Difference between revisions of "AMPXI:ExportTicketWrapped"
Jump to navigation
Jump to search
(when you does stuff in a rush, you tend to make mistakes) |
(Is it just me or these "|" doesn't render properly?) |
||
Line 21: | Line 21: | ||
|- | |- | ||
| 7 | | 7 | ||
− | | (CryptedTicketBufferLength << 8) | 0x4 | + | | (CryptedTicketBufferLength << 8) <nowiki>|</nowiki> 0x4 |
|- | |- | ||
| 8 | | 8 | ||
Line 27: | Line 27: | ||
|- | |- | ||
| 9 | | 9 | ||
− | | (256 << 8) | 0x14 | + | | (256 << 8) <nowiki>|</nowiki> 0x14 |
|- | |- | ||
| 10 | | 10 |
Latest revision as of 22:08, 1 August 2018
Request[edit]
Index Word | Description |
---|---|
0 | Header code [0x006D0184] |
1 | Crypted ticket buffer length |
2 | 256 |
3-4 | u64, Title ID |
5-6 | u64, Ticket ID |
7 | (CryptedTicketBufferLength << 8) | 0x4 |
8 | Crypted ticket buffer output pointer |
9 | (256 << 8) | 0x14 |
10 | Wrapped AES key/IV buffer (size 256) |
Response[edit]
Index Word | Description |
---|---|
0 | Header code [0x006D00C1] |
1 | Result code |
2 | Output crypted ticket buffer length |
3 | Output wrapped AES key/IV length (should be 256) |
Description[edit]
This function gets a 32 byte buffer using the internal P9 PRNG function; first 16 bytes is used as AES-CBC key and last 16 bytes is used as IV.
Next, it searches through tickets looking for one with provided ticketID, returns 0xD8808040 if not found;
Next, it reads the ticket, 0x8000 bytes at a time, into a 0x8000-byte stack buffer, after each read that buffer is crypted using that randomly generated key/IV, then written into the first output buffer;
Finally, it encrypts the AES key/IV with RSA-2048 PKCS1; using a new public key stored in P9 .rodata; and writes the crypted output into the second output buffer.