keystone file is located in sce_sys folder of apps/patches/addcont/savedatas/trophies. It is PFS encrypted.
It embeds a key called keystone that is used to verify that :
1) somebody who wants to extract/verify PKG is the owner of the product
2) a patch data is published by the creator of the app data
Keystone is generated from Passcode.
|0x8||0x2||Type (always 2)|
|0xA||0x2||Version (always 1)|
|0x20||0x10||IV for encrypted key|
SCE provides in official SDK a tool called pc2ks that converts passcode to keystone.
The first step is to check the HMAC of the file. The process is to use the HMAC key from the Keys#PFS_Secret_Keys page to check the HMAC at position 0x40 in the file. If it is correct, it proceeds to use another key to decrypt the value at 0x30 using the value at 0x20 as the IV.