Why "adding or removing 2" from byte 0x0F of title.tik? Answer and exact "formula".

asper

Haha, ok, I read your post a few times; it makes a bit more sense now (if you are actually correct, since like you said you are not 100% sure, but it seems to be right).


But we generate the signature ourselves? Why can we do this? Wouldn't this need keys only Nintendo has?

Eventually I will stop questioning and start enjoying ;)
(when my Wii U gets here in a few months)

The signature is already there, inside the title.tik, gently calculated by Nintendo; we do not touch it, we only "interact" with what I suppose is a xor "mask". You should thank the genius who identified a correlation between byte 0x01 and 0x0F!! Maybe he was able to extract a legit eShop/NUS title.tik from the console and check it against the WUD title.tik? Dunno, but... a big thanks to him :)
 

cearp
The signature is already there, inside the title.tik, gently calculated by Nintendo; we do not touch it, we only "interact" with what I suppose is a xor "mask". You should thank the genius who identified a correlation between byte 0x01 and 0x0F!! Maybe he was able to extract a legit eShop/NUS title.tik from the console and check it against the WUD title.tik? Dunno, but... a big thanks to him :)
So if we checked the data against the signature ourselves, it would come back false, because Nintendo changes that value at 0xF before verifying? :blink:
I think I get it now... ha
Yeah, thanks to whoever discovered this!
 

asper
So if we checked the data against the signature ourselves, it would come back false, because Nintendo changes that value at 0xF before verifying? :blink:
I think I get it now... ha
Yeah, thanks to whoever discovered this!

I suppose (just speculation, confirmed by what you can read in the 1st post) that bytes from 0x04 to 0x103 are "xormasked" somehow; under that xormask there is the real certificate. I hope some IDA guru will explain that far better than me.
 

pedro702
Does anyone have the capability to code a homebrew app to do a ticket dumper from the Wii U?

I would want to get some VC title tickets. I own some games, but since we can't get tickets from WUDs to use in VC, the only option would be for anyone with a VC title to dump the ticket, right?
 

asper
Does anyone have the capability to code a homebrew app to do a ticket dumper from the Wii U?

I would want to get some VC title tickets. I own some games, but since we can't get tickets from WUDs to use in VC, the only option would be for anyone with a VC title to dump the ticket, right?

It is actually not possible, but I think, thanks to the IOSU kernel exploit and great coders like @dimok and many others, it will soon (very soon) be a reality! ;)
 

cearp
If we can dump games and if we can install files to NAND (we can), it must be possible to dump ticket files from NAND and from disc.
The 5.5.1 spoof installs files to NAND, right?
And we can dump discs, so I guess the code is out there.

-oops, simply not the permission to access where the tickets are in NAND, ok that makes sense.


We don't have access to the folder where tickets are stored.
Maybe with the IOSU kernel hack it could be possible, but I don't think anyone has made a NAND access homebrew yet.
Although yeah, what about the spoofer? Is that in a 'safe' area of NAND or something?
 

Cyan
The spoofer is WUP installer. WUP installer is not accessing NAND at all.
It's hooking the official install title function and tells it to install what's located on SD:/install/ instead of NAND/<temporary download folder>.

That function is responsible for accessing NAND and gets enough rights to do it from the IOSU kernel.
WUP installer doesn't get any access rights, so it can't read from NAND where the titles are installed.


The game launching process doesn't have enough rights from IOSU to access the disc directly, so the game dumper is not dumping the disc content.
It's using the PPC kernel to access the mounted virtual link "/vol" at game launch, which the console merges with /content/ from the disc, NAND or USB, the update folder from NAND or USB, the savegame folder, and DLC.
From /vol/ we also don't have access to the ticket.
 

Cyan
Nobody thought about something this simple?
We only thought about the PPC kernel permissions, IOSU access rights, etc.
Focusing on the kernel rights to disable the signature check, we didn't try to tamper with the signature itself.
On Wii, they made a mistake and we could modify the signature, but it was quickly fixed, so they shouldn't have reproduced this mistake. This time, it's a different issue: they didn't make the "same" mistake, but another one which is maybe not their fault, but the way RSA works.

To me the big mistake they made is using the same title key for both the disc and eShop versions, allowing NUS file decryption with the disc ticket, allowing users to download games directly from their own servers (who needs torrent websites when you can take them from the source?).
 

asper
Well, it is not a real "tampering", it is "converting" a legit title.tik into another legit title.tik; I am really curious to check an original NUS title.tik against a WUD (system\02 or whatever) title.tik of the same game ;)
 

Cyan
They didn't expect someone to find their common key, etc.
But that would have been another layer of security they could have used. Like I said in another thread, it would probably be more hassle to manage two different TitleIDs and title keys for the same game (duplicated updates or DLC to store on their servers).
They probably did it for convenience.
 

jbuck1975
Where does the validation of the game's title.tik come from? Is there more code in the tik that compares to the Wii U, or does it connect to the internet and verify the code?
Can someone compare different title.tik files and find a like number, or are ALL Nintendo game codes on the Wii U to compare and match?
I'm just throwing ideas out.
 
