Content legitimacy

While using hShop, you may have noticed a couple mentions to "legit" or "piratelegit" content.
These terms may seem scary at first because to any normal person, it would indicate that any content that isn't "legit" is fake or not to be trusted.
However, when it comes to 3DS content, these terms have a vastly different meaning.

What does "legit" actually refer to?

To get a better understanding of the term, you first need to know a bit more about how the 3DS handles content downloaded from the eShop.

There are two things that affect the "legitimacy" of content, each of which are part of the CIA you download:

1. The ticket

   Think of the ticket as the entry card for your 3DS to download content.
   Every time your 3DS sends a request to download content from the eShop,
   the corresponding ticket (which is cryptographically signed) is sent over.
   The server then validates this ticket and returns the content if it is valid.
   If the ticket is not valid, access is denied.

   This ticket is essential because it contains a key which is used to decrypt the contents from the CDN.
   If the ticket is legit, it is possible to verify that the content inside a CIA came directly from the CDN
   and was not tampered with in any way whatsoever.

2. The TMD

   TMD stands for Title Metadata.
   As described in its name, it contains important metadata about the contents.
   The TMD is, just like the ticket, signed cryptographically.
   It includes things like the number of contents, content sizes, content hashes, and more.

   If the TMD is legit, it is possible to check every content for tampering or corruption.
   

What "legit" means

"Legit" is part of three legitimacy "levels":

• Standard: neither the ticket nor the TMD are legitimate. While this makes it possible for tampering to occur, it does not mean standard dumps should not be trusted. Standard dumps are almost always fine to use. You cannot install standard dumps on a system that does not have CFW.
• Piratelegit: the TMD is legit and the ticket is not "legit" but still contains the correct CDN decryption key. This level allows neither corruption nor tampering. The only difference between this and "legit" dumps is that the ticket has an invalid (forged) cryptographic signature. You cannot install piratelegit dumps on a system that does not have CFW.
• Legit: both the TMD and ticket are legit. These come in two forms, global and personalized.
  Global legit dumps can be installed on any system, including ones without CFW.
  Personalized legit dumps can be installed only on the system the corresponding title was purchased on.