CMD
Content metadata (CMD) is a file or structure that stores data about an iQue app, such as encryption keys, its access to secure kernel calls, and its access to various hardware. It is used on its own in SKSA (where SA1 and SA2 each have their own attached CMD) and is also contained in every ticket.
Format
A CMD consists of two parts: contentDesc, an optional 0x2800-byte structure containing information about a game such as its save type, title, and thumbnail image; and BbContentMetaDataHead. The former is not used in the content metadata for SAs.
contentDesc
Offset | Length | Type | Information |
---|---|---|---|
0x00 | 0x04 | uint32 | EEPROM RDRAM location (typically 0x807C0000, 0 if unused) |
0x04 | 0x04 | uint32 | EEPROM size (either 0x200 or 0x800) |
0x08 | 0x04 | uint32 | Flash RDRAM location (typically 0x807C0000, 0 if unused) |
0x0C | 0x04 | uint32 | Flash size (0x20000 if used) |
0x10 | 0x04 | uint32 | SRAM RDRAM location (typically 0x807C0000, 0 if unused) |
0x14 | 0x04 | uint32 | SRAM size (0x8000 if used) |
0x18 | 0x04 | uint32 | Controller Pak 0 RDRAM location (could be 0x807C0000 or 0x807C0000, 0 if unused) |
0x1C | 0x04 | uint32 | Controller Pak 1 RDRAM location (0 if unused) |
0x20 | 0x04 | uint32 | Controller Pak 2 RDRAM location (0 if unused) |
0x24 | 0x04 | uint32 | Controller Pak 3 RDRAM location (0 if unused) |
0x28 | 0x04 | uint32 | Controller Pak size (0x8000 when used) |
0x2C | 0x04 | uint32 | Probably osRomBase (always 0xB0000000?) |
0x30 | 0x04 | uint32 | Probably osTvType (always 1? which is for NTSC) |
0x34 | 0x04 | uint32 | Probably osMemSize (always 0x400000? for no expansion pak) |
0x38 | 0x04 | uint32 | Unknown, possibly another libultra boot param |
0x3C | 0x04 | uint32 | Unknown, possibly another libultra boot param |
0x40 | 0x03 | chars | "CAM", unknown purpose |
0x43 | 0x01 | byte | Number of ".u0x" files for this game? |
0x44 | 0x02 | uint16 | Thumb image length (can't be more than 0x4000, decompressed size must be exactly 0x1880) |
0x46 | 0x02 | uint16 | Title image length (can't be more than 0x10000, how exactly would that even fit?) |
0x48 | Thumb image length | bytes | DEFLATE-compressed thumb image, stored as RGBA5551 (56w * 56h) |
0x48 + Thumb image length | Title image length | bytes | DEFLATE-compressed title image, stored as IA8 (184w * 24h) |
0x48 + Thumb image length + Title image length | 0x27B8 - image lengths | chars | Title name + ISBN |
BbContentMetaDataHead
Offset | Length | Type | Description | Information |
---|---|---|---|---|
0x2800 | 0x04 | uint32 | unusedPadding | padding |
0x2804 | 0x04 | uint32 | caCrlVersion | Certificate Authority(?) CRL version |
0x2808 | 0x04 | uint32 | cpCrlVersion | Content Protection(?) CRL version |
0x280C | 0x04 | uint32 | size | Size (in bytes) of the associated app |
0x2810 | 0x04 | uint32 | descFlags | Seemingly unused/unchecked; bit 0 set if the associated app is SA |
0x2814 | 0x10 | uint8[16] | commonCmdIv | titlekey_iv; IV used to encrypt title key (with common key) |
0x2824 | 0x14 | uint8[20] | hash | SHA-1 hash of the plaintext of the associated app |
0x2838 | 0x10 | uint8[16] | iv | content_iv; IV used to encrypt content |
0x2848 | 0x04 | uint32 | execFlags | Despite the name, only one use/flag is known: if bit 1 is set (the "recrypt flag"), the associated app will be re-encrypted on first launch |
0x284C | 0x04 | uint32 | hwAccessRights | bitfield, each bit enables access to some MMIO regs new to iQue Player (0x0000 for games except for Animal Forest which is 0x0033, 0x0013 for iQue Club, 0x01F7/0x01B3 for SA) |
0x2850 | 0x04 | uint32 | secureKernelRights | Which secure kernel calls the associated app can use, one bit per syscall: bit 0 allows SKC 0, etc. |
0x2854 | 0x04 | uint32 | bbid | If not zero, can only be run on the specified console (used for SAs, not games) |
0x2858 | 0x40 | uint8[64] | issuer | Certificate used to sign the cmd |
0x2898 | 0x04 | uint32 | id | Content ID of the associated app |
0x289C | 0x10 | uint8[16] | key | The associated app's title key. It is encrypted once with the common key. If the associated app is not an SA, then it is encrypted again with a key derived using the result of ECDH with the console's private key in the Virage2 and the public key in the app's ticket. |
0x28AC | 0x100 | uint8[256] | contentMetaDataSign | RSA-2048 signature over all of the above, but before the title key is encrypted a second time. |
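
The following Python is an added example, not code from this page or from any iQue tooling. It parses BbContentMetaDataHead using the offsets in the table above, decodes the rights and flag fields for auditing, and checks a decrypted app against the stored SHA-1. It assumes big-endian fields and that bit 0 is the least significant bit; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumptions: fields are big-endian, and a CMD is either the bare head
# (0x1AC bytes) or the head preceded by the 0x2800-byte contentDesc.
DESC_LEN = 0x2800
HEAD = struct.Struct(">5I16s20s16s4I64sI16s256s")  # 0x2800..0x29AC in the table
FIELDS = ("unusedPadding", "caCrlVersion", "cpCrlVersion", "size", "descFlags",
          "commonCmdIv", "hash", "iv", "execFlags", "hwAccessRights",
          "secureKernelRights", "bbid", "issuer", "id", "key",
          "contentMetaDataSign")


def parse_cmd_head(blob: bytes) -> dict:
    """Parse BbContentMetaDataHead from a full CMD or from a bare head."""
    if len(blob) == DESC_LEN + HEAD.size:
        blob = blob[DESC_LEN:]  # skip contentDesc
    elif len(blob) != HEAD.size:
        raise ValueError(f"unexpected CMD length {len(blob):#x}")
    return dict(zip(FIELDS, HEAD.unpack(blob)))


def summarize(head: dict) -> dict:
    """Decode the flag and rights fields as the table describes them."""
    return {
        "is_sa": bool(head["descFlags"] & 0x1),    # descFlags bit 0
        "recrypt": bool(head["execFlags"] & 0x2),  # execFlags bit 1
        # One bit per secure kernel call: bit n allows SKC n.
        "allowed_skcs": [n for n in range(32)
                         if (head["secureKernelRights"] >> n) & 1],
        "console_locked": head["bbid"] != 0,       # non-zero bbid pins a console
    }


def content_matches(head: dict, plaintext: bytes) -> bool:
    """Compare the SHA-1 of a decrypted app with the CMD's hash field."""
    digest = hashlib.sha1(plaintext).digest()
    return hmac.compare_digest(digest, head["hash"])


# Constructed sample head (not taken from a real console or ticket).
SAMPLE_APP = b"constructed app plaintext"
SAMPLE_HEAD = HEAD.pack(0, 1, 1, len(SAMPLE_APP), 0x1, bytes(16),
                        hashlib.sha1(SAMPLE_APP).digest(), bytes(16), 0x2,
                        0x01F7, 0b1011, 0x1234, b"constructed-issuer", 7,
                        bytes(16), bytes(256))
```
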