Changes

496 bytes added ,  16:36, 21 April 2013
m
no edit summary
Line 51: Line 51:  
|}
 
|}
   −
The Signature Type is the same const as that in [[TMD]]. The certificate chain is located at offset 0x350 for tickets from CDN/SOAP, however this cert-chain is removed once the ticket is installed to NAND.
+
The Signature Type is the same const as that in [[TMD]].  
    
The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)
 
The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)
 +
 +
== Certificate Chain ==
 +
Tickets retrieved from CDN/SOAP have a Certificate chain appended at the end, outside of the ticket structure(offset 0x350/0x450 depending on the size of the ticket signature). There are two certificates in this chain:
 +
 +
{| class="wikitable" border="1"
 +
|-
 +
!  CERTIFICATE
 +
!  SIGNATURE TYPE
 +
!  RETAIL CERT NAME
 +
!  DEBUG CERT NAME
 +
!  DESCRIPTION
 +
|-
 +
|  Ticket
 +
|  RSA-2048
 +
|  XS0000000c
 +
|  XS00000009
 +
|  Used to verify the Ticket signature
 +
|-
 +
|  CA
 +
|  RSA-4096
 +
|  CA00000003
 +
|  CA00000004
 +
|  Used to verify the Ticket Certificate
 +
|}
 +
 +
The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM.
    
== Some facts==
 
== Some facts==
 
* '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''.
 
* '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''.
839

edits