Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - SilicaAndPina

Pages: [1] 2
Kits / Rebuilding AFV File from act.dat and actsig.dat
« on: August 08, 2021, 01:13:04 PM »
What is an AFV?
An AFV is the file given to developers via DevNet that is needed to activate a Development Kit or Testing Kit console.
When an AFV is applied, the vita generates act.dat and actsig.dat, (as well as some binary blob that it copies to NVS) from that file

This process can be reversed in order to take act.dat and actsig.dat, and generate the corresponding AFV again

Lets take a look at the act.dat file:
it is a binary file found at tm0:/activate/act.dat
the structure is as follows:

int32 - magic number - must be "act\0"
int32 - version - always just 0x01
int32 - issue number- total number of tokens issued
int32 - start date - unix timestamp of activation begin period
int32 - end date - unix timestamp of activation end period
byte[0x10] - openPSID - same as activation key, minus the last set of digits
byte[0x1C] - reserved - all 0x00
byte[0x40] - activation token (encrypted) - for (symmetric) signature checks

after FW 1.80, sony realized that using a symmetric key for signature checks was stupa bad idea, so they also added actsig.dat
this file is just 0x100 bytes, and is a asymmetric signature using either ECDSA or RSA (im not sure which >_<)
this is basically just a blob of encrypted data ..

Now lets take a look at AFV Files:
They are a ascii file, (Not binary), and contain pretty much the same information as act.dat and actsig.dat,

# VITA/ActivationCode\n
# format_version=just like ACT.DAT, there is only version "1"\n
# code_num=number of tokens, (one afv can hold multiple devices activation data) but for our purposes, we will just put 1 here\n
# code_size=size of line1 (act.dat equivalent)\n
# extra_data_size=size of line2 (actsig.dat equivalent)\n
Hex Encoded OpenPSID, All uppercase, Decimal encoded start date, Decimal encoded end date,         Decimal encoded issue number, Hex Encoded Encrypted Token/Signature (symmetric), All uppercase\n
Hex Encoded actsig.dat, All upercase\n

So as you can see its quite trivial to recreate a AFV from act.dat and actsig.dat, you can basically just use a hex editor and notepad, use the hex editor to decode the int32's and copy hex encoded data in accordance to the structure below, and then just write them into notepad in that format, and save it as "vita_activation.afv" and it should work

Or, if your lazy, you can have this program i wrote do all the work for you

Code: [Select]
vita_make_afv act.dat actsig.dat vita_activation.afv
Ok, i got my AFV, now how can i activate my devkit using it?
Well, if you just generated it based on the activation tokens you already have applied if you try activate using this file
it will tell give you an error saying a newer activation file is required
This is because of the issue_number, the vita will refuse any AFV with an issue number that is less than or equal to the current issue number set in tm0:/activate/act.dat and NVS block, so in order to actually use this AFV, you have to either already have broken NVS activation data, or break it so that you can apply it again,
an easy way to break it would just be to use activate.vpk, put a blank (0x20) byte act-nvs.dat, (0x80) byte act.dat in ux0:/data/act.dat and then a blank (0x100) byte actsig.dat in ux0:/data also
then delete or rename the existing act.dat/actsig.dat files in tm0:/activate, open activate.vpk and then it will ask you to restore the activation backup, which of course is just blank data, which will clear all traces of activation from your devkit or testkit, including the last issue number. EASY right?

Oh, and you have to make sure your secure / cp clock is set to a time after the start date, but before the end date, otherwise it wont work!

Ok great, i mannaged to nuke my activation data from my devkit! now im able to use the AFV file i created to.. uh get it all back for some reason?
(wait, why are we doing this again? deleting activation just to copy it straight back? FOR SCIENCE?)

There are 3 ways to activate- you can activate via a memory card, it checks for an AFV at "ux0:/data/activate/vita_activation.afv", you can activate over CMA, (this requires DevkitCMA, QCMA and SonyCMA will not work), and finally you can activate via Neighbourhood for PlayStation Vita (devkit only) just click on the red "Activate" button the system will just reboot itself and the activation data will be re-applied.

all this for the off chance that your NVS activation block is broken but act.dat and actsig.dat are not....
this would force it to be re-generated, thus fixing the problem,
but if that is the case, don't use this to try fix it, instead just generate act-nvs.dat from an existing act.dat using this tool: Way faster.

At the end of the day, being able to generate AFV files and use them to activate your devkit may make you feel cool because your doing it the way sony "intended", well with a little bit of time travel anyway.

there is basically 0 practical use for this as far as i can tell, the one thing i can think of has a much faster way to accomplish the same thing, Oh well. if only sonys private key for actsig.dat would get leaked. then this would suddenly be way more useful.

(Thanks to princess of sleeping for providing a sample AFV file for me)

Blessed Be~

PS Vita / [Release] [PC TOOL] [Python] depersonalize_devnet
« on: May 02, 2021, 05:36:25 AM »
Removes watermark from Sony Developer PDF's and PUPs


you can run the same file from different users and find that after running this its the same bytes :D
making it possible to share w/o sony knowing where it came from

Blessed Be!!

PS 5 / Get a PS5 Camera Adapter without knowing any serial number!
« on: March 04, 2021, 07:32:01 AM »
1) take an existing serial number, eg: P0418091177309 ( yuno found this one on an ebay listing )
2) add a random number with 1-5 digits to it (lets say 2156), now we have P0418091179465
3) goto
4) say your not a robot

5) enter your newly calculated serial number-

6) fill in your details-

7) click submit and your done- enjoy !

if you receive an email saying there processing your request then you win !

-- Blessed Be~

PS 5 / NpTrophy v2 - PS5 Trophy File extractor!
« on: February 21, 2021, 05:37:47 AM »
I have written a program to extract files out of the PS5's trophy00.ucp file.


PS 5 / Unity for PlayStation 5, and first look at ps5 executables.
« on: February 20, 2021, 02:47:33 AM »
- we found the first ps5 for unity release, its

if u install the right unity version u can install and take a look at the files
extracted files:

It contains compiled SELF binaries that are NOT encrypted "clang version 10.0.0 (PS5 clang version e46d84a8 e46d84a8f26dda5456e992ff595a5a433c322b2e)"
src code, dll verisons of the cg compiler (i think?) and at9tool. some source code, and other neat things :D

- CG Compiler!

- Ps5 SELFS!

(not encrypted!)

- Trophy data files !!!

- Ps5 Codename Found!

- Some src

Found using Silica's UnityBrute (heavily upgraded by Olebeck)  and countless others who threw there network processing power into this.
(yuno's node found it i think?), and 5 terabytes of HTTP Requests :D

btw, it mentions where to find ps5 devnet, its at
still ip locked thou :-:

I have released a tool called "default-psn-avatar" awhile back originally just to get the.. default avatar but it has evolved alot since then:
it allows you to do the following:

1) Set avatar back to the default (duh)
2) Remove / Change "Real Name" entry (unrestricted input unlike PS4 or Web)
3) Change PSN Profile colour to ANY 32bit RGB color.
4) Remove Address Information from PSN

Fun stuff:
- If you set ONLY a first name, with no last name ("") then the ps4 profile viewer app will crash upon loading your profile ;P
- If you set your first and last name to a blank space it will appear invisible!
- If you set ONLY your first name to have a bunch of trailing spaces and a single space for last eg: F:"    Silica" M:"" L:" "
due to a rendering bug in the PS4, your name will appear to "move" when its selected in Party Chat.
- Setting an all white background as your cover image and making your profile color all white (#FFFFFF)
makes the page basically unreadable on PS4.

Download it here:

Thanks and Blessed Be~

PS M / [OpenPSS] Sce.PlayStation.Core.dll but its open src.
« on: August 07, 2020, 02:46:18 PM »
There is an essential .NET Mannaged library that EVERY psm game has a reference too.
most of the PSM DLL's are shipped with the game however PlayStation.Core is not.

because of this i decided to "rewrite" the library but with full src.
for Sce.PlayStation.Core essentially this is just like having the actual src code for the file :D

You have to build it using PSM Studio ofc.

see here:

somehow my dll is smaller than the offical one. but whatever,
if you replace it at %SCE_PSM_SDK%\mono\lib\psm with mine you'll see retail games still work np

though i havent tried everything theres a chance it could still be broken somewhere ahah

Blessed Be~

Tutorials / [UNOFFICAL] How to bypass AutoModerator on r/vitahacks
« on: August 05, 2020, 12:12:32 PM »
Okay so you may have noticed that r/vitahacks and other shitty subreddits have an "AutoModerator" that just removes posts based on certain words found within them,

for example on vitahacks if you say "NoNpDrm" it gets automatically removed and you receive a message saying

We do not permit discussion of piracy and piracy related tools for Vita and PSP or questions involving them. Period. This includes if these tools are used for legitimate means. This includes any general question that includes references to these tools. This includes meta questions about this tool and this rule. The reason is less about ethics and more about the association of these topics with low-effort threads that create a burden for the moderating staff. There are other subreddit more dedicated for these low-effort, low-value topics.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

this is a clear violation of our 1st amendment rights!


1) Open Notepad.exe

2) Type the word

3) Right click the middle of the word

4) Open "Insert Unicode Control Character"

5) Click on "PDF"

6) Now copy paste the word into Reddit or whatever else

it wont be removed now! enjoy your INDEPENDENCE! from the CENSORING COMMUNIST MODERATORS!

Blessed Be~

Kits / Hidden Boot Parameters & Other CP Flags.
« on: August 01, 2020, 05:42:39 AM »
So you may be aware of certain "Boot Parameters" on DevKit as "development_mode" or "memory_size_switch"
what you likely didnt know is that these settings are acturally stored on CP Itself under /work/settings.xml
(you can even dump this file from your devkit uisng psp2ctrl settings-xml C:\path\to\output.xml)

with the recent CP Firmware Dump i could finally take a look at how this works,
and what i found was quite interesting.

as you can clearly see, there is alot more options there than just "development_mode"
you can also see an entry for "kernel:" and "none:" when before i only knew of "bootparam:" and "registry:"

One that caught my eye was "enable_extra_tty" so i gave it a try- using that psp2ctrl command that was discovered earlier by Mathieulh
Code: [Select]
psp2ctrl set-setting integer bootparam:/enable_extra_tty 1and oh! bingo!

More debug output is now printed!

A list of extra (untested) parameters to try are as follows:
(note, ive only tested enable_extra_tty i have NOT tried any of the others, use them at your own risk dont come to me if you break your CP. in theroy you can reset them from CP Recovery thou)
Code: [Select]
and potential strings to put infront of them are
Code: [Select]

As always, Blessed Be. and have a great Lughnasadh

Kits / Understanding and using the Content Downloader.
« on: July 06, 2020, 11:30:21 AM »
Some of you may have noticed a "content downloader" option under "Henkaku settings",
OG scene members will remember this from "IDU Mode", but it also exists under ★Debug Settings,

infact because its possible to have IDU Flag and Testkit flag all at the same time-
its possible for this settings option can appear twice inside the settings app. one in idu, and the other in debug
(note you have to hold L when booting settings app in IDU mode, because henkaku actually hijacks the "idu_settings.xml" file..)

but enough trivia. what does it do?
well its quite like the name implies, it allows you to download PSVita apps from an HTTP source.

Specifically the following formats:

    .PKG (fPKG and PSM Only for some reason, its possible VITA pkg works with idu flag, but i haven't tested)
    .PUP (PlaystationUPdate files.)
    .JPEG/JPG (PNG files do not show up for some reason, despite the vita being able to download them from Browser)
    .MP4 (Does not check if its a valid video file)

Content Downloader will HTTP GET whatever url you enter, and attempt to read <a href=""> html tags from the response,
it will list any that .endswith() any of the supported file types, giving you multiple choice selections

upon clicking on the download button the PSVita will go through that list and append whats specified in <a href=""> to the base URI.
it will then send an HTTP HEAD request to that in order to get information on the file (Content-Length mainly)
and then start downloading the same URI with HTTP GET.

Introducing: Meme HTTP (mHTTP):
Content Downloader implements HTTP incorrectly, and includes spaces and special characters directly in file paths UNESCAPED so no %20 on spaces,
this breaks alot of web servers >_<

Content Downloader ASSUMES relative URIs in href tags, if for example your base URI is
and it contains <a href="">when attempting to download this file, the URI that gets requested will be

Because of all these annoyances i opted to write my own "Content Downloader" server:

However careful usage of existing HTTP server software (making sure not to include spaces in filenames, having file lists inside directories as "index.html" etc) should work i guess?

- Blessed Be

Become an Instant pro at any game!

Install under *ALL then load up the game and submit your score to the leaderboards a IME dialog will pop up asking you to enter your REAL score, enter whatever you want and click enter- this score will be submitted to PSN Leaderboards.

NOTE: Sometimes PSN Leaderboards take a bit to update, and you might have to wait about a min for the score to show up.


Blessed Be~

PS Vita / LiveArea™ UI
« on: May 23, 2020, 11:03:03 PM »
I'd just like to interject for a moment.  What you're referring to as LiveArea™,
is in fact, LiveArea™ UI, or as I've recently taken to calling it, LiveArea™ plus UI.
LiveArea™ is not a User Interface unto itself, but rather another properitary component
of the fully functioning LiveArea™ UI made useful by the Home Screen, Index screen
and vital LiveArea™ UI components comprising a full User Interface

All PSVita users run the LiveArea™ UI system every day,
without realizing it.  Through a peculiar turn of events, LiveArea™ UI
which is widely used today is often called "LiveArea™", and many of its users are
not aware that it is basically the LiveArea™ UI system, developed by Sony Computer Entertainment

There really is a LiveArea™, and these people are using it, but it is just a
part of the system they use. LiveArea™ is the app start screen the one with
the buttons at the top, that looks like a peice of paper, that allow the vita
to start the other programs that you run. The LiveArea™ is an essential part of the PSVita,
but useless by itself; it can only function in the context of the complete LiveArea™ UI.
LiveArea™ is normally used in combination with the UI system: the whole system
is basically UI with LiveArea™ added, or LiveArea™ UI. All the so-called "Shell"
plugins are really plugins for LiveArea™ UI.

Kits / psp2ctrl.exe hidden commands
« on: April 23, 2020, 08:50:26 AM »
i decided to take a look inside psp2ctrl to try work out what all the hidden commands are,
like the psp2ctrl set-setting command i mentioned in earlier posts.

turns out psp2ctrl.exe is acturally a .NET executable. SN Systems seems to have made it pretty modular with "PlugIns"
Sony even provides src for some of it inside the
Code: [Select]
%SCE_ROOT_DIR%\PSP2\Tools\Target Manager Server\samples\tmapi\psp2cui\psp2ctrlfolder, however this src is incomplete (doesnt even contain "HelpPlugin.cs")

but because this is .NET it is Very easy to decompile using tools such as DNSpy

After doing this we can easily see all classes!
so i had a look at the HelpPlugIn class thinking maybe i could just
get all the hidden stuff to show by patching something in there..
and then i saw something.. quite interesting:

It checks if arg1 to the help command is "internal" then gets a list from true as an argument to PlugInStore.PlugIns

So lets have a look what happens when you pass "true" to arg1 of PlugInStore.PlugIns

Hm arg1 is a boolean called "IncludeInternal" and if its set
then it removes all IPlugin with "Hidden" set to true from the list of plugins..

So, what does this mean? well basically it means that we dont even need to patch anything.
Code: [Select]
psp2ctrl help internalwill list ALL the commands. and give a breif description of what they do.

here is a list of all the extra commands that appear when you pass the "internal" argument to psp2ctrl help

Code: [Select]
  breakpoints             {pid|name} [devkit]                 

                          List breakpoints for processes on the DevKit.

  cache-size              size [devkit ...]                   

                          Set the capacity of the DevKit(s) console output cache.  If size is less than the minimum cache size the cache will be set to it's minimum

  coredump-object-summary file                                 

                          Disaplays a summary of process objects in the corefile.


                          Get the file serving options.


                          Get the logging level used by TM.

  get-setting             setting [devkit]                     

                          Get the value of the DevKit registry setting.

  get-swinfo              key [devkit]                         

                          Get the value of the DevKit software info setting.

  kernelthreads           [devkit]                             

                          List the kernel threads running on the DevKit.

  monitor                 hwid [hwid] ...                     

                          Monitor notifications from the specified DevKit(s).

  mv                      src dest                             

                          Rename the specified file or directory from the file system of the default DevKit.

  netlog                  file                                 

                          Start logging DevKit comms to file.

  pmemory                 {pid|name} address size [devkit]     

                          Dump process memory for the process running on the DevKit.

  pobjects-summary        {pid|name} [devkit]                 

                          Dumps the kernel objects owned by the process.


                          Poll the default DevKit for it's power consumption.

  presume                 {pid|name} [devkit]                 

                          Revive the specified process from the Application Suspended state.

  protocol-info           protocol [devkit]                   

                          Display information about the specified protocol.

  protocol-register       protocol [devkit]                   

                          Register the specified protocol.

  psuspend                {pid|name} [devkit]                 

                          Put the specified process into the Application Suspended state.

  recover-cp              file [devkit]                       

                          Updates the firmware of the DevKit with the cpupdater.bin file specified.

  set-logging-level       level                               

                          Set the logging level used by TM.

  set-setting             string|integer setting value [devkit]

                          Set the value of the DevKit registry setting.  Use "" for an empty string value.

  settings                [devkit]                             

                          Get the values of the DevKit registry.

  settings-xml            file [devkit]                       

                          Get the settings XML file of the DevKit.

  stat                    path                                 

                          Stat the specified file.

  swinfo                  [devkit]                             

                          Get the values of the DevKit software info.

  threadlist              [devkit]                             

                          List threads running on the DevKit.

  touch                   [path]                               

                          Touch the specified file.

  update-cp               file [devkit]                       

                          Updates the firmware (only) of the DevKit with the PUP file specified.


                          Poll the default DevKit for it's voltages.

as you can see the psp2ctrl set-setting command that i mention in earlier posts is listed here.

anyway- this is nice to know. i bet that extra "internal" argument works on other platforms SDK's too.
perhaps orbisctrl help internal exists?

Blessed Be~

PS Vita / [Release] MakePsmGreatAgain v1.5
« on: April 19, 2020, 02:10:39 AM »
PSMGreatAgain is a plugin that patches parts of the PSM Developer Assistant and PSM Developer Assistant for Unity.
it gives you things like Auto-PSM+ (basically an infinite publishing license), makes all the apps run at SecurityCritical level so they
can use "unsafe" api calls. Adds a function to exit games running in PSM Dev w START+UP makes USB Serial work and so on.

In v1.5 i  patched out the "project_name" checks in PSM Dev and PSM Dev for Unity. basically before MPGA 1.5 the project_name set in had to match that defined in the publishing keys, ("*" for PSM, "_PSM_DEFAULT_" for PSM Unity.) however in this new version
this check is patched so it'll allways *try* to boot into the game.

though note, this patch is ONLY at runtime, at install-time it still checks. which means the only way to really use
apps with a custom project_name is to just extract the PSDP contents into ux0:/cache/PCSI0000(9/7)

Download here:

Blessed Be~

Kits / Reinstalling/Updating firmware from Safe Mode on PDEL1001
« on: April 16, 2020, 04:29:31 PM »
So just wanna say, if your devkit is working fine w no problems
i highly reccomend opening up Debug Settings, heading to "System Update"
and setting "Update Server URL" to anything (eg, perferably somewhere
you can setup an HTTP server, but as long as its not blank, QCMA will handle the rest.
This will ensure you can reinstall the usual way if anything happens ^

However.. if this is not the case and you can only access SafeMode or something, there are still some options!

Note: Having a offical *sony* memory card and another console to write to it with is required for most of this,
that and/or a PC with sony's software development kit installed.

Lets go over some options!

DevKit is in Release Mode (Select [Development Mode] under [Release Check Mode].)
In release mode, the DevKit will not allow you to install any updates,
its possible to change this from within Safe Mode, using undocumented psp2ctrl commands,
to do this. simply connect a micro-usb cable to the device and using psp2ctrl run the following commands:
Code: [Select]
psp2ctrl set-setting integer bootparam:/release_check_mode_console 0
psp2ctrl set-setting integer bootparam:/development_mode 1
(credit to Matheluth for finding these commands)
Now fully power cycle the devkit and you should be able to access update funcitions now,

No Update Server Set (One or more settings is Invalid)
So your console IS in development mode, and you go to "Update via Connecting to PC"
only to receive the error message "One or more settings is invalid!" this is because DevKit requires
you to specify where to download updates from in settings, and this address is used even when downloading via CMA.
Luckily though there is an undocumented way to override the Update Server setting
by placing a .TXT file simply containing the server URL you want in either
Code: [Select]
Creating these files will override the consoles setting and download the updatelist.xml file from the URL specified in these TXT files, rather than using the settings provided in the registry. if using QCMA this is all you need to do, but if your using anything else, you'll have to host a HTTP server, that can serve an updatelist.xml to the vita,

Note that psp2-updatelist.xml on DevKit must have a region id of "257" and "258" on testkits.
heres an example psp2-updatelist.xml:
Code: [Select]
<region id="257">
<np level0_system_version="01.600.000" level1_system_version="03.730.000" level2_system_version="03.730.000" map="03.730.000"/>
<np_d level0_system_version="01.600.000" level1_system_version="03.730.000" level2_system_version="03.730.000" map="03.730.000"/>
<version system_version="03.730.000" label="3.73">
<update_data update_type="full">
<image size="133770752">
<recovery spkg_type="systemdata">
<image spkg_version="01.000.010" size="56768512">
<recovery spkg_type="preinst">
<image spkg_version="01.000.000" size="128788480">

Update via Storage Media
This feature doesnt care about the Server URL location or anything it just attempts to use the the PSP2UPDAT.PUP located in
the following locations in the following order:
Code: [Select]
if any are found it is used for updating instead. obviously you could write a PSP2UPDAT.PUP to either ux0, or grw0 using another console and offical memory card. or just simply use host0.

Blessed Be~

Pages: [1] 2