NHLView PS4 Update 2017/10

So I was holding off on posting an update until I had some good news. Unfortunately, as of now I have not made enough progress to get you excited. The security of PS4 is pretty tight so it is a tough grind trying to get through all the layers of protection. Here is an update of where we are at:

  • A PS4 savegame, just like a PS3 one, is a directory of files. It contains not just the game data but also metadata such as save type, icon image and integrity hashes, which make modifying the files a challenge even if the encryption is bypassed. Unlike PS3, where this directory was stored as is, the save games of PS4 are stored in a single file which is an image of a filesystem. This filesystem is called PFS (for PlayStation file system, protected file system or pain in the *** file system, take your pick) and it is based on the open source filesystem UFS. This is not surprising because UFS is the main filesystem of FreeBSD, the operating system on which PS4 is based.
  • Along with the image of the PFS filesystem, PS4 stores a randomly generated key (in a .bin file). The key is generated when the save game is first created and does not change for the lifetime of the save game. The PFS filesystem in itself is not a hard file format. A lot of research has already been done on it and, combined with knowledge of the open source UFS, it would have been trivial to read the PS4 save game. Where it gets tricky is the fact that the PFS filesystem image is encrypted using the above-mentioned key. Moreover, since the key is provided with the save game, it is also encrypted and hashed for integrity check.
  • The good news is that both the decryption key for the savegame key and the integrity hash key are known. So for any given savegame, it is possible to read and even modify the encryption key. The bad news is that this key is only part of the equation. To decrypt the PFS, PlayStation actually combines this random key with some other key to produce the actual key it can use to decrypt the savegame. This second portion of the key is guarded by a dedicated processor on the PS4 (SAMU) which is responsible for all security-related operations. Even though the operating system on the PS4 is running with the highest privileges, it has no access to anything inside this processor.
  • So at this point, I have no measurable progress to offer. I spent hours analyzing the code retrieved from the PS4 you guys provided me, and I finally understood the bigger chunk of it. But for now I’m stuck behind the wall of SAMU. This is not to say that I will not keep trying. I did gain the knowledge of how savegames work and what the next step needs to be. It might take a breakthrough from another researcher or a “lucky bounce” from one of my shots at the PS4 but I’m not losing hope yet. Moreover, this week has been really great for PS4 security-related breakthroughs, so it means that the grind is ongoing and I’m not the only one working on this. “All we need is just a little patience…”
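The key hierarchy described in the list above can be modelled in a few lines to show why knowing the two key-file keys is not enough. This is an added example, not the author's code and not Sony's implementation: the HMAC-SHA256 constructions stand in for the real (unspecified) algorithms, and `WRAP_KEY`, `MAC_KEY` and `SecureProcessor` are hypothetical names with constructed values.

```python
import hashlib, hmac, os

# Constructed stand-ins for the two keys the post says are known.
WRAP_KEY = b"known-wrap-key (constructed)"
MAC_KEY = b"known-integrity-key (constructed)"

def _stream_xor(key, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode); stand-in for the real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal_key(save_key):
    """Build the key file: wrapped per-save key followed by an integrity tag."""
    wrapped = _stream_xor(WRAP_KEY, save_key)
    return wrapped + hmac.new(MAC_KEY, wrapped, hashlib.sha256).digest()

def open_key(blob):
    """Verify the tag, then unwrap. Needs only the two known keys."""
    wrapped, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key file integrity check failed")
    return _stream_xor(WRAP_KEY, wrapped)

class SecureProcessor:
    """Models the dedicated processor: its secret is used inside, never returned."""
    def __init__(self):
        self.__secret = os.urandom(32)  # second key portion, per the post

    def decrypt_image(self, key_blob, image):
        # Content key = f(hardware secret, per-save key); f is assumed to be HMAC here.
        content_key = hmac.new(self.__secret, open_key(key_blob), hashlib.sha256).digest()
        return _stream_xor(content_key, image)

    encrypt_image = decrypt_image  # XOR stream: same operation both ways

def demo():
    console = SecureProcessor()
    save_key = os.urandom(32)
    blob = seal_key(save_key)
    image = console.encrypt_image(blob, b"PFS image: roster data (constructed)")
    recovered = open_key(blob)                # off-console: key file opens fine
    off_console = _stream_xor(recovered, image)  # but this is not the content key
    return recovered == save_key, off_console, console.decrypt_image(blob, image)
```

The per-save key is recovered off-console, yet the image only decrypts through the object that holds the second secret, which is the design property the post runs into.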

PS4 Acquired

  • As a result of the generous donations, I was able to collect enough funds in just a month to purchase the required PS4 console. I cannot thank all the contributors enough.
  • In my few days with this “toy”, here is what I was able to discover so far:
    • I was able to extract the default NHL 15 PS4 roster and confirm that it has a nearly identical format to the one of NHL 15 PS3. I will post an updated TDBView and the default roster in the next news update.
    • I’m able to execute arbitrary code on PS4 to test my hypotheses and discover how internals work – see the screenshot.
    • Since this console is on older firmware, I’m only able to run NHL 15 so far. As far as I can see, this will not be a limitation for current and future versions of the game. Once the savegame format is accessible, the coding will be done on PC and PS4 firmware will not matter. I have not yet purchased NHL 16 or NHL 17 though.
  • Now I could attempt to start modifying NHLView to be able to open the default rosters; however, I feel that at this point it is a waste of time since savegames are still a mystery. My next task is to be able to read the savegames. I will update you on progress when I have anything meaningful to post.
  • And did I forget to say A HUGE THANK YOU to all those who made any of this possible?

PS4 Fund-raising

In the last few months, the PS4 scene has seen a lot of new development with regard to reverse-engineering in general and save game editing in particular. From what I’ve read, there is enough potential in the current state of affairs for me to be able to do research on the possibility of decrypting and re-signing NHL roster save games. However, for this to happen I require a PS4 console with a specific firmware version which currently goes for $550 USD ($730 CAD) on eBay. Since I barely play games anymore, this is a hefty price to pay simply for a research project. I’m still very much interested in keeping NHLView alive, but I cannot afford the price tag. Therefore, I’m launching a donation campaign through PayPal to amass the necessary funds to purchase the said console.

I’m also making a promise that this is not some kind of scam to get your money. If I’m not able to collect the required amount, I will return the money to every single contributor (minus the PayPal fee). I will stop the campaign as soon as there is enough money and will post a picture of both the invoice and the console itself once I get everything.

Two things I cannot promise though:

  1. At this point, this is only research. There is no definitive evidence that I will be able to defeat the encryption. Without decryption, no NHLView will exist for PS4.
  2. My efforts at this point are for PS4 only. I do not follow the Xbox One developments and have no knowledge of what state modding is in for this console. You should not contribute if you are an Xbox One user.

To donate, use my PayPal.me page.