The data within a WAD file has the following format.
(TO BE CONTINUED)
|0x000||0x003||4||?? Header size = 0x0020|
Chain of Certificates
|0x040||0x043||4||signature type (0x00010001 RSA2048, 0x00010000 RSA4096)|
|0x044||0x143||256 for RSA2048 (d=0x000), 512 for RSA4096 (d=0x100)||signature|
|0x1C0+d||0x1C3+d||4||? subject type (0x00000000, 0x00000001)|
|0x204+d||0x307+d||260||? public key|
|0x308+d||0x30B+d||4||?? unknown (0x00010001)|
Key and IV
|0x0bff||0x0c0e||0x0010||Encrypted title key (decrypt using the master key)|
|0x0c1c||0x0c23||0x0008||First 8 bytes of IV for title key decryption (last 8 bytes are zero)|
Note: this is probably part of the TMD/ticket/whatever. I'm throwing the offsets here for now, since this is arguably the most important part for extraction purposes.
WAD files contain a number of "files" in them. The number of files can be obtained from the halfword (2 bytes) at 0xede. The table itself starts at 0xee4, and it is composed of a number of file entries:
|0x00||0x03||0x04||File number / ID|
|0x04||0x05||0x02||First 2 bytes of IV to decrypt contents (last 14 bytes are zero)|
|0x10||0x24||0x14||SHA-1 sum of decrypted file|
The files are located after the file table, with their starts aligned to a 64 byte boundary. To read a file, skip bytes until the next 64 byte boundary (unless already at one), read the File size bytes rounded to the next 16 bytes (the AES block size), decrypt using AES (using the title key and the IV in the file table entry plus 14 zero bytes), and take filesize bytes from the result to create the output file. The SHA-1 sum of this should match the one in the file table.