[Tutorial] Hex Editing - Unlocking DLC without CFW or Sigpatch!

Discussion in 'Wii U - Tutorials' started by Rahzadan, May 4, 2017.

  1. Rahzadan
    OP

    Rahzadan Member

    Newcomer
    44
    16
    May 28, 2007
    Canada
    Special thanks to @raphamotta for his detailed tutorial(s) on this subject. This one serves as a more detailed explanation of the hex editing portions of his tutorial, which can be found here:

    http://gbatemp.net/threads/tutorial...d-on-sysnand-without-cfw-or-aocptcher.464178/

    Assumptions:
    Warning: Spoilers inside!

    Facts to Keep in Mind:
    Warning: Spoilers inside!

    There are 2 possible scenarios. In the first scenario, there are 2 tickets in the .tik file. Meaning, your legit ticket for that game (free or paid DLC you downloaded from eShop) + your fake ticket (installed by WUP Installer / USB Helper). In the second scenario, there might be 3 or more tickets in the same .tik file. You'll want to swap them so that your legit ticket is not necessarily at the TOP, but HIGHER than the fake ticket, if that makes sense.

    For the purposes of this tutorial, I will be going over the 2 ticket scenario using dummy .tik files I created myself, containing 2 FAKE tickets. YOUR .tik file will have your fake ticket in it (installed from WUP Installer) in addition to your REAL (legit) ticket for that game. I'm doing this because I won't want to reveal my real tickets (for obvious reasons).

    How to Do It!:
    Warning: Spoilers inside!

    For the other possible scenario with 3 or more tickets in your .tik file, just picture another 848 or 696 byte ticket for a different game BETWEEN the 1st and 2nd tickets, or perhaps at the top or bottom. In a case like this, you'd want to CUT the top fake ticket, and paste it in a separate, blank hex editor window temporarily. Then take the REAL ticket, and paste it temporarily into a 3rd blank hex window. Now, take your REAL ticket and paste it at the top (0x0), while putting your FAKE ticket at the bottom. Make sure all of you starting offsets for each ticket are correct once swapped, or the Wii U will say that your DLC is corrupted. It really doesn't matter what position that 3rd 'mysterious' ticket is in, because it's for a separate game and the Wii U will ignore the other tickets that aren't for that game if you ever launch it.

    As a side note, it looks like @marc_max has created a ticket swapper tool, which makes this whole process automated. His tool cane be found here:

    http://www.marcrobledo.com/wiiu-tik-fixer/

    Let me know if there's anything you don't understand, or if I should make any changes!
     
    Last edited by Rahzadan, May 6, 2017
    PacPera, Rehv, HugaTheFox and 8 others like this.
  2. raphamotta

    raphamotta GBAtemp Fan

    Member
    423
    152
    Jul 12, 2013
    Very detailed! Thank you for that, I will add this thread in my tutorial :)
     
  3. nexusmtz

    nexusmtz GBAtemp Maniac

    Member
    1,201
    405
    Feb 17, 2016
    United States
    Good job. I'm sure the extra detail will be helpful.
    I would just leave out the 848 in that phrase though. eShop tickets are 696, and can be found in the same ticket bucket files.
     
    Madridi likes this.
  4. Rahzadan
    OP

    Rahzadan Member

    Newcomer
    44
    16
    May 28, 2007
    Canada
    Edited. Thanks for the tip!
     
  5. godreborn

    godreborn GBAtemp Addict

    Member
    2,020
    288
    Oct 10, 2009
    United States
    this only works for dlc, correct?
     
  6. nexusmtz

    nexusmtz GBAtemp Maniac

    Member
    1,201
    405
    Feb 17, 2016
    United States
    I don't understand the question. What, besides DLC, lets you make a valid purchase that wouldn't already cover the entire title? I did try it with an expired subscription, but the subscription was only 696 bytes. It didn't work, probably because I don't know how to specify times in the fake ticket.
     
  7. godreborn

    godreborn GBAtemp Addict

    Member
    2,020
    288
    Oct 10, 2009
    United States
    I mean u can't use it for other games.
     
  8. nexusmtz

    nexusmtz GBAtemp Maniac

    Member
    1,201
    405
    Feb 17, 2016
    United States
    Keeping in mind that this technique works by repositioning your totally valid real ticket for the title ahead of the fake ticket for the same title, yes, it 'works' on regular games too. But with a game, since you have a valid ticket for the title, why would you want the fake ticket? It would do nothing extra for you.

    It would repair a fake title that you had accidentally loaded over your real one, but you wouldn't swap the fake and real tickets, you'd just delete the fake ticket. (or delete them both, and let eshop repopulate it.)
     
  9. godreborn

    godreborn GBAtemp Addict

    Member
    2,020
    288
    Oct 10, 2009
    United States
    I actually changed one of my fake tickets I had loaded over a real one. "Diseased Isabella," in hex repeated over and over again, right? a fake ticket will prevent u from downloading a real one from the eshop. installation will fail. I've fixed that.
     
  10. nexusmtz

    nexusmtz GBAtemp Maniac

    Member
    1,201
    405
    Feb 17, 2016
    United States
    Right. But just delete the fake one, don't swap the positions.
     
  11. godreborn

    godreborn GBAtemp Addict

    Member
    2,020
    288
    Oct 10, 2009
    United States
    I've already done that. I was just wondering if u could use this for a game (i.e. Mario Kart 8 with credentials of Breath of the Wild).
     
  12. nexusmtz

    nexusmtz GBAtemp Maniac

    Member
    1,201
    405
    Feb 17, 2016
    United States
    Oh. No, that won't work because then they're just two different titles' tickets in the same ticket bucket file, which is a normal thing to see.
     
  13. TheDarkGreninja

    TheDarkGreninja How could you hate that face?

    Member
    2,063
    799
    Aug 25, 2014
    On his bed
    what do you mean by offset 0x6A0?
     
  14. nexusmtz

    nexusmtz GBAtemp Maniac

    Member
    1,201
    405
    Feb 17, 2016
    United States
    An offset tells you how far something is from something else. In this case, it tells you how many bytes from the start of the file (offset 0). 0x6A0 is 1696 bytes because it's hexadecimal (6x256)+(10x16)+(0)=1656. A hex editor will usually show the offset in hex though, so you don't have to do any translation.
     
  15. TheDarkGreninja

    TheDarkGreninja How could you hate that face?

    Member
    2,063
    799
    Aug 25, 2014
    On his bed
    Ah, right, thats what he meant. Seemed I accidentally added a bit of data.