Recrypt.sys

recrypt.sys is a file that contains a list of the recrypt keys for each .rec that has been created by the console. The list is itself both encrypted and signed to prevent tampering.

Purpose

Most iQue apps have the "recrypt flag" set in their CMD. When a console launches these apps for the first time, a new key is generated and the plaintext app is re-encrypted using this key and the content iv from the app's CMD. This ensures that each iQue has uniquely encrypted .rec files, rather than all iQues using the same encrypted files from the server or factory.

After generating this new "recrypt key", the console stores it in recrypt.sys, and encrypts it using the recrypt list key from the console's Virage2 and an initialization vector generated from the console's BBID like so:

uint32_t recrypt_list_iv[4] = { BBID, BBID + 1, BBID + 2, BBID + 3 } // BBID is big-endian

Format

recrypt.sys is cryptographically signed, but like sig.db it is signed with an elliptic curve signature (using the console's ECC private key) rather than RSA-2048. This is most likely because it must be altered and re-signed even when the console is not connected to the iQue server, and the iQue itself does not contain the RSA private key needed to sign files.

After the signature is a 4-byte unsigned int containing the number of entries in the recrypt key list.

Each 32-byte entry is encrypted with the above-mentioned recrypt list key and BBID-derived initialization vector. The plaintext of each entry contains the content ID of the associated .rec, the recrypt key, and an unknown 12-byte field that seems to be the same for each entry.