You are mixing up Conditional Access Systems (CAs) and encryption modes. CAs are for example powervu, crytoworks, nagravision, etc. Each uses a different method to decrypt the Code Words (CWs) used to decrypt the video/audio tracks. Most systems use CSA (Common Scrambling Algorithm) to decrypt the streams once the keys (CWs) are decrypted. Powervu uses mostly DES (Data Encryption Standard) but also some channels use CSA.
Is anyone with any configuration able to watch DES encrypted PowerVu channel (like AFN) without streamrelay and then swith to any CSA encrypted channel (any non-powervu encrypted channel)? Do you have picture on CSA channels? Oscam is decrypting but screen stays black and only receiver reboot helps, until I again switch to DES encrypted channel.
Thanks
Can someone with vu receiver ( any model ) tell me if its supports direct decode for powervu or stream relay is needed ?
There is an unencrypted flag in the ECM that indicates if DES or CSA must be used to decrypt the video/audio streams.
Each ECM contain nanos. Starting with a two byte long length information (must be masked with FFFh). The next byte is the tag (the type of the nano). Then the data bytes of the nano will follow.
Data byte 0 and 1 of every nano must have the value 0E00h.
Data byte 2 and 3 of every nano must have the value 0000h.
In nano 20h the two msbits of data byte 7 indicates the if DES or CSA must be used to decrypt the video/audio streams:
00xxxxxxb = DES
10xxxxxxb = CSA
Here is an example of an ECM that shows that DES must be used to decode the video/audio stream:
47 41 F4 1B <= TS header
00 81
30 3D <= 303Dh & FFFh = 3Dh section length
30 37 <= 3037h & FFFh = 37h length of the first nano
20 <= tag
0E 00 <= must be 0E00h
00 00 <= must be 0000h
00
8E <= continues counter
A0
00 <= 00000000b the two msbits are relevant (00b means DES / 10b means CSA)
39 09 9C E8 53 75 06 02 9F 4C F0 EF 72 8C 00 00 90 00 00 B9 BD 34 AD A5 02 D6 B5 EE 8A 4D
2B D3 4A EA 67 8E 23 7B 28 A0 8F 95 37 EC 86 B1 <= remaining data of the first nano
5A 9D 67 9D <= CRC32
Here is an example of an ECM that shows that CSA must be used to decode the video/audio stream:
47 57 70 1E
<= TS header
00 80
30 61
<= 30
61
h & FFFh =
61h section length
30 37
<= 3037h & FFFh = 37h length of the first nano
20
<= tag
0E 00
00 00
00
A5 <= continues counter
A0
80 <= 10000000b the two msbits are relevant (00b means DES / 10b means CSA)
94 8A 13 91 B8 1C 89 73 2F FC FD 2D 16 18 00 00 10 00 00 26 18 A5 0F DC EE 2F E4 F5 BA 62
71 88 55 F0 C2 06 D3 53 31 FE 2E 1A 8B 6F 0C 3C
<= remaining data of the first nano
30 10
<= 30
10h & FFFh = 10h length of the second nano
27 <= tag
0E 00 <= must be 0E00h
00 00 <= must be 0E00h
80 <= key type (e.g. 80h is VID key)
00
4D 4A 7D 14 AA 58 69 6B <= convolved CW
82 <= check-sum
30 10 <= 3010h & FFFh = 10h length of the third nano
27 <= tag
0E 00 <= must be 0E00h
00 00 <= must be 0000h
I must correct you because you are wrong.Some PowerVu channels are opening on my VU+ clone without stream relay, others don't.
It's high time to pay more attention to this issue.
If some channels can be opened without stream relay it means that probably oscam patch is responsible for this behaviour.
Improving oscam patch may permit opening all PowerVu channels regardless of whether they are DES encrypted or CSA encrypted.
Please correct me if I am wrong.
What is the limiting factor?
DES or CSA video is not decrypted by Oscam,but by the box (it has hardware dedicated to decrypt video CSA,and some also DES,yours only does CSA).
There is no way,at the present time to access the DES hardware (if your box has it at all)
You need to examine the structure of the ECMs to determine whether CSA or DES is used.
Thank you for your detailed explanation.
What is this "dedicated DES hardware" in the box? Where is it located?
Is it a separate chip on the PCB?
How can we possibly know for sure if our box in fact has this "dedicated DES hardware"?
How come the cheap closed source box ("Alphabox X4 Mini" available for just $40) does have this "dedicated DES hardware" while the more expensive VU+ Solo clone ("MEELO+ ONE") doesn't have this "dedicated DES hardware"
It is in DES mode. On Spark (sh4), it is decoded by using MCAS but not OSCam.I want to find out whether CSA or DES is used for Turner International Asia package on Asiasat 7 @ 105.5° E on 3960 MHz Vertical.
There is a chip inside the box that has the decoders inside
For dreambox,is known how to access it,in VU is not known how to,this is why you don't get those channels
It is in DES mode. On Spark (sh4), it is decoded by using MCAS but not OSCam.
I am sorry, I am a bit confused...
Does it mean that MCAS emulator is better than Oscam Emu?
Or does it mean that Spark system is better than Enigma2 system?
It is in DES mode. On Spark (sh4), it is decoded by using MCAS but not OSCam.
Can you provide more details about this dedicated chip?
I want to open both of my STB receivers and check if this kind of chip is present on the PCB.
How does it look like?
Furthermore we can possibly use JTAG to obtain RAM memory dumps.
And we can find much useful data stored in RAM.
I have used JTAG debugging interface with Qualcomm MSM chipsets (ARM based) in mobile phones to reverse-engineer the firmware.
I believe JTAG interface is available on all STB boxes.
What kind of access do we need?
What kind of access do we have now?
Can you explain why Oscam Emu is able to open (without stream relay, just with DVB API) some PowerVu channels on my VU+ clone, and cannot open other PowerVu channels on the same satellite?
However the cheap closed source STB is able to open all PowerVu channels on the same satellite!
Does it mean that a dedicated DES / CSA decrypting chip is present in my VU+ clone? It means VU+ is able to decrypt properly at least some PowerVu channels without stream relay, isn't it?
MCAS developer does not include the table (can be checked in the mcas binary file to make sure).Why is S-Box A0 table missing?
Does it result in any malfunction?
You may check your STB system information, usually every receiver has this menu.How can I possibly check if my STB is running on Spark system?
The manufacturer doesn't say about this.
Maybe some other closed source system?
You may check your STB system information, usually every receiver has this menu.