Difference between revisions of "WAD files"

From WiiBrew
Jump to: navigation, search
(WAD Format)
(Undo revision 107650 by SKCro (talk) This is what the tool is actually called)
(Tag: Undo)
 
(33 intermediate revisions by 22 users not shown)
Line 1: Line 1:
== WAD Format ==
+
:''This article is about Wii software packaging. For the data files used by Doom, see [[WiiDoom]].''
 +
==General info==
 +
The WAD file-format is a file-format that contains information for the Wii, such as System Menus, IOS's, and Channels.
 +
===Piracy===
 +
Unfortunately, WAD files are often used to distribute pirated channels (both Virtual Console and WiiWare), due to the fact that they are also used by Nintendo and therefore easy to rip from the Wii and, for some WAD files, Nintendo's servers, and easy to create installers for. Wiibrew does not in any way endorse piracy, and as such these uses of WAD files should not be discussed.
  
The data within a WAD file has the following format.
+
If you wish to discuss legitimate WAD files, please ensure you make clear which file you are talking about and what you will use it for, to prevent people jumping to conclusions about your intentions.
  
 +
== System Menu ==
 +
WAD files are often installed in the Wii System Menu to appear as channels, making launching easier. If a WiiBrew app isn't installed as a channel, it can usually only be launched from the Homebrew Channel itself. WAD file creation seems to be an intricate process and tools are difficult to locate, and most are based on the .NET framework. Associated with WAD file generation are forwarders, which when loaded simply load another arbitrary application. A common technique is to use a somewhat generalized WAD that can be easily customized to then forward to another WiiBrew application stored on the SD card.
  
 +
Wii System Channel WAD files exist for WiiMC, ftpii, and numerous others.
  
'''<span style="color: red;">This page is horribly out of date. Expect an update when the dust of recent events settles.</span>'''
+
Forwarders are somewhat easier to locate, a common one being the Narolez-NForwarder, for which source exists and is easily modifiable. One WAD generation system that still appears to be active is the CRAP system that appears to be .NET based. The Wadder system also seemed to be .NET based but it appears abandoned. Although these tools are often associated with piracy, there are clearly legitimate uses for them as well.
  
'''<span style="color: red;">Recently updated, should the certificate/ticket/TMD data be deleted?.</span>'''
+
The WAD files themselves contain either still images or a collection of images to be animated, as well as sound data. In addition there is a .DOL file for the program to be run when launched.
 +
 
 +
== '''WAD Format''' ==
 +
The data within a WAD file has the following format.
  
 
Thanks to Segher for his [http://git.infradead.org/users/segher/wii.git?a=blob_plain;f=zeventig.c;hb=HEAD source].
 
Thanks to Segher for his [http://git.infradead.org/users/segher/wii.git?a=blob_plain;f=zeventig.c;hb=HEAD source].
Line 13: Line 23:
 
=== Header ===
 
=== Header ===
  
{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em;"
+
{| class="wikitable"
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #cdc;" | '''Start'''
+
! '''Start'''
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccd;" | '''End'''
+
! '''End'''
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccc;" | '''Length'''
+
! '''Length'''
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dcc;" | '''Description'''
+
! '''Description'''
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x000
+
| 0x000
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x003
+
| 0x003
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | Header size = 0x0020
+
| Header size = 0x0020
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x004
+
| 0x004
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x007
+
| 0x007
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | Header type (0x49730000 or 0x69620000)
+
| WAD Type ('Is\0\0' or 'ib\0\0' or 'Bk\0\0')
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x008
+
| 0x008
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x00B
+
| 0x00B
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | [[Certificate chain]] size.
+
| [[Certificate chain]] size.
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x00C
+
| 0x00C
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x00F
+
| 0x00F
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | Reserved = 0
+
| Reserved = 0
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x010
+
| 0x010
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x013
+
| 0x013
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | [[Ticket]] size
+
| [[Ticket]] size
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x014
+
| 0x014
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x017
+
| 0x017
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | [[TMD|Tmd file structure]] size
+
| [[Tmd file structure|TMD]] size
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x018
+
| 0x018
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x01B
+
| 0x01B
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | APP size
+
| Data (APP) size
|- style="background-color: #ddd;"
+
|-
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x01C
+
| 0x01C
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x01F
+
| 0x01F
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
+
| 4
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | Trailer size
+
| Footer size
 
|}
 
|}
  
The files are stored in the WAD in the same order that in the header. After each block (header, files), the file is aligned to 0x40 bytes.
+
The sections are stored in the WAD in the same order that in the header. Each block (header, sections) is aligned to 0x40 bytes.
  
=== Chain of Certificates ===
+
The contents are stored in the WAD in the same order as in the TMD. Each file is aligned to 0x40 bytes.
 
 
'''<span style="color: red;">It's recommended to read the [[certificate chain|Certificate chain]] article and using the header information instead of that info and constant offsets.</span>'''
 
 
 
{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em;"
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #cdc;" | '''Start'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccd;" | '''End'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccc;" | '''Length'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dcc;" | '''Description'''
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x040
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x043
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | signature type (0x00010001 RSA2048, 0x00010000 RSA4096)
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x044
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x143+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 256 for RSA2048 (d=0x000), 512 for RSA4096 (d=0x100)
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | signature
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x144+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x17F+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 60
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | zero filled
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x180+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x1BF+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 64
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | issuer
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x1C0+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x1C3+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | ? subject type (0x00000000, 0x00000001)
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x1C4+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x203+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 64
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | subject
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x204+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x307+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 260
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | ? public key
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x308+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x30B+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 4
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | ?? unknown (0x00010001)
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x30C+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x33F+d
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 52
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | zero filled
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | ...
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | ...
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | ...
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | ...
 
|}
 
 
 
=== Key and IV ===
 
 
 
'''<span style="color: red;">It's recommended to read the [[ticket|Ticket]] article and using the header information instead of that info and constant offsets.</span>'''
 
 
 
{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em;"
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #cdc;" | '''Start'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccd;" | '''End'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccc;" | '''Length'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dcc;" | '''Description'''
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x0bff
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x0c0e
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x0010
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | Encrypted title key (decrypt using the master key)
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x0c1c
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x0c23
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x0008
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | First 8 bytes of IV for title key decryption (last 8 bytes are zero)
 
|}
 
 
 
To obtain the title key, simply decrypt it using the master key and the given IV (last eight bytes zero, first eight bytes supplied).
 
 
 
Note: this is probably part of the TMD/ticket/whatever. I'm throwing the offsets here for now, since this is arguably the most important part for extraction purposes.
 
 
 
=== File Table ===
 
 
 
'''<span style="color: red;">It's recommended to read the [[TMD|Tmd file structure]] article and using the header information instead of that info and constant offsets.</span>'''
 
 
 
WAD files contain a number of "files" in them. The number of files can be obtained from the halfword (2 bytes) at 0xede. The table itself starts at 0xee4, and it is composed of a number of file entries:
 
 
 
{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em;"
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #cdc;" | '''Start'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccd;" | '''End'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ccc;" | '''Length'''
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dcc;" | '''Description'''
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x00
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x03
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x04
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | File number / ID
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x04
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x05
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x02
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | First 2 bytes of IV to decrypt contents (last 14 bytes are zero)
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x06
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x07
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x02
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | Flags ?
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x08
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x0B
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x04
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | Padding (zero)
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x0C
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x0F
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x04
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | File size
 
|- style="background-color: #ddd;"
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ded;" | 0x10
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #dde;" | 0x24
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #ddd;" | 0x14
 
| style="border: 1px solid #ccc; padding: 0.2em; background-color: #edd;" | SHA-1 sum of decrypted file
 
|}
 
  
The files are located after the file table, with their starts aligned to a 64 byte boundary. To read a file, skip bytes until the next 64 byte boundary (unless already at one), read the ''File size'' bytes rounded to the next 16 bytes (the AES block size), decrypt using AES (using the title key and the IV in the file table entry plus 14 zero bytes), and take filesize bytes from the result to create the output file. The SHA-1 sum of this should match the one in the file table.
+
The contents (Data section) are encrypted using the title key (decrypt it from the [[ticket]]) and the content index (in the TMD, the 2 first bytes of the IV are the index, the last 14 bytes are zeroes) as IV. The SHA1 of the decrypted content must match the hash that is stored in the TMD.
  
=== APP ===
+
In a hex editor, the beginning of any WAD will be 00 00 00 20 49 73. This can be useful to remove a WAD from an ELF file.
The "APP" block in the WAD is a block of encrypted data that contains the info that is actually used by the channel.
 
  
The contents in the APP are referenced by the TMD content table. The APP is aligned to 64 bytes after each file.
+
=== Footer ===
 +
The "footer" is an optional, unencrypted timestamp / buildstamp.
  
The files are encrypted using the title key (decrypt it from the [[ticket]]) and the file index (in the TMD, the 2 first bytes of the IV are the index, the last 14 bytes are zeroes) as IV.
 
  
=== Trailer ===
+
{{stub}}
The "trailer" is a copy of the first file in the APP.
+
[[Category:Software]]
 +
[[Category:File formats]]

Latest revision as of 20:00, 20 May 2019

This article is about Wii software packaging. For the data files used by Doom, see WiiDoom.

General info

The WAD file-format is a file-format that contains information for the Wii, such as System Menus, IOS's, and Channels.

Piracy

Unfortunately, WAD files are often used to distribute pirated channels (both Virtual Console and WiiWare), due to the fact that they are also used by Nintendo and therefore easy to rip from the Wii and, for some WAD files, Nintendo's servers, and easy to create installers for. Wiibrew does not in any way endorse piracy, and as such these uses of WAD files should not be discussed.

If you wish to discuss legitimate WAD files, please ensure you make clear which file you are talking about and what you will use it for, to prevent people jumping to conclusions about your intentions.

System Menu

WAD files are often installed in the Wii System Menu to appear as channels, making launching easier. If a WiiBrew app isn't installed as a channel, it can usually only be launched from the Homebrew Channel itself. WAD file creation seems to be an intricate process and tools are difficult to locate, and most are based on the .NET framework. Associated with WAD file generation are forwarders, which when loaded simply load another arbitrary application. A common technique is to use a somewhat generalized WAD that can be easily customized to then forward to another WiiBrew application stored on the SD card.

Wii System Channel WAD files exist for WiiMC, ftpii, and numerous others.

Forwarders are somewhat easier to locate, a common one being the Narolez-NForwarder, for which source exists and is easily modifiable. One WAD generation system that still appears to be active is the CRAP system that appears to be .NET based. The Wadder system also seemed to be .NET based but it appears abandoned. Although these tools are often associated with piracy, there are clearly legitimate uses for them as well.

The WAD files themselves contain either still images or a collection of images to be animated, as well as sound data. In addition there is a .DOL file for the program to be run when launched.

WAD Format

The data within a WAD file has the following format.

Thanks to Segher for his source.

Header

Start End Length Description
0x000 0x003 4 Header size = 0x0020
0x004 0x007 4 WAD Type ('Is\0\0' or 'ib\0\0' or 'Bk\0\0')
0x008 0x00B 4 Certificate chain size.
0x00C 0x00F 4 Reserved = 0
0x010 0x013 4 Ticket size
0x014 0x017 4 TMD size
0x018 0x01B 4 Data (APP) size
0x01C 0x01F 4 Footer size

The sections are stored in the WAD in the same order that in the header. Each block (header, sections) is aligned to 0x40 bytes.

The contents are stored in the WAD in the same order as in the TMD. Each file is aligned to 0x40 bytes.

The contents (Data section) are encrypted using the title key (decrypt it from the ticket) and the content index (in the TMD, the 2 first bytes of the IV are the index, the last 14 bytes are zeroes) as IV. The SHA1 of the decrypted content must match the hash that is stored in the TMD.

In a hex editor, the beginning of any WAD will be 00 00 00 20 49 73. This can be useful to remove a WAD from an ELF file.

Footer

The "footer" is an optional, unencrypted timestamp / buildstamp.