Hacking Why "adding or removing 2" from byte 0x0F of tiket.tik ? Answer and exact "formula".

[asper]

After checking many title.tik (original and modified for installation) I got the exact "formula" to calculate the new value in

let's take the 1st 16 bytes of a ticket (dunno which one, it doesn't matter):
000300045CA5714B61BA6F982BDEA4C0

looking at that wii page and that 3ds page you see that:
04 = RSA_2048 SHA256 (signature type)

You must leave 04 as is.
Change 03 to 01.
About last byte (let's call it 0x0F):

(0x0F) XOR (02)

so, in our example:

(C0) XOR (02) = C2

where C2 is the correct value to make the certificate beeing recognized by the console.

So you have no more to "test" if adding or removing 2 from byte 0x0F, just xor its original value with 02.

The real history in this "mistery" is clearly explained by the great @crediar in his answer at page 6 of this thread.


Thank you for reading

 

[AboodXD]

Wow, WILL DEFINITELY UPDATE MY TICKET MODIFIER ASAP!!

--------------------- MERGED ---------------------------

I can answer question 2, the error will be different.

 

[Keylogger]

I want to add a new question:
Why we need a modified WUPInstaller? What is modified?

 

[cearp]

so we change the ticket data to set the signature type to a different type.
and the signature type we change it to... we can create that signature, and the system thinks it's legit?

why is this? i don't get it.
great for us but, if the wiiu thinks the ticket is legit... that's weird no?

 

[AboodXD]

0x10 ^ 2

Returns 0x12, it should have returned 0x0E...

--------------------- MERGED ---------------------------

BTW,

^

is XOR in Python.

 

[Keylogger]

so we change the ticket data to set the signature type to a different type.
and the signature type we change it to... we can create that signature, and the system thinks it's legit?

why is this? i don't get it.
great for us but, if the wiiu thinks the ticket is legit... that's weird no?

Maybe a bug in the signature check? Like the trucha bug for Wii ?

 

[asper]

so we change the ticket data to set the signature type to a different type.
and the signature type we change it to... we can create that signature, and the system thinks it's legit?

why is this? i don't get it.
great for us but, if the wiiu thinks the ticket is legit... that's weird no?

Autoquote, please re-read the 1st post :

changing 03 to 01 does not change the signature type

 

[AboodXD]

@asper:

0x10 ^ 2

Returns 0x12, it should have returned 0x0E...

--------------------- MERGED ---------------------------

BTW,

^

is XOR in Python.

 

[asper]

0x10 ^ 2

Returns 0x12, it should have returned 0x0E...

--------------------- MERGED ---------------------------

BTW,

^

is XOR in Python.

You mean a game has 10 at 0x0F in original titlt.tik and the correct installation value is 0E ?
0x10 ^ 0x02 = 0x12 is correct...

 

[Keylogger]

@cearp Nothing prevent you to make a tik installer for Wii U now (CIAngel U xD )

 

[AboodXD]

@asper Yes, that's what I meant.
0x10 ^ 0x02 = 0x12, but the correct value is 0x0E.

This NSMBU USA BTW.

 

[asper]

@asper Yes, that's what I meant.
0x10 ^ 0x02 = 0x12, but the correct value is 0x0E.

This NSMBU USA BTW.

Well original value for NSMB USA is 0E so 0E ^ 02 = 0C, not 12 nor 10...

I tested my "formula" with more than 20 titles and it always got the correct value.

 

[cearp]

@cearp Nothing prevent you to make a tik installer for Wii U now

do we have nand access/ftp or anything like that?
or a way to read files from the wiiu nand/wiiu disk?
i don't have a wiiu but i will get one in december/january.

if, as it appears so, that many wiiu digitial games have the same title key as the disk game - we could make a simple tool to dump the key from the disk.
and of course, a tool to dump all the keys from the database in nand.

Autoquote, please re-read the 1st post :

oops, ok i thought we were changing the sig type.
but you say we change the value at 0xF - so that would break the signature no?

 

[AboodXD]

The value for WUD ticket is 0x10.
The value for NUS ticket is 0x0E. (The correct value after modifying the ticket)

0x10 - 2 = 0x0E.

 

[asper]

The value for WUD ticket is 0x10.
The value for NUS ticket is 0x0E. (The correct value after modifying the ticket)

You MUST use NUS title.tik, not WUD.

EDIT: sorry, I mean you must use the title.tik inside \system\02 folder

 

[Keylogger]

You MUST use NUS title.tik, not WUD.

Wrong, you have to extract tiket from WUD

 

[AboodXD]

LOL, look, the original value is 0x10.
The value that WUPInstaller accepts is 0x0E.
0x10 - 2 = 0x0E.

 

[asper]

oops, ok i thought we were changing the sig type.
but you say we change the value at 0xF - so that would break the signature no?

re-autoquote, please re-re-read the 1st post :

this means that the RSA signature is anyway correct ! So why you need to modify byte in 0x0F position to make the ticket be accepted ? Probably because, after generating the certificate ("Signature by a certificate's key" that goes from offset 0x04 to 0x103) this certificate is xored someway with a sort of xorpad where also the 1st bytes of the tickets are included; so, if you "subtract" 2 to byte 0x01 (changing it from 03 to 01) you need to "recalculate" the xorpad; dunno why byte 0x0F is related to byte 0x01 but it seems to work (i am not 100% sure about that explanation, if some reverser went deep in the IDA code and can confirm this I will be very happy to hear from you !)

So, "probably", the signature is firstly de-xored, then checked, if de-xoring fails also the signature fails.

--------------------- MERGED ---------------------------

LOL, look, the original value is 0x10.
The value that WUPInstaller accepts is 0x0E.
0x10 - 2 = 0x0E.

The NSMB USA I found has this: 00030004289BAC0D6362A7EA9C429B0E, maybe it is not original ? (EDIT: 0E is the original value, thanks to @Chooker for checking that out !)

About NUS title.tik sorry, I mean you must use the title.tik inside \02 folders; at now there is no way to extract title.tik from already eshop installed games.

 

[Antonio Carlos]

Very good.
I had problem to modify .tik for capitain toad and bayonetta.
Now perfect worked with its, (0x0F) XOR (02) and byte 0x01 (01) for digital media.

 

[cearp]

haha ok i read your post a few times, it makes a bit more sense now (if you are actually correct, since like you said you are not 100% but that it seems to be right)


but, we generate the signature ourselves? why can we do this, wouldn't this need keys only nintendo has?

eventually i will stop questioning and start enjoying
(when my wii u gets here in a few months)