Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

LoveMyDish

Confirmation please, as I have not gotten this working as of yet.

To get a key from an EMM.bin file, you find out what the EMM PID is for the channel and record that. For example, PID 0x01F4.

I record it for an hour or for however long. So far, I have recorded for 3 hours... Nothing found as of yet...

Then I use the following command: POC emm.bin
It then says it's in Raw EMM mode.

It should hopefully find any keys that might show up for any of the channels in the transponder mux, correct?

Does someone have a sample emm.bin that they can upload that will find a key? So far, I see it spit out a lot of stuff, but no key is ever found.

Example of stuff spit out:

[Emu] nano 0xE4, mode FF
[Emu] GetEMMKey: key_index(5C), keySet: 1
[Emu] Keys found in EMM: new nano E4 ram keys 10 to 1F
[Emu] nano 0xE4, mode FF
[Emu] GetEMMKey: key_index(5C), keySet: 1
[Emu] nano 0xE4, mode FF
[Emu] GetEMMKey: key_index(5C), keySet: 1
[Emu] nano 0xE4, mode FF
[Emu] GetEMMKey: key_index(5C), keySet: 1
[Emu] nano 0xE4, mode FF
[Emu] GetEMMKey: key_index(5C), keySet: 1
[Emu] Keys found in EMM: new nano E4 ram keys 20 to 2F
[Emu] nano 0xE4, mode FF
[Emu] GetEMMKey: key_index(5C), keySet: 1
[Emu] nano 0xE4, mode FF

Any thoughts?
 

nautilus7

Your bin file does not contain any 0x83 EMMs. You need those to find the ECM keys.

Is this record from IMG @ 7E or 100,5E? Only these feeds contain such EMMs.

What exactly are you trying to find?
 

hapeba

@Nautilus7
You have changed the version number only in the file "VERSION".
Not in the file "module-emulator-osemu.c".
 

kebien

Nautilus7.
I think that check is superfluous and may work against autoroll in their favor, by just inserting any data there by the provider.
As an example, the ECM key gotten by brute force carries a 01, a remaining bit from the process.
That bit doesn't break the correct decryption.
My only worry is if the provider decides to set that bit, this key validation check won't allow a good key to be written.
 

nautilus7

Hi,

ECM keys are used in DES encryption/decryption. So, in each byte of the ECM key, the last bit (LSB) is a parity bit. Odd parity in particular.

If you check the keys sent by EPL and found by osemu, they DO NOT respect that rule. Not only in the last byte, which is always 0x00 instead of the correct 0x01, but in other bytes as well. Those parity bits are not used anywhere in the DES encryption/decryption algorithm though, so no harm done. They are meant for key validation purposes.

Anyway, if they start sending keys (that respect the parity rule) ending in 0x01 or start using the last byte, I will edit the code to accept such keys as valid as well.

In addition, the check I added applies only to ECM keys found by EMM streams. You can add whatever ECM key you like in the softcam.key and it will be accepted fine.
 
Last edited:
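
The DES parity rule from the post above, as an added example that is not part of the thread or of osemu's code: it checks odd parity per key byte and applies the standard PC-1 permutation to show that the parity bits never reach the key schedule. Function names are hypothetical, and the sample key is a constructed variant of a well-known textbook key.

```python
# DES PC-1 table (FIPS 46-3). Positions are 1-based; bit 1 is the MSB of byte 0.
# Positions 8, 16, ..., 64 (the LSB of each byte) never appear in it.
PC1 = [
    57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
    10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
    14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4,
]


def parity_violations(key: bytes) -> list[int]:
    """Indexes of key bytes that do not contain an odd number of 1 bits."""
    return [i for i, b in enumerate(key) if bin(b).count("1") % 2 == 0]


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the LSB of every byte so that each byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (1 if bin(high7).count("1") % 2 == 0 else 0))
    return bytes(out)


def effective_key(key: bytes) -> int:
    """Apply PC-1: the 56 bits DES actually feeds into its key schedule."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    k = int.from_bytes(key, "big")
    out = 0
    for pos in PC1:
        out = (out << 1) | ((k >> (64 - pos)) & 1)
    return out


# Constructed sample: textbook key 133457799BBCDFF1 with the parity bit
# cleared in bytes 0 and 7, so those two bytes break the odd-parity rule.
SAMPLE = bytes.fromhex("123457799BBCDFF0")
FIXED = set_odd_parity(SAMPLE)

if __name__ == "__main__":
    print("bytes failing odd parity:", parity_violations(SAMPLE))
    print("parity-corrected key:    ", FIXED.hex().upper())
    print("same 56-bit key material:", effective_key(SAMPLE) == effective_key(FIXED))
```

A parity check of this kind can only reject a malformed key; a key that passes it is not thereby shown to be correct.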

Ragnarok

I've not seen any ecm keys have anything but a 00 at the end of them from the EMM stream in POC or oscam, since August that haven't been fake

It will help stop oscam writing garbage keys to the softcam .key when any part of the relevant 82 or 83 table EMMs gets corrupted by a bad signal.

You can still use the old patch, :D
 

nautilus7

> I've not seen any ecm keys have anything but a 00 at the end of them from the EMM stream in POC or oscam, since August that haven't been fake
>
> It will help stop oscam writing garbage keys to the softcam .key when any part of the relevant 82 or 83 table EMMs gets corrupted by a bad signal.
>
> You can still use the old patch, :D

I agree.

@all, but just remember that with this fix it DOES NOT mean that EVERY key ending in 0x00 and thus being written in softcam.key is CORRECT. There will be keys ending in 0x00 that would be invalid as well. The correct key for each entitlement will be the last one written for that entitlement, as has always been the case.
 

kebien

Nautilus7
So, in case the EMM key is expired, the patch won't stop autoroll from writing bad keys to the softcam file.

In my view, a check to stop the expired keys (000030FE.....) from being written has a lot more value than a check on that 00.

I commend you for your work, by the way; it is always important to have good people in this hobby.
 

nautilus7

By "EMM key" do you mean the MK keys? What exactly do you mean by "expired keys (000030FE)"?

Can you be more detailed about what you mean? I don't really understand.
 

pramote1802

> I've not seen any ecm keys have anything but a 00 at the end of them from the EMM stream in POC or oscam, since August that haven't been fake
>
> It will help stop oscam writing garbage keys to the softcam .key when any part of the relevant 82 or 83 table EMMs gets corrupted by a bad signal.
>
> You can still use the old patch, :D

I have same problem Enigma2 mips pli4 mbmini not see EMM tables 82 83

I will go back to logs emm.bin is old version for use poc 1.6

I not have T MK it not work if do not have it

now I use some receiver for see EMM it autorow
 

freon

A bit of help, please.
Arena Sport 3
Hellas SAT 39°E
TP 11135,V,30000,8PSK
Key is there, I've got a dscription in oscam info, but screen stays black!?
Even if I remove key it's decoding but black screen???
 
ooOO_SORGOS_OOoo

Freon, what is your receiver?
Delete/erase all arena sports channels with channel list and scan again same frequencies
 

freon

Vu+ Solo2, Vu+ Zero, Dreambox 500 HD.
All the same, have the signal, no problem with that.
Other Arenas are working just fine, only Arena3 is the problem.
 