CommonETicket: Difference between revisions

Line 51:

|}

The Signature Type is the same const as that in [[TMD]]~~. The certificate chain is located at offset 0x350 for tickets from CDN/SOAP, however this cert-chain is removed once the ticket is installed to NAND~~.

The Signature Type is the same const as that in [[TMD]].

The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)

== Certificate Chain ==

Tickets retrieved from CDN/SOAP have a Certificate chain appended at the end, outside of the ticket structure(offset 0x350/0x450 depending on the size of the ticket signature). There are two certificates in this chain:

{| class="wikitable" border="1"

|-

! CERTIFICATE

! SIGNATURE TYPE

! RETAIL CERT NAME

! DEBUG CERT NAME

! DESCRIPTION

|-

| Ticket

| RSA-2048

| XS0000000c

| XS00000009

| Used to verify the Ticket signature

|-

| CA

| RSA-4096

| CA00000003

| CA00000004

| Used to verify the Ticket Certificate

|}

The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM.

== Some facts==

* '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''.

@@ Line 51: / Line 51: @@
 |}
-The Signature Type is the same const as that in [[TMD]]. The certificate chain is located at offset 0x350 for tickets from CDN/SOAP, however this cert-chain is removed once the ticket is installed to NAND.
+The Signature Type is the same const as that in [[TMD]].
 The titlekey is decrypted by using the [[AES]] engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)
+== Certificate Chain ==
+Tickets retrieved from CDN/SOAP have a Certificate chain appended at the end, outside of the ticket structure(offset 0x350/0x450 depending on the size of the ticket signature). There are two certificates in this chain:
+{| class="wikitable" border="1"
+|-
+!  CERTIFICATE
+!  SIGNATURE TYPE
+!  RETAIL CERT NAME
+!  DEBUG CERT NAME
+!  DESCRIPTION
+|-
+|  Ticket
+|  RSA-2048
+|  XS0000000c
+|  XS00000009
+|  Used to verify the Ticket signature
+|-
+|  CA
+|  RSA-4096
+|  CA00000003
+|  CA00000004
+|  Used to verify the Ticket Certificate
+|}
+The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM.
 == Some facts==
 * '''CETK''' can be fetched through HTTP using the link to default update server, using the title's [[TMD]] URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request ''GetCommonETicket''.