1. AboodXD

    AboodXD I hack NSMB games, and other shiz.
    Member

    Joined:
    Oct 11, 2014
    Messages:
    2,780
    Country:
    United Arab Emirates
    IIRC it does some magic with the files to validate the ticket.

    What I'm sure about is that it validates the ticket OFFLINE.
     
  2. Cyan

    Cyan GBATemp's lurking knight
    Global Moderator

    Joined:
    Oct 27, 2002
    Messages:
    22,532
    Country:
    France
    Yes, it's done offline, in async mode.

    Nintendo is generating a signature with a private key. Only Nintendo has it.
    The signature is included inside the ticket.
    That signature can be decrypted (but not generated) with the common key. All consoles have it.

    If the decrypted signature checksum matches the ticket checksum (I'm not sure which part of the ticket is verified against the signature's hash), then it means the ticket is valid, and the console can use the data from it.
    If you edit the title key to install a different game, for example you know the title key for a game but you don't have its ticket so you edit an existing ticket to put your title key inside, then the decrypted signature's checksum will not match the ticket's checksum anymore.


    It works here because the title key is the same for both the disc and the eshop version.
    Editing only one byte (game type) affects only one byte in the encrypted signature.
    If we had to edit the entire title key and title ID, the signature would be too different to calculate it without the private key.
     
  3. joacosur15

    joacosur15 GBAtemp Regular
    Member

    Joined:
    Jan 2, 2016
    Messages:
    116
    Country:
    Argentina
    Do you think it can be patched?
     
  4. Cyan

    Cyan GBATemp's lurking knight
    Global Moderator

    Joined:
    Oct 27, 2002
    Messages:
    22,532
    Country:
    France
    What can be patched?

    We can't generate signatures without the private key, or we could install homebrew directly to the Wii U menu.
     
  5. joacosur15

    joacosur15 GBAtemp Regular
    Member

    Joined:
    Jan 2, 2016
    Messages:
    116
    Country:
    Argentina
    The title installation with a single-byte modification, or do they have to create two different title IDs for each game (digital and disc) to fix that?
     
  6. Chooker

    Chooker Member
    Newcomer

    Joined:
    Nov 4, 2014
    Messages:
    20
    Country:
    Russia
    Another console TIK modder, 14 KB, x86:
    https://mega.nz/#!fdIwhYoQ!gQiaMY7xQ...axmPmPdc3_Pgj8

    It creates a copy of the file being modified with the prefix modder_ or original_.
    It converts to the modded form and vice versa.

    USE: Tik_Mod <title_file.tik>

    You can give it a file; if no file is given, the tool tries to mod the title.tik next to it.
    Simply copy title.tik to the folder and run Tik_Mod.
     
  7. Kohmei

    Kohmei GBAtemp Advanced Fan
    Member

    Joined:
    Feb 17, 2013
    Messages:
    809
    Country:
    United States
    What is the benefit of an xor mask from a security perspective? It seems like the signature should already prevent the ticket from being modified, and if the xor mask is adding an additional layer to this, it has failed miserably at that.
     
  8. asper

    OP asper GBAtemp Advanced Fan
    Member

    Joined:
    May 14, 2010
    Messages:
    866
    Country:
    United States
    Mine is just a theory confirmed by too little data. We will see what the truth will be ;)
     
  9. Chooker

    Chooker Member
    Newcomer

    Joined:
    Nov 4, 2014
    Messages:
    20
    Country:
    Russia
  10. FIX94

    FIX94 Global Moderator
    Global Moderator

    Joined:
    Dec 3, 2009
    Messages:
    7,284
    Country:
    Germany
    Alright now, here is something crazy for you:
    I just dumped some .tik files from discs I had over the network using iosuhax and... the tiks already start with "01" and are "xor'd" as well, meaning dumped tiks like that can't be installed directly without any errors. So the question now is: are those files in .wuds somehow unclean, or does the Wii U at some level automatically, even from disc, adjust those values so the Wii U can actually use them? That explains, though, why they have to be changed in the first place, I guess, to be installable.
     
  11. VinsCool

    VinsCool Cattus Incerta Tacitusque
    Member

    Joined:
    Jan 7, 2014
    Messages:
    13,622
    Country:
    Canada
    Woah this is getting interesting.
    One question though. Can the same method be used for already installed titles, as in, eshop purchases?
     
  12. FIX94

    FIX94 Global Moderator
    Global Moderator

    Joined:
    Dec 3, 2009
    Messages:
    7,284
    Country:
    Germany
    I've dumped my eshop tiks as well and they contain my console ID (4 bytes at 0x1D8), so you can most likely only install them directly on your own console unless you run a ciosu with signature checks disabled; otherwise you probably risk a brick.
     
  13. kongsnutz

    kongsnutz WOT?!?
    Member

    Joined:
    Jul 19, 2008
    Messages:
    1,609
    Country:
    United States
    NWPlayer is dumping hers, so we know it can be done.
     
  14. VinsCool

    VinsCool Cattus Incerta Tacitusque
    Member

    Joined:
    Jan 7, 2014
    Messages:
    13,622
    Country:
    Canada
    Another question regarding this. Would it be possible to compare a dumped ticket from one of those that already exist, possibly to find a pattern, or a potential similarity between them? That could possibly lead to some sort of dummy ticket that could be used for the same game without a wud, maybe?

    I just wonder, this is really interesting :P

    You say it has your console ID. But if we know that current modified tickets install on any console of the same region, I would assume that there is a possibility of a dummy ID, that installs regardless of the console?
     
  15. FIX94

    FIX94 Global Moderator
    Global Moderator

    Joined:
    Dec 3, 2009
    Messages:
    7,284
    Country:
    Germany
    No. The reason this works most likely has to do with the tik not requiring a specific console: Nintendo used the exact same signing mechanism for both eshop titles and disc titles, so disc titles can't have a console ID requirement, which is why you can install it globally on every Wii U if you have an installer. The 3DS had similar things, and the Wii too, by the way. So changing anything in a tik right now, such as removing that ID or changing it to another region ID, would make it invalid because its signature would not match up anymore.

    edit: I can even prove this to you. Somebody was just friendly enough to dump a game tik I also had from his console, and if I compare both tiks they indeed differ a lot because of the signatures:
    [image: comparison of the two dumped tickets]
    You can see on the counts alone that there would be no way to brute force that to another console.
     
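Added example, not from the thread and not any of the tools linked in it: a small Python parser for the ticket layout the posts above talk about. Cyan's post describes the ticket as a signed blob whose signature must match the ticket body, and FIX94's posts place a 4-byte console ID at 0x1D8 and explain that a ticket bound to one console cannot simply be re-pointed at another. Only the 0x1D8 offset comes from the thread; every other field offset, the 0x350 ticket size, the assumption that the RSA-2048/SHA-256 signature covers everything from 0x140 onward, the dummy issuer string and the sample title ID are assumptions of this example, and the sample tickets are constructed here rather than dumped from a console. The script reports which field a console-bound ticket differs in, and shows that any single-byte change inside the signed region (title key, console ID, title ID) changes the digest the signature would be checked against, while bytes inside the signature block itself are not covered. Real verification is omitted because it needs the issuer's RSA public key, which this script does not have.

```python
"""Parse a Wii U .tik and show which bytes a signature check would catch.

Added example, not code from the thread or from the tools it links.
The only offset the thread states is the 4-byte console ID at 0x1D8; the
rest of the layout below follows the classic Wii/3DS/Wii U ticket format
and is an assumption of this example.
"""
import hashlib
import struct

SIG_TYPE_RSA2048_SHA256 = 0x00010004  # signature-type tag at offset 0 (assumed)
SIG_OFF, SIG_LEN = 0x004, 0x100       # RSA-2048 signature (assumed)
BODY_OFF = 0x140                      # assumed: signed region starts after sig + padding
ISSUER_OFF, ISSUER_LEN = 0x140, 0x40  # NUL-padded issuer string (assumed)
TITLE_KEY_OFF, TITLE_KEY_LEN = 0x1BF, 0x10  # title key, common-key encrypted (assumed)
TICKET_ID_OFF = 0x1D0                 # 8 bytes (assumed)
CONSOLE_ID_OFF = 0x1D8                # 4 bytes (stated in the thread)
TITLE_ID_OFF = 0x1DC                  # 8 bytes (assumed)
TICKET_SIZE = 0x350                   # assumed total length


def parse_ticket(tik: bytes) -> dict:
    """Pull the identifying fields out of a ticket blob."""
    if len(tik) < TICKET_SIZE:
        raise ValueError(f"ticket too short: {len(tik):#x} bytes")
    sig_type, = struct.unpack_from(">I", tik, 0)
    if sig_type != SIG_TYPE_RSA2048_SHA256:
        raise ValueError(f"unexpected signature type {sig_type:#010x}")
    issuer = tik[ISSUER_OFF:ISSUER_OFF + ISSUER_LEN].split(b"\0", 1)[0]
    return {
        "signature": tik[SIG_OFF:SIG_OFF + SIG_LEN],
        "issuer": issuer.decode("ascii", errors="replace"),
        "title_key_enc": tik[TITLE_KEY_OFF:TITLE_KEY_OFF + TITLE_KEY_LEN],
        "ticket_id": int.from_bytes(tik[TICKET_ID_OFF:TICKET_ID_OFF + 8], "big"),
        "console_id": int.from_bytes(tik[CONSOLE_ID_OFF:CONSOLE_ID_OFF + 4], "big"),
        "title_id": int.from_bytes(tik[TITLE_ID_OFF:TITLE_ID_OFF + 8], "big"),
    }


def is_per_console(tik: bytes) -> bool:
    """A nonzero console ID means the ticket was issued to one console."""
    return parse_ticket(tik)["console_id"] != 0


def signed_body_digest(tik: bytes) -> bytes:
    """SHA-256 over the region the RSA signature is assumed to cover.

    This is the value a verifier compares against the decrypted signature;
    the RSA step itself needs the issuer's public key and is not done here.
    """
    return hashlib.sha256(tik[BODY_OFF:]).digest()


def patch_byte(tik: bytes, offset: int, value: int) -> bytes:
    """Return a copy of the ticket with one byte replaced."""
    buf = bytearray(tik)
    buf[offset] = value & 0xFF
    return bytes(buf)


def changed_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length tickets differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def make_sample_ticket(title_id: int, console_id: int = 0) -> bytes:
    """Build a constructed ticket with a dummy signature (not a real Nintendo ticket)."""
    buf = bytearray(TICKET_SIZE)
    struct.pack_into(">I", buf, 0, SIG_TYPE_RSA2048_SHA256)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = bytes([0xAA]) * SIG_LEN        # placeholder signature
    buf[ISSUER_OFF:ISSUER_OFF + ISSUER_LEN] = b"Root-CA-EXAMPLE-XS-EXAMPLE".ljust(ISSUER_LEN, b"\0")
    buf[TITLE_KEY_OFF:TITLE_KEY_OFF + TITLE_KEY_LEN] = bytes(range(TITLE_KEY_LEN))  # dummy key
    buf[TICKET_ID_OFF:TICKET_ID_OFF + 8] = (1).to_bytes(8, "big")
    buf[CONSOLE_ID_OFF:CONSOLE_ID_OFF + 4] = console_id.to_bytes(4, "big")
    buf[TITLE_ID_OFF:TITLE_ID_OFF + 8] = title_id.to_bytes(8, "big")
    return bytes(buf)


if __name__ == "__main__":
    sample_title = 0x0005000000ABCDEF                     # constructed title ID
    disc = make_sample_ticket(sample_title)               # console_id == 0: usable anywhere
    eshop = make_sample_ticket(sample_title, 0x12345678)  # constructed console ID
    print("disc ticket:", parse_ticket(disc))
    print("per-console?", is_per_console(disc), is_per_console(eshop))
    print("eshop vs disc differ at:", [hex(o) for o in changed_offsets(disc, eshop)])
    base = signed_body_digest(disc)
    for label, tik in (
        ("flip one title-key byte", patch_byte(disc, TITLE_KEY_OFF, 0xFF)),
        ("zero one console-ID byte of eshop tik", patch_byte(eshop, CONSOLE_ID_OFF, 0x00)),
        ("flip a byte inside the signature block", patch_byte(disc, SIG_OFF, 0x00)),
    ):
        print(f"{label}: digest changed = {signed_body_digest(tik) != base}")
```

Zeroing the console ID bytes, as asper describes trying below, lands inside the signed region, so the digest the console recomputes no longer matches what the signature encodes; the ticket is rejected rather than accepted for a different console.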
  16. VinsCool

    VinsCool Cattus Incerta Tacitusque
    Member

    Joined:
    Jan 7, 2014
    Messages:
    13,622
    Country:
    Canada
    Oh I see. Well then now I know, haha
     
  17. asper

    OP asper GBAtemp Advanced Fan
    Member

    Joined:
    May 14, 2010
    Messages:
    866
    Country:
    United States
    The only way to know is raw-dumping the same disc and decrypting it with discU, but I really do not know how to do that. I know there is an IOSU function to request the AES disc key from the disc, but I don't know if it is possible to dump it "raw" (and obtain essentially a wud).

    About the signature, I really would like to know if there really is a XOR mask "covering" the real value. If someone can find the real process by debugging with IDA, I will be very happy to read it.

    About force-installing a per-console title with the checks disabled: it can work, but if Nintendo releases a new firmware, all the signature patches will be removed, and with a force-installed title in the console (NAND or USB) you can really risk a brick unless (maybe) you first uninstall that title before updating.

    I tested a per-console title.tik on another console, zeroing the per-console data: no brick, it just does not work. I also tested the original ticket (not modifying it) without success (no brick).
     
    Last edited: Oct 22, 2016
  18. Kohmei

    Kohmei GBAtemp Advanced Fan
    Member

    Joined:
    Feb 17, 2013
    Messages:
    809
    Country:
    United States
    That's interesting. So basically no pirated DLC without CFW, and yet for some reason they didn't think to do the same thing for games. How bizarre
     
  19. AboodXD

    AboodXD I hack NSMB games, and other shiz.
    Member

    Joined:
    Oct 11, 2014
    Messages:
    2,780
    Country:
    United Arab Emirates
    How amazingly stupid, no? :P
     
  20. sabykos

    sabykos GBAtemp Regular
    Member

    Joined:
    Jun 10, 2013
    Messages:
    281
    Country:
    Gambia, The
    Games come as discs, while DLC does not. Really not that bizarre. Discs need to be universally signed to work on every console. DLCs need not.
     