Hacking Why "adding or removing 2" from byte 0x0F of tiket.tik ? Answer and exact "formula".

veggav

Well-Known Member
Member
Joined
Nov 21, 2009
Messages
208
Trophies
1
XP
1,008
Country
Brazil
I've dumped my eshop tiks as well and they contain my console id (4 bytes at 0x1D8) so you can most likely only install them directly on your own console unless you run a ciosu with signature checks disabled, else you probably risk a brick.

I get you, NWPlayer, and a bunch of people are able to dump tickets from disc because you got private IOSU?
Do you think we might get a few more tickets that aren't available at the moment?
 

FIX94

Former Staff
Former Staff
Joined
Dec 3, 2009
Messages
7,284
Trophies
0
Age
29
Location
???
XP
11,238
Country
Germany
I get you, NWPlayer, and a bunch of people are able to dump tickets from disc because you got private IOSU?
Do you think we might get a few more tickets that aren't available at the moment?
Uhm, the IOSU exploit is public already, though it needs just a couple more things to load iosuhax, and iosuhax has been public on GitHub by smea for months now, so quite a few people have access to stuff by now. You do have to be a developer, though, to make sense of it all; there is no user-friendly version of anything yet, but that will be there soon so people who aren't devs can do it too.
 
  • Like
Reactions: VinsCool and veggav

asper

Well-Known Member
OP
Member
Joined
May 14, 2010
Messages
942
Trophies
1
XP
2,028
Country
United States
Actually the 0xF thing is because none of the extraction tools seem to use the right IV (all zero) instead of the correct one.
Because it is within some random data nobody ever noticed until now I guess.

@crediar, I am sorry, can you explain better what you mean by "Because it is within some random data nobody ever noticed"?
 

FIX94

Former Staff
Former Staff
Joined
Dec 3, 2009
Messages
7,284
Trophies
0
Age
29
Location
???
XP
11,238
Country
Germany
@crediar, I am sorry, can you explain better what you mean by "Because it is within some random data nobody ever noticed"?
So to do AES decryption you need a key and an IV (initialization vector). If that vector is not correct, the first decrypted block (one block = 0x10 bytes) will look wrong; that's exactly what happens here to the first 0x10 tik bytes: whatever decrypts this at the moment does not correctly set up the IV.
 
  • Like
Reactions: ajd4096
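As an added example (not code from the thread or from any of the tools it mentions), the following Go program reproduces FIX94's point with AES-128-CBC from Go's standard library: decrypting with the wrong IV damages only the first 0x10-byte block, every later block comes out intact, and the damage is an exact XOR of the two IVs. The key and the "correct" IV are constructed values, not Wii U material; the constructed IV differs from all-zero only at byte 0x0F, by 0x02, which is what turns 0x03 into 0x01 at that offset and answers the later question about what happens to the next blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo material, NOT the Wii U disc key or IV. The key is an
// arbitrary 16-byte string; the "correct" IV is all zero except byte 0x0F =
// 0x02, chosen so that decrypting with an all-zero IV reproduces the symptom
// from the thread (byte 0x0F reads 0x01 instead of 0x03).
var (
	DemoKey   = []byte("constructed-key!") // 16 bytes selects AES-128
	CorrectIV = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02}
	ZeroIV    = make([]byte, aes.BlockSize) // the IV the extraction tools reportedly use
)

// DemoPlaintext stands in for the first three 0x10-byte blocks of a decrypted
// ticket. Every byte is distinct filler except byte 0x0F, which is 0x03.
func DemoPlaintext() []byte {
	pt := make([]byte, 3*aes.BlockSize)
	for i := range pt {
		pt[i] = byte(0xA0 + i)
	}
	pt[0x0F] = 0x03
	return pt
}

// cbc runs raw AES-CBC (no padding) over whole blocks; decrypt=false encrypts.
// The IV length and block alignment are checked because CryptBlocks panics otherwise.
func cbc(key, iv, in []byte, decrypt bool) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(in), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	var mode cipher.BlockMode
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, iv)
	} else {
		mode = cipher.NewCBCEncrypter(block, iv)
	}
	mode.CryptBlocks(out, in)
	return out, nil
}

// Encrypt models the console side; Decrypt models a tool, with whatever IV it chose.
func Encrypt(key, iv, pt []byte) ([]byte, error) { return cbc(key, iv, pt, false) }
func Decrypt(key, iv, ct []byte) ([]byte, error) { return cbc(key, iv, ct, true) }

// RoundTrip encrypts under encIV and decrypts under decIV, which models an
// extraction tool that has the right key but sets up the wrong IV.
func RoundTrip(key, encIV, decIV, pt []byte) ([]byte, error) {
	ct, err := Encrypt(key, encIV, pt)
	if err != nil {
		return nil, err
	}
	return Decrypt(key, decIV, ct)
}

// DiffIndices lists the byte offsets at which a and b differ.
func DiffIndices(a, b []byte) []int {
	var d []int
	for i := range a {
		if i >= len(b) || a[i] != b[i] {
			d = append(d, i)
		}
	}
	return d
}

func main() {
	pt := DemoPlaintext()
	// Zero IV instead of the constructed "correct" one: only byte 0x0F changes,
	// 0x03 -> 0x01, because P1 = D(C1) XOR IV and the two IVs differ by 0x02 there.
	wrong, _ := RoundTrip(DemoKey, CorrectIV, ZeroIV, pt)
	fmt.Printf("byte 0x0F: expected 0x%02x, got 0x%02x; differing offsets %v\n",
		pt[0x0F], wrong[0x0F], DiffIndices(pt, wrong))
	// An unrelated IV scrambles all of block 1 but leaves blocks 2 and 3 intact:
	// in CBC those are XORed with the previous ciphertext block, not with the IV.
	garbage, _ := RoundTrip(DemoKey, CorrectIV, bytes.Repeat([]byte{0xFF}, aes.BlockSize), pt)
	fmt.Printf("unrelated IV: differing offsets %v\n", DiffIndices(pt, garbage))
}
```

The first block of CBC decryption is D(C1) XOR IV, so a tool that uses the wrong IV recovers the true first block XOR (correct IV XOR wrong IV); every later block is D(Ci) XOR C(i-1) and never touches the IV, which is why only the first 0x10 bytes of the tik come out wrong. Where the two IVs differ in a single bit, as in the constructed case, the damage is a single flipped bit in one byte, and 0x01 versus 0x03 is exactly that.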

asper

Well-Known Member
OP
Member
Joined
May 14, 2010
Messages
942
Trophies
1
XP
2,028
Country
United States
So to do AES decryption you need a key and an IV (initialization vector). If that vector is not correct, the first decrypted block (one block = 0x10 bytes) will look wrong; that's exactly what happens here to the first 0x10 tik bytes: whatever decrypts this at the moment does not correctly set up the IV.

With "whatever decrypts this" you mean inside the console ?
 

FIX94

Former Staff
Former Staff
Joined
Dec 3, 2009
Messages
7,284
Trophies
0
Age
29
Location
???
XP
11,238
Country
Germany
So, basically, all discs are "legit WUDs"; they can be installed on any console?
And eShop is keyed to one console?
Yes, that is correct.
With "whatever decrypts this" you mean inside the console?
I mean the software decrypting the .wud right now has the problem, and that's why my own tik dumps from disc are automatically correct and can be installed ;)
 

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,721
Trophies
2
XP
8,468
Country
Tuvalu
I just want to fully understand this.

(This is what I think happens, I might be wrong, please correct!)
So, Wii U disc games happen to have a ticket on the disc.
The contents on the disc are encrypted with the WUD key (Wii U disc key).
Yet the ticket on the disc contains the CDN key for the digital game - useless for the disc contents, which are encrypted with a different key, the WUD key. -- This confuses me if true, why Nintendo? :wtf:

For the Brazil trick we take and change the ticket on disc to be a digital media type instead of physical, download the contents from CDN and install with our edited ticket.

And @crediar or anyone else in the know, when downloading the .h3 files from CDN, how can we find out what .app content files will have a .h3 file?
Some games I have seen don't have a .h3 file for each .app file. In my tool I'm simply testing to see if a .h3 file exists for each content file, but it seems a bit ugly.

Thanks guys :)

---
And from what I see, the premade tickets I have found online... they have console IDs in them.
With Wii U we can install tickets that have a console ID?
(And especially one that is not ours?)
I ask because, with 3DS we cannot install anything that has a console ID in the ticket, even our own console ID... = no legit personal backups. :(
 
  • Like
Reactions: moops44

Cyanopsis

Well-Known Member
Newcomer
Joined
Nov 6, 2015
Messages
76
Trophies
0
Age
46
XP
456
Country
Yes, that is correct.

I mean the software decrypting the .wud right now has the problem, and that's why my own tik dumps from disc are automatically correct and can be installed ;)

On that ticket database site there is a ticket for Zelda: A Link to the Past, which I guess is an eShop VC title. That must be bogus then, right?
 

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,721
Trophies
2
XP
8,468
Country
Tuvalu
On that ticket database site there is a ticket for Zelda: A Link to the Past, which I guess is an eShop VC title. That must be bogus then, right?
Today I noticed quite a few eShop tickets/keys up, so I guess with the recent progress/public progress, we can dump tickets from our console?
Before, I never saw eShop tickets, or even JPN tickets, ha...

Good, the collection is building!
 
  • Like
Reactions: Azel

Pachee

Well-Known Member
Member
Joined
Nov 3, 2015
Messages
478
Trophies
0
XP
558
Country
United States
On that ticket database site there is a ticket for Zelda: A Link to the Past, which I guess is an eShop VC title. That must be bogus then, right?
My SM3DW pre-install ticket is completely different from the "public" disc ticket.

It's even many bytes shorter.
Wii VC games like Xenoblade and Kirby Dream Land also have a rvlt.tik/rvlt.tmd in the /code folder that are way smaller than the normal tickets/TMDs used to download from NUS.
 

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,721
Trophies
2
XP
8,468
Country
Tuvalu
Wii VC games like Xenoblade and Kirby Dream Land also have a rvlt.tik/rvlt.tmd in the /code folder that are way smaller than the normal tickets/TMDs used to download from NUS.
So instead of a separate database like 3DS, ha, Wii U keeps the tickets in the game folder/data themselves?
Or is there also a database too?
 

Pachee

Well-Known Member
Member
Joined
Nov 3, 2015
Messages
478
Trophies
0
XP
558
Country
United States
So instead of a separate database like 3DS, ha, Wii U keeps the tickets in the game folder/data themselves?
Or is there also a database too?
No, there is a separate folder for the NUS/ownership tickets, just like on the Wii.

These I mentioned above are just an example of those "smaller tickets", because until now we weren't able to dump stuff from NAND. I don't know what they are for, because this is the first time I have seen a 1 KB TMD and 1 KB ticket. Dream Land NUS TMD/ticket are 6/3 KB for comparison.
 

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,721
Trophies
2
XP
8,468
Country
Tuvalu
No, there is a separate folder for the NUS/ownership tickets, just like on the Wii.

These I mentioned above are just an example of those "smaller tickets", because until now we weren't able to dump stuff from NAND. I don't know what they are for, because this is the first time I have seen a 1 KB TMD and 1 KB ticket. Dream Land NUS TMD/ticket are 6/3 KB for comparison.
Sure, but depending on whether these small tickets have the title key, that is all we need :)
 

Cyan

GBATemp's lurking knight
Former Staff
Joined
Oct 27, 2002
Messages
23,749
Trophies
4
Age
45
Location
Engine room, learning
XP
15,646
Country
France
@cearp:
Fix94 said his extracted NAND ticket from disc game already had 0x01 instead of 0x03.
It's an issue with the extractor (discU and VGm?) not using the correct IV for the first block? That's what I understood.
if that vector is not correct the first decrypted block (one block=0x10 bytes) will look wrong (what about the next blocks?),
that's what happens here, the first 0x10 bytes are wrong.

To know if you need .h3, look at the TMD.
Each content has a content type; if it's 0x2003 then it has a .h3 (wait, I'm verifying it!)
edit: yes, that's it.
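As an added example that is not part of the thread or of any tool it mentions, this Go program applies Cyan's rule to a TMD content list instead of probing the CDN for each .h3. The 0x30-byte content record layout used here (big-endian content id, index, type, size, then a 32-byte hash) follows the commonly documented format and is an assumption of this example, as is the 8-hex-digit .app/.h3 file naming; the two records are constructed, and 0x2001 is simply an arbitrary type value other than 0x2003.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ContentRecord mirrors one 0x30-byte entry of the TMD content list as the
// format is commonly documented (an assumption for this example): big-endian
// u32 content id, u16 index, u16 type, u64 size, then a 0x20-byte SHA-256.
type ContentRecord struct {
	ID    uint32
	Index uint16
	Type  uint16
	Size  uint64
	Hash  [32]byte
}

const recordSize = 0x30

// H3ContentType is the value Cyan reports for contents that ship a .h3 file.
const H3ContentType = 0x2003

// ParseContentRecords decodes a concatenated content list, rejecting input
// that is not a whole number of records rather than reading a partial entry.
func ParseContentRecords(b []byte) ([]ContentRecord, error) {
	if len(b)%recordSize != 0 {
		return nil, fmt.Errorf("content list length %d is not a multiple of %#x", len(b), recordSize)
	}
	recs := make([]ContentRecord, 0, len(b)/recordSize)
	for off := 0; off < len(b); off += recordSize {
		r := b[off : off+recordSize]
		var c ContentRecord
		c.ID = binary.BigEndian.Uint32(r[0:4])
		c.Index = binary.BigEndian.Uint16(r[4:6])
		c.Type = binary.BigEndian.Uint16(r[6:8])
		c.Size = binary.BigEndian.Uint64(r[8:16])
		copy(c.Hash[:], r[16:48])
		recs = append(recs, c)
	}
	return recs, nil
}

// HasH3 applies the rule from the thread: content type 0x2003 means a .h3 exists.
func (c ContentRecord) HasH3() bool { return c.Type == H3ContentType }

// Files lists the CDN file names to fetch for this content, using the usual
// 8-hex-digit content id naming (assumption; the thread only names .app/.h3).
func (c ContentRecord) Files() []string {
	files := []string{fmt.Sprintf("%08x.app", c.ID)}
	if c.HasH3() {
		files = append(files, fmt.Sprintf("%08x.h3", c.ID))
	}
	return files
}

// DemoContentList is a constructed two-record content list: content 0 has an
// arbitrary non-0x2003 type, content 1 is 0x2003 and therefore needs a .h3.
// Hash fields are left zero; they are placeholders, not real digests.
func DemoContentList() []byte {
	mk := func(id uint32, idx, typ uint16, size uint64) []byte {
		r := make([]byte, recordSize)
		binary.BigEndian.PutUint32(r[0:], id)
		binary.BigEndian.PutUint16(r[4:], idx)
		binary.BigEndian.PutUint16(r[6:], typ)
		binary.BigEndian.PutUint64(r[8:], size)
		return r
	}
	return append(mk(0x00000010, 0, 0x2001, 0x8000), mk(0x00000011, 1, 0x2003, 0x4000000)...)
}

func main() {
	recs, err := ParseContentRecords(DemoContentList())
	if err != nil {
		panic(err)
	}
	for _, c := range recs {
		fmt.Printf("content %08x index %d type %#06x size %d -> %v\n",
			c.ID, c.Index, c.Type, c.Size, c.Files())
	}
}
```

Deciding from the TMD which files to fetch keeps the download list deterministic and avoids the "try every .h3 and see what exists" approach cearp describes; a missing .h3 for a 0x2003 content then shows up as an error rather than being silently skipped.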
 
