Difference between revisions of "Ticket"
(corrections/additions) |
|||
Line 21: | Line 21: | ||
|- | |- | ||
| 0x0104 | | 0x0104 | ||
− | | | + | | 0x013F |
− | | | + | | 0x3C |
| Padding (Always 0 - everything after this field is covered by the above signature) | | Padding (Always 0 - everything after this field is covered by the above signature) | ||
|- | |- | ||
| 0x0140 | | 0x0140 | ||
− | | | + | | 0x017F |
| 0x40 | | 0x40 | ||
| Signature issuer | | Signature issuer | ||
|- | |- | ||
| 0x0180 | | 0x0180 | ||
− | | | + | | 0x01BB |
− | | | + | | 0x3C |
− | | | + | | ECDSA data, used to generate one-time key during install of console specific titles |
|- | |- | ||
− | | | + | | 0x01BC |
− | | | + | | 0x01BE |
+ | | 0x03 | ||
+ | | Unused/Padding | ||
+ | |- | ||
+ | | 0x01BF | ||
+ | | 0x01CE | ||
| 0x10 | | 0x10 | ||
| Encrypted title key | | Encrypted title key | ||
|- | |- | ||
− | | | + | | 0x01CF |
− | | | + | | 0x01CF |
| 0x01 | | 0x01 | ||
| Unknown | | Unknown | ||
|- | |- | ||
− | | | + | | 0x01D0 |
− | | | + | | 0x01D7 |
| 0x08 | | 0x08 | ||
− | | ticket_id | + | | ticket_id (used as IV for title key decryption of console specific titles) |
|- | |- | ||
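Review bot: the new ticket_id description at 0x01D0 calls it the IV for title key decryption of console specific titles, but the ECDSA row at 0x0180 only says its data is "used to generate one-time key" without saying which key that is or how it relates to this IV. Suggest stating in one of the two rows which key is paired with the ticket_id IV, so a reader can tell this path apart from the Common Key path.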
Line 56: | Line 61: | ||
| Console ID | | Console ID | ||
|- | |- | ||
− | | | + | | 0x01DC |
− | | | + | | 0x01E3 |
| 0x08 | | 0x08 | ||
| Title ID / [http://en.wikipedia.org/wiki/Initialization_Vector Initialization Vector] (IV) used for AES-[http://en.wikipedia.org/wiki/Cipher_Block_Chaining#Cipher-block_chaining_.28CBC.29 CBC] encryption | | Title ID / [http://en.wikipedia.org/wiki/Initialization_Vector Initialization Vector] (IV) used for AES-[http://en.wikipedia.org/wiki/Cipher_Block_Chaining#Cipher-block_chaining_.28CBC.29 CBC] encryption | ||
|- | |- | ||
− | | | + | | 0x01E4 |
− | | | + | | 0x01E5 |
| 0x02 | | 0x02 | ||
| Unknown, mostly 0xFFFF | | Unknown, mostly 0xFFFF | ||
|- | |- | ||
− | | | + | | 0x01E6 |
− | | | + | | 0x01E7 |
| 0x02 | | 0x02 | ||
− | | | + | | Ticket Version |
|- | |- | ||
− | | | + | | 0x01E8 |
− | + | | 0x01EF | |
− | |||
− | | | ||
| 0x08 | | 0x08 | ||
| Unknown | | Unknown | ||
|- | |- | ||
− | | | + | | 0x01F0 |
− | | | + | | 0x01F0 |
+ | | 0x01 | ||
+ | | Export allowed using PRNG key (1 = allowed, 0 = not allowed) | ||
+ | |- | ||
+ | | 0x01F1 | ||
+ | | 0x01F1 | ||
| 0x01 | | 0x01 | ||
| Common Key index (1 = Korean Common key, 0 = "normal" Common key) | | Common Key index (1 = Korean Common key, 0 = "normal" Common key) | ||
|- | |- | ||
− | | | + | | 0x01F2 |
| 0x0221 | | 0x0221 | ||
| 0x30 | | 0x30 | ||
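Review bot: the new row at 0x01F0 introduces "PRNG key" without defining it or linking to a page that does, and nothing else in the visible rows explains the term. Suggest adding a link or a short definition. The Title ID row in this hunk is still described as the IV for AES-CBC encryption, so it would also help to say that it applies to tickets that are not console specific, now that ticket_id is listed as an IV as well.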
Line 89: | Line 97: | ||
|- | |- | ||
| 0x0222 | | 0x0222 | ||
− | | | + | | 0x0261 |
− | | | + | | 0x40 |
− | | | + | | Content access permissions (one bit for each content) |
|- | |- | ||
− | | | + | | 0x0262 |
− | | | + | | 0x0263 |
| 0x02 | | 0x02 | ||
| Padding (Always 0) | | Padding (Always 0) | ||
|- | |- | ||
− | | | + | | 0x0264 |
− | | | + | | 0x0267 |
| 0x04 | | 0x04 | ||
| Enable time limit (1 = Enabled, 0 = Disabled) | | Enable time limit (1 = Enabled, 0 = Disabled) | ||
|- | |- | ||
− | | | + | | 0x0268 |
− | | | + | | 0x026B |
| 0x04 | | 0x04 | ||
| Time limit (Seconds) | | Time limit (Seconds) | ||
|- | |- | ||
− | | | + | | 0x026C |
− | | | + | | 0x02A3 |
− | | | + | | 0x38 |
− | | | + | | 7 more time_limit structs as above ({int enable, seconds}) |
|} | |} | ||
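Review bot: the "Content access permissions (one bit for each content)" row at 0x0222 does not say how bits map to content indices (which byte and which bit within it correspond to content 0). Suggest documenting the bit order. The final row could also give the field widths for {int enable, seconds} explicitly, matching the two 0x04 rows above it.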
Revision as of 13:51, 28 April 2011
Tickets are found in many encrypted files used by the Wii (e.g. WAD files or Wii discs). They contain the encrypted AES "title key" and the Title ID of the data, and are signed by a certificate from a certificate chain (which is usually the same for all titles and stored somewhere on the NAND). So far only tickets with RSA-2048 signatures have been seen. (Discs will only work with those signatures because the size of a partition ticket is always 0x2a4.)
File structure
Start | End | Length | Description |
---|---|---|---|
0x0000 | 0x0003 | 0x04 | Signature type (always 0x10001 for RSA-2048) |
0x0004 | 0x0103 | 0x100 | Signature by a certificate's key |
0x0104 | 0x013F | 0x3C | Padding (Always 0 - everything after this field is covered by the above signature) |
0x0140 | 0x017F | 0x40 | Signature issuer |
0x0180 | 0x01BB | 0x3C | ECDSA data, used to generate one-time key during install of console specific titles |
0x01BC | 0x01BE | 0x03 | Unused/Padding |
0x01BF | 0x01CE | 0x10 | Encrypted title key |
0x01CF | 0x01CF | 0x01 | Unknown |
0x01D0 | 0x01D7 | 0x08 | ticket_id (used as IV for title key decryption of console specific titles) |
0x01D8 | 0x01DB | 0x04 | Console ID |
0x01DC | 0x01E3 | 0x08 | Title ID / Initialization Vector (IV) used for AES-CBC encryption |
0x01E4 | 0x01E5 | 0x02 | Unknown, mostly 0xFFFF |
0x01E6 | 0x01E7 | 0x02 | Ticket Version |
0x01E8 | 0x01EF | 0x08 | Unknown |
0x01F0 | 0x01F0 | 0x01 | Export allowed using PRNG key (1 = allowed, 0 = not allowed) |
0x01F1 | 0x01F1 | 0x01 | Common Key index (1 = Korean Common key, 0 = "normal" Common key) |
0x01F2 | 0x0221 | 0x30 | Unknown. Is all 0 for non-VC, for VC, all 0 except last byte is 1. |
0x0222 | 0x0261 | 0x40 | Content access permissions (one bit for each content) |
0x0262 | 0x0263 | 0x02 | Padding (Always 0) |
0x0264 | 0x0267 | 0x04 | Enable time limit (1 = Enabled, 0 = Disabled) |
0x0268 | 0x026B | 0x04 | Time limit (Seconds) |
0x026C | 0x02A3 | 0x38 | 7 more time_limit structs as above ({int enable, seconds}) |
To get the title key, decrypt the 16 bytes at offset 0x1bf with the Common Key, using the Title ID (offset 0x1dc) as the first 8 bytes of the initialization vector (the last 8 bytes of the IV should be zero).
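
An added example (not from the original page): a Python parser for the layout in the table above that checks the size, signature type and zero padding, builds the IV as described, and decrypts the title key with AES-CBC. It assumes big-endian integers, as on the Wii; the sample ticket, `EXAMPLE-ISSUER`, the title ID bytes and all function names are constructed for illustration, and `common_key` must be supplied by the caller.

```python
import struct

TICKET_SIZE = 0x2A4       # partition ticket size given on the page
SIG_RSA_2048 = 0x10001    # signature type from the table

def parse_ticket(buf: bytes) -> dict:
    """Pull the documented fields out of a raw ticket (big-endian integers)."""
    if len(buf) != TICKET_SIZE:
        raise ValueError(f"expected 0x{TICKET_SIZE:X} bytes, got 0x{len(buf):X}")
    (sig_type,) = struct.unpack_from(">I", buf, 0x0000)
    if sig_type != SIG_RSA_2048:
        raise ValueError(f"unexpected signature type 0x{sig_type:X}")
    if any(buf[0x0104:0x0140]) or any(buf[0x0262:0x0264]):
        raise ValueError("padding fields are not all zero")
    title_id = buf[0x01DC:0x01E4]
    limits = [struct.unpack_from(">II", buf, 0x0264 + 8 * i) for i in range(8)]
    return {
        "issuer": buf[0x0140:0x0180].rstrip(b"\x00").decode("ascii", "replace"),
        "signed_body": buf[0x0140:],         # everything after the 0x0104 padding
        "enc_title_key": buf[0x01BF:0x01CF],
        "ticket_id": buf[0x01D0:0x01D8],
        "console_id": struct.unpack_from(">I", buf, 0x01D8)[0],
        "title_id": title_id,
        "common_key_index": buf[0x01F1],     # 0 = "normal", 1 = Korean
        "iv": title_id + bytes(8),           # Title ID, then 8 zero bytes
        "time_limits": [(bool(enable), secs) for enable, secs in limits],
    }

def decrypt_title_key(ticket: dict, common_key: bytes) -> bytes:
    """AES-CBC decrypt of the 16-byte title key (needs the 'cryptography' package)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(common_key), modes.CBC(ticket["iv"])).decryptor()
    return dec.update(ticket["enc_title_key"]) + dec.finalize()

def sample_ticket() -> bytes:
    """Constructed sample, not a real ticket: zeroed buffer with a few fields set."""
    t = bytearray(TICKET_SIZE)
    struct.pack_into(">I", t, 0x0000, SIG_RSA_2048)
    struct.pack_into("64s", t, 0x0140, b"EXAMPLE-ISSUER")
    t[0x01BF:0x01CF] = bytes(range(16))
    t[0x01DC:0x01E4] = bytes.fromhex("0011223344556677")
    struct.pack_into(">II", t, 0x0264, 1, 3600)   # first time limit: enabled, 1 hour
    return bytes(t)

if __name__ == "__main__":
    info = parse_ticket(sample_ticket())
    print(info["issuer"], info["iv"].hex(), info["time_limits"][0])
```

The signature itself is not verified here; `signed_body` is only the region the table says the signature covers.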