From 3dbrew
Jump to navigation Jump to search

CommonETicket (for short, cetk) is a format as a ticket used to store an encrypted titlekey (using 128-Bit AES-CBC). This format seems to be identical to DSi/Wii tickets.


All of the data in the file is represented in Big Endian.


Offset Size Description
0x000 0x4 Signature Type
0x004 0x100 Signature
0x104 0x3C Padding modulo 64
0x140 0x40 Issuer
0x180 0x3C ECDH data for console-unique eShop tickets.
0x1BC 0x3 Unknown, first u8 is 0x01.
0x1BF 0x10 Encrypted TitleKey
0x1CF 0x1 Unknown
0x1D0 0x8 TicketID
0x1D8 0x4 Ticket consoleID
0x1DC 0x8 TitleID
0x1E4 0x2 Unknown
0x1E6 0x2 Ticket title version, this title version is also stored in the TMD.
0x1E8 0x8 Unused
0x1F0 0x1 Unused
0x1F1 0x1 Ticket common keyY index, usually 0x1 for retail system titles.
0x1F2 0xB2 Unused
0x2A4 0x30 Unknown
0x2D4 0x7C Unused

The Signature Type is the same const as that in TMD.

The titlekey is decrypted by using the AES engine with the ticket common-key keyslot where the keyY is one of 6 keyYs loaded via the keyY index stored in the ticket. AES-CBC mode is used where the IV is the big-endian titleID. Note that on a retail unit index0 is a retail keyY, while on a dev-unit index0 is the dev common-key which is a normal-key.(On retail for these keyYs, the hardware key-scrambler is used)

Certificate Chain

Tickets retrieved from CDN/SOAP have a certificate chain appended at the end of the file. There are two certificates in this chain:

Ticket RSA-2048 XS0000000c XS00000009 Used to verify the Ticket signature
CA RSA-4096 CA00000003 CA00000004 Used to verify the Ticket Certificate

The CA certificate is issued by 'Root', the public key for which is stored in NATIVE_FIRM.

Some facts

  • CETK can be fetched through HTTP using the link to default update server, using the title's TMD URL where "cetk" is used instead of "tmd" for the URL. The 3DS NIM module retrieves system tickets via SOAP request GetCommonETicket.