Lab004
In Lab004 we will study the
Feed Hunting process. A process very common among Sat-Universe (SU) users.
Lets create some definitions:
Stream Signal - Any signal coming from the satellite that have some useful media transmitted that can be play or read. For our purpose when we say
stream signal we will be talking about Video or Audio or Video+Audio.
TS Log - A record of a streaming signal.
Open Stream - People use many term to name a signal that is NOT Encrypted, many say Free To Air (FTA), on the clear(OTC), open or just free. We will say
Open to establish that it is not encrypted and watchable.
Feed Hunting - A Sat-Universe (SU) user scan the sky, looking for satellites signals that he could try to see if he can later watch. Once he detect a new candidate, he proceed to record a Full Transponder TS log. SU user hope that he can find useful information in the ts log that will allow him to open the stream in the future.
Service ID (SID) - in general SID represent a Video+Audio Channel. But it can be many number of stream compilations.
Over-the-top media service (OTT) - Todays definition, media content delivered over the Internet. But OTT has been long used before of IPTV on the internet. The OLD definition is just Over-The-Top. And in satellite means that a PID is NOT use for a single Stream media like Video or Audio. Instead multi-stream media is Packed in a single PID. Yes like a FULL transponder inside a single PID. The most common was
IP over Satellite Links (IPSAT). But there is T2MI, DTT and others. In the other hand there is Digital Storage Media Command and Control ( DSM-CC) - DATA Carousel, witch uses MultiStream. Most common is Multi-encapsulation (MPE).
Conditional Access Identification (CAID ) - It define what type of encryption is in used. Method by which one can obfuscate a digital-television stream, with access provided only to those with valid decryption subscription..
Crypt8 - I have not seen a definition, so here is mine,
Crypt8 are the 1rst 8 byte sequence in the PAY Load, when a whole or part of the Pay Load of a 188 TS gets repeated several time.
Once the SU user have a TS Log he will use TransEdit to study the various PIDs, Service IDs, and the CAID system used.
In general the process from goes from
Log =>
Crypt8 =>
CSA CW.
To get the
Crypt8 SU user uses colibri's CSA RBT. You do not need to have GPU to search for crypt8. GPU is only require to find CSA CW.
If the crypt8 is from the video PID and uses the h264 codec, then it is the FFh table. If the crypt8 is from the video PID and uses the mpeg2 codec, then it is the 00h table. If there are 3 similar high counting crypt8's, then may be the 030000h table.
For this LAB004 we will be using
example_tandberg_EE.ts
Lets create some working directories.
Code:
[WINKEY]+R CMD [ENTER]
> mkdir "C:\Apps\Home\cryptodir\Labs\004"
> cd C:\Apps\Home\cryptodir\Labs\004
> copy C:\Apps\Home\ts_examples\example_tandberg_EE.ts example_tandberg_EE.ts
If you are WIN GUI fanatic, you can use transedit to inspect our
example_tandberg_EE.ts.
Code:
PID HexPID StreamType Encrypted kbps Percent ServiceName
0 0x0000 PAT - 15.14 0.80 N/A
2228 0x08B4 H.264 Video $ 1705.67 90.16 _Service 465
2229 0x08B5 MPEG Audio $ 138.79 7.34 _Service 465
2230 0x08B6 PMT - 15.14 0.80 _Service 465
3154 0x0C52 ECM/EMM - 12.15 0.64 _Service 465
3354 0x0D1A ECM/EMM - 5.02 0.27 _Service 465
Lets do it in a NONE GUI fashion. 1rs we find the SID number of our channel.
Code:
> ffprobe -hide_banner -i example_tandberg_EE.ts > out.txt 2>&1
> type out.txt | busybox grep Stream -B5
Program 461
Program 462
Program 463
Program 464
Program 465
Stream #0:0[0x8b4]: Video: h264 ([27][0][0][0] / 0x001B), none, 90k tbr, 90k tbn
Stream #0:1[0x8b5](scc): Audio: mp3 ([3][0][0][0] / 0x0003), 0 channels, fltp
Previous of the streams we are interested, we see
Program 465. We can see then that our SID is
465. WE can also see that we have 2 streams: "[0x8b4]: Video: h264" and "[0x8b5](scc): Audio: mp3"
We can use
oetsdec.exe to try to decrypt. In this sample it will decrypt as we have the key store, So assume key is unknown and Ignore it did decrypt the file. But we can use it transponder analysis.
oetsdec.exe will create a log.txt. Then we can inspect log.txt to show us the transponder analysis.
Code:
>oetsdec.exe example_tandberg_EE.ts 465 out.ts
> type log.txt | busybox grep "stream found"
[Emu] stream found pmt pid: 0x08B6 (2230)
[Emu] stream found pat pid: 0x0000 (0000)
[Emu] stream found ecm pid: 0x0D1A (3354)
[Emu] stream found video pid: 0x08B4 (2228)
[Emu] stream found Audio pid count: 0x0001
[Emu] stream found Audio pid: 0x08B5 (2229)
[Emu] stream found caid: 0x1010 (4112)
From previous sample we know
what are the PIDS been used and that CAID=0x1010 is Tandberg, ECMPID=0x0D1A VPID=0x08B4 APID=0x08B5.
Now lets us colibri's
CSA RBT to get crypt8. My results shows
Code:
9A E1 DC 0F 63 46 2D 53 #[O] PID:08B4h
13 48 57 0B 6A E5 8B E3 #[E] PID:08B4h
00 7D 10 7D 6D 73 94 AB #[O] PID:08B4h
As you see we have both ODD [O] and EVEN [E] keys. And we can see [O] and [E] crypt8 keeps changing. They are not constant. This is because our sample is a TS that have a CAS in this case Tandberg.
In general Feed Hunters look for streams that their [O] and [E] do not change. And that no CAID nor ECM are shown, an indicative that BISS is in used.
After you do run your CSARBT you should find one of this CWs
Code:
9A E1 DC 0F 63 46 2D 53 #[O] PID:08B4h ==> 38 5F 62 F9 4F CA BC D5
13 48 57 0B 6A E5 8B E3 #[E] PID:08B4h ==> 1E E4 4F 51 05 69 CD 3B
00 7D 10 7D 6D 73 94 AB #[O] PID:08B4h ==> 8F 8E 4A 67 1C F3 97 A6
Lets resume. Up to here I had show to the newbie what a feed hunter do to find his BISS CWs. Nothing new here.