PowerVu implementation questions
I have several questions regarding the PowerVu implementation and hope someone has answers.
If you know a forum where there are PowerVu experts, I would appreciate if you could post this message on this forum to get back answers.
- I receive alternating DES keys when decrypting one channel. Anyone know which keys to keep and which to discard? As example I receive in this order the following decrypted 10h bytes from the Command 0 (Get Base CW) and the corresponding video DES keys:
A000xxxxxxE8E1xxxxxxxxxxxxxxxxxx gives the video DES key 1111111111111111
A000xxxxxxE137xxxxxxxxxxxxxxxxxx gives the video DES key 2222222222222222
A000xxxxxxE8E1xxxxxxxxxxxxxxxxxx gives the video DES key 1111111111111111
A000xxxxxxE137xxxxxxxxxxxxxxxxxx gives the video DES key 2222222222222222
A000xxxxxx3742xxxxxxxxxxxxxxxxxx gives the video DES key 3333333333333333
A000xxxxxxE137xxxxxxxxxxxxxxxxxx gives the video DES key 2222222222222222
The only documentation I found regarding this is in the pdf 'Kryptoanalyse PowerVu TV-Verschluesselung' from Colibri at the page 7:
"Außerdem merkt sich das ISE das ECM[6] Byte. Kommt eine neues Kommando 0 wird das aktuelle ECM[5] Byte mit dem vorherigen ECM[6] Byte verglichen. Sind sie identisch dann wurde die Reihenfolge der ECMs nicht verändert und es wurde auch kein ECM ausgelassen."
Anyone understand that?
- The description for processing the command 1 is not clear. Can someone confirm that the following calculation for the DES key from the command 1 is correct? This calculation is described in the pdf 'Kryptoanalyse PowerVu TV-Verschluesselung' from Colibri at the page 8.
Particulary which shift register should be used to decrypt the 'IV | SeedBase'? Should it be the shift register after the command 0 or the shift register produced after decrypting the part of the ECM in command 1?
Example of calculation:
Shift register after command 0: 11 22 33 44 55 66 77
SeedBase: aa bb cc dd
Base CW: 11 22 33 44 55 66 77
Decrypted part 2 of the ECM in Command 1:
aa bb 11 22 33 44 55 66 77 88 99 11 22 33 44 55
66 77 88 99 11 22 33 44 55 66 77 88 99 aa bb
video iv: 0000110000 in binary
Encrypted Video Seed: 000011000010101010101110111100110011011101 in binary
Decrypted Video Seed: 02 71 ae c2
Video DES key: 13 a8 e6 b0 64 b9 5e b3
Is the video DES key correct?
- Colibri says that the Video and Audio are encrypted using DES (ECB). Anyone knows how to decrypt the video stream if you have the video DES key?
To decrypt a 188 bytes video packet, you have to skip the 4 bytes header (and mark it as unencrypted) and decrypt 23 blocks of 8 bytes using the same DES key?
Something like:
videoPacket[3] &= 0x3f;
DES_key_schedule desKeySchedule;
DES_key_sched((DES_cblock *)desKey, &desKeySchedule);
for(int blockIndex = 0 ; blockIndex < 23 ; blockIndex++)
{
DES_ecb_encrypt((DES_cblock *)(videoPacket + 4 + (blockIndex * 8)), (DES_cblock *)(videoPacket + 4 + (blockIndex * 8)), &desKeySchedule, DES_DECRYPT);
}
Is that correct?
- Colibri says in the PDF PowerVu_management_keys_hacked and in the pdf PowerVuSecrets that the last 4 bytes of the EMM are a DVB CRC32 checksum. I don't manage to verify this checksum. Is there a trick? For the ECM there is no problem and the DVB CRC32 is valid.
Thanks