Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

MAHDI-DZ

@nautilus7
Note from a member ....
different line

9918: + if(!FindKey('T', 0x40, 0, "MK", buf, 8, 0, 0, 0, NULL) && !FindKey('T', 0x40, 0, "MK01", buf, 8, 0, 0, 0, NULL))

instead of

9918: + if(!FindKey('T', 0x40, 0, "MK", buf, 8, 0, 0, 0, NULL) )//|| !FindKey('T', 0x40, 0, "MK01", buf, 8, 0, 0, 0, NULL))
 

budiarno



Just edited some of the code by Nautilus7, and now my OSCam-Emu no longer needs any MK key inserted into SoftCam.Key.

Btw, thanks to Nautilus7 for the patch and Anubis_Ir for the Poc.

 

nautilus7

If you put softCam.Key into oscam-svn directory and then compile, the keys from softcam will be included into the code.

It says so in the readme of oscam-emu, I haven't tried.
 

budiarno

If you put softCam.Key into oscam-svn directory and then compile, the keys from softcam will be included into the code.

It says so in the readme of oscam-emu, I haven't tried.

I've tried that way for PowerVu keys (and it works), but not for the MK keys (I think it should also work).

But unfortunately, I just want to learn how OSCam works (specifically the emulator part) and the C language at the same time. So I decided to do it the other way, I mean by working around the source code (not really adding more lines to the code, just copying and pasting).
 

pramote1802

Need help to extract firmware

@JimBizkit: Yes
The real range of a KeyIdx byte in tab id 82 and 83 is 00..7Fh.

Typically tab id 82 use only range 40h..7Fh.
Typically tab id 83 use only range 0..3Fh.

Range 0..3Fh represents the 40h EMM keys that are stored in RAM.
Range 40h..7Fh represents the 40h EMM keys that are stored in ROM/firmware.

In the first post I posted only the EMM key needed (for my first recording), with KeyIdx 58h (D5 B0 49 40 0D FB 83 25).

Typically every few minutes the EMM key index in tab id 82h will increment ( ... 7Dh, 7Eh, 7Fh, 40h, 41h, ...).

So we need the firmware to extract the 40h EMM keys (the firmware isn't encrypted).

firmware_update.zip
_https://mega.nz/#!1Q5zVLrQ!M6MIm2WKcC1Y79BCVT9thy0kt10wMGPFDj7t9gHVKBY

You don't need a disassembler.
There is a single big block present with all 40h keys together and you have already one EMM key that you can use as search pattern to find the block.


How to open the firmware and search?
What software opens the file?
Please show an example of how to do it.
 

nautilus7

By "now", you mean now? Now IMG @7E is barca tv and it's in biss. How can tandberg autoroll be active?

I get nothing at the time of writing (now)...
 

budiarno

By "now", you mean now? Now IMG is barca tv and it's in biss. How can tandberg autoroll be active?

I get nothing at the time of writing (now)...
Yup, "now" means at this moment, when IMG is on BISS. The Tandberg EMMs are broadcast even though the channel is in BISS at this time.
 

nautilus7

At 7E or at 100.5E???

I get no EMMs at the moment at 7E.

Maybe it's both Tandberg AND BISS at 100.5E at the moment. It happens sometimes.
 

budiarno

At 100.5E. If we check with dvbsnoop, even the BISS is not there at all (I don't know why, but maybe it's my dvbsnoop problem).
 

nautilus7

Try to restart your oscam, or change channel and go back to IMG again. Maybe this happens at the moment they change from BISS to Tandberg and oscam gets confused.
 

budiarno

Try to restart your oscam, or change channel and go back to IMG again. Maybe this happens at the moment they change from BISS to Tandberg and oscam gets confused.

I've tried that many times; even restarting Enigma2 gives the same result. I recorded the OSCam log here to show what's going on:



Oh, by the way, ignore the channel name detection (it's just detected incorrectly).