Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*


campag5242

This seems to be working for both ECM & EMM.
Code:
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Checksum over the signed block: add up the 16-bit big-endian words, raise
   the 16-bit sum to the 7th power (mod 2^16) and XOR with 0x17E3.
   The sum is kept in uint32_t: chaining seven multiplications on a 16-bit
   value promoted to int overflows signed int, which is undefined behaviour
   in C, while unsigned wrap-around leaves the low 16 bits we return unchanged.
   len is expected to be even; a trailing odd byte is ignored instead of
   reading past the end of the block. */
uint16_t TandbergSignBlock(uint8_t * block, uint8_t len)
{
	uint8_t i;
	uint32_t sum=0;

	for (i=0; i+1<len; i+=2) {
		sum+=(uint32_t)block[i]<<8 | block[i+1];
	}
	sum&=0xFFFF;

	sum=sum*sum*sum*sum*sum*sum*sum;	/* sum^7, low 16 bits are all that matter */

	return (uint16_t)(sum^0x17E3);

}

//pass this function the ecm/emm PDU beginning with the table_id 0x80/81/82/83 including any padding 0xff byte.
//returns 1 if signature OK, 0 elsewise.
//NB sets the signature bytes in the PDU to 0x00's (simplifies signing).
//NB no bounds checking: the caller must make sure the buffer holds the complete section.

int8_t TandbergVerifyPDU(uint8_t *pdu)
{
	uint8_t sigOK=0, offset=0, length=0, permissionLen=0;
	uint16_t signature=0, calculated;

	if (0x80==(pdu[0]&0xfe)) { //ecm: signed block after the 5-byte header, signature at pdu[2]+1
		//check for Ex?
		signature=(uint16_t)(pdu[pdu[2]+1]<<8 | pdu[pdu[2]+2]);
		memset(&pdu[pdu[2]+1], 0, 2);
		offset=5;
		length=pdu[4];
		sigOK=1;
	}
	else if (0x82==(pdu[0]&0xfe)) { //emm: signed block from the permission type, signature after the permission data
		sigOK=1;

		switch (pdu[3]) { //permission type

			case 0x00:
				permissionLen=0x00;
				break;
			case 0x01:
				permissionLen=0x0A;
				break;
			case 0x02:
				permissionLen=0x26;
				break;
			default:
				printf("Unknown permission type\n");
				sigOK=0;
		}
		if (sigOK) {
			signature=(uint16_t)(pdu[permissionLen+5]<<8 | pdu[permissionLen+6]);
			memset(&pdu[permissionLen+5], 0, 2); //signature lies inside the signed block, hash it as zeros
			offset=3;
			length=pdu[2];
		}

	}
	else printf("Unknown table_id %02X\n", pdu[0]);

	if (sigOK) { //we have identified a block for signing
		calculated=TandbergSignBlock(&pdu[offset], length);
		printf("Calc: %04X, Signed: %04X\n", calculated, signature);
		if (signature!=calculated) sigOK=0;
	}

	return sigOK;
}

Please note I am new (~1 week) to this CAS, so not certain about correctness & completeness re parsing all types of ECM & EMM for the location of the signature bytes.
 
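As an added example (not campag5242's code and not anything from a Tandberg receiver), here is a sign-then-verify round trip in C using the same checksum and the same signature positions as the parser above. Both PDUs are constructed for the demonstration, laid out exactly as that parser indexes them (ECM: body at offset 5 with its length in pdu[4], signature at pdu[2]+1; EMM: block at offset 3 with its length in pdu[2], signature five bytes past the permission data), and every byte value in them is made up; the function names are this example's own. It shows why zeroing the signature bytes before hashing makes signing and verifying the same operation, and that a single flipped bit in either PDU is rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same checksum as the posted TandbergSignBlock: 16-bit big-endian word sum,
 * raised to the 7th power mod 2^16, XOR 0x17E3. Done in uint32_t so that no
 * intermediate product overflows a signed int; the low 16 bits are the same. */
static uint16_t sign_block(const uint8_t *block, size_t len)
{
    uint32_t sum = 0, p;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum = (sum + ((uint32_t)block[i] << 8 | block[i + 1])) & 0xFFFF;
    p = sum;
    for (int k = 0; k < 6; k++)                 /* p = sum^7 mod 2^16 */
        p = (p * sum) & 0xFFFF;
    return (uint16_t)(p ^ 0x17E3);
}

/* Locate signed block and signature with the indices the posted parser uses.
 * Unlike the posted parser it refuses anything that would index outside the
 * buffer or give an odd block length. Returns 1 on success. */
static int locate(const uint8_t *pdu, size_t n, size_t *sig, size_t *off, size_t *len)
{
    if (n < 5) return 0;
    switch (pdu[0] & 0xFE) {
    case 0x80:                                   /* ECM */
        *sig = (size_t)pdu[2] + 1; *off = 5; *len = pdu[4];
        break;
    case 0x82: {                                 /* EMM */
        size_t perm;
        switch (pdu[3]) {                        /* permission type */
        case 0x00: perm = 0x00; break;
        case 0x01: perm = 0x0A; break;
        case 0x02: perm = 0x26; break;
        default:   return 0;
        }
        *sig = perm + 5; *off = 3; *len = pdu[2];
        break;
    }
    default: return 0;                           /* unknown table_id */
    }
    return *sig + 2 <= n && *off + *len <= n && (*len & 1) == 0;
}

/* Checksum with the two signature bytes zeroed: exactly what the posted
 * verifier does, which is why signing is the same computation. */
static uint16_t checksum_with_zeroed_sig(uint8_t *work, size_t sig, size_t off, size_t len)
{
    work[sig] = work[sig + 1] = 0;
    return sign_block(work + off, len);
}

/* Write a valid signature into pdu. Returns 0 if the PDU cannot be parsed. */
int tandberg_sign_pdu(uint8_t *pdu, size_t n)
{
    size_t sig, off, len;
    if (!locate(pdu, n, &sig, &off, &len)) return 0;
    uint16_t s = checksum_with_zeroed_sig(pdu, sig, off, len);
    pdu[sig] = (uint8_t)(s >> 8);
    pdu[sig + 1] = (uint8_t)s;
    return 1;
}

/* Verify on a private copy so the caller's buffer is left intact. */
int tandberg_verify_pdu(const uint8_t *pdu, size_t n)
{
    uint8_t work[256];
    size_t sig, off, len;
    if (n > sizeof work || !locate(pdu, n, &sig, &off, &len)) return 0;
    memcpy(work, pdu, n);
    uint16_t stored = (uint16_t)(pdu[sig] << 8 | pdu[sig + 1]);
    return checksum_with_zeroed_sig(work, sig, off, len) == stored;
}

/* Constructed ECM: 3-byte header with pdu[2] = 20, pdu[4] = 16-byte body,
 * signature in the two bytes after the body. Returns 0 when signing,
 * verification and corruption detection all behave, else the failing step. */
int demo_ecm(void)
{
    uint8_t ecm[23] = { 0x80, 0x70, 20, 0x00, 16,
        0x12,0x34, 0x56,0x78, 0x9A,0xBC, 0xDE,0xF0,
        0x00,0x11, 0x22,0x33, 0x44,0x55, 0x66,0x78,
        0x00,0x00 };
    if (!tandberg_sign_pdu(ecm, sizeof ecm))   return 1;
    if (!tandberg_verify_pdu(ecm, sizeof ecm)) return 2;
    ecm[6] ^= 0x01;                              /* one bit error in the body */
    if (tandberg_verify_pdu(ecm, sizeof ecm))  return 3;
    return 0;
}

/* Constructed EMM: permission type 0x01 (10 bytes of permission data per the
 * parser), signature at 15..16, inside the signed block (offset 3, length 14). */
int demo_emm(void)
{
    uint8_t emm[17] = { 0x82, 0x70, 14, 0x01,
        0x23, 0x45,0x67, 0x89,0xAB, 0xCD,0xEF, 0x01,0x23, 0x45,0x67,
        0x00,0x00 };
    if (!tandberg_sign_pdu(emm, sizeof emm))   return 1;
    if (!tandberg_verify_pdu(emm, sizeof emm)) return 2;
    emm[6] ^= 0x01;
    if (tandberg_verify_pdu(emm, sizeof emm))  return 3;
    return 0;
}

int main(void)
{
    printf("ecm round trip: %d, emm round trip: %d (0 = all steps OK)\n", demo_ecm(), demo_emm());
    return 0;
}
```

One property of the checksum as posted is worth knowing before relying on it: any block whose 16-bit word sum is a multiple of 8 (0x0008, 0x0010, 0xAF68, ...) produces the same value 0x17E3, because 8^7 = 2^21 is 0 mod 2^16, and sums that are multiples of 4 collapse to only two values. It therefore catches far fewer corruptions than a CRC of the same width, and being keyless it authenticates nothing; it is a line-error filter, which is all campag5242 claims for it below.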

mosab3000

campag5242 said:
This seems to be working for both ECM & EMM.
[code quoted from the post above]



Is it solved?
Tandberg v3 is broken?
In all cases many thanks for you and all experts here for the effort made to decrypt tandberg v3


Sent from my iPhone using Tapatalk
 

campag5242

Sorry to disappoint, this is unrelated to the v3 changes - it's just about verifying the signature/hash.

It's always good to do this so that we can reject packets which have been corrupted by bad signal quality etc.
 

campag5242

IMG3 EU back now with v3 (or should that be v2.EC?)

How is even an original box supposed to open this channel when there appear to be constant & frequent key-updates solely for Entitlement_ID 0691, whereas the ECM is using 0692?
 

kebien

campag5242 said:
IMG3 EU back now with v3 (or should that be v2.EC?)

How is even an original box supposed to open this channel when there appear to be constant & frequent key-updates solely for Entitlement_ID 0691, whereas the ECM is using 0692?
I found out a couple of curious things while testing Tandberg.
As an example, I give you some facts that may be related to your question.
BPL games come in my area using a 3 or 4 channel mux, each of them using ent_id 01, 02, 03 and 04.
But this specific mux is using a different sequence of keys than history shows (or keys that you see in all softcam.key files distributed in this forum).
Key 01 is used for entitlement 02 and vice versa, and key 03 is used for ent 04 and vice versa.
You can check in the key area where they are posted.
An option is they are using key 0691 for ent_id 0692 in your specific mux.

In an unrelated matter, I used to know a campag (or similar) I used to chat a lot with in American forums, back in the days when there was some testing on Nagra.
But maybe it is not you?
 

campag5242

Sorry, correction, updates for 692 & 693 are there, just much less frequent.

Yes, I was very keen on nagra1 back in the day. I haven't been active in a long while, sorry if I don't recall you :-(. 1800 was very much my favourite CAS, now it's becoming 1010 :).
 

kebien

campag5242 said:
Sorry, correction, updates for 692 & 693 are there, just much less frequent.

Yes, I was very keen on nagra1 back in the day. I haven't been active in a long while, sorry if I don't recall you :-(. 1800 was very much my favourite CAS, now it's becoming 1010 :).

I was not using this nick back then. And there is no point in bringing that up.
I was also investigating from the times of Dr 7 and then what came after, Nagra 2 and so on. You are probably the one I knew, so if it is true, then welcome back and nice to see you again.
CA 1010 is not even remotely as fun as Nagra 1 in its infancy, with all the fun gadgets around, playing with the cards and all.
 

campag5242

Watching ROM102 being dumped live on cardcoders coders forum was a highlight for me :D

So far my (novice) findings are that with this v3 Tandberg the EMM decryption is unchanged.... problems must be down to that ECM 0xEC tag/nano alone. There are so far no new EMM ROM key or EMM algos, as there were with the firmware upgrade around Sept 2016.

I assume this ECXX applies some extra encryption/algo steps for the 16 byte payload. So far I've tried XOR'ing the crypted block with ROM keys, XORing the key etc.

Next step is to try the EMM RAM key table... reminds me somewhat of the old Nagra MECM table :)
 

barney115

Nagra was pure fun: Dragon loader cards, Dragon CAMs, Diablo CAMs and CAS3 programmers, with TV Cabo, Premier Direkt and D+ and even Polsat all being subject to major attacks :D
Those really were the days... and 3 key changes per day, if I recall, at the end before Nagra 3 was introduced to stop the fun :mecry:

Multivision France was also well broken at that time.

Now Murdock is in full control of every situation and is blocking anything remotely close to EPL programming streams, most likely our feeds and more.
It is really not looking good: more than 10 days since Tandberg V3 was introduced, and so far it looks more and more likely we will have to continue to look at black screens on EPL feeds, with the exception of possibly MTN, but even that is very much hit and miss due to the inclined orbit and it is always more than too weak to lock when EPL matches are being broadcast :mad:

I hope you guys can possibly find some way to break this impossible-looking Tandberg V3 encryption. I very much enjoy reading about any progress being made. I am no programmer; maybe some years ago I could have been, but I really am getting too old now and possibly forgetful too :eek:.
 

dale_para_bajo

I do not recall chatting with you before. But it is nice to see someone getting his hands dirty.

You posted a log. Can you tell us where that output came from? I do not use oscam, so maybe that is oscam output.

Now the interesting part is that you said
campag5242 said:
...Play with algo modifications to your heart's content trial-decrypting the ECMs until you see some evidence of CW cycling in the decrypted packets.....

I do not quite understand. You seem to say you have decrypted the ECM? Is that true? Or are you saying you are just trying to catch a "CW cycling"?

To be honest, I am postponing all attempts until I can have a piece of clear text, in this case CWs. But no one has posted crpt8 or similar. K2Tset tried to help me find a CW with his one-of-a-kind skill. Thanks. But he failed to find one! Which makes him question whether this is CSA48 or CSA64, or even if it is CSA at all.
 

campag5242

Yes, it's oscam EMM log, but with the ECMs inserted in the timeline. ECM/EMM is merged by hand for now.

No, I have not decrypted the latest ECM with this 0xEC tag/nano. I suggest people experiment with algorithm mods & check consecutive ECMs, looking for any evidence of CW cycling. That's the first step...

But better still: obtain firmware & disassemble... out of my league I'm afraid.
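campag5242's suggestion above is to trial-decrypt consecutive ECMs with modified algorithms and look for evidence of CW cycling. The following is an added example, not code from this thread or from any receiver, of how that evidence can be checked mechanically instead of by eye: it walks candidate 16-byte plaintexts in broadcast order and accepts only the pattern a real crypto-period change produces (one 8-byte half changes while the other stays, and the half that changes alternates), with identical repeats allowed because ECMs repeat far more often than the CW changes. The split into two 8-byte odd/even control words and the DVB-CSA convention that bytes 3 and 7 of a CW are byte sums of the three before them are assumptions of this example; as the thread notes, it is not established that the payload is a CSA control word at all, so the checksum counter is only a secondary indicator. All sample payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CW_LEN      8
#define PAYLOAD_LEN 16

/* Returns the number of single-half changes seen across the sequence, or -1 at
 * the first transition that breaks the cycling pattern (both halves changed at
 * once, or the same half changed twice in a row). Identical repeats are skipped. */
int cw_cycling_transitions(const uint8_t (*p)[PAYLOAD_LEN], size_t n)
{
    int transitions = 0, last_half = -1;
    for (size_t i = 1; i < n; i++) {
        int first  = memcmp(p[i - 1], p[i], CW_LEN) != 0;
        int second = memcmp(p[i - 1] + CW_LEN, p[i] + CW_LEN, CW_LEN) != 0;
        if (!first && !second) continue;          /* same ECM repeated */
        if (first && second) return -1;           /* wrong key/algo: everything moves */
        int half = first ? 0 : 1;
        if (half == last_half) return -1;         /* same half twice: not odd/even cycling */
        last_half = half;
        transitions++;
    }
    return transitions;
}

/* DVB-CSA convention (assumed to apply): bytes 3 and 7 of an 8-byte CW are the
 * byte sums of the three bytes before them. */
int csa_checksum_ok(const uint8_t cw[CW_LEN])
{
    return cw[3] == (uint8_t)(cw[0] + cw[1] + cw[2]) &&
           cw[7] == (uint8_t)(cw[4] + cw[5] + cw[6]);
}

/* Number of payloads in which both halves pass the CSA checksum test. */
size_t csa_checksum_hits(const uint8_t (*p)[PAYLOAD_LEN], size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += csa_checksum_ok(p[i]) && csa_checksum_ok(p[i] + CW_LEN);
    return hits;
}

/* Constructed cycling sequence: A|B repeated, odd half changes, repeated, even
 * half changes, repeated, odd half changes again. Each CW obeys the CSA rule. */
#define CW_A 0x11,0x22,0x33,0x66, 0x44,0x55,0x66,0xFF
#define CW_B 0x01,0x02,0x03,0x06, 0x10,0x20,0x30,0x60
#define CW_C 0xAA,0xBB,0xCC,0x31, 0x0A,0x0B,0x0C,0x21
#define CW_D 0x12,0x34,0x56,0x9C, 0x78,0x9A,0xBC,0xCE
static const uint8_t cycling[][PAYLOAD_LEN] = {
    { CW_A, CW_B }, { CW_A, CW_B }, { CW_A, CW_B },
    { CW_C, CW_B }, { CW_C, CW_B },
    { CW_C, CW_D }, { CW_C, CW_D },
    { CW_A, CW_D },
};
/* Constructed output of a wrong trial decryption: every byte changes every ECM. */
static const uint8_t noise[][PAYLOAD_LEN] = {
    { 0x3F,0x91,0xC2,0x08,0x77,0x5E,0xA1,0x0C, 0xD4,0x19,0x6B,0xE3,0x25,0x8F,0x40,0x7A },
    { 0x9B,0x04,0x1E,0xF7,0x63,0x2C,0x88,0xD1, 0x15,0xAE,0x70,0x3D,0xC9,0x52,0xEB,0x06 },
    { 0x27,0xB8,0x4D,0x90,0x1A,0xE6,0x33,0x7F, 0xC0,0x5B,0x8E,0x14,0xF2,0x69,0xAD,0x38 },
};

int demo_cycling(void) { return cw_cycling_transitions(cycling, sizeof cycling / PAYLOAD_LEN); }
int demo_noise(void)   { return cw_cycling_transitions(noise,   sizeof noise   / PAYLOAD_LEN); }

int main(void)
{
    size_t nc = sizeof cycling / PAYLOAD_LEN, nn = sizeof noise / PAYLOAD_LEN;
    printf("cycling sequence: %d transitions, %zu/%zu CSA checksum hits\n",
           demo_cycling(), csa_checksum_hits(cycling, nc), nc);
    printf("noise sequence: %d transitions, %zu/%zu CSA checksum hits\n",
           demo_noise(), csa_checksum_hits(noise, nn), nn);
    return 0;
}
```

In practice the candidate payloads would be the output of one algorithm variant applied to a run of logged ECMs; a variant is worth a closer look when the transition count grows with the log length and never returns -1, and the checksum counter adds confidence only if the system really does carry CSA48 control words.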
 

dale_para_bajo

Firmware... Well, we have seen copies of mails sent to REAL users of both PVU and Tandberg. Messages have included instructions to download firmware from Internet locations. No one has posted a single software upgrade log. So if we add both, we can draw conclusions. Still, people, log it if you see anything. Kebien seems to believe there is nothing that can be done with those logs. I personally do not know, but better to have what we can, if available.

Now, for type ED, you must not forget that the ECM nano was CBC.
[image: CBC_encryption.svg, the CBC encryption block diagram]


I will assume type EC will use a similar approach or one of the many other types of scrambling mode. So hoping to detect a CW cycle in the encrypted nano should be almost impossible. We need to decrypt first.
 

kebien

campag5242 said:
Watching ROM102 being dumped live on cardcoders coders forum was a highlight for me :D

Yes, it was really a breakthrough; I was there too in the private section. And through all the nagraedit process.
I am going to dig into some old drives. I am sure I can pull out some conversations in forums from back then, for amusement purposes.
 

Forsat

" Premier League Broadcasters - Urgent Software Upgrade Required For RX8200s, See PLP Extranet "


If someone has an RX8200, please make a dump file from this decoder. Maybe it's new firmware, and a solution to decrypt V3 by making a POC.
 

crozac

No sign of nano 0xec parser in available firmwares
found 0xee and 0xed but 0xec is not there :-(

does anyone know which firmware for rx8000 is last one and that works with new ECM?
 

abra26

crozac said:
No sign of nano 0xec parser in available firmwares
found 0xee and 0xed but 0xec is not there :-(

does anyone know which firmware for rx8000 is last one and that works with new ECM?

You found firmware with nanoED? :eek: I found only old firmwares with very old nanoEE...
 