Certificate chain
Certificate chains are intensively used to sign stuff on the Wii. They are normally preceded by a TMD file or a Ticket and are used to verify their signature up to the root key. Most chains contain three certificates, each padded to 0x40.
Certificates are also used to sign game savedata that is copied to the SD card. Saves are signed by Root-CA00000001-MS00000002-NGxxxxxxxx-AP0000000100000002 where AP is the system menu application cert (ECC/ECC public key), NG the device specific cert (ECC/ECC public key).
Certificates
Certificate | Signature type | Public key type | Cert name | Issued by | Description |
---|---|---|---|---|---|
Root | N/A | RSA-4096 | Root | N/A | Root certificate stored in the IOS kernel, in the IOSC section |
CA | RSA-4096 | RSA-2048 | CA00000001 | Root | Used to verify production (retail) XS, CP, MS certs |
CA | RSA-4096 | RSA-2048 | CA00000002 | Root | Used to verify debug (test/dev) XS, CP, MS certs |
CA | RSA-4096 | RSA-2048 | CA10000000 | Root | Used to verify arcade system CP and XS certs |
CA | RSA-4096 | RSA-2048 | CA20000000 | Root | Used to verify arcade CP and XS certs by SEGA |
CA | RSA-4096 | RSA-2048 | CA30000000 | Root | Used to verify arcade CP and XS certs by Namco |
CA | RSA-4096 | RSA-2048 | CA40000000 | Root | Used to verify "special" arcade CP and XS certs |
CA | RSA-4096 | RSA-2048 | CA50000000 | Root | Used to verify arcade CP and XS certs by Capcom |
CA | RSA-4096 | RSA-2048 | CA60000000 | Root | Used to verify other arcade CP and XS certs |
Ticket | RSA-2048 | RSA-2048 | XS00000003 | Root-CA00000001 | Used to verify retail tickets |
Ticket | RSA-2048 | RSA-2048 | XS00000006 | Root-CA00000002 | Used to verify dev tickets |
Ticket | RSA-2048 | RSA-2048 | XS50000000 | Root-CA50000000 | Used to verify arcade tickets by Capcom |
TMD | RSA-2048 | RSA-2048 | CP00000004 | Root-CA00000001 | Used to verify retail TMDs |
TMD | RSA-2048 | RSA-2048 | CP00000007 | Root-CA00000002 | Used to verify debug TMDs |
TMD | RSA-2048 | RSA-2048 | CP10000000 | Root-CA10000000 | Used to verify arcade system TMDs |
TMD | RSA-2048 | RSA-2048 | CP50000000 | Root-CA50000000 | Used to verify arcade TMDs by Capcom |
Device cert issuer | RSA-2048 | ECC-B233 | MS00000002 | Root-CA00000001 | Used to verify retail device certificates |
Device cert issuer | RSA-2048 | ECC-B233 | MS00000003 | Root-CA00000002 | Used to verify debug device certificates |
Device cert | ECC-B233 | ECC-B233 | NG%08x (device ID) | Root-CA00000001-MS00000002 | Used to verify AP certs |
Application | ECC-B233 | ECC-B233 | AP%016lx (title ID) | Root-CA00000001-MS00000002-NG%08x | Used to verify savedata |
Storage
The main storage location for certificates is /sys/cert.sys, where all certificates from TMDs and tickets are added, each of which has a certificate chain appended to the end. On the other hand, while saves have a smaller NG-AP chain, these are not installed to cert.sys, instead being directly read every time. The location of the MS certificate is not known.
Child/Parent
Because each certificate is used to sign another certificate or the TMD/Ticket and also is signed by another certificate or the root key each certificate has a child and a parent certificate.
To get the parent issuer name of a certificate just cut off everything after the last "-" of the issuer name. If this issuer name is "Root" the root key is used to sign the certificate otherwise another certificate in the chain is used.
To get the child you have to append a "-" and the stored child identity to the issuer name. If the child is not in the certificate chain the certificate is used to sign the TMD/Ticket (which will contain the child's name in its issuer field).
The TMD/Ticket is therefore effectively signed by the root key because if any of the certificates is modified some signature check will fail and the IOS will know that you changed something.
Signature types
The following signature types may be used by a certificate:
Type | Name | Signature Length (x) |
0x00010000 | RSA-4096 | 0x200 |
0x00010001 | RSA-2048 | 0x100 |
0x00010002 | Elliptic Curve | 2*30 = 60 = 0x3c |
Key types
The following key types may be used by a certificate:
Type | Name | Length (y) = Modulus + Public Exponent + (Pad to 0x40) |
0x00000000 | RSA-4096 | 0x200 + 0x4 + 0x38 |
0x00000001 | RSA-2048 | 0x100 + 0x4 + 0x38 |
0x00000002 | ECC-B233 | 60 + 0 + 60 |
Certificate structure
Each certificate in the chain has the following structure (padded to 0x40). Because the offsets and lengths of the data varies depending on the signature and key length the letter "x" represents the signature length, and the letter "y" represents the key length here:
Start | Length | Description |
0x000 | 4 | Signature type |
0x004 | x | Signature of the certificate data using the parent certificate's key. Calculated starting from the issuer field. |
0x040 + x | 64 | Issuer |
0x080 + x | 4 | Key type |
0x084 + x | 64 | Child Certificate Identity |
0x0c4 + x | y | Public Key (see Key Types) |