108
edits
Changes
Jump to navigation
Jump to search
Created page with "Tickets are used for decrypting downloads from DSi shop. They are essentially containing a 16-byte decryption key, plus signatures and some other stuff. == Ticket Format == Tick..."
Tickets are used for decrypting downloads from DSi shop. They are essentially containing a 16-byte decryption key, plus signatures and some other stuff.
== Ticket Format ==
Tickets exist as "cetk" file (as found on Nintendo's server), and as ".tik" files (as found in [[nand/ticket]] folder).
* .tik files: encrypted 2A4h+20h bytes (the +20h bytes are probably ES block encryption footer, using an unknown KEY or KEY X/Y?)
* cetk files: unencrypted 2A4h+700h bytes (the +700h bytes are some certificate footer).
For the overall format of the 2A4h bytes, see [http://wiibrew.org/wiki/Ticket], and NUS Downloader source code.
== Download Server ==
For free system updates, tickets can be downloaded as "cetk" files. For titles sold commercially in DSi ship, tickets must purchased somehow differently.
For example, the updates for ''DSi System Settings (EUR)'' can be downloaded from:
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/tmd - tmd (unencrypted)
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/cetk - ticket (unencrypted) (available only for free updates)
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/00000002 - executable, version 2 (encrypted via ticket)
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/00000003 - executable, version 3 (encrypted via ticket)
== Title Decryption ==
First, the encrypted Title Key must be decrypted (via AES-CBC):
KEY[00h..0Fh] = Common Key (AF,1B,F5,16,...) ;from ARM7BIOS
IV[00h..07h] = Title ID (00,03,00,tt,gg,gg,gg,gg) ;tik/cetk[1DCh]
IV[08h..0Fh] = Zerofilled ;padding
Input: Encrypted Title Key ;tik/cetk[1BFh]
Output: Decrypted Title Key ;for use in next step
Then, the actual executable/file can be decrypted (also via AES-CBC):
KEY[00h..0Fh] = Decrypted Title Key ;from above step
IV[00h..01h] = Usually Zero (or "Index" from tmd?) ;tmd[?]
IV[02h..0Fh] = Zerofilled ;padding
Input: Encrypted file "000000vv" ;from http download
Output: Decrypted file "000000vv.app" ;saved on eMMC
The above decryption steps do require a big-endian AES-CBC software implementation (the DSi hardware supports only little-endian, and it supports only AES-CTR and AES-CCM, and, especially, it supports only the "encrypt" key schedule, whilst AES-CBC would require a different "decrypt" key schedule).
== See Also ==
* [[NUS Downloader/database]]
* http://wiibrew.org/wiki/Ticket - Wii Tickets (similar to DSi tickets)
* http://3dbrew.org/wiki/Ticket - 3DS Tickets
== Ticket Format ==
Tickets exist as "cetk" file (as found on Nintendo's server), and as ".tik" files (as found in [[nand/ticket]] folder).
* .tik files: encrypted 2A4h+20h bytes (the +20h bytes are probably ES block encryption footer, using an unknown KEY or KEY X/Y?)
* cetk files: unencrypted 2A4h+700h bytes (the +700h bytes are some certificate footer).
For the overall format of the 2A4h bytes, see [http://wiibrew.org/wiki/Ticket], and NUS Downloader source code.
== Download Server ==
For free system updates, tickets can be downloaded as "cetk" files. For titles sold commercially in DSi ship, tickets must purchased somehow differently.
For example, the updates for ''DSi System Settings (EUR)'' can be downloaded from:
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/tmd - tmd (unencrypted)
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/cetk - ticket (unencrypted) (available only for free updates)
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/00000002 - executable, version 2 (encrypted via ticket)
* http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/00000003 - executable, version 3 (encrypted via ticket)
== Title Decryption ==
First, the encrypted Title Key must be decrypted (via AES-CBC):
KEY[00h..0Fh] = Common Key (AF,1B,F5,16,...) ;from ARM7BIOS
IV[00h..07h] = Title ID (00,03,00,tt,gg,gg,gg,gg) ;tik/cetk[1DCh]
IV[08h..0Fh] = Zerofilled ;padding
Input: Encrypted Title Key ;tik/cetk[1BFh]
Output: Decrypted Title Key ;for use in next step
Then, the actual executable/file can be decrypted (also via AES-CBC):
KEY[00h..0Fh] = Decrypted Title Key ;from above step
IV[00h..01h] = Usually Zero (or "Index" from tmd?) ;tmd[?]
IV[02h..0Fh] = Zerofilled ;padding
Input: Encrypted file "000000vv" ;from http download
Output: Decrypted file "000000vv.app" ;saved on eMMC
The above decryption steps do require a big-endian AES-CBC software implementation (the DSi hardware supports only little-endian, and it supports only AES-CTR and AES-CCM, and, especially, it supports only the "encrypt" key schedule, whilst AES-CBC would require a different "decrypt" key schedule).
== See Also ==
* [[NUS Downloader/database]]
* http://wiibrew.org/wiki/Ticket - Wii Tickets (similar to DSi tickets)
* http://3dbrew.org/wiki/Ticket - 3DS Tickets