In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

Wii disc


This article describes the logical layout of data on a Wii disc.

Differences from DVD

Wii discs are mainly DVD-based; however, to prevent piracy, they have a number of marks in their BCA, effectively nulling out those regions. All data is therefore written around these marks, which also makes the discs incompatible with normal drives.

The GameCube and Wii check for these marks on disc boot by checking for null regions. Homebrew discs can therefore identify as Wii discs by nulling out these regions through software, although some software may need modification to avoid warning messages. Freeloader exploited this to not require a drivechip.

XOR encryption is done using the discId and a random seed by the disc controller firmware (Panasonic MN103S); the BCA check is done by the system controller (MN102H).

Data Frame

   u32 id; // PSN(Physical Sector Number)
   u16 ied; // ID Error Detection Code, CRC16
   u8 userdata[2048]; // Sector Data
   u8 cpr_mai[6]; // Copyright Management Information(Not used)
   u32 edc; // Error Detection Code, CRC32
   // 2064B

RandomKeys

   0: 3
   1: 48
   2: 32512
   3: 28673
   4: 6
   5: 69
   6: 32256
   7: 24579
   8: 12
   9: 192
   10: 31744
   11: 16391
   12: 24
   13: 384
   14: 30720
   15: 15

DiscId

   char gamecode[4];
   char makercode[2];
   u8 diskNumber;
   u8 version;
   u8 streaming;
   u8 streamingBufferSize;
   u8 pad[14];
   u32 gcMagic;
   u32 rvlMagic;

Burst Cutting Area

   // UserData(unencrypted), 64B
   u8 optionalInfo[52];
   u8 manufacturer[2];
   u8 recorderDevice[2];
   u8 bcaSerial;
   u8 discDate[2];
   u8 discTime[2];
   u8 discNumber[3];
   // SecureData(unencrypted), 12B
   u8 key[8];
   u8 id[4];
   // AuthenticationData(encrypted), 48B
   u64 psn[6]; // 6 sector locations
   // 188B

Disc Physical Format

   // Leadin Area
   PhysicalFormatInfo pfi;
   DiscManufacturingInfo dmi;

PhysicalFormatInfo

   u8 reversed[6];
   u8 discMagic; // value is -1.
   u8 discSizeMinTransferRate; // The value is fixed on 16.
   u8 discStructure; // The value is fixed on 1.
   u8 recordedDensity; // The value is fixed on 1.
   DataAreaAllocation m_dataAreaAllocation;
   u8 reversed2[2026];
   u8 reversed3[6];

DiscManufacturingInfo

   u8 reversed[6];
   u8 unknown1[6];
   u8 randomNumber2[6];
   u8 unknown2[6];
   u8 randomNumber3[6];
   char mediaId[19]; // "Nintendo Game Disk"
   u8 randomNumber4[6];
   u8 bookTypePartVersion; // value must be 1.
   u8 discSizeMinReadoutRate; // The value is fixed on 16.
   u8 discStructure; // The value is fixed on 1.
   u8 recordedDensity; // The value is fixed on 0.
   DataAreaAllocation dataAreaAllocation;
   u8 bcaDescriptor; // The value is fixed on 128.
   u8 reversed2[1983];
   u8 reversed3[6];

DataAreaAllocation

   u8 reversed;
   u16 startSector; // 196608
   u8 reversed2;
   u16 endSector; // 909487
   u8 reversed3[3];
   // 12B

"System Area"

| Start | Size | Name | Description |
|---|---|---|---|
| 0x00000 | 1024 | header | |
| 0x40000 | >=120 | Partitions information | |
| 0x4E000 | 32 | Region setting | |
| 0x4FFFC | 4 | Magic (0xC3F81A8E) | |

Header

The first 0x400 bytes are like the GameCube disc header format.

| Start | Size | Name | Typical Value | Description |
|---|---|---|---|---|
| 0x000 | 1 | Disc ID | | Wiidisc IDs |
| 0x001 | 2 | Game code | | |
| 0x003 | 1 | Region code | | 'D' = German ; 'E' = USA ; 'F' = France ; 'I' = Italy ; 'J' = Japan ; 'K' = Korea ; 'P' = PAL ; 'R' = Russia ; 'S' = Spanish ; 'T' = Taiwan ; 'U' = Australia |
| 0x004 | 2 | Maker code | | |
| 0x006 | 1 | Disc number | 0x00 | Used in multi-disc games |
| 0x007 | 1 | Disc version | | |
| 0x008 | 1 | Audio streaming | 0 | 0: Streaming disabled, nonzero: streaming enabled. No Wii game uses streaming.[check] |
| 0x009 | 1 | Streaming buffer size | 0 | Buffer size for audio streaming, only used when streaming is enabled. 0 uses the default value, which is 10. |
| 0x00A | 14 | | 0x00 | unused? |
| 0x018 | 4 | Wii Magicword | 0x5D1C9EA3 | Identifies Disc as Wii. Present on Wii discs, zero on Gamecube discs. |
| 0x01C | 4 | Gamecube Magicword | 0xC2339F3D | Identifies Disc as Gamecube. Present on Gamecube discs, zero on Wii discs. |
| 0x020 | 64 | Game title | | Though most docs claim it to be 0x400, the Wii only reads 0x44, which will be padded by the DI driver to 0x60. |
| 0x060 | 1 | Disable hash verification | | On retail consoles, this makes all disc reads fail even before they reach the DVD drive. |
| 0x061 | 1 | Disable disc encryption and h3 hash table loading and verification | | On retail consoles, this effectively also makes all disc reads fail because the h2 hashes won't be able to verify against "something" that will be in the memory of the h3 hash table. Neither of these two bytes will allow unsigned code on retail consoles. |
| 0x080 | 380 | Padding | 0x00 | |

Partitions information

The Wii disc format uses partitions. Mostly, the first is used for updates, the second for the game, and the third for channels such as the Wii Fit Channel.

| Start | Size | Description |
|---|---|---|
| 0x40000 | 4 | Total partitions in the disc |
| 0x40004 | 4 | Partition info table offset, Address is (value << 2) |
| 0x40008 | 4 | Total 2nd partitions in the disc (optional) |
| 0x4000C | 4 | Partition info table offset, Address is (value << 2) |
| 0x40010 | 4 | Total 3rd partitions in the disc (optional) |
| 0x40014 | 4 | Partition info table offset, Address is (value << 2) |
| 0x40018 | 4 | Total 4th partitions in the disc (optional) |
| 0x4001C | 4 | Partition info table offset, Address is (value << 2) |

Partition table entry

| Start | Size | Description |
|---|---|---|
| 0x0 | 4 | Partition offset, Address is (value << 2) |
| 0x4 | 4 | Type: 0 for a Data partition, 1 for an Update partition, 2 for a Channel installer. The demonstration VC titles on Super Smash Brothers Brawl use the ASCII title ID. |
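
The header and partition tables above, parsed with bounds checks so a malformed image fails cleanly. This is an added example, not WiiBrew's code; it assumes big-endian fields (the page does not state byte order), and `make_sample` builds a constructed image prefix with a hypothetical game ID.

```python
import struct

WII_MAGIC, GC_MAGIC = 0x5D1C9EA3, 0xC2339F3D
PART_TYPES = {0: "data", 1: "update", 2: "channel installer"}

def parse_header(img):
    """Decode the disc header fields listed in the Header table."""
    if len(img) < 0x62:
        raise ValueError("image too short for a disc header")
    wii, gc = struct.unpack_from(">II", img, 0x18)   # big-endian (assumption)
    text = lambda b: bytes(b).split(b"\0")[0].decode("ascii", "replace")
    return {
        "disc_id": text(img[0:1]), "game_code": text(img[1:3]),
        "region": text(img[3:4]), "maker": text(img[4:6]),
        "disc_number": img[6], "version": img[7],
        "is_wii": wii == WII_MAGIC, "is_gamecube": gc == GC_MAGIC,
        "title": text(img[0x20:0x60]),
        "hash_check_disabled": img[0x60] != 0,
        "encryption_disabled": img[0x61] != 0,
    }

def parse_partitions(img):
    """Walk the four (count, table offset >> 2) pairs at 0x40000."""
    if len(img) < 0x40020:
        raise ValueError("image too short for partition information")
    parts = []
    for group in range(4):
        count, table = struct.unpack_from(">II", img, 0x40000 + 8 * group)
        table <<= 2
        if table + 8 * count > len(img):
            raise ValueError(f"partition table {group} runs past the image")
        for i in range(count):
            offset, ptype = struct.unpack_from(">II", img, table + 8 * i)
            # Types outside 0..2 are shown as the ASCII title ID the page mentions.
            kind = PART_TYPES.get(ptype) or struct.pack(">I", ptype).decode("ascii", "replace")
            parts.append({"group": group, "offset": offset << 2, "type": kind})
    return parts

def make_sample():
    """Constructed image prefix (not from a real disc) for trying the parser."""
    img = bytearray(0x40040)
    img[0:8] = b"RZZE01\x00\x00"                 # hypothetical ID and maker code
    struct.pack_into(">I", img, 0x18, WII_MAGIC)
    img[0x20:0x2B] = b"SAMPLE DISC"
    struct.pack_into(">II", img, 0x40000, 2, 0x40020 >> 2)
    struct.pack_into(">IIII", img, 0x40020, 0x50000 >> 2, 1, 0xF800000 >> 2, 0)
    return bytes(img)
```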

Region setting

| Start | Size | Name | Description |
|---|---|---|---|
| 0x4E000 | 4 | Region byte | 0 = JAP/CHT (Taiwan), 1 = USA, 2 = PAL, 4 = KOR |
| 0x4E004 | 12 | | |
| 0x4E010 | 1 | Japan/Taiwan | Age Rating byte. Indicates the Age Rating for a Wiidisc |
| 0x4E011 | 1 | USA | |
| 0x4E012 | 1 | | |
| 0x4E013 | 1 | Germany | Age Rating byte. Indicates the Age Rating for a Wiidisc |
| 0x4E014 | 1 | PEGI | |
| 0x4E015 | 1 | Finland | |
| 0x4E016 | 1 | Portugal | |
| 0x4E017 | 1 | Britain | |
| 0x4E018 | 1 | Australia | |
| 0x4E019 | 1 | Korea | |
| 0x4E01A | 6 | | |

Partition

Each partition starts with a Ticket, followed by the TMD, followed by three certificates.

Offset 0x00000000 is considered as the start of the partition.

The offset of the actual partition data is 0x00020000 for normal discs and 0x00008000 for unencrypted discs (discs where 0x61 in the header is non-zero).

| Start | Size | Description |
|---|---|---|
| 0x00000000 | 0x2A4 | Ticket |
| 0x000002A4 | 4 | TMD size |
| 0x000002A8 | 4 | TMD offset >> 2 |
| 0x000002AC | 4 | Cert chain size |
| 0x000002B0 | 4 | Cert chain offset >> 2 |
| 0x000002B4 | 4 | Offset to the H3 table >> 2 (size is always 0x18000) |
| 0x000002B8 | 4 | Data offset >> 2 |
| 0x000002BC | 4 | Data size >> 2 |
| 0x000002C0 | varies | TMD |
| varies | varies | Partition Data |

Partition Data

Encrypted

For discs where 0x61 in the disc header is non-zero, skip this section and go to the Decrypted section. (Such discs don't work on retail consoles.)

Partition data is encrypted using a key, which can be obtained from the partition header and the master key. The actual partition data starts at an offset into the partition (normally 0x20000), and it is formatted in "clusters" of size 0x8000 (32k). Each cluster consists of 0x400 bytes of encrypted SHA-1 hash data, followed by 0x7C00 bytes of encrypted user data. The 0x400 bytes of SHA-1 data are encrypted using AES-128-CBC, with the partition key and a null (all zeroes) IV. Clusters are aggregated into subgroups of 8 clusters, and 8 subgroups are aggregated into one group of 64 clusters. The plaintext format of the hash data is as follows:

| Start | End | Length | Description |
|---|---|---|---|
| 0x000 | 0x26B | 0x26C | 31 SHA-1 hashes ("H0", 20 bytes each), one for each block of 0x400 bytes of the decrypted user data for this cluster. |
| 0x26C | 0x27F | 0x014 | 20 bytes of 0x00 padding |
| 0x280 | 0x31F | 0x0A0 | 8 SHA-1 hashes ("H1"), one for each cluster in this subgroup. Each hash is of the 0x000-0x26B bytes, that is, of the 31 hashes above. This means that each cluster carries a hash of the data cluster hashes for each of the clusters in its subgroup. Every cluster in the subgroup has identical data in this section. |
| 0x320 | 0x33F | 0x020 | 32 bytes of 0x00 padding |
| 0x340 | 0x3DF | 0x0A0 | 8 SHA-1 hashes ("H2"), one for each subgroup in this group. Each hash is of the 0x280-0x31F bytes above. This means that each cluster carries a hash of the subgroup hash data for each of the subgroups in its group. All 64 clusters in a group have identical data in this section. Bytes 0x3D0-0x3DF here, when encrypted, serve as the IV for the user data. |
| 0x3E0 | 0x3FF | 0x020 | 32 bytes of 0x00 padding |

If you're having trouble seeing how this works, here's the algorithm:

  • For every 0x400 bytes of user data (plaintext), apply SHA-1. Store the resulting table of hashes.
  • Aggregate 8 clusters. Apply SHA-1 to the table of data hashes that you've just created above for every cluster, and build a table of the resulting 8 hashes. Store this table in each of the 8 clusters.
  • Aggregate 8 subgroups (64 clusters). Apply SHA-1 to the table of hashes of each subgroup (note that every cluster in the subgroup shares this, so you only compute the SHA-1 once per subgroup). Build a table, and store a copy of this table into every one of the 64 clusters.

Finally, the global hash table ("H3"; which the partition header points to) contains the SHA-1 hash of the last table of each group in the partition. This table is not encrypted, but it is signed. To build it, take bytes 0x340-0x3DF from any sector in each group in the partition, apply SHA-1, and simply store all of the resulting hashes consecutively. All in all, each sector includes enough information to trace itself back to the master SHA-1 hash table. As a result, the entire partition is effectively signed. If anything is changed, the Wii will immediately crash (if the master hash table has been updated), or it will crash when it reads any sector in the modified group (if the group tables have been updated), any sector in the modified subgroup (if the subgroup tables have been updated), or any modified sector if no SHA-1s were updated.

The signature is stored in the TMD. The TMDs for the partition always have one content. The type of that content has been 1, 2, or 3, although the type does not seem to be read. The SHA-1 hash is the SHA-1 of the entire 0x18000 bytes of the hash table. The TMD is signed using Nintendo's private key, which makes it basically impossible to run modified discs. Trucha Signer uses the signing bug to bypass the TMD signature checking, so the SHA-1 hash of the master table can be updated, and modified discs can be booted.

To decrypt the user data at 0x0400-0x7FFF, again use the partition key, but this time take the IV from bytes 0x3D0-0x3DF in the encrypted SHA-1 block.
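
The H0/H1/H2/H3 chain described above, as an added example that is not part of the original article: it builds the hash blocks for one group of already-decrypted clusters and reports the level at which a cluster stops verifying. The function names and the SHAKE-generated filler data are assumptions made here, and the AES-128-CBC step is left out.

```python
import hashlib

DATA, BLOCK = 0x7C00, 0x400            # user data per cluster, size of one H0 block
H0, H1, H2 = slice(0x000, 0x26C), slice(0x280, 0x320), slice(0x340, 0x3E0)

def sha1(b):
    return hashlib.sha1(b).digest()

def build_group(user_data):
    """Lay out 64 plaintext clusters for one group; return (clusters, H3 entry)."""
    if len(user_data) != 64 * DATA:
        raise ValueError("a group holds exactly 64 * 0x7C00 bytes of user data")
    datas = [user_data[i * DATA:(i + 1) * DATA] for i in range(64)]
    h0 = [b"".join(sha1(d[j:j + BLOCK]) for j in range(0, DATA, BLOCK)) for d in datas]
    h1 = [b"".join(sha1(t) for t in h0[s * 8:s * 8 + 8]) for s in range(8)]
    h2 = b"".join(sha1(t) for t in h1)
    clusters = []
    for i, d in enumerate(datas):
        hb = bytearray(0x400)           # the padding ranges stay 0x00
        hb[H0], hb[H1], hb[H2] = h0[i], h1[i // 8], h2
        clusters.append(bytes(hb) + d)
    return clusters, sha1(h2)

def verify_cluster(cluster, index, h3_entry):
    """Return None if the cluster chains up to h3_entry, else the failing level."""
    if len(cluster) != 0x8000:
        raise ValueError("a cluster is 0x8000 bytes")
    hb, data = cluster[:0x400], cluster[0x400:]
    for j in range(31):
        if sha1(data[j * BLOCK:(j + 1) * BLOCK]) != hb[j * 20:j * 20 + 20]:
            return "H0"
    pos, sub = index % 8, (index // 8) % 8   # slot in subgroup, subgroup in group
    if sha1(hb[H0]) != hb[H1][pos * 20:pos * 20 + 20]:
        return "H1"
    if sha1(hb[H1]) != hb[H2][sub * 20:sub * 20 + 20]:
        return "H2"
    return None if sha1(hb[H2]) == h3_entry else "H3"

def sample_data():
    """Constructed, deterministic filler standing in for decrypted user data."""
    return hashlib.shake_128(b"constructed sample").digest(64 * DATA)

if __name__ == "__main__":
    clusters, h3 = build_group(sample_data())
    bad = bytearray(clusters[10]); bad[0x400] ^= 1      # flip one user-data bit
    print(verify_cluster(clusters[10], 10, h3), verify_cluster(bytes(bad), 10, h3))
```

A cluster whose data was changed fails at H0; if its H0 table is recomputed as well, the failure moves up to H1, which mirrors the cascade the article describes.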

Decrypted

Once the Partition Data is decrypted (or if it was stored unencrypted to begin with), it follows the same formatting as a Gamecube disc for the most part.

| Start | Size | Description |
|---|---|---|
| 0x00000 | 1024 | Same format as the main disc header, except bytes 0x60 and 0x61 are set to 0x01. |
| 0x00420 | 4 | Pointer to the Main DOL, Address is (value << 2) |
| 0x00424 | 4 | Pointer to the File System start, Address is (value << 2) |
| 0x00428 | 4 | File System Size |
| 0x0042C | 4 | Max File System Size |
| 0x02440 | 4 | Pointer to the apploader |

Update partition

The update partition has a TMD title ID of .UPE, and includes an __update.inf in the root, which describes the locations of the WAD files elsewhere.

| Start | Size | Description |
|---|---|---|
| 0x00 | 16 | Timestamp |
| 0x10 | 4 | Number of titles to update on newer discs, all 0 on older discs |
| 0x14 | 12 | Padding (all 0) |
| 0x20 | varies | Update entries (see struct below) |

Update entry

| Start | Size | Description |
|---|---|---|
| 0x000 | 4 | Type |
| 0x004 | 4 | Attribute |
| 0x008 | 8 | Unknown |
| 0x010 | 64 | Path to WAD |
| 0x050 | 8 | Title ID |
| 0x058 | 2 | Title version |
| 0x05a | 64 | Name |
| 0x09a | 64 | Info |
| 0x0da | 288 | Padding (all 0) |

Known Wii discs

On the Title Database you can find some info about different game discs.

Methods to boot a disc

As far as we know there are 2 methods to boot a game.

Method 1 is R (manual boot)
Method 2 is 0 (autoboot)

The Wii BootMe tool (created by CorteX) lets you change the way Wii images boot.