In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

/dev/es

From WiiBrew
< /dev
Jump to navigation Jump to search


The ES (ETicket Services) is responsible for the security of Wii, making it OUR enemy! Along with the rest of IOS, this is generally considered a "private interface" -- game developers never call any of these functions directly.

Most of these are now implemented in libogc -- see http://devkitpro.svn.sourceforge.net/viewvc/devkitpro/trunk/libogc/libogc/es.c?view=log.

Please feel free to submit patches to implement the remaining functions.

Known ES Functions

ios_ioctlv( fd, 0x01, 3, 0, vec); // ES_AddTicket(const signed_blob *stik, u32 stik_size, const signed_blob *certificates, u32 certificates_size, const signed_blob *crl, u32 crl_size)
ios_ioctlv( fd, 0x02, 4, 0, vec); // ES_AddTitleStart(const signed_blob *stmd, u32 tmd_size, const signed_blob *certificates, u32 certificates_size, const signed_blob *crl, u32 crl_size)
ios_ioctlv( fd, 0x03, 2, 0, vec); // ES_AddContentStart(u64 titleID, u32 cid)
ios_ioctlv( fd, 0x04, 2, 0, vec); // ES_AddContentData(s32 cfd, u8 *data, u32 data_size)
ios_ioctlv( fd, 0x05, 1, 0, vec); // ES_AddContentFinish(u32 cid)
ios_ioctlv( fd, 0x06, 0, 0, vec); // ES_AddTitleFinish(void)
ios_ioctlv( fd, 0x07, 0, 1, vec); // ES_GetDeviceID
ios_ioctlvReboot(fd, 0x08, 2, 0, vec); // ES_LaunchTitle(u64 titleID, const tikview *view)
ios_ioctlv( fd, 0x09, 1, 0, vec);  // ES_OpenContent(u16 index)
ios_ioctlv( fd, 0x0A, 1, 1, vec); // ES_ReadContent(s32 cfd, u8 *data, u32 data_size)
ios_ioctlv( fd, 0x0B, 1, 0, vec); // ES_CloseContent(s32 cfd)
ios_ioctlv( fd, 0x0C, 0, 1, vec); // ES_GetOwnedTitlesCount
ios_ioctlv( fd, 0x0D, 1, 1, vec); // ES_GetOwnedTitles
ios_ioctlv( fd, 0x0E, 0, 1, vec); // ES_GetTitlesCount
ios_ioctlv( fd, 0x0F, 1, 1, vec); // ES_GetTitles
ios_ioctlv( fd, 0x10, 1, 1, vec); // ES_GetTitleContentsCount
ios_ioctlv( fd, 0x11, 2, 1, vec); // ES_GetTitleContent
ios_ioctlv( fd, 0x12, 1, 1, vec); // ES_GetNumTicketViews(u64 titleID, u32 *cnt)
ios_ioctlv( fd, 0x13, 2, 1, vec); // ES_GetTicketViews(u64 titleID, tikview *views, u32 cnt)
ios_ioctlv( fd, 0x14, 1, 1, vec); // ES_GetTmdViewSize
ios_ioctlv( fd, 0x15, 2, 1, vec); // ES_GetTmdView
ios_ioctlv( fd, 0x16, 1, 2, vec); // ES_GetConsumption
ios_ioctlv( fd, 0x17, 1, 0, vec); // ES_DeleteTitle
ios_ioctlv( fd, 0x18, 1, 0, vec); // ES_DeleteTicket
ios_ioctlv( fd, 0x19, 1, 1, vec); // ES_DIGetTmdViewSize( u8 *TMD, u32 *TMDViewSize )
ios_ioctlv( fd, 0x1A, 2, 1, vec); // ES_DiGetTmdView
ios_ioctlv( fd, 0x1B, 1, 1, vec); // ES_DiGetTicketView
ios_ioctlv( fd, 0x1C, 4, 2, vec); // ES_DiVerify
ios_ioctlv( fd, 0x1D, 1, 1, vec); // ES_GetDataDir
ios_ioctlv( fd, 0x1E, 0, 1, vec); // ES_GetDeviceCert(u8 *outbuf)
ios_ioctlv( fd, 0x1F, 6, 0, vec); // ES_ImportBoot( const signed_blob *tik, u32 tik_size, const signed_blob *tik_certs, u32 tik_certs_size, const signed_blob *tmd, u32 tmd_size, const signed_blob *tmd_certs, u32 tmd_certs_size, const u8 *content, u32 content_size )
ios_ioctlv( fd, 0x20, 0, 1, vec); // ES_GetTitleId
ios_ioctlv( fd, 0x21, 1, 0, vec); // ES_SetUid
ios_ioctlv( fd, 0x22, 1, 0, vec); // ES_DeleteTitleContent(u64 titleID) - deletes all files containing 'app' in a /title/xxxxxxxx/yyyyyyyy/content
ios_ioctlv( fd, 0x23, 3, 0, vec); // ES_SeekContent
ios_ioctlv( fd, 0x24, 3, 0, vec); // ES_OpenTitleContent(u64 titleID, const tikview *view, u16 index)
ios_ioctlv( fd, 0x25, 0, 0, vec); // ES_LaunchBC(void)
ios_ioctlv( fd, 0x26, 1, 1, vec); // ES_ExportTitleInit
ios_ioctlv( fd, 0x27, 2, 0, vec); // ES_ExportContentBegin
ios_ioctlv( fd, 0x28, 1, 1, vec); // ES_ExportContentData
ios_ioctlv( fd, 0x29, 1, 0, vec); // ES_ExportContentEnd
ios_ioctlv( fd, 0x2A, 0, 0, vec); // ES_ExportTitleDone(void)
ios_ioctlv( fd, 0x2B, 1, 0, vec); // ES_AddTmd
ios_ioctlv( fd, 0x2C, 3, 2, vec); // ES_Encrypt(u32 keynum, u8 *iv, u8 *source, u32 size, u8 *dest)
ios_ioctlv( fd, 0x2D, 3, 2, vec); // ES_Decrypt(u32 keynum, u8 *iv, u8 *source, u32 size, u8 *dest)
ios_ioctlv( fd, 0x2E, 0, 1, vec); // ES_GetBoot2Version(u32 *version)
ios_ioctlv( fd, 0x2F, 0, 0, vec); // ES_AddTitleCancel(void)
ios_ioctlv( fd, 0x30, 1, 2, vec); // ES_Sign(u8 *source, u32 size, u8 *sig, u8 *certs)
ios_ioctlv( fd, 0x31, 3, 0, vec); // ES_VerifySign
// the following functions are only available in IOS28+
ios_ioctlv( fd, 0x32, 1, 1, vec); // ES_GetStoredContentCount
ios_ioctlv( fd, 0x33, 2, 1, vec); // ES_GetStoredContent
ios_ioctlv( fd, 0x34, 1, 1, vec); // ES_GetStoredTmdSize
ios_ioctlv( fd, 0x35, 2, 1, vec); // ES_GetStoredTmd
ios_ioctlv( fd, 0x36, 0, 1, vec); // ES_GetSharedContentCount
ios_ioctlv( fd, 0x37, 1, 1, vec); // ES_GetSharedContents
ios_ioctlv( fd, 0x38, 1, 0, vec); // ?(ES_DeleteSharedContent)
ios_ioctlv( fd, 0x39, 0, 1, vec); // ES_GetDiTmdSize
ios_ioctlv( fd, 0x3A, 1, 1, vec); // ES_GetDiTmd
ios_ioctlv( fd, 0x3B, 4, 2, vec); // Unknown ... calls ES_DiVerify 
ios_ioctlv( fd, 0x3C, 2, 1, vec); // ES_SetupStreamKey ... calls ES_DiVerify(tikview,tmd,u32) 
ios_ioctlv( fd, 0x3D, 0, 1, vec); // ES_DeleteStreamKey ... wrapper for syscall 5c
// the following functions are only available in IOS37+ but not in IOS38
ios_ioctlv( fd, 0x3E, 2, 0, vec); // Unknown ... Deletes a content from a title's private directory
// the following functions are only available in IOS37v3609+ but not in IOS38
ios_ioctlv( fd, 0x3F, ?, ?, vec); // non-existant ioctl why? ... because.
ios_ioctlv( fd, 0x40, 1, 1, vec); // Unknown -- takes in a ticket?
// the following functions are only available in IOS56+
ios_ioctlv( fd, 0x41, 1, 1, vec); // Unknown -- retrieves a key?
ios_ioctlv( fd, 0x42, 2, 0, vec); // Unknown -- something with a key?
// the following functions are only available in IOS56v5405+/IOS57v5661+/IOS61v5405+/IOS70+ Please check (I thought it was a rule never add new functions existing IOS)
ios_ioctlv( fd, 0x43, 1, 1, vec); // Unknown -- something with a ticket and maybe a ".tv1" file?
ios_ioctlv( fd, 0x44, 2, 1, vec); // Unknown -- similar to ioctl 43
ios_ioctlv( fd, 0x45, 0, 0, vec); // Unknown ... korean-common-key check

/dev/es IOS_Ioctlv

This article is a stub. You can help WiiBrew by expanding it.
number name in count out count vec entry target vec entry size [bytes] libogc prototype Description
0x00 ? ? ? ? ? ? returns -1017 non-existant ioctl
0x01 ES_AddTicket 3 0 ? 0x2A4 ES_AddTicket(const signed_blob *stik, u32 stik_size, const signed_blob *certificates, u32 certificates_size, const signed_blob *crl, u32 crl_size) ?
? ?
? ?
0x02 ES_AddTitleStart 4 0 ? ? ES_AddTitleStart(const signed_blob *stmd, u32 tmd_size, const signed_blob *certificates, u32 certificates_size, const signed_blob *crl, u32 crl_size) ?
? ?
? ?
? 0x1c
0x03 ES_AddContentStart 2 0 ? 0x8 ES_AddContentStart(u64 titleID, u32 cid) ?
? 0x4
0x04 ES_AddContentData 2 0 ? 0x4 ES_AddContentData(s32 cfd, u8 *data, u32 data_size) ?
? ?
0x05 ES_AddContentFinish 1 0 ? 0x4 ES_AddContentFinish(u32 cid) ?
0x06 ES_AddTitleFinish 0 0 ES_AddTitleFinish(void) ?
0x07 ES_GetDeviceID 0 1 ? 0x4 ES_GetDeviceID(u32 *device_id) ?
0x08 ES_LaunchTitle 2 0 ? 0x8 ES_LaunchTitleBackground(u64 titleID, const tikview *view); ES_LaunchTitle(u64 titleID, const tikview *view); ?
? 0xd8
0x09 ES_OpenContent 1 0 ? 0x4 ES_OpenContent(u16 index) ?
0x0A ES_ReadContent 1 1 ? 0x4 ES_ReadContent(s32 cfd, u8 *data, u32 data_size) ?
? ?
0x0B ES_CloseContent 1 0 ? 0x4 ES_CloseContent(s32 cfd) ?
0x0C ES_GetOwnedTitlesCount 0 1 u32* count 0x4 ES_GetNumOwnedTitles(u32 *cnt) ?
0x0D ES_GetOwnedTitles 1 1 u32* count 0x4 ES_GetOwnedTitles(u64 *titles, u32 cnt) ?
u64 titles[] [count]*0x8
0x0E ES_GetTitlesCount 0 1 u32* count 0x4 ES_GetNumTitles(u32 *cnt) Sets the u32 pointed to by count to the number of titles on the system under /title.
0x0F ES_GetTitles 1 1 u32* count 0x4 ES_GetTitles(u64 *titles, u32 cnt) Fills out buffer with at most count 8 byte title ids of titles on the system under /title. It also update count for the number of title its copied.
u64 buffer[] [count]*0x8
0x10 ES_GetTitleContentsCount 1 1 u64 title_id 0x8 ES_GetTitleContentsCount(u64 titleID, u32 *num) Gets the number of contents from the tmd. It checks that the contents are present in the title's private content directory or linked via /shared1/content.map
u32* count 0x4
0x11 ES_GetTitleContents 2 1 u64 title_id 0x8 No Fills out content_ids with the content ids from the title's tmd. It checks if the contents are present in the title's private content directory or linked via /shared1/content.map
u32* count 0x4
u32 content_ids[] [count]*0x4
0x12 ES_GetNumTicketViews 1 1 u64 title_id 0x8 ES_GetNumTicketViews(u64 titleID, u32 *cnt) ?
u32* count 0x4
0x13 ES_GetTicketViews 2 1 u64 title_id 0x8 ES_GetTicketViews(u64 titleID, tikview *views, u32 cnt) ?
u32* count 0x4
tikview_t ticketviews[] [count]*0xd8
0x14 ES_GetTmdViewSize 1 1 u64 title_id 0x8 ES_GetTMDViewSize(u64 titleID, u32 *size) ?
u32* count 0x4
0x15 ES_GetTmdView 2 1 u64 title_id 0x8 ES_GetTMDView(u64 titleID, u8 *data, u32 size) ?
u32* count 0x4
tmdiew_t tmdview [count]
0x16 ES_GetConsumption 1 2 ? ? No ?
0x17 ES_DELETETITLE 1 0 u64 titleID 0x8 ES_DeleteTitle(u64 titleID) ?
0x18 ES_DeleteTicket 1 0 ? ? ES_DeleteTicket(const tikview *view) ?
0x19 ES_DIGetTmdViewSize 1 0 ? ? No ?
0x1A ES_DIGetTmdViewSize 2 1 ? ? No ?
0x1B ES_DiGetTicketView 1 1 ? ? No ?
0x1C ES_DiVerify 4 2 ? ? ES_Identify(const signed_blob *certificates, u32 certificates_size, const signed_blob *stmd, u32 tmd_size, const signed_blob *sticket, u32 ticket_size, u32 *keyid) ?
0x1D ES_GetTitleDir 1 1 ? ? ES_GetDataDir(u64 titleID,char *filepath) ?
0x1E ES_GetDeviceCert 1 0 ? ? ES_GetDeviceCert(u8 *outbuf) ?
0x1F ES_GetDeviceCert 6 0 ? ? ES_ImportBoot(const signed_blob *tik, u32 tik_size,const signed_blob *tik_certs,u32 tik_certs_size,const signed_blob *tmd,u32 tmd_size,const signed_blob *tmd_certs,u32 tmd_certs_size,const u8 *content,u32 content_size) ?
0x20 ES_GetTitleId 0 1 ? ? ES_GetTitleID(u64 *titleID) ?
0x21 ES_SetUid 1 0 ? ? ES_SetUID(u64 uid) ?
0x22 ES_DeleteTitleContent 1 0 ? ? ES_DeleteTitleContent(u64 titleID) Deletes all files containing the substring "app" in a title's content directory (/title/xxxxxxxx/yyyyyyyy/content).
0x23 ES_SeekContent 3 0 ? ? s32 ES_SeekContent(s32 cfd, s32 where, s32 whence) ?
0x24 ES_OpenTitleContent 3 0 ? ? s32 ES_OpenTitleContent(u64 titleID, tikview *views, u16 index) ?
0x25 ES_LaunchBC 0 0 ? ? No ?
0x38 ? (ES_DeleteSharedContent) 1 0 u8 sha1[] 0x14 ? Deletes the content file from /shared1 with the given sha1 checksum. It aborts if the tmd of an essential system title references the content. It rebuilds content.map after, removing the entry for the deleted file.
0x3e ? 2 0 u64 title_id 0x8 ? Deletes a specific content from a title's private content directory.
u32 content_id 0x4
0x3f ? 0 0 ? returns -1017
0x40 ? 1 1 tikview_t ticketview 0xd8 ? Copies the ticket associated with ticketview into ticket_buffer based on some access checks [currently unknown ticket offsets +0x1e8 to +0x1ef, +0x1f0.]
tik_t ticket_buffer 0x2a4
0x45 ? 0 0 ? Used by system menu 4.2 to check if the wii is a region changed Korean wii. returns -1017 if the keys are not found. see Error_003

/dev/es error codes

This article is a stub. You can help WiiBrew by expanding it.
Error code POSIX equivalent Notes
-106 ? Invalid TMD when using ES_OpenContent or <marcan> HUGHLALUGH SOMETHING FUCKED UP AND I'M NOT TELLING, or access denied
-1009 EIO Read failure (short read)
-1010 EIO Write failure (short write)
-1012 ? Invalid signature type
-1015 ? Invalid value for byte at 0x180 in ticket (valid:0,1,2)
-1017 EINVAL Wrong IN or OUT size, wrong size for a part of the vector, vector alignment problems, non-existant ioctl
-1020 ? ConsoleID mismatch
-1022 ? Content did not match hash in TMD
-1024 ENOMEM Memory allocation failure
-1026 EACCESS Incorrect access rights
-1028 ENOENT No ticket installed
-1029 ? Installed Ticket/TMD is invalid
-1035 ? Title with a higher version is already installed
-1036 ? Required sysversion(IOS) is not installed
-2008 EINVAL Invalid parameter(s)
-2011 ? Signature check failed
-2013 ? Keyring is full (contains 0x20 keys)
-2014 ? Bad hash length (!= 20)
-2016 ? unaligned data
-4100 ? Wrong Ticket-, Cert size or invalid Ticket-, Cert data
Retrieved from "https://wiibrew.org/w/index.php?title=/dev/es&oldid=100507"