Why "adding or removing 2" from byte 0x0F of title.tik? Answer and exact "formula".

Discussion in 'Wii U - Hacking & Backup Loaders' started by asper, Oct 21, 2016.

  1. asper
    OP

    asper GBAtemp Advanced Fan

    Member
    651
    330
    May 14, 2010
    United States
    After checking many title.tik (original and modified for installation) I got the exact "formula" to calculate the new value in

    let's take the 1st 16 bytes of a ticket (dunno which one, it doesn't matter):
    000300045CA5714B61BA6F982BDEA4C0

    looking at that wii page and that 3ds page you see that:
    04 = RSA_2048 SHA256 (signature type)

    You must leave 04 as is.
    Change 03 to 01.
    About last byte (let's call it 0x0F):

    (0x0F) XOR (02)

    so, in our example:

    (C0) XOR (02) = C2

    where C2 is the correct value to make the certificate be recognized by the console.

    So you have no more to "test" if adding or removing 2 from byte 0x0F, just xor its original value with 02.

    The real history of this "mystery" is clearly explained by the great @crediar in his answer at page 6 of this thread.


    Thank you for reading :)
     
    Last edited by asper, Oct 25, 2016
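As an added example (not code from the thread, and not from WUPInstaller or any ticket modifier named in it), here is the patch from the first post written as a small Python script. It assumes only what the post states: the signature type is the big-endian 32-bit word at offset 0 (04 = RSA_2048 SHA256), the example header reads 00030004 and should become 00010004 ("change 03 to 01"), and byte 0x0F is XORed with 0x02. The constant names, the padding of the 16-byte sample header, and the refusal to patch a ticket whose type is already 0x00010004 are my additions. The `xor_as_add_or_sub` helper shows why people saw the change as "adding or removing 2": XOR with 0x02 flips bit 1, which adds 2 when that bit is clear and subtracts 2 when it is set.

```python
"""
Apply the title.tik header patch from the first post:

  bytes 0..3 : signature type, big-endian u32   0x00030004 -> 0x00010004
  byte 0x0F  : XOR with 0x02

Nothing else in the file is touched.
"""
import struct
from typing import Tuple

SIG_TYPE_OFFSET = 0x00
SIG_RSA2048_SHA256 = 0x00010004      # standard type; the console recognises this
SIG_TYPE_IN_DUMPED_TIK = 0x00030004  # type found in the tickets the thread patches
PATCH_OFFSET = 0x0F
PATCH_MASK = 0x02


def xor_as_add_or_sub(value: int, mask: int = PATCH_MASK) -> Tuple[int, str]:
    """Return (value ^ mask, "add" | "sub").

    XOR with a single-bit mask flips that bit: if it was clear the result is
    value + mask, if it was set the result is value - mask. Which one you get
    depends on the original byte, which is why "add 2" and "subtract 2" both
    appeared to work on different tickets.
    """
    if mask == 0 or mask & (mask - 1):
        raise ValueError("explanation only holds for a single-bit mask")
    new = value ^ mask
    return new, ("add" if new == value + mask else "sub")


def patch_ticket_header(tik: bytes) -> bytes:
    """Return a patched copy of a ticket, or raise if it does not look right."""
    if len(tik) <= PATCH_OFFSET:
        raise ValueError("ticket shorter than 0x10 bytes")
    sig_type = struct.unpack_from(">I", tik, SIG_TYPE_OFFSET)[0]
    if sig_type == SIG_RSA2048_SHA256:
        # XOR is its own inverse: running the patch twice would silently
        # undo the 0x0F change while the type word still looks correct.
        raise ValueError("signature type already 0x00010004; refusing to patch twice")
    if sig_type != SIG_TYPE_IN_DUMPED_TIK:
        raise ValueError(f"unexpected signature type {sig_type:#010x}")
    out = bytearray(tik)
    struct.pack_into(">I", out, SIG_TYPE_OFFSET, SIG_RSA2048_SHA256)
    out[PATCH_OFFSET] ^= PATCH_MASK
    return bytes(out)


# The 16-byte header quoted in the first post. Constructed sample: a real
# ticket continues with the rest of the signature and the ticket body.
SAMPLE_HEADER = bytes.fromhex("000300045CA5714B61BA6F982BDEA4C0")


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # usage: python patch_tik.py in/title.tik out/title.tik
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_ticket_header(data))
    else:
        patched = patch_ticket_header(SAMPLE_HEADER)
        print(patched.hex().upper())  # 000100045CA5714B61BA6F982BDEA4C2
        for original in (0xC0, 0x0E, 0x10):
            new, how = xor_as_add_or_sub(original)
            print(f"{original:#04x} ^ 0x02 = {new:#04x}  ({how} 2)")
```

Run it with no arguments to see the sample header from the post patched, or with an input and output path to patch a real title.tik. The refusal on an already-standard type word is deliberate: because XOR undoes itself, a tool that patches unconditionally will corrupt a ticket that was already fixed.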
  2. AboodXD
    Wow, WILL DEFINITELY UPDATE MY TICKET MODIFIER ASAP!!

    I can answer question 2, the error will be different.
  3. Keylogger
    I want to add a new question:
    Why do we need a modified WUPInstaller? What is modified?
  4. cearp
    so we change the ticket data to set the signature type to a different type.
    and the signature type we change it to... we can create that signature, and the system thinks it's legit?

    why is this? i don't get it.
    great for us :D but, if the wiiu thinks the ticket is legit... that's weird no?
  5. AboodXD
    Code:
    0x10 ^ 2
    Returns 0x12, it should have returned 0x0E...

    BTW,
    Code:
    ^
    is XOR in Python.
  6. Keylogger
    Maybe a bug in the signature check? Like the trucha bug for Wii?
  7. asper (OP)
    Autoquote, please re-read the 1st post ;) :
  8. AboodXD
    @asper:
  9. asper (OP)
    You mean a game has 10 at 0x0F in the original title.tik and the correct installation value is 0E?
    0x10 ^ 0x02 = 0x12 is correct...
    Last edited by asper, Oct 21, 2016
  10. Keylogger
    @cearp Nothing prevents you from making a tik installer for Wii U now :P (CIAngel U xD )
    Last edited by Keylogger, Oct 21, 2016
  11. AboodXD
    @asper Yes, that's what I meant.
    0x10 ^ 0x02 = 0x12, but the correct value is 0x0E.

    This is NSMBU USA BTW.
  12. asper (OP)
    Well, the original value for NSMB USA is 0E, so 0E ^ 02 = 0C, not 12 nor 10...

    I tested my "formula" with more than 20 titles and it always got the correct value.
    Last edited by asper, Oct 21, 2016
  13. cearp
    do we have nand access/ftp or anything like that?
    or a way to read files from the wiiu nand/wiiu disk?
    i don't have a wiiu but i will get one in december/january.

    if, as it appears so, many wiiu digital games have the same title key as the disk game - we could make a simple tool to dump the key from the disk.
    and of course, a tool to dump all the keys from the database in nand.
    oops, ok i thought we were changing the sig type.
    but you say we change the value at 0xF - so that would break the signature no?
  14. AboodXD
    The value for WUD ticket is 0x10.
    The value for NUS ticket is 0x0E. (The correct value after modifying the ticket)

    0x10 - 2 = 0x0E.
    Last edited by AboodXD, Oct 21, 2016
  15. asper (OP)
    You MUST use NUS title.tik, not WUD.

    EDIT: sorry, I mean you must use the title.tik inside \system\02 folder
    Last edited by asper, Oct 21, 2016
  16. Keylogger
    Wrong, you have to extract the ticket from the WUD
  17. AboodXD
    LOL, look, the original value is 0x10.
    The value that WUPInstaller accepts is 0x0E.
    0x10 - 2 = 0x0E.
  18. asper (OP)
    re-autoquote, please re-re-read the 1st post ;):
    So, "probably", the signature is firstly de-xored, then checked, if de-xoring fails also the signature fails.

    The NSMB USA I found has this: 00030004289BAC0D6362A7EA9C429B0E, maybe it is not original ? (EDIT: 0E is the original value, thanks to @Chooker for checking that out !)

    About NUS title.tik, sorry, I mean you must use the title.tik inside the \02 folders; right now there is no way to extract title.tik from already eshop-installed games.
    Last edited by asper, Oct 21, 2016
  19. Antonio Carlos
    Very good.
    I had problems modifying the .tik for Captain Toad and Bayonetta.
    Now it worked perfectly with them, (0x0F) XOR (02) and byte 0x01 (01) for digital media.
  20. cearp
    haha ok i read your post a few times, it makes a bit more sense now (if you are actually correct, since like you said you are not 100% but that it seems to be right)


    but, we generate the signature ourselves? why can we do this, wouldn't this need keys only nintendo has?

    eventually i will stop questioning and start enjoying ;)
    (when my wii u gets here in a few months)
    Last edited by cearp, Oct 21, 2016