Hacking Why "adding or removing 2" from byte 0x0F of tiket.tik ? Answer and exact "formula".

[piratesephiroth]

I just want to fully understand this.

(this is what i think happens, i might be wrong, please correct!)
So, wii u disk games, they happen to have a ticket on the disk.
The contents on the disk are encrypted, with the WUD key. (wii u disk key)
Yet the ticket on the disk, it contains the CDN key for the digital game. - Useless for the disk contents which are encrypted with different key, the WUD key. -- this confuses me if true, why nintendo?

For the brazil trick we take and change the ticket on disk to be a digital media type instead of physical, download the contents from cdn and install with our edited ticket.



And @crediar or anyone else in the know, when downloading the h3 files from cdn, how can we find out what .app content files will have a .h3 file?
Some games I have seem don't have a .h3 file for each .app file. In my tool I'm simply testing to see if a .h3 file exists for each content file, but it seems a bit ugly.

Thanks guys


---
and from what i see, the premade tickets I have found online... they have console ids in them.
with wiiu we can install tickets that have a console id?
(and especially one that is not ours?)
i ask because, with 3ds we cannot install anything that has a console id in the ticket, even our own console id... = no legit personal backups.

Only tickets in WUDs seem to have the 2 wrong bytes.
If we dump them from the disc inside the Wii U with iosuhax they come 100% correct.

 

[cearp]

Only tickets in WUDs seem to have the 2 wrong bytes.
If we dump them from the disc inside the Wii U with iosuhax they come 100% correct.

what about all my other points, they are all correct? i want to make sure i understand
and thanks

 

[piratesephiroth]

what about all my other points, they are all correct? i want to make sure i understand
and thanks

I don't know where the WUD key comes from.
I guess only the scene groups know that.

Discs always have at least one ticket and that's for the game itself, which of course is identical to the one in the eshop servers.
If the disc contains an update then it has an additional ticket for that too.

The 2 bytes are changed in the tickets for unknown reasons. The Wii U seems to fix them automatically, since as I wrote before they appear fine when we dump them with iosuhax.

 

[pedro702]

Wii VC games like Xenoblade and Kirby Dream Land also have a rvlt.tik/rvlt.tmd in the /code folder that are way smaller than the normal tickets/tmds use to download from nus.

do those tickets even install?

 

[cearp]

I don't know where the WUD key comes from.
I guess only the scene groups know that.

Discs always have at least one ticket and that's for the game itself, which of course is identical to the one in the eshop servers.
If the disc contains an update then it has an additional ticket for that too.

The 2 bytes are changed in the tickets for unknown reasons. The Wii U seems to fix them automatically, since as I wrote before they appear fine when we dump them with iosuhax.

ok good, so i do understand it correctly.
but why does nintendo give a ticket (especially with the eshop/nus/cdn key) if the key is not even usable with the contents on the disk?

 

[piratesephiroth]

ok good, so i do understand it correctly.
but why does nintendo give a ticket (especially with the eshop/nus/cdn key) if the key is not even usable with the contents on the disk?

Since all disks have it, I can only guess the ticket is required for the game to function.
Obviously they wouldn't include it just to allow free downloads.
The matching key happens because they use the same exact contents for physical and digital releases.

The Wii U system design looks way sloppier than the 3DS.

 

[kasai07]

that simple!

#include <stdio.h>
#include <string.h>

void main()
{
char *tab;
FILE *file;
FILE *file2;
if((file = fopen("title.tik","rb")) == NULL){printf("impossible d'ouvrir le fichier\n"); goto fin;}

int size;
fseek(fichier, 0, SEEK_END);
size = ftell(file);
fseek(file,0,SEEK_SET);

tab = malloc(size);

fread(tab, size, 1, file);

if(tab[1] == 0x03)
{
    tab[1] = 0x01;
    tab[15] = tab[15] - 0x02;
}else{
fclose(file);
printf("Title.tik deja modifier ou impossible a modifier\n");
goto fin;
}

if((file2 = fopen("title.modifier.tik","wb")) == NULL){printf("impossible d'ouvrir le fichier a ecrire\n"); goto fin;}

fwrite(tab, size, 1, file2);


fclose(file2);
fclose(file);
printf("Modfication du Title.tik Terminer!!!\n");
fin : system("pause");

}

 

[Kohmei]

I think it would be the easiest thing for them to issue an update that blocks console ID=00000000 tickets for installed games, rendering all your USB backups worthless.

Keep those update servers blocked...

 

[piratesephiroth]

I think it would be the easiest thing for them to issue an update that blocks console ID=00000000 tickets for installed games, rendering all your USB backups worthless.

Keep those update servers blocked...

system titles' tickets have that same null console id though.
Also pre-installed titles. (I think older models came with them)

(and disc games, obviously)

 

[cearp]

system titles' tickets have that same null console id though.
Also pre-installed titles. (I think older models came with them)

(and disc games, obviously)

some tickets (i think all that i looked at) on *thatwiiutitlekeysite* had a console id in the ticket...
they install?
with 3ds, tickets with a console id do not install, they only install if you blank it (00000000)

 

[piratesephiroth]

some tickets (i think all that i looked at) on *thatwiiutitlekeysite* had a console id in the ticket...
they install?
with 3ds, tickets with a console id do not install, they only install if you blank it (00000000)

I didn't test them. They probably won't install (and if they install they won't run).

 

[cearp]

I didn't test them. They probably won't install (and if they install they won't run).

i'm not sure... i found+download a premade usb install pack to install, and the ticket has a console id...
i don't have a wii u to test, but from seeing this (and other 'ready' tickets), i assume having a console id in them is fine

 

[paulogiygas91]

I have a question...when we put a disc game inside the Wii U, the ticket stored in the disc is somehow installed on the console? If true, it's the way the console keep track of what disc games you used in the console? (adding it on the play history and ratings on the eshop maybe?).

This method is basically inserting a "disc game" in the console, but altering these bytes makes the console see the game as a eshop title rather than a disc one?

 

[piratesephiroth]

i'm not sure... i found+download a premade usb install pack to install, and the ticket has a console id...
i don't have a wii u to test, but from seeing this (and other 'ready' tickets), i assume having a console id in them is fine

If they have a console id, they would have an eshop account id as well.
The console refuses to run any game until you log into the correct account that owns it, even if the game was purchased on that same console.
I find it extremely unlikely that the console id isn't checked.

 

[cearp]

If they have a console id, they would have an eshop account id as well.
The console refuses to run any game until you log into the correct account that owns it, even if the game was purchased on that same console.
I find it extremely unlikely that the console id isn't checked.

sure, i understand and agree with you
with 3ds we can't even install cias that have OUR OWN console id...

anyway, as time passes we will get more information and reports about installing stuff

 

[Kohmei]

system titles' tickets have that same null console id though.
Also pre-installed titles. (I think older models came with them)

(and disc games, obviously)

My pre-installed SM3DW has my console ID in it

 

[piratesephiroth]

My pre-installed SM3DW has my console ID in it

Maybe that was added after you logged into/created the NNID.
This seems to happen with pre-installed 3DS games. I recall some of them having console/account IDs in their tickets too.

 

[gamesquest1]

yeah i think if you delete the game on the 3DS once you redownload it it becomes a console unique ticket, same applies for system transfers, but not if you just make a NNID, on the 3ds it still keeps its universal ticket status, it may just be that the wiiu uses a different system for pre-installed games, or maybe it was just a download code with the console or something like some 3DS consoles that come with bundled games

still not seeing why nintendo decided to bundle universal tickets with all their games, really shot themselves in the foot with that one, they could have at least added a media flag into the ticket to make it a disk or download ticket so you couldn't use a disk ticket to install the game

 

[cearp]

still not seeing why nintendo decided to bundle universal tickets with all their games, really shot themselves in the foot with that one, they could have at least added a media flag into the ticket to make it a disk or download ticket so you couldn't use a disk ticket to install the game

sure i agree, it's weird.
in the ticket they include, it is the eshop version title key right?
which can't even be used for the disk game since that has a different key no?... (i have that correct?) - if so, it makes no sense.

 

[gamesquest1]

sure i agree, it's weird.
in the ticket they include, it is the eshop version title key right?
which can't even be used for the disk game since that has a different key no?... (i have that correct?) - if so, it makes no sense.

maybe its possible they were planning some system like on the xbox 360 where you could install a game and run it from the HDD and just leave the disk into to verify your ownership......would kinda make sense then i guess (in a backwards approach kind of way)