Difference between revisions of "Ticket"

From WiiBrew
Jump to navigation Jump to search
(changed the offsets of seconds field to be correct and adjusted the final padding accordingly)
Line 22: Line 22:
| 0x0104
| 0x0104
| 0x013f
| 0x013f
| 0x3b
| 0x3c
| Padding (Always 0)
| Padding (Always 0)

Revision as of 20:06, 20 January 2009

Tickets are found in many encrypted files used by the Wii (e.g. WAD Files or Wiidiscs). They contain the encrypted AES "title key" and the Title ID of the data and are signed by a certificate from a certificate chain (which usually is the same for all titles and stored somewhere on the NAND). So far only tickets with RSA-2048 signatures have been seen. (Discs will only work with those signatures because the size of partition ticket is always 0x2a4)

File structure

Start End Length Description
0x0000 0x0003 0x04 Signature type (always 0x10001 for RSA-2048)
0x0004 0x0103 0x100 Signature by a certificate's key (everything after this field is covered by this signature)
0x0104 0x013f 0x3c Padding (Always 0)
0x0140 0x017f 0x40 Signature issuer
0x0180 0x01be 0x3f Unknown (0, unless it is a VC game)
0x01bf 0x01ce 0x10 Encrypted title key
0x01cf 0x01db 0x0d Unknown
0x01dc 0x01e3 0x08 Title ID / Initialization Vector (IV) used for AES-CBC encryption
0x01e4 0x01f0 0x0d Unknown
0x01f1 0x01f1 0x01 Common Key index (1 = Korean Common key, 0 = "normal" Common key)
0x01f2 0x0221 0x30 Unknown. Is all 0 for non-VC, for VC, all 0 except last byte is 1.
0x0222 0x0241 0x20 Always 0xFF (?)
0x0242 0x0243 0x02 Padding (Always 0)
0x0244 0x0247 0x04 Enable time limit (1 = Enabled, 0 = Disabled)
0x0248 0x024b 0x04 Time limit (Seconds)
0x024c 0x02a3 0x58 Padding (Always 0)

To get the title key decrypt the 16 bytes at offset 0x1bf with the Common Key using the Title ID (offset 0x1dc) as the initialization vector (the last 8 bytes of the IV should be zero).