Quake 2 - temp ticket patch

[mrdude]

For those with a quake 2 dump that only has a temp ticket, this gets removed once you reboot your switch and then you can't decrypt the game nca files to launch it, you can fix this with a simple patch to the nsp file.

Scroll to offset: 0xB15 - change 00 10 to 10 00

Uninstall the old game, then reinstall with the newly patched NSP file, and your ticket will be a perm ticket. Thanks to @Tokiwa for helping with this.

Probably this same trick can be used on other nsp files with similar temp ticket files.

NOTE: you will still need to use in airplane mode, or patch that requirement out of the game.

PS, the only other game I found with this same issue is warhammer 40k boltgun - which gets patched in the same way but at offset 0xB55.

Post automatically merged: Aug 23, 2023

On further inverstigation it seems that on this nsp the offset 0xB15 is the master key revision and offset 0xB16 is the licence type, here's the different licence types you can have by changing the hex at 0xB16:

00 - perm
01 - pre inst
02 - shared title
03 - pre inst shared title
04 - all contents
05 - pre inst all contents
06 - shared title all contents
07 - pre inst shared title all contents
08 - device link independant
09 - pre inst device link independant
0a - shared title device link independant
0b - pre inst shared title device link independant
0c - all contents device link independant
0d - pre inst all contents device link independant
0e - shared title all contents device link independant
0f - pre inst shared title all contents device link independant
10 - temporary
11 - pre inst temporary
.... (from here same as above but just temporary)
20 - elicense required
.... (from here same as above but requires elicense)
30 - temporary elicense required
.... (from here same as above but just temp with elicense required)
40 - not used from here

For online play such as Local, Local Wireless and LAN - start the game in Airplane mode, once you get to the game menu, select mulitplayer - then turn airplane mode off and you can create and join lan games.

 

[Thorhax]

Thank you very much, I was able to fix it by exporting the ticket, editing the hex value you mentioned above, and installing the ticket, I rebooted my switch and finally Quake2 opens like a normal game again.

 

[duckbill007]

Or you can just use dbi which does this on the fly since version 557

 

[MightySashiman]

Or you can just use dbi which does this on the fly since version 557

but yet doesn't seem to do the trick (with Quake2 at least anyway(.

 

[Thorhax]

but yet doesn't seem to do the trick (with Quake2 at least anyway(.

this

 

[Purple_Shyguy]

Fantastic work! Thank you!

 

[gamba66]

Or you can just use dbi which does this on the fly since version 557

Maybe dbi 598 is bugged somehow? Atleast with that version it wont patch it for quake2, warhammer 40k and motogp23

 

[mrdude]

Or you can just use dbi which does this on the fly since version 557

I love DBI, it's a great bit of software so thanks for continuing to update it. I did try installing with DBI and installing the unmodded ticket - but the newest version I got from the github release page didn't patch this for quake 2, I didn't try on any other games though. Maybe there was an issue at my end, but others have also said it didn't work for them.
You can easily check by putting the quake 2 nsp offset at 0xb16 to 10, then installing the NSP - the game will work until you reboot the switch and after a reboot the ticket will be missing and you won't be able to launch the game because you won't be able to decrypt it. By modding the nsp and changing the offset above to 00, the game will still pass all the integrity checks and you don't need to worry in a years time when you instal the game with a different installer.

 

[lol_lmao_even]

it's because some dumper somewhere that people are using to share dumps online was incompetently programmed and it puts master key revision in the wrong place in the fake ticket. probably a off-by-one error. a *lot* of dumps online are affected by this, but it never mattered until just now we are reaching master key revision 0x10

 

[mrdude]

it's because some dumper somewhere that people are using to share dumps online was incompetently programmed and it puts master key revision in the wrong place in the fake ticket. probably a off-by-one error. a *lot* of dumps online are affected by this, but it never mattered until just now we are reaching master key revision 0x10

What dumper do you think it is? and why does it only happen on a tiny amount of games? I checked all my installed games and quake2 and warhammer were the only ones I found with this issue.

 

[lol_lmao_even]

What dumper do you think it is?

couldnt tell you. all of the ones I've personally used make proper fake tickets.

 

[mrdude]

couldnt tell you. all of the ones I've personally used make proper fake tickets.

So it's speculation on your part then.

 

[duckbill007]

but the newest version I got from the github release page didn't patch this for quake 2

Just checked - missed line in english translation caused exception, whit was silently catched and no patch was applied. Will fix in next release.

 

[mrdude]

Just checked - missed line in english translation caused exception, whit was silently catched and no patch was applied. Will fix in next release.

I have a question for you regarding tickets.

Do all NSP files only ever have 1 ticket file?
Are all ticket files the same size or do they differ depending on the game, update etc?

The reason I ask is that I was looking at tinwwo installer and other installers that share the same code such as AtmoXL, Awoo etc and I see that the bit of code that deals with importing the tickets is here:

void NSPInstall::InstallTicketCert()
    {
        // Read the tik files and put it into a buffer
        std::vector<const PFS0FileEntry*> tikFileEntries = m_NSP->GetFileEntriesByExtension("tik");
        std::vector<const PFS0FileEntry*> certFileEntries = m_NSP->GetFileEntriesByExtension("cert");

        for (size_t i = 0; i < tikFileEntries.size(); i++)
        {
            if (tikFileEntries[i] == nullptr) {
                LOG_DEBUG("Remote tik file is missing.\n");
                THROW_FORMAT("Remote tik file is not present!");
            }

            u64 tikSize = tikFileEntries[i]->fileSize;
            auto tikBuf = std::make_unique<u8[]>(tikSize);
            LOG_DEBUG("> Reading tik\n");
            m_NSP->BufferData(tikBuf.get(), m_NSP->GetDataOffset() + tikFileEntries[i]->dataOffset, tikSize);

            if (certFileEntries[i] == nullptr)
            {
                LOG_DEBUG("Remote cert file is missing.\n");
                THROW_FORMAT("Remote cert file is not present!");
            }

            u64 certSize = certFileEntries[i]->fileSize;
            auto certBuf = std::make_unique<u8[]>(certSize);
            LOG_DEBUG("> Reading cert\n");
            m_NSP->BufferData(certBuf.get(), m_NSP->GetDataOffset() + certFileEntries[i]->dataOffset, certSize);

            // Finally, let's actually import the ticket
            ASSERT_OK(esImportTicket(tikBuf.get(), tikSize, certBuf.get(), certSize), "Failed to import ticket");
        }
    }

Now I see that the ticket is stored in a buffer before being written, It should be possible to mod the buffer at the address where the ticket type is stored and write that modded code into the switch when installing. Does DBI do it like that or do you use a different method? I am just asking out of interest but I understand if you don't want to answer.

 

[gamba66]

fantastic! thanks to @mrdude for ultimately finding the source of this bug

and of course thanks to @Purple_Shyguy for first investigating it and @duckbill007 for his tool

love to see the community get together and fix things

 

[duckbill007]

Do all NSP files only ever have 1 ticket file?
Are all ticket files the same size or do they differ depending on the game, update etc?

There can be more than one ticket and ticket size depends of it's type. You can check this on switchbrew there are 5 or 6 ticket signature sizes.

Post automatically merged: Aug 23, 2023

Btw, code above does not check that cert matches ticket.

 

[falconcrest]

What dumper do you think it is? and why does it only happen on a tiny amount of games? I checked all my installed games and quake2 and warhammer were the only ones I found with this issue.

Rainbow skies does the same thing ;installed with DBI(latest version,598,i think)

 

[mrdude]

There can be more than one ticket and ticket size depends of it's type. You can check this on switchbrew there are 5 or 6 ticket signature sizes.

Post automatically merged: Aug 23, 2023

Btw, code above does not check that cert matches ticket.

Thanks, I was just going to add this bit of code before the ticket is written:

if (tikBuf.get()[646] == 16)
{
 tikBuf.get()[646] = 0;
}

That would have just zero'd out that address but if the sizes are all different I will need to look into this more. Thanks for replying though. Also can you post a link to that switchbrew page, I couldn't find anything to do with different ticket types.

 

[duckbill007]

Just use search keyword ticket there

Post automatically merged: Aug 23, 2023

You need to determine signature type, then size and only after that get offset. Also you need not only zero props, but also correct keygeneration

 

[mrdude]

Rainbow skies does the same thing ;installed with DBI(latest version,598,i think)

Can you try installing with this to see if it fixes it for you. Then let me know. Thanks

Post automatically merged: Aug 23, 2023

Just use search keyword ticket there

Post automatically merged: Aug 23, 2023

You need to determine signature type, then size and only after that get offset. Also you need not only zero props, but also correct keygeneration

I must be missing something, the page I found shows the ticket size to be 0x2C0, and the offset for the license to be at 0x144. I find that wiki to be confusing with the addresses as I am using windows and the endianness on that page is for linux if I am honest and it doesn't tell you all the different license types on it.

https://switchbrew.org/wiki/Ticket

All the tickets I checked have the license type in the same place, for the game nsp files. I'll do some more checking though. Thanks for your help though.