Difference between revisions of "CommonETicket"
Line 48: | Line 48: | ||
The Signature Type is the same const as that in [[TMD]]. The certificate chain is located at offset 0x2A4 for tickets from CDN/SOAP, however this cert-chain is removed once the ticket is installed to NAND. | The Signature Type is the same const as that in [[TMD]]. The certificate chain is located at offset 0x2A4 for tickets from CDN/SOAP, however this cert-chain is removed once the ticket is installed to NAND. | ||
+ | |||
+ | The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used) | ||
== Some facts== | == Some facts== | ||
* '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''. | * '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''. |
Revision as of 22:02, 31 March 2013
CommonETicket (for short, cetk) is a format as a ticket used to store an encrypted titlekey (using 128-Bit AES-CBC). This format seems to be identical to DSi/Wii tickets.
Structure
All of the data in the file is represented in Big Endian.
Content
Offset | Size | Description |
0x000 | 0x4 | Signature Type |
0x004 | 0x100 | Signature |
0x104 | 0x3C | Padding modulo 64 |
0x140 | 0x40 | Issuer |
0x180 | 0x3C | ECDH data for console-unique eShop tickets. |
0x1BC | 0x3 | Unknown, first u8 is 0x01. |
0x1BF | 0x10 | Encrypted TitleKey |
0x1CF | 0x1 | Unknown |
0x1D0 | 0x8 | TicketID |
0x1D8 | 0x4 | Ticket consoleID |
0x1DC | 0x8 | TitleID |
0x1E4 | 0x2 | Unknown |
0x1E6 | 0x2 | Ticket version |
0x1E8 | 0x8 | Unused |
0x1F0 | 0x1 | Unused |
0x1F1 | 0x1 | Ticket common keyY index, usually 0x1 for retail system titles. |
0x1F2 | 0xB2 | Unused |
The Signature Type is the same const as that in TMD. The certificate chain is located at offset 0x2A4 for tickets from CDN/SOAP, however this cert-chain is removed once the ticket is installed to NAND.
The titlekey is decrypted by using the AES engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)
Some facts
- CETK can be fetched through HTTP using the link to default update server, using the title's TMD URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request GetCommonETicket.