh_addr;                 /* virtual address in memory */
      uint64_t unknown2;
    uint64_t sh_offset;               /* offset in file */
      uint64_t unknown3;
    uint64_t sh_size;                 /* size of section */
     } control_flags;
    uint32_t sh_link;                /* link to other section */
    uint32_t sh_info;                /* miscellaneous information */
    uint64_t sh_addralign;           /* address alignment boundary */
     uint64_t sh_entsize;              /* size of entries, if section has table */
  } __attribute__((packed)) ELF_SHDR;
</source>


=== SCE specific section types (sh_type) ===
    // type 2 0x40 bytes
    struct {
      uint64_t unknown1;
      uint8_t digest1[20];
      uint8_t digest2[20];
      uint64_t unknown2;
    } file_digest40;


<source lang="C">
    // type 2 0x30 bytes
#define SHT_SCE_RELA 0x60000000
    struct {
#define SHT_SCE_NID 0x61000001
      uint64_t unknown1;
#define SHT_SCE_IOPMOD 0x70000080
      uint8_t digest1[20];
#define SHT_SCE_EEMOD 0x70000090
      uint64_t unknown2;
#define SHT_SCE_PSPRELA 0x700000A0
    } file_digest30;
#define SHT_SCE_PPURELA 0x700000A4
</source>


== Segment Extended Header ==
    // type 3 0x90 bytes
    struct {
      uint64_t unknown1;
      uint32_t magic;
      uint32_t unknown2;
      uint32_t license; /* 1 network, 2 local, 3 free */
      uint32_t type; /* 1 exec, 21 update */
      uint8_t content_id[48];
      uint8_t digest[16];
      uint8_t invdigest[16];
      uint8_t xordigest[16];
      uint64_t unknown3;
      uint64_t unknown4;
    } npdrm;
  };
} __attribute__((packed)) CONTROL_INFO;


Temporary name was Section Info. Official name is segment_ext_header.
===Table===


Segment Extended Header is a table which maps each phdr/shdr entry to the actual offset/size within the encrypted Certified File. Indeed, because segments can be compressed, they might not match the values listed within the ELF phdr/shdr.
===Comments===


There is one of these entries for each ELF phdr (ELF Program Segment Header) entry in the ELF file so that the console knows where to decrypt the data from, because it might also be compressed.


=== Struct ===
== Metadata Information  ==


<source lang="C">
===Struct===
typedef struct {
typedef struct {
   uint64_t offset;
   uint8_t key[16];
   uint64_t size;
   uint8_t key_pad[16];
   uint32_t compression;
   uint8_t iv[16];
   uint32_t unknown;
   uint8_t iv_pad[16];
  uint64_t encryption;
} __attribute__((packed)) METADATA_INFO;
} __attribute__((packed)) segment_ext_header;
 
</source>
===Table===
 
 
===Comments===
Notes:


=== Table ===
*The key and ivec fields are encrypted using AES256CBC.
*This is not present if it is an FSELF.


{| class="wikitable"
== Metadata Header ==
! field  !! offset !! type !! notes
|-
| Offset || 0x00 ||u64 || Offset to data
|-
| Size || 0x08 || u64 || Size of data
|- 
| compress_algorithm || 0x10 || u32 || 1 = plain, 2 = zlib
|- 
| Unknown || 0x14 || u32 || Always 0, as far as I know.
|-  
| request_encryption || 0x18 || u64 || 0 = unrequested, 1 = completed, 2 = requested
|}


PS3 OS uses the following structure to handle that data:
===Struct===


<source lang="C">
typedef struct {
typedef struct {
   void *data;
   uint8_t key[16];
   uint64_t size;
   uint8_t key_pad[16];
   uint64_t offset;
   uint8_t iv[16];
} segment_ext_header;
  uint8_t iv_pad[16];
</source>
} __attribute__((packed)) METADATA_INFO;
 
===Table===


== Version Header ==


It contains some version information, including an offset to the .sceversion section of the encrypted ELF.
===Comments===
Notes:


=== Struct ===
*The metadata header is located after the metadata info in the SELF file.
*It is decrypted using AES128CTR with the key and ivec entries from the metadata information.
*The signature input length is the number of bytes which are used to generate the SHA-1 which is used to generate the ECDSA signature. The length should be eveything from the beginning until the signature itself. The decrypted version of the input data is used.
*This is only present if the metadata Information is present.


<source lang="C">
== Metadata Section Headers ==
  typedef struct {
  uint32_t subheader_type; // 1 - sceversion
  uint32_t present;        // 0 = false, 1 = true
  uint32_t size;          // usually 0x10
  uint32_t unknown4;
} __attribute__((packed)) version_header;
</source>


=== Data Struct ===
===Struct===


<source lang="C">
typedef struct {
typedef struct {
   uint64_t data_offset;
   uint16 unknown_1;
  uint64_t data_size;
   uint16 unknown_2; // 0x1
   uint32_t type; // 1 = shdr, 2 == phdr, 3 == unknown
   uint32 unknown_3;
   uint32_t program_idx;
   uint32 unknown_4; // ?Number of sections?
   uint32_t unknown;
   uint32 unknown_5;
   uint32_t sha1_idx;
   ////
   uint32_t encrypted; // 3=yes; 1=no
    uint64 offset;   // Data offset
  uint32_t key_idx;
    uint64 size;     // Data size
  uint32_t iv_idx;
   //// <- these are supposed to be sections
   uint32_t compressed; // 2=yes; 1=no
} SCE_VERSION_DATA_30;
} __attribute__((packed)) METADATA_SECTION_HEADER;
</source>


=== Comments ===
===Table===


== Supplemental Header Table ==
===Comments===


Temporary name was Control Information. Official name is supplemental_header_table.
Notes:


=== Struct ===
*The metadata section headers are located after the metadata header in the SELF file.
*The number of sections is indicated by the sectionCount entry in the metadata header.
*They are decrypted using AES128CTR with the key and ivec entries from the metadata information.
*Section data is decrypted using AES128CTR&nbsp;with the key and ivec from the metadata keys specified by keyIndex and ivecIndex.
*Section data will also need to be uncompressed using zlib.
*The dataOffsets of the metadata section headers match in general the segment information dataOffsets.
*This is only present if the metadata header is present.


<source lang="C">
== Section Hash ==
typedef struct ECDSA224_signature { // size is 0x38
  unsigned char r[0x1C];
  unsigned char s[0x1C];
} ECDSA224_signature;


// current hypothesis of SceSharedSecret is full (0x40 bytes) shared_secret overwritten with klicensee at offset 0x10
===Struct===
typedef struct SceSharedSecret { // size is 0x40 on PS Vita SDK versions 0.931.010-3.740.011
typedef struct {
  uint8_t shared_secret_0[0x10]; // ex: 0x7E7FD126A7B9614940607EE1BF9DDF5E or full of zeroes
  uint8_t sha1[20];
  uint8_t klicensee[0x10]; // usually full of zeroes for NPDRM and fSELF. Usually retrieved from bound RIF for NPDRM.
  uint8_t padding[12];
  uint8_t shared_secret_2[0x10]; // usually full of zeroes for NPDRM and fSELF
  uint8_t hmac_key[64];
  uint32_t shared_secret_3_0; // ex: 0x10, usually full of zeroes for NPDRM and fSELF
} __attribute__((packed)) SECTION_HASH;
  uint32_t shared_secret_3_1; // usually full of zeroes for NPDRM and fSELF
  uint32_t shared_secret_3_2; // usually full of zeroes for NPDRM and fSELF
  uint32_t shared_secret_3_3; // usually full of zeroes for NPDRM and fSELF
} SceSharedSecret;


typedef struct {
===Table===
  uint32_t type; // 1=PS3 plaintext_capability; 2=PS3 ELF digest; 3=PS3 NPDRM, 4=PS Vita ELF digest; 5=PS Vita NPDRM; 6=PS Vita boot param; 7=PS Vita shared secret
  uint32_t size;
  uint64_t next; // 1 if another Supplemental Header element follows else 0


  union {
===Comments===
    // type 1, 0x30 bytes
Notes:
    struct { // 0x20 bytes of data
      plaintext_capability_t plaintext_capability;
    } PS3_plaintext_capability_header;


    // type 2, 0x40 bytes
*The metadata keys (section hash) are located after the metadata section headers in the SELF file.
    struct { // 0x30 bytes of data
*The number of keys is indicated by the keyCount entry in the metadata header.
      uint8_t constant[0x14]; // same for every PS3/PS Vita SELF, hardcoded in make_fself.exe: 627CB1808AB938E32C8C091708726A579E2586E4
*They are decrypted using AES128CTR with the key and ivec entries from the metadata information.
      uint8_t elf_digest[0x14]; // SHA-1. Hash F2C552BF716ED24759CBE8A0A9A6DB9965F3811C is blacklisted by appldr
*If the sha1Index points to a key, then key[sha1Index] and key[sha1Index+1] form the 160-bit hash. key[sha1Index+2] to key[key[sha1Index+6] form the 512-bit key for the HMAC-SHA1. The HMAC-SHA1 is calculated on the decrypted data and before the decompression.
      uint64_t required_system_version; // filled on Sony authentication server, contains decimal PS3_SYSTEM_VER value from PARAM.SFO
    } PS3_elf_digest_header_40;


    // type 2, 0x30 bytes
== Signature Info ==
    struct { // 0x20 bytes of data
      uint8_t constant_or_elf_digest[0x14];
      uint8_t padding[0xC];
    } PS3_elf_digest_header_30;


    // type 3, 0x90 bytes
===Struct===
    struct { // 0x80 bytes of data
typedef struct {
      PS3_NPD npd; // See [[NPD]]
  uint32_t unknown1;
    } PS3_npdrm_header;
  uint32_t signature_size;
  uint64_t unknown2;
  uint64_t unknown3;
  uint64_t unknown4;
  uint64_t unknown5;
  uint32_t unknown6;
  uint32_t unknown7;
} __attribute__((packed)) SIGNATURE_INFO;
===Table===
===Comments===


    // type 4, 0x50 bytes
    struct { // 0x40 bytes of data
      uint8_t constant[0x14]; // same for every PS3/PS Vita SELF, hardcoded in make_fself.exe: 627CB1808AB938E32C8C091708726A579E2586E4
      uint8_t elf_digest[0x20]; // SHA-256 of source ELF file.
      uint8_t padding[8];
      uint32_t min_required_fw; // ex: 0x363 for 3.63
    } PSVita_elf_digest_header;
   
    // type 5, 0x110 bytes
    struct { // 0x100 bytes of data
      uint32_t magic;              // 7F 44 52 4D (".DRM")
      uint32_t finalized_flag;      // ex: 80 00 00 01. It may be version like in NPD.
      uint32_t drm_type;            // [[NPDRM#DRM_Type]]
      uint32_t padding;            // It may be Application Type like in NPD.
      uint8_t content_id[0x30];
      uint8_t digest[0x10];        // ?sha-1 hash of debug SELF/SPRX created using make_fself_npdrm? content_id hash?
      uint8_t padding_78[0x78];
      ECDSA224_signature sig[0x38]; // signature of PSVita_npdrm_header? signature of an external NPDRM file?
    } PSVita_npdrm_header;
   
    // type 6, 0x110 bytes
    struct { // 0x100 bytes of data
      uint8_t boot_param[0x100];
    } PSVita_boot_param_header;
   
    // type 7, 0x50 bytes
    struct { // 0x40 bytes of data
      SceSharedSecret shared_secret;
    } PSVita_shared_secret_header;
  };
} __attribute__((packed)) supplemental_header;
</source>


=== Table ===


=== Comments ===


* See [[Capability_Flags]].
== Signature ==
* PS3 loader uses supplemental_header_table to handle some data:
===Struct===
<source lang="C">
typedef struct {
typedef struct {
   plaintext_capability_t plaintext_capability;     /* Plaintext Capability */
   uint8_t r[21];
   uint8[0x14] elf_digest;         /* sha1 hash of the ELF file */
   uint8_t s[21];
   uint32_t    unknown_0;          /* seems to be padding */
   uint8_t padding[6];
  uint64_t    required_system_version;     /* PS3_SYSTEM_VER, decimal format */
} __attribute__((packed)) SIGNATURE;
} supplemental_header_table;
===Table===
</source>
===Comments===


= Extraction =
Notes:


* Load the Encryption Root Header and decrypt the key and IV entries using AES256CBC with key and IV from OS.
*The signature is located after the the signature information in the SELF file.  
* Load the Certification Header and decrypt it using AES128CTR/CBC with the key and IV entries from the Encryption Root Header.
*It is even present if the signature information is not present.  
* Load the Segment Certification Headers and decrypt them using AES128CTR/CBC with the key and ivec entries from the Encryption Root Header.
*It is decrypted using AES128CTR with the key and ivec entries from the metadata information.
* Load the Segment Certifications and decrypt them using AES128CTR/CBC with the key and ivec entries from the Encryption Root Header.
* For each Segment Certification:
** In the SELF file, fseek to data_offset and read in data_size bytes.
** Decrypt the data using the algorithm, key and ivec from the Segment Certification specified by keyIndex and ivecIndex in the Segment Certification Header.
** Uncompress the data using the algorithm specified in the Segment Certification Header.
** Write the output data to the ELF file as the program section specified by segment_id in the Segment Certification Header.


= Tools =
==Self Section Info==


== Official tools ==
===Struct===
typedef struct {
  uint8_t *data;
  uint64_t size;
  uint64_t offset;
} SELF_SECTION;
===Table===


=== make_fself ===
===Comments===


==== make_fself version 1.9.0 (2009-02-15) ====
= Extracting an ELF<br> =


Found in SCE PS3 SDK 1.92.
=== ELF Header  ===


=== make_fself_npdrm ===
Elf64_Ehdr elfHeader;
fseek ( selfFile, fix64 ( selfHeader.elfHeaderOffset ), SEEK_SET );
fread ( &amp;elfHeader, sizeof ( Elf64_Ehdr ), 1, selfFile );
fseek ( elfFile, 0, SEEK_SET );
fwrite ( &amp;elfHeader, sizeof ( Elf64_Ehdr ), 1, elfFile );


==== make_fself_npdrm version 1.9.0 (2009-02-15) ====
=== Section Headers  ===


Found in SCE PS3 SDK 1.92.
Elf64_Shdr elfSectionHeaders[100];
fseek ( selfFile, fix64 ( selfHeader.elfSectionHeadersOffset ), SEEK_SET );
fread ( elfSectionHeaders, sizeof ( Elf64_Shdr ), fix16 ( elfHeader.e_shnum ), selfFile );
fseek ( elfFile, fix64 ( elfHeader.e_shoff ), SEEK_SET );
fwrite ( elfSectionHeaders, sizeof ( Elf64_Shdr ), fix16 ( elfHeader.e_shnum ), elfFile );


=== unfself ===
=== Section Data  ===


==== unfself version 1.9.0 (2009-02-15) ====
Notes:


Found in SCE PS3 SDK 1.92.
*Unknown, manually copying the data over works for now.  
*There should be a section data offset somewhere.


== Unofficial tools ==
=== Program Headers  ===


=== some tool by geohot (2009) ===
Elf64_Phdr elfProgramHeaders[100];
fseek ( selfFile, fix64 ( selfHeader.elfProgramHeadersOffset ), SEEK_SET );
fread ( elfProgramHeaders, sizeof ( Elf64_Phdr ), fix16 ( elfHeader.e_phnum ), selfFile );
fseek ( elfFile, fix64 ( elfHeader.e_phoff ), SEEK_SET );
fwrite ( elfProgramHeaders, sizeof ( Elf64_Phdr ), fix16 ( elfHeader.e_phnum ), elfFile );


To be documented.
=== Program Data  ===


=== scetool by fail0verflow (?2010?) ===
Notes:


To be documented.
*Load the metadata information and decrypt the key and ivec entries using AES256CBC using erk and riv.
*Load the metadata header and decrypt it using AES128CTR with the key and ivec entries from the metadata information.
*Load sectionCount metadata section headers and decrypt them using AES128CTR with the key and ivec entries from the metadata information.
*Load keyCount metadata keys and decrypt them using AES128CTR with the key and ivec entries from the metadata information.
*For each metadata section:
**In the SELF file, fseek to dataOffset and read in dataSize bytes.
**Decrypt the data using AES128CTR with the key and ivec from the metadata keys specified by keyIndex and ivecIndex from the metadata section header.
**Uncompress the data using zlib.
**Write it to the ELF file as the program section specified by section Index in the metadata section header.


=== some tool by xorloser ===
=== Meta Checksums ===
There are 3 checksums at the offset specified by meta_offset.


To be documented.
*The first is the sha1 checksum of the entire self file.  
*The 2nd checksum is the inverse of the first checksum.
*The 3rd checksum is the first checksum XORed with 0xAAAAAA..AAAAAB


The PSJailbreak payload ignores the actual checksums, but checks that the 3rd checksum is the 2nd checksum XORed with 0xAAAAAA..AAAAAB


{{File Formats}}<noinclude>
''' Source: http://ps3wiki.lan.st/index.php?title=SELF_File_Format_and_Decryption '''
[[Category:Main]]
</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/SELF_-_SPRX"