NPDRM: Difference between revisions

From PS3 Developer wiki
No edit summary
(16 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Wikify}}
{{Wikify}}


'''The info on this page is an extract (and simplify) of talk page, conversations and forum posts, please digest the info and move it this page'''
'''The info on this page is an extract (and simplify) of talk page, conversations and forum posts, please digest the info and move it to this page.'''


To merge on wiki:
* [http://www.emunewz.net/forum/showthread.php?tid=8134 PSP NPDRM explanation by Hykem]
* [http://wololo.net/talk/viewtopic.php?f=67&t=40656 How to find dev klicensee in NPDRM SELF - SPRX by '''Mysis''']


Once the user is trying to start a [[SELF File Format and Decryption|SELF]], the [[VSH|vsh]] looks for the [[SELF_File_Format_and_Decryption#App_Info|appinfo header type]]; if the [[SELF_Types|type is 8]], then the [[SELF_File_Format_and_Decryption#Control_Information|control digest element type 3]] (NPD element) is located. From this NPD header the vsh gets the [[License Types]] (network license, local or free).
See also [https://wiki.henkaku.xyz/vita/SceNpDrm PS Vita NPDRM] and PSP NPDRM.


*'''Type 1''' (Network License): if a remote paid content is to be loaded, the vsh loads the act.dat and the rif associated to the content (will download to vsh process memory).
= PS3 NPDRM SELF - SPRX decryption steps =


*'''Type 2''' (Local): For this paid content too, the vsh locate a file with the same title id on NPD element (CONTENT_ID), then the signature is checked (last 0x28 bytes of both RIF and act.dat).
Once that the user is trying to start a [[SELF - SPRX]], the [[VSH]] looks for the [[SELF_-_SPRX#Program_Identification_Header|Program Identification Header]]. If the [[Program Type]] is NPDRM, then the [[SELF_-_SPRX#Supplemental_Header_Table|Supplemental Header Table NPDRM header]] is located. From this [[NPD]] header the [[VSH]] gets the [[#DRM Type]].


*'''Type 3''' (Free): if a free content (no license check: no need for rif/act.dat) is detected then a [[Keys#klic_free_key|generic klicense]] will be use for further steps (go to LV2).  
If a Network DRM content is to be loaded, the [[VSH]] loads the act.dat and the .rif associated to the content (it will download .rif to VSH process memory).


Using the RIF_KEY with the [[Keys#RIF.27s_act.dat_index_decryption_key|act.dat index decryption key]], it will obtain the actdatIndex, and finally having the actDat key index, the execution pass to [[LV2_Functions_and_Syscalls#LV2_Syscalls|LV2 Syscalls 471.]]
For Local DRM content too, the [[VSH]] locates a file with the same CONTENT ID as in NPDRM header, then the signatures are checked (RIF offset 0x70 and act.dat offset 0x1010). Using the [[Keys#NPDRM_Keys|np_act_data_index_dec_key]], it will decrypt the actdatIndex stored in RIF.


This function has different parameters depending if the content is debug, paid (type 1 & 2) or free (type 3):
If a Free DRM (DRM type 3) content is detected then there is no license check, so no need for .rif/act.dat, and a generic klicensee [[Keys#NPDRM_Keys|klic_ps3_free]] will be used for further steps.


<div style="width:600px; overflow:auto">
Then the execution passes to [[LV2_Functions_and_Syscalls#LV2_Syscalls|LV2 Syscall no 471 sys_npdrm_regist_ekc]].
PAID: syscall471(npd.type, &npd.titleID, NULL, &actdat.keyTable[rif.actDatIndex], &rif.key, npd.license, &npd);
<source lang="C">
FREE: syscall471(npd.type, &npd.titleID, freeklicensee, NULL, NULL, npd.license, &npd);
// is it titleID or content_id?
</div>
int sys_npdrm_regist_ekc(uint32_t type, char* titleID, void* klicensee, uint8_t* actdat, uint8_t* rif, int32_t licenseType, uint8_t* magicVersion);</source>
:<small>*PAID can also include free games/apps too but require this licensing check</small>
This function has different parameters depending on the [[#DRM Type]]:
* Local/Network DRM content: <source lang="C">sys_npdrm_regist_ekc(npd.type, &npd.titleID, NULL, &actdat.keyTable[rif.actDatIndex], &rif.key, npd.license, &npd);</source>
* Free DRM content: <source lang="C">sys_npdrm_regist_ekc(npd.type, &npd.titleID, klic_ps3_free, NULL, NULL, npd.license, &npd);</source>


The lv2 keeps a memory table with contentID and the associated key:
The lv2 keeps a memory table with contentID and the associated klicensee:
*Paid content: the rif.key is converted to the klicensee (by using a [[Keys#klicensee_constant|constant value on lv2]], [[IDPS|IDPS]] and the act.dat) and once transformed it is stored on memory table.
* Local/Network DRM content: lv2 AES128 decrypts the encrypted klicensee from RIF by using [[Keys#NPDRM_Keys|NPDRM IDPS Seed]], [[IDPS]], act.dat and some other keys. Once transformed, klicensee is stored in a memory table.
*free content: copies the titleID and the generic klicensee to the table.
* Free DRM content: lv2 copies the titleID and the generic klicensee (klic_ps3_free) to a memory table.


From there, the lv1 hypervisor, by loading [[Hypervisor_Reverse_Engineering#appldr|appldr]], will transform the key by using the [[Keys#ps3_klic_dec_key|ps3_klic_dec_key]] and finally remove the NPDRM layer of the SELF/SPRX to start the [[SELF - SPRX]] decryption.


From there, the lv1 hypervisor by loading [[Hypervisor_Reverse_Engineering#appldr|Appldr]], will transform (again) this key by using the [[Keys#klic_dec_key|klic_dec_key]] and finally remove the NPDRM layer for start the [[SELF File Format and Decryption|SELF]] decryption.
= PS3 NPDRM EDAT decryption steps =


See also:
See [[EDAT files]].
*wololo.net/talk/viewtopic.php?f=67&t=40656 Tutorial: How to find dev klicensee by '''Mysis'''


==act.dat header(encrypted) structure==
= DRM Type =


{| class="wikitable sortable"
A temporary name was "License type".
|-
| style="background-color:#123EDA; color:#FFFFFF;" |'''Name'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Offset'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Size'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Example'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Remark'''
|-
| Activation Type || 0x0 || 0x4 || 00000001 ||
|-
| Version || 0x4 || 0x4 || 00000001 || 1 or 2(current)
|-
| Account ID || 0x8 || 0x8 || B4 1F 2C 0B DC 1B 43 31 || personal PSN account ID
|-
| Primary Key Table || 0x10 || 0x800 || N.A || Used for decrypting rifkeys
|-
| Unknown1 || 0x810 || 0x40 || N.A||
|-
| Unknown2 || 0x850 || 0x10 || N.A|| Digest?
|-
| Unknown3 || 0x860 || 0x10 || N.A|| Encrypted_data for v.1 / Padding for v.2
|-
| Unknown4 || 0x870 || 0x10 || N.A|| Encrypted_data for v.1 / Time_Stamp for v.2
|-
| Secondary Table || 0x880 || 0x650 || N.A ||
|-
| Unknown5 || 0xED0 || 0x40 || N.A|| algo is same as for Unknown1?
|-
| RSA Signature? || 0xF10 || 0x100 || N.A|| params are unknown
|-
| ECDSA Signature || 0x1010 || 0x28 || N.A|| pub=vsh_pub, ctype=0x02(vsh_curves)
|-
|}
 
==rif file(encrypted) structure==
 
The rif holds the klicensee for both SELF and paid [[EDAT_files|EDAT]].


{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
| style="background-color:#123EDA; color:#FFFFFF;" |'''Name'''
! Value !! Type !! Remarks
| style="background-color:#123EDA; color:#FFFFFF;" |'''Offset'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Size'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Example'''
| style="background-color:#123EDA; color:#FFFFFF;" |'''Remark'''
|-
| Version Number || 0x0 || 0x4 || 00 00 00 01 ||
|-
| License Type || 0x4 || 0x4 || 00 00 00 02 ||
|-
| Account ID || 0x8 || 0x8 || B4 1F 2C 0B DC 1B 43 31 || Used on Rap2Rif header
|-
| [[PARAM.SFO#CONTENT_ID|CONTENT ID]] || 0x10 || 0x30 || UP900-UCUS98721_00-PATAPONPSNDEMO08 || Content ID
|-
| Index hash || 0x40 || 0x10 || N.A ||
|-
|-
| Header hash || 0x50 || 0x10 || N.A  ||
| 0 || Debug || Used in SDAT files.
|-
|-
| License start time || 0x60 || 0x4 || 00 00 01 1F || For human readable, convert to decimal and use one [http://www.epochconverter.com/ Epoch-Unix converter] time format online. Should be 0x08 lenght
| 1 || Network || It requires network authentication every time the content is launched. See [http://en.wikipedia.org/wiki/PlayStation_Network_outage#Inability_to_use_PlayStation_3_content inability example].
|-
|-
| License expiration time || <strike>0x64</strike> 0x68 || 0x4 || C5 16 7B D8 || If zeroed,-, there is no time limit. Used on PS+ for example. should be 0x08
| 2 || Local || It requires first time activation online (paid content but also demo and free of charge content).
|-
|-
| NULL || 0x68 || 0x8 ||  || <strike>Null Padding</strike>
| 3 || Free || On PS3, it does not require any license file nor console activation (act.dat).
|-
|-
| Signature || 0x70 || 0x28 || 11 || [[Patches#reActPSN|Patched]] in some CFW to allow unsigned. See Rif_Junk on Rap2Rif by '''Flatz'''
| 0xD || "PS Vita Free" (guessed name) || Free but with license (.rif) requirement, unlike DRM Type 3.
|-
|}
|}


*[http://pastie.org/private/yltlfwubsz8w5pyhmojyfg '''Rap2Rif''' source code by '''Flatz''' ]
NPDRM contents decryption requires a key, the key licensee or klicensee. Depending on the content's DRM type, klicensee is got in different ways:
* DRM type Network: klicensee is generated using rif + ?to detail?
* DRM type Local: klicensee is generated using act.dat + associated rif + console's IDPS
* DRM type Free: klicensee is the constant PS3 Free klicensee (see NPDRM [[Keys]] and appldr keys)
* DRM type "PS Vita Free": maybe same as Local: to check.


*[http://pastie.org/private/pmnmsnqg6zbfnk9xactbw#1 '''Rap2Rif Key''' souce code by '''Flatz''']
Local DRM contents can also include free games/applications but require licensing check.


*[[Dev_Tools#ReactPSN_.rap_-.3E_.rif_converter|Link download & usage]]
= Tools =


*[http://www.emunewz.net/forum/showthread.php?tid=8134 another reference]
* Tools to convert RAP to klicensee: [[Dev_Tools#ReactPSN_.rap_to_.rif_converter|download links and usage]]




{{File Formats}}<noinclude>[[Category:Main]]</noinclude>
{{File Formats}}<noinclude>[[Category:Main]]</noinclude>
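Review bot: the new prototype's comment "// is it titleID or content_id?" is left unresolved, and the text right after it disagrees with itself: the lv2 table is described as holding contentID, while the Free DRM bullet says lv2 copies the titleID. Settle which identifier the second argument carries and use that one name in the prototype, both call examples and both bullets. The revision also drops the act.dat and rif structure tables while the Local DRM paragraph still cites RIF offset 0x70 and act.dat offset 0x1010; link those offsets to wherever the layouts are now documented.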

Revision as of 03:04, 13 February 2022

The info on this page is a simplified extract of talk pages, conversations and forum posts; please digest the info and move it to this page.

To merge on wiki:

See also PS Vita NPDRM and PSP NPDRM.

PS3 NPDRM SELF - SPRX decryption steps

When the user tries to start a SELF - SPRX, the VSH looks for the Program Identification Header. If the Program Type is NPDRM, then the Supplemental Header Table NPDRM header is located. From this NPD header the VSH gets the DRM Type.

If Network DRM content is to be loaded, the VSH loads the act.dat and the .rif associated with the content (it downloads the .rif to VSH process memory).

For Local DRM content too, the VSH locates a file with the same CONTENT ID as in the NPDRM header, then the signatures are checked (RIF offset 0x70 and act.dat offset 0x1010). Using the np_act_data_index_dec_key, it decrypts the actdatIndex stored in the RIF.

If Free DRM (DRM type 3) content is detected, there is no license check, so no .rif/act.dat is needed, and the generic klicensee klic_ps3_free is used for the further steps.

Execution then passes to LV2 syscall 471, sys_npdrm_regist_ekc.

// is it titleID or content_id?
int sys_npdrm_regist_ekc(uint32_t type, char* titleID, void* klicensee, uint8_t* actdat, uint8_t* rif, int32_t licenseType, uint8_t* magicVersion);

This function takes different parameters depending on the DRM Type:

  • Local/Network DRM content:
    sys_npdrm_regist_ekc(npd.type, &npd.titleID, NULL, &actdat.keyTable[rif.actDatIndex], &rif.key, npd.license, &npd);
    
  • Free DRM content:
    sys_npdrm_regist_ekc(npd.type, &npd.titleID, klic_ps3_free, NULL, NULL, npd.license, &npd);
    

The lv2 keeps a memory table with contentID and the associated klicensee:

  • Local/Network DRM content: lv2 AES128 decrypts the encrypted klicensee from RIF by using NPDRM IDPS Seed, IDPS, act.dat and some other keys. Once transformed, klicensee is stored in a memory table.
  • Free DRM content: lv2 copies the titleID and the generic klicensee (klic_ps3_free) to a memory table.

From there, the lv1 hypervisor, by loading appldr, will transform the key by using the ps3_klic_dec_key and finally remove the NPDRM layer of the SELF/SPRX to start the SELF - SPRX decryption.
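
The argument convention described above, as an added example that is not part of the wiki or of any console firmware: a check that the klicensee, act.dat key and rif key pointers match the DRM type before a call shaped like sys_npdrm_regist_ekc. The enum names, result codes, flags and SAMPLE_BUF are hypothetical; DRM types 0 and 0xD are reported as undocumented because the page gives no call for them.

```c
#include <stddef.h>
#include <stdint.h>
/* DRM Type values from the table on this page. */
enum { DRM_DEBUG = 0, DRM_NETWORK = 1, DRM_LOCAL = 2, DRM_FREE = 3, DRM_VITA_FREE = 0xD };
/* Hypothetical result codes and input flags for this sketch. */
enum check_result { ARGS_OK, ARGS_MISSING_LICENSE, ARGS_UNEXPECTED_LICENSE,
                    ARGS_MISSING_KLICENSEE, ARGS_UNEXPECTED_KLICENSEE,
                    ARGS_UNDOCUMENTED_TYPE, ARGS_UNKNOWN_TYPE };
#define NEED_RIF     0x01u
#define NEED_ACTDAT  0x02u
#define NEED_UNKNOWN 0x80u  /* the page does not settle this type's inputs */

/* Constructed 16-byte placeholder, not a real key or license. */
const uint8_t SAMPLE_BUF[16] = {0};

/* Which license files the VSH has to load before the syscall. */
unsigned required_license_inputs(uint32_t drm_type)
{
    switch (drm_type) {
    case DRM_NETWORK:
    case DRM_LOCAL:     return NEED_RIF | NEED_ACTDAT;
    case DRM_FREE:      return 0;                       /* no license check */
    case DRM_VITA_FREE: return NEED_RIF | NEED_UNKNOWN; /* act.dat: "to check" */
    default:            return NEED_UNKNOWN;
    }
}

/* Checks the klicensee/actdat/rif pointers against the two documented calls. */
enum check_result check_regist_args(uint32_t drm_type, const void *klicensee,
                                    const uint8_t *actdat_key, const uint8_t *rif_key)
{
    switch (drm_type) {
    case DRM_NETWORK:
    case DRM_LOCAL:   /* documented call: klicensee NULL, both license keys set */
        if (klicensee) return ARGS_UNEXPECTED_KLICENSEE;
        return (actdat_key && rif_key) ? ARGS_OK : ARGS_MISSING_LICENSE;
    case DRM_FREE:    /* documented call: klic_ps3_free, no license keys */
        if (!klicensee) return ARGS_MISSING_KLICENSEE;
        return (actdat_key || rif_key) ? ARGS_UNEXPECTED_LICENSE : ARGS_OK;
    case DRM_DEBUG:
    case DRM_VITA_FREE:
        return ARGS_UNDOCUMENTED_TYPE;  /* no call shape given on the page */
    default:
        return ARGS_UNKNOWN_TYPE;
    }
}

int main(void) { return check_regist_args(DRM_FREE, SAMPLE_BUF, NULL, NULL) == ARGS_OK ? 0 : 1; }
```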

PS3 NPDRM EDAT decryption steps

See EDAT files.

DRM Type

A temporary name was "License type".

| Value | Type | Remarks |
|-------|------|---------|
| 0 | Debug | Used in SDAT files. |
| 1 | Network | It requires network authentication every time the content is launched. See inability example. |
| 2 | Local | It requires first time activation online (paid content but also demo and free of charge content). |
| 3 | Free | On PS3, it does not require any license file nor console activation (act.dat). |
| 0xD | "PS Vita Free" (guessed name) | Free but with license (.rif) requirement, unlike DRM Type 3. |

Decrypting NPDRM content requires a key, the key licensee or klicensee. Depending on the content's DRM type, the klicensee is obtained in different ways:

  • DRM type Network: klicensee is generated using rif + ?to detail?
  • DRM type Local: klicensee is generated using act.dat + associated rif + console's IDPS
  • DRM type Free: klicensee is the constant PS3 Free klicensee (see NPDRM Keys and appldr keys)
  • DRM type "PS Vita Free": maybe same as Local: to check.

Local DRM content can also include free games/applications, but it still requires the licensing check.

Tools