The data within a WAD file has the following format.
This page is horribly out of date. Expect an update when the dust of recent events settles.
NOTE: Recently updated, should the certificate/ticket/TMD data be deleted?.
Thanks to Segher for his source.
|0x000||0x003||4||Header size = 0x0020|
|0x004||0x007||4||Header type (0x49730000 or 0x69620000)|
|0x008||0x00B||4||Certificate chain size.|
|0x00C||0x00F||4||Reserved = 0|
|0x014||0x017||4||Tmd file structure size|
The files are stored in the WAD in the same order that in the header. After each block (header, files), the file is aligned to 0x40 bytes.
Chain of Certificates
It's recommended to read the certificate chain article and using the header information instead of that info and constant offsets.
|0x040||0x043||4||signature type (0x00010001 RSA2048, 0x00010000 RSA4096)|
|0x044||0x143+d||256 for RSA2048 (d=0x000), 512 for RSA4096 (d=0x100)||signature|
|0x1C0+d||0x1C3+d||4||? subject type (0x00000000, 0x00000001)|
|0x204+d||0x307+d||260||? public key|
|0x308+d||0x30B+d||4||?? unknown (0x00010001)|
Key and IV
It's recommended to read the ticket article and using the header information instead of that info and constant offsets.
|0x0bff||0x0c0e||0x0010||Encrypted title key (decrypt using the master key)|
|0x0c1c||0x0c23||0x0008||First 8 bytes of IV for title key decryption (last 8 bytes are zero)|
To obtain the title key, simply decrypt it using the master key and the given IV (last eight bytes zero, first eight bytes supplied).
Note: this is probably part of the TMD/ticket/whatever. I'm throwing the offsets here for now, since this is arguably the most important part for extraction purposes.
It's recommended to read the TMD article and using the header information instead of that info and constant offsets.
WAD files contain a number of "files" in them. The number of files can be obtained from the halfword (2 bytes) at 0xede. The table itself starts at 0xee4, and it is composed of a number of file entries:
|0x00||0x03||0x04||File number / ID|
|0x04||0x05||0x02||First 2 bytes of IV to decrypt contents (last 14 bytes are zero)|
|0x10||0x24||0x14||SHA-1 sum of decrypted file|
The files are located after the file table, with their starts aligned to a 64 byte boundary. To read a file, skip bytes until the next 64 byte boundary (unless already at one), read the File size bytes rounded to the next 16 bytes (the AES block size), decrypt using AES (using the title key and the IV in the file table entry plus 14 zero bytes), and take filesize bytes from the result to create the output file. The SHA-1 sum of this should match the one in the file table.
The "APP" block in the WAD is a block of encrypted data that contains the info that is actually used.
The contents in the APP are referenced by the TMD content table. The APP is aligned to 64 bytes after each file.
The files are encrypted using the title key (decrypt it from the ticket) and the file index (in the TMD, the 2 first bytes of the IV are the index, the last 14 bytes are zeroes) as IV.
The "trailer" is a copy of the first file in the APP section. It's unencrypted.