/psvimgtools

Decrypt Vita CMA backups

Primary LanguageCMIT LicenseMIT

psvimgtools

This is a set of tools that let you decrypt, extract, and repack Vita CMA backup images. To use this you need your backup key which is tied to your PSN AID.

Building

You should have cmake and zlib installed. To enable hardware accelerated crypto, make sure libgcrypt is installed. Windows users should install either Cygwin or Bash on Ubuntu for Windows.

Then just run

mkdir build && cd build
cmake ..
make

Usage

psvimg-extract

This is used to extract .psvimg files. The extracted output includes a directory for each backup set (e.g: ur0:appmeta, ux0:iconlayout.ini, and ur0:tmp/registry are three separate sets). Each backup set contains zero or more files and directories. A special file VITA_PATH.TXT is created for each set to remember what the original path was before extraction (this is used for repacking). A set can be only a single file (for example ux0:iconlayout.ini). In that case, the file VITA_DATA.BIN is created to host the contents of the file.

psvmd-decrypt

This decrypts and decompresses .psvmd files. The contents of which are defined in psvimg.h. This contains information such as the firmware version of the system that created the backup and the unique PSID of the system. Extracting this file is not required for repacking and is provided for reverse engineering/debugging purposes.

psvimg-create

This repacks extracted files and creates the associated .psvimg and .psvmd files. If you have a decrypted .psvmd, you may pass it in with -m and the tool will reuse as many fields as possible (exception: size fields). No validity checks will be performed. If you do not have a decrypted .psvmd, you should use the -n option and specify the name of the backup. You should use the same name (the file name without the .psvimg extension) when repacking because CMA does check for a valid name. For example, if you are repacking license.psvimg, you should specify -n license.

The pack input directory should follow the same format as the output of psvimg-extract. The means a separate directory for each backup set (there may only be one set, in which your input directory will contain one subdirectory) each with a VITA_PATH.TXT file specifying the Vita path and optionally a VITA_DATA.BIN file if the set is a file.

Note that CMA does check the paths of the backup sets. Trying to add a backup set with a custom path may result in failure.

psvimg-keyfind

This is a brute-force backup key find tool. You should generate a valid partials.bin file using the provided "dump_partials" Vita homebrew that runs on HENkaku enabled consoles. You can generate partials for other people as well if you know their AID. The partials.bin file does not contain any console-unique information but is derived from the provided PSN AID. The AID is the 16 hex characters in your CMA backup path. For example, if I wish to decrypt PS Vita/PGAME/xxxxxxxxxxxxxxxx/NPJH00053/game/game.psvimg then my AID is xxxxxxxxxxxxxxxx.

The -n option specifies the number of threads to run. On Linux, each thread tries to run on a separate processor. On OSX/Windows, it is up to the scheduler to make such decisions. You should not specify too high of a number here, as running multiple threads on a single CPU will result in diminishing returns. A good rule of thumb is to specify the number of CPU cores on your system.