@yifanlu
Last active October 13, 2023 14:04
Vita 3.65 activation investigation (E-80558325)

On 7/29/2017, all hacked Vitas on 3.60 spoofing the latest firmware (3.65) were blocked from console activation. This is particularly odd because the PSN passphrase did not change in 3.65. The release of ensō around the same time added to the confusion about what had happened. Here is the result of a preliminary investigation of the situation.

Upon game activation, the Vita displays a dialog that shows the error number E-80558325. This error number is used in SceNpKdc, which is found in vs0:external/np_kdc.suprx. The error code itself is created when the activation response is received:

v5 = v45 | 0x80558300;

Here, v5 is the return code and v45 is the string error code from the server converted to a number. The request made to Sony's server looks like the following:

Content-Type: application/x-www-form-urlencoded
User-Agent: My heart leaps up when I behold A rainbow in the sky
X-I-5-DRM-Version: 1.0

loginid=PSNID&epassword=ENCRYPTEDPASSWORD&platform=psp2&c1=CHALLENGESTRING

The request from a 3.65 stock console has the same headers and loginid and epassword (for the same account) so the only change visible to Sony is the challenge string c1.

The response you get on 3.60 is

HTTP/1.0 200 OK
Server: Apache
X-I-5-DRM-Version: 1.0
X-I-5-DRM-Status: NG; reason=25
Content-Length: 0
Content-Type: application/x-i-5-drm
X-N: S
Date: Sat, 29 Jul 2017 23:01:31 GMT
Connection: keep-alive
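
As an added illustration (not code from the gist), here is how a client in the position of SceNpKdc would turn the response above into the E-80558325 return code: the X-I-5-DRM-Status header is parsed and its reason value is OR'd into 0x80558300, exactly as the v5 = v45 | 0x80558300 line does. It assumes the reason string is read as hexadecimal digits, since that is what makes reason=25 produce ...8325 rather than ...8319; the "OK" status token is likewise an assumption, and the sample response is constructed from the one quoted above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Base seen in the SceNpKdc decompilation: v5 = v45 | 0x80558300 */
#define NP_KDC_ERROR_BASE 0x80558300u

/* Constructed copy of the 3.60 response quoted above (empty body). */
static const char sample_response_ng[] =
    "HTTP/1.0 200 OK\r\n"
    "X-I-5-DRM-Version: 1.0\r\n"
    "X-I-5-DRM-Status: NG; reason=25\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Copy the value of header `name` (CR/LF and padding stripped) into buf. */
static int get_header(const char *resp, const char *name, char *buf, size_t cap)
{
    size_t nlen = strlen(name);
    const char *line = resp, *eol;
    for (; *line; line = eol ? eol + 1 : line + strlen(line)) {
        eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ') v++;
            size_t vlen = (size_t)(line + llen - v);
            while (vlen && (v[vlen - 1] == '\r' || v[vlen - 1] == ' ')) vlen--;
            if (vlen >= cap) return 0;
            memcpy(buf, v, vlen);
            buf[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Map X-I-5-DRM-Status to the SceNpKdc-style code: 0 on "OK", base | reason
 * on "NG; reason=NN", bare base if the header is missing or malformed.
 * Assumption: the reason digits are folded in as hexadecimal, which is what
 * turns reason=25 into the E-80558325 shown in the dialog. */
uint32_t np_kdc_error_from_response(const char *resp)
{
    char status[64];
    if (!get_header(resp, "X-I-5-DRM-Status", status, sizeof status))
        return NP_KDC_ERROR_BASE;
    if (strncmp(status, "OK", 2) == 0) return 0;
    const char *r = strstr(status, "reason=");
    if (strncmp(status, "NG", 2) != 0 || r == NULL) return NP_KDC_ERROR_BASE;
    return NP_KDC_ERROR_BASE | (uint32_t)strtoul(r + 7, NULL, 16);
}
```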

Challenge

The challenge string is constructed in SceNpKdc with a call to SceLibKernel_9557D15C. Further investigation shows that SceLibKernel_9557D15C likely has the following prototype:

int sceKernelPcactGetChallenge(int id, const char entropy[32], char challenge[128]);

It is called with id = 0 and entropy set to uninitialized stack space. Tracing this call, you eventually arrive at a kernel function in SceSblGcAuthMgrPcactForDriver with the NID 0xB7AE58B9. This call looks like the following:

typedef struct {
    uint8_t length;      // must be 16
    uint8_t unk[15];     // must all be 0
    uint8_t entropy[32]; // from user
} challengeInput_t;

int createPcactChallenge(int id, const challengeInput_t *in, uint64_t *rtc_seconds, char challenge[128], char output[16]);

It appears that data from aimgr_sm.self (F00D), along with in, rtc_seconds (the RTC in seconds), the DMAC engine, and possibly other data, are mixed together into a 112-byte block. A 20-byte HMAC-SHA1 is then computed over that buffer with some key. The data itself is likely unimportant: it just has to be random and console-unique.

How Sony Blocked Activation

There are at least two possible ways. The first is that on 3.65, the random-looking data block has some specific structure that Sony looks for (or some console-unique data in this block gives away the fact that the console is on 3.60). The second is that they changed the HMAC-SHA1 key. If it is the latter, then the next step is to find out how this key is constructed. It is likely that the key is constructed in F00D, and therefore spoofing it would require a F00D hack.

Summary

  • Activation block is unrelated to ensō and Sony likely decided to implement this patch on 7/29 specifically to confuse users.
  • Bypassing this block might be possible with more investigation, but there has to be work done (I won't have the time to do it).
  • If you have a 3.60 Vita that is already activated, you should back up tm0:npdrm/act.dat to your computer as soon as possible!
@mynameistc

mynameistc commented Sep 5, 2017

Thanks to TheFlow, the individual has released Adrenaline as a VPK. Activation is no longer needed. :)
https://github.com/TheOfficialFloW/Adrenaline

@shenron

shenron commented Sep 5, 2017

It's very cool! But the activation is still mandatory if you want to play your legit digital games :(

@Elolawyn

Elolawyn commented Sep 7, 2017

I have 1 doubt. I have tried to back up those files but I couldn't find act.dat. I could only back up vd0:/registry/system.dreg, vd0:/registry/system.ireg and myprofile.dat. I have no problem with not being able to play PSP or original games, but I want to use QCMA; is there a problem? By the way, even if I couldn't find that file, I'm still able to use QCMA, and on the PS Vita settings screen it says that it is linked to my account but I have signed out. So..., what's up with my Vita? Is it not activated?

@derivativetaste

It should be noted that preserving and restoring act.dat and the registry files after a format/system restore is not enough to reactivate the console; it seems the system isn't fully activated and is challenged, resulting in not being able to download titles from the PSN Store.

@TheRadziu

it seems the system isn't fully activated and is challenged, resulting in not being able to download titles from the PSN Store.

You can't do it even on a 'fully' activated console. Content activation is also blocked on 3.60; that's Sony's way to push us into piracy.
Oh the irony.

@Kekskruemel

Kekskruemel commented Nov 26, 2017

Is there any way to change the idps with one from an activated console of which we have the activation files?

@JuanLuisMarin

Hello, I bought a PS Vita and updated it to firmware 3.18. When trying to transfer PSP games from the PS3 I get the error E-80558325. Apparently the problem is general to all versions less than or equal to 3.60. Does anyone know if there is any solution?
