Difference between revisions of "Ticket"
Hallowizer (talk | contribs) (→File structure: clarification) |
Hallowizer (talk | contribs) (Formatting updates and mentioned /ticket) |
||
| Line 1: | Line 1: | ||
| − | Tickets are found in many encrypted files used by the Wii (e.g. [[WAD Files]] or [[Wiidisc]] | + | '''Tickets''' are found in many encrypted files used by the Wii (e.g. [[WAD Files]] or [[Wiidisc|Wii Discs]]). Tickets for NAND [[title|titles]] are stored in [[:/ticket]], while tickets for discs are stored on the disc itself. Tickets contain the encrypted [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES] "title key" and the Title ID of the data and are signed by a certificate from a [[certificate chain]] (which usually is the same for all titles and stored somewhere on the NAND). So far only tickets with [http://en.wikipedia.org/wiki/RSA RSA-2048] signatures have been seen. Discs will only work with those signatures because the size of partition ticket is always 0x2a4. |
| − | So far only tickets with [http://en.wikipedia.org/wiki/RSA RSA-2048] signatures have been seen. | ||
While all Wii titles are available on [[NUS]], most are encrypted with a key found in the ticket; this key is what is purchased with the [[Wii Shop Channel]]. Deleting a title using the data management feature of the [[System Menu]] leaves the ticket intact; this is responsible for allowing software to be redownloaded. However, tools such as [[AnyTitle Deleter]] delete tickets when they delete titles, which removes all traces of the title. | While all Wii titles are available on [[NUS]], most are encrypted with a key found in the ticket; this key is what is purchased with the [[Wii Shop Channel]]. Deleting a title using the data management feature of the [[System Menu]] leaves the ticket intact; this is responsible for allowing software to be redownloaded. However, tools such as [[AnyTitle Deleter]] delete tickets when they delete titles, which removes all traces of the title. | ||
Revision as of 03:36, 23 June 2021
Tickets are found in many encrypted files used by the Wii (e.g. WAD Files or Wii Discs). Tickets for NAND titles are stored in /ticket, while tickets for discs are stored on the disc itself. Tickets contain the encrypted AES "title key" and the Title ID of the data and are signed by a certificate from a certificate chain (which usually is the same for all titles and stored somewhere on the NAND). So far only tickets with RSA-2048 signatures have been seen. Discs will only work with those signatures because the size of partition ticket is always 0x2a4.
While all Wii titles are available on NUS, most are encrypted with a key found in the ticket; this key is what is purchased with the Wii Shop Channel. Deleting a title using the data management feature of the System Menu leaves the ticket intact; this is responsible for allowing software to be redownloaded. However, tools such as AnyTitle Deleter delete tickets when they delete titles, which removes all traces of the title.
File structure
| Start | End | Length | Description |
|---|---|---|---|
| 0x0000 | 0x0003 | 0x04 | Signature type (always 0x10001 for RSA-2048) |
| 0x0004 | 0x0103 | 0x100 | Signature by a certificate's key |
| 0x0104 | 0x013F | 0x3C | Padding (Always 0 - everything after this field is covered by the above signature) |
| 0x0140 | 0x017F | 0x40 | Signature issuer |
| 0x0180 | 0x01BB | 0x3C | ECDH data, used to generate one-time key during install of console specific titles |
| 0x01BC | 0x01BE | 0x03 | Unused/Padding |
| 0x01BF | 0x01CE | 0x10 | Title Key, encrypted by Common Key |
| 0x01CF | 0x01CF | 0x01 | Unknown |
| 0x01D0 | 0x01D7 | 0x08 | ticket_id (used as IV for title key decryption of console specific titles) |
| 0x01D8 | 0x01DB | 0x04 | Console ID |
| 0x01DC | 0x01E3 | 0x08 | Title ID / Initialization Vector (IV) used for AES-CBC encryption |
| 0x01E4 | 0x01E5 | 0x02 | Unknown, mostly 0xFFFF |
| 0x01E6 | 0x01E7 | 0x02 | Ticket title version |
| 0x01E8 | 0x01EB | 0x04 | Permitted Titles Mask |
| 0x01EC | 0x01EF | 0x04 | Permit mask. The current disc title is ANDed with the inverse of this mask to see if the result matches the Permitted Titles Mask. |
| 0x01F0 | 0x01F0 | 0x01 | Title Export allowed using PRNG key (1 = allowed, 0 = not allowed) |
| 0x01F1 | 0x01F1 | 0x01 | Common Key index (2 = Wii U Wii mode, 1 = Korean Common key, 0 = "normal" Common key) |
| 0x01F2 | 0x0221 | 0x30 | Unknown. Is all 0 for non-VC, for VC, all 0 except last byte is 1. |
| 0x0222 | 0x0261 | 0x40 | Content access permissions (one bit for each content) |
| 0x0262 | 0x0263 | 0x02 | Padding (Always 0) |
| 0x0264 | 0x0267 | 0x04 | Enable time limit (1 = Enabled, 0 = Disabled) |
| 0x0268 | 0x026B | 0x04 | Time limit (Seconds) |
| 0x026C | 0x02A3 | 0x38 | 7 more time_limit structs as above ({int enable, seconds}) |
To get the title key decrypt the 16 bytes at offset 0x1bf with the Common Key using the Title ID (offset 0x1dc) as the initialization vector (the last 8 bytes of the IV should be zero).