iQue Player Security

From iQueBrew
Revision as of 07:57, 4 July 2018 by Jbop (talk | contribs) (Create security/encryption page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Unlike its predecessor the Nintendo 64, the iQue Player makes extensive use of encryption for security. This is probably due to the console's USB connectivity, as well as its ability to download games from the iQue server over the internet -- which would make pirating games extremely easy if they were transmitted and stored unencrypted. The security scheme is similar to that of the Wii, though more rudimentary.


The iQue makes use of several encryption algorithms:

All symmetric encryption is done using AES-128-CBC

ECC (using the curve NIST B-233 / sect233r1) is used to cryptographically sign certain files, and also to generate AES keys through ECDH.

RSA-2048 is used to sign files.



Secure Kernel

Key / IV Location
SK key Offset 0x1460 in the bootrom
SK IV Offset 0x1470 in the bootrom

Title Keys

Encrypted once with the common key, and then again if the app is a game.

(The title keys for SA's are only encrypted once).

Key / IV #1 Location
iQue Player common key Offset 0xB8 in Virage2
Title key IV Offset 0x2814 in CMD
Key / IV #2 Location
Derived using ECDH with console's private
key and a public key in the game's ticket
See ECC section for more info
Title key IV 2 Offset 0x29BC in ticket


An application/game downloaded from the iQue server, or on the console before first launch, will have the .app extension.

Key / IV Location
Title key Offset 0x289C in CMD
This is encrypted once or twice; see above for details.
Content IV Offset 0x2838 in CMD


If the recrypt flag is set in its CMD, a .app file will be re-encrypted and made into a .rec file on first launch.

Key / IV Location
Recrypt key
(unique to both game and console)
Encrypted 32-byte entry in recrypt.sys.
Starts at offset 0x04 in decrypted entry.
Content IV Offset 0x2838 in CMD


Each individual 32-byte entry in the recrypt list is encrypted.

Key / IV Location
Recrypt list key Offset 0xC8 in Virage2
Derived from BBID -


Each console contains a unique key pair located in Virage2. The private key is located at offset 0x98, and the public key is located at offset 0x54.

This key pair is used to sign recrypt.sys with ECDSA to prevent tampering. Game saves are also signed when being copied to NAND, and their signatures are stored in (the aptly-named) sig.db.

Each game's ticket includes an ECC public key. This is used with the console's private key to create a unique AES key with which to re-encrypt the title key in the CMD. This derived key is created by taking the 16 bytes starting at offset 0x04 in the x-coordinate of the ECDH result.


The public key is located in SK.

Every CMD and ticket is covered by an RSA-2048 signature to prevent alterations, such as granting more hardware and secure kernel call access or changing what console the ticket is for. Unlike the Wii, the iQue Player does not suffer from the Trucha bug, so currently there is no way to use unsigned tickets other than patching SK, or possibly taking advantage of the "psychic paper" bug