Dusting off this old account to post here
I recently noticed some iQue references in certain things, and noticed how the iQue Player, security-wise, sounded very familiar... it looked like a prototype Wii!
Some further investigation showed that the founder of iQue also founded BroadOn (the company that did a lot of security-related stuff for the Wii; designed the Starlet, coded IOS etc).
More investigation (getting exceptions out of the iQue Player webservices) showed BroadOn was definitely involved here as well.
Check an SASK you have to hand. Then look at the page on wiibrew about NAND (128KB of boot1, then 1MB-128KB of two copies of boot2, stored in a modified WAD format).
Then double check the SASK and see how close the two are. 64KB of presumably boot1 (this is the same across all known SASKs! by the way, the boot1 key is different from the Wii's), 16KB of presumably boot2 header (ticket, certs, CRL, much like a WAD -- WADs can contain a CRL but no WAD ever did; and the "TMD" isn't a thing with iQue), then boot2 content (size described by the boot2 ticket); then 16KB of presumably system menu header, then system menu content.
And notice that two SASKs stop after the boot2 header (and even have zero content length in the ticket!); and only the latest 5 SASKs (1091, 1095, 1099, 1101, 1106) have a second boot-title.
I quickly hacked together a ticket dumper based on emoose's research (a couple of the fields are probably wrong though, I took a guess at what they were based on a few tickets):
https://pastebin.com/2NHCde84
It can handle SASKs, ticket.sys files, raw ticket.sys tickets, and raw tickets.
Using it, you can see that with the SASKs with two titles, the contentIDs are different.
1091: first ticket has contentID=1091, second ticket has contentID=1092
1095: first ticket has contentID=1095, second ticket has contentID=1096
1099: first ticket has contentID=1095, second ticket has contentID=1100 (and this SASK only differs from 1095 starting at the second ticket!)
1101: first ticket has contentID=1095, second ticket has contentID=1102 (and parts of the first ticket and the first contents (starting at offset 0x1000 of the content) differ from 1099/1095!)
1106: first ticket has contentID=1095, second ticket has contentID=1107 (and parts of the first ticket and the first contents (starting at offset 0x15300 of the content) differ from 1101!)
I'm working on reversing the PC-side applications; that's about the only thing I can do, as I don't actually have an iQue Player. (Anyone willing to sell me one at a reasonable price? I'm located in the UK.)
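
The SASK layout described in the post, walked with bounds checks, as an added example that is not part of the original post and is not the pastebin dumper. Assumptions: the content length is read as a big-endian u32 at a placeholder offset (`SIZE_OFFSET`, hypothetical; the post does not give the real field offset), each content is followed immediately by the next 16KB header, and the sample images are constructed, not real SASKs.

```python
import struct

BOOT1_SIZE = 64 * 1024    # "64KB of presumably boot1"
HEADER_SIZE = 16 * 1024   # "16KB of presumably boot2 header" / system menu header
# ASSUMPTION: placeholder offset of a big-endian u32 content length inside the
# 16KB header. The real ticket field offset is not stated in the post.
SIZE_OFFSET = 0x0

def split_sask(image, size_offset=SIZE_OFFSET):
    """Return (name, offset, length) regions following the layout in the post."""
    if len(image) < BOOT1_SIZE:
        raise ValueError("image shorter than the 64KB boot1 region")
    regions = [("boot1", 0, BOOT1_SIZE)]
    pos = BOOT1_SIZE
    for title in ("boot2", "system menu"):
        if pos == len(image):
            break  # image ends here, as with SASKs that stop after the boot2 header
        if pos + HEADER_SIZE > len(image):
            raise ValueError(f"truncated {title} header at {pos:#x}")
        (size,) = struct.unpack_from(">I", image, pos + size_offset)
        regions.append((f"{title} header", pos, HEADER_SIZE))
        pos += HEADER_SIZE
        # Never trust the declared length: check it against the actual image.
        if pos + size > len(image):
            raise ValueError(f"{title} content length {size:#x} runs past end of image")
        regions.append((f"{title} content", pos, size))
        pos += size
    if pos != len(image):
        raise ValueError(f"{len(image) - pos} unexplained trailing bytes at {pos:#x}")
    return regions

def make_image(*content_sizes):
    """Build a constructed image: zeroed boot1, then header + content per title."""
    out = bytearray(BOOT1_SIZE)
    for size in content_sizes:
        header = bytearray(HEADER_SIZE)
        struct.pack_into(">I", header, SIZE_OFFSET, size)
        out += header + bytes(size)
    return bytes(out)

if __name__ == "__main__":
    for name, off, length in split_sask(make_image(0x1000, 0x2000)):
        print(f"{name:20s} offset={off:#08x} length={length:#x}")
```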