Difference between revisions of "SD title export"

From DSiBrew
m (Hiccup moved page Tad to SD title export)
 
(26 intermediate revisions by 7 users not shown)
Line 1: Line 1:
The System Settings application delivered with each DSi can be used to export applications from NAND to SD. The files created on SD are encrypted with AES CCM (CTR with CBC-MAC), using either a shared key, or a console specific key.
+
The System Settings application delivered with each DSi can be used to export applications from NAND to SD. The bin files created on SD are using the following file structure. They are encrypted with AES CCM (CTR with CBC-MAC), using a combination of a shared key and a console specific key.
  
 
The application itself (APP), and the title metadata (TMD) is encrypted with a console specific key. This means that Nintendo intended that these files can only be imported back into the same DSi.
 
The application itself (APP), and the title metadata (TMD) is encrypted with a console specific key. This means that Nintendo intended that these files can only be imported back into the same DSi.
  
While the banner, the public savegame, and several other metadata blocks are encrypted with a shared key, which means any DSi can inspect these parts of the file.
+
While the banner, the public savegame, and several other metablocks are encrypted with a shared key, which means any DSi can inspect these parts of the file.
  
= B4 block =  
+
[[ES block encryption]] is used to encrypt the header block, footer block, and the 11 content parts. Each are their own seperate ES blocks.
 +
 
 +
= File structure overview =
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Description
 +
|-
 +
| 0x0
 +
| 0x4020
 +
| Banner/Icon
 +
|-
 +
| 0x4020
 +
| 0xD4
 +
| Header
 +
|-
 +
| 0x40F4
 +
| 0x460
 +
| Footer (certificates/hashes)
 +
|-
 +
| 0x4554
 +
| -
 +
| Content parts in sequence (TMD, SRL, savegame, custom banner).
 +
|}
 +
 
 +
The banner, header, footer and savegame are encrypted with a shared key between each DSi. The other content parts are encrypted with a console specific key.
 +
 
 +
= Header block @ 0x4020 (size 0xB4) =  
 
  0000000: 34 41 4e 54 31 30 00 01 74 e9 2c 1e 24 00 00 00  4ANT10..t.,.$...
 
  0000000: 34 41 4e 54 31 30 00 01 74 e9 2c 1e 24 00 00 00  4ANT10..t.,.$...
 
  0000010: d6 e0 39 c3 98 3f 06 b6 9a b2 9d 14 e7 06 e9 00  ..9..?..........
 
  0000010: d6 e0 39 c3 98 3f 06 b6 9a b2 9d 14 e7 06 e9 00  ..9..?..........
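Review bot: The new heading "Header block @ 0x4020 (size 0xB4)" disagrees with the overview table added in this same hunk, which lists the header as 0xD4 bytes (0x40F4 - 0x4020 is also 0xD4). State which figure is the size on SD and which is the size of the dumped block, or use one consistently. In the added ES sentence, "Each are their own seperate ES blocks" should read "Each is its own separate ES block", and the "11 content parts" it mentions is not reconciled with the four kinds named in the table's last row.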
Line 29: Line 58:
 
| 0x00
 
| 0x00
 
| 4
 
| 4
| Always 0x544E4134
+
| Always 0x544E4134 ('TNA4', endian-swapped)
 
|-
 
|-
 
| 0x04
 
| 0x04
 
| 2
 
| 2
| Unknown
+
| group_id/publisher code
 
|-
 
|-
 
| 0x06
 
| 0x06
 
| 2
 
| 2
| Unknown
+
| Title version
 
|-
 
|-
 
| 0x08
 
| 0x08
Line 49: Line 78:
 
| 0x10
 
| 0x10
 
| 16
 
| 16
| Something
+
| Console ID from HWINFO_N.dat
 
|-
 
|-
 
| 0x20
 
| 0x20
 
| 4
 
| 4
| Gamecode of exported app
+
| Lower TitleID of exported app
 
|-
 
|-
 
| 0x24
 
| 0x24
 
| 4
 
| 4
| Unknown
+
| Upper TitleID of exported app
 
|-
 
|-
 
| 0x28
 
| 0x28
Line 64: Line 93:
 
|-
 
|-
 
| 0x54
 
| 0x54
| ?
+
| 8 * 4
| ?
+
| List of content ids in same order as tmd
 +
|-
 +
| 0x74
 +
| 0x3e
 +
| reserved section per [http://www.wiibrew.org/wiki/TMD tmds]
 
|}
 
|}
  
= 440 block =
+
= footer block @ 0x40F4 (size 0x460) =
  
 
  0000000: d6 f3 24 7c a1 0f 4a dc cd 07 34 d6 ce 62 32 93  ..$|..J...4..b2.
 
  0000000: d6 f3 24 7c a1 0f 4a dc cd 07 34 d6 ce 62 32 93  ..$|..J...4..b2.
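Review bot: The added last row of the header table (offset 0x74, size 0x3e) ends at 0xB2, two bytes short of the 0xB4 given in the header heading; document the trailing two bytes or correct the size. The renamed heading "footer block @ 0x40F4 (size 0x460)" is also lower-case where "Header block" is capitalised.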
Line 139: Line 172:
 
  0000430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 
  0000430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  
It is assumed that this block contains an ECC signature, aswell as the console id and serial of the DSi that exported the file.
+
 
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Description
 +
|-
 +
| 0x00
 +
| 20
 +
| SHA1 of banner
 +
|-
 +
| 0x14
 +
| 20
 +
| SHA1 of tna4
 +
|-
 +
| 0x28
 +
| 20
 +
| SHA1 of tmd
 +
|-
 +
| 0x3c
 +
| 20*8
 +
| SHA1 of up to 8 contents [if unused, can be whatever happened to be in memory before]
 +
|-
 +
| 0xdc
 +
| 20
 +
| SHA1 of save data
 +
|-
 +
| 0xf0
 +
| 20
 +
| SHA1 of ?
 +
|-
 +
| 0x104
 +
| 0x3c
 +
| ECC signature of previous 0x104 bytes with AP cert
 +
|-
 +
| 0x140
 +
| 0x180
 +
| AP cert, signed by TW cert
 +
|-
 +
| 0x2c0
 +
| 0x180
 +
| TW cert, specific to a console (see dev.kp)
 +
|}
 +
 
 +
It is assumed that this block contains an ECC signature, aswell as the console id and serial of the DSi that exported the file, as part of a Nintendo cert.  Much like the Wii, the DSi carries with it a private ECC key that it can use to sign things, and a certificate signed by Nintendo that attests to the fact that the public ECC key belongs to a genuine DSi.
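Review bot: The footer table's last row (0x2c0 + 0x180) ends at 0x440, which matches the dump's final line at 0x430 but not the 0x460 in the footer heading; say what the remaining 0x20 bytes are. The closing paragraph still opens with "It is assumed" even though the new table documents the signature and both certs, so the hedge should be narrowed to what is actually unconfirmed (the "SHA1 of ?" row, for instance), and "aswell" should be "as well".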

Latest revision as of 22:23, 6 April 2024

The System Settings application delivered with each DSi can be used to export applications from NAND to SD. The bin files created on SD use the following file structure. They are encrypted with AES CCM (CTR with CBC-MAC), using a combination of a shared key and a console-specific key.

The application itself (APP) and the title metadata (TMD) are encrypted with a console-specific key. This means that Nintendo intended that these files can only be imported back into the same DSi.

The banner, the public savegame, and several other metablocks are encrypted with a shared key, which means any DSi can inspect these parts of the file.

ES block encryption is used to encrypt the header block, footer block, and the 11 content parts. Each is its own separate ES block.

File structure overview

| Offset | Size | Description |
|--------|------|-------------|
| 0x0 | 0x4020 | Banner/Icon |
| 0x4020 | 0xD4 | Header |
| 0x40F4 | 0x460 | Footer (certificates/hashes) |
| 0x4554 | - | Content parts in sequence (TMD, SRL, savegame, custom banner). |

The banner, header, footer and savegame are encrypted with a key shared by every DSi. The other content parts are encrypted with a console-specific key.

Header block @ 0x4020 (size 0xB4)

0000000: 34 41 4e 54 31 30 00 01 74 e9 2c 1e 24 00 00 00  4ANT10..t.,.$...
0000010: d6 e0 39 c3 98 3f 06 b6 9a b2 9d 14 e7 06 e9 00  ..9..?..........
0000020: 45 4d 44 4b 04 00 03 00 28 02 00 00 20 d2 e0 00  EMDK....(... ...
0000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000040: 00 00 00 00 00 00 00 00 00 00 00 00 80 80 06 00  ................
0000050: 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  ................
0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000070: 00 00 00 00 00 80 06 00 00 00 00 00 00 00 00 00  ................
0000080: 00 00 00 00 00 86 00 00 00 00 00 00 00 00 00 00  ................
0000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000b0: 00 00 00 00                                      ....


| Offset | Size | Description |
|--------|------|-------------|
| 0x00 | 4 | Always 0x544E4134 ('TNA4', endian-swapped) |
| 0x04 | 2 | group_id/publisher code |
| 0x06 | 2 | Title version |
| 0x08 | 6 | DSi MAC address |
| 0x0E | 2 | zero |
| 0x10 | 16 | Console ID from HWINFO_N.dat |
| 0x20 | 4 | Lower TitleID of exported app |
| 0x24 | 4 | Upper TitleID of exported app |
| 0x28 | 11 * 4 | Contains the total lengths for each of the 11 parts. |
| 0x54 | 8 * 4 | List of content ids in same order as tmd |
| 0x74 | 0x3e | reserved section per tmds |
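
A parser for the decrypted header block laid out in the table above, run against the sample dump shown on this page; this is an added example, not DSiBrew's or Nintendo's code. It assumes the block has already been ES-decrypted and that the 32-bit fields are little-endian (as the magic is); `parse_header`, `LAYOUT` and the dictionary keys are hypothetical names.

```python
import struct

HEADER_SIZE = 0xB4   # size of the decrypted header dump on the page
MAGIC = 0x544E4134   # 'TNA4', read as a little-endian u32
# Fields 0x00..0x73 from the table; 32-bit values assumed little-endian.
LAYOUT = struct.Struct("<I2s2s6sH16sII11I8I")


def parse_header(blob: bytes) -> dict:
    """Split a decrypted SD-export header block into named fields."""
    if len(blob) != HEADER_SIZE:
        raise ValueError(f"expected {HEADER_SIZE:#x} bytes, got {len(blob):#x}")
    f = LAYOUT.unpack_from(blob, 0)
    if f[0] != MAGIC:
        raise ValueError(f"bad magic {f[0]:#010x}")
    return {
        "group_id": f[1],                     # raw 2 bytes at 0x04
        "version_raw": f[2].hex(),            # raw 2 bytes at 0x06
        "mac_raw": f[3].hex(),                # byte order as stored
        "pad_is_zero": f[4] == 0,             # table lists 0x0E as zero
        "console_id": f[5].hex(),
        "title_id": f"{f[7]:08x}{f[6]:08x}",  # upper word, then lower word
        "part_sizes": list(f[8:19]),          # lengths of the 11 parts
        "content_ids": list(f[19:27]),        # 8 content ids, TMD order
        "reserved": blob[0x74:0x74 + 0x3E],   # ends at 0xB2
    }


# The header dump from this page, rebuilt byte for byte (all other bytes are 0).
SAMPLE = bytearray(HEADER_SIZE)
SAMPLE[0x00:0x30] = bytes.fromhex(
    "34414e543130000174e92c1e24000000"
    "d6e039c3983f06b69ab29d14e706e900"
    "454d444b040003002802000020d2e000")
SAMPLE[0x4C:0x50] = bytes.fromhex("80800600")
SAMPLE[0x54] = 0x03
SAMPLE[0x75:0x77] = bytes.fromhex("8006")
SAMPLE[0x85] = 0x86

if __name__ == "__main__":
    for key, value in parse_header(bytes(SAMPLE)).items():
        print(f"{key:12} {value}")
```
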

Footer block @ 0x40F4 (size 0x460)

0000000: d6 f3 24 7c a1 0f 4a dc cd 07 34 d6 ce 62 32 93  ..$|..J...4..b2.
0000010: 11 54 54 a5 28 38 13 5a 0c 87 8e dc 63 0a ab 2e  .TT.(8.Z....c...
0000020: 4a 0f 12 5c d7 31 ee 29 72 53 39 1d ff 70 c1 8a  J..\.1.)rS9..p..
0000030: 45 18 c1 88 85 1f f5 55 c6 5f 48 37 27 f3 0a 02  E......U._H7'...
0000040: e7 77 18 8b 84 ee cc e5 e4 40 e5 cb 64 bb 0a f3  .w.......@..d...
0000050: 20 00 53 00 74 00 75 00 64 00 69 00 6f 00 0a 00   .S.t.u.d.i.o...
0000060: 4e 00 69 00 6e 00 74 00 65 00 6e 00 64 00 6f 00  N.i.n.t.e.n.d.o.
0000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000d0: 00 00 00 00 00 00 00 00 00 00 00 00 c5 16 e5 12  ................
00000e0: 4c 70 9a fd 7a 03 87 d0 13 94 da 86 46 11 ff 31  Lp..z.......F..1
00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000100: 00 00 00 00 00 b5 62 b1 02 c9 4e f3 14 2c 85 3d  ......b...N..,.=
0000110: a2 c6 be c9 d8 01 db 46 03 12 44 6e 89 87 c4 e5  .......F..Dn....
0000120: 83 1e 00 03 8f f8 cd 35 e3 e4 b8 8e be 6e 65 36  .......5.....ne6
0000130: f2 6d c6 dc 2c 4b d6 38 2b 2d 7f e5 22 b0 44 3b  .m..,K.8+-..".D;
0000140: 00 01 00 02 00 78 58 de a6 c4 70 9c 89 26 22 f2  .....xX...p..&".
0000150: 60 38 cb c5 d7 54 cd a3 d5 b9 d9 b3 84 63 6f be  `8...T.......co.
0000160: 36 ef 00 68 f0 9a 6b 35 91 1a 67 6f 73 dc 54 61  6..h..k5..gos.Ta
0000170: c1 c7 6c 6f d4 43 58 e6 e2 62 52 11 65 77 9a ce  ..lo.CX..bR.ew..
0000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00001c0: 52 6f 6f 74 2d 43 41 30 30 30 30 30 30 30 31 2d  Root-CA00000001-
00001d0: 4d 53 30 30 30 30 30 30 30 38 2d 54 57 63 37 39  MS00000008-TWc79
00001e0: 64 63 65 63 39 2d 30 38 61 32 30 32 38 37 30 31  dcec9-08a2028701
00001f0: 30 38 34 31 31 38 00 00 00 00 00 00 00 00 00 00  084118..........
0000200: 00 00 00 02 41 50 30 30 30 33 30 30 31 35 34 38  ....AP0003001548
0000210: 34 65 34 32 34 35 00 00 00 00 00 00 00 00 00 00  4e4245..........
0000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000240: 00 00 00 00 00 00 00 00 00 d7 c1 33 4e 24 8c 13  ...........3N$..
0000250: 0f b3 f4 c4 bb 2a 4a 79 81 51 39 6f 00 ee a2 00  .....*Jy.Q9o....
0000260: 20 a6 f5 cc d8 72 01 74 60 57 4f a4 92 52 9b 5a   ....r.t`WO..R.Z
0000270: 56 75 a9 62 4f 67 25 e3 7b 05 21 e4 4f 1f c3 21  Vu.bOg%.{.!.O..!
0000280: 2b d8 ec e7 00 00 00 00 00 00 00 00 00 00 00 00  +...............
0000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00002a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00002c0: 00 01 00 02 00 db da 21 3b e1 f1 bf bb 4d dc 1d  .......!;....M..
00002d0: 60 29 da 19 42 1e 66 4f a8 e5 27 a1 d4 ea 46 7d  `)..B.fO..'...F}
00002e0: 9b b4 00 95 c5 0d e8 fa ef a7 8d e9 bc 54 da c1  .............T..
00002f0: 24 94 0b 7c ad a8 61 d5 05 97 c2 64 38 ad 18 f9  $..|..a....d8...
0000300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000340: 52 6f 6f 74 2d 43 41 30 30 30 30 30 30 30 31 2d  Root-CA00000001-
0000350: 4d 53 30 30 30 30 30 30 30 38 00 00 00 00 00 00  MS00000008......
0000360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000380: 00 00 00 02 54 57 63 37 39 64 63 65 63 39 2d 30  ....TWc79dcec9-0
0000390: 38 61 32 30 32 38 37 30 31 30 38 34 31 31 38 00  8a2028701084118.
00003a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00003b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00003c0: 00 00 00 00 6f dd de 42 01 e0 34 a3 19 bc a9 af  ....o..B..4.....
00003d0: 50 fe 8a ac 75 08 07 a9 3a 2c 21 51 93 ae 4a 90  P...u...:,!Q..J.
00003e0: 6e 62 41 f1 a2 fe 00 00 3d 0a 13 97 da 53 17 98  nbA.....=....S..
00003f0: 69 38 65 67 ca f4 9c 87 ec 44 b7 eb d0 ec b8 3d  i8eg.....D.....=
0000400: 23 cf 7a 35 00 00 00 00 00 00 00 00 00 00 00 00  #.z5............
0000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


| Offset | Size | Description |
|--------|------|-------------|
| 0x00 | 20 | SHA1 of banner |
| 0x14 | 20 | SHA1 of tna4 |
| 0x28 | 20 | SHA1 of tmd |
| 0x3c | 20*8 | SHA1 of up to 8 contents [if unused, can be whatever happened to be in memory before] |
| 0xdc | 20 | SHA1 of save data |
| 0xf0 | 20 | SHA1 of ? |
| 0x104 | 0x3c | ECC signature of previous 0x104 bytes with AP cert |
| 0x140 | 0x180 | AP cert, signed by TW cert |
| 0x2c0 | 0x180 | TW cert, specific to a console (see dev.kp) |

It is assumed that this block contains an ECC signature, as well as the console id and serial of the DSi that exported the file, as part of a Nintendo cert. Much like the Wii, the DSi carries with it a private ECC key that it can use to sign things, and a certificate signed by Nintendo that attests to the fact that the public ECC key belongs to a genuine DSi.