More actions
wad2bin | |
---|---|
General | |
Author | DarkMatterCore |
Type | PC Utilities |
Version | 0.8 |
License | GPL-3.0 |
Last Updated | 2021/08/12 |
Links | |
Download | |
Website | |
Source | |
Support Author | |
wad2bin is a tool that converts installable Wii WAD packages to backup WAD packages (*.bin files) by using console-specific keydata.
These converted files can be stored on an SD card and used to launch channels through the System Menu 4.0+ or used with games that save and read data in this format.
User guide
Usage: wad2bin <keys.txt> <device.cert> <input WAD> <output dir> [<parent title ID> [--nullkey]]
- Paths must not exceed 259 characters. Relative paths are supported.
- The required directory tree for the *.bin file(s) will be created at the output directory.
- You can set your SD card root directory as the output directory.
Notes about DLC support:
- Parent title ID is only required if the input WAD is a DLC. A 16 character long hex string is expected.
- If "--nullkey" is set after the parent title ID, a null key will be used to encrypt DLC content data.
- Some older games (like Rock Band 2) depend on this to properly load DLC data when launched via the Disc Channel.
Guidelines
- Console-specific data is required to perform the conversion. Dump it from the target console with xyzzy-mod.
- The program expects two different files with console specific data: a text file with keydata (check
keys.txt.template
for the actual format) anddevice.cert
. Both files are generated by xyzzy-mod.- Both ticket and TMD for each converted WAD package must be installed on the target Wii console in order for this to work.
- For this matter, the program generates a bogus WAD package at the provided output directory, using the
<title_id>_bogus.wad
naming convention. It can be used with regular WAD Managers to install both ticket and TMD if needed. - Bogus WAD packages don't have any encrypted content data, thus they're expected to return errors like
-1022
during installation with regular WAD Managers - this is expected behaviour, so don't panic. - If you can't get your converted WAD package to work, try uninstalling the bogus WAD before installing it (for real). This fixes the problem most of the time.
- Channel WADs get converted to
content.bin
files, while DLC WADs get converted to<index>.bin
files.
- The program expects two different files with console specific data: a text file with keydata (check
- If a DLC WAD is provided, it doesn't matter if it's an uncomplete WAD with missing contents:
- A WAD with a tampered TMD that only references the packaged contents or a full WAD with all contents: all cases are supported by wad2bin. There's no need to provide any content indexes.
- DLCs can use a parent title ID that's different from the title ID from the game they belong if other games are capable of using them. That's why a parent title ID is required to convert DLCs.
- Converted DLC data can be encrypted using either a null key (used by older games) or the console-specific PRNG key (used by newer games, and also old games when launched with a cIOS).
- If the WAD ticket wasn't issued for the target console, or if the WAD isn't legit (e.g. homebrew WAD), a patched IOS must be installed and used. This varies depending on the converted WAD type:
- Channels - the IOS used by the System Menu must be patched to enable the signing bug on it:
- Regular Wii consoles - use Simple IOS Patcher to install a patched System Menu IOS (IOS60 for 4.0 and 4.1, IOS70 for 4.2 and IOS80 for 4.3).
- Wii U consoles (vWii) - use Patched IOS80 Installer for vWii to install a patched IOS80.
- DLCs - the game must be launched using a cIOS, or its required IOS version must be patched to enable the signing bug on it. This greatly depends on:
- How old the game is - if it enforces the usage of a null key when launched through the Disc Channel.
- The used launch method - cIOS enforce the usage of the PRNG key, even on older games.
- Ticket/TMD signature validity - if it's not valid, or if the ticket wasn't issued for the target console, a patched IOS or a cIOS will always be necessary.
- Because of all these reasons, it's difficult to establish a clear procedure that works for every single case. Further trial and error by the user is encouraged.
- Channels - the IOS used by the System Menu must be patched to enable the signing bug on it:
Supported DLCs
Not all DLCs can be converted to <index>.bin
files - this is because not all games with DLCs are capable of loading DLC data stored on the SD card. For this purpose, wad2bin holds a hardcoded DLC title ID list, in order to avoid converting a DLC WAD that simply won't work from the SD card.
The title ID from the parent game must be provided as an additional command line argument, because some games can "import" DLC data that belongs to other games. Only the following DLCs are supported:
- Rock Band 2 (
00010000-535A41xx
) (SZAx
):00010005-735A41xx
(sZAx
).00010005-735A42xx
(sZBx
).00010005-735A43xx
(sZCx
).00010005-735A44xx
(sZDx
).00010005-735A45xx
(sZEx
).00010005-735A46xx
(sZFx
).
- The Beatles: Rock Band (
00010000-52394Axx
) (R9Jx
):00010005-72394Axx
(r9Jx
).
- Rock Band 3 (
00010000-535A42xx
) (SZBx
):00010005-735A4Axx
(sZJx
).00010005-735A4Bxx
(sZKx
).00010005-735A4Cxx
(sZLx
).00010005-735A4Dxx
(sZMx
).
- Guitar Hero: World Tour (
00010000-535841xx
) (SXAx
):00010005-735841xx
(sXAx
).00010005-73594Fxx
(sYOx
).
- Guitar Hero 5 (
00010000-535845xx
) (SXEx
):00010005-735845xx
(sXEx
).00010005-735846xx
(sXFx
).00010005-735847xx
(sXGx
).00010005-735848xx
(sXHx
).
- Guitar Hero: Warriors of Rock (
00010000-535849xx
) (SXIx
):00010005-735849xx
(sXIx
).
- Just Dance 2 (
00010000-534432xx
) (SD2x
):00010005-734432xx
(sD2x
).
- Just Dance 3 (
00010000-534A44xx
) (SJDx
):00010005-734A44xx
(sJDx
).
- Just Dance 4 (
00010000-534A58xx
) (SJXx
):00010005-734A58xx
(sJXx
).
- Just Dance 2014 (
00010000-534A4Fxx
) (SJOx
):00010005-734A4Fxx
(sJOx
).
- Just Dance 2015 (
00010000-534533xx
) (SE3x
):00010005-734533xx
(sE3x
).
Any DLCs not appearing on this list will return an error if used as the input WAD package for the program. If you come across a DLC that can be loaded from the SD card and doesn't appear on this list, please contact me or open an issue and I'll gladly add it.
content.bin and <index>.bin
- Differences between
content.bin
files and<index>.bin
files:content.bin
files are used to store data from00010001
(downloadable channels) and00010004
(disc-based channels) titles, and get saved tosd:/private/wii/title/<ascii_lower_tid>/content.bin
.- Whilst
<index>.bin
files are used to store data from00010005
(DLC) titles, and get saved tosd:/private/wii/data/<ascii_lower_tid>/<index>.bin
- where<index>
represents a specific content index from its TMD (000 - 511). - Both
content.bin
and<index>.bin
files are backup WAD packages with a "Bk" header block, a TMD data block and encrypted contents using AES-128-CBC with the console-specific PRNG key and the content index as their IV (followed by 14 zeroes).
- However,
content.bin
files hold two leading blocks before the "Bk" header that are both encrypted using the SD key and the SD IV (which are not console specific):- A 0x640 byte-long title info header, which holds data such as title ID and a copy of the IMET header from the channel's
opening.bnr
(00000000.app
). - A copy of the
/meta/icon.bin
file entry from theopening.bnr
U8 archive, with a variable size.
- A 0x640 byte-long title info header, which holds data such as title ID and a copy of the IMET header from the channel's
content.bin
files also hold a trailing certificate area placed after the encrypted contents, which contains:- An ECDSA signature calculated over the whole backup WAD package area (using the console-specific ECC private key).
- A copy of the console-specific ECC-B233 device certificate (also known as "NG" cert).
- A title-issued ECC-B233 certificate (also known as "AP" cert), signed using the console-specific ECC private key. Its ECC public key is an ECDH shared secret generated with a custom ECC private key. The issuer title is always the System Menu (00000001-00000002).
- On the other hand, while
<index>.bin
files don't include any of the leading and trailing blocks fromcontent.bin
files, they are only allowed to hold a single encrypted content at a time, which index is used as part of the filename expressed in base 10 notation (e.g.000.bin
).
Dependencies
- ninty-233 (licensed under GPLv3 or later) is used for ECDH data generation and ECDSA signing/verification.
- mbedtls (licensed under Apache 2.0) is used for hash calculations, AES-CBC crypto operations and RSA signature verification.
- Keydata parsing based on code from hactool (licensed under ISC).
GUI
A Python-based graphical frontend for the program is available as gui.py.
Big thanks to LyfeOnEdge for developing it.
Screenshots
Changelog
v0.8
- Print
errno
values as part of error messages whenever possible. - Use GCC
format
function attribute onutilsPrintErrorMessage()
.
v0.7
- Removed parent title ID generation for DLC WADs. This doesn't work properly with games that are capable of using DLCs from other games.
- The hardcoded DLC title ID list is still being used as a filter to know if any converted DLCs will work or not.
- Added support for encrypting converted DLC data with a null key. Fixes issues with older games launched through the Disc Channel, such as
Rock Band 2
.- Please read the guidelines from the readme! Even if a null key is used, a patched IOS is still needed if the DLC ticket wasn't issued for the target console and you intend to launch the game through the Disc Channel.
- Added
The Beatles: Rock Band
DLC to the hardcoded DLC title ID list. - Written content padding is now encrypted as well.
- Several fixes to the U8 archive parsing code.
- Fixed a silly
ECSDA
->ECDSA
typo. - Reworked certificate chain, ticket and TMD handling.
- Implemented RSA signature verification in certificates, tickets and TMDs.
- Fixes a bug where the ticket would have been fakesigned even if it was perfectly valid.
- Useful info is now displayed at the end of the conversion process. Please read it.
v0.6
- Added a hardcoded list with title IDs from DLCs that can be converted to the
<index>.bin
format. Any other DLCs will return an error. Thanks to this, it's no longer necessary to input a parent title ID. - Fixed support for WAD packages with content data bigger than
U32_MAX
(0xFFFFFFFF).
v0.5
- Implemented bogus installable WAD package generation (header + certificate chain + ticket + TMD), saved at the provided output directory using the
<title_id>_bogus.wad
naming convention. - These bogus WAD packages can be used to install both ticket and TMD if needed, using regular WAD Managers. Errors such as -1022 can be safely ignored (e.g. content data isn't available in these WADs).
v0.4
- Fixed seeking after a missing content is detected while unpacking a DLC WAD.
v0.3
- Force the user to provide the full parent title ID for DLC WADs.
v0.2
- Added proper support for DLC WADs, even if they're incomplete (e.g. full TMD with missing content files).
v0.1
- Initial release.