Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

K

kebien

Registered
Messages
1,329
Is that for a key that has nor being found?
And one of those feeds where they do not send ecm keys?
They can schedule to send keys once a day,once a week,once a month,who really knows.
This give you a scope about what could be considered a waste of time,we all value our time differently.

Bu why not try to see if the key can be bruteforced by one of the kind members of this board?
 
fiji

fiji

Member
Messages
1,096
LoveMyDish said:
I want to make sure i am not spending a week wasting my time. I am recording a mux for 1 week. I verified the tandberg EMM pid is 500 for this particular mux. That is the only PID i need to record???

Is that correct? or do i need to record the EMM and ECM pids?

The EMM PID 500 is recording at about 100 megs per 24 hours.
Click to expand...

2 minutes enough recording ts file space for searching tandberg ecm
upload your recording ts file link here we try to search ecm .
 
L

LoveMyDish

Registered
Messages
155
kebien said:
Is that for a key that has nor being found?
And one of those feeds where they do not send ecm keys?
They can schedule to send keys once a day,once a week,once a month,who really knows.
This give you a scope about what could be considered a waste of time,we all value our time differently.

Bu why not try to see if the key can be bruteforced by one of the kind members of this board?
Click to expand...

I am aware that they can send keys at random times, if ever, but I just wanted to make sure I was doing it correctly.

I will send a .TS file shortly with specs on it. A brute force on it would be appreciated, but i also was curious as to how often they are sending keys down the pipe. But, if i wasn't doing it right, then the check is worthless.
 
L

LoveMyDish

Registered
Messages
155
Here is a link to the .TS file. Specs are in the filename.
Ps, if you don't mind running through the process of the brute force.

From what i have read, If i am following correctly, you use the Rainbow Table to discover a decrypted CW. You then have a comparison of the encrypted CW found in the ECM pid. You then run that through a DES bruteforce decryption such as hash cat. Either i missed it, was there a final mention on how you know you got the right encrypted/decrypted CW's that you brute force.

http://s000.tinyupload.com/index.php?file_id=05609947075146292102

Thank you. I appreciate every ones input.
 
Last edited:
K

kebien

Registered
Messages
1,329
LoveMyDish said:
Here is a link to the .TS file. Specs are in the filename.
Ps, if you don't mind running through the process of the brute force.

From what i have read, If i am following correctly, you use the Rainbow Table to discover a decrypted CW. You then have a comparison of the encrypted CW found in the ECM pid. You then run that through a DES bruteforce decryption such as hash cat. Either i missed it, was there a final mention on how you know you got the right encrypted/decrypted CW's that you brute force.

http://s000.tinyupload.com/index.php?file_id=05609947075146292102

Thank you. I appreciate every ones input.
Click to expand...

Isn't that a powervu encrypted service? A&E at 4120mhz?
This thread is Tandberg
 
ViaHussun

ViaHussun

Donating Member
Messages
4,098
kebien said:
Isn't that a powervu encrypted service? A&E at 4120mhz?
This thread is Tandberg
Click to expand...

Not Powervu
Tandberg

Ads_z2.png
 
K

kebien

Registered
Messages
1,329
ViaHussun said:
Not Powervu
Tandberg

Ads_z2.png
Click to expand...

What does it mean "not transmitted PID"
does it means is empty?
If is empty,then is not encrypted in Tandberg,because none of the intended IRDS could decrypt it,unless is using a fixed key.
But maybe it means something else.
 
L

LoveMyDish

Registered
Messages
155
kebien said:
Isn't that a powervu encrypted service? A&E at 4120mhz?
This thread is Tandberg
Click to expand...

It's Tandberg. I looked back to see what the confusion was. I apologize. I recorded the .ts with EBSPRO and although the transponder was listed right, the satellite wasn't. The satellite is 103w.

A helpful fellow user emailed me some keys, but the keys were the ECM keys. POC.exe fetches EMM keys. This mux seems to rotate keys like every 5 seconds. Has there been another way of discovering the EMM keys, or is there confusion somewhere?
 
K

kebien

Registered
Messages
1,329
LoveMyDish said:
It's Tandberg. I looked back to see what the confusion was. I apologize. I recorded the .ts with EBSPRO and although the transponder was listed right, the satellite wasn't. The satellite is 103w.

A helpful fellow user emailed me some keys, but the keys were the ECM keys. POC.exe fetches EMM keys. This mux seems to rotate keys like every 5 seconds. Has there been another way of discovering the EMM keys, or is there confusion somewhere?
Click to expand...

ECM keys is all you need to get video.
POC gets you the ecm keys.
But for this it must collect data that come in the stream,plus a key found in firmware.
POC has this key embedded,so it collects the data and is able to decrypt EMM to get the ECM keys.

You can autoroll using the firmware key,some emulators like oscam can do that.
Read the beginning of this thread to find POC source code.
But depends on the provider to still using the same key update method
 
Dave5118

Dave5118

Feed Hunter
Messages
1,147
harshy said:
Guys we have a new problem with img3 eu, new nano we have to figure this out somehow!
Click to expand...
I have a few minutes record of the ARQ PL Clips Tandberg feed that popped up this afternoon, if anyone wants to 'analyze' it ;) It's 200MB in size.
It appeared to be using the new 'encryption' too.
 
You must log in or register to reply here.
Top