CSA Brute Force

C0der · Jun 10, 2017

I read somewhere, in some rare, non-real conditions with the output of the SC fully known, it might be possible to "guess" the state of the SC in the run-phase.
But even then, it may not be possible to get the CW.
I was wondering about the last part. But looking at the algo it looks tough.
Besides other things, even if we know the output of the sbox, we dont know the input.

dale_para_bajo · Jun 10, 2017

I been busy on other stuff. But here we are.

C0der said:
If the state of the SC is known at some point after the first 32 steps, is it possible to "roll back" to get the CW?

Wao you are brave man. I guess with enough time and resources we can do all what we want. And please consider time as a resource as in some cases time can be a lonngggg time.

In PowerVu we do RollBack. But PowerVu is in fact a simple schema. For the most part you deal with bits ONLY so with every click you only have to worry about the flip of one bit. And if you neglect powervu cycling shifts of the register you end up with just 2 xor between Clear and Encrypted bit.

So it is complicated but doable to just test all possibilities and many if not all get easily cancel as the solution do not meet all requirements.

But this CSA SC has many variables to track. Again many books claim it can be done and I think I seen math people claiming that a 100 or so of equations could be use to solve.

C0der · Jun 28, 2017

If someone wants to try the "SC-only" thing...
Here is a real life example of a payload of 15 bytes with unknown CW:
C7 26 F4 60 03 BE 82 A4 3C 5E 7E 3D D9 E4 84
The plaintext is either
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 80
or
00 00 00 00 00 00 00 00 00 00 00 00 00 00 7F
.

dale_para_bajo · Jun 29, 2017

I am lost!

C0der said:
I read somewhere, in some rare, non-real conditions with the output of the SC fully known, it might be possible to "guess" the state of the SC in the run-phase.
But even then, it may not be possible to get the CW.
I was wondering about the last part. But looking at the algo it looks tough.
Besides other things, even if we know the output of the sbox, we dont know the input.

C0der said:
If someone wants to try the "SC-only" thing...
Here is a real life example of a payload of 15 bytes with unknown CW:
C7 26 F4 60 03 BE 82 A4 3C 5E 7E 3D D9 E4 84
The plaintext is either
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 80
or
00 00 00 00 00 00 00 00 00 00 00 00 00 00 7F
.

Are you insinuating that you have done the rollback and found key?
Are you asking us to try it?

Listen C0der you are a nice guy I am not trying to contradict you. On the opposite. If there here something to learn I am sining in. Lets try!. Just give us a hit what to do?

K2TSET · Jun 29, 2017

C0der said:
If someone wants to try the "SC-only" thing...
Here is a real life example of a payload of 15 bytes with unknown CW:
C7 26 F4 60 03 BE 82 A4 3C 5E 7E 3D D9 E4 84
The plaintext is either
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 80
or
00 00 00 00 00 00 00 00 00 00 00 00 00 00 7F
.

I'm a bit confused as well, but think this is what you have in mind?

Is this the last bytes before PUSI ?
C7 26 F4 60 03 BE 82 A4
3C 5E 7E 3D D9 E4 84 so it the Residue?
if so encrypted with SC only since it does not have the length of 8

So to find the CW you will have to do BF like this (I guess)

for all CW to test (256^6)

do

calculate the chksum for CW

do the SC init with C7 26 F4 60 03 BE 82 A4 (32 rounds)

do the SC Run for 7 bytes = to 28 rounds

XOR the output of the 28 rounds with 3C 5E 7E 3D D9 E4 84

See if it fits with FF FF FF FF 80 or 00 00 00 00 7F

Sure you can stop the SC run if xor output does not fit after a round

I always like to have the ts before so it possible and check if result works and also to be sure where precise the bytes comes from.

C0der do you know if it works?

C0der · Jun 29, 2017

dale_para_bajo said:
Are you insinuating that you have done the rollback and found key?

Nah.
I wish.
The rollback seems (almost?) impossible.

I just went back to the idea of K2TSET.

Didnt check for PUSI. (But it most likely was.)
And the rest you got correct.

If it works? It should. But all I found was one false positiv.

K2TSET · Jun 30, 2017

C0der, could you upload a bit of the ts from where you took the C7 26 F4 60 03 BE 82 A4 3C 5E 7E 3D D9 E4 84 from?
Then I will try to BF the CW and then we can see if the "SC only" actually does work

C0der · Jun 30, 2017

Would that single ts-packet be enough?
Or do you need a PUSI?
(I dont actualy have a ts, since I used a tool that extracts only the needed bytes from the live-source. It can take a while to catch a packet with that length AND a known plain.)

K2TSET · Jun 30, 2017

C0der said:
Would that single ts-packet be enough?
Or do you need a PUSI?
(I dont actualy have a ts, since I used a tool that extracts only the needed bytes from the live-source. It can take a while to catch a packet with that length AND a known plain.)

To do a normal BF I would need 2 ts-packet with PUSI else there will be like 1 milion candidates on a complete search and no way to see if it fits.
How do you know you have a false result if you do not have the ts?

If you test on a live feed from where you got the string from then just make a new small recording for a few seconds and post it

C0der · Jun 30, 2017

I'll make a ts later (about 4 hours from now).

False positiv in that case was when only 6 of the 7 plain bytes match.

C0der · Jun 30, 2017

This doesn't have the 15-byte-packets, but its the same transponder/Pid/CW:
http://www23.zippyshare.com/v/cgw8BO5B/file.html

K2TSET · Jun 30, 2017

C0der said:
This doesn't have the 15-byte-packets, but its the same transponder/Pid/CW:
http://www23.zippyshare.com/v/cgw8BO5B/file.html

Thx, very short file ... only 2 pusi
I have started a search, will be back when I have some result

K2TSET · Jul 1, 2017

Full search done ... no CW found
47 57 E4 9B
82 C5 2E 64 2D 8A AC 0B 0B 02 06

47 57 E4 9C
DD 48 08 05 19 30 78 75 04 DD 6E

It might be the CSA use all 64 bit and not 48+chk
or maybe it's not CSA

C0der · Jul 1, 2017

Thanks. That is impressive speed.
And yeah, it seems to be something else.

K2TSET · Jul 1, 2017

C0der, looking on you file you do have the 2 pusi and the adaption just before (Stuffing).
BTW if you use HxD for viewing bin files try to have 188 instead of 16 in the top bar then it's very easy to view the ts-packets

First

Code:

47 17 E4 BA [COLOR="Red"]43[/COLOR] 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 75 5A 48 0E 31 22 59 1A C2 85 61 0C 54 A5 A5 24 4E 6D 01 D5 B1 1F C3 7E E5 1F C6 16 85 FC 5F 08 13 57 A3 01 82 92 5A 54 EF A7 C7 A1 6F 52 18 72 B8 2E F1 ED E1 E0 2A 9A F2 4A F6 E0 92 E7 03 96 33 81 4C CB E8 7E F8 EF F5 91 FF B6 38 46 C9 F1 EC DC 3F CA EF B1 75 E6 31 AD 6E D9 06 22 23 8C EF 08 DE F2 F4 B4 17 1C 99 D6 A4 94 36 CC 0E A6 2C 7D 6B 5E
47 57 E4 9B 82 C5 2E 64 2D 8A AC 0B 0B 02 06 97 47 0B 1F 36 7E A9 3E 13 F3 B3 9A 88 93 FA 90 24 00 48 4F A1 22 19 6B 0B 27 46 BC C0 C0 8B EB 8B 1A 85 79 DF FF C2 AB 85 1D 70 EF 72 99 15 B7 34 F6 2C 58 5F E8 FB DA 71 BA 01 5E 97 EC 91 96 7F CB B5 BC 44 7C 0E E5 92 AC EF 6F D1 A0 1A B5 17 CA 52 30 8B F6 EC C2 65 07 33 C3 5F 52 64 7D 37 78 48 04 BA 59 C0 9A CF 07 CA 37 1F B8 AA C6 3B 43 52 C5 6D 17 13 8C A4 46 04 B9 0A D9 4B 90 F9 15 71 F4 F8 FA 83 62 B4 49 B5 CA 5E C7 E4 F4 A7 4C C4 0C 41 B3 66 BD C4 BA 0E DA 5F 5D 64 A0 F9 36 8D 51 1D 9C C2 33 8D C7 D7 09 36

Last:

Code:

47 17 E4 BB [COLOR="red"]7D[/COLOR] 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 4F 4B A6 9E B8 99 2D FA 9E 0D DD 4E 2D 7F CE CB BD C5 EC 4B 39 DC EB 43 AD 52 DA D8 8C 6F 46 9C 2A B3 29 EB 92 24 09 37 69 9B 8D EF 52 51 C4 D8 44 29 F3 EE 77 3D E4 CF 70 E7
47 57 E4 9C DD 48 08 05 19 30 78 75 04 DD 6E 8B 74 2E 0E 61 77 E1 DA 35 37 7F 39 4F 62 EB C0 78 05 13 B6 D4 83 6B C6 2C B3 EB 94 F3 EC C4 FD 2D 2D 9A A7 2E 32 12 1B 7E 83 F9 B6 78 C0 A7 40 3C 0F 2C 46 8C 53 11 C4 30 45 8F F4 A9 2D 50 A5 22 EE 98 50 48 05 08 2D 97 39 94 91 C6 F6 13 8B 4C 85 17 99 1B 99 4A 67 6F E5 19 20 A6 AB F4 21 A1 56 1C 9C 13 6F 3F 6D 4D 19 3B E1 6B 6F D9 BD C5 B7 E3 93 CD 1D D5 25 8B 98 16 FC A2 D4 FF 96 AA 12 C5 E8 FD 69 82 DE 38 3C F9 A5 26 27 42 1C 4B 70 92 17 16 30 D5 17 4E 85 44 C4 78 A2 F2 1C BB 1C 33 7B 81 10 BA 21 AA 8E CB 45 58

You will see in the 2 packets with the Adaption field with all thee FF in the first you have a Adaption length of 0x43 and a remain lengt of 0x74 = dec 116 div 8 gives a rest of of 4 bytes

In the last you have a Adaption length of 0x7D and a remain lengt of 0x3A = dec 58 div 8 gives a rest of 2 bytes
So a SC-only might work if we know the plain text hope for some FF's or 00's.

Instead of playing with a unknown ts I suggest you grab some BISS ts where the CW are known and where your software detects a non 0 bytes rest, then try to look on the decrypted ts and see what those rest are?

If the are FF or 00 pls upload a bit of the file and tells us the CW and we can try to do some calc on SC_only it it will give same result.

C0der · Jul 1, 2017

Didn't use HxD before, but seems very useful.

Why you think SC-only would fail (if they use CSA 48)?

For the plaintext:
Depends on encoder and content.
What I have seen most as last 7 bytes:
FF FF FF FF FF FF 80
and
FF FF FF FF FF FF 00
.

K2TSET · Jul 1, 2017

C0der said:
Why you think SC-only would fail (if they use CSA 48)?

I don't think it should fail, only if there are no stuffing bytes FF's or 00's or if no Residue bytes.
This might depend on the encoder used for the feed

I guess the file you uploaded are not CSA 48
Have you tried other way to find the CW for it?

I suggest we do look use another ts where there are Residue Bytes to test and where we can start finding the CW normal way

In HxD you can search HEX strings,very useful

C0der · Jul 1, 2017

Yeah, RBT didn't find anything either.

K2TSET · Jul 1, 2017

Ok I grab a little bit of a ts file with a normal CW change like every 10 sec.
http://www90.zippyshare.com/v/EsGpHnJ5/file.html
If you search for 47 43 ff PUSI You will see there are Adaption field in the ts-packet before and there are Residue Bytes in some of them

I did a BF for the CW for the first part 00 8A 81 0B B0 0D D1 8E

Now we should be able to do the SC-only test

Encrypted:

Code:

47 03 FF B8 7B 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 15 E4 4A B2 12 64 E6 7F 3C 3C A2 D5 47 7D B8 8B B0 2A C3 53 54 73 AE 90 39 2B 76 74 02 BF 44 56 9D C2 0F 65 9F E1 7E 6F 1B F6 64 4E A5 6D 80 B0 C2 14 26 81 5F E5 3B 90 BB 92 ED 5D
47 43 FF 99 82 69 B1 21 DE 49 30 FE 5D 06 AA 03 B8 8D 3B C8 B5 8D F8 B9 39 C4 15 A9 FB 6B 21 3C 22 51 18 D1 DA E1 BB D4 44 B5 84 F1 49 98 98 99 B0 E6 CD B8 8E 01 6F E4 0D 85 50 E1 28 19 DE 55 E0 6B B2 FA 6F A4 25 7F 25 62 B4 18 A7 85 5A DE 63 65 4A B6 E0 CA 0C F2 5A C4 82 40 05 F7 C8 85 EF A6 64 74 E9 96 4F 87 4D 50 A5 B7 6D C9 8C FC 64 15 31 B9 7F 1B 14 50 82 C6 96 9C 3D CF BC 9D 9D 59 4A 4E EE 8C 86 DF C5 55 3D B8 58 93 1D D5 15 B3 83 37 54 82 26 6D 0E 8F 50 25 EA 0A D2 5C ED B1 F5 84 3A 70 40 27 F5 58 C7 B5 98 5C 04 CC BD BC 6A E4 FB 79 FE E1 FC DC A4 D3

Decrypted:

Code:

47 03 FF 38 7B 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF D9 6C 28 44 F7 67 2A CC 72 77 F4 A1 21 A5 B4 CE 40 22 E8 FD 88 81 6C 7A FF 1C 6D 14 01 0A A0 A5 A3 B7 B6 FF F0 3B 28 D2 0D 0B 1F 08 7D 15 92 BE 7C 8C B5 CA A7 44 54 67 38 98 00 00
47 43 FF 19 00 00 01 E0 00 00 80 C0 0A 39 85 41 CC 75 19 85 41 B0 55 00 00 00 01 09 50 00 00 00 01 06 01 01 14 80 00 00 00 01 01 AE E6 6F 6A 4B FF 57 EF D5 26 BC 14 87 3B 1D B9 DC E0 58 0B 82 02 F2 72 C6 3A 09 D2 72 F6 E8 0F 37 83 92 BE B7 A7 9B 59 F6 FA C4 44 8A 2C CA 6C ED FC 90 46 0B 35 05 AF 87 85 D2 76 EA ED 00 80 9F 5E 11 3D 9B D0 DF AE 51 DD F6 B3 C9 5C 54 27 7E 21 85 BC 7E 90 BA EC 6A 20 85 F2 CF 73 D9 35 52 71 2E 0F A9 8F 45 24 D2 62 9B 53 4D AD D9 15 1F 8D 4E 89 6E 27 69 00 68 8D 7B 55 9F 12 37 65 3A 44 BB 73 46 8B FD 87 51 7D 11 1C 73 8B 16 ED BD

Last 3C bytes of enc and dec before PUSI:

Code:

15 E4 4A B2 12 64 E6 7F 3C 3C A2 D5 47 7D B8 8B B0 2A C3 53 54 73 AE 90 39 2B 76 74 02 BF 44 56 9D C2 0F 65 9F E1 7E 6F 1B F6 64 4E A5 6D 80 B0 C2 14 26 81 5F E5 3B 90 BB 92 ED 5D
D9 6C 28 44 F7 67 2A CC 72 77 F4 A1 21 A5 B4 CE 40 22 E8 FD 88 81 6C 7A FF 1C 6D 14 01 0A A0 A5 A3 B7 B6 FF F0 3B 28 D2 0D 0B 1F 08 7D 15 92 BE 7C 8C B5 CA A7 44 54 67 38 98 00 00

3c = 60 bytes div 8 = gives a rest of 4 bytes
You will should notice the last 4 decoded bytes 38 90 00 00
Only 2 of them are 00 00 ... Why?

CSA Brute Force

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered

Registered