Difference between revisions of "CMD"

Revision as of 03:46, 11 December 2018

A content metadata or CMD is a file or structure used to store data about an iQue app, such as encryption keys, its access to secure kernel calls, and its access to various hardware. It is used on its own in SKSA (where SA1 and SA2 both have their own attached CMD) and also contained as part of every ticket.

Format

A CMD consists of two parts: contentDesc, an optional 0x2800-byte long structure containing information about a game such as its save type, title, and thumbnail image; and BbContentMetaDataHead. The former is not used in the content metadata for SAs.

contentDesc

Offset	Length	Type	Information
0x00	0x04	uint32	EEPROM RDRAM location (typically 0x807C0000, 0 if unused)
0x04	0x04	uint32	EEPROM size (either 0x200 or 0x800)
0x08	0x04	uint32	Flash RDRAM location (typically 0x807C0000, 0 if unused)
0x0C	0x04	uint32	Flash size (0x20000 if used)
0x10	0x04	uint32	SRAM RDRAM location (typically 0x807C0000, 0 if unused)
0x14	0x04	uint32	SRAM size (0x8000 if used)
0x18	0x04	uint32	Controller Pak 0 RDRAM location (could be 0x807C0000 or 0x807C0000, 0 if unused)
0x1C	0x04	uint32	Controller Pak 1 RDRAM location (0 if unused)
0x20	0x04	uint32	Controller Pak 2 RDRAM location (0 if unused)
0x24	0x04	uint32	Controller Pak 3 RDRAM location (0 if unused)
0x28	0x04	uint32	Controller Pak size (0x8000 when used)
0x2C	0x04	uint32	Probably osRomBase (always 0xB0000000?)
0x30	0x04	uint32	Probably osTvType (always 1? which is for NTSC)
0x34	0x04	uint32	Probably osMemSize (always 0x400000? for no expansion pak)
0x38	0x04	uint32	Unknown, possibly another libultra boot param
0x3C	0x04	uint32	Unknown, possibly another libultra boot param
0x40	0x03	chars	"CAM", unknown purpose
0x43	0x01	byte	Number of ".u0x" files for this game?
0x44	0x02	uint16	Thumb image length (can't be more than 0x4000, decompressed size must be exactly 0x1880)
0x46	0x02	uint16	Title image length (can't be more than 0x10000, how exactly would that even fit?)
0x48	Thumb image length	bytes	DEFLATE-compressed thumb image RGBA5551 (56px * 56px)
0x48 + Thumb image length	Title image length	bytes	DEFLATE-compressed title image RGBA5551 (184px * 24px)
0x48 + Thumb image length + Title image length	0x27B8 - image lengths	chars	Title name + ISBN

BbContentMetaDataHead

Offset	Length	Type	Description	Information
0x2800	0x04	uint32	unusedPadding	padding
0x2804	0x04	uint32	caCrlVersion	Certificate Authority(?) CRL version
0x2808	0x04	uint32	cpCrlVersion	Content Protection(?) CRL version
0x280C	0x04	uint32	size	Size (in bytes) of the associated app
0x2810	0x04	uint32	descFlags	Seemingly unused/unchecked; bit 0 set if the associated app is SA
0x2814	0x10	uint8[16]	commonCmdIv	titlekey_iv; IV used to encrypt title key (with common key)
0x2824	0x14	uint8[20]	hash	SHA-1 hash of the plaintext of the associated app
0x2838	0x10	uint8[16]	iv	content_iv; IV used to encrypt content
0x2848	0x04	uint32	execFlags	Despite the name, only one use/flag is known: if bit 1 is set (the "recrypt flag"), the associated app will be re-encrypted on first launch
0x284C	0x04	uint32	hwAccessRights	bitfield, each bit enables access to some MMIO regs new to iQue Player: bits 0-7: new PI stuff bit 0: PI buffer used for aes/NAND read output and PI DMA (1KB at PI_BASE+0x10000) bit 1: NAND flash regs in PI bit 2: memory mapper for old PI dma bit 3: hardware AES-engine in PI bit 4: new PI dma engine, DMAs from/to PI buffer bit 5: new GPIO; power + LED bit 6: external IO bus stuff (debug?) bit 7: new PI error stuff bit 8: enables access to USB regs bit 9: enables access to internal ram used for SK stack (0x0000 for games except for Animal Forest which is 0x0033, 0x0013 for iQue Club, 0x01F7/0x01B3 for SA)
0x2850	0x04	uint32	secureKernelRights	Which secure kernel calls the associated app can use, one bit per syscall: bit 0 allows SKC 0, etc.
0x2854	0x04	uint32	bbid	If not zero, can only be run on the specified console (used for SAs, not games)
0x2858	0x40	uint8[64]	issuer	Certificate used to sign the cmd
0x2898	0x04	uint32	id	Content ID of the associated app
0x289C	0x10	uint8[16]	key	The associated app's title key. It is encrypted once with the common key. If the associated app is not an SA, then it is encrypted again with a key derived using the result of ECDH with the console's private key in the Virage2 and the public key in the app's ticket.
0x28AC	0x100	uint8[256]	contentMetaDataSign	RSA-2048 signature over all of the above, but before the title key is encrypted a second time.

Difference between revisions of "CMD"

Revision as of 03:46, 11 December 2018

Format

contentDesc

BbContentMetaDataHead

Navigation menu

Search

@@ Line 1: / Line 1: @@
-An iQue '''Content MetaData (CMD)''' is used to store data about a piece of content, such as the size, hash and ID. It's used as part of the [[SKSA]] (for info about the SA1/SA2) and also used as part of the [[Title Data]] structure (for info about the game title).
+A '''content metadata''' or '''CMD''' is a file or structure used to store data about an iQue app, such as encryption keys, its access to secure kernel calls, and its access to various hardware. It is used on its own in [[SKSA]] (where SA1 and SA2 both have their own attached CMD) and also contained as part of every [[ticket]].
-Each ticket is signed via RSA-2048 using a CP (content protection?) certificate.
 == Format ==
-The CMD format is similar to a [http://wiibrew.org/wiki/Ticket Wii ticket], though it seems the structure was reworked sometime between the iQue and Wii.
+A CMD consists of two parts: '''contentDesc''', an optional 0x2800-byte long structure containing information about a game such as its save type, title, and thumbnail image; and '''BbContentMetaDataHead'''. The former is not used in the content metadata for SAs.
+=== contentDesc ===
 {| class="wikitable"
 |-
@@ Line 11: / Line 10: @@
 ! Length
 ! Type
-! Description
 ! Information
 |-
-| 0x0
+| 0x00
-| 0x8
+| 0x04
-| bytes
+| uint32
-| ca_crl_version
+| EEPROM RDRAM location (typically 0x807C0000, 0 if unused)
-| Unknown (always 0?)
+|-
+| 0x04
+| 0x04
+| uint32
+| EEPROM size (either 0x200 or 0x800)
 |-
-| 0x8
+| 0x08
-| 0x4
+| 0x04
-| int32
+| uint32
-| cmd_crl_version
+| Flash RDRAM location (typically 0x807C0000, 0 if unused)
-| Unknown (always 1?)
 |-
-| 0xC
+| 0x0C
-| 0x4
+| 0x04
 | uint32
-| content_size
+| Flash size (0x20000 if used)
-| Content Size
 |-
 | 0x10
-| 0x4
+| 0x04
-| int32
+| uint32
-| unused_flags
+| SRAM RDRAM location (typically 0x807C0000, 0 if unused)
-| bit 0 on if SA; nothing checks it though
 |-
 | 0x14
+| 0x04
+| uint32
+| SRAM size (0x8000 if used)
+|-
+| 0x18
+| 0x04
+| uint32
+| Controller Pak 0 RDRAM location (could be 0x807C0000 or 0x807C0000, 0 if unused)
+|-
+| 0x1C
+| 0x04
+| uint32
+| Controller Pak 1 RDRAM location (0 if unused)
+|-
+| 0x20
+| 0x04
+| uint32
+| Controller Pak 2 RDRAM location (0 if unused)
+|-
+| 0x24
+| 0x04
+| uint32
+| Controller Pak 3 RDRAM location (0 if unused)
+|-
+| 0x28
+| 0x04
+| uint32
+| Controller Pak size (0x8000 when used)
+|-
+| 0x2C
+| 0x04
+| uint32
+| Probably osRomBase (always 0xB0000000?)
+|-
+| 0x30
+| 0x04
+| uint32
+| Probably osTvType (always 1? which is for NTSC)
+|-
+| 0x34
+| 0x04
+| uint32
+| Probably osMemSize (always 0x400000? for no expansion pak)
+|-
+| 0x38
+| 0x04
+| uint32
+| Unknown, possibly another libultra boot param
+|-
+| 0x3C
+| 0x04
+| uint32
+| Unknown, possibly another libultra boot param
+|-
+| 0x40
+| 0x03
+| chars
+| "CAM", unknown purpose
+|-
+| 0x43
+| 0x01
+| byte
+| Number of ".u0x" files for this game?
+|-
+| 0x44
+| 0x02
+| uint16
+| Thumb image length (can't be more than 0x4000, decompressed size must be exactly 0x1880)
+|-
+| 0x46
+| 0x02
+| uint16
+| Title image length (can't be more than 0x10000, how exactly would that even fit?)
+|-
+| 0x48
+| ''Thumb image length''
+| bytes
+| DEFLATE-compressed thumb image RGBA5551 (56px * 56px)
+|-
+| 0x48 + ''Thumb image length''
+| ''Title image length''
+| bytes
+| DEFLATE-compressed title image RGBA5551 (184px * 24px)
+|-
+| 0x48 + ''Thumb image length'' + ''Title image length''
+| 0x27B8 - image lengths
+| chars
+| Title name + ISBN
+|}
+=== BbContentMetaDataHead ===
+{| class="wikitable"
+|-
+! Offset
+! Length
+! Type
+! Description
+! Information
+|-
+| 0x2800
+| 0x04
+| uint32
+| unusedPadding
+| padding
+|-
+| 0x2804
+| 0x04
+| uint32
+| caCrlVersion
+| Certificate Authority(?) CRL version
+|-
+| 0x2808
+| 0x04
+| uint32
+| cpCrlVersion
+| Content Protection(?) CRL version
+|-
+| 0x280C
+| 0x04
+| uint32
+| size
+| Size (in bytes) of the associated app
+|-
+| 0x2810
+| 0x04
+| uint32
+| descFlags
+| Seemingly unused/unchecked; bit 0 set if the associated app is SA
+|-
+| 0x2814
 | 0x10
-| bytes
+| uint8[16]
-| titlekey_iv
+| commonCmdIv
-| IV used to encrypt titlekey (with common key)
+| titlekey_iv; IV used to encrypt title key (with common key)
 |-
-| 0x24
+| 0x2824
 | 0x14
-| bytes
+| uint8[20]
-| content_hash
+| hash
-| sha1 hash of plaintext content
+| SHA-1 hash of the plaintext of the associated app
 |-
-| 0x38
+| 0x2838
 | 0x10
-| bytes
+| uint8[16]
-| content_iv
+| iv
-| IV used to encrypt content
+| content_iv; IV used to encrypt content
 |-
-| 0x48
+| 0x2848
-| 0x4
+| 0x04
-| int32
+| uint32
-| recrypt_flag
+| execFlags
-| if bit 1 on, content will be re-encrypted on first launch, using console-unique key stored in Virage2 in the SoC
+| Despite the name, only one use/flag is known: if bit 1 is set (the "recrypt flag"), the associated app will be re-encrypted on first launch
 |-
-| 0x4C
+| 0x284C
-| 0x4
+| 0x04
-| int32
+| uint32
-| allowed_hardware
+| hwAccessRights
 | bitfield, each bit enables access to some MMIO regs new to iQue Player:
 * bits 0-7: new PI stuff
@@ Line 78: / Line 207: @@
 * bit 8: enables access to USB regs
 * bit 9: enables access to internal ram used for SK stack
-(0 for games, 0x13 for iQue Club, 0x1F7/0x1B3 for SA)
+(0x0000 for games except for Animal Forest which is 0x0033, 0x0013 for iQue Club, 0x01F7/0x01B3 for SA)
 |-
-| 0x50
+| 0x2850
-| 0x4
+| 0x04
-| int32
+| uint32
-| allowed_secure_kernel_calls
+| secureKernelRights
-| one bit per syscall bit 0 allows skc 0, etc.
+| Which [[SKC|secure kernel calls]] the associated app can use, one bit per syscall: bit 0 allows SKC 0, etc.
 |-
-| 0x54
+| 0x2854
-| 0x4
+| 0x04
-| int32
+| uint32
-| console_id
+| bbid
-| can be zero; if not can only run on certain (used for SAs, not games)
+| If not zero, can only be run on the specified console (used for SAs, not games)
 |-
-| 0x58
+| 0x2858
 | 0x40
-| chars
+| uint8[64]
-| signer
+| issuer
-| Authority (cert used to sign ticket)
+| Certificate used to sign the cmd
 |-
-| 0x98
+| 0x2898
-| 0x4
+| 0x04
 | uint32
-| content_id
+| id
-| Content ID (can't be higher than 99999999, if (cid / 100) % 10 == 9, this is a game manual)
+| Content ID of the associated app
 |-
-| 0x9C
+| 0x289C
 | 0x10
-| bytes
+| uint8[16]
-| titlekey
+| key
-| crypted with common key, and if this is not an SA, then crypted again with key derived using ECDH of console's privkey and pubkey in ticket
+| The associated app's title key. It is encrypted once with the common key. If the associated app is not an SA, then it is encrypted ''again'' with a key derived using the result of ECDH with the console's private key in the Virage2 and the public key in the app's ticket.
 |-
-| 0xAC
+| 0x28AC
 | 0x100
-| bytes
+| uint8[256]
-| signature
+| contentMetaDataSign
-| RSA-2048 signature
+| RSA-2048 signature over all of the above, but before the title key is encrypted a second time.
 |}
-== Signature ==
-The signature is made from a SHA1 hash of 0x0 - 0xAC, prior to the titlekey being encrypted with the ECDH-derived titlekek.
 [[Category:File formats]]