Difference between revisions of "CommonETicket"
m |
|||
| Line 56: | Line 56: | ||
== Certificate Chain == | == Certificate Chain == | ||
| − | Tickets retrieved from CDN/SOAP have a | + | Tickets retrieved from CDN/SOAP have a [[Certificates|certificate]] chain appended at the end of the file. There are two certificates in this chain: |
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
Revision as of 12:24, 23 April 2013
CommonETicket (for short, cetk) is a format as a ticket used to store an encrypted titlekey (using 128-Bit AES-CBC). This format seems to be identical to DSi/Wii tickets.
Structure
All of the data in the file is represented in Big Endian.
Content
| Offset | Size | Description |
| 0x000 | 0x4 | Signature Type |
| 0x004 | 0x100 | Signature |
| 0x104 | 0x3C | Padding modulo 64 |
| 0x140 | 0x40 | Issuer |
| 0x180 | 0x3C | ECDH data for console-unique eShop tickets. |
| 0x1BC | 0x3 | Unknown, first u8 is 0x01. |
| 0x1BF | 0x10 | Encrypted TitleKey |
| 0x1CF | 0x1 | Unknown |
| 0x1D0 | 0x8 | TicketID |
| 0x1D8 | 0x4 | Ticket consoleID |
| 0x1DC | 0x8 | TitleID |
| 0x1E4 | 0x2 | Unknown |
| 0x1E6 | 0x2 | Ticket title version, this title version is also stored in the TMD. |
| 0x1E8 | 0x8 | Unused |
| 0x1F0 | 0x1 | Unused |
| 0x1F1 | 0x1 | Ticket common keyY index, usually 0x1 for retail system titles. |
| 0x1F2 | 0xB2 | Unused |
| 0x2A4 | 0x30 | Unknown |
| 0x2D4 | 0x7C | Unused |
The Signature Type is the same const as that in TMD.
The titlekey is decrypted by using the AES engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)
Certificate Chain
Tickets retrieved from CDN/SOAP have a certificate chain appended at the end of the file. There are two certificates in this chain:
| CERTIFICATE | SIGNATURE TYPE | RETAIL CERT NAME | DEBUG CERT NAME | DESCRIPTION |
|---|---|---|---|---|
| Ticket | RSA-2048 | XS0000000c | XS00000009 | Used to verify the Ticket signature |
| CA | RSA-4096 | CA00000003 | CA00000004 | Used to verify the Ticket Certificate |
The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM.
Some facts
- CETK can be fetched through HTTP using the link to default update server, using the title's TMD URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request GetCommonETicket.