From WiiUBrew
Jump to navigation Jump to search

SpotPass is a Nintendo Wii U feature that has the same purpose as on the Nintendo 3DS. It downloads automatically content.

Content Container

SpotPass content must use this container. Unlike the Nintendo 3DS the format is much smaller and doesn't include RSA signatures probably because they figured out the whole communication is already encrypted with HTTPS. The byte order is Big Endian. The parsing of the BOSS header is done in the ELF of the fw.img in the IOS-NIM-BOSS segment and begins at around address 0xE20D62B8.

BOSS Header

Offset Length Description
0x0 0x4 Magic Number "boss"
0x4 0x4 Magic Number 0x20001
0x8 0x2 Must be 0x0001
0xA 0x2 Must be 0x0002
0xC 0xC First 12 bytes of the Initialization Vector (IV)
0x18 0x8 Padding


The rest of the container is the payload. It is encrypted with AES-CTR. The first 12 bytes of the IV are from the header at offset 0xC. The last 4 missing bytes are always an integer in big endian of 1 (0x00, 0x00, 0x00, 0x01). The key that is used is the one in key slot 0x1F

Offset Length Description
0x0 0x20 SHA-256 HMAC of the remaining payload
0x20 Actual/Remaining payload. The content that gets written to the file system.

The first 32 bytes of the decrypted payload are the SHA-256 HMAC of the remaining payload. The key that is used is stored in key slot 0x20