@yifanlu
Last active October 13, 2023 14:04
Vita 3.65 activation investigation (E-80558325)

On 7/29/2017, all hacked Vitas on 3.60 spoofing the latest firmware (3.65) were blocked from console activation. This is particularly odd because the PSN passphrase did not change in 3.65. The release of ensō at the same time added to the confusion about what had happened. Here are the results of a preliminary investigation of the situation.

Upon game activation, the Vita displays a dialog that shows the error number E-80558325. This error number is used in SceNpKdc, which is found in vs0:external/np_kdc.suprx. The error code itself is created when the activation response is received:

v5 = v45 | 0x80558300;

Here, v5 is the return code and v45 is the string error code from the server converted to a number. The request made to Sony's server looks like the following:

Content-Type: application/x-www-form-urlencoded
User-Agent: My heart leaps up when I behold A rainbow in the sky
X-I-5-DRM-Version: 1.0

loginid=PSNID&epassword=ENCRYPTEDPASSWORD&platform=psp2&c1=CHALLENGESTRING

The request from a 3.65 stock console has the same headers, loginid and epassword (for the same account), so the only change visible to Sony is the challenge string c1.

The response you get on 3.60 is:

HTTP/1.0 200 OK
Server: Apache
X-I-5-DRM-Version: 1.0
X-I-5-DRM-Status: NG; reason=25
Content-Length: 0
Content-Type: application/x-i-5-drm
X-N: S
Date: Sat, 29 Jul 2017 23:01:31 GMT
Connection: keep-alive
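As an added example (not code from the gist), the following C decodes the X-I-5-DRM-Status header of a response like the one above into the code the console displays, using the v45 | 0x80558300 construction described earlier. It assumes the reason string is read as hexadecimal digits, which is the only reading that turns reason=25 into E-80558325 (a decimal reading would give E-80558319); the function names are mine.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* SceNpKdc builds the displayed code as v45 | 0x80558300 (from the gist). */
#define NP_KDC_ERROR_BASE 0x80558300u

/* Decode an X-I-5-DRM-Status value such as "NG; reason=25" into the code the
 * console shows. Returns 0 for a non-"NG" status or a missing/oversized
 * reason. Assumption: the reason digits are read as hex, the only reading
 * that turns reason=25 into 0x80558325 (decimal would give 0x80558319). */
uint32_t np_kdc_error_from_status(const char *status)
{
    if (status == NULL)
        return 0;
    while (isspace((unsigned char)*status))
        status++;                              /* skip "Header: " spacing */
    if (strncmp(status, "NG", 2) != 0)
        return 0;                              /* "OK" or unknown: no error */
    const char *reason = strstr(status, "reason=");
    if (reason == NULL)
        return 0;
    reason += strlen("reason=");
    char *end;
    unsigned long v = strtoul(reason, &end, 16);
    if (end == reason || v > 0xFFu)
        return 0;                              /* must fit in the low byte */
    return NP_KDC_ERROR_BASE | (uint32_t)v;
}

/* Find the X-I-5-DRM-Status header in a raw HTTP response and decode it.
 * Returns 0 when the header is absent. */
uint32_t np_kdc_error_from_response(const char *response)
{
    static const char name[] = "X-I-5-DRM-Status:";
    const char *hdr = strstr(response, name);
    if (hdr == NULL) return 0;
    const char *val = hdr + sizeof(name) - 1;  /* text after the colon */
    char value[64];
    size_t n = strcspn(val, "\r\n");           /* value runs to end of line */
    if (n >= sizeof(value)) n = sizeof(value) - 1;
    memcpy(value, val, n);
    value[n] = '\0';
    return np_kdc_error_from_status(value);
}

/* The 3.60 response captured in the gist, as constructed test input. */
static const char sample_response[] =
    "HTTP/1.0 200 OK\r\nServer: Apache\r\nX-I-5-DRM-Version: 1.0\r\n"
    "X-I-5-DRM-Status: NG; reason=25\r\nContent-Length: 0\r\n\r\n";
```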

Challenge

The challenge string is constructed in SceNpKdc with a call to SceLibKernel_9557D15C. Further investigation shows that SceLibKernel_9557D15C likely has the following signature:

int sceKernelPcactGetChallenge(int id, const char entropy[32], char challenge[128]);

It is called with id = 0 and entropy set to uninitialized stack space. Tracing this call eventually leads to a kernel function in SceSblGcAuthMgrPcactForDriver with the NID 0xB7AE58B9. This call looks like the following:

typedef struct {
    uint8_t length;      // must be 16
    uint8_t unk[15];     // must all be 0
    uint8_t entropy[32]; // from user
} challengeInput_t;

int createPcactChallenge(int id, const challengeInput_t *in, uint64_t *rtc_seconds, char challenge[128], char output[16]);

It appears that data from aimgr_sm.self (F00D), along with in, rtc_seconds (the RTC in seconds), the DMAC engine, and possibly other data, are entangled together into a 112 byte block. A 20 byte SHA1-HMAC is then computed over that buffer with some key. The data itself is likely unimportant; it just has to be random and console unique.

How Sony Blocked Activation

There are at least two possible ways. The first is that on 3.65 the random-looking data block has some specific structure that Sony looks for (or some console-unique data in this block gives away that the console is on 3.60). The second is that they changed the SHA1-HMAC key. If it is the latter, the next step is to find how this key is constructed. It is likely that the key is constructed in F00D, so spoofing it would require a F00D hack.

Summary

  • Activation block is unrelated to ensō and Sony likely decided to implement this patch on 7/29 specifically to confuse users.
  • Bypassing this block might be possible with more investigation, but there has to be work done (I won't have the time to do it).
  • If you have a 3.60 Vita that is already activated, you should back up tm0:npdrm/act.dat to your computer as soon as possible!
@Kekskruemel

Kekskruemel commented Nov 26, 2017

Is there any way to change the idps with one from an activated console of which we have the activation files?

@JuanLuisMarin

Hello, I bought a PS Vita, I updated it to firmware 3.18, and when trying to transfer PSP games from the PS3 I get the error E-80558325. Apparently the problem is general with all versions less than or equal to 3.60. Does anyone know if there is any solution?
