PS Vita Hack Part 1: Installing h-encore/HENkaku and VitaShell
In this tutorial we’ll create an exploit and install it on a fully stock PS Vita. The exploit will allow us to play PS Vita, PSP, and PlayStation game backups, as well as homebrew software. The current Vita homebrew scene is very impressive, and many emulators for 8-bit and 16-bit consoles are available.
This exploit can be installed on any PS Vita with software up to version 3.68. My system was updated to the latest firmware (3.68) and I have tested everything here and it’s working great. Note that if you have 3.65 or below, it behooves you not to update past 3.65. In addition to what I show you below, you can optionally install a package called ENSO that allows you to permanently install custom firmware versus having to execute exploit code each time you cold-power up your Vita. There’s no real penalty for not having ENSO installed, other than it’s a little less convenient. Since my Vita was on 3.68 I was unable to install ENSO, but if you have a VIta with 3.65 or lower, you can find ENSO here: https://enso.henkaku.xyz.
The original article that I followed to install this exploit is located here: https://github.com/TheOfficialFloW/h-encore. I have expanded upon their instructions to hopefully explain some more things and make some thing clearer.
Vita Hardware/Software Prerequisites
To check the software version of your Vita, go to Settings > System > System Information.
The latest version right now is 3.68. You can go to Settings > System Update to update if you aren’t worried about installing ENSO, or if you’re already on a version greater than 3.60 that isn’t 3.68. If you are on a version less than 3.60, you should probably stick with 3.60 or below. You can upgrade from a lesser version to 3.60 via USB. You’ll have to Google how to do that, as it’s beyond the scope of this tutorial.
Here are some additional “gotchas.”
- PS Vita “fat” models require 270MB free space on a Vita memory card to install.
- PS Vita slim models don’t, as they have internal storage.
- The device must be linked with a PSN account – the PSN account doesn’t need to be activated and you don’t need PS+.
Preparing Packages for Install
Download h-encore and decompress the h-encore folder to your Windows desktop for easy access. You can download h-encore here: https://github.com/TheOfficialFloW/h-encore/releases.
Download and install QCMA from here: https://codestation.github.io/qcma/. Install is typical “next next next finish” Windows installer. Accept all default values.
Download the DRM-free demo of “Bitter Smile” – This is the exploitable binary we’ll use to construct our exploit.
Copy the Bitter Smile PKG file to your h-encore folder. Do yourself a favor and rename it something shorter. I renamed mine bitter.pkg.
From the Windows command prompt, cd to the following folder and run the command:
cd C:\Users\YourName\Desktop\h-encore pkg2zip -x bitter.pkg
…where YourName is your Windows username and bitter.pkg is whatever your shortened Bitter Smile to. I assume you can do this without explicit instruction.
You’ll get output that looks something like the following:
pkg2zip v1.8 [*] loading... [*] unpacking Vita APP [*] unpacking completed [*] creating sce_sys/package/head.bin [*] creating sce_sys/package/tail.bin [*] creating sce_sys/package/stat.bin [*] minimum fw version required: 2.61 [*] done!
This will output files to \h-encore\app\PCSG90096
Copy all of the files from \h-encore\app\PCSG90096 to \h-encore\app\ux0_temp_game_PCSG90096_app_PCSG90096
Copy the temp.bin file from \h-encore\app\PCSG90096\sce_sys\package to \h-encore\license\ux0_temp_game_PCSG90096_license_app_PCSG90096 and rename the file to 6488b73b912a753a492e2714e9b38bc7.rif See what I highlighted in red and note that this is NOT the same location where you just copied the game files. Also note that it has to be .rif, and not .rif.bin. You may need to enable the setting in Windows Explorer to show file extensions to properly rename the extension for this file.
Getting Your Unique System ID and Encryption Key
Launch QMCA and open the Other tab. Ensure Use this version for updates is set to FW 0.00 (Always up-to-date) (mine defaulted to this), and click OK. QMCA will continue to run in the taskbar.
Launch Content Manager on the Vita and then connect it to the PC via USB. Choose the option that says Copy Content on the Vita Content Manager screen. The Vita will ask Select device to connect to – Choose PC. Select the method to connect, choose USB cable. You’ll get a system notification from QMCA that says that a device was added to the database.
On the Vita screen, tap the line that says PC > PS Vita System then Applications. If you left the QMCA paths at default, there will be a new folder created in: C:\Users\YourName\Documents\PS Vita\APP.
This new folder has a 16 character long name of letters/numbers and represents your Account ID. Take note of this string and save it in a safe place. This Account ID is unique to your PSN Account. You need to insert that key at this website to get an unlock key that you can use to encrypt Vita Packages: http://cma.henkaku.xyz.
Note that you have to use the key for your own PSN Account. If you try to use someone else’s unique key, you won’t be able to install the exploit (or any other software for that matter).
At this point you should have a 16-character Account ID number as well as a 64-character encryption key.
Compiling and Installing the Exploit
Open a Windows command prompt and change directory to where you unzipped h-encore. Type in the commands:
psvimg-create -n app -K YOUR_KEY app PCSG90096/app psvimg-create -n appmeta -K YOUR_KEY appmeta PCSG90096/appmeta psvimg-create -n license -K YOUR_KEY license PCSG90096/license psvimg-create -n savedata -K YOUR_KEY savedata PCSG90096/savedata
…where YOUR_KEY is your 64-character encryption key.
After all 4 command execute successfully, navigate to \h-encore\PCSG90096
That folder will contain a folder called sce_sys it should also contain the folders:
license, savedata, app, and appmeta. Each of those folders should contain the files X.psvimg and X.psvmd where X has the same name as the folder in which it resides.
Your final tree should look like this (D means Directory, F means File):
[D] h-encore\PCSG90096\ | --[D]app | | [F] app.psvimg | | [F] app.psvmd | --[D]appmeta | | [F] appmeta.psvimg | | [F] appmeta.psvmd | --[D]license | | [F] license.psvimg | | [F] license.psvmd | --[D]savedata | | [F] savedata.psvimg | | [F] savedata.psvmd | --[D]sce_sys | [F] icon0.png | [F] param.sfo
Copy the entire folder \h-encore\PCSG90096 to C:\Users\YourName\Documents\PS Vita\APP\XXXXXXXXXXXXXXXX\
Right click on the QCMA icon in the taskbar and choose Refresh Database. You’ll get a Windows message that says items have been added to the database.
Back on the Vita, under Applications choose PS Vita. The h-encore bubble with a size of 243MB should appear. Select h-encore with the check box and tap Copy.
You’ll get a message that says The selected items will be copied to this system. Tap OK.
If the size does not match or if you get an error C2-12858-4 then it’s because you did something wrong. Ensure your folder structure looks exactly like mine above. If that doesn’t work, go back and follow the instructions from the beginning.
When the application finishes copying, close Content Manager and scroll down to the last page on your Vita home screen. You’ll see the h-encore bubble. Launch it and OK past the warning about not being able to earn trophies. From here the screen should flash and you should see the option to install HENkaku and download VitaShell. Do both of those things, in that order.
Finally choose Exit. Note that you’ll have to launch h-encore and re-apply HENkaku every time you reboot your system (unless you just put it to sleep). You should now be able to launch VitaShell.
Get Rid of the Trophy Warning
This next step isn’t required but it gets rid of warnings about trophies when launching the exploit, since the save code that’s been provided for the exploit isn’t linked to your personal PS account. Keep in mind that you should do this, especially the first part where you enable unsafe homebrew, since you won’t be able to install any other homebrew if you don’t enable that setting.
- Launch Settings from the Vita Home Screen
- Choose HENkaku Settings from the Settings menu
- Click the checkbox next to Enable Unsafe Homebrew
- Launch VitaShell from the home screen
- Navigate to: ux0:user/00/savedata/
- Scroll down to highlight the folder PCSG90096 and press Triangle select Open Decrypted
- Scroll down and highlight system.dat, press Triangle, and choose Copy
- Go up one level (..), press Triangle, and then Paste. The system.dat file should have copied to the folder with all of the other “PCSE…” directories.
- Highlight the PCSG90096 folder again and press Triangle, and Delete it
- Close VitaShell and launch h-encore
- This will not launch the exploit anymore, rather it will launch Bitter Smile. When you see the title screen, close it.
- Go back in to VitaShell and again ensure you are in ux0:user/00/savedata
- A new folder for PCSG90096 has been created
- Highlight the system.dat file that we pasted before and press Triangle and choose Copy
- Highlight the PCSG90096 directory, press Triangle and choose Open Decrypted
- Once in the folder, press Triangle and choose Paste to copy the system.dat file back in
- Close VitaShell and launch h-encore again. This time it should take you to the exploit menu
This concludes Part 1 of the tutorial. In the next part I’ll be showing you how to install homebrew packages, including games and a PSP/PlayStation system emulator.