WAD files

From WiiBrew
Jump to navigation Jump to search

WAD Format

The data within a WAD file has the following format.

This page is horribly out of date. Expect an update when the dust of recent events settles.

NOTE: Recently updated, should the certificate/ticket/TMD data be deleted?.

Thanks to Segher for his source.


Start End Length Description
0x000 0x003 4 Header size = 0x0020
0x004 0x007 4 Header type (0x49730000 or 0x69620000)
0x008 0x00B 4 Certificate chain size.
0x00C 0x00F 4 Reserved = 0
0x010 0x013 4 Ticket size
0x014 0x017 4 TMD size
0x018 0x01B 4 APP size
0x01C 0x01F 4 Trailer size

The files are stored in the WAD in the same order that in the header. After each block (header, files), the file is aligned to 0x40 bytes.

Chain of Certificates

It's recommended to read the certificate chain article and using the header information instead of that info and constant offsets.

Start End Length Description
0x040 0x043 4 signature type (0x00010001 RSA2048, 0x00010000 RSA4096)
0x044 0x143+d 256 for RSA2048 (d=0x000), 512 for RSA4096 (d=0x100) signature
0x144+d 0x17F+d 60 zero filled
0x180+d 0x1BF+d 64 issuer
0x1C0+d 0x1C3+d 4 ? subject type (0x00000000, 0x00000001)
0x1C4+d 0x203+d 64 subject
0x204+d 0x307+d 260 ? public key
0x308+d 0x30B+d 4 ?? unknown (0x00010001)
0x30C+d 0x33F+d 52 zero filled
... ... ... ...

Key and IV

It's recommended to read the ticket article and using the header information instead of that info and constant offsets.

Start End Length Description
0x0bff 0x0c0e 0x0010 Encrypted title key (decrypt using the master key)
0x0c1c 0x0c23 0x0008 First 8 bytes of IV for title key decryption (last 8 bytes are zero)

To obtain the title key, simply decrypt it using the master key and the given IV (last eight bytes zero, first eight bytes supplied).

Note: this is probably part of the TMD/ticket/whatever. I'm throwing the offsets here for now, since this is arguably the most important part for extraction purposes.

File Table

It's recommended to read the TMD article and using the header information instead of that info and constant offsets.

WAD files contain a number of "files" in them. The number of files can be obtained from the halfword (2 bytes) at 0xede. The table itself starts at 0xee4, and it is composed of a number of file entries:

Start End Length Description
0x00 0x03 0x04 File number / ID
0x04 0x05 0x02 First 2 bytes of IV to decrypt contents (last 14 bytes are zero)
0x06 0x07 0x02 Flags ?
0x08 0x0B 0x04 Padding (zero)
0x0C 0x0F 0x04 File size
0x10 0x24 0x14 SHA-1 sum of decrypted file

The files are located after the file table, with their starts aligned to a 64 byte boundary. To read a file, skip bytes until the next 64 byte boundary (unless already at one), read the File size bytes rounded to the next 16 bytes (the AES block size), decrypt using AES (using the title key and the IV in the file table entry plus 14 zero bytes), and take filesize bytes from the result to create the output file. The SHA-1 sum of this should match the one in the file table.


The "APP" block in the WAD is a block of encrypted data that contains the info that is actually used.

The contents in the APP are referenced by the TMD content table. The APP is aligned to 64 bytes after each file.

The files are encrypted using the title key (decrypt it from the ticket) and the file index (in the TMD, the 2 first bytes of the IV are the index, the last 14 bytes are zeroes) as IV.


The "trailer" is a copy of the first file in the APP section. It's unencrypted.