Difference between revisions of "CommonETicket"
m (→Content) |
m |
||
| Line 51: | Line 51: | ||
|} | |} | ||
| − | The Signature Type is the same const as that in [[TMD]] | + | The Signature Type is the same const as that in [[TMD]]. |
The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used) | The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used) | ||
| + | |||
| + | == Certificate Chain == | ||
| + | Tickets retrieved from CDN/SOAP have a Certificate chain appended at the end, outside of the ticket structure(offset 0x350/0x450 depending on the size of the ticket signature). There are two certificates in this chain: | ||
| + | |||
| + | {| class="wikitable" border="1" | ||
| + | |- | ||
| + | ! CERTIFICATE | ||
| + | ! SIGNATURE TYPE | ||
| + | ! RETAIL CERT NAME | ||
| + | ! DEBUG CERT NAME | ||
| + | ! DESCRIPTION | ||
| + | |- | ||
| + | | Ticket | ||
| + | | RSA-2048 | ||
| + | | XS0000000c | ||
| + | | XS00000009 | ||
| + | | Used to verify the Ticket signature | ||
| + | |- | ||
| + | | CA | ||
| + | | RSA-4096 | ||
| + | | CA00000003 | ||
| + | | CA00000004 | ||
| + | | Used to verify the Ticket Certificate | ||
| + | |} | ||
| + | |||
| + | The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM. | ||
== Some facts== | == Some facts== | ||
* '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''. | * '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''. | ||
Revision as of 17:36, 21 April 2013
CommonETicket (for short, cetk) is a format as a ticket used to store an encrypted titlekey (using 128-Bit AES-CBC). This format seems to be identical to DSi/Wii tickets.
Structure
All of the data in the file is represented in Big Endian.
Content
| Offset | Size | Description |
| 0x000 | 0x4 | Signature Type |
| 0x004 | 0x100 | Signature |
| 0x104 | 0x3C | Padding modulo 64 |
| 0x140 | 0x40 | Issuer |
| 0x180 | 0x3C | ECDH data for console-unique eShop tickets. |
| 0x1BC | 0x3 | Unknown, first u8 is 0x01. |
| 0x1BF | 0x10 | Encrypted TitleKey |
| 0x1CF | 0x1 | Unknown |
| 0x1D0 | 0x8 | TicketID |
| 0x1D8 | 0x4 | Ticket consoleID |
| 0x1DC | 0x8 | TitleID |
| 0x1E4 | 0x2 | Unknown |
| 0x1E6 | 0x2 | Ticket title version, this title version is also stored in the TMD. |
| 0x1E8 | 0x8 | Unused |
| 0x1F0 | 0x1 | Unused |
| 0x1F1 | 0x1 | Ticket common keyY index, usually 0x1 for retail system titles. |
| 0x1F2 | 0xB2 | Unused |
| 0x2A4 | 0x30 | Unknown |
| 0x2D4 | 0x7C | Unused |
The Signature Type is the same const as that in TMD.
The titlekey is decrypted by using the AES engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)
Certificate Chain
Tickets retrieved from CDN/SOAP have a Certificate chain appended at the end, outside of the ticket structure(offset 0x350/0x450 depending on the size of the ticket signature). There are two certificates in this chain:
| CERTIFICATE | SIGNATURE TYPE | RETAIL CERT NAME | DEBUG CERT NAME | DESCRIPTION |
|---|---|---|---|---|
| Ticket | RSA-2048 | XS0000000c | XS00000009 | Used to verify the Ticket signature |
| CA | RSA-4096 | CA00000003 | CA00000004 | Used to verify the Ticket Certificate |
The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM.
Some facts
- CETK can be fetched through HTTP using the link to default update server, using the title's TMD URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request GetCommonETicket.
