So I was holding on to post an update until I have some good news. Unfortunately, as of now I have not made enough progress to get you excited. The security of PS4 is pretty tight so it is a tough grind trying to get through all the layers of protection. Here is an update of where we are at:
- The savegames of PS4, just like the ones of PS3, is a directory of files. It does not contain just the game data, it also contains the metadata such as save type, icon image and integrity hashes which make modifying the files a challenge even if the encryption is bypassed. Unlike PS3, where this directory was stored as is, the save games of PS4 are stored in a single file which is an image of the filesystem. This filesystem is called PFS (for Playstation file system, protected file system or pain in the *** file system, take your pick) and it is based on an open source filesystem UFS. This is not surprising because UFS is the main filesystem of FreeBSD, an operation system on which PS4 is based on.
- Along with the image of the PFS filesystem, PS4 stores a randomly generated key (in a .bin file). The key is generated when save game is first created and does not change for the life time of the save game. PFS filesystem in itself is not a hard file format. A lot of research has already been done on it and combined with the knowledge of open source UFS, it would have been trivial to read the PS4 save game. Where it gets tricky is the fact the PFS filesystem image is encrypted using the above-mentioned key. Moreover, since the key is provided with the save game, it is also encrypted and hashed for integrity check.
- The good news is that both the decryption key for the the savegame key and the integrity hash key are known. So for any given savegame, it is possible to read and even modify the encryption key. The bad news is that this key is only part of the equation. To decrypt the PFS, Playstation actually combines this random key with some other key to produce the actual key it can use to decrypt the savegame. This second portion of the key is guarded by a dedicated processor on the PS4 which answers for all security-related operations (SAMU). Even though the operating system on the PS4 is running with the highest privileges, it has no access to anything inside this processor.
- So at this point, I have no measurable progress to offer. I spent hours analyzing the code retrieved from the PS4 you guys provided me, and I finally understood the bigger chunk of it. But for now I’m stuck behind the wall of SAMU. This is not to say that I will not keep trying. I did gain the knowledge of how savegames work and what the next step needs to be. It might take a breakthrough from another researcher or a “lucky bounce” from one of my shots at the PS4 but I’m not losing hope yet. Moreover, this week has been really great for PS4 security-related breakthroughs, so it means that the grind is ongoing and I’m not the only one working on this. “All we need is just a little patience…”