The data within a WAD file has the following format.
This page is horribly out of date. Expect an update when the dust of recent events settles.
|0x000||0x003||4||Header size = 0x0020|
|0x004||0x007||4||Header type (0x49730000 or 0x69620000)|
|0x008||0x00B||4||Certificate chain size.|
|0x00C||0x00F||4||Reserved = 0|
|0x014||0x017||4||Tmd file structure size|
The files are stored in the WAD in the same order that in the header. After each block (header, files), the file is aligned to 0x40 bytes.
Chain of Certificates
|0x040||0x043||4||signature type (0x00010001 RSA2048, 0x00010000 RSA4096)|
|0x044||0x143+d||256 for RSA2048 (d=0x000), 512 for RSA4096 (d=0x100)||signature|
|0x1C0+d||0x1C3+d||4||? subject type (0x00000000, 0x00000001)|
|0x204+d||0x307+d||260||? public key|
|0x308+d||0x30B+d||4||?? unknown (0x00010001)|
Key and IV
|0x0bff||0x0c0e||0x0010||Encrypted title key (decrypt using the master key)|
|0x0c1c||0x0c23||0x0008||First 8 bytes of IV for title key decryption (last 8 bytes are zero)|
To obtain the title key, simply decrypt it using the master key and the given IV (last eight bytes zero, first eight bytes supplied).
Note: this is probably part of the TMD/ticket/whatever. I'm throwing the offsets here for now, since this is arguably the most important part for extraction purposes.
WAD files contain a number of "files" in them. The number of files can be obtained from the halfword (2 bytes) at 0xede. The table itself starts at 0xee4, and it is composed of a number of file entries:
|0x00||0x03||0x04||File number / ID|
|0x04||0x05||0x02||First 2 bytes of IV to decrypt contents (last 14 bytes are zero)|
|0x10||0x24||0x14||SHA-1 sum of decrypted file|
The files are located after the file table, with their starts aligned to a 64 byte boundary. To read a file, skip bytes until the next 64 byte boundary (unless already at one), read the File size bytes rounded to the next 16 bytes (the AES block size), decrypt using AES (using the title key and the IV in the file table entry plus 14 zero bytes), and take filesize bytes from the result to create the output file. The SHA-1 sum of this should match the one in the file table.