Difference between revisions of "Ticket"

From iQueBrew
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
An iQue '''Ticket''' is used to store data about a piece of content, such as the size, hash and ID. It's used as part of the [[SKSA]] (for info about the SA1/SA2) and also used as part of the [[Title Data]] structure (for info about the game title).
+
A '''ticket''' is used to store data about an associated app and per-console information, such as encryption keys and whether or not the app is time-limited.
 
 
Each ticket is signed via RSA-2048 using a CP (content protection?) certificate.
 
  
 
== Format ==
 
== Format ==
The ticket format is similar to a [http://wiibrew.org/wiki/Ticket Wii ticket], though it seems the structure was reworked sometime between the iQue and Wii.
 
  
It's assumed that the title key needed to decrypt an SA / .app is part of the structure, though likely encrypted with a common-key that's yet to be dumped from the console.
+
A ticket (BbTicket) consists of two parts: the [[CMD|content metadata]] for the app, and a ticket head (BbTicketHead).
  
 
{| class="wikitable"
 
{| class="wikitable"
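Review bot: the rewritten intro and Format paragraph drop the statement that each ticket is signed via RSA-2048, so the signature is now mentioned only in the last row of the table. Suggest keeping one sentence here saying the ticket is signed and pointing at the issuer and ticketSign fields. The "two parts" sentence would also read better if it said where the BbTicketHead begins relative to the CMD, so it can be understood without the table.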
Line 13: Line 10:
 
! Length
 
! Length
 
! Type
 
! Type
 +
! Description
 
! Information
 
! Information
 
|-
 
|-
| 0x0
+
| 0x00
| 0x8
+
| 0x29AC
| bytes
+
| -
| Unknown (always 0?)
+
| [[CMD]]
|-
+
| Content metadata for the associated app
| 0x8
 
| 0x4
 
| int32
 
| Unknown (always 1?)
 
 
|-
 
|-
| 0xC
+
| 0x29AC
| 0x4
+
| 0x04
 
| uint32
 
| uint32
| Content Size
+
| bbId
 +
| ID of the console this ticket is for
 
|-
 
|-
| 0x10
+
| 0x29B0
| 0x4
+
| 0x02
| int32
+
| uint16
| Unknown (0 for tickets, 1 for SA?)
+
| tid
 +
| ticket ID; if bit 15 is set, then it is a trial ticket
 
|-
 
|-
| 0x14
+
| 0x29B2
| 0x10
+
| 0x02
| bytes
+
| uint16
| Unknown (possible title-key)
+
| code
 +
| What type of trial limitation: 0 or 2 = time, 1 = number of launches
 
|-
 
|-
| 0x24
+
| 0x29B4
| 0x14
+
| 0x02
| bytes
+
| uint16
| Content hash (hash of the decrypted content)
+
| limit
 +
| number of minutes, or number of launches, before limit is reached
 
|-
 
|-
| 0x38
+
| 0x29B6
| 0x10
+
| 0x02
| bytes
+
| uint16
| Unknown ('''very possible title-key''')
+
| reserved
 +
| padding               
 
|-
 
|-
| 0x48
+
| 0x29B8
| 0x4
+
| 0x04
| int32
+
| uint32
| Unknown (2 for game tickets, 0 for SA/iQue Club ticket?)
+
| tsCrlVersion
 +
| ticket_crl_version
 
|-
 
|-
| 0x4C
+
| 0x29BC
| 0x4
+
| 0x10
| int32
+
| uint8[16]
| Unknown (0 for games, 0x13 for iQue Club, 0x1F7/0x1B3 for SA)
+
| cmdIv
 +
| titlekey_iv; IV used to re-encrypt title key (with ECDH key)
 
|-
 
|-
| 0x50
+
| 0x29CC
| 0x4
+
| 0x40
| int32
+
| uint8[64]
| Unknown (0x4000 for games, 0x6001 for iQue Club, -1 for normal SAs, 0xE01 for weird SAs?)
+
| serverKey
|-
+
| ECC public key used with console's ECC private key to derive unique title key encryption key via ECDH   
| 0x54
 
| 0x4
 
| int32
 
| Unknown (always 0?)
 
 
|-
 
|-
| 0x58
+
| 0x2A0C
 
| 0x40
 
| 0x40
| chars
+
| uint8[64]
| Authority (cert used to sign ticket)
+
| issuer
|-
+
| Certificate used to sign the ticket
| 0x98
 
| 0x4
 
| uint32
 
| Content ID (can't be higher than 99999999, if (cid / 0x64) % 0xA == 9, this is a game manual?)
 
|-
 
| 0x9C
 
| 0x10
 
| bytes
 
| Unknown (possible title-key - contents change between devices, but signature remains the same???)
 
 
|-
 
|-
| 0xAC
+
| 0x2A4C
 
| 0x100
 
| 0x100
| bytes
+
| uint8[256]
| RSA-2048 signature
+
| ticketSign
|}
+
| RSA-2048 signature over all of the above ''and'' the CMD
 
 
In different SAs which seem to have matching bytes in the encrypted data, the field at 0x38 seems to be the only constant between them, likely our best suspect for the title-key.
 
 
 
 
 
 
[[Category:File formats]]
 
[[Category:File formats]]
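Review bot: in the ticketSign row, "over all of the above ''and'' the CMD" is ambiguous, because the CMD is already the first row of the table and "all of the above" includes it; state the signed byte range explicitly (0x00 up to 0x2A4C, if that is what is meant). The issuer row changes the type from chars to uint8[64] while the text says "Certificate used to sign the ticket"; a 0x40-byte field reads more naturally as the certificate's name, so say which it is. The uint16 and uint32 rows do not state a byte order, and the code row does not say how values 0 and 2 differ.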

Latest revision as of 13:25, 15 June 2018

A ticket is used to store data about an associated app and per-console information, such as encryption keys and whether or not the app is time-limited.

Format

A ticket (BbTicket) consists of two parts: the content metadata for the app, and a ticket head (BbTicketHead).

{| class="wikitable"
! Offset !! Length !! Type !! Description !! Information
|-
| 0x00 || 0x29AC || - || CMD || Content metadata for the associated app
|-
| 0x29AC || 0x04 || uint32 || bbId || ID of the console this ticket is for
|-
| 0x29B0 || 0x02 || uint16 || tid || ticket ID; if bit 15 is set, then it is a trial ticket
|-
| 0x29B2 || 0x02 || uint16 || code || What type of trial limitation: 0 or 2 = time, 1 = number of launches
|-
| 0x29B4 || 0x02 || uint16 || limit || number of minutes, or number of launches, before limit is reached
|-
| 0x29B6 || 0x02 || uint16 || reserved || padding
|-
| 0x29B8 || 0x04 || uint32 || tsCrlVersion || ticket_crl_version
|-
| 0x29BC || 0x10 || uint8[16] || cmdIv || titlekey_iv; IV used to re-encrypt title key (with ECDH key)
|-
| 0x29CC || 0x40 || uint8[64] || serverKey || ECC public key used with console's ECC private key to derive unique title key encryption key via ECDH
|-
| 0x2A0C || 0x40 || uint8[64] || issuer || Certificate used to sign the ticket
|-
| 0x2A4C || 0x100 || uint8[256] || ticketSign || RSA-2048 signature over all of the above and the CMD
|}
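
A parser for the layout in the table above, added here as an example (it is not iQueBrew's or the console's own code). It assumes big-endian fields, which the page does not state, and reads "all of the above and the CMD" as bytes 0x00 up to 0x2A4C; the sample ticket and all function names are constructed for the example.

```python
import struct
from typing import NamedTuple, Optional, Tuple

CMD_SIZE = 0x29AC                      # CMD occupies 0x00..0x29AC
HEAD_FMT = ">IHHHHI16s64s64s256s"      # ASSUMPTION: big-endian, no padding
HEAD_SIZE = struct.calcsize(HEAD_FMT)  # 0x1A0
SIGN_OFFSET = 0x2A4C                   # ticketSign starts here
TICKET_SIZE = CMD_SIZE + HEAD_SIZE     # 0x2B4C

class TicketHead(NamedTuple):
    bb_id: int
    tid: int
    code: int
    limit: int
    reserved: int
    ts_crl_version: int
    cmd_iv: bytes
    server_key: bytes
    issuer: bytes
    ticket_sign: bytes

def parse_ticket(blob: bytes) -> TicketHead:
    """Unpack the BbTicketHead that follows the CMD."""
    if len(blob) < TICKET_SIZE:
        raise ValueError(f"ticket truncated: {len(blob):#x} < {TICKET_SIZE:#x}")
    return TicketHead(*struct.unpack_from(HEAD_FMT, blob, CMD_SIZE))

def trial_info(head: TicketHead) -> Optional[Tuple[str, int]]:
    """Return (unit, limit) for a trial ticket, None for a normal one."""
    if not head.tid & 0x8000:          # bit 15 of tid marks a trial ticket
        return None
    unit = {0: "minutes", 2: "minutes", 1: "launches"}.get(head.code, "unknown")
    return unit, head.limit

def signed_region(blob: bytes) -> bytes:
    """Bytes a verifier would hash: CMD plus head fields before ticketSign."""
    return blob[:SIGN_OFFSET]

def build_sample(tid: int = 0x8001, code: int = 1, limit: int = 5) -> bytes:
    """Constructed ticket: zeroed CMD, made-up bbId and issuer bytes."""
    head = struct.pack(HEAD_FMT, 0x1234, tid, code, limit, 0, 0, bytes(16),
                       bytes(64), b"CONSTRUCTED-ISSUER", bytes(256))
    return bytes(CMD_SIZE) + head

if __name__ == "__main__":
    t = parse_ticket(build_sample())
    print(hex(t.bb_id), trial_info(t), len(signed_region(build_sample())))
```
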