29
edits
Changes
no edit summary
Line 1:
Line 1:
−
+
+
+[[Category:Software]]
This article describes the logical layout of data on a '''Wii disc'''.
This article describes the logical layout of data on a '''Wii disc'''.
+
+== Differences from DVD ==
+Wii discs are mainly DVD based, however, to prevent piracy, they have a number of marks in their BCA, effectively nulling out those regions. All data is therefore written around these marks, also making the discs incompatible with normal drives.
+
+The GameCube and Wii check for these marks on disc boot by checking for null regions. Homebrew discs can therefore identify as Wii discs by nulling out these regions through software, although some software may need modification to avoid warning messages. [[Freeloader]] exploited this to not require a [[drivechip]].
+
+XOR Encryption is done using discId and a random seed by the Disc Controller Firmware, Panasonic MN103S and BCA Check by System Controller MN102H
+
+== Data Frame ==
+ u32 id; // PSN(Physical Sector Number)
+ u16 ied; // ID Error Detection Code, CRC16
+ u8 userdata[2048]; // Sector Data
+ u8 cpr_mai[6]; // Copyright Management Information(Not used)
+ u32 edc; // Error Detection Code, CRC32
+ // 2064B
+
+== RandomKeys ==
+ 0: 3
+ 1: 48
+ 2: 32512
+ 3: 28673
+ 4: 6
+ 5: 69
+ 6: 32256
+ 7: 24579
+ 8: 12
+ 9: 192
+ 10: 31744
+ 11: 16391
+ 12: 24
+ 13: 384
+ 14: 30720
+ 15: 15
+
+== DiscId ==
+ char gamecode[4];
+ char makercode[2];
+ u8 diskNumber;
+ u8 version;
+ u8 streaming;
+ u8 streamingBufferSize;
+ u8 pad[14];
+ u32 gcMagic;
+ u32 rvlMagic;
+
+== Burst Cutting Area ==
+ // UserData(unencrypted), 64B
+ u8 optionalInfo[52];
+ u8 manufacturer[2];
+ u8 recorderDevice[2];
+ u8 bcaSerial;
+ u8 discDate[2];
+ u8 discTime[2];
+ u8 discNumber[3];
+ // SecureData(unencrypted), 12B
+ u8 key[8];
+ u8 id[4];
+ // AuthenticationData(encrypted), 48B
+ u64 psn[6]; // 6 sector locations
+ // 188B
+
+== Disc Physical Format ==
+ // Leadin Area
+ PhysicalFormatInfo pfi;
+ DiscManufacturingInfo dmi;
+
+PhysicalFormatInfo
+ u8 reversed[6];
+ u8 discMagic; // value is -1.
+ u8 discSizeMinTransferRate; // The value is fixed on 16.
+ u8 discStructure; // The value is fixed on 1.
+ u8 recordedDensity; // The value is fixed on 1.
+ DataAreaAllocation m_dataAreaAllocation;
+ u8 reversed2[2026];
+ u8 reversed3[6];
+
+DiscManufacturingInfo
+ u8 reversed[6];
+ u8 unknown1[6];
+ u8 randomNumber2[6];
+ u8 unknown2[6];
+ u8 randomNumber3[6];
+ char mediaId[19]; // "Nintendo Game Disk"
+ u8 randomNumber4[6];
+ u8 bookTypePartVersion; // value must be 1.
+ u8 discSizeMinReadoutRate; // The value is fixed on 16.
+ u8 discStructure; // The value is fixed on 1.
+ u8 recordedDensity; // The value is fixed on 0.
+ DataAreaAllocation dataAreaAllocation;
+ u8 bcaDescriptor; // The value is fixed on 128.
+ u8 reversed2[1983];
+ u8 reversed3[6];
+
+DataAreaAllocation
+ u8 reversed;
+ u16 startSector; // 196608
+ u8 reversed2;
+ u16 endSector; // 909487
+ u8 reversed3[3];
+ // 12B
== "System Area" ==
== "System Area" ==
Line 82:
Line 182:
| 1
| 1
| Audio streaming
| Audio streaming
−|
+| 0
−|
+| 0: Streaming disabled, nonzero: streaming enabled. No Wii game uses streaming.{{check}}
|-
|-
| 0x009
| 0x009
| 1
| 1
| Streaming buffer size
| Streaming buffer size
−|
+| 0
−|
+| Buffer size for audio streaming, only used when streaming is enabled. 0 uses the default value, which is 10.
|-
|-
| 0x00A
| 0x00A
Line 101:
Line 201:
| Wii Magicword
| Wii Magicword
| 0x5D1C9EA3
| 0x5D1C9EA3
−| Identifies Disc as Wii
+| Identifies Disc as Wii. Present on Wii discs, zero on Gamecube discs.
|-
|-
| 0x01C
| 0x01C
Line 107:
Line 207:
| Gamecube Magicword
| Gamecube Magicword
| 0xC2339F3D
| 0xC2339F3D
−| Identifies Disc as Gamecube
+| Identifies Disc as Gamecube. Present on Gamecube discs, zero on Wii discs.
|-
|-
| 0x020
| 0x020
Line 119:
Line 219:
|
|
|
|
−| Disable hash verification and make all disc reads fail even before they reach the DVD drive.
+| Disable hash verification. On retail consoles, this makes all disc reads fail even before they reach the DVD drive.
|-
|-
| 0x061
| 0x061
Line 125:
Line 225:
|
|
|
|
−| Disable disc encryption and h3 hash table loading and verification (which effectively also makes all disc reads fail because the h2 hashes won't be able to verify against "something" that will be in the memory of the h3 hash table. none of these two bytes will allow unsigned code)
+| Disable disc encryption and h3 hash table loading and verification. On retail consoles, this effectively also makes all disc reads fail because the h2 hashes won't be able to verify against "something" that will be in the memory of the h3 hash table. None of these two bytes will allow unsigned code on retail consoles.
|-
|-
| 0x080
| 0x080
Line 136:
Line 236:
=== Partitions information ===
=== Partitions information ===
The Wii disc format uses partitions, mostly one is used for updates (the 1st) and the 2nd for the game.
+The Wii disc format uses partitions, mostly one is used for updates (the 1st) and the 2nd for the game, and the third for channels such as [[Wii Fit Channel]].
{| class="wikitable"
{| class="wikitable"
Line 264:
Line 364:
Offset 0x00000000 is considered as the start of the partition.
Offset 0x00000000 is considered as the start of the partition.
+
+The offset of the actual partition data is 0x00020000 for normal discs and 0x00008000 for unencrypted discs (discs where 0x61 in the header is non-zero).
{| class="wikitable"
{| class="wikitable"
Line 306:
Line 408:
| [[TMD]]
| [[TMD]]
|-
|-
−| 0x00020000
+| <tt>varies</tt>
| <tt>varies</tt>
| <tt>varies</tt>
| Partition Data
| Partition Data
Line 315:
Line 417:
===== Encrypted =====
===== Encrypted =====
−Partition data is encrypted using a key, which can be obtained from the partition header and the master key. The actual partition data starts at offset 0x20000 in the partition, and it is formatted in "clusters" of size 0x8000 (32k). Each one of these blocks consists of 0x400 bytes of encrypted SHA-1 hash data, followed by 0x7C00 bytes of encrypted user data. The 0x400 bytes SHA-1 data is encrypted using AES-128-CBC, with the partition key and a null (all zeroes) IV. Clusters are aggregated into subgroups of 8 clusters, and 8 subgroups are aggregated into one group of 64 clusters. The plaintext format is as follows:
+For discs where 0x61 in the disc header is non-zero, skip this section and go to [[#Decrypted]]. (Such discs don't work on retail consoles.)
+Partition data is encrypted using a key, which can be obtained from the partition header and the master key. The actual partition data starts at an offset into the partition (normally 0x20000), and it is formatted in "clusters" of size 0x8000 (32k). Each one of these blocks consists of 0x400 bytes of encrypted SHA-1 hash data, followed by 0x7C00 bytes of encrypted user data. The 0x400 bytes SHA-1 data is encrypted using AES-128-CBC, with the partition key and a null (all zeroes) IV. Clusters are aggregated into subgroups of 8 clusters, and 8 subgroups are aggregated into one group of 64 clusters. The plaintext format is as follows:
{| class="wikitable"
{| class="wikitable"
Line 363:
Line 467:
Finally, the global hash table ("H3"; which the partition header points to) contains the SHA-1 hash of the last table of each group in the partition. This table is not encrypted, but it is signed. To build it, take bytes 0x340-0x3DF from any sector in each group in the partition, apply SHA-1, and simply store all of the resulting hashes consecutively. All in all, each sector includes enough information to trace itself back to the master SHA-1 hash table. As a result, the entire partition is effectively signed. If anything is changed, the Wii will immediately crash (if the master hash table has been updated), or it will crash when it reads any sector in the modified group (if the group tables have been updated), any sector in the modified subgroup (if the subgroup tables have been updated), or any modified sector if no SHA-1s were updated.
Finally, the global hash table ("H3"; which the partition header points to) contains the SHA-1 hash of the last table of each group in the partition. This table is not encrypted, but it is signed. To build it, take bytes 0x340-0x3DF from any sector in each group in the partition, apply SHA-1, and simply store all of the resulting hashes consecutively. All in all, each sector includes enough information to trace itself back to the master SHA-1 hash table. As a result, the entire partition is effectively signed. If anything is changed, the Wii will immediately crash (if the master hash table has been updated), or it will crash when it reads any sector in the modified group (if the group tables have been updated), any sector in the modified subgroup (if the subgroup tables have been updated), or any modified sector if no SHA-1s were updated.
−The signature is stored in the [[Tmd file structure|TMD]]. The TMDs for the partition always have one content. The type of that content seems to be always 3, and the SHA1 hash is the SHA1 of the entire 0x18000 bytes of the hash table.
+The signature is stored in the [[Tmd file structure|TMD]]. The TMDs for the partition always have one content. The type of that content has been 1, 2, or 3, although the type does not seem to be read. The SHA1 hash is the SHA1 of the entire 0x18000 bytes of the hash table.
The [[Tmd file structure|TMD]] is signed using Nintendo private key. That makes basically impossible to run modified discs. Trucha Signer uses the [[signing bug]] to bypass the [[Tmd file structure|TMD]] signature checking, so the SHA1 hash of the master table can be updated, and modified discs can be booted.
The [[Tmd file structure|TMD]] is signed using Nintendo private key. That makes basically impossible to run modified discs. Trucha Signer uses the [[signing bug]] to bypass the [[Tmd file structure|TMD]] signature checking, so the SHA1 hash of the master table can be updated, and modified discs can be booted.
Line 370:
Line 474:
===== Decrypted =====
===== Decrypted =====
−Once the Partition Data is decrypted, it follows the same formatting as a Gamecube disc for the most part.
+Once the Partition Data is decrypted (or if it was stored unencrypted to begin with), it follows the same formatting as a Gamecube disc for the most part.
{| class="wikitable"
{| class="wikitable"
Line 384:
Line 488:
| 0x00420
| 0x00420
| 4
| 4
−| Pointer to the Main Dolphin, Address is (value << 2)
+| Pointer to the Main [[DOL]], Address is (value << 2)
|-
|-
| 0x00424
| 0x00424
Line 400:
Line 504:
| 0x02440
| 0x02440
| 4
| 4
−| Pointer to the App Loader
+| Pointer to the [[apploader]]
+|}
+=== Update partition ===
+The update partition has a [[TMD]] title ID of .UPE, and includes an __update.inf in the root, which describes the locations of the [[WAD files]] elsewhere.
+{| class="wikitable"
+|-
+! Start
+! Size
+! Description
+|-
+| 0x00
+| 16
+| Timestamp
+|-
+| 0x10
+| 4
+| Number of titles to update on newer discs, all 0 on older discs
+|-
+| 0x14
+| 12
+| Padding (all 0)
+|-
+| 0x20
+| varies
+| Update entries (see struct below)
|}
|}
+==== Update entry ====
+{| class="wikitable"
+! Start
+! Size
+! Description
+|-
+| 0x000
+| 4
+| Type
+|-
+| 0x004
+| 4
+| Attribute
+|-
+| 0x008
+| 8
+| Unknown
+|-
+| 0x010
+| 64
+| Path to WAD
+|-
+| 0x050
+| 8
+| [[Title ID]]
+|-
+| 0x058
+| 2
+| Title version
+|-
+| 0x05a
+| 64
+| Name
+|-
+| 0x09a
+| 64
+| Info
+|-
+| 0x0da
+| 288
+| Padding (all 0)
+|}
== Known Wii discs ==
== Known Wii discs ==
Line 418:
Line 590:
The [[Wii BootMe]] tool (created by CorteX) lets you change the way wii images boot.
The [[Wii BootMe]] tool (created by CorteX) lets you change the way wii images boot.
−[[Category:File formats]]
[[Category:File formats]]