Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

0

007.4

VIP
Messages
364
As already mentioned, the new AES table could be in an xml file sent by email to the official users to upload to their boxes manually on a regular basis.
 
H

harshy

Well Known Member
Messages
746
Yeah but as kebian has said we need a recording of full feed with known DES key and AES key to see if it’s embedded in the full stream, it has to be otherwise the stream can’t authenticate the AES key.
 
Last edited:
N

nautilus7

VIP
Messages
607
Added support for nanoType EC in oscam-emu: hxxps://github.com/oscam-emu/oscam-emu/commit/66b5c46b7a70f872d4220a35721f69b0f1781a75

Code: 
emu 750 - Add Director (Tandberg) v6
- Support for NanoType "EC"
- Add "aes_cbc_encrypt" function to emu
- Unify Tandberg key calling functions

AES keys are accepted in this form:

Code: 
T 00 AES XXXXX...XXXXXX ;
T 01 AES XXXXX...XXXXXX ;
T 02 AES XXXXX...XXXXXX ;
T 03 AES XXXXX...XXXXXX ;
.
.
.
T 1D AES XXXXX...XXXXXX ;
T 1E AES XXXXX...XXXXXX ;
T 1F AES XXXXX...XXXXXX ;

It remains unknown if the keys we have are valid or not and whether we input them in the right way (number of bytes, etc).
 
Last edited:
A

ARA$H

Banned
Messages
1,081
Repeat and repeat ...........
Without having new AES keys
This algorithm will not be active
....
 
fiji

fiji

Well Known Member
Messages
1,097
harshy said:
Yeah but as kebian has said we need a recording of full feed with known DES key and AES key to see if it’s embedded in the full stream, it has to be otherwise the stream can’t authenticate the AES key.
Click to expand...

Need recording ts file for test if any user have signal .
minnimum 5 minutes recording ts file with full patch .
 
E

egydoctor2010

Member
Messages
66
nautilus7 said:
Added support for nanoType EC in oscam-emu: hxxps://github.com/oscam-emu/oscam-emu/commit/66b5c46b7a70f872d4220a35721f69b0f1781a75

Code: 
emu 750 - Add Director (Tandberg) v6
- Support for NanoType "EC"
- Add "aes_cbc_encrypt" function to emu
- Unify Tandberg key calling functions

AES keys are accepted in this form:

Code: 
T 00 AES XXXXX...XXXXXX ;
T 01 AES XXXXX...XXXXXX ;
T 02 AES XXXXX...XXXXXX ;
T 03 AES XXXXX...XXXXXX ;
.
.
.
T 1D AES XXXXX...XXXXXX ;
T 1E AES XXXXX...XXXXXX ;
T 1F AES XXXXX...XXXXXX ;

It remains unknown if the keys we have are valid or not and whether we input them in the right way (number of bytes, etc).
Click to expand...

how to put AES keys with this oscam
can i include AES_Keys.txt in keys or what ?
 
C

campag5242

@egydoctor2010

For oscam you need to enter the aes in in SoftCam.Key, laid out as nautilus7 described.

Nobody has a working 16-byte aes key. There are some keys posted on this forum which are 19 bytes long. They may be valid or not, nobody knows.

It looks like the first byte of the 19 is the key index (it runs from 0x00 to 0x1F). Problem then is, how do we obtain a 16-byte key from the remaining 18 bytes?
 
H

harshy

Well Known Member
Messages
746
vtcc said:
Yes it's like this type:D

<?xml version="1.0" encoding="UTF-8"?>

<!--Ericsson Television DCP-->

-<dcpDoc ver="1.0">


-<tcfData ver="1.0">


-<Node N="CA">

<Struct N="key#1" V="00XXXX0D5BD80EE2F518614F1000401FD136000"/>

<Struct N="key#2" V="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"/>

<Struct N="key#3" V="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"/>

</Node>

</tcfData>

</dcpDoc>
Click to expand...

Is this one of their xml files?
 
E

egydoctor2010

Member
Messages
66
img3 eu is now tandberg but how to provide keys

for example only i know that up till now there is no working aes keys

my oscam is asking for active entitlement 691
and T B AES key

can some one provide an example please
 
A

aspirepy

Well Known Member
Messages
1,901
Here is a tandberg feed of today and the log that corresponds to it:
poc 1.6_mod_2
TS mode
[Emu] info: FFDecsa parallel mode = 32
[Emu] stream found emm_pid: 1FE
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
[Emu] got EMM nano tag E7 (EMM_TAG_OVERALL_ENTITLEMENT_DESCRIPTOR) for the first time
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
82 70 B4 01 DE 1D 82 01 33 0E 7F 02 08 00 21 0B
63 F0 2C E0 2A FF 01 00 00 00 00 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
DE 1D 82 01 01 0E 7F 02 08 00 21 17 E3 F0 2C E0
2A FF 01 00 00 00 00 00 00 02 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 01 DE 1D 82 01
1A 5B 0C 02 08 00 21 92 63 F0 2C E0 2A FF 01 00
00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00
[Emu] got EMM nano tag E0 (EMM_TAG_RECEIVER_ALLOCATION_DESCRIPTOR) for the first time
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
82 70 B4 01 DE 1D 82 01 E0 48 71 02 08 00 21 CE
B2 F0 2C E0 2A FF 01 00 00 00 00 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
DE 1D 82 01 2E 3A 71 02 08 00 21 12 9C F0 2C E0
2A FF 01 00 00 00 00 00 00 02 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 01 DE 1D 82 01
33 31 71 02 08 00 21 57 E3 F0 2C E0 2A FF 01 00
00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00

emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
82 70 B4 01 DE 1D 82 01 75 B0 97 02 08 00 21 57
E3 F0 2C E0 2A FF 01 00 00 00 00 00 08 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
DE 1D 82 01 00 91 97 02 08 00 21 4F 9C F0 2C E0
2A FF 01 00 00 00 00 00 08 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 01 DE 1D 82 01
E5 4A 71 02 08 00 21 38 63 F0 2C E0 2A FF 01 00
00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00
emm:
83 70 0A 00 21 6A 63 F0 04 E7 02 FF FF
emm:
82 70 92 00 69 BB 42 F0 8C E4 8A 01 FE 2F 23 4A
DB 97 D3 6D 60 C2 9E 51 A9 B9 7D 9E 50 30 25 D6
80 C3 63 55 3D 33 87 91 FD 70 E6 72 9B 54 71 45
AA 28 68 5A 55 78 AE F0 C8 F2 80 C9 91 19 68 8F
53 A2 D0 71 8D 46 79 49 86 B0 52 2E ED 02 F4 BF
24 22 C5 A4 D3 CE 49 01 52 F4 09 D9 BC 05 BD 89
CB 4C 7B 25 05 7B 24 E3 58 9B 76 C2 D8 BC CE BA
8A 37 1B 02 FD 2D 57 8C CB 69 97 10 7E 5D 9C 88
93 25 22 0B C9 96 0A 7F 67 ED C2 21 79 0D C2 69
DA 40 2B 62 8A
[Emu] got EMM nano tag E4 (EMM_TAG_SECURITY_TABLE_DESCRIPTOR) for the first time
[Emu] nano 0xE4, mode 1
[Emu] GetEMMKey: key_index(69), keySet: 2
emmKey:
80 A8 F1 80 F2 3D EF 70
[Emu] Keys found in EMM: new nano E4 ram keys 20 to 2F
 
tani1

tani1

Staff member
Super Moderator
Messages
17,767
New feed active now 10.0°E 11527 V 7120 (ARQ-PL9 CLIPS) on Tandberg V3
 
W

Wilb

Registered
Messages
24
What's the best tool to capture the raw stream from an Enigma2 box?

Sent from my MI 5 using Tapatalk
 
barney115

barney115

Donating Member
Staff member
Administrator
Messages
24,827
Wilb said:
What's the best tool to capture the raw stream from an Enigma2 box?

Sent from my MI 5 using Tapatalk
Click to expand...
DVB Snoop .
But please try staying on topic and open new thread topic with your questions in correct section of the forum please .
 
B

bigs15

Senior Member
Messages
435
3946 v 7120 Asiasat 5 Tandberg

AESkey found more internet before have feed test Tandberg v3, 20AESkey will not work 1000%
 
You must log in or register to reply here.
Top