3
edits
Changes
no edit summary
|-
|-
| 0x010000
| 0x010000
| RSA_4096 SHA1
| RSA-4096 PKCS#1 v1.5 with SHA-1
| 0x200
| 0x200
| 0x3C
| 0x3C
|-
|-
| 0x010001
| 0x010001
| RSA_2048 SHA1
| RSA-2048 PKCS#1 v1.5 with SHA-1
| 0x100
| 0x100
| 0x3C
| 0x3C
|-
|-
| 0x010002
| 0x010002
| Elliptic Curve with SHA1
| ECDSA with SHA-1
| 0x3C
| 0x3C
| 0x40
| 0x40
|-
|-
| 0x010003
| 0x010003
| RSA_4096 SHA256
| RSA-4096 PKCS#1 v1.5 with SHA-256
| 0x200
| 0x200
| 0x3C
| 0x3C
|-
|-
| 0x010004
| 0x010004
| RSA_2048 SHA256
| RSA-2048 PKCS#1 v1.5 with SHA-256
| 0x100
| 0x100
| 0x3C
| 0x3C
|-
|-
| 0x010005
| 0x010005
| ECDSA with SHA256
| ECDSA with SHA-256
| 0x3C
| 0x3C
| 0x40
| 0x40
|-
| 0x010006
| HMAC-SHA1-160
| 0x14
| 0x28
|}
|}
| 0x40 || 0x100 || Title key block
| 0x40 || 0x100 || Title key block
|-
|-
| 0x140 || 0x1 || Unknown
| 0x140 || 0x1 || Ticket Version (Always 2 for Switch (ES) Tickets)
|-
|-
| 0x141 || 0x1 || Title key type
| 0x141 || 0x1 || Title key type
|-
|-
| 0x142 || 0xE || Unknown
| 0x142 || 0x2 || Ticket Version
|-
| 0x144 || 0x1 || License Type
|-
| 0x145 || 0x1 || Master key revision
|-
| 0x146 || 0x2 || Properties Bitfield
|-
| 0x148 || 0x8 || Reserved
|-
|-
| 0x150 || 0x8 || Ticket ID
| 0x150 || 0x8 || Ticket ID
| 0x158 || 0x8 || Device ID
| 0x158 || 0x8 || Device ID
|-
|-
| 0x160 || 0x8 || Title ID
| 0x160 || 0x10 || Rights ID
|-
|-
| 0x170 || 0x4 || Account ID
| 0x170 || 0x4 || Account ID
|}
|}
The title key can be encrypted as a single AES block when title key type is 0 (presumably AES-128-CBC) or as an RSA-2048 message when title key type is 1. The latter is used for titles requiring stronger licensing (applications, add-on content), while the former (old) method is used for patches.
The title key can be stored as a 16-byte block when tickets are "common" [2.0.0+] with title key type 0, or as a "personalized" RSA-2048 message when title key type is 1. The latter is used for titles requiring stronger licensing (applications, add-on content), while the former (old) method is used for patches.
When RSA is used, this uses an SPL key handle that is initialized with the console-unique RSA-2048 ticket key.
When RSA is used, this uses an SPL key handle that is initialized with the console-unique RSA-2048 ticket key.
== Certificate chain ==
== Certificate chain ==
| Ticket
| Ticket
| RSA-2048
| RSA-2048
| XS00000021
| colspan="2" style="text-align:center;" | XS00000020
| ?
| Used to verify ticket signatures using AES title key block ("common" tickets)
| Used to verify (some?) ticket signatures
|-
| Ticket
| RSA-2048
| colspan="2" style="text-align:center;" | XS00000021
| Used to verify ticket signatures using RSA title key block ("personalized" tickets)
|-
|-
| Ticket
| Ticket
| RSA-2048
| RSA-2048
| XS00000020
| colspan="2" style="text-align:center;" | [9.0.0+] XS00000024
| ?
| Used to verify ticket signatures using RSA title key block ("personalized" tickets)
| Used to verify (some?) ticket signatures
|-
|-
| CA
| CA
| RSA-4096
| RSA-4096
| CA00000003
| style="text-align:center;" | CA00000003
| CA00000004
| style="text-align:center;" | CA00000004
| Used to verify the ticket certificate
| Used to verify the ticket certificate
|}
|}
The CA certificate is issued by 'Root', the public key for which is stored in ES.
The CA certificate is issued by 'Root', the public key for which is stored in ES.