Difference between revisions of "Ticket"
(Created page with "Category:File formats Tickets are a format used to store an encrypted titlekey (using 128-Bit AES-CBC). This format seems to be identical to DSi/Wii tickets. == Structure =...") |
Line 59: | Line 59: | ||
| 0xA4||0x2||Unknown | | 0xA4||0x2||Unknown | ||
|- | |- | ||
− | | 0xA6||0x2||Ticket title version, this title version | + | | 0xA6||0x2||Ticket title version, this generally the same as the title version stored in the [[TMD|Title Metadata]]. |
|- | |- | ||
| 0xA8||0x8||Unused | | 0xA8||0x8||Unused | ||
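Review bot: The new 0xA6 description, "this generally the same as the title version stored in the [[TMD|Title Metadata]]", is missing its verb. Suggest "Ticket title version; this is generally the same as the title version stored in the [[TMD|Title Metadata]]". Because "generally" implies the two values can differ, a short clause on when they differ would make the field usable for validation.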
Line 73: | Line 73: | ||
| 0xE2||0x82||Unused | | 0xE2||0x82||Unused | ||
|- | |- | ||
− | | 0x164|| | + | | 0x164||0xAC||Content Index Setup (Complex) |
− | |||
− | |||
|} | |} | ||
− | |||
− | |||
The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used) | The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used) | ||
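Review bot: The new 0x164 row labels 0xAC bytes as "Content Index Setup (Complex)" but gives no layout or link, so that region cannot be parsed from this page. Either list its sub-fields or state that the structure is not yet documented. The size itself is consistent with the 0x210 Ticket Data size in the Structure table (0x164 + 0xAC = 0x210).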
Line 109: | Line 105: | ||
== Some facts== | == Some facts== | ||
− | * '''CommonETicket''' (for short, '''cetk''') is the name given to tickets for titles which | + | * '''CommonETicket''' (for short, '''cetk''') is the name given to tickets for titles which available on the [[EShop|eShop]], like [[Title list#CTR System Titles|system titles]]. |
* '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''. | * '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''. |
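Review bot: In the CommonETicket bullet the added text "titles which available on the [[EShop|eShop]]" drops the verb. Suggest "titles which are available on the [[EShop|eShop]]".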
Revision as of 04:32, 13 February 2014
Tickets are a format used to store an encrypted titlekey (using 128-Bit AES-CBC). This format seems to be identical to DSi/Wii tickets.
Structure
All of the data in the file is represented in Big Endian.
Offset | Size | Description |
---|---|---|
0x000 | Y | Signature Data |
Y | 0x210 | Ticket Data |
Signature Data
The total size of this section is referred to as "Y" in the overall TMD structure. The signature is of the header of the TMD.
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Signature Type |
0x4 | X | Signature |
0x4 + X | Padding Aligning the signature data to 0x40 bytes |
Signature Type
Value | Signature Method | Signature Size | Padding Size |
---|---|---|---|
0x010000 | RSA_4096 SHA1 (Unused for 3DS) | 0x200 | 0x3C |
0x010001 | RSA_2048 SHA1 (Unused for 3DS) | 0x100 | 0x3C |
0x010002 | Elliptic Curve with SHA1 (Unused for 3DS) | 0x3C | 0x40 |
0x010003 | RSA_4096 SHA256 | 0x200 | 0x3C |
0x010004 | RSA_2048 SHA256 | 0x100 | 0x3C |
0x010005 | ECDSA with SHA256 | 0x3C | 0x40 |
The hash for the signature is calculated over the Ticket Data.
Ticket Data
Offset | Size | Description |
---|---|---|
0x0 | 0x40 | Issuer |
0x40 | 0x3C | ECDH data for console-unique eShop tickets. |
0x7C | 0x3 | Unknown, first u8 is 0x01. |
0x7F | 0x10 | Encrypted TitleKey |
0x8F | 0x1 | Unknown |
0x90 | 0x8 | TicketID |
0x98 | 0x4 | Ticket consoleID |
0x9C | 0x8 | TitleID |
0xA4 | 0x2 | Unknown |
0xA6 | 0x2 | Ticket title version; this is generally the same as the title version stored in the Title Metadata. |
0xA8 | 0x8 | Unused |
0xB0 | 0x1 | Unused |
0xB1 | 0x1 | Ticket common keyY index, usually 0x1 for retail system titles. |
0xB2 | 0x2F | Unused |
0xE1 | 0x1 | Unknown |
0xE2 | 0x82 | Unused |
0x164 | 0xAC | Content Index Setup (Complex) |
The titlekey is decrypted using the AES engine with the ticket common-key keyslot, where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used, with the big-endian titleID as the IV. Note that on a retail unit index 0 is a retail keyY, while on a dev unit index 0 is the dev common-key, which is a normal-key. (On retail, the hardware key-scrambler is used for these keyYs.)
Certificate Chain
Tickets retrieved from CDN/SOAP have a certificate chain appended at the end of the file. There are two certificates in this chain:
CERTIFICATE | SIGNATURE TYPE | RETAIL CERT NAME | DEBUG CERT NAME | DESCRIPTION |
---|---|---|---|---|
Ticket | RSA-2048 | XS0000000c | XS00000009 | Used to verify the Ticket signature |
CA | RSA-4096 | CA00000003 | CA00000004 | Used to verify the Ticket Certificate |
The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM.
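The layout in the Structure, Signature Data and Ticket Data tables above can be walked with a short parser. This is an added example, not code from the wiki or from any Nintendo tool; the function names and every value in the sample ticket (issuer string, IDs, the trailing bytes) are constructed for illustration.

```python
import hashlib
import struct

# Signature Type -> (signature size, padding size, hash), from the table above.
SIG_TYPES = {
    0x010000: (0x200, 0x3C, "sha1"), 0x010001: (0x100, 0x3C, "sha1"),
    0x010002: (0x3C, 0x40, "sha1"), 0x010003: (0x200, 0x3C, "sha256"),
    0x010004: (0x100, 0x3C, "sha256"), 0x010005: (0x3C, 0x40, "sha256"),
}
TICKET_DATA_SIZE = 0x210

def parse_ticket(blob: bytes) -> dict:
    """Split a ticket into signature, Ticket Data fields and trailing bytes."""
    if len(blob) < 4:
        raise ValueError("too short to hold a signature type")
    (sig_type,) = struct.unpack_from(">I", blob, 0)
    if sig_type not in SIG_TYPES:
        raise ValueError(f"unknown signature type {sig_type:#x}")
    sig_size, pad_size, hash_name = SIG_TYPES[sig_type]
    data_off = 4 + sig_size + pad_size  # "Y" in the Structure table
    data = blob[data_off:data_off + TICKET_DATA_SIZE]
    if len(data) != TICKET_DATA_SIZE:
        raise ValueError("truncated Ticket Data")
    ticket_id, console_id, title_id = struct.unpack_from(">QIQ", data, 0x90)
    return {
        "sig_type": sig_type,
        "data_offset": data_off,
        "issuer": data[:0x40].rstrip(b"\x00").decode("ascii", "replace"),
        "encrypted_titlekey": data[0x7F:0x8F],
        "ticket_id": ticket_id,
        "console_id": console_id,
        "title_id": title_id,
        "title_version": struct.unpack_from(">H", data, 0xA6)[0],
        "common_key_index": data[0xB1],
        # The signature's hash is calculated over the Ticket Data.
        "digest": hashlib.new(hash_name, data).hexdigest(),
        # CDN/SOAP tickets carry the certificate chain after the Ticket Data.
        "trailing": blob[data_off + TICKET_DATA_SIZE:],
    }

def build_sample() -> bytes:
    """Constructed test ticket: dummy signature, made-up IDs, no real key data."""
    data = bytearray(TICKET_DATA_SIZE)
    data[0:11] = b"TEST-ISSUER"
    data[0x7F:0x8F] = bytes(range(16))
    struct.pack_into(">QIQ", data, 0x90, 0x1122334455667788, 0, 0x0004001000000001)
    struct.pack_into(">H", data, 0xA6, 0x0410)
    data[0xB1] = 1
    sig = struct.pack(">I", 0x010004) + bytes(0x100) + bytes(0x3C)
    return sig + bytes(data) + b"CERTCHAIN"
```

The returned `digest` is only the value a signature check would compare against; verifying it still requires the Ticket certificate's public key from the chain.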
Some facts
- CommonETicket (for short, cetk) is the name given to tickets for titles which are available on the eShop, like system titles.
- CETK can be fetched through HTTP from the default update server, using the title's TMD URL with "cetk" in place of "tmd". The 3DS NIM module retrieves system tickets via the SOAP request GetCommonETicket.