Changes

5,471 bytes added , 14:00, 21 September 2024

no edit summary

Line 1: Line 1:

This article describes the logical layout of data on a '''Wii disc'''.

−

== Disc Format ==

+

== Differences from DVD ==

+

Wii discs are mainly DVD based, however, to prevent piracy, they have a number of marks in their BCA, effectively nulling out those regions. All data is therefore written around these marks, also making the discs incompatible with normal drives.

+

The GameCube and Wii check for these marks on disc boot by checking for null regions. Homebrew discs can therefore identify as Wii discs by nulling out these regions through software, although some software may need modification to avoid warning messages. [[Freeloader]] exploited this to not require a [[drivechip]].

+

XOR Encryption is done using discId and a random seed by the Disc Controller Firmware, Panasonic MN103S and BCA Check by System Controller MN102H

+

== Data Frame ==

+

u32 id; // PSN(Physical Sector Number)

+

u16 ied; // ID Error Detection Code, CRC16

+

u8 userdata[2048]; // Sector Data

+

u8 cpr_mai[6]; // Copyright Management Information(Not used)

+

u32 edc; // Error Detection Code, CRC32

+

// 2064B

+

== RandomKeys ==

+

0: 3

+

1: 48

+

2: 32512

+

3: 28673

+

4: 6

+

5: 69

+

6: 32256

+

7: 24579

+

8: 12

+

9: 192

+

10: 31744

+

11: 16391

+

12: 24

+

13: 384

+

14: 30720

+

15: 15

+

== DiscId ==

+

char gamecode[4];

+

char makercode[2];

+

u8 diskNumber;

+

u8 version;

+

u8 streaming;

+

u8 streamingBufferSize;

+

u8 pad[14];

+

u32 gcMagic;

+

u32 rvlMagic;

+

== Burst Cutting Area ==

+

// UserData(unencrypted), 64B

+

u8 optionalInfo[52];

+

u8 manufacturer[2];

+

u8 recorderDevice[2];

+

u8 bcaSerial;

+

u8 discDate[2];

+

u8 discTime[2];

+

u8 discNumber[3];

+

// SecureData(unencrypted), 12B

+

u8 key[8];

+

u8 id[4];

+

// AuthenticationData(encrypted), 48B

+

u64 psn[6]; // 6 sector locations

+

// 188B

+

== Disc Physical Format ==

+

// Leadin Area

+

PhysicalFormatInfo pfi;

+

DiscManufacturingInfo dmi;

+

PhysicalFormatInfo

+

u8 reversed[6];

+

u8 discMagic; // value is -1.

+

u8 discSizeMinTransferRate; // The value is fixed on 16.

+

u8 discStructure; // The value is fixed on 1.

+

u8 recordedDensity; // The value is fixed on 1.

+

DataAreaAllocation m_dataAreaAllocation;

+

u8 reversed2[2026];

+

u8 reversed3[6];

+

DiscManufacturingInfo

+

u8 reversed[6];

+

u8 unknown1[6];

+

u8 randomNumber2[6];

+

u8 unknown2[6];

+

u8 randomNumber3[6];

+

char mediaId[19]; // "Nintendo Game Disk"

+

u8 randomNumber4[6];

+

u8 bookTypePartVersion; // value must be 1.

+

u8 discSizeMinReadoutRate; // The value is fixed on 16.

+

u8 discStructure; // The value is fixed on 1.

+

u8 recordedDensity; // The value is fixed on 0.

+

DataAreaAllocation dataAreaAllocation;

+

u8 bcaDescriptor; // The value is fixed on 128.

+

u8 reversed2[1983];

+

u8 reversed3[6];

+

DataAreaAllocation

+

u8 reversed;

+

u16 startSector; // 196608

+

u8 reversed2;

+

u16 endSector; // 909487

+

u8 reversed3[3];

+

// 12B

+

== "System Area" ==

{| class="wikitable"

Line 12: Line 112:

| 0x00000

| 1024

−

| Header

+

| [[#Header|header]]

|

|-

| 0x40000

−

| 48

+

| >=120

−

| Partitions information

+

| [[#Partitions information|Partitions information]]

|

|-

| 0x4E000

| 32

−

| Region setting

+

| [[#Region setting|Region setting]]

|

|-

Line 47: Line 147:

| Disc ID

|

−

| [[~~Wiidisc_IDs~~]]

+

| [[Wiidisc IDs]]

|-

| 0x001

Line 59: Line 159:

| Region code

|

−

| 'E' = USA | 'P' = PAL | 'J' = ~~JAP |~~ 'K' = ~~KOR~~

+

| 'D' = German ; 'E' = USA ; 'F' = France ; 'I' = Italy ; 'J' = Japan ; 'K' = Korea ; 'P' = PAL ; 'R' = Russia ; 'S' = Spanish ; 'T' = Taiwan ; 'U' = Australia

|-

| 0x004

Line 69: Line 169:

| 0x006

| 1

−

| Disc ID

+

| Disc number

−

|

+

| 0x00

−

|

+

| Used in multi-disc games

|-

| 0x007

Line 82: Line 182:

| 1

| Audio streaming

−

|

+

| 0

−

|

+

| 0: Streaming disabled, nonzero: streaming enabled. No Wii game uses streaming.{{check}}

|-

| 0x009

| 1

| Streaming buffer size

−

|

+

| 0

−

|

+

| Buffer size for audio streaming, only used when streaming is enabled. 0 uses the default value, which is 10.

|-

| 0x00A

Line 97: Line 197:

| unused?

|-

−

| ~~0x18~~

+

| 0x018

| 4

−

| Magicword

+

| Wii Magicword

| 0x5D1C9EA3

−

|

+

| Identifies Disc as Wii. Present on Wii discs, zero on Gamecube discs.

+

|-

+

| 0x01C

+

| 4

+

| Gamecube Magicword

+

| 0xC2339F3D

+

| Identifies Disc as Gamecube. Present on Gamecube discs, zero on Wii discs.

|-

| 0x020

Line 113: Line 219:

|

−

| Disable hash verification ~~and make~~ all disc reads fail even before they reach the DVD drive.

+

| Disable hash verification. On retail consoles, this makes all disc reads fail even before they reach the DVD drive.

|-

| 0x061

Line 119: Line 225:

|

−

| Disable disc encryption and h3 hash table loading and verification ~~(which~~ effectively also makes all disc reads fail because the h2 hashes won't be able to verify against "something" that will be in the memory of the h3 hash table. ~~none~~ of these two bytes will allow unsigned code)

+

| Disable disc encryption and h3 hash table loading and verification. On retail consoles, this effectively also makes all disc reads fail because the h2 hashes won't be able to verify against "something" that will be in the memory of the h3 hash table. None of these two bytes will allow unsigned code on retail consoles.

|-

| 0x080

Line 125: Line 231:

| Padding

| 0x00

−

~~| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;"~~ |

+

|

|}

−

+

=== Partitions information ===

−

The Wii disc format uses partitions, mostly one is used for updates (the 1st) and the 2nd for the game.

+

The Wii disc format uses partitions, mostly one is used for updates (the 1st) and the 2nd for the game, and the third for channels such as [[Wii Fit Channel]].

{| class="wikitable"

Line 187: Line 293:

| Type: 0 for a Data partition, 1 for an Update partition, 2 for a Channel installer. The demonstration VC titles on Super Smash Brothers Brawl use the Ascii title ID.

|}

−

~~Each partition starts with a [[Ticket]] followed by the TMD followed by [[Certificate chain | three certifications]].~~

−

~~Offset 0x00000000 is considered as the start of the partition.~~

=== Region setting ===

Line 204: Line 306:

| 4

| Region byte

−

| 0 = JAP, 1 = USA, 2 = ~~EUR~~, 4 = KOR

+

| 0 = JAP/CHT (Taiwan), 1 = USA, 2 = PAL, 4 = KOR

+

|-

+

| 0x4E004

+

| 12

+

|

|-

| 0x4E010

| 1

−

| ~~Region JAP byte~~

+

| Japan/Taiwan

−

| ~~Set to zero if 'Region~~ byte~~' is set to 0~~

+

| rowspan="2" | Age Rating byte. Indicates the Age Rating for a Wiidisc

|-

| 0x4E011

| 1

−

| ~~Region~~ USA ~~byte~~

+

| USA

−

| ~~Set to zero if 'Region~~ byte~~' is set to 1~~

+

|-

+

| 0x4E012

+

| 1

+

|

+

|-

+

| 0x4E013

+

| 1

+

| Germany

+

| rowspan="7" | Age Rating byte. Indicates the Age Rating for a Wiidisc

|-

| 0x4E014

| 1

−

| ~~Region EUR byte~~

+

| PEGI

−

| ~~Set to zero if 'Region byte' is set to 2~~

+

|-

−

|}~~AP byte', 'Region USA byte' and 'Region EUR byte' will work too.~~

+

| 0x4E015

+

| 1

+

| Finland

+

|-

+

| 0x4E016

+

| 1

+

| Portugal

+

|-

+

| 0x4E017

+

| 1

+

| Britain

+

|-

+

| 0x4E018

+

| 1

+

| Australia

+

|-

+

| 0x4E019

+

| 1

+

| Korea

+

|-

+

| 0x4E01A

+

| 6

+

|

+

|}

+

== Partition ==

−

~~===~~ [[~~TMD~~]] ~~and~~ [[Certificate chain]] ~~===~~

+

Each partition starts with a [[Ticket]] followed by the TMD followed by [[Certificate chain|three certifications]].

+

Offset 0x00000000 is considered as the start of the partition.

+

The offset of the actual partition data is 0x00020000 for normal discs and 0x00008000 for unencrypted discs (discs where 0x61 in the header is non-zero).

+

{| class="wikitable"

! Start

Line 264: Line 407:

| <tt>varies</tt>

| [[TMD]]

+

|-

+

| <tt>varies</tt>

+

| <tt>varies</tt>

+

| Partition Data

|}

−

== Partition Data ==

+

=== Partition Data ===

+

===== Encrypted =====

+

For discs where 0x61 in the disc header is non-zero, skip this section and go to [[#Decrypted]]. (Such discs don't work on retail consoles.)

−

Partition data is encrypted using a key, which can be obtained from the partition header and the master key. The actual partition data starts at offset ~~0x20000 in~~ the partition, and it is formatted in "clusters" of size 0x8000 (32k). Each one of these blocks consists of 0x400 bytes of encrypted SHA-1 hash data, followed by 0x7C00 bytes of encrypted user data. The 0x400 bytes SHA-1 data is encrypted using AES-128-CBC, with the partition key and a null (all zeroes) IV. Clusters are aggregated into subgroups of 8 clusters, and 8 subgroups are aggregated into one group of 64 clusters. The plaintext format is as follows:

+

Partition data is encrypted using a key, which can be obtained from the partition header and the master key. The actual partition data starts at an offset into the partition (normally 0x20000), and it is formatted in "clusters" of size 0x8000 (32k). Each one of these blocks consists of 0x400 bytes of encrypted SHA-1 hash data, followed by 0x7C00 bytes of encrypted user data. The 0x400 bytes SHA-1 data is encrypted using AES-128-CBC, with the partition key and a null (all zeroes) IV. Clusters are aggregated into subgroups of 8 clusters, and 8 subgroups are aggregated into one group of 64 clusters. The plaintext format is as follows:

{| class="wikitable"

Line 316: Line 467:

Finally, the global hash table ("H3"; which the partition header points to) contains the SHA-1 hash of the last table of each group in the partition. This table is not encrypted, but it is signed. To build it, take bytes 0x340-0x3DF from any sector in each group in the partition, apply SHA-1, and simply store all of the resulting hashes consecutively. All in all, each sector includes enough information to trace itself back to the master SHA-1 hash table. As a result, the entire partition is effectively signed. If anything is changed, the Wii will immediately crash (if the master hash table has been updated), or it will crash when it reads any sector in the modified group (if the group tables have been updated), any sector in the modified subgroup (if the subgroup tables have been updated), or any modified sector if no SHA-1s were updated.

−

The signature is stored in the [[~~Tmd_file_structure~~|TMD]]. The TMDs for the partition always have one content. The type of that content ~~seems to be always~~ 3, ~~and~~ the SHA1 hash is the SHA1 of the entire 0x18000 bytes of the hash table.

+

The signature is stored in the [[Tmd file structure|TMD]]. The TMDs for the partition always have one content. The type of that content has been 1, 2, or 3, although the type does not seem to be read. The SHA1 hash is the SHA1 of the entire 0x18000 bytes of the hash table.

−

The [[~~Tmd_file_structure~~|TMD]] is signed using Nintendo private key. That makes basically impossible to run modified discs. Trucha Signer uses the [[~~Signing_bug|~~signing bug]] to bypass the [[~~Tmd_file_structure~~|TMD]] signature checking, so the SHA1 hash of the master table can be updated, and modified discs can be booted.

+

The [[Tmd file structure|TMD]] is signed using Nintendo private key. That makes basically impossible to run modified discs. Trucha Signer uses the [[signing bug]] to bypass the [[Tmd file structure|TMD]] signature checking, so the SHA1 hash of the master table can be updated, and modified discs can be booted.

To decrypt the user data at 0x0400-0x7FFF, again use the partition key, but this time take the IV from bytes 0x3D0-0x3DF in the '''encrypted''' SHA-1 block.

−

==~~Known Wii discs~~==

+

===== Decrypted =====

−

On the [[~~Title_Database|~~Title Database]] you can find some info about different game discs

+

Once the Partition Data is decrypted (or if it was stored unencrypted to begin with), it follows the same formatting as a Gamecube disc for the most part.

+

{| class="wikitable"

+

|-

+

! Start

+

! Size

+

! Description

+

|-

+

| 0x00000

+

| 1024

+

| Same format as the main disc header, except bytes 0x60 and 0x61 are set to 0x01.

+

|-

+

| 0x00420

+

| 4

+

| Pointer to the Main [[DOL]], Address is (value << 2)

+

|-

+

| 0x00424

+

| 4

+

| Pointer to the File System start, Address is (value << 2)

+

|-

+

| 0x00428

+

| 4

+

| File System Size

+

|-

+

| 0x0042C

+

| 4

+

| Max File System Size

+

|-

+

| 0x02440

+

| 4

+

| Pointer to the [[apploader]]

+

|}

+

=== Update partition ===

+

The update partition has a [[TMD]] title ID of .UPE, and includes an __update.inf in the root, which describes the locations of the [[WAD files]] elsewhere.

+

{| class="wikitable"

+

|-

+

! Start

+

! Size

+

! Description

+

|-

+

| 0x00

+

| 16

+

| Timestamp

+

|-

+

| 0x10

+

| 4

+

| Number of titles to update on newer discs, all 0 on older discs

+

|-

+

| 0x14

+

| 12

+

| Padding (all 0)

+

|-

+

| 0x20

+

| varies

+

| Update entries (see struct below)

+

|}

+

==== Update entry ====

+

{| class="wikitable"

+

! Start

+

! Size

+

! Description

+

|-

+

| 0x000

+

| 4

+

| Type

+

|-

+

| 0x004

+

| 4

+

| Attribute

+

|-

+

| 0x008

+

| 8

+

| Unknown

+

|-

+

| 0x010

+

| 64

+

| Path to WAD

+

|-

+

| 0x050

+

| 8

+

| [[Title ID]]

+

|-

+

| 0x058

+

| 2

+

| Title version

+

|-

+

| 0x05a

+

| 64

+

| Name

+

|-

+

| 0x09a

+

| 64

+

| Info

+

|-

+

| 0x0da

+

| 288

+

| Padding (all 0)

+

|}

+

== Known Wii discs ==

+

On the [[Title Database]] you can find some info about different game discs

== Methods to boot a disc ==

Line 334: Line 589:

The [[Wii BootMe]] tool (created by CorteX) lets you change the way wii images boot.

−

[[Category:~~Wii_Software~~]]

+

[[Category:File formats]]

Cyndanera

29

edits

Changes

Wii disc (view source)

Revision as of 14:00, 21 September 2024