IIRC it does some magic with the files to validate the ticket.
What I'm sure about that it validates the ticket OFFLINE.
What I'm sure about that it validates the ticket OFFLINE.
- Joined
- Oct 27, 2002
- Messages
- 23,749
- Trophies
- 4
- Age
- 45
- Location
- Engine room, learning
- XP
- 15,649
- Country
yes, it's done offline, in Async mode.
Nintendo is generating a signature with a private key. Only Nintendo has it.
the signature included inside the ticket.
That signature can be decrypted (but not generated) with the common key. All consoles have it.
If the decrypted signature checksum matches the ticket checksum (I'm not sure which part of the ticket is verified against the signature's hash), then it means the ticket is valid, and the console can use the data from it.
If you edit the title key to install a different game, for example you know the title key for a game but you don't have it's ticket so you edit an existing ticket to put your title key inside, then the decrypted signature's checksum will not match the ticket's checksum anymore.
it works here because the title key is the same for both Disc and eshop version.
editing only one byte (Game type) affects only one byte in the encrypted signature.
if we had to edit the entire title key and titleID, the signature would be too different to calculate it without the private key.
Nintendo is generating a signature with a private key. Only Nintendo has it.
the signature included inside the ticket.
That signature can be decrypted (but not generated) with the common key. All consoles have it.
If the decrypted signature checksum matches the ticket checksum (I'm not sure which part of the ticket is verified against the signature's hash), then it means the ticket is valid, and the console can use the data from it.
If you edit the title key to install a different game, for example you know the title key for a game but you don't have it's ticket so you edit an existing ticket to put your title key inside, then the decrypted signature's checksum will not match the ticket's checksum anymore.
it works here because the title key is the same for both Disc and eshop version.
editing only one byte (Game type) affects only one byte in the encrypted signature.
if we had to edit the entire title key and titleID, the signature would be too different to calculate it without the private key.
- Joined
- Oct 27, 2002
- Messages
- 23,749
- Trophies
- 4
- Age
- 45
- Location
- Engine room, learning
- XP
- 15,649
- Country
what can be patched?
we can't generate signatures without the private key or we could install homebrew directly to the WiiU menu.
we can't generate signatures without the private key or we could install homebrew directly to the WiiU menu.
The title instalation with single byte modification, or they have to create two different title ID for each game (digital and disk) to fix that?
Another console TIK modder 14kb x86
https://mega.nz/#!fdIwhYoQ!gQiaMY7xQ...axmPmPdc3_Pgj8
create copy of modding file with prefix modder_ or original_
Convert to mod and vise verse.
USE: Tik_Mod <title_file.tik>
You can give file, if file not given, tool try to mod near title.tik
simple copy title.tik to the folder and run Tik_Mod
https://mega.nz/#!fdIwhYoQ!gQiaMY7xQ...axmPmPdc3_Pgj8
create copy of modding file with prefix modder_ or original_
Convert to mod and vise verse.
USE: Tik_Mod <title_file.tik>
You can give file, if file not given, tool try to mod near title.tik
simple copy title.tik to the folder and run Tik_Mod
alright now, here is something crazy for you:
I just dumped some .tik files from discs I had over network using iosuhax and... the tiks already start with "01" and are "xor'd" as well, meaning dumped tiks like that cant be installed directly without any errors, so the question now is, are those files in .wuds somehow unclean or does the wiiu at some level automatically even from disc adjust those values so the wiiu can actually use them? that explains though why they have to be changed in the first place I guess to be installable.
I just dumped some .tik files from discs I had over network using iosuhax and... the tiks already start with "01" and are "xor'd" as well, meaning dumped tiks like that cant be installed directly without any errors, so the question now is, are those files in .wuds somehow unclean or does the wiiu at some level automatically even from disc adjust those values so the wiiu can actually use them? that explains though why they have to be changed in the first place I guess to be installable.
- Joined
- Jan 7, 2014
- Messages
- 14,600
- Trophies
- 4
- Location
- Another World
- Website
- www.gbatemp.net
- XP
- 25,207
- Country
Woah this is getting interesting.
One question though. Can the same method be used for already installed titles, as in, eshop purchasses?
I've dumped my eshop tiks as well and they contain my console id (4 bytes at 0x1D8) so you can most likely only install them directly on your own console unless you run a ciosu with signature checks disabled, else you probably risk a brick.
- Joined
- Jan 7, 2014
- Messages
- 14,600
- Trophies
- 4
- Location
- Another World
- Website
- www.gbatemp.net
- XP
- 25,207
- Country
Another question regarding this. Would it be possible to compare a dumped ticket from one of those that already exist, possibly to find a pattern, or a potential similarity between them? That could possibly lead to some sort of dummy ticket that could be used for the same game without a wud, maybe?
I just wonder, this is really interesting
You say it has your console ID. But if we know that current modified tickets install on any console of the same region, I would assume that there is a possibility of a dummy ID, that installs regardless of the console?
No. The thing why this works most likely has to do with the tik not requiring a specific console, nintendo used the exact same sign mechanism for both eshop titles and disc titles so, disc titles cant have a console id requirement, which is why you can install it globally on every wiiu if you have an installer. The 3ds had similar things and the wii too by the way. So changing anything in a tik right now such as, removing that id, or changing it to another region id would make it invalid because its signature would not match up anymore.
edit: I can even proof this to you, somebody just was friendly enough to dump a game tik I also had from his console and if I compare both tiks they indeed differ a lot because of the signatures:
You can see on the counts alone that there would be no way to brute force that to another console.
- Joined
- Jan 7, 2014
- Messages
- 14,600
- Trophies
- 4
- Location
- Another World
- Website
- www.gbatemp.net
- XP
- 25,207
- Country
Oh I see. Well then now I know, hahaNo. The thing why this works most likely has to do with the tik not requiring a specific console, nintendo used the exact same sign mechanism for both eshop titles and disc titles so, disc titles cant have a console id requirement, which is why you can install it globally on every wiiu if you have an installer. The 3ds had similar things and the wii too by the way. So changing anything in a tik right now such as, removing that id, or changing it to another region id would make it invalid because its signature would not match up anymore.
edit: I can even proof this to you, somebody just was friendly enough to dump a game tik I also had from his console and if I compare both tiks they indeed differ a lot because of the signatures:
You can see on the counts alone that there would be no way to brute force that to another console.
The only way to know is raw-dumping the same disc and decrypt it with discU but I really do not know how to do that. I know there is an iosu function to request the aes disc key from the disc but dunno if it is possible to dump it "raw" (and obtain substantially a wud).
About the signature I really would like to know if there really is a xor mask "covering" the real value. If someone can find the real process debugging with ida I will be very happy to read it.
About force-install a per-console title disabling the checks it can work but if nintendo will release a new firmware all the signature patches will be removed and with a force-install title in the console (nand or usb) you can really risk a brick unless (maybe) you firstly uninstall that title before updating.
I tested a per-console title.tik on another console zeroing the per-console data: no brick, just it does not work. I also tested the original ticket (not modifying it) without success (no brick).
Last edited by asper,
That's interesting. So basically no pirated DLC without CFW, and yet for some reason they didn't think to do the same thing for games. How bizarreNo. The thing why this works most likely has to do with the tik not requiring a specific console, nintendo used the exact same sign mechanism for both eshop titles and disc titles so, disc titles cant have a console id requirement, which is why you can install it globally on every wiiu if you have an installer. The 3ds had similar things and the wii too by the way. So changing anything in a tik right now such as, removing that id, or changing it to another region id would make it invalid because its signature would not match up anymore.
edit: I can even proof this to you, somebody just was friendly enough to dump a game tik I also had from his console and if I compare both tiks they indeed differ a lot because of the signatures:
You can see on the counts alone that there would be no way to brute force that to another console.
Similar threads
- No one is chatting at the moment.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@
AncientBoi:
What Network is it on? I wanna see what you guys are talking about. N What time frame is it on? -
-
-
-
-
