[Tutorial] Hex Editing - Unlocking DLC without CFW or Sigpatch!

Rahzadan

Special thanks to @raphamotta for his detailed tutorial(s) on this subject. This one serves as a more detailed explanation of the hex editing portions of his tutorial, which can be found here:

http://gbatemp.net/threads/tutorial...d-on-sysnand-without-cfw-or-aocptcher.464178/

Assumptions:
  • You've followed raphamotta's tutorial (link above) up to the hex editing part
  • You have your correct .tik file open in a hex editor (I use frhed) for the DLC in question
  • You've checked the keys.txt file (dumped from tik2sd) and you've triple-checked you have the correct .tik file open, comparing your title key / title ID against "that site".

Facts to Keep in Mind:
  • DLC tickets are almost always exactly 848 bytes. There are exceptions to this, however the same rules apply to tickets of other sizes as well. I will go over how to tell where one ticket ends and the next one begins.
  • If your .tik file is 848 bytes, it contains 1 ticket. If it's 1696 bytes, it contains 2 tickets (most likely your legit + fake ticket), or 2544 bytes (3 tickets - likely your legit + fake, and 1 legit for a different game). I'm not sure how many tickets can be in one .tik file, but I can only assume the sky is the limit.
  • Your keys.txt file dumped from tik2sd will be essential for figuring out exactly WHERE (hex offset) inside WHAT .tik file, the ticket you're looking for is located.
  • In a .tik file with multiple tickets, each ticket BEGINS IMMEDIATELY after the first ticket ends. For example, an 848 byte ticket located at offset 0x0 ends at 0x34F. The 2nd ticket in this file would begin at offset 0x350 and end at 0x69F. Finally, a 3rd ticket would begin at 0x6A0 and end at 0x9EF.
  • In a hex editor, you can generally tell a FAKE ticket from a REAL one, because the FAKE ticket will have a lot of repeating characters, and a real one will look like more randomized gibberish, as in this example:
[Image: fpDcncH.png]


  • The "@xxx" portion in your keys.txt is referring to the hex offset. Think of it like an address, or location inside of a file so we can know exactly WHERE the data (in this case the ticket) is located inside the file. In frhed (the hex editor I use), the offset is always shown at the bottom:
[Image: JaRUeR9.png]

There are 2 possible scenarios. In the first scenario, there are 2 tickets in the .tik file. Meaning, your legit ticket for that game (free or paid DLC you downloaded from eShop) + your fake ticket (installed by WUP Installer / USB Helper). In the second scenario, there might be 3 or more tickets in the same .tik file. You'll want to swap them so that your legit ticket is not necessarily at the TOP, but HIGHER than the fake ticket, if that makes sense.

For the purposes of this tutorial, I will be going over the 2 ticket scenario using dummy .tik files I created myself, containing 2 FAKE tickets. YOUR .tik file will have your fake ticket in it (installed from WUP Installer) in addition to your REAL (legit) ticket for that game. I'm doing this because I don't want to reveal my real tickets (for obvious reasons).

How to Do It!:
  • 2 tickets (1 legit + 1 fake for the same game) are inside the .tik file (1696 bytes), and are the only 2 tickets in that file.
  • After searching in keys.txt, it indicates that the ticket(s) start at 0x0 and 0x350
  • We're going to swap them according to the image and instructions below.
[Image: mB8iaRy.png]

For the other possible scenario with 3 or more tickets in your .tik file, just picture another 848 or 696 byte ticket for a different game BETWEEN the 1st and 2nd tickets, or perhaps at the top or bottom. In a case like this, you'd want to CUT the top fake ticket, and paste it in a separate, blank hex editor window temporarily. Then take the REAL ticket, and paste it temporarily into a 3rd blank hex window. Now, take your REAL ticket and paste it at the top (0x0), while putting your FAKE ticket at the bottom. Make sure all of your starting offsets for each ticket are correct once swapped, or the Wii U will say that your DLC is corrupted. It really doesn't matter what position that 3rd 'mysterious' ticket is in, because it's for a separate game and the Wii U will ignore the other tickets that aren't for that game if you ever launch it.

As a side note, it looks like @marc_max has created a ticket swapper tool, which makes this whole process automated. His tool can be found here:

http://www.marcrobledo.com/wiiu-tik-fixer/

Let me know if there's anything you don't understand, or if I should make any changes!
 
Last edited by Rahzadan,
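
Added example, not part of the original post or of any tool it mentions: a read-only Python check of the layout described above. It lists where each ticket slot starts and ends and marks slots whose bytes are highly repetitive, the trait the post uses to tell a fake ticket from a real one. The 6.0-bit entropy threshold, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

TICKET_SIZE = 0x350  # 848 bytes, the usual ticket size given in the post

def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())

def inspect_bucket(data: bytes, starts=None, threshold: float = 6.0):
    """Report each slot's offsets, size, entropy and a 'repetitive' flag.

    starts: slot start offsets (such as the "@xxx" values in keys.txt);
    defaults to uniform 848-byte slots. threshold is an assumed cut-off.
    """
    if starts is None:
        starts = range(0, len(data), TICKET_SIZE)
    starts = sorted(starts)
    report = []
    for i, start in enumerate(starts):
        # A slot runs up to the next start offset, or to the end of the file.
        end = starts[i + 1] if i + 1 < len(starts) else len(data)
        if not 0 <= start < end <= len(data):
            raise ValueError(f"slot at {start:#x} is outside the file")
        bits = shannon_entropy(data[start:end])
        report.append({"start": start, "end": end - 1, "size": end - start,
                       "entropy": round(bits, 2), "repetitive": bits < threshold})
    return report

def constructed_sample() -> bytes:
    """Constructed test data, not real tickets: a repetitive slot, then a noisy one."""
    fake = b"FAKE TICKET PAD " * 53           # 16 * 53 = 848 repeating bytes
    block, noisy = b"constructed seed", b""
    while len(noisy) < TICKET_SIZE:            # deterministic pseudo-random filler
        block = hashlib.sha256(block).digest()
        noisy += block
    return fake + noisy[:TICKET_SIZE]

if __name__ == "__main__":
    for row in inspect_bucket(constructed_sample()):
        print(f"{row['start']:#06x}-{row['end']:#06x} size={row['size']} "
              f"entropy={row['entropy']} repetitive={row['repetitive']}")
```

A slot size other than 848 in the report (for example 696) or a short trailing slot means the uniform-slot assumption does not hold for that file and explicit start offsets should be passed instead.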

nexusmtz

this only works for dlc, correct?
I don't understand the question. What, besides DLC, lets you make a valid purchase that wouldn't already cover the entire title? I did try it with an expired subscription, but the subscription was only 696 bytes. It didn't work, probably because I don't know how to specify times in the fake ticket.
 

nexusmtz

I mean u can't use it for other games.
Keeping in mind that this technique works by repositioning your totally valid real ticket for the title ahead of the fake ticket for the same title, yes, it 'works' on regular games too. But with a game, since you have a valid ticket for the title, why would you want the fake ticket? It would do nothing extra for you.

It would repair a fake title that you had accidentally loaded over your real one, but you wouldn't swap the fake and real tickets, you'd just delete the fake ticket. (or delete them both, and let eshop repopulate it.)
 

godreborn

I actually changed one of my fake tickets I had loaded over a real one. "Diseased Isabella," in hex repeated over and over again, right? a fake ticket will prevent u from downloading a real one from the eshop. installation will fail. I've fixed that.
 

nexusmtz

I actually changed one of my fake tickets I had loaded over a real one. "Diseased Isabella," in hex repeated over and over again, right? a fake ticket will prevent u from downloading a real one from the eshop. installation will fail. I've fixed that.
Right. But just delete the fake one, don't swap the positions.
 

godreborn

I've already done that. I was just wondering if u could use this for a game (i.e. Mario Kart 8 with credentials of Breath of the Wild).
 

nexusmtz

I've already done that. I was just wondering if u could use this for a game (i.e. Mario Kart 8 with credentials of Breath of the Wild).
Oh. No, that won't work because then they're just two different titles' tickets in the same ticket bucket file, which is a normal thing to see.
 

nexusmtz

what do you mean by offset 0x6A0?
An offset tells you how far something is from something else. In this case, it tells you how many bytes from the start of the file (offset 0). 0x6A0 is 1696 bytes because it's hexadecimal (6x256)+(10x16)+(0)=1656. A hex editor will usually show the offset in hex though, so you don't have to do any translation.
 

TheDarkGreninja

An offset tells you how far something is from something else. In this case, it tells you how many bytes from the start of the file (offset 0). 0x6A0 is 1696 bytes because it's hexadecimal (6x256)+(10x16)+(0)=1656. A hex editor will usually show the offset in hex though, so you don't have to do any translation.
Ah, right, that's what he meant. Seemed I accidentally added a bit of data.
 