campag5242
Thanks for the correction, I counted wrongly!
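// Compute the 16-bit check value that TandbergVerifyPDU compares against the
// "signature" bytes stored in an ECM/EMM PDU.
//
// The block is read as big-endian 16-bit words, the words are added modulo
// 2^16, the sum is raised to the 7th power modulo 2^16, and the result is
// XORed with the constant 0x17E3.
//
// block: first byte of the data to be summed.
// len:   number of bytes to sum. Bytes are consumed in pairs, so when len is
//        odd the last word takes its low byte from block[len]; the caller
//        must make sure that byte is readable.
//
// Returns the 16-bit check value.
//
// NOTE(review): no secret enters this computation - the result depends only
// on the bytes passed in - so as written it detects corruption; it is not a
// keyed MAC and should not be relied on for authentication.
uint16_t TandbergSignBlock(uint8_t * block, uint8_t len)
{
    // The index is wider than len on purpose: with a uint8_t index, i += 2
    // wraps from 254 to 0 when len is 255 and the loop never terminates.
    unsigned int i;
    uint16_t sum = 0;
    uint32_t power;
    int k;

    for (i = 0; i < len; i += 2) {
        sum += (uint16_t)((block[i] << 8) | block[i + 1]);
    }

    // sum^7 modulo 2^16. The original sum*sum*... multiplied promoted
    // (signed) ints, which overflows - undefined behaviour - once the sum is
    // large; unsigned 32-bit arithmetic reduced after every step gives the
    // same low 16 bits without overflow.
    power = sum;
    for (k = 0; k < 6; k++) {
        power = (power * sum) & 0xFFFFu;
    }

    return (uint16_t)(power ^ 0x17E3u);
}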
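// Check the 16-bit "signature" embedded in an ECM/EMM PDU.
//
// pdu: the PDU beginning with the table_id (0x80/0x81 = ECM, 0x82/0x83 = EMM)
//      and including any padding 0xff byte; when the summed length is odd,
//      TandbergSignBlock reads one byte past that length.
//
// Returns 1 if the stored value equals the calculated one, 0 otherwise
// (unknown table_id, unknown EMM permission type, length bytes that do not
// fit together, or a mismatch).
//
// NB: sets the signature bytes in the PDU to 0x00 before the value is
// calculated (simplifies signing), so the caller's buffer is modified.
//
// No buffer size is passed in, so the only bounds available are the length
// bytes carried in the PDU itself. Those come from the received data and are
// checked against each other before anything is read or overwritten at an
// offset derived from them. The caller must still supply a buffer that holds
// at least the first four bytes and, for an accepted PDU, 3 + pdu[2] bytes
// plus the padding byte.
int8_t TandbergVerifyPDU(uint8_t *pdu)
{
    uint8_t sigOK = 0, offset = 0, length = 0, permissionLen = 0;
    uint16_t signature = 0, calculated;
    unsigned int sigPos = 0;     // index of the first signature byte
    unsigned int sectionEnd;     // index one past the section, from pdu[2]

    if (0x80 == (pdu[0] & 0xfe)) { // ecm
        // TODO (from the original post): check for Ex?
        sectionEnd = 3u + pdu[2];
        if (pdu[2] < 4) {
            // The signature sits in the last two bytes of the section; with
            // fewer than 4 bytes it would overlap pdu[3..4] or, for very
            // small values, the memset would clobber pdu[1..2].
            printf("Inconsistent section length\n");
        }
        else {
            sigPos = pdu[2] + 1u;
            offset = 5;
            length = pdu[4];
            if (offset + (unsigned int)length > sectionEnd) {
                // Summed block would run past the end of the section.
                printf("Inconsistent section length\n");
            }
            else sigOK = 1;
        }
    }
    else if (0x82 == (pdu[0] & 0xfe)) { // emm
        sigOK = 1;
        switch (pdu[3]) { // permission type
        case 0x00:
            permissionLen = 0x00;
            break;
        case 0x01:
            permissionLen = 0x0A;
            break;
        case 0x02:
            permissionLen = 0x26;
            break;
        default:
            printf("Unknown permission type\n");
            sigOK = 0;
            break;
        }
        if (sigOK) {
            sectionEnd = 3u + pdu[2];
            sigPos = permissionLen + 5u;
            if (sigPos + 2u > sectionEnd) {
                // Signature bytes would lie beyond the declared section.
                printf("Inconsistent section length\n");
                sigOK = 0;
            }
            else {
                offset = 3;
                length = pdu[2];
            }
        }
    }
    else printf("Unknown table_id %02X\n", pdu[0]);

    if (sigOK) { // we have identified a block for signing
        signature = (uint16_t)((pdu[sigPos] << 8) | pdu[sigPos + 1]);
        memset(&pdu[sigPos], 0, 2);
        calculated = TandbergSignBlock(&pdu[offset], length);
        printf("Calc: %04X, Signed: %04X\n", calculated, signature);
        if (signature != calculated) sigOK = 0;
    }
    return sigOK;
}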
This seems to be working for both ECM & EMM.
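// Compute the 16-bit check value that TandbergVerifyPDU compares against the
// "signature" bytes stored in an ECM/EMM PDU.
//
// The block is read as big-endian 16-bit words, the words are added modulo
// 2^16, the sum is raised to the 7th power modulo 2^16, and the result is
// XORed with the constant 0x17E3.
//
// block: first byte of the data to be summed.
// len:   number of bytes to sum. Bytes are consumed in pairs, so when len is
//        odd the last word takes its low byte from block[len]; the caller
//        must make sure that byte is readable.
//
// NOTE(review): no secret enters this computation - the result depends only
// on the bytes passed in - so as written it detects corruption; it is not a
// keyed MAC and should not be relied on for authentication.
uint16_t TandbergSignBlock(uint8_t * block, uint8_t len)
{
    // The index is wider than len on purpose: with a uint8_t index, i += 2
    // wraps from 254 to 0 when len is 255 and the loop never terminates.
    unsigned int i;
    uint16_t sum = 0;
    uint32_t power;
    int k;

    for (i = 0; i < len; i += 2) {
        sum += (uint16_t)((block[i] << 8) | block[i + 1]);
    }

    // sum^7 modulo 2^16, computed in unsigned 32-bit arithmetic and reduced
    // after every step; the original sum*sum*... multiplied promoted signed
    // ints, which overflows (undefined behaviour) for large sums.
    power = sum;
    for (k = 0; k < 6; k++) {
        power = (power * sum) & 0xFFFFu;
    }

    return (uint16_t)(power ^ 0x17E3u);
}

// Check the 16-bit "signature" embedded in an ECM/EMM PDU.
//
// pdu: the PDU beginning with the table_id (0x80/0x81 = ECM, 0x82/0x83 = EMM)
//      and including any padding 0xff byte; when the summed length is odd,
//      TandbergSignBlock reads one byte past that length.
//
// Returns 1 if the stored value equals the calculated one, 0 otherwise
// (unknown table_id, unknown EMM permission type, length bytes that do not
// fit together, or a mismatch).
//
// NB: sets the signature bytes in the PDU to 0x00 before the value is
// calculated (simplifies signing), so the caller's buffer is modified.
//
// No buffer size is passed in, so the only bounds available are the length
// bytes carried in the PDU itself. Those come from the received data and are
// checked against each other before anything is read or overwritten at an
// offset derived from them.
int8_t TandbergVerifyPDU(uint8_t *pdu)
{
    uint8_t sigOK = 0, offset = 0, length = 0, permissionLen = 0;
    uint16_t signature = 0, calculated;
    unsigned int sigPos = 0;     // index of the first signature byte
    unsigned int sectionEnd;     // index one past the section, from pdu[2]

    if (0x80 == (pdu[0] & 0xfe)) { // ecm
        // TODO (from the original post): check for Ex?
        sectionEnd = 3u + pdu[2];
        if (pdu[2] < 4) {
            // The signature sits in the last two bytes of the section; with
            // fewer than 4 bytes it would overlap pdu[3..4] or, for very
            // small values, the memset would clobber pdu[1..2].
            printf("Inconsistent section length\n");
        }
        else {
            sigPos = pdu[2] + 1u;
            offset = 5;
            length = pdu[4];
            if (offset + (unsigned int)length > sectionEnd) {
                // Summed block would run past the end of the section.
                printf("Inconsistent section length\n");
            }
            else sigOK = 1;
        }
    }
    else if (0x82 == (pdu[0] & 0xfe)) { // emm
        sigOK = 1;
        switch (pdu[3]) { // permission type
        case 0x00:
            permissionLen = 0x00;
            break;
        case 0x01:
            permissionLen = 0x0A;
            break;
        case 0x02:
            permissionLen = 0x26;
            break;
        default:
            printf("Unknown permission type\n");
            sigOK = 0;
            break;
        }
        if (sigOK) {
            sectionEnd = 3u + pdu[2];
            sigPos = permissionLen + 5u;
            if (sigPos + 2u > sectionEnd) {
                // Signature bytes would lie beyond the declared section.
                printf("Inconsistent section length\n");
                sigOK = 0;
            }
            else {
                offset = 3;
                length = pdu[2];
            }
        }
    }
    else printf("Unknown table_id %02X\n", pdu[0]);

    if (sigOK) { // we have identified a block for signing
        signature = (uint16_t)((pdu[sigPos] << 8) | pdu[sigPos + 1]);
        memset(&pdu[sigPos], 0, 2);
        calculated = TandbergSignBlock(&pdu[offset], length);
        printf("Calc: %04X, Signed: %04X\n", calculated, signature);
        if (signature != calculated) sigOK = 0;
    }
    return sigOK;
}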
Please note I am new (~1 week) to this CAS, so not certain about correctness & completeness re parsing all types of ECM & EMM for the location of the signature bytes.
I found out couple curious things in the time testing tandberg.IMG3 EU back now with v3 (or should that be v2.EC?)
How is even an original box supposed to open this channel when there appear to be constant & frequent key-updates solely for Entitlement_ID 0691, whereas the ECM is using 0692?
Sorry, correction, updates for 692 & 693 are there, just much less frequent.
Yes, I was very keen on nagra1 back in the day. I haven't been active in a long while, sorry if I don't recall you :-(. 1800 was very much my favourite CAS, now it's becoming 1010.
campaq5242 said:...Play with algo modifications to your heart's content trial-decrypting the ECMs until you see some evidence of CW cycling in the decrypted packets.....
Watching ROM102 being dumped live on cardcoders coders forum was a highlight for me
No sign of nano 0xec parser in available firmwares
found 0xee and 0xed but 0xec is not there :-(
does anyone know which firmware for rx8000 is last one and that works with new ECM?
i have a rx8200 but i do not know how to update it. If someone has RX8200s, please make dump file from this decoder. Maybe its new firmware, and a solution to decrypt V3 with making a POC..